Add Pixie hydra and kratos images to fix security vulns (upgrade Go and vuln deps) #2736
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: build-and-test | |
| on: | |
| pull_request_target: | |
| push: | |
| branches: | |
| - 'main' | |
| schedule: | |
| # Run at 23:09 PST (07:09 UTC) every sunday. Github suggests not running actions on the hour. | |
| - cron: '9 7 * * 0' | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| env-protect-setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| env-name: ${{ steps.output.outputs.env-name }} | |
| ref: ${{ steps.output.outputs.ref }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - id: output | |
| uses: ./.github/actions/env_protected_pr | |
| authorize: | |
| runs-on: ubuntu-latest | |
| needs: env-protect-setup | |
| environment: ${{ needs.env-protect-setup.outputs.env-name }} | |
| steps: | |
| - run: echo "Authorized" | |
| get-dev-image: | |
| needs: [authorize, env-protect-setup] | |
| uses: ./.github/workflows/get_image.yaml | |
| with: | |
| image-base-name: "dev_image_with_extras" | |
| ref: ${{ needs.env-protect-setup.outputs.ref }} | |
| clang-tidy: | |
| runs-on: oracle-16cpu-64gb-x86-64 | |
| needs: [authorize, env-protect-setup, get-dev-image] | |
| container: | |
| image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.env-protect-setup.outputs.ref }} | |
| - name: Add pwd to git safe dir | |
| run: git config --global --add safe.directory `pwd` | |
| - name: get bazel config | |
| uses: ./.github/actions/bazelrc | |
| with: | |
| BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
| - name: Save Diff Info | |
| run: ./ci/save_diff_info.sh | |
| - name: Run Clang Tidy | |
| shell: bash | |
| run: | | |
| diff_file="diff_origin_main_cc" | |
| if [[ "${{ github.event_name }}" == "push" ]] || [[ "${{ github.event_name }}" == "schedule" ]]; then | |
| diff_file="diff_head_cc" | |
| fi | |
| ./ci/run_clang_tidy.sh -f "${diff_file}" | |
| code-coverage: | |
| if: github.event_name == 'push' | |
| needs: [authorize, env-protect-setup, get-dev-image] | |
| runs-on: oracle-16cpu-64gb-x86-64 | |
| container: | |
| image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.env-protect-setup.outputs.ref }} | |
| - name: Add pwd to git safe dir | |
| run: git config --global --add safe.directory `pwd` | |
| - name: get bazel config | |
| uses: ./.github/actions/bazelrc | |
| with: | |
| dev: 'false' | |
| BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
| - name: Collect and upload coverage | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| run: | | |
| # Github actions container runner creates a docker network without IPv6 support. We enable it manually. | |
| sysctl -w net.ipv6.conf.lo.disable_ipv6=0 | |
| ./ci/collect_coverage.sh -u -b main -c "$(git rev-parse HEAD)" -r pixie-io/pixie | |
| generate-matrix: | |
| needs: [authorize, env-protect-setup, get-dev-image] | |
| runs-on: oracle-16cpu-64gb-x86-64 | |
| container: | |
| image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ needs.env-protect-setup.outputs.ref }} | |
| - name: Add pwd to git safe dir | |
| run: git config --global --add safe.directory `pwd` | |
| - name: get bazel config | |
| uses: ./.github/actions/bazelrc | |
| with: | |
| BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
| - name: Set matrix | |
| id: set-matrix | |
| shell: bash | |
| run: | | |
| matrix="$(./ci/github/matrix.sh '${{ github.event_name }}')" | |
| echo "Build & Test matrix: ${matrix}" | |
| echo "matrix=${matrix}" >> $GITHUB_OUTPUT | |
| - name: Upload Target Files | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: target_files | |
| path: | | |
| bazel_buildables_* | |
| bazel_tests_* | |
| build-and-test: | |
| needs: [authorize, env-protect-setup, get-dev-image, generate-matrix] | |
| runs-on: oracle-16cpu-64gb-x86-64 | |
| permissions: | |
| contents: read | |
| actions: read | |
| checks: write | |
| container: | |
| image: ${{ needs.get-dev-image.outputs.image-with-tag }} | |
| options: --privileged | |
| if: ${{ needs.generate-matrix.outputs.matrix && (toJson(fromJson(needs.generate-matrix.outputs.matrix)) != '[]') }} | |
| strategy: | |
| matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} | |
| fail-fast: false | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ needs.env-protect-setup.outputs.ref }} | |
| - name: Add pwd to git safe dir | |
| run: git config --global --add safe.directory `pwd` | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| - name: get bazel config | |
| uses: ./.github/actions/bazelrc | |
| with: | |
| dev: ${{ github.event_name == 'push' && 'false' || 'true' }} | |
| BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} | |
| - name: Clear stale test.xml | |
| shell: bash | |
| run: rm -rf "$(bazel info ${{ matrix.args }} bazel-testlogs --noshow_progress 2>/dev/null)" | |
| - name: Build ${{ matrix.name }} | |
| shell: bash | |
| run: | | |
| ./scripts/bazel_ignore_codes.sh build \ | |
| ${{ matrix.args }} \ | |
| --target_pattern_file=target_files/${{ matrix.buildables }} \ | |
| 2> >(tee bazel_stderr) | |
| - name: Test ${{ matrix.name }} | |
| if: ${{ matrix.tests }} | |
| shell: bash | |
| run: | | |
| # Github actions container runner creates a docker network without IPv6 support. We enable it manually. | |
| sysctl -w net.ipv6.conf.lo.disable_ipv6=0 | |
| ./scripts/bazel_ignore_codes.sh test ${{ matrix.args }} --target_pattern_file=target_files/${{ matrix.tests }} \ | |
| 2> >(tee bazel_stderr) | |
| - name: Parse junit reports | |
| uses: dorny/test-reporter@6e6a65b7a0bd2c9197df7d0ae36ac5cee784230c # v2.0.0 | |
| if: always() | |
| with: | |
| name: testlogs-${{ matrix.name }} tests | |
| path: 'bazel-testlogs/**/test.xml' | |
| reporter: java-junit | |
| list-suites: all | |
| list-tests: failed | |
| fail-on-empty: false | |
| - name: Buildbuddy URL | |
| if: always() | |
| run: | | |
| [[ -f bazel_stderr ]] || (echo "Error before bazel ran" && exit 1) | |
| bb_url="$(cat bazel_stderr | grep -Po "(?<=Streaming build results to: ).*" | tail -n 1)" | |
| echo "${bb_url}" | |
| shell: bash | |
| build-and-test-status: | |
| if: always() | |
| needs: [build-and-test, clang-tidy, generate-matrix] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - if: needs.build-and-test.result == 'success' && needs.clang-tidy.result == 'success' | |
| run: echo "Build and Test complete ✓" | |
| - if: > | |
| needs.generate-matrix.result == 'success' && needs.clang-tidy.result == 'success' | |
| && needs.build-and-test.result == 'skipped' | |
| run: echo "Build and Test skipped no matrix configs generated ✓" | |
| - if: > | |
| !(needs.build-and-test.result == 'success' && needs.clang-tidy.result == 'success') && | |
| !(needs.generate-matrix.result == 'success' && | |
| needs.clang-tidy.result == 'success' && | |
| needs.build-and-test.result == 'skipped') | |
| run: | | |
| echo "Build and Test failed" | |
| exit 1 |