runc/.github/workflows/validate.yml
Kir Kolyshkin d8c62c7d0b Makefile: add RUNC_BUILDTAGS, deprecate EXTRA_BUILDTAGS
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.

Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).

Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).

To handle all of the above, let's do this:
 - implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
 - allow RUNC_BUILDTAGS to be set from the shell environment;
 - implement a feature to remove a build tag from default set by
   prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
 - document all this in README;
 - make CI use the new feature;
 - keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
   and a TODO to remove it for runc 1.6.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2026-03-18 13:17:17 +08:00


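name: validate
on:
  push:
    tags:
      - v*
    branches:
      - main
      - release-*
  pull_request:
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: read-only for every job.
# Jobs that need more (e.g. lint's `checks: write`) opt in individually.
permissions:
  contents: read

defaults:
  run:
    # An explicit `bash` selects `bash -eo pipefail`; the implicit default is
    # only `bash -e`, under which a failed producer in the `curl | tar` and
    # `curl | jq` pipelines below is masked by the consumer's exit status.
    shell: bash

env:
  # Quoted so YAML keeps this a string: an unquoted trailing-zero version
  # such as 1.20 would parse as the float 1.2 and select the wrong toolchain.
  GO_VERSION: "1.25"
  LIBPATHRS_VERSION: "0.2.4"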
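jobs:
  # NOTE(review): every action below is referenced by a mutable tag
  # (`@v6`, `@v1.3.1`, `@v2`, ...). A tag can be moved to different code, so a
  # compromised action repository would be picked up silently by the next
  # run. Pinning each `uses:` to a full commit SHA (tag kept in a trailing
  # comment) is the usual mitigation; the SHAs are not known here, so the
  # tags are left in place.
  #
  # Every checkout sets `persist-credentials: false`: no step in this
  # workflow pushes, so the token does not need to be written into
  # .git/config where later steps (including third-party test scripts)
  # could read it.

  keyring:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: check runc.keyring
        run: make validate-keyring

  lint:
    timeout-minutes: 30
    permissions:
      contents: read
      pull-requests: read
      checks: write # to allow the action to annotate code in the PR.
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          # Two commits so that `--new-from-rev=HEAD~1` below has a base.
          fetch-depth: 2
          persist-credentials: false
      - uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
      - name: install deps
        run: |
          sudo apt -q update
          sudo apt -qy install libseccomp-dev
      - uses: golangci/golangci-lint-action@v9
        with:
          version: v2.10
          skip-cache: true
      # Extra linters, only checking new code from a pull request to main.
      - name: lint-extra
        if: github.event_name == 'pull_request' && github.base_ref == 'main'
        run: |
          golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1

  modernize:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 2
          persist-credentials: false
      - uses: actions/setup-go@v6
        with:
          go-version: stable # modernize@latest may require latest Go.
      - name: install deps
        run: |
          sudo apt -q update
          sudo apt -qy install libseccomp-dev
      - name: run go fix
        run: |
          go fix ./...
          git diff --exit-code
      - name: run modernize
        # NOTE(review): `@latest` fetches whatever x/tools publishes at run
        # time, so this job is not reproducible and executes unpinned code in
        # CI (with a read-only token). Pin a tagged version once the needed
        # analyzers are available in one.
        run: |
          go run golang.org/x/tools/go/analysis/passes/modernize/cmd/modernize@latest -fix ./...
          git diff --exit-code

  compile-buildtags:
    runs-on: ubuntu-24.04
    env:
      # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them.
      CGO_CFLAGS: -g -O2 -Werror
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
      - name: install deps
        run: |
          sudo apt update
          sudo apt -y install libseccomp-dev lld
      - name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
        # The script installs into /usr as root. Whether it verifies the
        # libpathrs source it fetches (checksum or signature) is not visible
        # from this workflow -- confirm in script/build-libpathrs.sh.
        run: |
          sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
      - name: compile with no build tags
        run: make BUILDTAGS=""
      - name: compile with runc_nocriu build tag
        run: make RUNC_BUILDTAGS="runc_nocriu"

  codespell:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install deps
        # Version of codespell bundled with Ubuntu is way old, so use pip.
        # The version is pinned but the wheel is not hash-verified; a
        # requirements file with `--require-hashes` would close that gap.
        run: pip install --break-system-packages codespell==v2.4.1
      - name: run codespell
        run: codespell

  shfmt:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: shfmt
        run: make shfmt

  shellcheck:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install shellcheck
        env:
          VERSION: v0.11.0
          BASEURL: https://github.com/koalaman/shellcheck/releases/download
          SHA256: "4da528ddb3a4d1b7b24a59d4e16eb2f5fd960f4bd9a3708a15baddbdf1d5a55b"
        run: |
          mkdir ~/bin
          curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
            tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck
          # Verify the extracted binary before it is put on $PATH; with -e a
          # mismatch fails the step.
          sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck"
          # make sure to remove the old version
          sudo rm -f /usr/bin/shellcheck
          # Add ~/bin to $PATH.
          echo ~/bin >> $GITHUB_PATH
      - uses: lumaxis/shellcheck-problem-matchers@v2
      - name: run
        run: make shellcheck
      - name: check-config.sh
        run: ./script/check-config.sh

  space-at-eol:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: rm -fr vendor
      - run: if git -P grep -I -n '\s$'; then echo "^^^ extra whitespace at EOL, please fix"; exit 1; fi

  deps:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
          check-latest: true
      - name: verify deps
        run: make verify-dependencies
      - name: no toolchain in go.mod # See https://github.com/opencontainers/runc/pull/4717, https://github.com/dependabot/dependabot-core/issues/11933.
        run: |
          if grep -q '^toolchain ' go.mod; then echo "Error: go.mod must not have toolchain directive, please fix"; exit 1; fi
      - name: no exclude nor replace in go.mod
        run: |
          if grep -Eq '^\s*(exclude|replace) ' go.mod; then echo "Error: go.mod must not have exclude/replace directive, it breaks go install. Please fix"; exit 1; fi

  commit:
    # Job-scoped permissions bound what the token handed to the third-party
    # action below can do.
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-24.04
    steps:
      - name: get pr commits
        if: github.event_name == 'pull_request' # Only check commits on pull requests.
        id: 'get-pr-commits'
        uses: tim-actions/get-pr-commits@v1.3.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: check subject line length
        if: github.event_name == 'pull_request' # Only check commits on pull requests.
        uses: tim-actions/commit-message-checker-with-regex@v0.3.2
        with:
          commits: ${{ steps.get-pr-commits.outputs.commits }}
          pattern: '^.{0,72}(\n.*)*$'
          error: 'Subject too long (max 72)'
      - name: succeed (not a PR) # Allow all-done to succeed for non-PRs.
        if: github.event_name != 'pull_request'
        run: echo "Nothing to check here."

  cfmt:
    runs-on: ubuntu-24.04
    steps:
      - name: checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install deps
        run: |
          sudo apt -qq update
          sudo apt -qqy install indent
      - name: cfmt
        run: |
          make cfmt
          git diff --exit-code

  check-go:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: check Go version
        # `exit` (not `quit`, which awk treats as an unset variable) stops at
        # the first ARG GO_VERSION= line, so GO_VER is a single value even if
        # the Dockerfile declares the ARG in more than one stage.
        run: |
          GO_VER=$(awk -F= '/^ARG\s+GO_VERSION=/ {print $2; exit}' Dockerfile)
          echo "Go version used in Dockerfile: $GO_VER"
          echo -n "Checking if Go $GO_VER is supported ... "
          curl -fsSL https://go.dev/dl/?mode=json | jq -e 'any(.[]; .version | startswith("go'$GO_VER'"))'
          echo -n "Checking if Go $GO_VER is tested against ... "
          yq -e '.jobs.test.strategy.matrix.go-version | contains(["'$GO_VER'.x"])' .github/workflows/test.yml

  release:
    timeout-minutes: 30
    runs-on: ubuntu-24.04
    steps:
      - name: checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: check CHANGELOG.md
        run: make verify-changelog
      # We have to run this under Docker as Ubuntu (host) does not support all
      # the architectures we want to compile test against, and Dockerfile uses
      # Debian (which does).
      #
      # XXX: as currently this is the only job that is using Docker, we are
      # building and using the runcimage locally. In case more jobs running
      # under Docker will emerge, it will be good to have a separate make
      # runcimage job and share its result (the docker image) with whoever
      # needs it.
      - name: build docker image
        run: make runcimage
      - name: make releaseall
        run: make releaseall
      - name: upload artifacts
        # These are CI build artifacts (also produced for pull requests, i.e.
        # from unreviewed code); nothing in this workflow signs or publishes
        # them as release assets.
        uses: actions/upload-artifact@v7
        with:
          name: release-${{ github.run_id }}
          path: release/*

  get-images:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install bashbrew
        env:
          BASEURL: https://github.com/docker-library/bashbrew/releases/download
          VERSION: v0.1.7
          SHA256: "6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a"
        run: |
          mkdir ~/bin
          curl -sSfL --retry 5 -o ~/bin/bashbrew \
            $BASEURL/$VERSION/bashbrew-amd64
          # Verify before marking executable / putting on $PATH.
          sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew"
          chmod a+x ~/bin/bashbrew
          # Add ~/bin to $PATH.
          echo ~/bin >> $GITHUB_PATH
      - name: check that get-images.sh is up to date
        run: |
          cd tests/integration
          ./bootstrap-get-images.sh > get-images.sh
          git diff --exit-code

  conmon:
    runs-on: ubuntu-24.04
    steps:
      - name: checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: install runc and conmon deps
        # XXX maybe switch to conmon/hack/github-actions-setup if the burden
        # to maintain the list of needed packages here is too much to handle.
        run: |
          sudo apt update
          sudo apt -y install libseccomp-dev libglib2.0-dev libsystemd-dev socat
      - name: install libpathrs ${{ env.LIBPATHRS_VERSION }}
        run: |
          sudo -E PATH="$PATH" ./script/build-libpathrs.sh "$LIBPATHRS_VERSION" /usr
      - name: install Go
        uses: actions/setup-go@v6
        with:
          go-version: "${{ env.GO_VERSION }}"
      - name: build runc
        run: make
      - name: setup bats
        uses: bats-core/bats-action@4.0.0
        with:
          bats-version: 1.13.0 # As required by conmon in hack/github-actions-setup.
          support-install: false
          assert-install: false
          detik-install: false
          file-install: false
      - name: checkout conmon
        # A tag, not a commit: the test suite run below is whatever
        # containers/conmon points v2.2.1 at when the job runs.
        uses: actions/checkout@v6
        with:
          repository: containers/conmon
          path: conmon
          ref: v2.2.1
          persist-credentials: false
      - name: build conmon
        run: cd conmon && make
      - name: run conmon tests
        run: |
          RUNTIME_BINARY=$(pwd)/runc ./conmon/test/run-tests.sh -j $(nproc)

  # Single required status check: succeeds only when every job above does.
  all-done:
    needs:
      - check-go
      - cfmt
      - codespell
      - commit
      - compile-buildtags
      - conmon
      - deps
      - get-images
      - keyring
      - lint
      - modernize
      - release
      - shellcheck
      - shfmt
      - space-at-eol
    runs-on: ubuntu-24.04
    steps:
      - run: echo "All jobs completed"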