new(ci): add RC/prerelease support #2533

Merged
merged 9 commits into from May 10, 2023
55 changes: 47 additions & 8 deletions .github/workflows/master.yaml
Expand Up @@ -9,46 +9,85 @@ concurrency:
cancel-in-progress: true

jobs:
# We need to use an ubuntu-latest to fetch Falco version because
# Falco version is computed by some cmake scripts that do git sorceries
# to get the current version.
# But centos7 jobs have a git version too old and actions/checkout does not
# fully clone the repo, but uses http rest api instead.
fetch-version:
runs-on: ubuntu-latest
# Map the job outputs to step outputs
outputs:
version: ${{ steps.store_version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Install build dependencies
run: |
sudo apt update
sudo apt install -y cmake build-essential

- name: Configure project
run: |
mkdir build && cd build
cmake -DUSE_BUNDLED_DEPS=On ..

- name: Load and store Falco version output
id: store_version
run: |
FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT

build-dev-packages:
needs: [fetch-version]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit

build-dev-packages-arm64:
needs: [fetch-version]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit

publish-dev-packages:
needs: [build-dev-packages, build-dev-packages-arm64]
needs: [fetch-version, build-dev-packages, build-dev-packages-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
bucket_suffix: '-dev'
version: ${{ needs.build-dev-packages.outputs.version }}
version: ${{ needs.fetch-version.outputs.version }}
secrets: inherit

# Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its output
build-dev-docker:
needs: [build-dev-packages, publish-dev-packages]
needs: [fetch-version, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
bucket_suffix: '-dev'
version: ${{ needs.build-dev-packages.outputs.version }}
version: ${{ needs.fetch-version.outputs.version }}
tag: master
secrets: inherit

build-dev-docker-arm64:
needs: [build-dev-packages, publish-dev-packages]
needs: [fetch-version, publish-dev-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
bucket_suffix: '-dev'
version: ${{ needs.build-dev-packages.outputs.version }}
version: ${{ needs.fetch-version.outputs.version }}
tag: master
secrets: inherit

publish-dev-docker:
needs: [build-dev-docker, build-dev-docker-arm64]
needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
with:
tag: master
secrets: inherit
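Review bot: The comment above build-dev-docker, `# Both build-dev-docker and its arm64 counterpart require build-dev-packages because they use its output`, is stale now that both jobs take `version` from fetch-version and list only `fetch-version` and `publish-dev-packages` in `needs`; reword it to `# Both build-dev-docker and its arm64 counterpart wait for publish-dev-packages and reuse the version computed by fetch-version`. In the store_version step the `cat … | grep … | cut … | sed …` pipeline can start directly with `grep 'FALCO_VERSION ' build/userspace/falco/config_falco.h`, and `"$GITHUB_OUTPUT"` should be quoted. A guard such as `[ -n "$FALCO_VERSION" ] || { echo 'empty FALCO_VERSION' >&2; exit 1; }` before the output is written would keep downstream jobs from building and publishing packages under an empty version if the header line ever changes shape, since `cut`/`sed` would not fail on their own.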
75 changes: 64 additions & 11 deletions .github/workflows/release.yaml
@@ -1,53 +1,106 @@
name: Release Packages and Docker images
on:
push:
tags:
- '[0-9]+.[0-9]+.[0-9]+'
release:
types: [published]

# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
group: ci-release
cancel-in-progress: true

jobs:
release-settings:
runs-on: ubuntu-latest
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
steps:
- name: Get latest release
uses: rez0n/actions-github-release@v2.0
id: latest_release
env:
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.repository }}
type: "stable"

- name: Get settings for this release
id: get_settings
shell: python
run: |
import os
import re
import sys

semver_no_meta = '''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
tag_name = '${{ github.event.release.tag_name }}'

is_valid_version = re.match(semver_no_meta, tag_name) is not None
if not is_valid_version:
print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
sys.exit(1)

is_prerelease = '-' in tag_name

# Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease

bucket_suffix = '-dev' if is_prerelease else ''

with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
print(f'is_latest={is_latest}'.lower(), file=ofp)
print(f'bucket_suffix={bucket_suffix}', file=ofp)

build-packages:
needs: [release-settings]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: x86_64
version: ${{ github.event.release.tag_name }}
secrets: inherit

build-packages-arm64:
needs: [release-settings]
uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
with:
arch: aarch64
version: ${{ github.event.release.tag_name }}
secrets: inherit

publish-packages:
needs: [build-packages, build-packages-arm64]
needs: [release-settings, build-packages, build-packages-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
with:
version: ${{ needs.build-packages.outputs.version }}
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ github.event.release.tag_name }}
secrets: inherit

# Both build-docker and its arm64 counterpart require build-packages because they use its output
build-docker:
needs: [build-packages, publish-packages]
needs: [release-settings, build-packages, publish-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: x86_64
version: ${{ needs.build-packages.outputs.version }}
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ github.event.release.tag_name }}
tag: ${{ github.event.release.tag_name }}
secrets: inherit

build-docker-arm64:
needs: [build-packages, publish-packages]
needs: [release-settings, build-packages, publish-packages]
uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
with:
arch: aarch64
version: ${{ needs.build-packages.outputs.version }}
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ github.event.release.tag_name }}
tag: ${{ github.event.release.tag_name }}
secrets: inherit

publish-docker:
needs: [build-docker, build-docker-arm64]
needs: [release-settings, build-docker, build-docker-arm64]
uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
secrets: inherit

with:
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
tag: ${{ github.event.release.tag_name }}
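Review bot: In the get_settings step, `tag_name = '${{ github.event.release.tag_name }}'` and the `'${{ steps.latest_release.outputs.release }}' == tag_name` comparison splice workflow-expression values straight into the Python source, so a value containing a quote alters the script instead of being rejected by the semver check that follows; passing both through `env:` and reading them with `os.environ` keeps them as data (`os` is already imported). The pattern assigned to `semver_no_meta` uses `\d` inside a non-raw `'''` string, which Python 3 treats as an invalid escape (a SyntaxWarning from 3.12 on) — make it `r'''…'''`. `rez0n/actions-github-release@v2.0` is a third-party action that receives `secrets.GITHUB_TOKEN` on a mutable tag; pinning it to a full commit SHA is the usual supply-chain hardening. If the `push: tags:` trigger at the top is retained alongside `release: published`, `github.event.release.tag_name` is empty on tag pushes and the validation would fail; I cannot tell from the rendered page whether that trigger was removed.
```yaml
      - name: Get settings for this release
        id: get_settings
        shell: python
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          LATEST_RELEASE: ${{ steps.latest_release.outputs.release }}
        run: |
          # … unchanged: imports and semver_no_meta (as a raw string) …
          tag_name = os.environ['TAG_NAME']
          # … unchanged: validation and is_prerelease …
          is_latest = os.environ['LATEST_RELEASE'] == tag_name and not is_prerelease
          # … unchanged: bucket_suffix and GITHUB_OUTPUT writes …
```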
39 changes: 24 additions & 15 deletions .github/workflows/reusable_build_docker.yaml
Expand Up @@ -12,9 +12,18 @@ on:
default: ''
type: string
version:
description: 'Falco version extracted from userspace/falco/config_falco.h'
description: The Falco version to use when building images
required: true
type: string
tag:
description: The tag to use (e.g. "master" or "0.35.0")
required: true
type: string
is_latest:
description: Update the latest tag with the new image
required: false
type: boolean
default: false

# Here we just build all docker images as tarballs,
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
Expand All @@ -39,10 +48,10 @@ jobs:
VERSION_BUCKET=bin${{ inputs.bucket_suffix }}
FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ github.ref_name }}
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}-slim
falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}
falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim
public.ecr.aws/falcosecurity/falco-no-driver:${{ inputs.arch }}-${{ inputs.tag }}
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-slim
outputs: type=docker,dest=/tmp/falco-no-driver-${{ inputs.arch }}.tar

- name: Build falco image
Expand All @@ -53,29 +62,29 @@ jobs:
VERSION_BUCKET=deb${{ inputs.bucket_suffix }}
FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ github.ref_name }}
falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}
outputs: type=docker,dest=/tmp/falco-${{ inputs.arch }}.tar

- name: Build falco-driver-loader image
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/driver-loader/
build-args: |
FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ github.ref_name }}
FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }}
tags: |
falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ github.ref_name }}
falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}
public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}
outputs: type=docker,dest=/tmp/falco-driver-loader-${{ inputs.arch }}.tar

- name: Build no-driver latest image
if: ${{ github.ref_name != 'master' }}
if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/no-driver/
build-args: |
VERSION_BUCKET=bin
FALCO_VERSION=${{ github.ref_name }}
FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco-no-driver:${{ inputs.arch }}-latest
falcosecurity/falco:${{ inputs.arch }}-latest-slim
Expand All @@ -84,20 +93,20 @@ jobs:
outputs: type=docker,dest=/tmp/falco-no-driver-latest-${{ inputs.arch }}.tar

- name: Build falco latest image
if: ${{ github.ref_name != 'master' }}
if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/falco/
build-args: |
VERSION_BUCKET=deb
FALCO_VERSION=${{ github.ref_name }}
FALCO_VERSION=${{ inputs.version }}
tags: |
falcosecurity/falco:${{ inputs.arch }}-latest
public.ecr.aws/falcosecurity/falco:${{ inputs.arch }}-latest
outputs: type=docker,dest=/tmp/falco-latest-${{ inputs.arch }}.tar

- name: Build falco-driver-loader latest image
if: ${{ github.ref_name != 'master' }}
if: ${{ inputs.is_latest }}
uses: docker/build-push-action@v3
with:
context: ${{ github.workspace }}/docker/driver-loader/
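Review bot: The description of the new `is_latest` input, `Update the latest tag with the new image`, overstates what this workflow does: per the comment right below (`# Here we just build all docker images as tarballs, then we upload all the tarballs …`), it only builds the `*-latest` images into tarballs and leaves pushing to reusable_publish_docker. Suggest `description: Also build the "latest"-tagged images (pushed by reusable_publish_docker)`. The new `tag` input is interpolated unquoted into image references such as `falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}`; the callers on this page pass `master` or a semver-validated release tag, so stating that constraint in its description, e.g. `description: Image tag suffix; must be a valid Docker tag (e.g. "master" or "0.35.0")`, makes the contract explicit for future callers.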