Allow bind mounts of nodev,nosuid,noexec filesystems #4261
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: validate | |
| on: | |
| push: | |
| tags: | |
| - v* | |
| branches: | |
| - main | |
| - release-* | |
| pull_request: | |
| env: | |
| GO_VERSION: 1.20.x | |
| permissions: | |
| contents: read | |
| jobs: | |
| keyring: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: check runc.keyring | |
| run: make validate-keyring | |
| lint: | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 2 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| cache: false # golangci-lint-action does its own caching | |
| - name: install deps | |
| run: | | |
| sudo apt -q update | |
| sudo apt -q install libseccomp-dev | |
| - uses: golangci/golangci-lint-action@v3 | |
| with: | |
| version: v1.51 | |
| # Extra linters, only checking new code from a pull request. | |
| - name: lint-extra | |
| if: github.event_name == 'pull_request' | |
| run: | | |
| golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions | |
| compile-buildtags: | |
| runs-on: ubuntu-22.04 | |
| env: | |
| # Don't ignore C warnings. Note that the output of "go env CGO_CFLAGS" by default is "-g -O2", so we keep them. | |
| CGO_CFLAGS: -g -O2 -Werror | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: compile with no build tags | |
| run: make BUILDTAGS="" | |
| codespell: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install deps | |
| # Version of codespell bundled with Ubuntu is way old, so use pip. | |
| run: pip install codespell | |
| - name: run codespell | |
| run: codespell | |
| shfmt: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: shfmt | |
| run: make shfmt | |
| shellcheck: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install shellcheck | |
| env: | |
| VERSION: v0.8.0 | |
| BASEURL: https://github.com/koalaman/shellcheck/releases/download | |
| SHA256: f4bce23c11c3919c1b20bcb0f206f6b44c44e26f2bc95f8aa708716095fa0651 | |
| run: | | |
| mkdir ~/bin | |
| curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz | | |
| tar xfJ - -C ~/bin --strip 1 shellcheck-$VERSION/shellcheck | |
| sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/shellcheck" | |
| # make sure to remove the old version | |
| sudo rm -f /usr/bin/shellcheck | |
| # Add ~/bin to $PATH. | |
| echo ~/bin >> $GITHUB_PATH | |
| - uses: lumaxis/shellcheck-problem-matchers@v2 | |
| - name: run | |
| run: make shellcheck | |
| - name: check-config.sh | |
| run : ./script/check-config.sh | |
| deps: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: install go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: "${{ env.GO_VERSION }}" | |
| - name: verify deps | |
| run: make verify-dependencies | |
| commit: | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| runs-on: ubuntu-22.04 | |
| # Only check commits on pull requests. | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: get pr commits | |
| id: 'get-pr-commits' | |
| uses: tim-actions/get-pr-commits@v1.3.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: check subject line length | |
| uses: tim-actions/commit-message-checker-with-regex@v0.3.1 | |
| with: | |
| commits: ${{ steps.get-pr-commits.outputs.commits }} | |
| pattern: '^.{0,72}(\n.*)*$' | |
| error: 'Subject too long (max 72)' | |
| cfmt: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: install deps | |
| run: | | |
| sudo apt -qq update | |
| sudo apt -qq install indent | |
| - name: cfmt | |
| run: | | |
| make cfmt | |
| git diff --exit-code | |
| release: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: check CHANGELOG.md | |
| run: make verify-changelog | |
| # We have to run this under Docker as Ubuntu (host) does not support all | |
| # the architectures we want to compile test against, and Dockerfile uses | |
| # Debian (which does). | |
| # | |
| # XXX: as currently this is the only job that is using Docker, we are | |
| # building and using the runcimage locally. In case more jobs running | |
| # under Docker will emerge, it will be good to have a separate make | |
| # runcimage job and share its result (the docker image) with whoever | |
| # needs it. | |
| - name: build docker image | |
| run: make runcimage | |
| - name: make releaseall | |
| run: make releaseall | |
| - name: upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: release-${{ github.run_id }} | |
| path: release/* | |
| get-images: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: install bashbrew | |
| env: | |
| BASEURL: https://github.com/docker-library/bashbrew/releases/download | |
| VERSION: v0.1.7 | |
| SHA256: 6b71a6fccfb2025d48a2b23324836b5513c29abfd2d16a57b7a2f89bd02fe53a | |
| run: | | |
| mkdir ~/bin | |
| curl -sSfL --retry 5 -o ~/bin/bashbrew \ | |
| $BASEURL/$VERSION/bashbrew-amd64 | |
| sha256sum --strict --check - <<<"$SHA256 *$HOME/bin/bashbrew" | |
| chmod a+x ~/bin/bashbrew | |
| # Add ~/bin to $PATH. | |
| echo ~/bin >> $GITHUB_PATH | |
| - name: check that get-images.sh is up to date | |
| run: | | |
| cd tests/integration | |
| ./bootstrap-get-images.sh > get-images.sh | |
| git diff --exit-code |