server: ensure CNI teardown prevents IP leaks with missing netns #45
| name: test | |
| on: | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - v* | |
| branches: | |
| - main | |
| - release-* | |
| - nixpkgs | |
| pull_request: | |
| env: | |
| GO_VERSION: "1.23" | |
| NIX_VERSION: "2.24.3" | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: scripts/github-actions-packages | |
| - run: make | |
| - run: bin/crio version | |
| - run: make bin/crio.cross.linux.amd64 | |
| - run: bin/crio.cross.linux.amd64 version | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: build | |
| path: | | |
| bin/crio | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: docs | |
| path: | | |
| docs/crio.8 | |
| docs/crio.conf.5 | |
| docs/crio.conf.d.5 | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: config | |
| path: crio.conf | |
| build-freebsd: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: scripts/github-actions-packages | |
| - run: make bin/crio.cross.freebsd.amd64 | |
| validate-docs: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: chmod -R +x bin | |
| - run: | | |
| sudo -E make docs-generation | |
| hack/tree_status.sh | |
| validate-completions: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: chmod -R +x bin | |
| - run: | | |
| sudo -E make completions-generation | |
| hack/tree_status.sh | |
| validate-nri-tests: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build | |
| path: bin | |
| - run: | | |
| sudo -E make check-nri-bats-tests GOSUMDB= | |
| build-static: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| run: | |
| - go-arch: amd64 | |
| os-arch: x86-64 | |
| - go-arch: arm64 | |
| os-arch: aarch64 | |
| - go-arch: ppc64le | |
| os-arch: PowerPC | |
| - go-arch: s390x | |
| os-arch: S/390 | |
| name: build static / ${{ matrix.run.go-arch }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27 | |
| with: | |
| install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install | |
| - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
| with: | |
| name: cri-o-static | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| pushFilter: cri-o | |
| - run: nix-build nix/default-${{ matrix.run.go-arch }}.nix | |
| - run: file result/bin/crio | grep ${{ matrix.run.os-arch }} | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: build-static-${{ matrix.run.go-arch }} | |
| path: | | |
| result/bin/crio | |
| result/bin/pinns | |
| static-build-upload: | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-static | |
| steps: | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-amd64 | |
| path: ${{ github.sha }}/amd64 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-arm64 | |
| path: ${{ github.sha }}/arm64 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-ppc64le | |
| path: ${{ github.sha }}/ppc64le | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: build-static-s390x | |
| path: ${{ github.sha }}/s390x | |
| - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 | |
| with: | |
| credentials_json: ${{ secrets.GCS_CRIO_SA }} | |
| - uses: google-github-actions/upload-cloud-storage@e485962f2bef914ac9c3bdd571f821f0ba7946c4 # v2.2.0 | |
| with: | |
| path: ${{ github.sha }} | |
| destination: cri-o/artifacts | |
| upload-artifacts: | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| needs: | |
| - static-build-upload | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - run: make upload-artifacts | |
| env: | |
| GCS_CRIO_SA: ${{ secrets.GCS_CRIO_SA }} | |
| create-release: | |
| if: contains(github.ref, 'refs/tags') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: | |
| - release-notes | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: release-notes | |
| path: build/release-notes | |
| - name: Get release version | |
| run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | |
| - uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
| with: | |
| allowUpdates: true | |
| bodyFile: build/release-notes/${{ env.RELEASE_VERSION }}.md | |
| unit: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| run: | |
| - runner: ubuntu-latest | |
| arch: amd64 | |
| type: root | |
| - runner: ubuntu-latest | |
| arch: amd64 | |
| type: rootless | |
| name: unit / ${{ matrix.run.arch }} / ${{ matrix.run.type }} | |
| runs-on: ${{ matrix.run.runner }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: go-unit-${{ matrix.run.arch }}-${{ matrix.run.type }}-${{ hashFiles('**/go.sum') }} | |
| - run: scripts/github-actions-packages | |
| - name: Update mocks | |
| run: | | |
| make mockgen -j $(nproc) | |
| hack/tree_status.sh | |
| - name: Download crun on arm64 # Required for checkpoint restore (criu) tests. | |
| if: ${{ matrix.run.arch == 'arm64' }} | |
| run: | | |
| sudo curl -sSfL --retry 5 --retry-delay 3 \ | |
| -o $CRUN_PATH \ | |
| https://github.com/containers/crun/releases/download/$CRUN_VERSION/crun-$CRUN_VERSION-linux-arm64 | |
| sudo chmod +x $CRUN_PATH | |
| crun --version | |
| env: | |
| CRUN_VERSION: 1.16.1 | |
| CRUN_PATH: /usr/bin/crun | |
| - name: Run unit tests as root | |
| if: ${{ matrix.run.type == 'root' }} | |
| run: | | |
| sudo PATH="$PATH" GOCACHE="$(go env GOCACHE)" GOMODCACHE="$(go env GOMODCACHE)" make testunit | |
| sudo chown -R $(id -u):$(id -g) "$(go env GOCACHE)" "$(go env GOMODCACHE)" || true | |
| - name: Run unit tests rootless | |
| if: ${{ matrix.run.type == 'rootless' }} | |
| run: make testunit | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: unit-${{ matrix.run.arch }}-${{ matrix.run.type }} | |
| path: build/coverage | |
| coverage: | |
| needs: unit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: unit-amd64-root | |
| path: build/coverage | |
| - uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 | |
| with: | |
| files: build/coverage/coverprofile | |
| verbose: true | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| release-notes: | |
| permissions: | |
| contents: write | |
| if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/heads/release') || contains(github.ref, 'refs/tags') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Set current branch | |
| run: | | |
| raw=$(git branch -r --contains ${{ github.ref }}) | |
| branch=${raw##*/} | |
| echo "CURRENT_BRANCH=$branch" >> $GITHUB_ENV | |
| - run: make release-notes | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: release-notes | |
| path: build/release-notes | |
| if-no-files-found: ignore | |
| dependencies: | |
| permissions: | |
| contents: write | |
| if: github.ref == 'refs/heads/main' | |
| needs: release-notes | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - run: make dependencies | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: dependencies | |
| path: build/dependencies | |
| codeql-build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| with: | |
| languages: go | |
| - uses: github/codeql-action/autobuild@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| - uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2 | |
| security-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run govulncheck | |
| run: make verify-govulncheck | |
| - name: Run gosec | |
| run: make verify-gosec |
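Review bot: The `Set current branch` step of the `release-notes` job expands `${{ github.ref }}` straight into the shell script (`raw=$(git branch -r --contains ${{ github.ref }})`), which is the expression-injection pattern GitHub's hardening guidance warns about, since git ref names may legally contain characters such as `$`, `;`, `(` or backticks that the shell then interprets. The job's `if` restricts it to main, release branches and tags, so the value is set by people who can push there rather than by pull-request authors, but the safe form costs nothing: add `env:` with `REF: ${{ github.ref }}` to that step and write `raw=$(git branch -r --contains "$REF")`, and quote `"$GITHUB_ENV"` in the same script and in the `Get release version` step. Separately, the `Download crun on arm64` step in `unit` installs a release binary into `/usr/bin/crun` with no checksum verification, while the `unit` matrix lists only amd64 runners, so that step currently never executes; if it is kept, pin a sha256 next to `CRUN_VERSION` and verify it before the `chmod +x`.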