Container #9759
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container | |
| on: | |
| workflow_call: | |
| workflow_run: | |
| workflows: ["Build"] | |
| types: | |
| - completed | |
| # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idconcurrency | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| # renovate: datasource=go depName=github.com/goreleaser/goreleaser | |
| GORELEASER_VERSION: v1.25.1 | |
| # renovate: datasource=github-releases depName=kubernetes/minikube extractVersion=^v(?<version>.+)$ | |
| MINIKUBE_VERSION: 1.33.1 | |
| # renovate: datasource=go depName=github.com/florianl/bluebox | |
| BLUEBOX_VERSION: v0.0.2 | |
| jobs: | |
| skip-check: | |
| name: Skip check | |
| continue-on-error: true | |
| runs-on: ubuntu-latest | |
| outputs: | |
| should_skip: ${{ steps.skip-check.outputs.should_skip }} | |
| permissions: | |
| actions: write | |
| contents: read | |
| steps: | |
| - id: skip-check | |
| uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 | |
| with: | |
| do_not_skip: '["schedule", "workflow_dispatch"]' | |
| paths: |- | |
| [ | |
| "**.go", | |
| ".dockerignore", | |
| ".github/workflows/container.yml", | |
| ".go-version", | |
| "3rdparty", | |
| "Dockerfile*", | |
| "Makefile", | |
| "bpf/**", | |
| "deploy/**", | |
| "e2e/**", | |
| "go.mod", | |
| "go.sum" | |
| ] | |
| skip_after_successful_duplicate: false | |
| build-dependencies: | |
| name: Build and download dependencies | |
| needs: skip-check | |
| if: ${{ needs.skip-check.outputs.should_skip != 'true' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: read | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: .go-version | |
| - name: Set up Clang | |
| uses: KyleMayes/install-llvm-action@be40c5af3a4adc3e4a03199995ab73aa37536712 # v1.9.0 | |
| with: | |
| version: "14" | |
| - name: Install libbpf dependencies | |
| run: | | |
| sudo apt-get update -y | |
| sudo apt-get install -yq libelf-dev zlib1g-dev | |
| - name: Initialize and update libbpf submodule | |
| run: git submodule init && git submodule update | |
| - name: Build BPF | |
| run: | | |
| make ARCH=amd64 bpf | |
| make ARCH=arm64 bpf | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: ebpf-object-file-container | |
| path: bpf/out | |
| if-no-files-found: error | |
| - name: Validate | |
| uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 | |
| with: | |
| distribution: goreleaser | |
| version: ${{ env.GORELEASER_VERSION }} | |
| args: check | |
| build-binaries: | |
| name: Build binaries using goreleaser | |
| runs-on: ubuntu-latest | |
| needs: build-dependencies | |
| container: | |
| image: docker.io/goreleaser/goreleaser-cross:v1.22.3@sha256:db9bd5614a051d43e1953361e838a264d9300114110d49159fa04ef37307febe | |
| options: --privileged | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| with: | |
| fetch-depth: 0 | |
| # https://github.com/actions/checkout/issues/766 | |
| - name: Add repository directory to the git global config as a safe directory | |
| run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" | |
| - name: Set Tag | |
| run: | | |
| echo "goreleaser_current_tag=`git describe --match 'v*' --tags`" >> $GITHUB_ENV | |
| - name: Set up Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: .go-version | |
| - name: Initialize and update libbpf submodule | |
| run: git submodule init && git submodule update | |
| - name: Install libbpf dependencies | |
| run: | | |
| apt-get update -y | |
| apt-get install -yq lld libelf-dev zlib1g-dev libelf-dev:arm64 zlib1g-dev:arm64 pkg-config | |
| - name: Get branch name | |
| shell: bash | |
| run: echo "GITHUB_BRANCH_NAME=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | |
| - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: ebpf-object-file-container | |
| path: bpf/out | |
| - name: List downloaded files | |
| shell: bash | |
| run: | | |
| ls -lR bpf | |
| mkdir -p pkg/profiler/cpu/bpf/programs/objects | |
| cp -r bpf/out/* pkg/profiler/cpu/bpf/programs/objects | |
| rm pkg/profiler/cpu/bpf/programs/objects/*/pid_namespace.bpf.o | |
| mkdir -p pkg/contained/bpf | |
| cp -r bpf/out/* pkg/contained/bpf | |
| find pkg/contained/bpf/*/ -type f | grep -v "pid_namespace.bpf.o" | xargs -I{} bash -c "rm {}" | |
| - name: Run Goreleaser | |
| run: goreleaser release --clean --skip=validate --skip=publish --snapshot --debug -f .goreleaser.yml | |
| env: | |
| GORELEASER_CURRENT_TAG: "${{ env.goreleaser_current_tag }}" | |
| - name: Archive generated artifacts | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: parca-agent-dist-container | |
| if-no-files-found: error | |
| path: | | |
| goreleaser/dist | |
| !goreleaser/dist/*.txt | |
| build-and-push-container: | |
| name: Container build and push | |
| needs: build-binaries | |
| runs-on: ubuntu-latest | |
| container: | |
| # https://github.com/containers/podman/tree/main/contrib/podmanimage | |
| image: quay.io/containers/podman:v4.9.4 | |
| options: >- | |
| --device /dev/fuse:rw | |
| --privileged | |
| --security-opt label=disable | |
| --security-opt seccomp=unconfined | |
| permissions: | |
| id-token: write | |
| packages: write | |
| contents: read | |
| steps: | |
| - name: Install dependencies | |
| run: dnf install --assumeyes --repo fedora git make jq which | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| # https://github.com/actions/checkout/issues/766 | |
| - name: Add repository directory to the git global config as a safe directory | |
| run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" | |
| - name: Set up Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version-file: .go-version | |
| - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: parca-agent-dist-container | |
| path: goreleaser/dist | |
| #- name: Setup tmate session | |
| # uses: mxschmitt/action-tmate@v3 | |
| - name: List downloaded files | |
| shell: bash | |
| run: | | |
| ls -lR goreleaser/dist | |
| - name: Build container | |
| run: make container | |
| - name: Check images are created | |
| run: >- | |
| [[ -n "$(podman image list --filter=reference=ghcr.io/parca-dev/parca-agent --quiet)" ]] | |
| - name: Install cosign | |
| if: github.event_name != 'pull_request' | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | |
| - name: "Set up Cloud SDK" | |
| if: github.event_name != 'pull_request' | |
| uses: "google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa" # v2.1.3 | |
| id: "auth" | |
| with: | |
| token_format: "access_token" # this is important as it will generate the token to be used as an oauth2 token for the next step | |
| workload_identity_provider: "projects/15974983059/locations/global/workloadIdentityPools/continuous-integration/providers/github-actions" | |
| service_account: "github-actions-agent@polar-signals-public.iam.gserviceaccount.com" | |
| - name: Login to registry | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | podman login -u parca-dev --password-stdin ghcr.io | |
| echo "${{ secrets.QUAY_PASSWORD }}" | cosign login -u "${{ secrets.QUAY_USERNAME }}" --password-stdin quay.io | |
| cosign login -u oauth2accesstoken -p ${{ steps.auth.outputs.access_token }} gcr.io | |
| - name: Install crane | |
| if: github.event_name != 'pull_request' | |
| uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 | |
| - name: Push and sign container (when merged) | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| make push-container | |
| make sign-container | |
| make push-signed-quay-container | |
| make push-signed-gcr-container | |
| - name: Save container image | |
| run: | | |
| IMAGE="$(podman image list --filter=reference=ghcr.io/parca-dev/parca-agent --format='{{.Repository}}:{{.Tag}}' | head -1)" | |
| podman image save --output=dist/parca-agent.tar "${IMAGE}" | |
| - name: Upload container image artifact | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: parca-agent.tar | |
| path: dist/parca-agent.tar | |
| run-end-to-end-tests: | |
| name: Run end-to-end tests | |
| runs-on: ubuntu-latest | |
| needs: build-and-push-container | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out the code | |
| uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 | |
| - name: Set up Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: .go-version | |
| - name: Set up jsonnet | |
| run: ./env-jsonnet.sh | |
| - name: Set up Minikube | |
| uses: medyagh/setup-minikube@317d92317e473a10540357f1f4b2878b80ee7b95 # v0.0.16 | |
| with: | |
| minikube-version: ${{ env.MINIKUBE_VERSION }} | |
| driver: none | |
| kubernetes-version: stable # Determined by Minikube version | |
| # https://github.com/medyagh/setup-minikube/issues/110 | |
| - name: Patch CNI configuration | |
| run: | | |
| jq ' | |
| .cniVersion |= if split(".")[:2]|map(tonumber) < [0, 4] then "0.4.0" else . end | | |
| .plugins |= if [select(.[].type == "firewall")]|length == 0 then . + [{ "type": "firewall" }] else . end | |
| ' /etc/cni/net.d/1-k8s.conflist | sudo tee /etc/cni/net.d/1-k8s.conflist.patched | |
| sudo mv /etc/cni/net.d/1-k8s.conflist.patched /etc/cni/net.d/1-k8s.conflist | |
| sudo systemctl restart cri-docker | |
| - name: Download container image artifact | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: parca-agent.tar | |
| path: dist | |
| - name: Load container image | |
| run: docker image load --input=dist/parca-agent.tar | |
| - name: Run e2e tests | |
| run: make actions-e2e E2E_KUBECONTEXT=minikube | |
| - name: Upload kubectl logs | |
| run: ./e2e/e2e-dump.sh | |
| # Uncomment the next two lines to use upterm to debug CI | |
| # Run `touch continue` from upterm session to close upterm | |
| # and finish this step | |
| # - name: Setup upterm session | |
| # uses: lhotari/action-upterm@v1 | |
| - name: Archive production artifacts | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| if: ${{ always() }} | |
| with: | |
| name: kubectl e2e dump | |
| path: | | |
| ./tmp/e2e-dump |