
Commit 895fa39

committed
security: pin GitHub Actions to commit SHAs for supply-chain security
1 parent 9dd54a7 commit 895fa39

1 file changed

Lines changed: 145 additions & 1 deletion


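--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1 +1,145 @@
-name: CI\n\non:\n push:\n branches: [main, master]\n pull_request:\n branches: [main, master]\n\npermissions:\n contents: read\n\njobs:\n generate-bpf:\n name: Generate eBPF Object\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4 # v4.2.2\n - uses: actions/setup-go@v5 # v5.3.0\n with:\n go-version: '1.26.2'\n - name: Install toolchain\n run: sudo apt-get update && sudo apt-get install -y clang llvm libbpf-dev\n - name: Generate BPF\n run: make generate\n - name: Upload BPF object\n uses: actions/upload-artifact@v4 # v4.6.1\n with:\n name: procscope-bpf-object\n path: internal/tracer/procscope_bpfel.o\n retention-days: 1\n\n test:\n name: Test\n needs: generate-bpf\n runs-on: ubuntu-latest\n strategy:\n matrix:\n go-version: ['1.26.2']\n steps:\n - uses: actions/checkout@v4 # v4.2.2\n - uses: actions/setup-go@v5 # v5.3.0\n with:\n go-version: ${{ matrix.go-version }}\n - name: Download BPF object\n uses: actions/download-artifact@v4 # v4.1.9\n with:\n name: procscope-bpf-object\n path: internal/tracer\n - name: Build\n run: make build\n - name: Cross-build supported targets\n run: |\n CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath ./cmd/procscope\n CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath ./cmd/procscope\n - name: Unit tests\n run: go test -v -race -count=1 -short ./...\n - name: Integration tests (requires eBPF/root)\n run: |\n ./bin/procscope --version\n sudo ./bin/procscope -- ls /tmp || echo "Warning: Integration test failed"\n - name: Vet\n run: go vet ./...\n\n lint:\n name: Lint\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4 # v4.2.2\n - uses: actions/setup-go@v5 # v5.3.0\n with:\n go-version: '1.26.2'\n - name: golangci-lint\n uses: golangci/golangci-lint-action@v6 # v6.1.1\n continue-on-error: true\n with:\n version: v1.64.5\n\n vuln:\n name: Vulnerability Check\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4 # v4.2.2\n - uses: actions/setup-go@v5 # v5.3.0\n with:\n go-version: '1.26.2'\n - name: Install govulncheck\n run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0\n - name: Run govulncheck\n run: govulncheck ./... || true\n\n build-debian:\n name: Build Debian Package\n needs: generate-bpf\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4 # v4.2.2\n - uses: actions/setup-go@v5 # v5.3.0\n with:\n go-version: '1.26.2'\n - name: Download BPF object\n uses: actions/download-artifact@v4 # v4.1.9\n with:\n name: procscope-bpf-object\n path: internal/tracer\n - name: Install dependencies\n run: |\n sudo apt-get update\n sudo apt-get install -y debhelper lintian dh-golang\n - name: Build Debian Package\n run: dpkg-buildpackage -us -uc -b -d\n - name: Move Debian Package\n run: mv ../procscope_*.deb .\n - name: Lint Debian Package\n run: lintian ./procscope_*.deb || true\n - name: Upload Debian Package\n uses: actions/upload-artifact@v4 # v4.6.1\n with:\n name: procscope-deb\n path: ./procscope_*.deb\n\n build-arch:\n name: Build Arch Linux Package\n needs: generate-bpf\n runs-on: ubuntu-latest\n container:\n image: archlinux:base-devel\n steps:\n - name: Install dependencies\n run: pacman -Syu --noconfirm git go nodejs\n - uses: actions/checkout@v4 # v4.2.2\n - name: Download BPF object\n uses: actions/download-artifact@v4 # v4.1.9\n with:\n name: procscope-bpf-object\n path: internal/tracer\n - name: Build Arch Package\n run: |\n useradd -m builduser\n chown -R builduser:builduser .\n su builduser -c "cd arch && makepkg -sf"\n - name: Upload Arch Package\n uses: actions/upload-artifact@v4 # v4.6.1\n with:\n name: procscope-pkg-tar-zst\n path: arch/*.pkg.tar.zst\n
+name: CI
+
+on:
+push:
+branches: [main, master]
+pull_request:
+branches: [main, master]
+
+permissions:
+contents: read
+
+jobs:
+generate-bpf:
+name: Generate eBPF Object
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4 # v4.2.2
+- uses: actions/setup-go@v5 # v5.3.0
+with:
+go-version: '1.26.2'
+- name: Install toolchain
+run: sudo apt-get update && sudo apt-get install -y clang llvm libbpf-dev
+- name: Generate BPF
+run: make generate
+- name: Upload BPF object
+uses: actions/upload-artifact@v4 # v4.6.1
+with:
+name: procscope-bpf-object
+path: internal/tracer/procscope_bpfel.o
+retention-days: 1
+
+test:
+name: Test
+needs: generate-bpf
+runs-on: ubuntu-latest
+strategy:
+matrix:
+go-version: ['1.26.2']
+steps:
+- uses: actions/checkout@v4 # v4.2.2
+- uses: actions/setup-go@v5 # v5.3.0
+with:
+go-version: ${{ matrix.go-version }}
+- name: Download BPF object
+uses: actions/download-artifact@v4 # v4.1.9
+with:
+name: procscope-bpf-object
+path: internal/tracer
+- name: Build
+run: make build
+- name: Cross-build supported targets
+run: |
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath ./cmd/procscope
+CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath ./cmd/procscope
+- name: Unit tests
+run: go test -v -race -count=1 -short ./...
+- name: Integration tests (requires eBPF/root)
+run: |
+./bin/procscope --version
+sudo ./bin/procscope -- ls /tmp || echo "Warning: Integration test failed"
+- name: Vet
+run: go vet ./...
+
+lint:
+name: Lint
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4 # v4.2.2
+- uses: actions/setup-go@v5 # v5.3.0
+with:
+go-version: '1.26.2'
+- name: golangci-lint
+uses: golangci/golangci-lint-action@v6 # v6.1.1
+continue-on-error: true
+with:
+version: v1.64.5
+
+vuln:
+name: Vulnerability Check
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4 # v4.2.2
+- uses: actions/setup-go@v5 # v5.3.0
+with:
+go-version: '1.26.2'
+- name: Install govulncheck
+run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0
+- name: Run govulncheck
+run: govulncheck ./... || true
+
+build-debian:
+name: Build Debian Package
+needs: generate-bpf
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4 # v4.2.2
+- uses: actions/setup-go@v5 # v5.3.0
+with:
+go-version: '1.26.2'
+- name: Download BPF object
+uses: actions/download-artifact@v4 # v4.1.9
+with:
+name: procscope-bpf-object
+path: internal/tracer
+- name: Install dependencies
+run: |
+sudo apt-get update
+sudo apt-get install -y debhelper lintian dh-golang
+- name: Build Debian Package
+run: dpkg-buildpackage -us -uc -b -d
+- name: Move Debian Package
+run: mv ../procscope_*.deb .
+- name: Lint Debian Package
+run: lintian ./procscope_*.deb || true
+- name: Upload Debian Package
+uses: actions/upload-artifact@v4 # v4.6.1
+with:
+name: procscope-deb
+path: ./procscope_*.deb
+
+build-arch:
+name: Build Arch Linux Package
+needs: generate-bpf
+runs-on: ubuntu-latest
+container:
+image: archlinux:base-devel
+steps:
+- name: Install dependencies
+run: pacman -Syu --noconfirm git go nodejs
+- uses: actions/checkout@v4 # v4.2.2
+- name: Download BPF object
+uses: actions/download-artifact@v4 # v4.1.9
+with:
+name: procscope-bpf-object
+path: internal/tracer
+- name: Build Arch Package
+run: |
+useradd -m builduser
+chown -R builduser:builduser .
+su builduser -c "cd arch && makepkg -sf"
+- name: Upload Arch Package
+uses: actions/upload-artifact@v4 # v4.6.1
+with:
+name: procscope-pkg-tar-zst
+path: arch/*.pkg.tar.zst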
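Review bot: The new side still references every action by mutable tag — `- uses: actions/checkout@v4 # v4.2.2` at new line 17, and the same pattern for `actions/setup-go@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4` and `golangci/golangci-lint-action@v6` throughout the file — so the workflow does not do what the commit message says: the `# v4.2.2` trailer is only a comment, and the runner still resolves `@v4` to whatever that tag points at when the job runs, which is exactly the tag-retargeting exposure SHA pinning is meant to close. Each `uses:` should name the full commit SHA of the intended release and keep the version as the comment, e.g. `uses: actions/checkout@<FULL-COMMIT-SHA-OF-v4.2.2-PLACEHOLDER> # v4.2.2`, with the SHAs copied from the upstream release tags rather than retyped. Separately, `run: govulncheck ./... || true` at new line 89 and `continue-on-error: true` at new line 74 mean neither the vulnerability check nor the lint can ever fail the build, so a finding from either is visible only to someone who reads the log; if that is deliberate, a comment above each such as `# advisory only: findings do not fail CI` would stop the next reader from assuming the job enforces anything.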
