chore: cache Go/Rust dependencies and sample files (#1368)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Steve Beattie <steve+github@nxnw.org>

Author: egibs

.github/workflows/codeql.yaml

@@ -29,7 +29,14 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Cache yara-x-capi installation
+        id: yara-x-capi
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: yara-x-install
+          key: yara-x-capi-v1.12.0-${{ runner.os }}
       - name: Checkout virusTotal/yara-x
+        if: steps.yara-x-capi.outputs.cache-hit != 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
@@ -38,23 +45,32 @@ jobs:
           path: yara-x
           ref: refs/tags/v1.12.0
       - name: Install Rust for yara-x-capi
+        if: steps.yara-x-capi.outputs.cache-hit != 'true'
         uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
         with:
           toolchain: stable
-      - name: Install cargo-c and yara-x-capi
+      - name: Cache Rust dependencies
+        if: steps.yara-x-capi.outputs.cache-hit != 'true'
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ~/.cargo/registry/
+            ~/.cargo/git/
+          key: rust-cargo-v1.12.0-${{ runner.os }}
+          restore-keys: rust-cargo-
+      - name: Build yara-x-capi
+        if: steps.yara-x-capi.outputs.cache-hit != 'true'
         run: |
+          command -v cargo-cinstall || cargo install cargo-c --locked
           cd ${{ github.workspace }}/yara-x
-          cargo install cargo-c --locked
-          sudo -E env "PATH=$PATH" cargo cinstall -p yara-x-capi --features=native-code-serialization --release
-          sudo ldconfig -v
-          cd ${{ github.workspace }}
-          sudo rm -rf ${{ github.workspace }}/yara-x
+          cargo cinstall -p yara-x-capi --features=native-code-serialization --release --pkgconfigdir=${{ github.workspace }}/yara-x-install --includedir=${{ github.workspace }}/yara-x-install --libdir=${{ github.workspace }}/yara-x-install
+          rm -rf ${{ github.workspace }}/yara-x
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: "go.mod"
           check-latest: true
-          cache: false
+          cache: true
       - name: Initialize CodeQL
         uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
         with:
@@ -63,12 +79,15 @@ jobs:
       - run: |
           go build -o /dev/null ./...
           go test -o /dev/null -c ./...
+        env:
+          PKG_CONFIG_PATH: ${{ github.workspace }}/yara-x-install
+          LD_LIBRARY_PATH: ${{ github.workspace }}/yara-x-install
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
         with:
           category: "/language:go"
   analyze-actions:
-    if: ${{ github.repository }} == 'chainguard-dev/malcontent'
+    if: ${{ github.repository == 'chainguard-dev/malcontent' }}
     runs-on: ubuntu-latest
     permissions:
       actions: read

.github/workflows/fuzz.yaml

@@ -117,7 +117,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -127,7 +127,34 @@ jobs:
       - name: Trust repository
         run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
 
-      - name: Clone malcontent samples (required for compile fuzzers)
+      - name: Get Go cache paths
+        id: go-env
+        run: |
+          echo "modcache=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}"
+          echo "cache=$(go env GOCACHE)" >> "${GITHUB_OUTPUT}"
+
+      - name: Cache Go dependencies
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ${{ steps.go-env.outputs.modcache }}
+            ${{ steps.go-env.outputs.cache }}
+          key: go-${{ hashFiles('go.sum') }}
+          restore-keys: go-
+
+      - name: Get samples commit
+        id: samples
+        if: contains(matrix.target.package, 'programkind')
+        run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"
+
+      - name: Cache malcontent samples
+        if: contains(matrix.target.package, 'programkind')
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: out/chainguard-sandbox/malcontent-samples
+          key: samples-${{ steps.samples.outputs.commit }}
+
+      - name: Clone malcontent samples (required for programkind fuzzers)
         if: contains(matrix.target.package, 'programkind')
         run: |
           make samples

.github/workflows/go-tests.yaml

@@ -37,7 +37,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -47,13 +47,28 @@ jobs:
       - name: Trust repository
         run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
 
+      - name: Get Go cache paths
+        id: go-env
+        run: |
+          echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+          echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Go dependencies
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ${{ steps.go-env.outputs.modcache }}
+            ${{ steps.go-env.outputs.cache }}
+          key: go-${{ hashFiles('go.sum') }}
+          restore-keys: go-
+
       - name: Unit tests
         run: |
           make test
 
   integration:
     if: ${{ github.repository == 'chainguard-dev/malcontent' }}
-    runs-on: ubuntu-latest-16-core
+    runs-on: ubuntu-latest-32-core
     permissions:
       contents: read
     container:
@@ -64,7 +79,7 @@ jobs:
         --cap-add SETUID
         --cap-drop ALL
         --cgroupns private
-        --cpu-shares=16384
+        --cpu-shares=32768
         --memory-swappiness=0
         --security-opt no-new-privileges
         --ulimit core=0
@@ -74,7 +89,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git go nodejs upx xz yara-x~1.12.0
+          apk add curl findutils git gnutar go nodejs upx xz yara-x~1.12.0
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -84,6 +99,34 @@ jobs:
       - name: Trust repository
         run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
 
+      - name: Get Go cache paths
+        id: go-env
+        run: |
+          echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+          echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Go dependencies
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ${{ steps.go-env.outputs.modcache }}
+            ${{ steps.go-env.outputs.cache }}
+          key: go-${{ hashFiles('go.sum') }}
+          restore-keys: go-
+
+      - name: Get samples commit
+        id: samples
+        run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"
+
+      - name: Cache malcontent samples
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: out/chainguard-sandbox/malcontent-samples
+          key: samples-${{ steps.samples.outputs.commit }}
+
+      - name: Prepare samples
+        run: make samples
+
       - name: Integration tests
         run: |
           make integration

.github/workflows/third-party.yaml

@@ -37,10 +37,39 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add bash curl findutils gh git go nodejs perl upx xz yara-x~1.12.0
+          apk add bash curl findutils gh git gnutar go nodejs perl upx xz yara-x~1.12.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Trust repository
         run: git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+
+      - name: Get Go cache paths
+        id: go-env
+        run: |
+          echo "modcache=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
+          echo "cache=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Go dependencies
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: |
+            ${{ steps.go-env.outputs.modcache }}
+            ${{ steps.go-env.outputs.cache }}
+          key: go-${{ hashFiles('go.sum') }}
+          restore-keys: go-
+
+      - name: Get samples commit
+        id: samples
+        run: echo "commit=$(grep '^SAMPLES_COMMIT' Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')" >> "$GITHUB_OUTPUT"
+
+      - name: Cache malcontent samples
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: out/chainguard-sandbox/malcontent-samples
+          key: samples-${{ steps.samples.outputs.commit }}
+
+      - name: Prepare samples
+        run: make samples
+
       - uses: chainguard-dev/actions/setup-gitsign@6f74cdeee55d70b03fa220746d6739dbbb3e9421
       - name: Set up Octo-STS
         uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1