chore: update dockerfiles and workflows for Windows eBPF branch

.github/workflows/codeql.yaml

@@ -6,6 +6,14 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze
@@ -17,7 +25,6 @@ jobs:
         language: [go]
     runs-on: ubuntu-latest
     env:
-      IS_NOT_MERGE_GROUP: ${{ github.event_name != 'merge_group' }}
       GOOS: ${{ matrix.goos }}
       GOARCH: ${{ matrix.goarch }}
     timeout-minutes: 90
@@ -27,23 +34,18 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        if: env.IS_NOT_MERGE_GROUP
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Setup go
-        if: env.IS_NOT_MERGE_GROUP
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
       - name: Initialize CodeQL
-        if: env.IS_NOT_MERGE_GROUP
-        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        if: env.IS_NOT_MERGE_GROUP
-        uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
       - name: Perform CodeQL Analysis
-        if: env.IS_NOT_MERGE_GROUP
-        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/commit-message.yaml

@@ -8,10 +8,15 @@ on:
       - synchronize
       - edited
       - reopened
+
+permissions:
+  contents: read
+
 jobs:
   commit-message:
     if: ${{ github.event_name != 'merge_group' }}
     runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
       - name: verify_commit_message
         env:

.github/workflows/devcontainer.yaml

@@ -0,0 +1,46 @@
+name: DevContainer
+on:
+  merge_group:
+  push:
+    branches: [main]
+    paths:
+      - ".devcontainer/**"
+      - "go.mod"
+  pull_request:
+    branches: [main]
+    paths:
+      - ".devcontainer/**"
+      - "go.mod"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build DevContainer
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Build and validate devcontainer
+        uses: devcontainers/ci@b63b30de439b47a52267f241112c5b453b673db5 # v0.3.1900000449
+        with:
+          runCmd: |
+            clang --version
+            llvm-strip --version
+            go version
+            EXPECTED_GO=$(grep '^go ' go.mod | awk '{print $2}')
+            ACTUAL_GO=$(go version | grep -oP '\d+\.\d+\.\d+')
+            if [ "$EXPECTED_GO" != "$ACTUAL_GO" ]; then
+              echo "::error::Go version mismatch: devcontainer has $ACTUAL_GO but go.mod requires $EXPECTED_GO"
+              exit 1
+            fi
+            kubectl version --client
+            helm version
+            kind version
+            grep -rl 'go:generate.*bpf2go' pkg/plugin/ | xargs -I{} go generate {}

.github/workflows/docs.yaml

@@ -3,6 +3,14 @@ name: Build and Deploy Retina.sh
 on:
   push:
     branches: ["main"]
+    paths:
+      - 'site/**'
+      - 'docs/**'
+  pull_request:
+    branches: ["main"]
+    paths:
+      - 'site/**'
+      - 'docs/**'
   workflow_dispatch:
   merge_group:
 permissions:
@@ -13,28 +21,36 @@ concurrency:
   group: "pages"
   cancel-in-progress: false
 jobs:
-  deploy:
-    if: ${{ github.event_name != 'merge_group' }}
-    environment:
-      name: retina.sh 
-      url: ${{ steps.deployment.outputs.page_url }}
+  build:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup Pages
-        uses: actions/configure-pages@v5
-      - uses: actions/setup-node@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 20
       - name: build
         run: |
           npm install --prefix site/
           npm run build --prefix site/
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+      - name: Upload build artifact
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
         with:
           path: "./site/build"
+
+  deploy:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: build
+    environment:
+      name: retina.sh
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Setup Pages
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/e2e-test-event-writer.yml

@@ -121,7 +121,7 @@ jobs:
           }
           echo "tag=$TAG" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
 
-      - name: Build and push images
+      - name: Build image
         shell: pwsh
         working-directory: ${{ env.EVENT_WRITER_PATH }}
         run: |
@@ -133,6 +133,14 @@ jobs:
           }
 
           $tag = "${{ steps.tag.outputs.tag }}"
+          echo "EVENT_WRITER_IMAGE=$image" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+          echo "EVENT_WRITER_TAG=$tag" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
           docker build -f "./Dockerfile" -t "${image}:${tag}" -t "${image}:latest" .
-          docker push "${image}:${tag}"
-          docker push "${image}:latest"
+
+      - name: Push images
+        if: ${{ github.event_name != 'pull_request' }}
+        shell: pwsh
+        working-directory: ${{ env.EVENT_WRITER_PATH }}
+        run: |
+          docker push "${env:EVENT_WRITER_IMAGE}:${env:EVENT_WRITER_TAG}"
+          docker push "${env:EVENT_WRITER_IMAGE}:latest"

.github/workflows/e2e.yaml

@@ -83,19 +83,22 @@ jobs:
   e2e:
     name: E2E
     runs-on: ubuntu-latest
+    timeout-minutes: 120
+    env:
+      CLUSTER_NAME: retina-e2e-${{ github.run_id }}-${{ github.run_attempt }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup go
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version-file: go.mod
       - run: go version
 
       - name: Az CLI login
-        uses: azure/login@v2
+        uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -115,4 +118,12 @@ jobs:
           fi
 
           go test -v ./test/e2e/. -timeout 60m -tags=e2e -count=1  -args -image-tag=${{ inputs.image_tag }} -image-registry=${{ inputs.image_registry }} -image-namespace=${{ inputs.image_namespace }} -create-infra=${{ !inputs.use_existing_infra }} -delete-infra=${{ !inputs.use_existing_infra }}
-
+
+      - name: Cleanup resource group
+        if: always()
+        shell: bash
+        run: |
+          if az group exists --name "$CLUSTER_NAME" 2>/dev/null | grep -q true; then
+            echo "Deleting resource group $CLUSTER_NAME..."
+            az group delete --name "$CLUSTER_NAME" --yes --no-wait || true
+          fi

.github/workflows/generate-check.yaml

@@ -0,0 +1,113 @@
+name: Check Generated Code
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  generate-check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-latest
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    name: Generate (${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Check that committed .o files are empty stubs
+        run: |
+          RED='\033[0;31m'
+          YELLOW='\033[1;33m'
+          CYAN='\033[0;36m'
+          NC='\033[0m'
+          # Tracked .o files must be empty (0 bytes) in the committed tree.
+          # They exist so Go source with bpf2go references compiles without
+          # running go generate. Real BPF objects are built at image build time.
+          # This check runs BEFORE generate since generate populates them.
+          non_empty=$(git ls-files '*.o' | while read -r f; do
+            size=$(git cat-file -s "HEAD:$f" 2>/dev/null || echo 0)
+            if [ "$size" -gt 0 ]; then echo "$f ($size bytes)"; fi
+          done || true)
+          if [ -n "$non_empty" ]; then
+            echo ""
+            echo -e "${RED}============================================================${NC}"
+            echo -e "${RED}ERROR: The following .o files must be empty stubs (0 bytes).${NC}"
+            echo ""
+            echo -e "${YELLOW}${non_empty}${NC}"
+            echo ""
+            echo -e "${CYAN}Run 'make empty-bpf-objects' to truncate them, then commit.${NC}"
+            echo -e "${RED}============================================================${NC}"
+            echo "::error::Non-empty .o files committed. Run 'make empty-bpf-objects' and commit the result."
+            exit 1
+          fi
+
+      - name: Install BPF build dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends clang llvm lld libbpf-dev linux-headers-$(uname -r)
+          sudo apt-get install -y --no-install-recommends linux-tools-$(uname -r) linux-tools-common || true
+
+      - name: Run make generate for ${{ matrix.arch }}
+        run: |
+          # Generate BPF objects and Go bindings for this runner's native arch only,
+          # then run the remaining (non-BPF) generators.
+          GOARCH=${{ matrix.arch }} go generate ./pkg/plugin/...
+          go generate ./...
+
+      - name: Check for uncommitted changes
+        run: |
+          RED='\033[0;31m'
+          YELLOW='\033[1;33m'
+          CYAN='\033[0;36m'
+          NC='\033[0m'
+          failed=0
+
+          # 1. Check generated .go files match committed code.
+          #    Ignore .o files — they are empty stubs in the repo and get
+          #    populated with real BPF objects during generate.
+          if ! git diff --quiet -- ':!*.o'; then
+            echo ""
+            echo -e "${RED}============================================================${NC}"
+            echo -e "${RED}ERROR: Generated code is out of date.${NC}"
+            echo ""
+            echo -e "${YELLOW}The following files differ after running 'make generate':${NC}"
+            git diff --name-only -- ':!*.o'
+            echo ""
+            echo -e "${CYAN}Please run 'make generate' locally and commit the changes.${NC}"
+            echo -e "${RED}============================================================${NC}"
+            echo "::error::Generated code is out of date. Run 'make generate' locally and commit the changes."
+            failed=1
+          fi
+
+          # 2. Check for new generated files that weren't committed.
+          untracked=$(git ls-files --others --exclude-standard -- '*.go' | head -20)
+          if [ -n "$untracked" ]; then
+            echo ""
+            echo -e "${RED}============================================================${NC}"
+            echo -e "${RED}ERROR: New generated files are not committed.${NC}"
+            echo ""
+            echo -e "${YELLOW}${untracked}${NC}"
+            echo ""
+            echo -e "${CYAN}Please run 'make generate' locally and commit the new files.${NC}"
+            echo -e "${RED}============================================================${NC}"
+            echo "::error::New generated files are not committed. Run 'make generate' locally and commit the new files."
+            failed=1
+          fi
+
+          exit $failed