falcosecurity/falco

ci perms .github/workflows/ci.yml
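name: CI Build
on:
  pull_request:
    branches:
      - master
      - 'release/*'
  workflow_dispatch:

# Cancel any in-flight run for the same pull request (or, on manual dispatch, for this run id).
# NOTE: this cancels every workflow being run against a PR, as the group is just the github ref (without the workflow name).
concurrency:
  group: ${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Read-only token for every job; nothing in this workflow needs write access.
permissions:
  contents: read

jobs:
  fetch-version:
    uses: ./.github/workflows/reusable_fetch_version.yaml

  build-dev-packages-x86_64:
    needs: [fetch-version]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: x86_64
      version: ${{ needs.fetch-version.outputs.version }}
      enable_debug: true
      enable_sanitizers: true
      use_mimalloc: true

  build-dev-packages-arm64:
    needs: [fetch-version]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}
      enable_debug: true
      use_mimalloc: true

  test-dev-packages:
    needs: [fetch-version, build-dev-packages-x86_64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    # See https://github.com/falcosecurity/falco/pull/3482
    # Since musl build does not support dynamically loaded plugins,
    # many tests would fail (the ones using `container.foo` fields).
    # Disable tests on static builds for now.
    # strategy:
    #   fail-fast: false
    #   matrix:
    #     static: ["static", ""]
    with:
      arch: x86_64
      # sanitizers: ${{ matrix.static == '' && true || false }}
      sanitizers: true
      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ needs.fetch-version.outputs.version }}

  test-dev-packages-arm64:
    needs: [fetch-version, build-dev-packages-arm64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}

  build-dev-minimal:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: x86_64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: true
      build_type: Debug

  build-dev-minimal-arm64:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: aarch64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: true
      build_type: Debug

  # builds using system deps, checking out the PR's code
  # note: this also runs a command that generates an output of form: "<engine_version> <some_hash>",
  # of which <some_hash> is computed by hashing in order the following:
  # - Driver schema version supported by the built-in falcosecurity/libs
  # - The supported event types usable in Falco rules (evt.type=xxx)
  # - The supported rules fields with their name, type, and description
  build-dev:
    uses: ./.github/workflows/reusable_build_dev.yaml
    with:
      arch: x86_64
      git_ref: ${{ github.event.pull_request.head.sha }}
      minimal: false
      sanitizers: true
      build_type: Debug
      cmd: "echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Engine:' | awk '{print $2}') $(echo $(build/userspace/falco/falco -c ./falco.yaml --version | grep 'Schema version:' | awk '{print $3}') $(build/userspace/falco/falco -c ./falco.yaml --list --markdown | grep '^`' | sort) $(build/userspace/falco/falco -c ./falco.yaml --list-events | sort) | sha256sum)"

  # checks the falco engine checksum for consistency
  check-engine-checksum:
    runs-on: ubuntu-latest
    needs: [build-dev]
    steps:
      - name: Checkout PR head ref
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Check Engine checksum
        # cmdout is printed by a falco binary built from the PR's own code, so it is
        # handed over as an environment variable instead of being expanded into the
        # script source with ${{ }}: the shell then only ever sees it as data.
        env:
          CMDOUT: ${{ needs.build-dev.outputs.cmdout }}
        run: |
          prev_hash=$(grep CHECKSUM "./userspace/engine/falco_engine_version.h" | awk '{print $3}' | sed -e 's/"//g')
          cur_hash=$(echo "$CMDOUT" | cut -d ' ' -f 2)

          echo "encoded checksum: $prev_hash"
          echo "current checksum: $cur_hash"
          # An empty value on either side means the lookup failed; do not let two
          # empty strings compare equal and pass the check.
          if [ -z "$prev_hash" ] || [ -z "$cur_hash" ]; then
            echo "could not determine the encoded and/or the current engine checksum"
            exit 1
          fi
          # Quoted operands: an unquoted empty value would turn into a `[` syntax error.
          if [ "$prev_hash" != "$cur_hash" ]; then
            echo "current engine checksum differs from the one encoded in userspace/engine/falco_engine_version.h"
            exit 1
          else
            echo "current and encoded engine checksum are matching"
          fi

  # checks the falco engine version and enforces bumping when necessary
  check-engine-version:
    runs-on: ubuntu-latest
    needs: [build-dev]
    steps:
      - name: Checkout base ref
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ github.base_ref }}

      - name: Check Engine version
        # Same reasoning as in check-engine-checksum: the build output is derived from
        # the PR's code and is therefore passed as data, not expanded into the script.
        env:
          CMDOUT: ${{ needs.build-dev.outputs.cmdout }}
        run: |
          engine_header="./userspace/engine/falco_engine_version.h"
          # Third whitespace-separated field of the first header line matching the
          # given macro name, with the surrounding parentheses stripped.
          base_ver_component() {
            grep "$1" "$engine_header" | head -n 1 | awk '{print $3}' | sed -e 's/(//g' -e 's/)//g'
          }

          base_hash=$(grep CHECKSUM "$engine_header" | awk '{print $3}' | sed -e 's/"//g')
          base_engine_ver="$(base_ver_component ENGINE_VERSION_MAJOR).$(base_ver_component ENGINE_VERSION_MINOR).$(base_ver_component ENGINE_VERSION_PATCH)"

          cur_hash=$(echo "$CMDOUT" | cut -d ' ' -f 2)
          cur_engine_ver=$(echo "$CMDOUT" | cut -d ' ' -f 1)

          echo "baseref checksum: $base_hash"
          echo "baseref engine version: $base_engine_ver"
          echo "headref checksum: $cur_hash"
          echo "headref engine version: $cur_engine_ver"
          # Fail loudly if either checksum could not be read instead of comparing empty strings.
          if [ -z "$base_hash" ] || [ -z "$cur_hash" ]; then
            echo "could not determine the baseref and/or the headref engine checksum"
            exit 1
          fi
          if [ "$base_hash" != "$cur_hash" ]; then
            echo "engine checksum for baseref and headref differ"
            # A changed checksum with an unchanged version is what this job exists to catch.
            if [ "$base_engine_ver" = "$cur_engine_ver" ]; then
              echo "engine version must be bumped"
              exit 1
            else
              echo "engine version for baseref and headref differ too, so no bump is required"
            fi
          fi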
codeql matrix perms security .github/workflows/codeql.yaml
---
# GitHub's stock CodeQL workflow, adapted for this repository: the project is
# built with the system toolchain so that CodeQL's C++ extractor can observe
# the compilation. Revisit the `language` matrix below if the set of analysed
# languages ever changes; see https://aka.ms/codeql-docs/language-support.
name: "CodeQL"

on:
  push:
    branches:
      - "master"
  pull_request:
    # Must stay a subset of the branches listed for `push` above.
    branches:
      - "master"

# Workflow-wide default; the analyze job widens it explicitly below.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-22.04
    # `security-events: write` is what allows the results to be uploaded to code scanning.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # CodeQL supports cpp, csharp, go, java, javascript, python and ruby.
        language:
          - 'cpp'

    steps:
      - name: Checkout repository
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # Sets up the CodeQL tools for the matrix language. Custom query packs
      # could be listed under `with.queries` (prefixed with "+" to keep the
      # ones from a config file as well); see
      # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
      - name: Initialize CodeQL
        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
        with:
          languages: ${{ matrix.language }}

      - name: Update base image
        run: sudo apt update -y

      - name: Install build dependencies
        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev libyaml-cpp-dev rpm libelf-dev cmake build-essential libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm git -y

      # Build against the system libraries; only nlohmann-json, cxxopts and
      # cpp-httplib are taken from the bundled sources.
      - name: Prepare project
        run: cmake -B build -S . -DBUILD_FALCO_MODERN_BPF=Off -DUSE_BUNDLED_DEPS=Off -DUSE_BUNDLED_NLOHMANN_JSON=On -DUSE_BUNDLED_CXXOPTS=On -DUSE_BUNDLED_CPPHTTPLIB=On

      - name: Build
        run: KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
codespell perms .github/workflows/codespell.yml
---
name: Codespell

on:
  pull_request:

permissions:
  contents: read

jobs:
  codespell:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Spell-checks the tree, file names included; hidden files and the .git
      # directory are skipped and .codespellignore lists the accepted words.
      - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0
        with:
          skip: .git
          ignore_words_file: .codespellignore
          check_filenames: true
          check_hidden: false
engine-version-weakcheck perms .github/workflows/engine-version-weakcheck.yaml
# NOTE: it is UNSAFE to run ANY kind of script when using the pull_request_target trigger!
# DO NOT TOUCH THIS FILE UNLESS THE TRIGGER IS CHANGED.
# See warning in https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.

# Posts a reminder comment on PRs that touch the engine sources without touching
# falco_engine_version.h. Commenting needs `pull-requests: write`, which is why
# pull_request_target (base-repository token, see the warning linked above) is
# used; no step below checks out or executes code from the PR head.
name: Engine version checks (weak)
on:
  pull_request_target:
    # Only PRs touching the engine sources are of interest.
    paths:
      - 'userspace/engine/*.cpp'
      - 'userspace/engine/*.h'

# Default for every job; the comment job widens it explicitly.
permissions:  
  contents: read

jobs:
  paths-filter:
    runs-on: ubuntu-latest
    outputs:
      engine_version_changed: ${{ steps.filter.outputs.engine_version }}
    steps:
    # No `ref` is given, so under pull_request_target this checks out the base
    # branch, not the PR head.
    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
    - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
      id: filter
      with:
        # `engine_version` becomes 'true' when the PR changes the version header.
        filters: |
          engine_version:
            - 'userspace/engine/falco_engine_version.h'

  check-engine-version-weak:
    runs-on: ubuntu-22.04
    # Only this job may write to the PR, and only to post the comment.
    permissions:
      pull-requests: write
    needs: paths-filter
    # Job outputs are strings, hence the comparison with the literal 'false'.
    if: needs.paths-filter.outputs.engine_version_changed == 'false'
    steps:
      - name: Check driver Falco engine version
        uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
        with:
          message: |
            This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

            Please double check **userspace/engine/falco_engine_version.h** file. See [versioning for FALCO_ENGINE_VERSION](https://github.com/falcosecurity/falco/blob/master/RELEASE.md#falco-repo-this-repo).

            /hold
format perms .github/workflows/format.yaml
---
name: Format code

on:
  pull_request:
  push:
    branches:
      - master
      - "release/**"

permissions:
  contents: read

jobs:
  format:
    name: format code 🐲
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repository 🎉
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        run: |
          sudo apt update -y
          sudo apt install -y --no-install-recommends ca-certificates pip git
          pip install pre-commit

      # pre-commit exits non-zero when a hook fails or rewrites a file; the two
      # steps below only run in that case.
      - name: Run pre-commit ©️
        run: pre-commit run --all-files

      # Capture whatever the hooks changed so it can be applied locally.
      - name: Generate the git-diff 🚒
        if: failure()
        run: git diff > format_diff.patch

      - name: Upload the git diff artifact 📦
        if: failure()
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: format_diff.patch
          path: ./format_diff.patch
insecure-api perms .github/workflows/insecure-api.yaml
---
name: Insecure API check

on:
  pull_request:
    branches:
      - master
      - 'release/**'
      - 'maintainers/**'

permissions:
  contents: read

jobs:
  insecure-api:
    name: check-insecure-api
    runs-on: ubuntu-latest
    # The scanner image is pinned by digest, not only by tag.
    container:
      image: semgrep/semgrep:1.85.0@sha256:b4c2272e0a2e59ca551ff96d3bbae657bd2b7356e339af557b27a96d9e751544
    steps:
      - name: Checkout Falco ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # Full history, so the PR's base commit is available for the baseline.
          fetch-depth: 0

      # Only findings introduced relative to the PR's base commit are reported;
      # the rules live in ./semgrep and --error turns any finding into a failure.
      - name: Scan PR for insecure API usage 🕵️
        run: >-
          semgrep scan
          --error
          --metrics=off
          --baseline-commit ${{ github.event.pull_request.base.sha }}
          --config=./semgrep
master perms .github/workflows/master.yaml
---
name: Dev Packages and Docker images

on:
  push:
    branches:
      - master

permissions:
  contents: read

# One master run at a time: a newer push cancels the one still in flight.
concurrency:
  group: ci-master
  cancel-in-progress: true

jobs:
  fetch-version:
    uses: ./.github/workflows/reusable_fetch_version.yaml

  # Package builds, one per architecture.
  build-dev-packages:
    needs:
      - fetch-version
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      arch: x86_64
      version: ${{ needs.fetch-version.outputs.version }}

  build-dev-packages-arm64:
    needs:
      - fetch-version
    uses: ./.github/workflows/reusable_build_packages.yaml
    secrets: inherit
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}

  # Package tests, one per architecture.
  # See https://github.com/falcosecurity/falco/pull/3482
  # Since musl build does not support dynamically loaded plugins,
  # many tests would fail (the ones using `container.foo` fields).
  # Disable tests on static builds for now.
  test-dev-packages:
    needs:
      - fetch-version
      - build-dev-packages
    uses: ./.github/workflows/reusable_test_packages.yaml
    # strategy:
    #   fail-fast: false
    #   matrix:
    #     static: ["static", ""]
    with:
      arch: x86_64
      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ needs.fetch-version.outputs.version }}

  test-dev-packages-arm64:
    needs:
      - fetch-version
      - build-dev-packages-arm64
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      arch: aarch64
      version: ${{ needs.fetch-version.outputs.version }}

  # Tested packages go to the '-dev' bucket and then feed the image builds.
  publish-dev-packages:
    needs:
      - fetch-version
      - test-dev-packages
      - test-dev-packages-arm64
    uses: ./.github/workflows/reusable_publish_packages.yaml
    secrets: inherit
    with:
      bucket_suffix: '-dev'
      version: ${{ needs.fetch-version.outputs.version }}

  build-dev-docker:
    needs:
      - fetch-version
      - publish-dev-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      arch: x86_64
      bucket_suffix: '-dev'
      version: ${{ needs.fetch-version.outputs.version }}
      tag: master

  build-dev-docker-arm64:
    needs:
      - fetch-version
      - publish-dev-packages
    uses: ./.github/workflows/reusable_build_docker.yaml
    secrets: inherit
    with:
      arch: aarch64
      bucket_suffix: '-dev'
      version: ${{ needs.fetch-version.outputs.version }}
      tag: master

  # Publishes the multi-arch manifest once both per-arch images exist.
  publish-dev-docker:
    needs:
      - fetch-version
      - build-dev-docker
      - build-dev-docker-arm64
    uses: ./.github/workflows/reusable_publish_docker.yaml
    secrets: inherit
    with:
      tag: master
release perms .github/workflows/release.yaml
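name: Release Packages and Docker images
on:
  release:
    types: [published]

# Read-only token by default; only release-body widens it, to publish the body and assets.
permissions:
  contents: read

# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
  group: ci-release
  cancel-in-progress: true

jobs:
  # Validates the release tag and derives the settings every later job depends on.
  release-settings:
    runs-on: ubuntu-latest
    outputs:
      is_latest: ${{ steps.get_settings.outputs.is_latest }}
      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
    steps:
      - name: Get latest release
        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
        id: latest_release
        env:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.repository }}
          type: "stable"

      - name: Get settings for this release
        id: get_settings
        shell: python
        # Both values are read from the environment rather than expanded into the
        # Python source with ${{ }}: a tag containing a quote or a newline would
        # otherwise alter the script instead of just its data.
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          LATEST_RELEASE: ${{ steps.latest_release.outputs.release }}
        run: |
          import os
          import re
          import sys

          # Semver core version plus an optional pre-release part, no build metadata.
          # Raw string: `\d` is not a recognised escape in a plain literal and newer Pythons warn about it.
          semver_no_meta = r'''^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
          tag_name = os.environ['TAG_NAME']

          if re.match(semver_no_meta, tag_name) is None:
            print(f'Release version {tag_name} is not a valid full or pre-release. See RELEASE.md for more information.')
            sys.exit(1)

          # The pattern only admits '-' as the pre-release separator, so its presence marks a pre-release.
          is_prerelease = '-' in tag_name

          # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
          is_latest = os.environ['LATEST_RELEASE'] == tag_name and not is_prerelease

          # Pre-releases are published to the '-dev' bucket, stable releases to the default one.
          bucket_suffix = '-dev' if is_prerelease else ''

          with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
            # Lower-cased so the value compares equal to the string 'true' in `if:` expressions.
            print(f'is_latest={str(is_latest).lower()}', file=ofp)
            print(f'bucket_suffix={bucket_suffix}', file=ofp)

  build-packages:
    needs: [release-settings]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: x86_64
      version: ${{ github.event.release.tag_name }}
      use_jemalloc: true
    secrets: inherit

  build-packages-arm64:
    needs: [release-settings]
    uses: ./.github/workflows/reusable_build_packages.yaml
    with:
      arch: aarch64
      version: ${{ github.event.release.tag_name }}
      use_jemalloc: true
    secrets: inherit

  test-packages:
    needs: [release-settings, build-packages]
    uses: ./.github/workflows/reusable_test_packages.yaml
    # See https://github.com/falcosecurity/falco/pull/3482
    # Since musl build does not support dynamically loaded plugins,
    # many tests would fail (the ones using `container.foo` fields).
    # Disable tests on static builds for now.
    # strategy:
    #   fail-fast: false
    #   matrix:
    #     static: ["static", ""]
    with:
      arch: x86_64
      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ github.event.release.tag_name }}

  test-packages-arm64:
    needs: [release-settings, build-packages-arm64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      arch: aarch64
      version: ${{ github.event.release.tag_name }}

  publish-packages:
    needs: [release-settings, test-packages, test-packages-arm64]
    uses: ./.github/workflows/reusable_publish_packages.yaml
    with:
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      version: ${{ github.event.release.tag_name }}
    secrets: inherit

  # Both build-docker and its arm64 counterpart require build-packages because they use its output
  build-docker:
    needs: [release-settings, build-packages, publish-packages]
    uses: ./.github/workflows/reusable_build_docker.yaml
    with:
      arch: x86_64
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      version: ${{ github.event.release.tag_name }}
      tag: ${{ github.event.release.tag_name }}
    secrets: inherit

  build-docker-arm64:
    needs: [release-settings, build-packages, publish-packages]
    uses: ./.github/workflows/reusable_build_docker.yaml
    with:
      arch: aarch64
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      version: ${{ github.event.release.tag_name }}
      tag: ${{ github.event.release.tag_name }}
    secrets: inherit

  publish-docker:
    needs: [release-settings, build-docker, build-docker-arm64]
    uses: ./.github/workflows/reusable_publish_docker.yaml
    secrets: inherit
    with:
      is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
      tag: ${{ github.event.release.tag_name }}
      sign: true

  # Fills in the release body template and attaches the debug symbols.
  release-body:
    needs: [release-settings, publish-docker]
    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Extract LIBS and DRIVER versions
        run: |
          cp .github/release_template.md release-body.md
          LIBS_VERS=$(grep 'set(FALCOSECURITY_LIBS_VERSION' cmake/modules/falcosecurity-libs.cmake | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
          DRIVER_VERS=$(grep 'set(DRIVER_VERSION' cmake/modules/driver.cmake | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
          # Abort rather than publish a body with the placeholders left in.
          if [ -z "$LIBS_VERS" ] || [ -z "$DRIVER_VERS" ]; then
            echo "could not extract the libs and/or driver version from the cmake modules"
            exit 1
          fi
          sed -i "s/LIBSVER/${LIBS_VERS}/g" release-body.md
          sed -i "s/DRIVERVER/${DRIVER_VERS}/g" release-body.md

      - name: Append release matrixes
        # Passed through the environment so the values never become part of the sed script text.
        env:
          BUCKET_SUFFIX: ${{ needs.release-settings.outputs.bucket_suffix }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          sed -i "s/FALCOBUCKET/${BUCKET_SUFFIX}/g" release-body.md
          sed -i "s/FALCOVER/${TAG_NAME}/g" release-body.md

      - name: Generate release notes
        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md

      - name: Merge release notes to pre existent body
        run: cat notes.md >> release-body.md

      - name: Attach release creator to release body
        env:
          RELEASE_AUTHOR: ${{ github.event.release.author.login }}
        run: |
          echo "" >> release-body.md
          echo "#### Release Manager @${RELEASE_AUTHOR}" >> release-body.md

      - name: Download debug symbols for Falco x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ github.event.release.tag_name }}-x86_64.debug

      - name: Rename x86_64 debug symbols
        run: mv falco.debug falco-x86_64.debug

      - name: Download debug symbols for Falco aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ github.event.release.tag_name }}-aarch64.debug

      - name: Rename aarch64 debug symbols
        run: mv falco.debug falco-aarch64.debug

      - name: Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          body_path: ./release-body.md
          tag_name: ${{ github.event.release.tag_name }}
          name: ${{ github.event.release.name }}
          files: |
            falco-x86_64.debug
            falco-aarch64.debug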
reusable_build_dev perms .github/workflows/reusable_build_dev.yaml
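# Reusable build-and-test workflow, called from the CI workflows of this repository (e.g. ci.yml).
# It builds Falco against system dependencies, runs the unit tests and optionally runs a
# caller-supplied command, exposing that command's output as `cmdout`.
on:
  workflow_call:
    outputs:
      cmdout:
        description: "Post-build command output"
        value: ${{ jobs.build-and-test.outputs.cmdout }}
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      minimal:
        description: Minimal build
        required: true
        type: boolean
      sanitizers:
        description: Enable sanitizer support
        required: false
        default: false
        type: boolean
      build_type:
        description: One of 'Debug' or 'Release'
        required: true
        type: string
      git_ref:
        description: Git ref used for checking out the code
        required: true
        type: string
      cmd:
        description: If defined, this command is executed after a successful build and its output is set in the `cmdout` output
        required: false
        default: ''
        type: string

permissions:
  contents: read

jobs:
  build-and-test:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    outputs:
      cmdout: ${{ steps.run_cmd.outputs.out }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ inputs.git_ref }}

      - name: Update base image
        run: sudo apt update -y

      - name: Install build dependencies
        run: sudo DEBIAN_FRONTEND=noninteractive apt install libelf-dev libyaml-cpp-dev cmake build-essential git -y

      # Only non-minimal builds need these: they also build the driver (see BUILD_DRIVER below).
      - name: Install build dependencies (non-minimal)
        if: inputs.minimal != true
        run: sudo DEBIAN_FRONTEND=noninteractive apt install libssl-dev libc-ares-dev rpm libcurl4-openssl-dev linux-headers-$(uname -r) clang llvm -y

      # Minimal builds skip the driver; ASan and UBSan are switched on together.
      # Note the space before the first line continuation: `-S .\` would glue the
      # backslash to the source directory argument.
      - name: Prepare project
        run: |
          cmake -B build -S . \
            -DBUILD_FALCO_UNIT_TESTS=On \
            -DCMAKE_BUILD_TYPE=${{ inputs.build_type }} \
            -DBUILD_FALCO_MODERN_BPF=Off \
            -DBUILD_DRIVER=${{ inputs.minimal == true && 'OFF' || 'ON' }} \
            -DMINIMAL_BUILD=${{ inputs.minimal == true && 'ON' || 'OFF' }} \
            -DUSE_ASAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
            -DUSE_UBSAN=${{ inputs.sanitizers == true && 'ON' || 'OFF' }} \
            -DUSE_BUNDLED_DEPS=Off \
            -DUSE_BUNDLED_NLOHMANN_JSON=On \
            -DUSE_BUNDLED_CXXOPTS=On \
            -DUSE_BUNDLED_CPPHTTPLIB=On

      - name: Build
        run: KERNELDIR=/lib/modules/$(uname -r)/build cmake --build build -j4

      - name: Run unit tests
        working-directory: build
        run: sudo ./unit_tests/falco_unit_tests

      # `cmd` is spliced into this script verbatim and executed, i.e. it is code:
      # it must only ever come from a workflow in this repository, never from event data.
      - name: Run command
        id: run_cmd
        if: inputs.cmd != ''
        run: |
          OUT=$(${{ inputs.cmd }})
          echo "out=${OUT}" >> "$GITHUB_OUTPUT"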
reusable_build_docker perms .github/workflows/reusable_build_docker.yaml
Triggers
workflow_call
Runs on
${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
Jobs
build-docker
Actions
docker/setup-buildx-action
Commands
  • docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \ --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \ --build-arg TARGETARCH=${TARGETARCH} \ . docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar
  • docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \ --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \ --build-arg TARGETARCH=${TARGETARCH} \ . docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar
  • docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \ --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \ --build-arg TARGETARCH=${TARGETARCH} \ . docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar
  • docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \ --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \ --build-arg FALCO_VERSION=${{ inputs.version }} \ --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \ --build-arg TARGETARCH=${TARGETARCH} \ . docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar
# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      # Also selects the runner and the TARGETARCH build argument.
      arch:
        type: string
        required: true
        description: "x86_64 or aarch64"
      # Appended to the VERSION_BUCKET build argument (bin<suffix> / deb<suffix>).
      bucket_suffix:
        type: string
        required: false
        default: ""
        description: "bucket suffix for packages"
      version:
        type: string
        required: true
        description: "The Falco version to use when building images"
      # Images are tagged <arch>-<tag> (plus -debian / -buster variants).
      tag:
        type: string
        required: true
        description: 'The tag to use (e.g. "master" or "0.35.0")'

# This workflow only builds: every image is saved as a tarball and uploaded as an
# artifact, which reusable_publish_docker later downloads and pushes. No
# arch-specific image is published from here.

# Read-only token is all the build job needs.
permissions:
  contents: read

jobs:
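  build-docker:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    env:
      # Docker's name for the architecture, handed to the Dockerfiles as TARGETARCH.
      TARGETARCH: ${{ (inputs.arch == 'aarch64' && 'arm64') || 'amd64' }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      # Each build step tags the image <arch>-<tag> and saves it under /tmp/falco-*.tar;
      # the `docker save` line is a separate command, not part of the build invocation.
      - name: Build falco image
        run: |
          docker build -f docker/falco/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg VERSION_BUCKET=bin${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-${{ inputs.arch }}.tar

      - name: Build falco-debian image
        run: |
          docker build -f docker/falco-debian/Dockerfile -t docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian \
            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco:${{ inputs.arch }}-${{ inputs.tag }}-debian --output /tmp/falco-${{ inputs.arch }}-debian.tar

      # The driver-loader image builds on the falco image tagged in the same run.
      - name: Build falco-driver-loader image
        run: |
          docker build -f docker/driver-loader/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg FALCO_IMAGE_TAG=${{ inputs.arch }}-${{ inputs.tag }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-${{ inputs.arch }}.tar

      - name: Build falco-driver-loader-buster image
        run: |
          docker build -f docker/driver-loader-buster/Dockerfile -t docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster \
            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
            --build-arg FALCO_VERSION=${{ inputs.version }} \
            --build-arg FALCO_COMMIT_SHA=${{ github.sha }} \
            --build-arg TARGETARCH=${TARGETARCH} \
            .
          docker save docker.io/falcosecurity/falco-driver-loader:${{ inputs.arch }}-${{ inputs.tag }}-buster --output /tmp/falco-driver-loader-${{ inputs.arch }}-buster.tar

      # Picked up by reusable_publish_docker under the same artifact name.
      - name: Upload images tarballs
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-images-${{ inputs.arch }}
          path: /tmp/falco-*.tar
          retention-days: 1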
reusable_build_packages perms .github/workflows/reusable_build_packages.yaml
Triggers
workflow_call
Runs on
${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}, ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}, ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}, ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}, ubuntu-latest, ubuntu-22.04, windows-latest, macos-latest
Jobs
build-modern-bpf-skeleton, build-packages-release, build-packages-debug, build-packages-sanitizers, build-musl-package, build-wasm-package, build-win32-package, build-macos-package
Actions
falcosecurity/libs/.github/actions/install-zig, falcosecurity/libs/.github/actions/install-zig
Commands
  • dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf automake
  • cmake -B skeleton-build -S . \ -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }} cmake --build skeleton-build --target ProbeSkeleton -j6
  • sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien
  • wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm
  • cmake -B build -S . \ -DCMAKE_BUILD_TYPE=RelWithDebInfo \ -DUSE_BUNDLED_DEPS=On \ -DFALCO_ETC_DIR=/etc/falco \ -DMODERN_BPF_SKEL_DIR=/tmp \ -DBUILD_DRIVER=Off \ -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \ -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \ -DFALCO_VERSION=${{ inputs.version }}
  • cmake --build build --target falco -j6
  • cmake --build build --target package
  • sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm
# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      # Also selects the runner; the musl/wasm/win32/macos jobs only run for x86_64.
      arch:
        type: string
        required: true
        description: "x86_64 or aarch64"
      version:
        type: string
        required: true
        description: "The Falco version to use when building packages"
      # Gates the build-packages-debug job.
      enable_debug:
        type: boolean
        required: false
        default: false
        description: "Also create a debug build"
      # Gates the build-packages-sanitizers job.
      enable_sanitizers:
        type: boolean
        required: false
        default: false
        description: "Also create a sanitizer build"
      use_jemalloc:
        type: boolean
        required: false
        default: false
        description: "Use jemalloc memory allocator"
      use_mimalloc:
        type: boolean
        required: false
        default: false
        description: "Use mimalloc memory allocator"

# Workflow-level default: read-only token; no job in this file raises it.
permissions:
  contents: read

jobs:
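  build-modern-bpf-skeleton:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    # `fedora:41` is a mutable tag; pin a digest if the skeleton build must be reproducible.
    container: fedora:41
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      # (`automake` was listed twice in the package set; the duplicate is dropped.)
      - name: Install build dependencies
        run: |
          dnf install -y bpftool ca-certificates cmake make automake gcc gcc-c++ kernel-devel clang git pkg-config autoconf

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Only the ProbeSkeleton target is built here; the package jobs consume the header.
      - name: Build modern BPF skeleton
        run: |
          cmake -B skeleton-build -S . \
                -DUSE_BUNDLED_DEPS=ON -DCREATE_TEST_TARGETS=Off -DFALCO_VERSION=${{ inputs.version }}
          cmake --build skeleton-build --target ProbeSkeleton -j6

      # Downloaded by the build-packages-* jobs into /tmp (MODERN_BPF_SKEL_DIR).
      - name: Upload skeleton
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: skeleton-build/skel_dir/bpf_probe.skel.h
          retention-days: 1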

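  build-packages-release:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    # Consumes the bpf_probe_<arch>.skel.h artifact produced by build-modern-bpf-skeleton.
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm alien

      # The RPM is fetched over HTTPS from a third-party mirror and installed
      # system-wide via alien with no checksum verification: the download is
      # version-pinned, not content-pinned. Checking a known SHA256 before the
      # install would close that gap.
      - name: Install systemd rpm macros
        run: |
          wget https://www.rpmfind.net/linux/centos-stream/9-stream/BaseOS/${{ inputs.arch }}/os/Packages/systemd-rpm-macros-252-59.el9.noarch.rpm
          sudo alien -d -i systemd-rpm-macros-252-59.el9.noarch.rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Lands in /tmp, which MODERN_BPF_SKEL_DIR below points at.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      # No `if:` here on purpose: the old guard `inputs.sanitizers == false`
      # referenced an input this workflow does not declare (the sanitizer build is
      # the separate build-packages-sanitizers job), so it compared null with
      # false and always held. Behaviour is unchanged, the dead reference is gone.
      # Unlike the other actions in this file, this one is pulled from a moving
      # branch ref rather than a commit SHA.
      - name: Install zig
        uses: falcosecurity/libs/.github/actions/install-zig@master

      - name: Prepare project
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=RelWithDebInfo \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz

      - name: Upload Falco deb package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.deb
          path: |
            ${{ github.workspace }}/build/falco-*.deb

      - name: Upload Falco rpm package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.rpm
          path: |
            ${{ github.workspace }}/build/falco-*.rpm

      # Split debug symbols from the RelWithDebInfo build, uploaded separately.
      - name: Upload Falco debug symbols
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}.debug
          path: |
            ${{ github.workspace }}/build/userspace/falco/falco.debug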

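  build-packages-debug:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-22.04' }}
    # Optional: only runs when the caller sets enable_debug.
    if: ${{ inputs.enable_debug == true }}
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Lands in /tmp, which MODERN_BPF_SKEL_DIR below points at.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      # No `if:` here on purpose: the old guard `inputs.sanitizers == false`
      # referenced an input this workflow does not declare, so it compared null
      # with false and always held. Behaviour is unchanged, the dead reference is gone.
      # This action is pulled from a moving branch ref rather than a commit SHA.
      - name: Install zig
        uses: falcosecurity/libs/.github/actions/install-zig@master

      - name: Prepare project
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=Debug \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
              -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      # Only the tarball is published for the debug flavour.
      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}-debug.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz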

  build-packages-sanitizers:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    # Optional ASAN flavour: only runs when the caller sets enable_sanitizers.
    if: ${{ inputs.enable_sanitizers == true }}
    needs: [build-modern-bpf-skeleton]
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build deps
        run: |
          sudo apt update && sudo apt install -y --no-install-recommends ca-certificates cmake curl wget build-essential git pkg-config autoconf automake libtool m4 rpm

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      # Lands in /tmp, which MODERN_BPF_SKEL_DIR below points at.
      - name: Download skeleton
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: bpf_probe_${{ inputs.arch }}.skel.h
          path: /tmp

      # No zig install step here, unlike the release and debug jobs.
      - name: Prepare project
        # Jemalloc and ASAN don't play very well together, so both custom
        # allocators are forced off regardless of the use_jemalloc/use_mimalloc inputs.
        run: |
          cmake -B build -S . \
              -DCMAKE_BUILD_TYPE=Debug \
              -DUSE_BUNDLED_DEPS=On \
              -DFALCO_ETC_DIR=/etc/falco \
              -DMODERN_BPF_SKEL_DIR=/tmp \
              -DBUILD_DRIVER=Off \
              -DUSE_JEMALLOC=Off \
              -DUSE_MIMALLOC=Off \
              -DUSE_ASAN=On \
              -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target falco -j6

      - name: Build packages
        run: |
          cmake --build build --target package

      # Only the tarball is published for the sanitizer flavour.
      - name: Upload Falco tar.gz package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-${{ inputs.arch }}-sanitizers.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-*.tar.gz

  build-musl-package:
    # x86_64 only for now
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: ubuntu-latest
    # Static (musl) build runs inside an Alpine container. `alpine:3.17` is a
    # mutable tag; pin a digest if the build must be reproducible.
    container: alpine:3.17
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      # bpftool is built from source at tag v7.3.0; a tag is not immutable, so
      # pinning the resolved commit would make this step harder to tamper with.
      - name: Install build dependencies
        run: |
          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils clang llvm
          git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
          cd bpftool
          git submodule update --init
          cd src && make install

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # No BPF skeleton is downloaded here; the driver is disabled and the
      # TGZ generator is selected explicitly.
      - name: Prepare project
        run: |
          cmake -B build -S . \
                -DCMAKE_BUILD_TYPE=Release \
                -DCPACK_GENERATOR=TGZ \
                -DBUILD_DRIVER=Off \
                -DUSE_JEMALLOC=${{ inputs.use_jemalloc }} \
                -DUSE_MIMALLOC=${{ inputs.use_mimalloc }} \
                -DUSE_BUNDLED_DEPS=On \
                -DMUSL_OPTIMIZED_BUILD=On \
                -DFALCO_ETC_DIR=/etc/falco \
                -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build -j6

      - name: Build packages
        run: |
          cmake --build build -j6 --target package

      # CPack names the tarball like the glibc one; rename so the two do not collide.
      - name: Rename static package
        run: |
          cd build
          mv falco-${{ inputs.version }}-x86_64.tar.gz falco-${{ inputs.version }}-static-x86_64.tar.gz

      - name: Upload Falco static package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-${{ inputs.version }}-static-x86_64.tar.gz

  build-wasm-package:
    # WebAssembly build via emscripten; x86_64 runner only.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: ubuntu-22.04
    steps:
      # Always install deps before invoking checkout action, to properly perform a full clone.
      - name: Install build dependencies
        run: |
          sudo apt update
          sudo DEBIAN_FRONTEND=noninteractive apt install cmake build-essential git emscripten -y

      # Node is used below to run the emscripten-built unit tests. Node 14 is out
      # of upstream support; confirm whether the emscripten output still requires it.
      - name: Select node version
        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
        with:
          node-version: 14

      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # emcmake wraps cmake with the emscripten toolchain; no driver options apply here.
      - name: Prepare project
        run: |
          emcmake cmake -B build -S . \
            -DCMAKE_BUILD_TYPE=Release \
            -DUSE_BUNDLED_DEPS=On \
            -DFALCO_ETC_DIR=/etc/falco \
            -DBUILD_FALCO_UNIT_TESTS=On \
            -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cd build
          emmake make -j6 all

      - name: Run unit Tests
        run: |
          cd build
          node ./unit_tests/falco_unit_tests.js

      - name: Build packages
        run: |
          cd build
          emmake make -j6 package

      - name: Upload Falco WASM package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-wasm.tar.gz
          path: |
            ${{ github.workspace }}/build/falco-${{ inputs.version }}-wasm.tar.gz

  build-win32-package:
    # Minimal Windows build; x86_64 only.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: windows-latest
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      # NSIS is needed for the installer produced by the package target. The
      # Chocolatey package is not version-pinned, so the installer toolchain can
      # change between runs.
      - name: Install NSIS
        run: choco install nsis -y

      # NOTE: Backslash doesn't work as line continuation on Windows.
      - name: Prepare project
        run: |
          cmake -B build -S . -DCMAKE_BUILD_TYPE=Release -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      # Visual Studio generators are multi-config, hence the explicit --config.
      - name: Build project
        run: |
          cmake --build build --target package --config Release

      - name: Run unit Tests
        run: |
          build/unit_tests/Release/falco_unit_tests.exe

      - name: Upload Falco win32 installer
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-installer-Release-win32.exe
          path: build/falco-*.exe

      # The bare binary, in addition to the installer above.
      - name: Upload Falco win32 package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-Release-win32.exe
          path: |
            ${{ github.workspace }}/build/userspace/falco/Release/falco.exe

  build-macos-package:
    # Minimal macOS build; x86_64 only.
    if: ${{ inputs.arch == 'x86_64' }}
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      - name: Prepare project
        run: |
          cmake -B build -S . \
                -DMINIMAL_BUILD=On -DUSE_BUNDLED_DEPS=On -DBUILD_FALCO_UNIT_TESTS=On -DFALCO_VERSION=${{ inputs.version }}

      - name: Build project
        run: |
          cmake --build build --target package

      # Unit tests are run as root, matching the Linux jobs.
      - name: Run unit Tests
        run: |
          sudo build/unit_tests/falco_unit_tests

      # Despite the step name, the artifact is the bare falco binary, not a package.
      - name: Upload Falco macos package
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: falco-${{ inputs.version }}-macos
          path: |
            ${{ github.workspace }}/build/userspace/falco/falco
reusable_fetch_version perms .github/workflows/reusable_fetch_version.yaml
Triggers
workflow_call
Runs on
ubuntu-latest
Jobs
fetch-version
Commands
  • sudo apt update sudo apt install -y cmake build-essential
  • cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off
  • FALCO_VERSION=$(cat build/userspace/falco/config_falco.h | grep 'FALCO_VERSION ' | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//') echo "version=${FALCO_VERSION}" >> $GITHUB_OUTPUT
# This is a reusable workflow used by master and release CI
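on:
  workflow_call:
    outputs:
      # Version string as read from build/userspace/falco/config_falco.h after configure.
      version:
        description: "Falco version"
        value: ${{ jobs.fetch-version.outputs.version }}

# Read-only token is all this workflow needs.
permissions:
  contents: read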

jobs:
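  # We need to use an ubuntu-latest to fetch Falco version because
  # Falco version is computed by some cmake scripts that do git sorceries
  # to get the current version.
  # But centos7 jobs have a git version too old and actions/checkout does not
  # fully clone the repo, but uses http rest api instead.
  fetch-version:
    runs-on: ubuntu-latest
    # Map the job outputs to step outputs
    outputs:
      version: ${{ steps.store_version.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          # Full history so the cmake version scripts can inspect git.
          fetch-depth: 0

      - name: Install build dependencies
        run: |
          sudo apt update
          sudo apt install -y cmake build-essential

      # Configure only; generating config_falco.h is all that is needed.
      - name: Configure project
        run: |
          cmake -B build -S . -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off

      # Reads the `FALCO_VERSION "x.y.z"` define and strips the quotes.
      - name: Load and store Falco version output
        id: store_version
        run: |
          FALCO_VERSION=$(grep 'FALCO_VERSION ' build/userspace/falco/config_falco.h | cut -d' ' -f3 | sed -e 's/^"//' -e 's/"$//')
          echo "version=${FALCO_VERSION}" >> "$GITHUB_OUTPUT"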
reusable_publish_docker perms .github/workflows/reusable_publish_docker.yaml
Triggers
workflow_call
Runs on
ubuntu-latest
Jobs
publish-docker
Actions
docker/setup-buildx-action, docker/login-action, aws-actions/configure-aws-credentials, aws-actions/amazon-ecr-login, imjasonh/setup-crane, Noelware/docker-manifest-action, Noelware/docker-manifest-action, Noelware/docker-manifest-action, Noelware/docker-manifest-action, sigstore/cosign-installer, actions/attest-build-provenance, actions/attest-build-provenance
Commands
  • for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
  • docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }} docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
  • echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT
  • crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
  • crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster
  • cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }} cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }} cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }} cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }} cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }} cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }} cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }} cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
# This is a reusable workflow used by master and release CI
on:
  workflow_call:
    inputs:
      # Image tag to push; arch-specific images are expected as <arch>-<tag>.
      tag:
        type: string
        required: true
        description: "The tag to push"
      is_latest:
        type: boolean
        required: false
        default: false
        description: "Update the latest tag with the new image"
      sign:
        type: boolean
        required: false
        default: false
        description: "Add signature with cosign"

# Workflow-level default is read-only; the publish job raises
# id-token/attestations on its own.
permissions:
  contents: read

jobs:
  publish-docker:
    runs-on: ubuntu-latest

    permissions:
      attestations: write
      id-token: write
      contents: read

    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

      - name: Download x86_64 images tarballs
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-images-x86_64
          path: /tmp/falco-images

      - name: Download aarch64 images tarballs
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-images-aarch64
          path: /tmp/falco-images

      - name: Load all images
        run: |
          for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done

      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.

      - name: Login to Amazon ECR
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
        with:
          registry-type: public

      - name: Setup Crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
        with:
          version: v0.15.1

      # We're pushing the arch-specific manifests to Docker Hub so that we'll be able to easily create the index/multiarch later
      - name: Push arch-specific images to Docker Hub
        run: |
          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian
          docker push docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
          docker push docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster
          docker push docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster

      - name: Create Falco manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}
          push: true

      - name: Create falco-debian manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
          push: true

      - name: Create falco-driver-loader manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}
          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}
          push: true

      - name: Create falco-driver-loader-buster manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
          inputs: docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster
          images: docker.io/falcosecurity/falco-driver-loader:aarch64-${{ inputs.tag }}-buster,docker.io/falcosecurity/falco-driver-loader:x86_64-${{ inputs.tag }}-buster
          push: true

      - name: Get Digests for images
        id: digests
        # We could probably use the docker-manifest-action output instead of recomputing those with crane
        run: |
          echo "falco=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco-debian=$(crane digest docker.io/falcosecurity/falco:${{ inputs.tag }}-debian)" >> $GITHUB_OUTPUT
          echo "falco-driver-loader=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }})" >> $GITHUB_OUTPUT
          echo "falco-driver-loader-buster=$(crane digest docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster)" >> $GITHUB_OUTPUT

      - name: Publish images to ECR
        run: |
          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco:${{ inputs.tag }}-debian public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian
          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}
          crane copy docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster

      - name: Tag latest on Docker Hub and ECR
        if: inputs.is_latest
        run: |
          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
          crane tag docker.io/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster

          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco:${{ inputs.tag }}-debian latest-debian
          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }} latest
          crane tag public.ecr.aws/falcosecurity/falco-driver-loader:${{ inputs.tag }}-buster latest-buster

      - name: Setup Cosign
        if: inputs.sign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Sign images with cosign
        if: inputs.sign
        env:
          COSIGN_EXPERIMENTAL: "true"
          COSIGN_YES: "true"
        run: |
          cosign sign docker.io/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
          cosign sign docker.io/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
          cosign sign docker.io/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign docker.io/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}

          cosign sign public.ecr.aws/falcosecurity/falco:latest@${{ steps.digests.outputs.falco }}
          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}

      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco
          subject-digest: ${{ steps.digests.outputs.falco }}
          push-to-registry: true

      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco-driver-loader
          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
          push-to-registry: true
reusable_publish_packages perms .github/workflows/reusable_publish_packages.yaml
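# This is a reusable workflow used by master and release CI.
#
# Publishes the Falco packages built earlier in the calling workflow (RPM, DEB,
# binary tarballs, static tarball, WASM bundle) to the download buckets via the
# in-repo ./scripts/publish-* helpers. Packages / repository metadata are
# signed with the GPG key from the GPG_KEY secret. S3 is reached through an
# IAM role assumed with the job's OIDC token, so no static AWS keys are used.
on:
  workflow_call:
    inputs:
      version:
        description: The Falco version to use when publishing packages
        required: true
        type: string
      bucket_suffix:
        description: bucket suffix for packages
        required: false
        default: ''
        type: string

# id-token is required by both jobs for the OIDC role assumption below.
permissions:
  id-token: write
  contents: read

env:
  AWS_S3_REGION: eu-west-1
  AWS_CLOUDFRONT_DIST_ID: E1CQNPFWRXLGQD
  # The workflow_call inputs are exported once and the shell steps use
  # "${VERSION}" / "${BUCKET_SUFFIX}" instead of interpolating the expression
  # into script text, so an unexpected input value cannot alter the commands
  # that run (expression injection). Action `with:` inputs still use the
  # expressions directly, which is safe because no shell interprets them.
  VERSION: ${{ inputs.version }}
  BUCKET_SUFFIX: ${{ inputs.bucket_suffix }}

jobs:
  publish-packages:
    runs-on: ubuntu-latest
    # NOTE(review): `fedora:38` is a mutable tag. Pinning the image by digest
    # (image@sha256:...) would make the publishing environment reproducible and
    # satisfy Scorecard's Pinned-Dependencies check; the digest has to be
    # chosen and kept current by the maintainers, so it is not changed here.
    container: docker.io/library/fedora:38
    steps:
      # NOTE(review): the publish scripts only need the checked-out tree; if
      # none of them runs git against the remote, `persist-credentials: false`
      # would keep the (read-only) GITHUB_TOKEN out of .git/config.
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Install dependencies
        run: |
          dnf install rpm-sign expect which createrepo gpg python python-pip -y
          pip install awscli==1.29.60

      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
      # The role ARN is derived from bucket_suffix, which is how that split is enforced.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
          aws-region: ${{ env.AWS_S3_REGION }}

      # download-artifact v4 only resolves artifacts of the current workflow
      # run, so everything published below was built by the calling workflow.
      - name: Download RPM x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.rpm
          path: /tmp/falco-build-rpm

      - name: Download RPM aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.rpm
          path: /tmp/falco-build-rpm

      - name: Download binary x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.tar.gz
          path: /tmp/falco-build-bin

      - name: Download binary aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.tar.gz
          path: /tmp/falco-build-bin

      - name: Download static binary x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-static-x86_64.tar.gz
          path: /tmp/falco-build-bin-static

      - name: Download WASM package
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-wasm.tar.gz
          path: /tmp/falco-wasm

      # The private key is piped from an environment variable rather than
      # passed as an argument, so it does not appear in process listings or
      # logs; it lands in the container's GnuPG keyring, which is discarded
      # with the job.
      - name: Import gpg key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: printenv GPG_KEY | gpg --import -

      - name: Publish wasm
        run: |
          ./scripts/publish-wasm -f "/tmp/falco-wasm/falco-${VERSION}-wasm.tar.gz"

      - name: Publish rpm
        run: |
          ./scripts/publish-rpm -f "/tmp/falco-build-rpm/falco-${VERSION}-x86_64.rpm" -f "/tmp/falco-build-rpm/falco-${VERSION}-aarch64.rpm" -r "rpm${BUCKET_SUFFIX}"

      - name: Publish bin
        run: |
          ./scripts/publish-bin -f "/tmp/falco-build-bin/falco-${VERSION}-x86_64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a x86_64
          ./scripts/publish-bin -f "/tmp/falco-build-bin/falco-${VERSION}-aarch64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a aarch64

      - name: Publish static
        run: |
          ./scripts/publish-bin -f "/tmp/falco-build-bin-static/falco-${VERSION}-static-x86_64.tar.gz" -r "bin${BUCKET_SUFFIX}" -a x86_64

  publish-packages-deb:
    runs-on: ubuntu-latest
    # NOTE(review): `debian:stable` is a floating tag that silently moves to the
    # next Debian release; pin by digest (or at least by codename) for a
    # reproducible publishing environment. Not changed here for the same
    # reason as above.
    container: docker.io/debian:stable
    steps:
      # NOTE(review): see the checkout note in the RPM job about
      # `persist-credentials: false`.
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

      - name: Install dependencies
        run: |
          apt update -y
          apt-get install apt-utils bzip2 gpg awscli -y

      # Configure AWS role; see https://github.com/falcosecurity/test-infra/pull/1102
      # Note: master CI can only push dev packages as we have 2 different roles for master and release.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco${{ inputs.bucket_suffix }}-s3"
          aws-region: ${{ env.AWS_S3_REGION }}

      - name: Download deb x86_64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-x86_64.deb
          path: /tmp/falco-build-deb

      - name: Download deb aarch64
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}-aarch64.deb
          path: /tmp/falco-build-deb

      # Same handling of the signing key as in the RPM job above.
      - name: Import gpg key
        env:
          GPG_KEY: ${{ secrets.GPG_KEY }}
        run: printenv GPG_KEY | gpg --import -

      - name: Publish deb
        run: |
          ./scripts/publish-deb -f "/tmp/falco-build-deb/falco-${VERSION}-x86_64.deb" -f "/tmp/falco-build-deb/falco-${VERSION}-aarch64.deb" -r "deb${BUCKET_SUFFIX}"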
reusable_test_packages perms .github/workflows/reusable_test_packages.yaml
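# This is a reusable workflow used by master and release CI.
#
# Installs a Falco binary tarball produced earlier in the calling workflow onto
# a fresh runner and runs the falcosecurity/testing suite against it. The
# tarball contents are copied straight over the runner's root filesystem, so
# this must only ever run on an ephemeral (throw-away) runner.
on:
  workflow_call:
    inputs:
      arch:
        description: x86_64 or aarch64
        required: true
        type: string
      static:
        description: Falco packages use a static build
        required: false
        type: boolean
        default: false
      version:
        description: The Falco version to use when testing packages
        required: true
        type: string
      sanitizers:
        description: Use sanitizer enabled build
        required: false
        default: false
        type: boolean

permissions:
  contents: read

env:
  # Exported once; the shell step below uses "${VERSION}" / "${ARCH}" rather
  # than interpolating the expressions into script text (expression injection
  # hardening). `runs-on` and `with:` keep using the expressions, which is
  # safe because no shell interprets them.
  VERSION: ${{ inputs.version }}
  ARCH: ${{ inputs.arch }}

jobs:
  test-packages:
    # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
    runs-on: ${{ (inputs.arch == 'aarch64' && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
    steps:
      # download-artifact v4 only resolves artifacts of the current run, so the
      # tarball installed below is the one the calling workflow just built.
      # The artifact name carries the -static / -sanitizers variant markers;
      # the directory inside the tarball does not (see the `cd` below).
      - name: Download binary
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: falco-${{ inputs.version }}${{ inputs.static && '-static' || '' }}-${{ inputs.arch }}${{ inputs.sanitizers == true && '-sanitizers' || '' }}.tar.gz

      # The extracted tree is copied over / with sudo (it presumably mirrors
      # the root filesystem layout). This is intentionally destructive and
      # relies on the runner being discarded after the job.
      - name: Install Falco package
        run: |
          ls falco-*.tar.gz
          tar -xvf falco-*.tar.gz
          cd "falco-${VERSION}-${ARCH}"
          sudo cp -r * /

      - name: Install kernel headers for falco-driver-loader tests
        run: |
          sudo apt update -y
          sudo apt install -y --no-install-recommends linux-headers-$(uname -r)

      # Sanitizer builds need the ASan/UBSan runtime libraries; they are only
      # installed when the build under test was made with sanitizers enabled.
      - name: Install sanitizer support
        if: inputs.sanitizers
        run: |
          sudo apt update -y
          sudo apt install -y libasan5 libubsan1

      # NOTE(review): `falcosecurity/testing@main` tracks a branch rather than a
      # commit SHA, so the test suite floats between runs and is the one
      # unpinned action in this workflow. It is the project's own repository,
      # but pinning to a SHA (Scorecard Pinned-Dependencies) would make runs
      # reproducible; maintainers' call.
      - name: Run tests
        env:
          LSAN_OPTIONS: "intercept_tls_get_addr=0"
        uses: falcosecurity/testing@main
        with:
          test-falco: 'true'
          test-falcoctl: 'true'
          test-k8saudit: 'true'
          test-dummy: 'true'
          static: ${{ inputs.static && 'true' || 'false' }}
          test-drivers: 'true'
          show-all: 'true'
          report-name-suffix: ${{ inputs.static && '-static' || '' }}${{ inputs.sanitizers && '-sanitizers' || '' }}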
scorecard perms security .github/workflows/scorecard.yaml
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
#
# Runs the OpenSSF Scorecard checks against the repository, publishes the
# results to the OpenSSF API (badge) and uploads the SARIF to the code-scanning
# dashboard. The job needs no write access to the repository itself.

name: Scorecard supply-chain security
on:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    # Weekly on Mondays at 00:00.
    - cron: '0 0 * * 1'

  # The OSSF recommendation encourages to enable branch protection rules trigger
  # to update the scorecard
  # (https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection)
  # but due to our GitHub org management this check is triggered too often and is
  # therefore disabled.
  # branch_protection_rule:
  
  push:
    branches: [ "master" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read

    steps:
      # persist-credentials: false keeps the GITHUB_TOKEN out of .git/config;
      # nothing in this job needs git access to the remote after checkout.
      #
      # NOTE(review): this is pinned to a checkout v3.x SHA (Node 16 runtime)
      # while the other workflows in this repository use v4.x, and the
      # codeql-action step below is pinned to a v2.x SHA, a major that GitHub
      # has, to my knowledge, deprecated in favour of v3. Both should be bumped
      # to current pinned SHAs; not changed here because the new SHAs must be
      # looked up rather than guessed.
      - name: "Checkout code"
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}

          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          # Publishing is what needs `id-token: write` above (OIDC-authenticated
          # upload); the results of a public repo are public anyway.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      # (Requires `security-events: write`, granted at the job level above.)
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
        with:
          sarif_file: results.sarif

staticanalysis perms .github/workflows/staticanalysis.yaml
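# Runs cppcheck over every pull request and publishes the HTML report as an
# artifact. Nothing is pushed or published beyond that, so the job only needs
# read access. It is triggered by `pull_request` (not `pull_request_target`),
# so PRs from forks run with a read-only GITHUB_TOKEN and without repository
# secrets, which is what makes building untrusted PR code here acceptable.
name: StaticAnalysis
on:
  pull_request:
permissions:
  contents: read

jobs:
  staticanalysis:
    runs-on: ubuntu-22.04

    steps:
      # The PR head commit is checked out explicitly (rather than the default
      # merge ref), so cppcheck analyses the contributor's commit as submitted,
      # not the result of merging it into the base branch. fetch-depth: 0
      # pulls full history (presumably for version detection in the cmake
      # build; not verifiable from this file).
      - name: Checkout ⤵️
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
          # No step pushes or otherwise needs the token via git, so it is not
          # persisted into .git/config where the build could read it.
          persist-credentials: false

      - name: Install build dependencies ⛓️
        run: |
          sudo apt update -y
          sudo apt install build-essential git cppcheck cmake -y

      # Driver and test targets are left out: only the userspace sources are
      # analysed. Warnings are errors so the report cannot silently degrade.
      - name: Build and run cppcheck 🏎️
        run: |
          cmake -B build -S . \
                -DCMAKE_BUILD_TYPE="release" \
                -DUSE_BUNDLED_DEPS=On -DUSE_DYNAMIC_LIBELF=Off -DBUILD_WARNINGS_AS_ERRORS=ON -DCREATE_TEST_TARGETS=Off -DBUILD_DRIVER=Off
          cmake --build build -j4 --target cppcheck
          cmake --build build -j4 --target cppcheck_htmlreport

      - name: Upload reports ⬆️
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: static-analysis-reports
          path: ./build/static-analysis-reports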