ci: add zizmor scanning and harden workflows #48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| pull_request: | |
| branches: [main] | |
| env: | |
| BINK_VERSION: v0.1.1 | |
| permissions: {} | |
| concurrency: | |
| group: ci-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| unit: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true # zizmor: ignore[cache-poisoning] | |
| - name: Unit tests | |
| run: make unit | |
| - name: Vet | |
| run: make vet | |
| - name: Lint | |
| run: make lint | |
| e2e: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| permissions: | |
| contents: read | |
| packages: write | |
| env: | |
| IMAGE: ghcr.io/${{ github.repository }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Download bink release | |
| run: | | |
| sudo curl -fsSL -o /usr/local/bin/bink \ | |
| https://github.com/alicefr/bink/releases/download/${{ env.BINK_VERSION }}/bink | |
| sudo chmod +x /usr/local/bin/bink | |
| - name: Set up Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true # zizmor: ignore[cache-poisoning] | |
| - name: Set up KVM | |
| run: sudo chmod 666 /dev/kvm | |
| - name: Configure kernel | |
| run: | | |
| # Unload AppArmor profiles — the passt profile blocks remount | |
| # operations needed for passt's self-sandboxing inside containers. | |
| sudo aa-teardown 2>/dev/null || true | |
| # Allow unprivileged user namespace creation (needed by passt | |
| # inside containers). | |
| sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 | |
| - name: Enable KSM | |
| run: | | |
| sudo sh -c 'echo 1 > /sys/kernel/mm/ksm/run' | |
| sudo sh -c 'echo 5000 > /sys/kernel/mm/ksm/pages_to_scan' | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y podman | |
| - name: Start podman socket | |
| run: systemctl --user start podman.socket | |
| - name: Run e2e tests | |
| run: make buildimg deploy-bink e2e V=1 | |
| - name: Push to GHCR | |
| if: github.event_name == 'push' | |
| env: | |
| ACTOR: ${{ github.actor }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SHA: ${{ github.sha }} | |
| REF: ${{ github.ref }} | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| podman login -u "${ACTOR}" -p "${GH_TOKEN}" ghcr.io | |
| podman push bootc-operator:dev "${IMAGE}":dev | |
| podman push bootc-operator:dev "${IMAGE}":"${SHA}" | |
| if [[ "${REF}" == refs/tags/v* ]]; then | |
| podman push bootc-operator:dev "${IMAGE}":"${REF_NAME}" | |
| fi | |
| if [[ "${REF}" == refs/heads/main ]]; then | |
| podman push bootc-operator:dev "${IMAGE}":latest | |
| fi |