AppArmor: Add read permission for executables #7262
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: test | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
env: | |
GO_VERSION: '1.23' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: {} | |
jobs: | |
analyze: | |
permissions: | |
# write security-events is required by all codeql-action workflows | |
security-events: write | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: github/codeql-action/init@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.17.1 | |
with: | |
languages: go | |
- uses: github/codeql-action/autobuild@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.17.1 | |
- uses: github/codeql-action/analyze@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.17.1 | |
coverage: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install dependencies | |
run: sudo hack/install-packages | |
- run: make test-unit | |
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 | |
with: | |
files: build/coverage.out | |
flags: unittests | |
verbose: true | |
image: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- run: hack/install-crun | |
- run: make image | |
env: | |
XDG_RUNTIME_DIR: '' | |
- run: podman save -o image.tar security-profiles-operator | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: image | |
path: image.tar | |
e2e-fedora: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-fedora.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-fedora | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=60s nodes --all | |
$RUN kubectl get nodes -o wide | |
- name: Set up git config | |
run: | | |
$RUN git config --global --add safe.directory /vagrant | |
- name: Run E2E tests | |
run: $RUN hack/ci/e2e-fedora.sh | |
- name: Run Flaky E2E tests | |
continue-on-error: true | |
run: | | |
$RUN "echo \"export E2E_TEST_FLAKY_TESTS_ONLY=true\" >> /vagrant/hack/ci/env.sh" | |
$RUN hack/ci/e2e-fedora.sh | |
e2e-ubuntu: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-ubuntu.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-ubuntu | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=60s nodes --all | |
$RUN kubectl get nodes -o wide | |
- name: Set up git config | |
run: | | |
$RUN git config --global --add safe.directory /vagrant | |
- name: Run E2E tests | |
run: $RUN hack/ci/e2e-ubuntu.sh | |
- name: Run Flaky E2E tests | |
continue-on-error: true | |
run: | | |
$RUN "echo \"export E2E_TEST_FLAKY_TESTS_ONLY=true\" >> /vagrant/hack/ci/env.sh" | |
$RUN hack/ci/e2e-ubuntu.sh | |
e2e-flatcar: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-flatcar.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Vagrant box version | |
id: vagrant-box | |
run: | | |
echo "version=$(curl -s https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vagrant.json | jq '.versions[0].version' | tr -d '".')" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Upgrade vagrant box | |
run: | | |
ln -sf hack/ci/Vagrantfile-flatcar Vagrantfile | |
vagrant box update | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-flatcar | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=600s node localhost | |
$RUN kubectl get nodes -o wide | |
- name: Run E2E tests | |
run: $RUN hack/ci/e2e-flatcar-dev-container.sh | |
- name: Run Flaky E2E tests | |
continue-on-error: true | |
run: | | |
$RUN "echo \"export E2E_TEST_FLAKY_TESTS_ONLY=true\" >> /vagrant/hack/ci/env-flatcar.sh" | |
$RUN hack/ci/e2e-flatcar-dev-container.sh | |
e2e-spoc: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-debian.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-debian | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=60s nodes --all | |
$RUN kubectl get nodes -o wide | |
- name: Set up git config | |
run: | | |
$RUN git config --global --add safe.directory /vagrant | |
- name: Run spoc E2E tests | |
run: $RUN hack/ci/e2e-spoc.sh | |
e2e-seccomp-profile: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-ubuntu.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-ubuntu | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=60s nodes --all | |
$RUN kubectl get nodes -o wide | |
- name: Set up git config | |
run: | | |
$RUN git config --global --add safe.directory /vagrant | |
- name: Run E2E test to record seccomp profile | |
run: $RUN hack/ci/e2e-seccomp.sh | |
e2e-apparmor-profile: | |
needs: image | |
# TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 90 | |
env: | |
RUN: ./hack/ci/run-ubuntu.sh | |
steps: | |
- name: Set up vagrant | |
run: | | |
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg | |
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list | |
sudo apt-get update | |
sudo apt-get install -y vagrant virtualbox | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: image | |
path: . | |
- name: Boot Virtual Machine | |
run: make vagrant-up-debian | |
- name: Show environment information | |
run: | | |
$RUN kubectl wait --for=condition=ready --timeout=60s nodes --all | |
$RUN kubectl get nodes -o wide | |
- name: Set up git config | |
run: | | |
$RUN git config --global --add safe.directory /vagrant | |
- name: Run E2E test to record apparmor profile | |
run: $RUN hack/ci/e2e-apparmor.sh | |
typos: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: crate-ci/typos@b74202f74b4346efdbce7801d187ec57b266bac8 # v1.27.3 | |
with: | |
config: .typos.toml |