Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/arm64-build-smoke.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
runs-on: ubuntu-24.04-arm
timeout-minutes: 25
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Install dependencies
run: |
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/bpfcompat-example-hosted.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Report KVM acceleration status
shell: bash
Expand Down Expand Up @@ -95,7 +95,7 @@ jobs:

- name: Upload reports
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-reports-${{ github.run_id }}
if-no-files-found: warn
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/bpfcompat-example.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Verify KVM availability
shell: bash
Expand Down Expand Up @@ -64,7 +64,7 @@ jobs:

- name: Upload reports
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-reports-${{ github.run_id }}
if-no-files-found: warn
Expand Down
22 changes: 11 additions & 11 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,10 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: actions/setup-go@v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand All @@ -62,7 +62,7 @@ jobs:
- name: Coverage summary
run: go tool cover -func=coverage.out | tail -20
- name: Upload coverage artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
if: always()
with:
name: coverage-${{ github.run_id }}
Expand All @@ -74,16 +74,16 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: actions/setup-go@v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: golangci-lint (pull request diff)
if: github.event_name == 'pull_request'
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
with:
version: latest
args: --timeout=5m --new-from-rev=origin/main
Expand All @@ -99,7 +99,7 @@ jobs:
fi
- name: golangci-lint (push diff)
if: github.event_name != 'pull_request' && steps.push-diff-base.outputs.has_parent == 'true'
uses: golangci/golangci-lint-action@v9
uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
with:
version: latest
args: --timeout=5m --new-from-rev=HEAD~1
Expand All @@ -112,8 +112,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand All @@ -127,8 +127,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,16 +34,16 @@ jobs:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: "1.25.11"
cache: true

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
languages: go
# Go does not support build-mode: none; autobuild runs `go build`,
Expand All @@ -53,6 +53,6 @@ jobs:
queries: security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
category: "/language:go"
19 changes: 11 additions & 8 deletions .github/workflows/compatibility-matrix-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,9 @@ on:
required: false
default: "false"

# Least privilege at the top; write scopes are granted per-job below.
permissions:
contents: write
pages: write
id-token: write
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -25,9 +24,13 @@ jobs:
name: Publish compatibility matrix
runs-on: [self-hosted, linux, x64]
timeout-minutes: 60
permissions:
contents: write # attach matrix assets to tag releases
pages: write # deploy the compatibility site to GitHub Pages
id-token: write # OIDC for Pages deployment

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Verify KVM availability
shell: bash
Expand Down Expand Up @@ -75,7 +78,7 @@ jobs:

- name: Upload compatibility evidence
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-compatibility-matrix-${{ github.run_id }}
if-no-files-found: warn
Expand Down Expand Up @@ -113,14 +116,14 @@ jobs:

- name: Configure Pages
if: github.event_name == 'workflow_dispatch' && inputs.deploy_pages == 'true'
uses: actions/configure-pages@v6
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6

- name: Upload Pages artifact
if: github.event_name == 'workflow_dispatch' && inputs.deploy_pages == 'true'
uses: actions/upload-pages-artifact@v5
uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
with:
path: public/compatibility

- name: Deploy Pages
if: github.event_name == 'workflow_dispatch' && inputs.deploy_pages == 'true'
uses: actions/deploy-pages@v5
uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
2 changes: 1 addition & 1 deletion .github/workflows/firecracker-preflight.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
runs-on: [self-hosted, linux, x64, kvm]
timeout-minutes: 20
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Verify KVM
run: |
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/kernel-freshness.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: "1.25.11"
cache: true
Expand All @@ -55,7 +55,7 @@ jobs:

- name: Upload freshness report
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: kernel-freshness-${{ github.run_id }}
if-no-files-found: warn
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/latest-kernel-compatibility.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
VM_CONCURRENCY: ${{ github.event.inputs.concurrency || '2' }}

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Verify KVM availability
shell: bash
Expand Down Expand Up @@ -93,7 +93,7 @@ jobs:

- name: Upload latest-kernel evidence
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-latest-kernel-${{ github.run_id }}
if-no-files-found: warn
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/multiarch-compatibility.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ jobs:
timeout-minutes: 75

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6

- name: Verify runner virtualization
shell: bash
Expand Down Expand Up @@ -79,7 +79,7 @@ jobs:

- name: Upload multiarch evidence
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-${{ matrix.arch }}-${{ github.run_id }}
if-no-files-found: warn
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/profile-catalog-maintenance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,8 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: "1.25.11"
cache: true
Expand All @@ -40,7 +40,7 @@ jobs:

- name: Upload catalog evidence
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-profile-catalog-${{ github.run_id }}
if-no-files-found: warn
Expand Down
25 changes: 14 additions & 11 deletions .github/workflows/release-artifacts.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,19 +15,18 @@ name: release-artifacts
# bound to an env variable on the step (the documented safe pattern
# against workflow-injection). Untrusted contexts like commit messages
# or PR titles are never referenced here.
# - Actions are pinned to major version tags published by reputable orgs;
# we accept the standard GitHub-hosted runner trust boundary.
# - Actions are pinned by full commit SHA (with a version comment); we accept
# the standard GitHub-hosted runner trust boundary.

on:
push:
branches: [main]
tags: ["v*"]
workflow_dispatch:

# Least privilege at the top; write scopes are granted per-job below.
permissions:
contents: write # required to attach SBOM/release assets on tag builds
id-token: write # cosign keyless signing
packages: read
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -41,11 +40,15 @@ jobs:
name: Build, SBOM, sign
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: write # attach SBOM/release assets on tag builds
id-token: write # cosign keyless signing
packages: read
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- uses: actions/setup-go@v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true
Expand Down Expand Up @@ -94,14 +97,14 @@ jobs:
sha256sum bpfcompat > bpfcompat.sha256
sha256sum bpfcompat-linux-amd64 bpfcompat-validator-static-linux-amd64 > SHA256SUMS
- name: Generate SBOM (CycloneDX)
uses: anchore/sbom-action@v0
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
with:
path: .
format: cyclonedx-json
output-file: dist/bpfcompat.sbom.cdx.json
- name: Install cosign
if: startsWith(github.ref, 'refs/tags/v')
uses: sigstore/cosign-installer@v3
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
- name: Sign binary + SBOM (tag releases only)
if: startsWith(github.ref, 'refs/tags/v')
run: |
Expand All @@ -110,7 +113,7 @@ jobs:
cosign sign-blob --yes dist/SHA256SUMS --output-signature dist/SHA256SUMS.sig --output-certificate dist/SHA256SUMS.crt
cosign sign-blob --yes dist/bpfcompat.sbom.cdx.json --output-signature dist/bpfcompat.sbom.cdx.sig --output-certificate dist/bpfcompat.sbom.cdx.crt
- name: Upload artifacts
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: bpfcompat-release-${{ steps.meta.outputs.version }}
path: |
Expand All @@ -132,7 +135,7 @@ jobs:
# The action consumes these assets at run time to skip building from
# source: bpfcompat-linux-amd64, bpfcompat-validator-static-linux-amd64,
# and SHA256SUMS for verification.
uses: softprops/action-gh-release@v3
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
with:
files: |
dist/bpfcompat-linux-amd64
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,25 +34,25 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@v2.4.3
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload artifact
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: scorecard-results
path: results.sarif
retention-days: 5

- name: Upload to code scanning
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
sarif_file: results.sarif
Loading
Loading