falcosecurity · poiana · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -49,7 +49,7 @@ jobs:
           rm -rf /tmp/cmake-3.22.5-linux-$(uname -m)/
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -100,7 +100,7 @@ jobs:
           apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -119,7 +119,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -169,7 +169,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -184,7 +184,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -221,7 +221,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -301,15 +301,15 @@ jobs:
           sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
-          
+
       - name: Fix kernel mmap rnd bits
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
         # high-entropy ASLR in much newer kernels that GitHub runners are
         # using leading to random crashes: https://reviews.llvm.org/D148280
-        run: sudo sysctl vm.mmap_rnd_bits=28    
+        run: sudo sysctl vm.mmap_rnd_bits=28
 
       - name: Install deps ⛓️
         run: |
@@ -354,7 +354,7 @@ jobs:
           sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten
 
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/create-comment-kernel-testing.yml b/.github/workflows/create-comment-kernel-testing.yml
@@ -47,14 +47,14 @@ jobs:
             var fs = require('fs');
             var issue_number = Number(fs.readFileSync('./NR'));
             var comment_body = fs.readFileSync('./COMMENT');
-            
+
             // Get the existing comments.
             const {data: comments} = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: issue_number,
             });
-            
+
             // Find any comment already made by the bot.
             const botComment = comments.find(comment => comment.user.id === 41898282 && comment.body.includes('# X64 kernel testing matrix'));
 

diff --git a/.github/workflows/driver-api-version.yml b/.github/workflows/driver-api-version.yml
@@ -12,15 +12,14 @@ on:
       - 'driver/ppm_events_public.h'
       - 'driver/bpf/maps.h'
       - 'driver/modern_bpf/maps/maps.h'
-
 
 jobs:
   paths-filter:
     runs-on: ubuntu-latest
     outputs:
       driver_api_changed: ${{ steps.filter.outputs.driver_api }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
     - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
       id: filter
       with:

diff --git a/.github/workflows/driver-schema-version.yml b/.github/workflows/driver-schema-version.yml
@@ -19,7 +19,7 @@ jobs:
     outputs:
       driver_schema_changed: ${{ steps.filter.outputs.driver_schema }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
     - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
       id: filter
       with:
@@ -34,14 +34,14 @@ jobs:
     needs: paths-filter
     if: needs.paths-filter.outputs.driver_schema_changed == 'false'
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Check driver SCHEMA_VERSION
         uses: mshick/add-pr-comment@7c0890544fb33b0bdd2e59467fbacb62e028a096 # v2.8.1
         with:
           message: |
             Please double check **driver/SCHEMA_VERSION** file. See [versioning](https://github.com/falcosecurity/libs/blob/master/driver/README.VERSION.md#schema-version-number).
-            
+
             /hold
 
       - name: Trigger failure

diff --git a/.github/workflows/driverkit.yml b/.github/workflows/driverkit.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Test drivers build on ${{ matrix.name }}
         run: |
           driverkit docker --kernelrelease ${{ matrix.kernelrelease }} --target ${{ matrix.target }} --output-module /tmp/libs.ko --output-probe /tmp/libs.o --driverversion $GITHUB_SHA --loglevel debug --kernelurls ${{ matrix.kernelurls }}
-          
+
   build-drivers-arm64:
     strategy:
       matrix:

diff --git a/.github/workflows/drivers_ci.yml b/.github/workflows/drivers_ci.yml
@@ -24,7 +24,7 @@ jobs:
       libscap: ${{ steps.filter.outputs.libscap }}
       libpman: ${{ steps.filter.outputs.libpman }}
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
     - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
       id: filter
       with:
@@ -48,14 +48,14 @@ jobs:
           - arch: amd64
             enable_gvisor: True
           - arch: amd64
-            enable_gvisor: False  
-      fail-fast: false  
+            enable_gvisor: False
+      fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
         # We need to skip each step because of https://github.com/orgs/community/discussions/9141.
         # This avoids having a skipped job whose name is not the resolved matrix name, like "test-scap-${{ matrix.arch }} 😆 (bundled_deps)"
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -73,14 +73,14 @@ jobs:
           cd src && sudo make install
 
       - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
+        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2
         if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
 
       - name: Install kernel headers
         if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'amd64'
         run: |
           sudo apt install -y --no-install-recommends linux-headers-$(uname -r)
-          
+
       - name: Build scap-open and drivers 🏗️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
         run: |
@@ -125,7 +125,7 @@ jobs:
     steps:
       - name: Checkout Libs ⤵️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -143,7 +143,7 @@ jobs:
           cd src && sudo make install
 
       - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
+        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2
         if: (needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true') && matrix.arch == 'arm64'
 
       - name: Install kernel headers and gcc
@@ -175,7 +175,7 @@ jobs:
         run: |
           cd build
           sudo ./test/drivers/drivers_test -k
-          
+
   test-drivers-ppc64le:
     name: test-drivers-ppc64le 😁 (system_deps,custom node)
     runs-on: ubuntu-22.04
@@ -211,15 +211,15 @@ jobs:
             sudo ./test/drivers/drivers_test -k
             rc_kmod=$?
             exit $(($rc_modern + $rc_bpf +$rc_kmod))
-        
+
   build-drivers-s390x:
     name: build-drivers-s390x 😁 (system_deps)
     runs-on: ubuntu-22.04
     needs: paths-filter
     steps:
       - name: Checkout Libs ⤵️
         if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -232,7 +232,7 @@ jobs:
           githubToken: ${{ github.token }}
 
           install: |
-            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic            
+            apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential clang llvm git pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libcap-dev libgtest-dev libprotobuf-dev linux-headers-generic
             git clone https://github.com/libbpf/bpftool.git --branch v7.3.0 --single-branch
             cd bpftool
             git submodule update --init
@@ -248,7 +248,7 @@ jobs:
             mkdir -p build
             cd build && cmake -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=OFF -DMODERN_PROBE_INCLUDE="-I/usr/include/s390x-linux-gnu" -DBUILD_LIBSCAP_MODERN_BPF=ON -DMODERN_BPF_DEBUG_MODE=ON -DENABLE_DRIVERS_TESTS=On -DCREATE_TEST_TARGETS=On -DBUILD_LIBSCAP_GVISOR=OFF ../
             KERNELDIR=/lib/modules/$(ls /lib/modules)/build make driver bpf drivers_test -j6
-  
+
   build-modern-bpf-skeleton:
     needs: paths-filter
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -280,7 +280,7 @@ jobs:
   build-scap-open-w-extern-bpf-skeleton:
     env:
       ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-    needs: [paths-filter,build-modern-bpf-skeleton] 
+    needs: [paths-filter,build-modern-bpf-skeleton]
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
     runs-on: 'ubuntu-latest'
     if: needs.paths-filter.outputs.driver == 'true' || needs.paths-filter.outputs.libscap == 'true' || needs.paths-filter.outputs.libpman == 'true'
@@ -344,7 +344,7 @@ jobs:
         run: |
           cd build
           source /opt/rh/devtoolset-9/enable
-          make scap-open -j6          
+          make scap-open -j6
 
   # Only runs on pull request since on master branch it is already triggered by pages CI.
   kernel-tests-dev:

diff --git a/.github/workflows/e2e_ci.yml b/.github/workflows/e2e_ci.yml
@@ -22,7 +22,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -65,7 +65,7 @@ jobs:
           cd src && sudo make install
 
       - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
+        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2
         if: matrix.arch == 'arm64'
 
       - name: Install kernel headers and gcc
@@ -118,7 +118,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout Libs ⤵️
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 
@@ -129,7 +129,7 @@ jobs:
           path: build
           key: build-e2e-${{ matrix.arch }}-${{ github.run_id }}
           restore-keys: build-e2e-
-          
+
       - name: Fix kernel mmap rnd bits
         # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
         # high-entropy ASLR in much newer kernels that GitHub runners are
@@ -150,7 +150,7 @@ jobs:
           sudo apt install -y --no-install-recommends clang gcc llvm build-essential cmake python3 quota
 
       - name: Install kernel headers (actuated)
-        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59
+        uses: self-actuated/get-kernel-sources@201eed7d915ac0a6021fb402cde5be7a6b945b59 # v2
         if: matrix.arch == 'arm64'
 
       - name: Install kernel headers and gcc

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout repository 🎉
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/latest-kernel.yml b/.github/workflows/latest-kernel.yml
@@ -21,13 +21,13 @@ jobs:
         run: |
           apk update && apk add git
           git clone https://aur.archlinux.org/linux-mainline.git linux/
-    
+
       - name: Generate driverkit config
         id: latest-version
         # Note: in case we are building latest mainline,
         # we grep the linux-mainline aur PKGBUILD "_tag" line, that is made like: "_tag=v6.4-rc1"
         # We then need to extract the part after the "=" and finally remove the starting "v".
-        run: |    
+        run: |
           cd linux/
           echo "kernelversion: 1" > dk.yaml
           echo "architecture: amd64" >> dk.yaml
@@ -45,19 +45,19 @@ jobs:
             echo "target: arch" >> dk.yaml
           fi
           echo "latest_vers=$(grep kernelrelease dk.yaml | awk -F": " '{print $2}')" >> $GITHUB_OUTPUT
-      
+
       - name: Upload driverkit config
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: driverkit_config.yaml
           path: linux/dk.yaml
-          
+
       - name: Test drivers build
         id: build
         run: |
           echo "Testing build of drivers against: ${{ steps.latest-version.outputs.latest_vers }}"
           driverkit docker -c linux/dk.yaml -l debug
-          
+
       - name: Update README badge
         uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
         if: always() && github.event_name == 'schedule'