Skip to content

Update semgrep.yml #1025

Update semgrep.yml

Update semgrep.yml #1025

Workflow file for this run

name: CI
on:
push:
tags:
- v*
branches:
- master
pull_request:
jobs:
build-libbpf-docker-x86_64:
name: Build libbpf in Docker (x86_64)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Build libbpf
run: |
docker buildx build --progress plain --tag libbpf --target libbpf_builder .
id=$(docker create libbpf)
docker cp $id:/build/libbpf.tar.gz libbpf.x86_64.tar.gz
- name: Upload libbpf.tar.gz
uses: actions/upload-artifact@v4
with:
name: libbpf.x86_64.tar.gz
path: libbpf.x86_64.tar.gz
if-no-files-found: error
build-libbpf-docker-aarch64:
name: Build libbpf in Docker (aarch64, emulated)
runs-on: ubuntu-24.04
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- uses: actions/checkout@v4
- name: Build libbpf
run: |
docker buildx build --progress plain --tag libbpf --target libbpf_builder --platform linux/arm64 .
id=$(docker create libbpf)
docker cp $id:/build/libbpf.tar.gz libbpf.aarch64.tar.gz
- name: Upload libbpf.tar.gz
uses: actions/upload-artifact@v4
with:
name: libbpf.aarch64.tar.gz
path: libbpf.aarch64.tar.gz
if-no-files-found: error
build-ebpf-exporter-docker-x86_64:
name: Build ebpf_exporter in Docker (x86_64, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch with tags to have the build version attached
- name: Build ebpf_exporter and examples
run: |
docker buildx build --progress plain --tag ebpf_exporter .
docker create --name ebpf_exporter ebpf_exporter
- name: Extract ebpf_exporter.x86_64
run: |
docker cp ebpf_exporter:/ebpf_exporter ebpf_exporter
- name: Upload ebpf_exporter
uses: actions/upload-artifact@v4
with:
name: ebpf_exporter.x86_64
path: ebpf_exporter
if-no-files-found: error
- name: Extract examples.x86_64.tar.gz
run: |
docker cp ebpf_exporter:/examples ./
tar -cvzf examples.x86_64.tar.gz -T <(find examples | grep -E "\.(yaml|bpf.o)$")
- name: Upload examples.x86_64.tar.gz
uses: actions/upload-artifact@v4
with:
name: examples.x86_64.tar.gz
path: examples.x86_64.tar.gz
if-no-files-found: error
- name: Extract ebpf_exporter_with_examples.x86_64.tar.gz
run: |
tar -cvzf ebpf_exporter_with_examples.x86_64.tar.gz --transform "s,\(.*\),ebpf_exporter-$(git describe --tags)/\1," -T <(echo ebpf_exporter; find examples | grep -E "\.(yaml|bpf.o)$" | sort)
- name: Upload ebpf_exporter_with_examples.x86_64.tar.gz
uses: actions/upload-artifact@v4
with:
name: ebpf_exporter_with_examples.x86_64.tar.gz
path: ebpf_exporter_with_examples.x86_64.tar.gz
if-no-files-found: error
build-ebpf-exporter-docker-aarch64:
name: Build ebpf_exporter in Docker (aarch64, emulated, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch with tags to have the build version attached
- name: Build ebpf_exporter and examples
run: |
docker buildx build --progress plain --tag ebpf_exporter --platform linux/arm64 .
docker create --name ebpf_exporter ebpf_exporter
- name: Extract ebpf_exporter.aarch64
run: |
docker cp ebpf_exporter:/ebpf_exporter ebpf_exporter
- name: Upload ebpf_exporter
uses: actions/upload-artifact@v4
with:
name: ebpf_exporter.aarch64
path: ebpf_exporter
if-no-files-found: error
- name: Extract examples.aarch64.tar.gz
run: |
docker cp ebpf_exporter:/examples ./
tar -cvzf examples.aarch64.tar.gz -T <(find examples | grep -E "\.(yaml|bpf.o)$")
- name: Upload examples.aarch64.tar.gz
uses: actions/upload-artifact@v4
with:
name: examples.aarch64.tar.gz
path: examples.aarch64.tar.gz
if-no-files-found: error
- name: Extract ebpf_exporter_with_examples.aarch64.tar.gz
run: |
tar -cvzf ebpf_exporter_with_examples.aarch64.tar.gz --transform "s,\(.*\),ebpf_exporter-$(git describe --tags)/\1," -T <(echo ebpf_exporter; find examples | grep -E "\.(yaml|bpf.o)$" | sort)
- name: Upload ebpf_exporter_with_examples.aarch64.tar.gz
uses: actions/upload-artifact@v4
with:
name: ebpf_exporter_with_examples.aarch64.tar.gz
path: ebpf_exporter_with_examples.aarch64.tar.gz
if-no-files-found: error
build-ebpf-exporter-static-x86_64-system-libbpf:
name: Build ebpf_exporter (x86_64, statically linked, system libbpf)
needs: build-libbpf-docker-x86_64
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Download libbpf.tar.gz
uses: actions/download-artifact@v4
with:
name: libbpf.x86_64.tar.gz
- name: Install libbpf
run: sudo tar -C / -xvvf libbpf.x86_64.tar.gz
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Build
run: make -j $(nproc) build BUILD_LIBBPF=0
- name: Check static linkage
run: (ldd --verbose ./ebpf_exporter 2>&1 || true) | grep 'not a dynamic executable'
- name: Check for nss presence
run: if [[ $(objdump -tT ebpf_exporter | grep 'hidden _nss') ]]; then echo "unexpected nss symbols found"; exit 1; fi
- name: Check that it runs
run: ./ebpf_exporter --version
build-ebpf-exporter-static-x86_64-built-in-libbpf:
name: Build ebpf_exporter (x86_64, statically linked, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Build
run: make -j $(nproc) build
- name: Check static linkage
run: (ldd --verbose ./ebpf_exporter 2>&1 || true) | grep 'not a dynamic executable'
- name: Check for nss presence
run: if [[ $(objdump -tT ebpf_exporter | grep 'hidden _nss') ]]; then echo "unexpected nss symbols found"; exit 1; fi
- name: Check that it runs
run: ./ebpf_exporter --version
build-ebpf-exporter-dynamic-x86_64-system-libbpf:
name: Build ebpf_exporter (x86_64, dynamically linked, system libbpf)
needs: build-libbpf-docker-x86_64
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Download libbpf.tar.gz
uses: actions/download-artifact@v4
with:
name: libbpf.x86_64.tar.gz
- name: Install libbpf
run: sudo tar -C / -xvvf libbpf.x86_64.tar.gz
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Build
run: make -j $(nproc) build-dynamic BUILD_LIBBPF=0
- name: Check dynamic linkage
run: ldd --verbose ./ebpf_exporter
- name: Check that it runs
run: ./ebpf_exporter --version
build-ebpf-exporter-dynamic-x86_64-built-in-libbpf:
name: Build ebpf_exporter (x86_64, dynamically linked, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Build
run: make -j $(nproc) build-dynamic
- name: Check dynamic linkage
run: ldd --verbose ./ebpf_exporter
- name: Check that it runs
run: LD_LIBRARY_PATH=libbpf/dest/usr/lib ./ebpf_exporter --version
test-ebpf-exporter-x86_64-system-libbpf:
name: Test ebpf_exporter (x86_64, system libbpf)
needs: build-libbpf-docker-x86_64
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Install systemtap-sdt-dev
run: sudo apt-get install -y systemtap-sdt-dev
- name: Download libbpf.tar.gz
uses: actions/download-artifact@v4
with:
name: libbpf.x86_64.tar.gz
- name: Install libbpf
run: sudo tar -C / -xvvf libbpf.x86_64.tar.gz
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Update pci.ids
run: |
curl -o /tmp/pci.ids https://raw.githubusercontent.com/pciutils/pciids/master/pci.ids
sudo mv /tmp/pci.ids /usr/share/misc/pci.ids
- name: Test
run: make -j $(nproc) test BUILD_LIBBPF=0
- name: Test privileged
run: make -j $(nproc) test-privileged BUILD_LIBBPF=0
test-ebpf-exporter-x86_64-built-in-libbpf:
name: Test ebpf_exporter (x86_64, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Install systemtap-sdt-dev
run: sudo apt-get install -y systemtap-sdt-dev
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Update pci.ids
run: |
curl -o /tmp/pci.ids https://raw.githubusercontent.com/pciutils/pciids/master/pci.ids
sudo mv /tmp/pci.ids /usr/share/misc/pci.ids
- name: Test
run: make -j $(nproc) test
- name: Test privileged
run: make -j $(nproc) test-privileged
lint-ebpf-exporter-x86_64-built-in-libbpf:
name: Lint ebpf_exporter (x86_64, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
cache: false # https://github.com/golangci/golangci-lint-action/issues/807
- name: Install systemtap-sdt-dev
run: sudo apt-get install -y systemtap-sdt-dev
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Build libbpf
run: make -j $(nproc) libbpf.a
- name: Check vendored dependencies
run: go mod verify
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
env:
CGO_CFLAGS: "-I${{ github.workspace }}/libbpf/dest/usr/include"
build-examples-x86_64-system-libbpf:
name: Build examples (x86_64, system libbpf)
needs: build-libbpf-docker-x86_64
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Download libbpf.tar.gz
uses: actions/download-artifact@v4
with:
name: libbpf.x86_64.tar.gz
- name: Install libbpf
run: sudo tar -C / -xvvf libbpf.x86_64.tar.gz
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Install clang
run: sudo apt-get install -y clang
- name: Build benchmark bpf probes
run: make -j $(nproc) -C benchmark build BUILD_LIBBPF=0
- name: Build example bpf probes
run: make -j $(nproc) -C examples build BUILD_LIBBPF=0
build-examples-x86_64-built-in-libbpf:
name: Build examples (x86_64, built-in libbpf)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install libelf-dev
run: sudo apt-get install -y libelf-dev
- name: Install clang
run: sudo apt-get install -y clang
- name: Build benchmark bpf probes
run: make -j $(nproc) -C benchmark build
- name: Build example bpf probes
run: make -j $(nproc) -C examples build
build-tracing-demos-x86_64:
name: Build tracing demos (x86_64)
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ^1.23
- name: Install systemtap-sdt-dev
run: sudo apt-get install -y systemtap-sdt-dev
- name: Build
run: make -j $(nproc) tracing-demos
- name: Extract tracing-demos.x86_64.tar.gz
run: |
tar -cvzf tracing-demos.x86_64.tar.gz tracing/demos/*/demo
- name: Upload tracing-demos.x86_64.tar.gz
uses: actions/upload-artifact@v4
with:
name: tracing-demos.x86_64.tar.gz
path: tracing-demos.x86_64.tar.gz
if-no-files-found: error
check-configs-x86_64:
name: Check examples
runs-on: ubuntu-24.04
needs:
- build-ebpf-exporter-docker-x86_64
- build-tracing-demos-x86_64
steps:
- uses: actions/checkout@v4
- name: Download ebpf_exporter_with_examples.x86_64.tar.gz
uses: actions/download-artifact@v4
with:
name: ebpf_exporter_with_examples.x86_64.tar.gz
- name: Extract ebpf_exporter_with_examples.x86_64.tar.gz
run: tar --strip-components 1 -xzvf ebpf_exporter_with_examples.x86_64.tar.gz
- name: Download tracing-demos.x86_64.tar.gz
uses: actions/download-artifact@v4
with:
name: tracing-demos.x86_64.tar.gz
- name: Extract tracing-demos.x86_64.tar.gz
run: tar -xzvf tracing-demos.x86_64.tar.gz
- name: Print kernel version
run: uname -a
# Some programs expect to attach to symbols in modules
- name: Load expected kernel modules
run: sudo modprobe xfs
- name: Run configuration check
run: make config-check
clang-format:
name: Run clang-format check
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install clang-format
run: sudo apt-get install -y clang-format make
- name: Run clang-format check
run: make clang-format-check
markdown-links:
name: Run markdown-links-check
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Run markdown-links-check
run: make markdown-link-check
jsonschema:
name: Run jsonschema checks
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Install jsonschema dependencies
run: sudo apt-get install -y python3-jsonschema make
- name: Install yq
run: sudo curl -Lo /usr/bin/yq https://github.com/mikefarah/yq/releases/download/v4.35.2/yq_linux_amd64 && sudo chmod +x /usr/bin/yq
- name: Run jsonschema check
run: make jsonschema
publish-docker-images:
name: Publish Docker images (x86_64, aarch64)
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch with tags to have the build version attached
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=ref,event=branch
type=ref,event=tag
type=ref,event=pr
type=sha
- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
provenance: false # https://github.com/docker/build-push-action/issues/755
release-archive:
name: Release archive
runs-on: ubuntu-24.04
needs:
- build-ebpf-exporter-docker-aarch64
- build-ebpf-exporter-docker-x86_64
steps:
- name: Download ebpf_exporter.aarch64
uses: actions/download-artifact@v4
with:
name: ebpf_exporter.aarch64
- name: Rename ebpf_exporter.aarch64
run: mv ebpf_exporter ebpf_exporter.aarch64
- name: Download ebpf_exporter.x86_64
uses: actions/download-artifact@v4
with:
name: ebpf_exporter.x86_64
- name: Rename ebpf_exporter.x86_64
run: mv ebpf_exporter ebpf_exporter.x86_64
- name: Download examples.aarch64.tar.gz
uses: actions/download-artifact@v4
with:
name: examples.aarch64.tar.gz
- name: Download examples.x86_64.tar.gz
uses: actions/download-artifact@v4
with:
name: examples.x86_64.tar.gz
- name: Download ebpf_exporter_with_examples.aarch64.tar.gz
uses: actions/download-artifact@v4
with:
name: ebpf_exporter_with_examples.aarch64.tar.gz
- name: Download ebpf_exporter_with_examples.x86_64.tar.gz
uses: actions/download-artifact@v4
with:
name: ebpf_exporter_with_examples.x86_64.tar.gz
- name: Mark ebpf_exporter binaries as executable
run: chmod +x ebpf_exporter.aarch64 ebpf_exporter.x86_64
- name: Create sha256sums.txt
run: shasum -a 256 * > sha256sums.txt
- name: Create release archive
run: tar -czf release.tar.gz --transform "s,\(.*\),ebpf_exporter-${GITHUB_SHA}/\1," *
- name: Upload release.tar.gz
uses: actions/upload-artifact@v4
with:
name: release.tar.gz
path: release.tar.gz
if-no-files-found: error