Instead of using a standalone modernize (and a separate job), add
modernize and go vet (which should be same-as/similar-to go fix) linters
to golangci-lint config.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This update includes a few breaking API changes that I needed to get in
before an actual runc release depends on it, so that we don't need to
deal with compatibility shims for them (or bumping the SOVERSION).
From a Go API perspective, there were no major changes -- though this
bump did also require a bump to github.com/cyphar/filepath-securejoin
because one of the wrapped APIs changed from int to uint64 as a flag
argument type. Again, better to get this done before we really depend on
this in a public way.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Some of runc's integration tests may do something that I would not like
when running those on my development laptop. Examples include
- changing the root mount propagation [1];
- replacing /root/runc [2];
- changing the file in /etc (see checkpoint.bats).
Yet it is totally fine to do all that in a throwaway CI environment,
or inside a Docker container.
Introduce a mechanism to skip specific "unsafe" tests unless an
environment variable, RUNC_ALLOW_UNSAFE_TESTS, is set. Use it
from a specific checkpoint/restore test which modifies
/etc/criu/default.conf.
[1]: https://github.com/opencontainers/runc/pull/5200
[2]: https://github.com/opencontainers/runc/pull/5207
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
A bit of history. EXTRA_BUILDTAGS was introduced in commit dac417174,
as a quick way to add some extra Go build tags to the runc build.
Later, commit 767bc008 changed Makefile to not get EXTRA_TAGS from the
shell environment, as the name is quite generic and some unrelated
environment variable with that name can affect runc build. While such a
change does make sense, it makes it more complicated to pass build tags
in CI and otherwise (see e.g. commit 0e1fe368a).
Moreover, runc build uses some Go build tags by default (via Makefile),
and while it is easy to add more build tags (via EXTRA_BUILDTAGS), in
order to remove some existing tags one has to redefine BUILDTAGS from
scratch, which is not very convenient (again, see commit 0e1fe368a which
gets the current value of BUILDTAGS from the Makefile in order to remove
a single tag).
To handle all of the above, let's do this:
- implement RUNC_BUILDTAGS, fixing the issue of not-so-unique name;
- allow getting RUNC_BUILDTAGS from the shell environment;
- implement a feature to remove a build tag from the default set by
prefixing it with "-" (as in RUNC_BUILDTAGS="-seccomp");
- document all this in README;
- make CI use the new feature;
- keep EXTRA_BUILDTAGS for backward compatibility, add a make warning
and a TODO to remove it for runc 1.6.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
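The RUNC_BUILDTAGS semantics described in the commit message above (a "-" prefix removes a default tag, anything else adds one, and EXTRA_BUILDTAGS is still honoured with a warning), modelled as an added POSIX shell example. This is not runc's Makefile code; the default tag set, the function names (resolve_buildtags, effective_buildtags) and the wording of the deprecation warning are assumptions made for illustration.

```shell
# Added example, not runc's own Makefile logic.
# Constructed sample default tag set; runc's real defaults live in its Makefile.
DEFAULT_BUILDTAGS="seccomp urandom_getrandom"

# resolve_buildtags DEFAULTS REQUESTED
# Prints the final space-separated tag list: entries of REQUESTED that
# start with "-" remove the named tag from DEFAULTS, all other entries
# are appended (once). Hypothetical helper name.
resolve_buildtags() {
    defaults=$1
    requested=$2
    result=""
    # Keep every default tag unless it was explicitly negated.
    for tag in $defaults; do
        removed=0
        for req in $requested; do
            if [ "$req" = "-$tag" ]; then
                removed=1
                break
            fi
        done
        [ "$removed" -eq 1 ] || result="$result $tag"
    done
    # Append positively requested tags that are not already present.
    for req in $requested; do
        case "$req" in
        -*) continue ;;
        esac
        present=0
        for tag in $result; do
            [ "$tag" = "$req" ] && present=1
        done
        [ "$present" -eq 1 ] || result="$result $req"
    done
    # Strip the leading separator before printing.
    printf '%s\n' "${result# }"
}

# effective_buildtags
# Reads RUNC_BUILDTAGS from the environment and, for backward
# compatibility, still honours the deprecated EXTRA_BUILDTAGS while
# warning about it (the warning text is an assumption). Hypothetical helper.
effective_buildtags() {
    tags=${RUNC_BUILDTAGS:-}
    if [ -n "${EXTRA_BUILDTAGS:-}" ]; then
        echo "warning: EXTRA_BUILDTAGS is deprecated, use RUNC_BUILDTAGS instead" >&2
        tags="$tags $EXTRA_BUILDTAGS"
    fi
    resolve_buildtags "$DEFAULT_BUILDTAGS" "$tags"
}

# Usage: with RUNC_BUILDTAGS="-seccomp libpathrs" this prints
# "urandom_getrandom libpathrs".
RUNC_BUILDTAGS="-seccomp libpathrs" effective_buildtags
```

Tags are kept space-separated here because that is how the commit message writes RUNC_BUILDTAGS; a real build would still have to join them into the comma-separated form that go build -tags expects.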
Commit 192e3d416f ("ci: add conmon tests run") was merged without
rebasing on top of commit e2c989b7e1 ("build: enable libpathrs by
default"), causing build failures when it was merged.
The solution is to just use the same install script as the rest of CI
from commit 7322b05f41 ("ci: build and install libpathrs").
Fixes: 192e3d416f ("ci: add conmon tests run")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
We do plan to make libpathrs required in the future, but in the meantime
we should test both with and without libpathrs in our CI to catch
regressions for users that will not use libpathrs initially.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Commit 67f6c37b ("ci/gha: switch to ubuntu 24.04") switched most GHA CI
to Ubuntu 24.04 except for one job. It says:
> Leave ubuntu-22.04 for ci/cross-i386 (issue with systemctl restart hang
> after apt install). This can be addressed separately later.
Assuming the issue is already fixed (updated systemd or something),
let's finalize the 24.04 switch.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The modernize documentation used to suggest the -test flag but it's not
needed as it is enabled by default. Drop it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Since we use modernize@latest, it may require latest Go as well (and now it does),
so use "go-version: stable" explicitly (which resolves to latest Go).
This fixes the issue with CI:
> go: golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest: golang.org/x/tools/gopls@v0.21.0 requires go >= 1.25 (running go 1.24.11; GOTOOLCHAIN=local)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In view of the recent criu-dev failure, let's not fail the
required "all-done" job when criu-dev tests fail.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This is to ensure that the Go version in the Dockerfile (which is used to build
release binaries) is:
- currently supported;
- used in CI tests.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
For some reason, some jobs in .github/workflows/validate.yml
have "fetch-depth: 0" argument to actions/checkout, meaning
"all history for all branches and tags". Obviously this is
not needed here.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This new version includes the fixes for CVE-2025-52881, so we can remove
the internal/third_party copy of the library we added in commit
ed6b1693b8 ("selinux: use safe procfs API for labels") as well as the
"replace" directive in go.mod (which is problematic for "go get"
installs).
Fixes: ed6b1693b8 ("selinux: use safe procfs API for labels")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This will result in slower runs but we are having issues with
golangci-lint (false positives) that are most probably related
to caching.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Due to the sensitive nature of these fixes, it was not possible to
submit these upstream and vendor the upstream library. Instead, this
patch uses a fork of github.com/opencontainers/selinux, branched at
commit opencontainers/selinux@879a755db5.
In order to permit downstreams to build with this patched version, a
snapshot of the forked version has been included in
internal/third_party/selinux. Note that since we use "go mod vendor",
the patched code is usable even without being "go get"-able. Once the
embargo for this issue is lifted we can submit the patches upstream and
switch back to a proper upstream go.mod entry.
Also, this requires us to temporarily disable the CI job we have that
disallows "replace" directives.
Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Bump bats to the version from Fedora 42 (used in "fedora" job), so we
have the same version everywhere.
This also fixes an issue introduced by commit d31e6b87 (which forgot to
bump bats in GHA CI), and adds a note to the yaml in order to avoid the
same issue in the future.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
All the new code appears in main (not in the release branches),
and we only want extra linter rules to apply to new code.
Disable lint-extra job if the PR is not to the main branch.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>