[Snyk] Security upgrade golang from latest to 1.22.4 #2549
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Smoke Test with IPv6 | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request: {} | |
| push: | |
| branches: | |
| - master | |
| - ft/master/** | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
| cancel-in-progress: true | |
| env: | |
| KIND_VERSION: v0.11.1 | |
| KIND_CONFIG: .github/kind-config-ipv6.yaml | |
| # Skip external traffic (e.g. 1.1.1.1 and www.google.com) due to no support for IPv6 in github action | |
| CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check-internal.yaml | |
| TIMEOUT: 5m | |
| LOG_TIME: 30m | |
| jobs: | |
| check_changes: | |
| name: Deduce required tests from code changes | |
| runs-on: ubuntu-18.04 | |
| outputs: | |
| tested: ${{ steps.tested-tree.outputs.src }} | |
| steps: | |
| - name: Checkout code | |
| if: ${{ !github.event.pull_request }} | |
| uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 | |
| with: | |
| persist-credentials: false | |
| - name: Check code changes | |
| uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 | |
| id: tested-tree | |
| with: | |
| filters: | | |
| src: | |
| - '!(test|Documentation)/**' | |
| conformance-test-ipv6: | |
| needs: check_changes | |
| if: ${{ needs.check_changes.outputs.tested == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 | |
| with: | |
| persist-credentials: false | |
| - name: Set image tag | |
| id: vars | |
| run: | | |
| if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
| echo ::set-output name=tag::${{ github.event.pull_request.head.sha }} | |
| else | |
| echo ::set-output name=tag::${{ github.sha }} | |
| fi | |
| - name: Precheck generated connectivity manifest files | |
| run: | | |
| make -C examples/kubernetes/connectivity-check fmt | |
| make -C examples/kubernetes/connectivity-check all | |
| test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) | |
| - name: Enable IPv6 in docker | |
| run: | | |
| # Keep existing cgroup-parent in github action | |
| sudo sh -c "echo '{ \"cgroup-parent\": \"/actions_job\", \"ipv6\": true, \"fixed-cidr-v6\": \"2001:db8:1::/64\" }' > /etc/docker/daemon.json" | |
| sudo cat /etc/docker/daemon.json | |
| sudo ip -6 route add 2001:db8:1::/64 dev docker0 | |
| sudo sysctl net.ipv6.conf.default.forwarding=1 | |
| sudo sysctl net.ipv6.conf.all.forwarding=1 | |
| sudo systemctl restart docker | |
| - name: Create kind cluster | |
| uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 | |
| with: | |
| version: ${{ env.KIND_VERSION }} | |
| config: ${{ env.KIND_CONFIG }} | |
| - name: Wait for images to be available | |
| timeout-minutes: 30 | |
| shell: bash | |
| run: | | |
| for image in cilium-ci operator-generic-ci hubble-relay-ci ; do | |
| until curl --silent -f -lSL "https://quay.io/api/v1/repository/${{ github.repository_owner }}/${image}/tag/${{ steps.vars.outputs.tag }}/images" &> /dev/null; do sleep 45s; done | |
| done | |
| - name: Install cilium chart | |
| run: | | |
| helm upgrade -i cilium ./install/kubernetes/cilium \ | |
| --namespace kube-system \ | |
| --set nodeinit.enabled=true \ | |
| --set kubeProxyReplacement=strict \ | |
| --set ipam.mode=kubernetes \ | |
| --set image.repository=quay.io/${{ github.repository_owner }}/cilium-ci \ | |
| --set image.tag=${{ steps.vars.outputs.tag }} \ | |
| --set image.pullPolicy=IfNotPresent \ | |
| --set image.useDigest=false \ | |
| --set hubble.relay.enabled=true \ | |
| --set hubble.relay.image.repository=quay.io/${{ github.repository_owner }}/hubble-relay-ci \ | |
| --set hubble.relay.image.tag=${{ steps.vars.outputs.tag }} \ | |
| --set hubble.relay.image.pullPolicy=IfNotPresent \ | |
| --set hubble.relay.image.useDigest=false \ | |
| --set operator.image.repository=quay.io/${{ github.repository_owner }}/operator \ | |
| --set operator.image.suffix=-ci \ | |
| --set operator.image.tag=${{ steps.vars.outputs.tag }} \ | |
| --set operator.image.pullPolicy=IfNotPresent \ | |
| --set operator.image.useDigest=false \ | |
| --set ipv6.enabled=true \ | |
| --set ipv4.enabled=false \ | |
| --set tunnel=disabled \ | |
| --set autoDirectNodeRoutes=true \ | |
| --set ipv6NativeRoutingCIDR=2001:db8:1::/64 | |
| kubectl wait -n kube-system --for=condition=Ready --all pod --timeout=${{ env.TIMEOUT }} | |
| # To make sure that cilium CRD is available (default timeout is 5m) | |
| kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m | |
| kubectl port-forward -n kube-system deployment/hubble-relay 4245:4245 & | |
| - name: Run conformance test (e.g. connectivity check without external 1.1.1.1 and www.google.com) | |
| run: | | |
| kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} | |
| kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} | |
| - name: Capture cilium-sysdump | |
| if: ${{ failure() }} | |
| # The following is needed to prevent hubble from receiving an empty | |
| # file (EOF) on stdin and displaying no flows. | |
| shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' | |
| run: | | |
| echo "=== Install latest stable CLI ===" | |
| curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum} | |
| sha256sum --check cilium-linux-amd64.tar.gz.sha256sum | |
| sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/bin | |
| rm cilium-linux-amd64.tar.gz{,.sha256sum} | |
| cilium version | |
| echo "=== Retrieve cluster state ===" | |
| kubectl get pods --all-namespaces -o wide | |
| cilium status | |
| cilium sysdump --output-filename cilium-sysdump-out | |
| - name: Upload cilium-sysdump | |
| uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 | |
| if: ${{ failure() }} | |
| with: | |
| name: cilium-sysdump-out.zip | |
| path: cilium-sysdump-out.zip | |
| - name: Send slack notification | |
| if: ${{ !success() && (github.event_name == 'schedule' || github.event_name == 'push') }} | |
| uses: 8398a7/action-slack@a74b761b4089b5d730d813fbedcd2ec5d394f3af | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,message,commit,author,action,eventName,ref,workflow,job,took # selectable (default: repo,message) | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |