ci: generate seccomp profile within pipeline (#1325)

Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2026-02-14 18:09:58 +00:00 · 2025-02-06 12:44:08 +01:00
parent fa06d8d6ae
commit b7a2072b0f
13 changed files with 272 additions and 73 deletions
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -2,18 +2,6 @@ name: e2e
 permissions: {}

 on:
-  push:
-    branches: [ "*" ]
-    paths:
-      - '.github/workflows/e2e.yml'
-      - 'api/**'
-      - 'controllers/**'
-      - 'pkg/**'
-      - 'e2e/*'
-      - 'Dockerfile'
-      - 'go.*'
-      - 'main.go'
-      - 'Makefile'
  pull_request:
    branches: [ "*" ]
    paths:
--- a/.github/workflows/helm-test.yml
+++ b/.github/workflows/helm-test.yml
@@ -31,6 +31,7 @@ jobs:
          fi
      - name: Run chart-testing (lint)
        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+        
      - name: Run docs-testing (helm-docs)
        id: helm-docs
        run: |
@@ -44,5 +45,5 @@ jobs:
          fi

      - name: Run chart-testing (install)
-        run: make helm-test
+        run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
        if: steps.list-changed.outputs.changed == 'true'
--- a/.github/workflows/releaser.yml
+++ b/.github/workflows/releaser.yml
@@ -11,7 +11,40 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  seccomp-generation:
+    name: Seccomp Generation
+    strategy:
+      fail-fast: false
+      matrix:
+        # differently from the e2e workflow
+        # we don't need all the versions of kubernetes
+        # to generate the seccomp profile.
+        k8s-version: [ 'v1.30.0' ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
+        with:
+          version: v3.14.2
+      - name: unit tracing
+        run: sudo make trace-unit
+      - name: e2e tracing
+        run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
+      - name: build seccomp profile
+        run: make seccomp
+      - name: upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: capsule-seccomp
+          path: capsule-seccomp.json
+
  create-release:
+    needs: seccomp-generation
    runs-on: ubuntu-latest
    permissions:
      contents: write
@@ -33,6 +66,11 @@ jobs:
      - uses: anchore/sbom-action/download-syft@79202aee38a39bd2039be442e58d731b63baf740
      - name: Install Cosign
        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
+      - name: download artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: capsule-seccomp
+          path: ./capsule-seccomp.json
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
        with:
--- a/.github/workflows/seccomp.yaml
+++ b/.github/workflows/seccomp.yaml
@@ -0,0 +1,54 @@
+name: seccomp
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - '.github/workflows/e2e.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - 'Dockerfile'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  seccomp-generation:
+    name: Seccomp Generation
+    strategy:
+      fail-fast: false
+      matrix:
+        # differently from the e2e workflow
+        # we don't need all the versions of kubernetes
+        # to generate the seccomp profile.
+        k8s-version: [ 'v1.30.0' ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version-file: 'go.mod'
+      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
+        with:
+          version: v3.14.2
+      - name: unit tracing
+        run: sudo make trace-unit
+      - name: e2e tracing
+        run: sudo KIND_K8S_VERSION=${{ matrix.k8s-version }} make trace-e2e
+      - name: build seccomp profile
+        run: make seccomp
+      - name: upload artifact
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: capsule-seccomp
+          path: capsule-seccomp.json
+