name: ci concurrency: group: ${{ github.workflow }}-${{ github.ref }} # Cancel stale PR runs without interrupting push, tag, scheduled, or # manually dispatched validation. cancel-in-progress: ${{ github.event_name == 'pull_request' }} permissions: contents: read on: workflow_dispatch: push: branches: - 'master' - '[0-9]+.[0-9]+' - '[0-9]+.x' pull_request: env: DESTDIR: ./build SETUP_BUILDX_VERSION: edge SETUP_BUILDKIT_IMAGE: moby/buildkit:latest jobs: validate-dco: uses: ./.github/workflows/.dco.yml build: runs-on: ${{ matrix.runner }} timeout-minutes: 20 # guardrails timeout for the whole job needs: - validate-dco strategy: fail-fast: false matrix: include: - runner: ubuntu-24.04 target: binary - runner: ubuntu-24.04 target: dynbinary - runner: ubuntu-24.04-arm target: binary - runner: ubuntu-24.04-arm target: dynbinary steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0 with: targets: ${{ matrix.target }} - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Check artifacts run: | find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + prepare-cross: runs-on: ubuntu-24.04 timeout-minutes: 20 # guardrails timeout for the whole job if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} needs: - validate-dco outputs: includes: ${{ steps.gen.outputs.matrix }} steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Create matrix id: gen uses: docker/bake-action/subaction/matrix@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0 with: target: binary-cross fields: platforms cross: runs-on: ubuntu-24.04 timeout-minutes: 20 # guardrails timeout for the whole job if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} needs: - validate-dco - prepare-cross strategy: fail-fast: false matrix: include: ${{ fromJson(needs.prepare-cross.outputs.includes) }} steps: - name: Prepare env: PLATFORM: ${{ matrix.platforms }} run: | echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0 with: targets: ${{ matrix.target }} set: | *.platform=${{ matrix.platforms }} - name: List artifacts run: | tree -nh ${{ env.DESTDIR }} - name: Check artifacts run: | find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + govulncheck: runs-on: ubuntu-24.04 timeout-minutes: 120 # guardrails timeout for the whole job # Always run security checks, even with 'ci/validate-only' label permissions: contents: read # same as global permission security-events: write # required to write sarif report steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Run uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0 with: targets: govulncheck env: GOVULNCHECK_FORMAT: sarif - name: Upload SARIF report if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }} uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: ${{ env.DESTDIR }}/govulncheck.out build-dind: runs-on: ubuntu-24.04 timeout-minutes: 120 # guardrails timeout for the whole job if: ${{ github.event_name != 'pull_request' || !contains(github.event.pull_request.labels.*.name, 'ci/validate-only') }} needs: - validate-dco steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 with: version: ${{ env.SETUP_BUILDX_VERSION }} driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }} buildkitd-flags: --debug - name: Build dind image uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0 with: targets: dind set: | *.output=type=cacheonly success: name: CI Build Success runs-on: ubuntu-24.04 if: ${{ always() }} needs: - validate-dco - build - prepare-cross - cross - govulncheck - build-dind steps: - name: Check CI result if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} run: exit 1 - name: Report success run: echo "All CI jobs completed successfully" # Compatibility for the previous required check name. # TODO(vvoland): Remove once most PRs have rebased build-binary: name: build (binary) runs-on: ubuntu-24.04 if: ${{ always() }} needs: - success steps: - name: Check CI result if: ${{ needs.success.result != 'success' }} run: exit 1 - name: Report success run: echo "CI build completed successfully"