mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
6b7e2783d1
We had a few "runaway jobs" recently, where the job got stuck, and kept running for 6 hours (in one case even 24 hours, probably due some github outage). Some of those jobs could not be terminated. While running these actions on public repositories doesn't cost us, it's still not desirable to have jobs running for that long (as they can still hold up the queue). This patch adds a blanket "2 hours" time-limit to all jobs that didn't have a limit set. We should look at tweaking those limits to actually expected duration, but having a default at least is a start. Also changed the position of some existing timeouts so that we have a consistent order in which it's set; making it easier to spot locations where no limit is defined. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
171 lines
4.3 KiB
YAML
171 lines
4.3 KiB
YAML
name: ci
|
|
|
|
# Default to 'contents: read', which grants actions to read commits.
|
|
#
|
|
# If any permission is set, any permission not included in the list is
|
|
# implicitly set to "none".
|
|
#
|
|
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- '[0-9]+.[0-9]+'
|
|
pull_request:
|
|
|
|
env:
|
|
DESTDIR: ./build
|
|
SETUP_BUILDX_VERSION: latest
|
|
SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
|
|
|
|
jobs:
|
|
validate-dco:
|
|
uses: ./.github/workflows/.dco.yml
|
|
|
|
build:
|
|
runs-on: ubuntu-20.04
|
|
timeout-minutes: 120 # guardrails timeout for the whole job
|
|
needs:
|
|
- validate-dco
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- binary
|
|
- dynbinary
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
version: ${{ env.SETUP_BUILDX_VERSION }}
|
|
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
|
|
buildkitd-flags: --debug
|
|
-
|
|
name: Build
|
|
uses: docker/bake-action@v4
|
|
with:
|
|
targets: ${{ matrix.target }}
|
|
-
|
|
name: List artifacts
|
|
run: |
|
|
tree -nh ${{ env.DESTDIR }}
|
|
-
|
|
name: Check artifacts
|
|
run: |
|
|
find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
|
|
|
|
prepare-cross:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 120 # guardrails timeout for the whole job
|
|
needs:
|
|
- validate-dco
|
|
outputs:
|
|
matrix: ${{ steps.platforms.outputs.matrix }}
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v4
|
|
-
|
|
name: Create matrix
|
|
id: platforms
|
|
run: |
|
|
matrix="$(docker buildx bake binary-cross --print | jq -cr '.target."binary-cross".platforms')"
|
|
echo "matrix=$matrix" >> $GITHUB_OUTPUT
|
|
-
|
|
name: Show matrix
|
|
run: |
|
|
echo ${{ steps.platforms.outputs.matrix }}
|
|
|
|
cross:
|
|
runs-on: ubuntu-20.04
|
|
timeout-minutes: 120 # guardrails timeout for the whole job
|
|
needs:
|
|
- validate-dco
|
|
- prepare-cross
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
platform: ${{ fromJson(needs.prepare-cross.outputs.matrix) }}
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Prepare
|
|
run: |
|
|
platform=${{ matrix.platform }}
|
|
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
version: ${{ env.SETUP_BUILDX_VERSION }}
|
|
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
|
|
buildkitd-flags: --debug
|
|
-
|
|
name: Build
|
|
uses: docker/bake-action@v4
|
|
with:
|
|
targets: all
|
|
set: |
|
|
*.platform=${{ matrix.platform }}
|
|
-
|
|
name: List artifacts
|
|
run: |
|
|
tree -nh ${{ env.DESTDIR }}
|
|
-
|
|
name: Check artifacts
|
|
run: |
|
|
find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
|
|
|
|
govulncheck:
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 120 # guardrails timeout for the whole job
|
|
permissions:
|
|
# required to write sarif report
|
|
security-events: write
|
|
# required to check out the repository
|
|
contents: read
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
with:
|
|
version: ${{ env.SETUP_BUILDX_VERSION }}
|
|
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
|
|
buildkitd-flags: --debug
|
|
-
|
|
name: Run
|
|
uses: docker/bake-action@v5
|
|
with:
|
|
targets: govulncheck
|
|
env:
|
|
GOVULNCHECK_FORMAT: sarif
|
|
-
|
|
name: Upload SARIF report
|
|
if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ env.DESTDIR }}/govulncheck.out
|