cws-btfhub-sync.yml
# Regenerates the BTFHub constants used by CWS, either on demand
# (workflow_dispatch) or on a weekly schedule.
name: 'CWS BTFHub constants sync'

on:
  workflow_dispatch:
    inputs:
      # Optional branch to check out and target; the jobs fall back to 'main'
      # when the input is empty, which is the case for scheduled runs.
      base_branch:
        description: 'Base branch to target'
        required: false
        default: 'main'
        type: string
  schedule:
    # at 4:30 UTC on Thursday
    - cron: '30 4 * * 4'

# Workflow-wide default: GITHUB_TOKEN gets no scopes at all. A job that needs
# a permission must declare it in its own `permissions` block.
permissions: {}
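jobs:
  # Fan-out job: one runner per btfhub-archive "cone" (distribution, optionally
  # release and architecture). Each runner generates a constants JSON file and
  # uploads it as an artifact. The job declares no permissions of its own, so
  # it runs with the empty workflow-level set.
  generate:
    runs-on: ubuntu-22.04
    strategy:
      # Let the remaining cones finish even if one of them fails.
      fail-fast: false
      matrix:
        cone:
          - amzn
          - centos
          - debian
          - fedora
          - ol/7/arm64
          - ol/7/x86_64
          - ol/8/arm64
          - ol/8/x86_64
          - opensuse-leap
          - rhel
          - sles
          - ubuntu/16.04/x86_64
          - ubuntu/18.04/arm64
          - ubuntu/18.04/x86_64
          - ubuntu/20.04/arm64
          - ubuntu/20.04/x86_64
    steps:
      # Best-effort removal of preinstalled toolchains and images; every
      # command tolerates failure. `df -h` logs the resulting disk usage.
      - name: Cleanup runner
        run: |
          sudo rm -rf /usr/local/lib/android >/dev/null 2>&1 || true
          docker rmi $(docker image ls -aq) >/dev/null 2>&1 || true
          sudo rm -rf /usr/share/dotnet || true
          sudo rm -rf /opt/ghc || true
          sudo rm -rf "/usr/local/share/boost" || true
          df -h

      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag that SHA is expected to correspond to.
      - name: Checkout datadog-agent repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.base_branch || 'main' }}
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false

      # Only the directory for this matrix entry is fetched from the archive.
      - name: Checkout btfhub-archive repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: DataDog/btfhub-archive
          path: dev/dist/archive
          sparse-checkout: ${{ matrix.cone }}
          persist-credentials: false

      # Local action: it is loaded from whatever ref was checked out above.
      - name: Install dda
        uses: ./.github/actions/install-dda
        with:
          features: legacy-tasks

      - name: Install go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: '.go-version'

      # Derive an artifact name from the cone, replacing '/' with '-'.
      # The matrix value is handed to the shell through an environment
      # variable rather than expanded into the script text, matching how
      # "Sync constants" receives ARTIFACT_NAME and keeping the script body
      # free of template expansion.
      - name: Compute name
        id: artifact-name
        env:
          MATRIX_CONE: ${{ matrix.cone }}
        run: |
          echo "ARTIFACT_NAME=constants-${MATRIX_CONE}" | tr '/' '-' >> "$GITHUB_OUTPUT"

      - name: Sync constants
        env:
          ARTIFACT_NAME: ${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
        run: |
          # fix amd64 missing embed files
          touch pkg/ebpf/kernelbugs/c/uprobe-trigger.o
          touch pkg/ebpf/kernelbugs/c/detect-seccomp-bug
          # generate constants
          dda inv -- -e security-agent.generate-btfhub-constants --archive-path=./dev/dist/archive --output-path=./"$ARTIFACT_NAME".json

      - name: Upload artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: ${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
          path: ./${{ steps.artifact-name.outputs.ARTIFACT_NAME }}.json

  # Fan-in job: downloads every per-cone artifact, merges and splits the
  # constants, then opens a pull request with the result.
  combine:
    needs: generate
    runs-on: ubuntu-22.04
    permissions:
      id-token: write # This is required for getting the required OIDC token from GitHub
      # NOTE(review): this permission is job-wide, so every step below can
      # request an OIDC token, including the dda tasks run from the
      # checked-out ref, not only the octo-sts step. Confirm that the trust
      # policy named in that step restricts which workflow and ref may
      # exchange the token.
    steps:
      # NOTE(review): unlike the generate job, this checkout does not set
      # `persist-credentials: false`, so checkout's default of keeping the
      # token in the local git config applies while the following steps run.
      # Confirm whether the pull-request step depends on that; if not, set it
      # to false here as well.
      - name: Checkout datadog-agent repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.base_branch || 'main' }}

      - name: Install dda
        uses: ./.github/actions/install-dda
        with:
          features: legacy-tasks

      - name: Install go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: '.go-version'

      # Collect all constants-* artifacts into a single directory.
      - name: Download All Artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          path: ./dev/dist/constants
          pattern: constants-*
          merge-multiple: true

      - name: Combine constants
        run: |
          # fix amd64 missing embed files
          touch pkg/ebpf/kernelbugs/c/uprobe-trigger.o
          touch pkg/ebpf/kernelbugs/c/detect-seccomp-bug
          # combine constants
          dda inv -- -e security-agent.combine-btfhub-constants --archive-path=./dev/dist/constants
          dda inv -- -e security-agent.split-btfhub-constants

      # Obtain the token that the next step uses to create the pull request,
      # for the given repository scope and named policy.
      - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
        id: octo-sts
        with:
          scope: DataDog/datadog-agent
          policy: self.cws-btfhub-sync.create-pr

      # The pull request is opened with the octo-sts token, not GITHUB_TOKEN,
      # on a timestamp-suffixed branch and with signed commits.
      - uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
        name: Create pull request
        with:
          token: ${{ steps.octo-sts.outputs.token }}
          commit-message: "CWS: sync BTFhub constants"
          branch: cws/constants-sync
          branch-suffix: timestamp
          sign-commits: true
          title: "CWS: sync BTFHub constants"
          body: |
            ### What does this PR do?
            This PR syncs the BTFHub constants used by CWS
            _This PR was autogenerated_
          milestone: 22 # triage
          labels: changelog/no-changelog, qa/no-code-change, team/agent-security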