Lowering perms to CAP_NET_ADMIN #279
name: CI | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
jobs: | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.25' | |
check-latest: true | |
- name: Cache Go modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Download and verify dependencies | |
run: make deps | |
- name: Install golangci-lint | |
run: | | |
# binary will be $(go env GOPATH)/bin/golangci-lint | |
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.4.0 | |
golangci-lint --version | |
- name: Run linting | |
run: make lint | |
test: | |
name: Test | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.25' | |
check-latest: true | |
- name: Cache Go modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cache/go-build | |
~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Download and verify dependencies | |
run: make deps | |
# Before (default): | |
# - /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf | |
# - stub-resolv.conf points to 127.0.0.53 (systemd-resolved stub listener) | |
# - systemd-resolved forwards to the real upstream file: | |
# /run/systemd/resolve/resolv.conf | |
# Flow: /etc/resolv.conf -> stub-resolv.conf (127.0.0.53) -> systemd-resolved -> /run/systemd/resolve/resolv.conf | |
# | |
# After (bind-mount): | |
# - /etc/resolv.conf is bind-mounted to /run/systemd/resolve/resolv.conf | |
# - processes read upstream nameservers directly from /run/systemd/resolve/resolv.conf | |
# Flow: /etc/resolv.conf -> /run/systemd/resolve/resolv.conf | |
# | |
# This makes processes talk directly to the upstream DNS servers and | |
# bypasses the systemd-resolved *stub listener* (127.0.0.53). | |
# | |
# Important nuance: systemd-resolved itself is NOT stopped; it still runs and updates | |
# /run/systemd/resolve/resolv.conf. Because this is a bind (not a copy), updates to the | |
# upstream list are visible. Trade-off: we lose the stub’s features (caching, | |
# split-DNS/VPN per-interface behavior, DNSSEC/DoT/DoH mediation, mDNS/LLMNR). | |
# | |
# Reason: network namespaces have their own network stack (interfaces, routes and loopback). | |
# A process inside a network namespace resolves 127.0.0.53 against that namespace’s loopback, not the host’s, | |
# and systemd-resolved usually listens on the host loopback. As a result the stub at 127.0.0.53 is often | |
# unreachable from an isolated namespace and DNS lookups fail. | |
# Bind-mounting /run/systemd/resolve/resolv.conf over /etc/resolv.conf forces processes to use the upstream | |
# nameservers directly, avoiding that failure. | |
- name: Change DNS configuration | |
if: runner.os == 'Linux' | |
run: sudo mount --bind /run/systemd/resolve/resolv.conf /etc/resolv.conf | |
- name: Run unit tests | |
run: make unit-test | |
- name: Run e2e tests | |
run: make e2e-test | |
if: matrix.os == 'ubuntu-latest' | |
- name: Check build | |
run: make build |
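Review bot: The workflow declares no `permissions:` block, so both jobs run with whatever the repository's default GITHUB_TOKEN scope is even though nothing here needs more than reading the checkout; a top-level `permissions:` with `contents: read` under `name: CI` would make the token read-only and match the least-privilege intent in the title. The golangci-lint install step fetches `install.sh` from `HEAD` of the upstream repository and pipes it straight into `sh`, so only the binary version (v2.4.0) is pinned while the installer script itself is unpinned and unverified; pointing the URL at a tagged ref, or using the maintained `golangci/golangci-lint-action`, closes that gap. The `actions/*` references are pinned to major tags rather than commit SHAs, which is the usual hardening for third-party actions. One caveat worth adding to the otherwise thorough bind-mount comment is that the mount is never undone in a later step, so the remaining Linux steps (unit, e2e, build) presumably also resolve against the upstream nameservers rather than the systemd-resolved stub.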