kubernetes-sigs
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 49 additions & 11 deletions b/‎.github/workflows/build.yml‎
Lines changed: 49 additions & 11 deletions
diff --git a/‎.github/workflows/olm_tests.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/olm_tests.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 10 additions & 16 deletions b/‎.github/workflows/test.yml‎
Lines changed: 10 additions & 16 deletions
diff --git a/‎.golangci.yml‎
Lines changed: 63 additions & 46 deletions b/‎.golangci.yml‎
Lines changed: 63 additions & 46 deletions
@@ -27,7 +27,15 @@ jobs:
       - run: make verify-go-lint
 
   nix:
-    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+          - ppc64le
+    runs-on: ubuntu-24.04
+    name: nix / ${{ matrix.arch }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v28
@@ -38,15 +46,45 @@ jobs:
           name: security-profiles-operator
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
           pushFilter: security-profiles-operator
-      - run: make nix
+      - run: make nix-${{ matrix.arch }}
       - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
-          name: build
-          path: build.tar.gz
+          name: build-${{ matrix.arch }}
+          path: build/${{ matrix.arch }}
 
   nix-spoc:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+          - ppc64le
+    runs-on: ubuntu-24.04
+    name: nix / spoc / ${{ matrix.arch }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v28
+        with:
+          install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
+        with:
+          name: security-profiles-operator
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          pushFilter: security-profiles-operator
+      - run: nix-build nix/default-${{ matrix.arch }}.nix
+
+  nix-spoc-push:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+          - ppc64le
     if: github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags')
-    runs-on: ubuntu-22.04
+    name: nix / spoc / push / ${{ matrix.arch }}
+    runs-on: ubuntu-24.04
     permissions:
       contents: write  # required for updating the release
       id-token: write  # required for sigstore signing
@@ -65,10 +103,10 @@ jobs:
           sudo curl -sSfL --retry 5 --retry-delay 3 -o /usr/bin/bom \
             https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux
           sudo chmod +x /usr/bin/bom
-      - run: make nix-spoc
+      - run: make nix-spoc-${{ matrix.arch }}
       - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
-          name: spoc
+          name: spoc-${{ matrix.arch }}
           path: |
             build/*
       - uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
@@ -78,7 +116,7 @@ jobs:
             build/*
 
   bpf:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
@@ -95,7 +133,7 @@ jobs:
       - run: make verify-bpf
 
   build-image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Remove unnecessary files
         run: |
@@ -136,7 +174,7 @@ jobs:
           push: ${{ github.ref == 'refs/heads/main' }}
 
   operator-image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Docker Buildx
@@ -170,7 +208,7 @@ jobs:
           load: true
 
   ubi-image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Docker Buildx
 
@@ -5,7 +5,7 @@ on:
       - main
   pull_request:
 env:
-  KIND_IMG_TAG: v1.32.0
+  KIND_IMG_TAG: v1.32.2
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -15,7 +15,7 @@ permissions: {}
 jobs:
   main:
     name: tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -17,7 +17,7 @@ jobs:
       # write security-events is required by all codeql-action workflows
       security-events: write
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: github/codeql-action/init@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.17.1
@@ -27,7 +27,7 @@ jobs:
       - uses: github/codeql-action/analyze@c4fb451437765abf5018c6fbf22cce1a7da1e5cc # v2.17.1
 
   coverage:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
@@ -43,7 +43,7 @@ jobs:
           verbose: true
 
   image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: hack/install-crun
@@ -58,8 +58,7 @@ jobs:
 
   e2e-fedora:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-fedora.sh
@@ -94,8 +93,7 @@ jobs:
 
   e2e-ubuntu:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-ubuntu.sh
@@ -130,8 +128,7 @@ jobs:
 
   e2e-flatcar:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-flatcar.sh
@@ -172,8 +169,7 @@ jobs:
 
   e2e-spoc:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-debian.sh
@@ -203,8 +199,7 @@ jobs:
 
   e2e-seccomp-profile:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-debian.sh
@@ -234,8 +229,7 @@ jobs:
 
   e2e-apparmor-profile:
     needs: image
-    # TODO: move back to 22.04 when https://github.com/actions/runner-images/issues/10678 got resolved
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 90
     env:
       RUN: ./hack/ci/run-debian.sh
@@ -264,7 +258,7 @@ jobs:
         run: $RUN hack/ci/e2e-apparmor.sh
 
   typos:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: crate-ci/typos@9d890159570d5018df91fedfa40b4730cd4a81b1 # v1.28.4
 
@@ -1,15 +1,9 @@
 ---
+version: "2"
 run:
   concurrency: 6
-  timeout: 10m
-issues:
-  exclude-rules:
-    - path: internal/pkg/daemon/bpfrecorder/generated.go
-      linters:
-        - gofumpt
-        - lll
 linters:
-  disable-all: true
+  default: none
   enable:
     - asasalint
     - asciicheck
@@ -32,7 +26,6 @@ linters:
     - exptostd
     - fatcontext
     - forcetypeassert
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecknoinits
@@ -43,14 +36,10 @@ linters:
     - gocyclo
     - godot
     - godox
-    - gofmt
-    - gofumpt
     - goheader
-    - goimports
     - gomodguard
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
@@ -87,14 +76,12 @@ linters:
     - spancheck
     - sqlclosecheck
     - staticcheck
-    - stylecheck
     - tagalign
     - tagliatelle
     - testableexamples
     - testifylint
     - thelper
     - tparallel
-    - typecheck
     - unconvert
     - unparam
     - unused
@@ -109,6 +96,7 @@ linters:
     # - err113
     # - exhaustruct
     # - forbidigo
+    # - funcorder
     # - funlen
     # - gochecknoglobals
     # - gomoddirectives
@@ -121,35 +109,64 @@ linters:
     # - testpackage
     # - varnamelen
     # - wrapcheck
-linters-settings:
-  revive:
+  settings:
+    errcheck:
+      check-type-assertions: true
+      check-blank: true
+    gocognit:
+      min-complexity: 40
+    goconst:
+      min-occurrences: 6
+    gocritic:
+      enable-all: true
+    godox:
+      keywords:
+        - BUG
+        - FIXME
+        - HACK
+    gomoddirectives:
+      replace-allow-list:
+        - golang.org/x/sys
+    gosec:
+      excludes:
+        - G115
+    nestif:
+      min-complexity: 15
+    revive:
+      rules:
+        - name: unused-parameter
+          disabled: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
     rules:
-      - name: unused-parameter
-        disabled: true
-  goconst:
-    min-occurrences: 6
-  gomoddirectives:
-    replace-allow-list:
-      - golang.org/x/sys
-  gocognit:
-    min-complexity: 40
-  gosec:
-    excludes:
-      - G115  # Potential integer overflow when converting between types
-  nestif:
-    min-complexity: 15
-  gci:
-    sections:
-      - standard
-      - default
-      - localmodule
-  errcheck:
-    check-type-assertions: true
-    check-blank: true
-  godox:
-    keywords:
-      - BUG
-      - FIXME
-      - HACK
-  gocritic:
-    enable-all: true
+      - linters:
+          - lll
+        path: internal/pkg/daemon/bpfrecorder/generated.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - localmodule
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - internal/pkg/daemon/bpfrecorder/generated.go