Merge pull request #74 from parca-dev/merge

Update with changes from upstream

Author: gnurizen

.github/renovate.json5

@@ -0,0 +1,38 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:best-practices",
+    "helpers:pinGitHubActionDigestsToSemver"
+  ],
+  "packageRules": [
+    {
+      "groupName": "Go dependencies",
+      "matchManagers": ["gomod"],
+      "schedule": ["before 8am every weekday"],
+      "automerge": true
+    },
+    {
+      "groupName": "Docker related dependencies",
+      "matchManagers": ["buildpacks", "devcontainer", "docker-compose", "dockerfile"],
+      "schedule": ["before 8am every weekday"],
+      "automerge": true
+    },
+    {
+      "groupName": "GitHub Actions",
+      "matchManagers": ["github-actions"],
+      "schedule": ["before 8am every weekday"],
+      "automerge": true
+    },
+    {
+      "groupName": "Rust dependencies",
+      "matchManagers": ["cargo"],
+      "schedule": ["before 8am every weekday"]
+    }
+  ],
+  "ignoreDeps": [
+    "golangci/golangci-lint-action"
+  ],
+  "labels": [
+    "dependencies"
+  ]
+}

.github/workflows/auto-tag.yml

@@ -0,0 +1,36 @@
+name: Monthly Tagging
+on:
+  workflow_dispatch: # Allows manual triggering of the workflow
+  schedule:
+    # Run every month on the 3rd day at 08:15 AM.
+    - cron: '15 8 3 * *'
+
+permissions:
+  contents: read
+
+jobs:
+  create-monthly-tag:
+    permissions:
+      contents: write # required for pushing git tags
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Configure Git
+        run: |
+          git config user.name "${GITHUB_ACTOR}"
+          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      - name: Get current year and week number
+        id: date
+        run: |
+          echo "tag_name=v0.0.$(date +%G%V)" >> "$GITHUB_OUTPUT"
+
+      - name: Create and push tag
+        run: |
+          TAG_NAME="${{ steps.date.outputs.tag_name }}"
+          # Create an annotated tag on the latest commit of the current branch (main)
+          git tag -a $TAG_NAME -m "$TAG_NAME"
+          # Push the newly created tag to the remote repository
+          git push origin $TAG_NAME

.github/workflows/codeql.yml

@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: "21 6 * * 1"
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze Go (${{ matrix.target_arch }})
@@ -18,13 +20,13 @@ jobs:
         target_arch: [amd64, arm64]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up environment
         uses: ./.github/workflows/env
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           languages: go
 
@@ -33,7 +35,7 @@ jobs:
           make TARGET_ARCH=${{ matrix.target_arch }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
             category: "/language:Go"
         timeout-minutes: 10

.github/workflows/codespell.yml

@@ -4,13 +4,15 @@ on:
     branches:
       - main
   pull_request:
+permissions:
+  contents: read
 jobs:
   codespell:
     runs-on: ubuntu-latest
     steps:
       - name: Install codespell
         run: sudo apt-get install codespell
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Codespell
         run: make codespell

.github/workflows/env/action.yml

@@ -1,5 +1,12 @@
 name: Common environment setup
 
+inputs:
+  skip_rust:
+    description: 'Set to true to skip installing Rust toolchains'
+    required: false
+    type: boolean
+    default: false
+
 runs:
   using: composite
   steps:
@@ -31,12 +38,13 @@ runs:
           libc6-arm64-cross qemu-user-binfmt libc6:arm64 \
           musl-dev:amd64 musl-dev:arm64 musl-tools binutils-aarch64-linux-gnu
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version-file: go.mod
         cache-dependency-path: go.sum
       id: go
     - name: Install Rust
+      if: ${{ inputs.skip_rust == false }}
       uses: dtolnay/rust-toolchain@stable
       with:
         targets: x86_64-unknown-linux-musl,aarch64-unknown-linux-musl

.github/workflows/fossa.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+      - uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac # v1.7.0
         with:
           api-key: ${{secrets.FOSSA_API_KEY}}
           team: OpenTelemetry

.github/workflows/ossf-scorecard.yml

@@ -23,7 +23,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+      - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,6 +42,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif

.github/workflows/push-docker-image.yml

@@ -6,28 +6,31 @@ on:
     paths:
       - "Dockerfile"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
     if: github.repository == 'open-telemetry/opentelemetry-ebpf-profiler'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Set current timestamp tag
         id: tag
         run: |
           echo "tag=$(date +%Y%m%d%H%M)" >> $GITHUB_OUTPUT
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           push: true
           file: Dockerfile

.github/workflows/unit-test-on-pull-request.yml

@@ -6,13 +6,16 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions:
+  contents: read
+
 jobs:
   legal:
     name: Check licenses of dependencies
     runs-on: ubuntu-24.04
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up environment
         uses: ./.github/workflows/env
       - name: Check for changes in licenses of dependencies
@@ -31,24 +34,20 @@ jobs:
         target_arch: [amd64, arm64]
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up environment
         uses: ./.github/workflows/env
       - name: Get linter version
         id: linter-version
         run: (echo -n "version="; make linter-version) >> "$GITHUB_OUTPUT"
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+      - name: linter
         env:
           GOARCH: ${{ matrix.target-arch }}
           CGO_ENABLED: 1
-        with:
-          version: ${{ steps.linter-version.outputs.version }}
-      - name: Lint eBPF code
         run: |
           sudo apt update
           sudo apt install -y clang-format-17
-          make lint -C support/ebpf
+          make lint
 
   test:
     name: Test (${{ matrix.target_arch }})
@@ -58,53 +57,65 @@ jobs:
         target_arch: [amd64, arm64]
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up environment
         uses: ./.github/workflows/env
+        with:
+          skip_rust: true
       - name: Cache coredump modules
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: tools/coredump/modulecache
           key: coredumps-${{ matrix.target_arch }}-${{ hashFiles('tools/coredump/testdata/*/*.json') }}
           restore-keys: |
             coredumps-${{ matrix.target_arch }}
             coredumps-
-      - name: Direct Rust test
-        run: make rust-tests
       - name: Tests
         run: make test TARGET_ARCH=${{ matrix.target_arch }}
 
+  rust-test:
+    name: Rust Tests (${{ matrix.target_arch }})
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        target_arch: [amd64, arm64]
+    steps:
+      - name: Clone code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up environment
+        uses: ./.github/workflows/env
+      - name: Tests
+        run: make rust-tests
+
   check-binary-blobs:
-    name: Check for differences in the eBPF and Rust binary blobs
+    name: Check for differences in the eBPF binary blobs
     runs-on: ubuntu-24.04
-    container: otel/opentelemetry-ebpf-profiler-dev:latest
+    container: otel/opentelemetry-ebpf-profiler-dev:latest@sha256:acce547f366150eb25392e1aff270df430ef6b759baeb4292999116018e70e6e
     defaults:
       run:
         shell: bash --login {0}
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Hash binary blobs
         run: |
-          sha256sum support/ebpf/tracer.ebpf.release.* > binary-blobs.hash
-          sha256sum target/x86_64-unknown-linux-musl/release/libsymblib_capi.a >> binary-blobs.hash
-          sha256sum target/aarch64-unknown-linux-musl/release/libsymblib_capi.a >> binary-blobs.hash
+          sha256sum support/ebpf/tracer.ebpf.* > binary-blobs.hash
       - name: Rebuild eBPF blobs
         run: |
-          rm support/ebpf/tracer.ebpf.release.*
+          rm support/ebpf/tracer.ebpf.*
           make amd64 -C support/ebpf
           make arm64 -C support/ebpf
-      - name: Rebuild Rust blobs
-        run: |
-          rm -rf target/
-          make rust-components TARGET_ARCH=amd64
-          make rust-components TARGET_ARCH=arm64
       - name: Check for differences
         run: |
           if ! sha256sum --check binary-blobs.hash; then
             echo "Please rebuild and commit the updated binary blobs."
             exit 1
           fi
+      - if: failure()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: binary-blobs
+          path: support/ebpf/tracer.ebpf.*
 
   build-integration-test-binaries:
     name: Build integration test binaries (${{ matrix.target_arch }})
@@ -115,13 +126,13 @@ jobs:
         target_arch: [amd64, arm64]
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up environment
         uses: ./.github/workflows/env
       - name: Prepare integration test binaries for qemu tests
         run: make integration-test-binaries TARGET_ARCH=${{ matrix.target_arch }}
       - name: Upload integration test binaries
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: integration-test-binaries-${{ matrix.target_arch }}
           path: support/*.test
@@ -138,7 +149,6 @@ jobs:
           # https://github.com/cilium/ci-kernels/pkgs/container/ci-kernels/versions?filters%5Bversion_type%5D=tagged
 
           # AMD64
-          # - { target_arch: amd64, kernel: 4.19.314 }
           - { target_arch: amd64, kernel: 5.4.276 }
           - { target_arch: amd64, kernel: 5.10.217 }
           - { target_arch: amd64, kernel: 5.15.159 }
@@ -155,7 +165,7 @@ jobs:
           - { target_arch: arm64, kernel: 6.12.16 }
     steps:
       - name: Clone code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install dependencies
         run: |
           sudo apt-get update -y
@@ -167,7 +177,7 @@ jobs:
           go install github.com/florianl/[email protected]
           sudo mv ~/go/bin/bluebox /usr/local/bin/.
       - name: Fetch integration test binaries
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with: { name: "integration-test-binaries-${{ matrix.target_arch }}" }
       - name: Fetch precompiled kernel
         run: |

.gitignore

@@ -7,6 +7,3 @@ ebpf-profiler
 ci-kernels
 # Ignore target directory
 target/*
-# But not these specific paths
-!target/x86_64-unknown-linux-musl/release/libsymblib_capi.a
-!target/aarch64-unknown-linux-musl/release/libsymblib_capi.a