Commit Graph

191 Commits

Author SHA1 Message Date
Mario Minardi
a3f7e72321
.github: use and pin slackapi/slack-github-action to latest 1.x (#13554)
Use slackapi/slack-github-action across the board and pin to latest 1.x.
Previously we were referencing the 1.27.0 tag directly which is
vulnerable to someone replacing that version tag with malicious code.

Replace usage of ruby/action-slack with slackapi/slack-github-action as
the latter is the officially supported action from slack.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
2024-09-23 16:11:13 -06:00
Mario Minardi
22e98cf95e
.github: pin codeql actions to latest 3.x (#13552)
Pin codeql actions usage to latest 3.x. These were previously pointing
to `@2` which pulls in the latest v2 as they are released, with the
potential to break our workflows if a breaking change or malicious
version on the `@2` stream is ever pushed.

Changing this to a pinned version also means that dependabot will keep
this in the pinend version format (e.g., referencing a SHA) when it
opens a PR to bump the dependency.

The breaking change between v2 and v3 is that v3 requires Node 20 which
is a non-issue as we are running this on ubuntu latest.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
2024-09-23 15:52:26 -06:00
Mario Minardi
2c1bbfb902
.github: pin actions/setup-go usage to latest 5.x (#13553)
Pin actions/checkout usage to latest 5.x. These were previously pointing
to `@4` which pulls in the latest v4 as they are released, with the
potential to break our workflows if a breaking change or malicious
version on the `@4` stream is ever pushed.

Changing this to a pinned version also means that dependabot will keep
this in the pinend version format (e.g., referencing a SHA) when it
opens a PR to bump the dependency.

The breaking change between v4 and v5 is that v5 requires Node 20 which
should be a non-issue where it is used.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
2024-09-23 15:14:49 -06:00
Mario Minardi
07991dec83
.github: pin actions/checkout to latest v3 or v4 as appropriate (#13551)
Pin actions/checkout usage to latest 3.x or 4.x as appropriate. These
were previously pointing to `@4` or `@3` which pull in the latest
versions at these tags as they are released, with the potential to break
our workflows if a breaking change or malicious version for either of
these streams are released.

Changing this to a pinned version also means that dependabot will keep
this in the pinend version format (e.g., referencing a SHA) when it
opens a PR to bump the dependency.

Updates #cleanup

Signed-off-by: Mario Minardi <mario@tailscale.com>
2024-09-23 14:52:19 -06:00
Maisem Ali
f2713b663e .github: enable fuzz testing again (go1.23)
Updates #12912

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2024-09-11 14:50:13 -07:00
dependabot[bot]
71b550c73c
.github: Bump peter-evans/create-pull-request from 5.0.1 to 7.0.1 (#13419)
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 7.0.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](284f54f989...8867c4aba1)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-10 10:08:14 -06:00
Brad Fitzpatrick
696711cc17 all: switch to and require Go 1.23
Updates #12912

Change-Id: Ib4ae26eb5fb68ad2216cab4913811b94f7eed5b6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-08-22 12:31:08 -07:00
Chris Palmer
59936e6d4a
scripts: don't refresh the pacman repository on Arch (#12194)
Fixes #12186

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Co-authored-by: Chris Palmer <cpalmer@tailscale.com>
2024-07-03 09:58:01 -07:00
Andrew Dunham
0323dd01b2 ci: enable checklocks workflow for specific packages
This turns the checklocks workflow into a real check, and adds
annotations to a few basic packages as a starting point.

Updates #12625

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I2b0185bae05a843b5257980fc6bde732b1bdd93f
2024-06-26 13:55:07 -04:00
Percy Wegmann
730f0368d0 ssh/tailssh: replace incubator process with su instead of running su as child
This allows the SSH_AUTH_SOCK environment variable to work inside of
su and agent forwarding to succeed.

Fixes #12467

Signed-off-by: Percy Wegmann <percy@tailscale.com>
2024-06-20 10:11:03 -05:00
Jordan Whited
65888d95c9
derp/xdp,cmd/xdpderper: initial skeleton (#12390)
This commit introduces a userspace program for managing an experimental
eBPF XDP STUN server program. derp/xdp contains the eBPF pseudo-C along
with a Go pkg for loading it and exporting its metrics.
cmd/xdpderper is a package main user of derp/xdp.

Updates tailscale/corp#20689

Signed-off-by: Jordan Whited <jordan@tailscale.com>
2024-06-14 08:45:24 -07:00
Andrew Lytvynov
13e1355546
scripts/installer.sh: remove unnecessary escaping in grep (#11950)
Updates #11263

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-05-01 11:09:10 -06:00
Brad Fitzpatrick
b9adbe2002 net/{interfaces,netmon}, all: merge net/interfaces package into net/netmon
In prep for most of the package funcs in net/interfaces to become
methods in a long-lived netmon.Monitor that can cache things.  (Many
of the funcs are very heavy to call regularly, whereas the long-lived
netmon.Monitor can subscribe to things from the OS and remember
answers to questions it's asked regularly later)

Updates tailscale/corp#10910
Updates tailscale/corp#18960
Updates #7967
Updates #3299

Change-Id: Ie4e8dedb70136af2d611b990b865a822cd1797e5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-28 07:34:52 -07:00
Brad Fitzpatrick
a1abd12f35 cmd/tailscaled, net/tstun: build for aix/ppc64
At least in userspace-networking mode.

Fixes #11361

Change-Id: I78d33f0f7e05fe9e9ee95b97c99b593f8fe498f2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-04-13 11:03:22 -07:00
Will Norris
1d2af801fa .github/workflows: remove go-licenses action
This is now handled by an action running in corp.

Updates tailscale/corp#18803

Signed-off-by: Will Norris <will@tailscale.com>
2024-03-29 19:38:13 -07:00
Irbe Krumina
06e22a96b1
.github/workflows: fix path filter for 'Kubernetes manifests' test job (#11520)
Updates#cleanup

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-03-25 19:44:30 +00:00
James Tucker
7e17aeb36b .github/workflows: fix regular breakage of go toolchains
This server recently had a common ansible applied, which added a
periodic /tmp cleaner, as is needed on other CI machines to deal with
test tempfile leakage. The setting of $HOME to /tmp means that the go
toolchain in there was regularly getting pruned by the tmp cleaner, but
often incompletely, because it was also in use.

Move HOME to a runner owned directory.

Updates #11248

Signed-off-by: James Tucker <james@tailscale.com>
2024-02-28 08:17:35 -08:00
James Tucker
c9b6d19fc9 .github/workflows: fix typo in XDG_CACHE_HOME
This appears to be one of the contributors to this CI target regularly
entering a bad state with a partially written toolchain.

Updates #self

Signed-off-by: James Tucker <james@tailscale.com>
2024-02-23 16:44:29 -08:00
Andrew Dunham
6f6383f69e .github: fuzzing is now unbroken
Updates #cleanup

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I10dca601c79411b412180a46b3f82136e40544b0
2024-02-09 17:02:58 -05:00
Brad Fitzpatrick
c424e192c0 .github/workflows: temporarily disable broken oss-fuzz action
Updates #11064
Updates #11058

Change-Id: I63acc13dece3379a0b2df573afecfd245b7cd6c2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-02-07 18:10:15 -08:00
Brad Fitzpatrick
9612001cf4 .github/workflows: update golangci-lint for Go 1.22
Updates #11058

Change-Id: I3785c1f1bea4a4663e7e5fb6d209d3caedae436d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-02-07 18:10:15 -08:00
James Tucker
0b16620b80 .github/workflows: add privileged tests workflow
We had missed regressions from privileged tests not running, now they
can run.

Updates #cleanup
Signed-off-by: James Tucker <james@tailscale.com>
2024-02-07 14:45:22 -08:00
James Tucker
7e3bcd297e go.mod,wgengine/netstack: bump gvisor
Updates #8043

Signed-off-by: James Tucker <james@tailscale.com>
2024-01-19 18:23:53 -08:00
James Tucker
457102d070 go.mod: bump most deps for start of cycle
Plan9 CI is disabled. 3p dependencies do not build for the target.
Contributor enthusiasm appears to have ceased again, and no usage has
been made.

Skipped gvisor, nfpm, and k8s.

Updates #5794
Updates #8043

Signed-off-by: James Tucker <james@tailscale.com>
2024-01-19 16:51:39 -08:00
Irbe Krumina
2aec4f2c43
./github/workflows/kubemanifests.yaml: fix the paths whose changes should trigger test runs (#10885)
Updates#cleanup

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2024-01-19 01:51:10 +00:00
Andrew Lytvynov
7df9af2f5c
.github/workflows/govulncheck: migrate to a Github App (#10793)
Send failures to a new channel using a github app token instead of
webhook URL.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-01-09 11:51:08 -08:00
Irbe Krumina
1a08ea5990
cmd/k8s-operator: operator can create subnetrouter (#9505)
* k8s-operator,cmd/k8s-operator,Makefile,scripts,.github/workflows: add Connector kube CRD.

Connector CRD allows users to configure the Tailscale Kubernetes operator
to deploy a subnet router to expose cluster CIDRs or
other CIDRs available from within the cluster
to their tailnet.

Also adds various CRD related machinery to
generate CRD YAML, deep copy implementations etc.

Engineers will now have to run
'make kube-generate-all` after changing kube files
to ensure that all generated files are up to date.

* cmd/k8s-operator,k8s-operator: reconcile Connector resources

Reconcile Connector resources, create/delete subnetrouter resources in response to changes to Connector(s).

Connector reconciler will not be started unless
ENABLE_CONNECTOR env var is set to true.
This means that users who don't want to use the alpha
Connector custom resource don't have to install the Connector
CRD to their cluster.
For users who do want to use it the flow is:
- install the CRD
- install the operator (via Helm chart or using static manifests).
For Helm users set .values.enableConnector to true, for static
manifest users, set ENABLE_CONNECTOR to true in the static manifest.

Updates tailscale/tailscale#502


Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2023-12-14 13:51:59 +00:00
Sonia Appasamy
cc6729a0bc .github/workflows: add webclient workflow
Add workflow to run yarn lint/test/format-check against the web
client on pull requests.

Updates #10261

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2023-12-06 13:21:27 -05:00
Irbe Krumina
49fd0a62c9
cmd/k8s-operator: generate static kube manifests from the Helm chart. (#10436)
* cmd/k8s-operator: generate static manifests from Helm charts

This is done to ensure that there is a single source of truth
for the operator kube manifests.
Also adds linux node selector to the static manifests as
this was added as a default to the Helm chart.

Static manifests can now be generated by running
`go generate tailscale.com/cmd/k8s-operator`.

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2023-12-04 10:18:07 +00:00
Percy Wegmann
17501ea31a ci: report test coverage to coveralls.io
This records test coverage for the amd64 no race tests and uploads the
results to coveralls.io.

Updates #cleanup

Signed-off-by: Ox Cart <ox.to.a.cart@gmail.com>
2023-11-21 09:08:37 -06:00
Will Norris
33147c4591 .github: build gocross using regular GOPROXY settings
This `go get` action has been running very slowly, and I'm pretty sure
it's because we're building gocross on the first `./tool/go` run, and
because we've set `GOPROXY=direct`, it's going directly to GitHub to
fetch all of the gocross dependencies.

Updates #cleanup

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-16 09:46:48 -08:00
Will Norris
7399e56acd .github: add action for updating web-client-prebuilt module
Updates tailscale/corp#14335

Signed-off-by: Will Norris <will@tailscale.com>
2023-11-14 09:30:08 -08:00
dependabot[bot]
b1a0caf056 .github: Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-01 13:26:33 -07:00
Irbe Krumina
c2b87fcb46
cmd/k8s-operator/deploy/chart,.github/workflows: use helm chart API v2 (#10055)
API v1 is compatible with helm v2 and v2 is not.
However, helm v2 (the Tiller deployment mechanism) was deprecated in 2020
and no-one should be using it anymore.
This PR also adds a CI lint test for helm chart

Updates tailscale/tailscale#9222

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
2023-11-01 16:15:18 +00:00
Will Norris
42abf13843 .github: run tests on all PRs, regardless of branch name
The branch name selector "*" doesn't match branches with a "/" in their
name. The vast majority of our PRs are against the main (or previously,
master) branch anyway, so this will have minimal impact. But in the rare
cases that we want to open a PR against a branch with a "/" in the name,
tests should still run.

```
gh pr list --limit 9999 --state all --json baseRefName | \
  jq -cs '.[] | group_by(.baseRefName) |
    map({ base: .[0].baseRefName, count: map(.baseRefName) | length}) |
    sort_by(-.count) | .[]'

{"base":"main","count":4593}
{"base":"master","count":226}
{"base":"release-branch/1.48","count":4}
{"base":"josh-and-adrian-io_uring","count":3}
{"base":"release-branch/1.30","count":3}
{"base":"release-branch/1.32","count":3}
{"base":"release-branch/1.20","count":2}
{"base":"release-branch/1.26","count":2}
{"base":"release-branch/1.34","count":2}
{"base":"release-branch/1.38","count":2}
{"base":"Aadi/speedtest-tailscaled","count":1}
{"base":"josh/io_uring","count":1}
{"base":"maisem/hi","count":1}
{"base":"rel-144","count":1}
{"base":"release-branch/1.18","count":1}
{"base":"release-branch/1.2","count":1}
{"base":"release-branch/1.22","count":1}
{"base":"release-branch/1.24","count":1}
{"base":"release-branch/1.4","count":1}
{"base":"release-branch/1.46","count":1}
{"base":"release-branch/1.8","count":1}
{"base":"web-client-main","count":1}
```

Updates #cleanup

Signed-off-by: Will Norris <will@tailscale.com>
2023-10-26 10:47:39 -07:00
James Tucker
237b4b5a2a .github/workflows: add checklocks
Currently the checklocks step is not configured to fail, as we do not
yet have the appropriate annotations.

Updates tailscale/corp#14381

Signed-off-by: James Tucker <james@tailscale.com>
2023-10-25 16:39:31 -07:00
James Tucker
afb72ecd73 .github/workflows: update golangci-lint
Updates #cleanup
Signed-off-by: James Tucker <james@tailscale.com>
2023-10-18 14:17:35 -07:00
Brad Fitzpatrick
1fc3573446 ipn/{conffile,ipnlocal}: start booting tailscaled from a config file w/ auth key
Updates #1412

Change-Id: Icd880035a31df59797b8379f4af19da5c4c453e2
Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-10-17 07:12:49 -07:00
Brad Fitzpatrick
4dec0c6eb9 tstest, tstest/integration, github/workflows: shard integration tests
Over four jobs for now.

Updates #cleanup

Change-Id: Ic2b1a739a454916893945a3f9efc480d6fcbd70b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-10-16 20:09:24 -07:00
Maisem Ali
e6ab7d3c14 cmd/testwrapper: parse args better
Previously we were just smushing together args and not trying
to parse the values at all. This resulted in the args to testwrapper
being limited and confusing.

This makes it so that testwrapper parses flags in the exact format as `go test`
command and passes them down in the provided order. It uses tesing.Init to
register flags that `go test` understands, however those are not the only
flags understood by `go test` (such as `-exec`) so we register these separately.

Updates tailscale/corp#14975

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-10-16 17:33:50 -07:00
Brad Fitzpatrick
56ebcd1ed4 .github/workflows: break up race builder a bit more
Move the compilation of everything to its own job too, separate
from test execution.

Updates #7894

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-10-14 19:28:31 -07:00
Brad Fitzpatrick
18e2936d25 github/workflows: move race tests to their own job
They're slow. Make them their own job that can run in parallel.

Also, only run them in race mode. No need to run them on 386
or non-race amd64.

Updates #7894

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-10-14 14:08:58 -07:00
Brad Fitzpatrick
c363b9055d tstest/integration: add tests for tun mode (requiring root)
Updates #7894

Change-Id: Iff0b07b21ae28c712dd665b12918fa28d6f601d0
Co-authored-by: Maisem Ali <maisem@tailscale.com>
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-10-14 13:52:30 -07:00
Andrew Lytvynov
7ce1c6f981
.github/workflows: fix slack-action format in govulncheck.yml (#9390)
Currently slack messages for errors fail:
https://github.com/tailscale/tailscale/actions/runs/6159104272/job/16713248204

```
Error: Unexpected token
 in JSON at position 151
```

This is likely due to the line break in the text. Restructure the
message to use separate title/text and fix the slack webhook body.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2023-09-13 14:36:40 -07:00
Maisem Ali
3280c81c95 .github,cmd/gitops-pusher: update to checkout@v4
checkout@v3 is broken:
actions/checkout#1448

Updates #cleanup

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-09-04 15:12:57 -07:00
Brad Fitzpatrick
346445acdd .github/workflows: only run bench all on packages with benchmarks
Drops time by several minutes.

Also, on top of that: skip building variant CLIs on the race builder
(29s), and getting qemu (15s).

Updates #9182

Change-Id: I979e02ab8c0daeebf5200459c9e4458a1f62f728
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-08-31 21:52:18 -07:00
Maisem Ali
1f12b3aedc .github: do not use testwrapper for benchmarks
Updates #9182

Signed-off-by: Maisem Ali <maisem@tailscale.com>
2023-08-31 15:23:41 -07:00
Brad Fitzpatrick
98a5116434 all: adjust some build tags for plan9
I'm not saying it works, but it compiles.

Updates #5794

Change-Id: I2f3c99732e67fe57a05edb25b758d083417f083e
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-08-24 15:42:35 -07:00
shayne
46b0c9168f
.github: update flakehub workflow to support existing tags (#9067)
This adds a workflow_dispatch input to the update-flakehub workflow that
allows the user to specify an existing tag to publish to FlakeHub. This
is useful for publishing a version of a package that has already been
tagged in the repository.

Updates #9008

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2023-08-24 11:09:16 -04:00
shayne
7825074444
.github: fix flakehub-publish-tagged.yml glob (#9066)
The previous regex was too advanced for GitHub Actions. They only
support a simpler glob syntax.

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet

Updates #9008

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
2023-08-24 10:50:25 -04:00