* Bake BPF filter into apply-seccomp, build in CI
The unix-block BPF filter is now generated as a C header at build time
and compiled directly into apply-seccomp. The separate .bpf file is gone,
as is the TS machinery that found, loaded, and tracked it.
vendor/seccomp/build.ts compiles the BPF generator, runs it for both
x64 and arm64, writes the bytes into unix-block-bpf.h, then compiles
apply-seccomp with that header #included. An #if defined(__x86_64__) /
#elif defined(__aarch64__) block in the header picks the right filter
at compile time.
The built binaries are no longer committed. release.yml runs a matrix
job on both an x64 and an arm64 runner, each building apply-seccomp
for its own architecture, uploading the result as an artifact. The
publish job downloads both into vendor/seccomp/{x64,arm64}/ before
npm publish, keeping the tarball layout unchanged.
* Build seccomp binaries in docker-tests CI job
* Remove stale references to on-disk BPF filter file
The two fail-closed tests in pid-namespace-isolation now test execve
failure instead of filter-file validation, since apply-seccomp no longer
takes a filter argument. README still described .bpf files in
vendor/seccomp/.
* Bump version to 0.0.47
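# Release workflow: builds the native apply-seccomp helper from source on
# one runner per architecture, then publishes the npm package with
# provenance once the release tag has been checked against main and
# against package.json.
name: Release

on:
  release:
    types: [published]

# Default token scope for every job is read-only. The OIDC token that
# `npm publish --provenance` needs is granted to the publish job only,
# so the build job (which runs project build scripts) cannot mint it.
permissions:
  contents: read

jobs:
  build-seccomp:
    name: Build seccomp (${{ matrix.arch }})
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
        # Each runner compiles apply-seccomp for its own architecture.
        include:
          - arch: x64
            runner: ubuntu-latest
          - arch: arm64
            runner: ubuntu-24.04-arm
    steps:
      # NOTE(review): actions are pinned by major tag; pinning each `uses:`
      # to a full commit SHA would make the release pipeline independent
      # of tag movement in the upstream action repositories.
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: '1.3.1'
      # Compiler and libseccomp headers for the native build step below.
      - run: sudo apt-get update && sudo apt-get install -y gcc libseccomp-dev
      - run: npm run build:seccomp
      - uses: actions/upload-artifact@v4
        with:
          name: seccomp-${{ matrix.arch }}
          path: vendor/seccomp/${{ matrix.arch }}
          # A missing binary must fail the run rather than let publish
          # ship a package without its sandbox helper.
          if-no-files-found: error

  publish:
    name: Publish to npm
    needs: build-seccomp
    runs-on: ubuntu-latest
    environment: npm
    permissions:
      contents: read
      id-token: write  # required for `npm publish --provenance`
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is needed for the merge-base check below.
          fetch-depth: 0

      # Refuse to publish a tag that does not point at a commit on main.
      - name: Verify release tag is on main
        run: |
          git fetch origin main
          if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then
            echo "::error::Release tag points to a commit not on main. Refusing to publish unreviewed code."
            exit 1
          fi

      # The tag name (minus a leading "v") must equal the package version.
      - name: Verify tag matches package.json version
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          PKG_VERSION=$(node -p "require('./package.json').version")
          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
            echo "::error::Tag version ($TAG_VERSION) doesn't match package.json ($PKG_VERSION)"
            exit 1
          fi

      - uses: actions/setup-node@v4
        with:
          node-version: '18'
          registry-url: 'https://registry.npmjs.org'

      # Both architecture builds land in vendor/seccomp/{x64,arm64}/, the
      # layout the published tarball expects.
      - uses: actions/download-artifact@v4
        with:
          name: seccomp-x64
          path: vendor/seccomp/x64
      - uses: actions/download-artifact@v4
        with:
          name: seccomp-arm64
          path: vendor/seccomp/arm64
      # Restore the exec bit; presumably the artifact round-trip drops
      # file modes — verify against the upload-artifact docs.
      - run: chmod +x vendor/seccomp/*/apply-seccomp

      - run: npm install
      - run: npm run clean && npm run build

      - name: Publish to npm
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}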