Enable ntosebpfext workflows (#21)

Signed-off-by: Alan Jowett <[email protected]> Co-authored-by: Alan Jowett <[email protected]>
microsoft · Apr 22, 2024 · 337196d · 337196d
1 parent 670a441
commit 337196d
Show file tree

Hide file tree

Showing 13 changed files with 149 additions and 1,475 deletions.
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -0,0 +1,143 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
+# This is the top-level workflow that runs on each pull request and push to main.
+# It invokes other jobs to perform builds and run tests.
+# All jobs run in parallel, using build artifacts to synchronize jobs.
+#
+# If you add or remove any tests that use reusable-test.yml on a pull request,
+# you must update codecov.yml to match.
+
+name: CI/CD
+
+on:
+  # Run on a daily schedule to perform the full set of tests.
+  schedule:
+    - cron: '00 8 * * *'
+  # Run on pull request to validate code changes.
+  pull_request:
+  merge_group:
+  # Permit manual runs of the workflow.
+  workflow_dispatch:
+  # Run on push so we can capture the baseline code coverage.
+  push:
+    branches: [ main ]
+
+concurrency:
+  # Cancel any in-progress instance of this workflow (CI/CD) for the same PR.
+  # Allow running concurrently with any commits on any other branch.
+  # Using GITHUB_REF instead of GITHUB_SHA allows parallel runs on
+  # different branches with the same HEAD commit.
+  group: cicd-${{ github.event.schedule || github.event.pull_request.number || github.event.after || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write # Required to log in to Azure.
+  contents: read
+  checks: read  # Required by reusable-test.yml to check build status.
+  security-events: write # Required by codeql task.
+  issues: write # Required to create issues.
+
+jobs:
+  # Jobs to run on pull, push, and schedule.
+  # ---------------------------------------------------------------------------
+
+  # Perform the regular build.
+  regular:
+    # Always run this job.
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      ref: ${{ github.ref }}
+      build_artifact: Build-x64
+      configurations: '["Debug", "Release"]'
+
+  # Run the ntosebpfext unit tests in GitHub.
+  netebpf_ext_unit_tests:
+    # Always run this job.
+    needs: regular
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-test.yml
+    with:
+      name: netebpf_ext_unit_tests
+      pre_test: appverif -enable Exceptions Handles Heaps Leak Locks Memory SRWLock Threadpool TLS DangerousAPIs DirtyStacks TimeRollOver -for unit_tests.exe
+      test_command: .\ntosebpfext_unit.exe -d yes
+      build_artifact: Build-x64
+      environment: windows-2022
+      code_coverage: true
+      gather_dumps: true
+      capture_etw: true
+      leak_detection: true
+
+  ossar:
+    # Always run this job.
+    needs: regular
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/ossar-scan.yml
+    with:
+      build_artifact: Build-x64
+
+  # Additional jobs to run on pull and schedule only (skip push).
+  # ---------------------------------------------------------------------------
+  # Build with C++ static analyzer.
+  analyze:
+    # Only run on schedule and pull request.
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      ref: ${{ github.ref }}
+      build_artifact: Build-x64-Analyze
+      # Analysis on external projects is conditional, as on small CI/CD VMs the compiler can run OOM
+      build_options: /p:Analysis='True' /p:AnalysisOnExternal='False'
+
+  # Build with C++ address sanitizer.
+  sanitize:
+    # Only run on schedule and pull request.
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      ref: ${{ github.ref }}
+      build_artifact: Build-x64-Sanitize
+      build_options: /p:AddressSanitizer='True'
+
+  # Run the low memory simulator for ntosebpfext_unit tests.
+  fault_injection_ntosebpfext_unit:
+    needs: regular
+    if: github.event_name == 'schedule' || github.event_name == 'pull_request' || github.event_name == 'push' || github.event_name == 'merge_group' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-test.yml
+    with:
+      name: ntosebpfext_fault_injection
+      test_command: .\ntosebpfext_unit.exe
+      build_artifact: Build-x64
+      environment: windows-2022
+      code_coverage: true
+      gather_dumps: true
+      fault_injection: true
+      leak_detection: true
+
+  # Additional jobs to run on a schedule only (skip push and pull request).
+  # ---------------------------------------------------------------------------
+  codeql:
+    # Only run during daily scheduled run
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-build.yml
+    with:
+      ref: ${{ github.ref }}
+      build_artifact: Build-x64-CodeQl
+      build_codeql: true
+
+
+  # Run the complete fault injection simulator for ntosebpfext in GitHub.
+  # Runs on a schedule as this takes a long time to run.
+  ntosebpfext_fault_injection_full:
+    needs: regular
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-test.yml
+    with:
+      name: ntosebpfext_fault_injection_full
+      test_command: .\ntosebpfext_unit.exe
+      build_artifact: Build-x64
+      environment: windows-2022
+      code_coverage: false
+      gather_dumps: true
+      fault_injection: true
diff --git a/.github/~workflows/dependency-review.yml → .github/workflows/dependency-review.yml b/.github/~workflows/dependency-review.yml → .github/workflows/dependency-review.yml
@@ -1,3 +1,6 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
 # Dependency Review Action
 #
 # This Action will scan dependency manifest files that change as part of a Pull Request,

diff --git a/.github/~workflows/nuget_update.yaml → .github/workflows/nuget_update.yaml b/.github/~workflows/nuget_update.yaml → .github/workflows/nuget_update.yaml
diff --git a/.github/~workflows/ossar-scan.yml → .github/workflows/ossar-scan.yml b/.github/~workflows/ossar-scan.yml → .github/workflows/ossar-scan.yml
diff --git a/.github/~workflows/reusable-build.yml → .github/workflows/reusable-build.yml b/.github/~workflows/reusable-build.yml → .github/workflows/reusable-build.yml
@@ -56,7 +56,7 @@ jobs:
     runs-on: windows-2022
     env:
       # Path to the solution file relative to the root of the project.
-      SOLUTION_FILE_PATH: ebpf-for-windows.sln
+      SOLUTION_FILE_PATH: ntosebpfext.sln
       BUILD_ARTIFACT_NAME: ${{inputs.build_artifact}}
       BUILD_CONFIGURATION: ${{matrix.configurations}}
       BUILD_PLATFORM: x64
@@ -145,74 +145,11 @@ jobs:
         path: packages
         key: ${{ runner.os }}-${{env.BUILD_PLATFORM}}-${{env.BUILD_CONFIGURATION}}-${{env.BUILD_ARTIFACT_NAME}}-${{ hashFiles('**/packages.config') }}-${{env.msvc_tools_version}}
 
-    - name: Cache verifier project
-      # The hash is based on the HEAD of the ebpf-verifier submodule, the Directory.Build.props file, and the build variant.
-      if: steps.skip_check.outputs.should_skip != 'true'
-      uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319
-      env:
-        cache-name: cache-verifier-project
-      with:
-        path: external/ebpf-verifier/build
-        key: ${{ runner.os }}-${{env.BUILD_PLATFORM}}-${{env.BUILD_CONFIGURATION}}-${{env.BUILD_ARTIFACT_NAME}}-${{ hashFiles('.git/modules/external/ebpf-verifier/HEAD') }}-${{ hashFiles('external/Directory.Build.props')}}-${{env.msvc_tools_version}}
-
-    - name: Configuring repo for first build
-      if: steps.skip_check.outputs.should_skip != 'true'
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      env:
-        CXXFLAGS: /ZH:SHA_256 ${{env.CXX_FLAGS}}
-        LDFLAGS: ${{env.LD_FLAGS}}
-      run: |
-        .\scripts\initialize_ebpf_repo.ps1
-
     - name: Build
       if: steps.skip_check.outputs.should_skip != 'true'
       working-directory: ${{env.GITHUB_WORKSPACE}}
       run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} ${{env.BUILD_OPTIONS}} ${{env.SOLUTION_FILE_PATH}}
 
-    - name: Check DLL dependencies for distributed binaries
-      if: steps.skip_check.outputs.should_skip != 'true' && ((inputs.build_artifact == 'Build-x64' && matrix.configurations == 'Debug') || (inputs.build_artifact == 'Build-x64-native-only' && matrix.configurations == 'NativeOnlyRelease'))
-      working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
-      run: |
-        ..\..\scripts\check_binary_dependencies.ps1 -BuildArtifact "${{inputs.build_artifact}}_${{env.BUILD_CONFIGURATION}}" -VsToolsPath "${{env.msvc_tools_path}}"
-
-    - name: Test the MSI
-      if: steps.skip_check.outputs.should_skip != 'true' && ((inputs.build_artifact == 'Build-x64' && matrix.configurations == 'Debug') || (inputs.build_artifact == 'Build-x64-native-only' && matrix.configurations == 'NativeOnlyRelease'))
-      working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
-      run: |
-        ..\..\scripts\check_msi_installation.ps1 -BuildArtifact "${{inputs.build_artifact}}_${{env.BUILD_CONFIGURATION}}" -MsiPath "ebpf-for-windows.msi"
-
-    - name: Copy LLVM libs for Fuzzing & Address Sanitizing
-      if: steps.skip_check.outputs.should_skip != 'true'
-      working-directory: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
-      shell: cmd
-      run: |
-        copy "${{env.msvc_tools_path}}\bin\Hostx64\x64\clang*" .
-
-    - name: Download demo Debug repository
-      if: steps.skip_check.outputs.should_skip != 'true' && (matrix.configurations == 'Debug' || matrix.configurations == 'NativeOnlyDebug')
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: Invoke-WebRequest https://github.com/microsoft/ebpf-for-windows-demo/releases/download/v0.0.2/${{env.BUILD_PLATFORM}}-Debug-cilium-xdp.zip -OutFile x64-${{env.BUILD_CONFIGURATION}}-cilium-xdp.zip
-
-    - name: Download demo Release repository
-      if: steps.skip_check.outputs.should_skip != 'true' && (matrix.configurations == 'Release' || matrix.configurations == 'NativeOnlyRelease')
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: Invoke-WebRequest https://github.com/microsoft/ebpf-for-windows-demo/releases/download/v0.0.2/${{env.BUILD_PLATFORM}}-Release-cilium-xdp.zip -OutFile x64-${{env.BUILD_CONFIGURATION}}-cilium-xdp.zip
-
-    # Download the bpf_performance repository artifacts.
-    - name: Download bpf_performance repository artifacts
-      if: steps.skip_check.outputs.should_skip != 'true'
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: |
-        cd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
-        Invoke-WebRequest https://github.com/microsoft/bpf_performance/releases/download/v0.0.6/build-Release-windows-2022.zip -OutFile bpf_performance.zip
-
-    - name: Extract artifacts to build path
-      if: steps.skip_check.outputs.should_skip != 'true' && matrix.configurations != 'FuzzerDebug'
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: |
-        cd ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}
-        tar -xf ..\..\x64-${{ matrix.configurations }}-cilium-xdp.zip
-
     - name: Zip Build Output
       if: always() && (steps.skip_check.outputs.should_skip != 'true')
       working-directory: ${{github.workspace}}
@@ -227,37 +164,6 @@ jobs:
         path: ${{github.workspace}}/build-${{ matrix.configurations }}.zip
         retention-days: 5
 
-    - name: Upload the MSI package
-      if: inputs.build_msi == true
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
-      with:
-        name: ebpf-for-windows - MSI installer (${{inputs.build_artifact}}_${{env.BUILD_CONFIGURATION}})
-        path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}/ebpf-for-windows.msi
-
-    - name: Build the NuGet package
-      if: inputs.build_nuget == true && matrix.configurations == 'Release' && steps.skip_check.outputs.should_skip != 'true'
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} ${{env.SOLUTION_FILE_PATH}} ${{env.BUILD_OPTIONS}} /t:tools\nuget
-
-    - name: Upload the NuGet package
-      if: inputs.build_nuget == true && matrix.configurations == 'Release' && steps.skip_check.outputs.should_skip != 'true'
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
-      with:
-        name: ebpf-for-windows - NuGet package (${{inputs.build_artifact}}_${{env.BUILD_CONFIGURATION}})
-        path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}/eBPF-for-Windows.*.nupkg
-
-    - name: Build the NuGet Redist package
-      if: inputs.build_nuget == true && matrix.configurations == 'Release' && steps.skip_check.outputs.should_skip != 'true'
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} ${{env.SOLUTION_FILE_PATH}} ${{env.BUILD_OPTIONS}} /t:tools\redist-package
-
-    - name: Upload the NuGet Redist package
-      if: inputs.build_nuget == true && matrix.configurations == 'Release' && steps.skip_check.outputs.should_skip != 'true'
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
-      with:
-        name: ebpf-for-windows - NuGet Redist package (${{inputs.build_artifact}}_${{env.BUILD_CONFIGURATION}})
-        path: ${{github.workspace}}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}/eBPF-for-Windows-Redist.*.nupkg
-
     - name: Check for crash dumps
       # Check for crash dumps even if the workflow failed.
       if: (success() || failure()) && (steps.skip_check.outputs.should_skip != 'true')