feat(BA-4382): Add GitHub Action to periodically update the default seccomp profile #8791
Conversation
Pull request overview
This pull request adds a GitHub Action workflow to automatically update the default seccomp profile used by Backend.AI's runner component. The workflow is scheduled to run monthly and can also be triggered manually. It downloads the latest seccomp profile from the upstream moby/profiles repository, detects changes, and creates a pull request if updates are needed.
Changes:
- Created a new GitHub Actions workflow that runs monthly to check for and apply updates to the default seccomp profile
- Updated the seccomp update script to use the new upstream repository URL (moby/profiles instead of moby/moby) and improved curl error handling
- Workflow automatically creates PRs when profile updates are detected
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/update-seccomp-profile.yml | New workflow for automated monthly seccomp profile updates with manual trigger support |
| scripts/update-default-seccomp.sh | Updated to use moby/profiles repository and added better curl error handling with -fSs flags |
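The workflow described above detects changes as a whole-file diff. As an added example (not code from this PR or from Backend.AI), the following compares two profiles in the moby/profiles default.json format at syscall granularity and refuses anything that is not structurally a seccomp profile, so a bad download cannot surface as a "changed" profile; the two profiles are constructed, cut-down samples, not the real default.json.

```python
import json

# Constructed samples in the moby/profiles default.json format (not the real file).
OLD_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["read", "write", "clone3"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}},
]})
NEW_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
    {"names": ["read", "write", "process_mrelease"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW"},
]})

def load_profile(text: str) -> dict:
    """Parse and reject anything that is not structurally a seccomp profile, so an
    empty body or an HTML error page never becomes a "changed" profile."""
    profile = json.loads(text)
    if not isinstance(profile, dict) or not str(profile.get("defaultAction", "")).startswith("SCMP_ACT_"):
        raise ValueError("missing or invalid defaultAction")
    syscalls = profile.get("syscalls")
    if not isinstance(syscalls, list) or not syscalls:
        raise ValueError("profile has no syscall rules")
    for rule in syscalls:
        if (not isinstance(rule, dict) or not isinstance(rule.get("names"), list) or not rule["names"]
                or not str(rule.get("action", "")).startswith("SCMP_ACT_")):
            raise ValueError(f"malformed rule: {rule!r}")
    return profile

def rules_by_syscall(profile: dict) -> dict:
    """Map each syscall name to its actions; a rule with args/includes/excludes is
    tagged so 'ptrace only with CAP_SYS_PTRACE' differs from plain 'ptrace allowed'."""
    out: dict = {}
    for rule in profile["syscalls"]:
        tag = rule["action"]
        if any(k in rule for k in ("args", "includes", "excludes")):
            tag += " (conditional)"
        for name in rule["names"]:
            out.setdefault(name, set()).add(tag)
    return out

def diff_profiles(old_text: str, new_text: str) -> dict:
    """Report what an update would change, at syscall granularity, for PR review."""
    old, new = load_profile(old_text), load_profile(new_text)
    old_rules, new_rules = rules_by_syscall(old), rules_by_syscall(new)
    return {
        "default_action": (old["defaultAction"], new["defaultAction"]),
        "added": sorted(new_rules.keys() - old_rules.keys()),
        "removed": sorted(old_rules.keys() - new_rules.keys()),
        "changed": sorted(n for n in old_rules.keys() & new_rules.keys() if old_rules[n] != new_rules[n]),
    }
```

Running `diff_profiles(OLD_PROFILE, NEW_PROFILE)` on the samples reports `clone3` removed, `process_mrelease` added and `ptrace` changed from conditional to unconditional, which is the information a reviewer of the automated PR actually needs.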
| uses: peter-evans/create-pull-request@v7 | ||
| with: | ||
| token: ${{ secrets.OCTODOG }} | ||
| commit-message: "chore: update default seccomp profile from upstream moby/moby" | ||
| branch: chore/update-seccomp-profile | ||
| title: "chore: update default seccomp profile from upstream moby/moby" | ||
| body: | | ||
| ## Summary | ||
| - Update `src/ai/backend/runner/default-seccomp.json` to the latest version from [moby/profiles](https://github.com/moby/profiles/blob/main/seccomp/default.json). | ||
|
|
||
| This PR was automatically created by the `update-seccomp-profile` workflow. | ||
| labels: auto-update |
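Review bot: `uses: peter-evans/create-pull-request@v7` pins only a mutable major tag, and this is the step that receives `secrets.OCTODOG`; pin the action to a full commit SHA (keeping the version as a trailing comment) so that a retagged release upstream cannot change the code that handles the token, and keep that PAT scoped to this repository and to what pushing the branch and opening the PR requires.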
Copilot (AI), Feb 13, 2026
The workflow is missing the author field in the peter-evans/create-pull-request action. Following the convention established in other automated workflows (import-all-smi.yml and import-bssh.yml), this should be set to "Lablup Octodog [email protected]" to properly attribute automated PRs to the bot account.
| - Update `src/ai/backend/runner/default-seccomp.json` to the latest version from [moby/profiles](https://github.com/moby/profiles/blob/main/seccomp/default.json). | ||
|
|
||
| This PR was automatically created by the `update-seccomp-profile` workflow. | ||
| labels: auto-update |
Copilot (AI), Feb 13, 2026
The workflow is missing the delete-branch: true parameter in the peter-evans/create-pull-request action. Following the convention in other automated workflows (import-all-smi.yml and import-bssh.yml), this parameter should be set to true to automatically clean up the branch after the PR is merged, preventing branch clutter from repeated automated runs.
| labels: auto-update | |
| labels: auto-update | |
| delete-branch: true |
| else | ||
| echo "changed=true" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
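Review bot: the `else` branch emits `changed=true` on nothing more than the downloaded file differing from the checked-in one, so any response that passed `curl -fSs` but is not a seccomp profile (a redirect landing page, a truncated body) would be proposed as the new `default-seccomp.json`. Validate the download before this branch, for example `jq -e '.defaultAction and .syscalls' <downloaded file> >/dev/null || exit 1`, and fail the step instead of setting `changed` so the create-pull-request step does not run.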
Copilot (AI), Feb 13, 2026
The workflow is missing a news fragment creation step. Following the convention in other automated workflows (import-all-smi.yml and import-bssh.yml), a news fragment should be created in the changes/ directory (e.g., changes/.deps.md) before creating the PR. This ensures the seccomp profile update is properly tracked in release notes generated by towncrier.
| - name: Create news fragment | |
| if: steps.diff.outputs.changed == 'true' | |
| run: | | |
| mkdir -p changes | |
| cat > changes/.deps.md << 'EOF' | |
| - Update `src/ai/backend/runner/default-seccomp.json` to the latest default seccomp profile from upstream [moby/profiles](https://github.com/moby/profiles/blob/main/seccomp/default.json). | |
| EOF |
| commit-message: "chore: update default seccomp profile from upstream moby/moby" | ||
| branch: chore/update-seccomp-profile | ||
| title: "chore: update default seccomp profile from upstream moby/moby" |
Copilot (AI), Feb 13, 2026
There's a discrepancy between the commit message/PR title and the PR body. The commit message refers to "moby/moby" as the source, but the PR body correctly references "moby/profiles". The commit message and title should be updated to reference "moby/profiles" to match both the actual source URL in the script (line 4 of update-default-seccomp.sh) and the body text.
| with: | ||
| token: ${{ secrets.OCTODOG }} | ||
| commit-message: "chore: update default seccomp profile from upstream moby/moby" | ||
| branch: chore/update-seccomp-profile |
Copilot (AI), Feb 13, 2026
The branch name chore/update-seccomp-profile is static and will be reused across multiple workflow runs. If a previous PR from this workflow hasn't been merged yet and the workflow runs again (e.g., manually triggered), it could cause conflicts or unexpected behavior. Consider adding a timestamp or unique identifier to the branch name, such as chore/update-seccomp-profile-${{ github.run_number }} to avoid collisions between multiple workflow runs.
| branch: chore/update-seccomp-profile | |
| branch: chore/update-seccomp-profile-${{ github.run_number }} |
resolves #8788 (BA-4382)