Add seccomp codegen check to CI

austinvazquez · austinvazquez · commit 65052cfef733 · 2025-07-28T16:27:57.000-07:00
Signed-off-by: Austin Vazquez &lt;austin.vazquez@docker.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -101,3 +101,19 @@ jobs:
       run: |
         echo "One or more lint checks failed"
         exit 1
+
+  check-codegen:
+    name: Check seccomp code generation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Validate seccomp code generation
+        run: make validate-codegen
+ 
diff --git a/Makefile b/Makefile
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Makefile for building and testing Moby profiles packages
+PROJECT_ROOT ?= $(shell pwd)
+SCRIPTDIR ?= $(PROJECT_ROOT)/script
 PACKAGES ?= apparmor seccomp
 CROSSBUILDS ?= linux/arm linux/arm64 linux/amd64 linux/ppc64le linux/s390x
 
@@ -32,9 +34,15 @@ crossbuild:
 test: CMD=go test -v ./...
 test: foreach
 
+.PHONY: validate-codegen
+validate-codegen:
+	@echo "Validating code generation..."
+	bash $(SCRIPTDIR)/validate/default-seccomp
+
 .PHONY: help
 help:
 	@echo "Available targets:"
-	@echo "  crossbuild     - Cross build all modules"
-	@echo "  test           - Run tests for all modules"
-	@echo "  help           - Display this help message"
+	@echo "  crossbuild       - Cross build all modules"
+	@echo "  test             - Run tests for all modules"
+	@echo "  validate-codegen - Validate code generation for seccomp"
+	@echo "  help             - Display this help message"
diff --git a/script/validate/default-seccomp b/script/validate/default-seccomp
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Copyright The Moby Authors.
+# SPDX-License-Identifier: Apache-2.0
+
+# This script validates that the seccomp profile generation is done correctly.
+
+# We run 'go generate' and see if we have a diff afterwards
+go generate ./seccomp/ > /dev/null
+# Let see if the working directory is clean
+diffs="$(git status --porcelain -- seccomp 2> /dev/null)"
+if [ "$diffs" ]; then
+	{
+		echo 'The result of go generate ./seccomp/ differs'
+		echo
+		echo "$diffs"
+		echo
+		echo 'Please re-run go generate ./seccomp/'
+		echo
+	} >&2
+	false
+else
+	echo 'Congratulations!  Seccomp profile generation is done correctly.'
+fi
