Feature/exec

.github/workflows/build.yaml

@@ -11,12 +11,15 @@ on:
         required: false
         type: string
         default: ""
-        description: "Branch/tag/commit of k8sstormcenter/storage to use (leave empty to keep go.mod default)"
+        description: "Storage image tag to resolve (maps to go/<tag> Git tag). Leave empty to auto-detect latest."
       PLATFORMS:
         type: boolean
         required: false
         default: false
         description: "Build for both amd64 and arm64"
+  push:
+    branches:
+      - test/localtestbuild
 
 jobs:
   build:
@@ -30,20 +33,75 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Resolve build parameters
+        id: params
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "image_tag=${{ inputs.IMAGE_TAG }}" >> "$GITHUB_OUTPUT"
+            STORAGE_REF="${{ inputs.STORAGE_REF }}"
+          else
+            # Push trigger: derive tag from short commit SHA
+            echo "image_tag=dev-${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+            STORAGE_REF=""
+          fi
+
+          # If no STORAGE_REF given, auto-detect the most recent go/ tag on storage
+          if [ -z "$STORAGE_REF" ]; then
+            echo "Auto-detecting latest storage go/ tag..."
+            STORAGE_REF=$(git ls-remote --tags "https://github.com/${REPO_OWNER}/storage.git" 'refs/tags/go/*' \
+              | awk '{print $2}' | sed 's|refs/tags/go/||' | sort -V | tail -1)
+            if [ -n "$STORAGE_REF" ]; then
+              echo "Auto-detected storage ref: ${STORAGE_REF}"
+            else
+              echo "No go/ tags found on storage — will use default go.mod dependency"
+            fi
+          fi
+          echo "storage_ref=${STORAGE_REF}" >> "$GITHUB_OUTPUT"
+
       - uses: actions/setup-go@v5
         with:
           go-version: "1.25"
 
+      - name: Resolve storage commit hash
+        if: ${{ steps.params.outputs.storage_ref != '' }}
+        id: resolve-storage
+        env:
+          STORAGE_REF: ${{ steps.params.outputs.storage_ref }}
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          # The storage build.yaml creates a git tag "go/<IMAGE_TAG>" specifically
+          # for Go module resolution. Try that first, then fall back to raw ref.
+          GO_TAG="go/${STORAGE_REF}"
+          echo "Looking up git tag '${GO_TAG}' on ${REPO_OWNER}/storage..."
+          COMMIT=$(git ls-remote "https://github.com/${REPO_OWNER}/storage.git" "refs/tags/${GO_TAG}" | awk '{print $1}')
+
+          if [ -z "$COMMIT" ]; then
+            echo "Tag '${GO_TAG}' not found, trying raw ref '${STORAGE_REF}'..."
+            COMMIT=$(git ls-remote "https://github.com/${REPO_OWNER}/storage.git" "refs/tags/${STORAGE_REF}" "refs/heads/${STORAGE_REF}" | head -1 | awk '{print $1}')
+          fi
+
+          if [ -z "$COMMIT" ]; then
+            echo "::error::Could not resolve '${STORAGE_REF}' to a commit. Make sure the storage build ran first (it creates the go/ tag)."
+            exit 1
+          fi
+
+          SHORT=$(echo "$COMMIT" | cut -c1-12)
+          echo "Resolved to commit ${COMMIT} (${SHORT})"
+          echo "commit=${COMMIT}" >> "$GITHUB_OUTPUT"
+
       - name: Update storage dependency
-        if: ${{ inputs.STORAGE_REF != '' }}
+        if: ${{ steps.params.outputs.storage_ref != '' }}
         env:
-          STORAGE_REF: ${{ inputs.STORAGE_REF }}
+          COMMIT: ${{ steps.resolve-storage.outputs.commit }}
+          REPO_OWNER: ${{ github.repository_owner }}
         run: |
-          echo "Replacing github.com/kubescape/storage with github.com/k8sstormcenter/storage@${STORAGE_REF}"
-          go mod edit -replace "github.com/kubescape/storage=github.com/k8sstormcenter/storage@${STORAGE_REF}"
-          GOPROXY=direct GONOSUMCHECK="github.com/k8sstormcenter/*" go mod tidy
+          echo "Replacing github.com/kubescape/storage with github.com/${REPO_OWNER}/storage@${COMMIT}"
+          go mod edit -replace "github.com/kubescape/storage=github.com/${REPO_OWNER}/storage@${COMMIT}"
+          GONOSUMDB=github.com/k8sstormcenter/*,github.com/matthyx/* GONOSUMCHECK=github.com/k8sstormcenter/*,github.com/matthyx/* go mod tidy
           echo "Resolved storage version:"
-          grep "k8sstormcenter/storage" go.sum | head -1
+          grep "${REPO_OWNER}/storage" go.sum | head -1
 
       - name: Ensure ig is installed
         run: |
@@ -54,7 +112,7 @@ jobs:
         run: make gadgets
 
       - name: Set up QEMU
-        if: ${{ inputs.PLATFORMS }}
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.PLATFORMS }}
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
@@ -72,7 +130,7 @@ jobs:
         with:
           context: .
           file: build/Dockerfile
-          tags: ghcr.io/${{ github.repository_owner }}/node-agent:${{ inputs.IMAGE_TAG }}
-          build-args: image_version=${{ inputs.IMAGE_TAG }}
-          platforms: ${{ inputs.PLATFORMS && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+          tags: ghcr.io/${{ github.repository_owner }}/node-agent:${{ steps.params.outputs.image_tag }}
+          build-args: image_version=${{ steps.params.outputs.image_tag }}
+          platforms: ${{ (github.event_name == 'workflow_dispatch' && inputs.PLATFORMS) && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
           push: true

Makefile

@@ -20,6 +20,23 @@ docker-build: gadgets
 docker-push: docker-build
 	docker push $(IMAGE):$(TAG)
 
+STORAGE_LOCAL_PATH ?= ../storage
+
+.PHONY: local
+local:
+	go mod edit -replace "github.com/kubescape/storage=$(STORAGE_LOCAL_PATH)"
+	GONOSUMDB=github.com/matthyx/* GONOSUMCHECK=github.com/matthyx/* go mod tidy
+
+.PHONY: unlocal
+unlocal:
+	go mod edit -dropreplace "github.com/kubescape/storage"
+	GONOSUMDB=github.com/matthyx/* GONOSUMCHECK=github.com/matthyx/* GOFLAGS=-mod=mod go mod tidy
+
+.PHONY: test
+test: local
+	go test ./pkg/rulemanager/cel/libraries/applicationprofile/... -v -count=1
+	@$(MAKE) unlocal
+
 gadgets:
 	$(foreach img,$(KUBESCAPE_GADGETS),$(MAKE) -C ./pkg/ebpf/gadgets/$(img) build IMAGE=$(img) TAG=latest;)
 	$(foreach img,$(GADGETS),sudo ig image pull ghcr.io/inspektor-gadget/gadget/$(img):$(VERSION);)