ci: check generated seccomp files match

intrigus-lgtm · intrigus-lgtm · commit d9693c1be36d · 2025-11-03T15:54:55.000+01:00
Check that the *.seccomppolicy and *_seccomp.h files match.
diff --git a/.github/workflows/check_seccomp.yml b/.github/workflows/check_seccomp.yml
@@ -0,0 +1,33 @@
+name: Check Generated Seccomp Files
+on:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  check-seccomp:
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+
+    steps:
+      - name: Checkout current commit
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python environment
+        run: |
+          python -m venv venv && venv/bin/pip install edn_format
+
+      - name: Check generated seccomp files
+        run: |
+          set -e
+          source venv/bin/activate
+          make seccomp-policies
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Generated seccomp files are out of date. Please run 'make seccomp-policies' and commit the changes."
+            git --no-pager diff
+            exit 1
+          else
+            echo "All generated seccomp files are up to date."
+          fi
