MultiMx · github-actions · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026 · Jan 7, 2026
diff --git a/.github/actions/go-cache/action.sh b/.github/actions/go-cache/action.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+# This script sets up cigocacher, but should never fail the build if unsuccessful.
+# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
+# private Azure network that is configured at the runner group level in GitHub.
+#
+# Usage: ./action.sh
+# Inputs:
+#   URL: The cigocached server URL.
+#   HOST: The cigocached server host to dial.
+# Outputs:
+#   success: Whether cigocacher was set up successfully.
+
+set -euo pipefail
+
+if [ -z "${GITHUB_ACTIONS:-}" ]; then
+    echo "This script is intended to run within GitHub Actions"
+    exit 1
+fi
+
+if [ -z "${URL:-}" ]; then
+    echo "No cigocached URL is set, skipping cigocacher setup"
+    exit 0
+fi
+
+BIN_PATH="$(PATH="$PATH:$HOME/bin" command -v cigocacher || true)"
+if [ -z "${BIN_PATH}" ]; then
+  echo "cigocacher not found in PATH, attempting to build or fetch it"
+
+  GOPATH=$(command -v go || true)
+  if [ -z "${GOPATH}" ]; then
+    if [ ! -f "tool/go" ]; then
+      echo "Go not available, unable to proceed"
+      exit 1
+    fi
+    GOPATH="./tool/go"
+  fi
+
+  BIN_PATH="${RUNNER_TEMP:-/tmp}/cigocacher$(${GOPATH} env GOEXE)"
+  if [ -d "cmd/cigocacher" ]; then
+    echo "cmd/cigocacher found locally, building from local source"
+    "${GOPATH}" build -o "${BIN_PATH}" ./cmd/cigocacher
+  else
+    echo "cmd/cigocacher not found locally, fetching from tailscale.com/cmd/cigocacher"
+    "${GOPATH}" build -o "${BIN_PATH}" tailscale.com/cmd/cigocacher
+  fi
+fi
+
+CIGOCACHER_TOKEN="$("${BIN_PATH}" --auth --cigocached-url "${URL}" --cigocached-host "${HOST}" )"
+if [ -z "${CIGOCACHER_TOKEN:-}" ]; then
+    echo "Failed to fetch cigocacher token, skipping cigocacher setup"
+    exit 0
+fi
+
+echo "Fetched cigocacher token successfully"
+echo "::add-mask::${CIGOCACHER_TOKEN}"
+
+echo "GOCACHEPROG=${BIN_PATH} --cache-dir ${CACHE_DIR} --cigocached-url ${URL} --cigocached-host ${HOST} --token ${CIGOCACHER_TOKEN}" >> "${GITHUB_ENV}"
+echo "success=true" >> "${GITHUB_OUTPUT}"
diff --git a/.github/actions/go-cache/action.yml b/.github/actions/go-cache/action.yml
@@ -0,0 +1,35 @@
+name: go-cache
+description: Set up build to use cigocacher
+
+inputs:
+  cigocached-url:
+    description: URL of the cigocached server
+    required: true
+  cigocached-host:
+    description: Host to dial for the cigocached server
+    required: true
+  checkout-path:
+    description: Path to cloned repository
+    required: true
+  cache-dir:
+    description: Directory to use for caching
+    required: true
+
+outputs:
+  success:
+    description: Whether cigocacher was set up successfully
+    value: ${{ steps.setup.outputs.success }}
+
+runs:
+  using: composite
+  steps:
+    - name: Setup cigocacher
+      id: setup
+      shell: bash
+      env:
+        URL: ${{ inputs.cigocached-url }}
+        HOST: ${{ inputs.cigocached-host }}
+        CACHE_DIR: ${{ inputs.cache-dir }}
+      working-directory: ${{ inputs.checkout-path }}
+      # https://github.com/orgs/community/discussions/25910
+      run: $GITHUB_ACTION_PATH/action.sh
diff --git a/.github/workflows/checklocks.yml b/.github/workflows/checklocks.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Build checklocks
         run: ./tool/go build -o /tmp/checklocks gvisor.dev/gvisor/tools/checklocks/cmd/checklocks

diff --git a/.github/workflows/cigocacher.yml b/.github/workflows/cigocacher.yml
@@ -0,0 +1,73 @@
+name: Build cigocacher
+
+on:
+  # Released on-demand. The commit will be used as part of the tag, so generally
+  # prefer to release from main where the commit is stable in linear history.
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        GOOS: ["linux", "darwin", "windows"]
+        GOARCH: ["amd64", "arm64"]
+    runs-on: ubuntu-24.04
+    env:
+      GOOS: "${{ matrix.GOOS }}"
+      GOARCH: "${{ matrix.GOARCH }}"
+      CGO_ENABLED: "0"
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Build
+      run: |
+        OUT="cigocacher$(./tool/go env GOEXE)"
+        ./tool/go build -o "${OUT}" ./cmd/cigocacher/
+        tar -zcf cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz "${OUT}"
+
+    - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}
+        path: cigocacher-${{ matrix.GOOS }}-${{ matrix.GOARCH }}.tar.gz
+
+  release:
+    runs-on: ubuntu-24.04
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        with:
+          pattern: 'cigocacher-*'
+          merge-multiple: true
+      # This step is a simplified version of actions/create-release and
+      # actions/upload-release-asset, which are archived and unmaintained.
+      - name: Create release
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+
+            const { data: release } = await github.rest.repos.createRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag_name: `cmd/cigocacher/${{ github.sha }}`,
+              name: `cigocacher-${{ github.sha }}`,
+              draft: false,
+              prerelease: true,
+              target_commitish: `${{ github.sha }}`
+            });
+
+            const files = fs.readdirSync('.').filter(f => f.endsWith('.tar.gz'));
+
+            for (const file of files) {
+              await github.rest.repos.uploadReleaseAsset({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                release_id: release.id,
+                name: file,
+                data: fs.readFileSync(file)
+              });
+              console.log(`Uploaded ${file}`);
+            }
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -45,17 +45,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     # Install a more recent Go that understands modern go.mod content.
     - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,7 +66,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -80,4 +80,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
diff --git a/.github/workflows/docker-base.yml b/.github/workflows/docker-base.yml
@@ -0,0 +1,29 @@
+name: "Validate Docker base image"
+on: 
+  workflow_dispatch:
+  pull_request:
+    paths:
+    - "Dockerfile.base"
+    - ".github/workflows/docker-base.yml"
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: "build and test"
+      run: |
+        set -e
+        IMG="test-base:$(head -c 8 /dev/urandom | xxd -p)"
+        docker build -t "$IMG" -f Dockerfile.base .
+
+        iptables_version=$(docker run --rm "$IMG" iptables --version)
+        if [[ "$iptables_version" != *"(legacy)"* ]]; then
+            echo "ERROR: Docker base image should contain legacy iptables; found ${iptables_version}"
+            exit 1
+        fi
+
+        ip6tables_version=$(docker run --rm "$IMG" ip6tables --version)
+        if [[ "$ip6tables_version" != *"(legacy)"* ]]; then
+            echo "ERROR: Docker base image should contain legacy ip6tables; found ${ip6tables_version}"
+            exit 1
+        fi
diff --git a/.github/workflows/docker-file-build.yml b/.github/workflows/docker-file-build.yml
@@ -4,12 +4,10 @@ on:
     branches:
     - main
   pull_request:
-    branches:
-      - "*"
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: "Build Docker image"
       run: docker build .
diff --git a/.github/workflows/flakehub-publish-tagged.yml b/.github/workflows/flakehub-publish-tagged.yml
@@ -17,11 +17,11 @@ jobs:
       id-token: "write"
       contents: "read"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
-      - uses: "DeterminateSystems/nix-installer-action@main"
-      - uses: "DeterminateSystems/flakehub-push@main"
+      - uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+      - uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 # v6
         with:
           visibility: "public"
           tag: "${{ inputs.tag }}"
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -2,7 +2,11 @@ name: golangci-lint
 on:
   # For now, only lint pull requests, not the main branches.
   pull_request:
-
+    paths:
+      - ".github/workflows/golangci-lint.yml"
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
   # TODO(andrew): enable for main branch after an initial waiting period.
   #push:
   #  branches:
@@ -23,17 +27,21 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: go.mod
-          cache: false
+          cache: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+        uses: golangci/golangci-lint-action@b7bcab6379029e905e3f389a6bf301f1bc220662 # head as of 2026-03-04
         with:
-          version: v2.0.2
+          version: v2.10.1
 
           # Show only new issues if it's a pull request.
           only-new-issues: true
+
+          # Loading packages with a cold cache takes a while:
+          args: --timeout=10m
+
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install govulncheck
         run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -24,7 +24,7 @@ jobs:
 
       - name: Post to slack
         if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
         with:
           method: chat.postMessage
           token: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}

diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml
@@ -10,8 +10,6 @@ on:
       - scripts/installer.sh
       - .github/workflows/installer.yml
   pull_request:
-    branches:
-      - "*"
     paths:
       - scripts/installer.sh
       - .github/workflows/installer.yml
@@ -60,6 +58,14 @@ jobs:
           # Check a few images with wget rather than curl.
           - { image: "debian:oldstable-slim", deps: "wget" }
           - { image: "debian:sid-slim", deps: "wget" }
+          - { image: "debian:stable-slim", deps: "curl" }
+          - { image: "ubuntu:24.04", deps: "curl" }
+          - { image: "fedora:latest", deps: "curl" }
+          # Test TAILSCALE_VERSION pinning on a subset of distros.
+          # Skip Alpine as community repos don't reliably keep old versions.
+          - { image: "debian:stable-slim", deps: "curl", version: "1.80.0" }
+          - { image: "ubuntu:24.04", deps: "curl", version: "1.80.0" }
+          - { image: "fedora:latest", deps: "curl", version: "1.80.0" }
     runs-on: ubuntu-latest
     container:
       image: ${{ matrix.image }}
@@ -93,22 +99,28 @@ jobs:
         contains(matrix.image, 'parrotsec') ||
         contains(matrix.image, 'kalilinux')
     - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: run installer
       run: scripts/installer.sh
+      env:
+        TAILSCALE_VERSION: ${{ matrix.version }}
       # Package installation can fail in docker because systemd is not running
       # as PID 1, so ignore errors at this step. The real check is the
       # `tailscale --version` command below.
       continue-on-error: true
     - name: check tailscale version
-      run: tailscale --version
+      run: |
+        tailscale --version
+        if [ -n "${{ matrix.version }}" ]; then
+          tailscale --version | grep -q "^${{ matrix.version }}" || { echo "Version mismatch!"; exit 1; }
+        fi
   notify-slack:
     needs: test
     runs-on: ubuntu-latest
     steps:
       - name: Notify Slack of failure on scheduled runs
         if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: incoming-webhook

diff --git a/.github/workflows/kubemanifests.yaml b/.github/workflows/kubemanifests.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: [ ubuntu-latest ]
     steps:
     - name: Check out code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Build and lint Helm chart
       run: |
         eval `./tool/go run ./cmd/mkversion`