From 89e297c8e1d9e30bd7c09aa98b1b1f434bdac8af Mon Sep 17 00:00:00 2001 From: Francois Allard Date: Tue, 24 Mar 2026 12:37:31 +0100 Subject: [PATCH 1/5] feat: add support for arm --- .github/workflows/ci.yml | 38 ++++++++++++++++++++++++++++---------- Dockerfile | 2 +- 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e7c652..d12a640 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,6 +17,9 @@ jobs: build-and-test: runs-on: ubuntu-24.04 timeout-minutes: 10 + strategy: + matrix: + arch: [amd64, arm64] steps: - name: Enable egress filtering uses: bullfrogsec/bullfrog@78a54a1a4c3d3325fe01846f60b630b6ee7bcf06 # v0.9.3 @@ -38,7 +41,13 @@ jobs: run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev - name: Build - run: make build + run: docker build --tag agent-builder --build-arg BUILDOS=linux --build-arg BUILDARCH=${{ matrix.arch }} . + + - name: Extract binary + run: | + docker rm --force agent || true + docker run --name agent agent-builder + docker cp agent:/agent/agent . - name: Test (CI) run: make test.ci @@ -46,7 +55,7 @@ jobs: - name: Upload agent binary uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: - name: agent + name: agent-${{ matrix.arch }} path: agent retention-days: 1 
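Review bot: The new `Extract binary` step uses `docker run --name agent agent-builder`, which starts the image's default command only so that `docker cp` has a container to read from. `docker create --name agent agent-builder` yields the same container without executing anything from the freshly built image on the runner. The same commands are carried into the `Build` step in patch 3/5, so the change applies there too.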
@@ -76,20 +85,29 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Download agent binary + - name: Download amd64 binary + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + name: agent-amd64 + path: agent-amd64 + + - name: Download arm64 binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent + name: agent-arm64 + path: agent-arm64 - name: Create Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - tar -czf agent.tar.gz agent + tar -czf agent-amd64.tar.gz -C agent-amd64 agent + tar -czf agent-arm64.tar.gz -C agent-arm64 agent gh release create ${{ github.ref_name }} \ --title "${{ github.ref_name }}" \ --notes "See [CHANGELOG.md](https://github.com/bullfrogsec/agent/blob/main/CHANGELOG.md)" \ - agent.tar.gz + agent-amd64.tar.gz \ + agent-arm64.tar.gz test-integration-audit: runs-on: ubuntu-24.04 @@ -102,7 +120,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent + name: agent-amd64 - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables @@ -124,7 +142,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent + name: agent-amd64 - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables @@ -146,7 +164,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent + name: agent-amd64 - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables 
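Review bot: The `Create Release` script that this hunk extends still expands `${{ github.ref_name }}` straight into the shell text, once unquoted as the `gh release create` argument and once inside the `--title` string, so a ref name containing shell metacharacters would be interpreted by the shell in a step that holds `GITHUB_TOKEN`. Pass the value through the environment instead: add `TAG: ${{ github.ref_name }}` under `env:` and call `gh release create "$TAG" --title "$TAG"`. The `Checkout` step in the same hunk uses `actions/checkout@v4`, while the integration jobs elsewhere in this series pin the action to a commit SHA; pinning it here would match. How release refs are created is not visible in this diff, so the practical exposure depends on who can push them.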
@@ -168,7 +186,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent + name: agent-amd64 - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables diff --git a/Dockerfile b/Dockerfile index 4e0b477..09a5108 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.11-bookworm@sha256:fc58bb98c4b7ebc8211c94df9dee40489e48363c69071bceca91aa59023b0dee +FROM golang:1.24.11-bookworm ARG BUILDOS ARG BUILDARCH From ef1cf9e34502de4c84db1e30533f4896bbff6d3d Mon Sep 17 00:00:00 2001 From: Francois Allard Date: Tue, 24 Mar 2026 12:45:53 +0100 Subject: [PATCH 2/5] bump to golang 1.24.13 --- Dockerfile | 2 +- go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 09a5108..58228ba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.11-bookworm +FROM golang:1.24.13-bookworm ARG BUILDOS ARG BUILDARCH diff --git a/go.mod b/go.mod index 08fd847..adb698e 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/bullfrogsec/agent go 1.24.0 -toolchain go1.24.11 +toolchain go1.24.13 require github.com/AkihiroSuda/go-netfilter-queue v0.0.0-20230310003200-24cd054ca0f8 From 0a0029810b8d9b504e0c551ba9b9561926aedfc3 Mon Sep 17 00:00:00 2001 From: Francois Allard Date: Tue, 24 Mar 2026 12:51:28 +0100 Subject: [PATCH 3/5] ci: use arm runner --- .github/workflows/ci.yml | 12 +++++++----- Dockerfile | 6 +----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d12a640..735c40d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
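Review bot: The new `FROM golang:1.24.11-bookworm` in the Dockerfile hunk of patch 1/5 drops the `@sha256:` digest, so the image that compiles the released agent is resolved from a mutable tag on every run. The bump to `1.24.13-bookworm` in patch 2/5 and the Dockerfile in patch 3/5 keep it unpinned. If the old digest was removed because it named a single-platform image (not confirmable from the diff), pinning the tag's multi-arch index digest would keep both runners working: `FROM golang:1.24.13-bookworm@sha256:<index digest for this tag>`. The `-trimpath -ldflags=-buildid=` flags on the build line suggest reproducible output is intended, which an unpinned base image works against.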
@@ -15,11 +15,15 @@ permissions: jobs: build-and-test: - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.runner }} timeout-minutes: 10 strategy: matrix: - arch: [amd64, arm64] + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm steps: - name: Enable egress filtering uses: bullfrogsec/bullfrog@78a54a1a4c3d3325fe01846f60b630b6ee7bcf06 # v0.9.3 @@ -41,10 +45,8 @@ jobs: run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev - name: Build - run: docker build --tag agent-builder --build-arg BUILDOS=linux --build-arg BUILDARCH=${{ matrix.arch }} . - - - name: Extract binary run: | + docker build --tag agent-builder . docker rm --force agent || true docker run --name agent agent-builder docker cp agent:/agent/agent . diff --git a/Dockerfile b/Dockerfile index 58228ba..490ffa3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,5 @@ FROM golang:1.24.13-bookworm -ARG BUILDOS -ARG BUILDARCH -ARG BUILDNAME - WORKDIR /agent RUN apt-get update @@ -11,4 +7,4 @@ RUN apt-get install --yes libnetfilter-queue-dev COPY . ./ -RUN env GOOS=$BUILDOS GOARCH=$BUILDARCH go build -trimpath -ldflags=-buildid= -o agent ./cmd/agent +RUN go build -trimpath -ldflags=-buildid= -o agent ./cmd/agent From 9076473b9e4a2d418a6ed603a82651795dd85fe9 Mon Sep 17 00:00:00 2001 From: Francois Allard Date: Tue, 24 Mar 2026 12:53:13 +0100 Subject: [PATCH 4/5] skip bullfrog for arm until we support it --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 735c40d..3b8624e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,7 @@ jobs: runner: ubuntu-24.04-arm steps: - name: Enable egress filtering + if: matrix.arch == 'amd64' uses: bullfrogsec/bullfrog@78a54a1a4c3d3325fe01846f60b630b6ee7bcf06 # v0.9.3 with: egress-policy: block From ceb6cd25d1d2f3d044e0f17792e1bcf35b3f0170 Mon Sep 17 00:00:00 2001 
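Review bot: With `if: matrix.arch == 'amd64'` in patch 4/5, the arm64 leg of `build-and-test` runs its `docker build`, tests and artifact upload with no egress policy, while the release job from patch 1/5 publishes that leg's output as `agent-arm64.tar.gz`. Record the gap next to the condition, e.g. `# arm64 builds run without egress filtering until bullfrog supports arm runners; remove this condition then`. Consider keeping the arm64 archive out of the release, or labelling it as built without filtering, until the step can run there. The rest of the step's `with:` block lies outside the hunk.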
From: Francois Allard Date: Tue, 24 Mar 2026 13:01:13 +0100 Subject: [PATCH 5/5] run tests on arm64 --- .github/workflows/ci.yml | 44 ++++++++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b8624e..21ffa7b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -113,9 +113,16 @@ jobs: agent-arm64.tar.gz test-integration-audit: - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.runner }} needs: build-and-test timeout-minutes: 5 + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -123,7 +130,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent-amd64 + name: agent-${{ matrix.arch }} - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables @@ -135,9 +142,16 @@ jobs: run: make test.integration.audit test-integration-block: - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.runner }} needs: build-and-test timeout-minutes: 5 + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -145,7 +159,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent-amd64 + name: agent-${{ matrix.arch }} - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables 
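Review bot: The two-entry `include` list (arch plus runner) is now repeated in `build-and-test` and in each integration job: `test-integration-audit` and `test-integration-block` here, and `test-integration-block-dns-any` and `test-integration-docker-block` in the hunks that follow. Adding or renaming a runner therefore means editing five copies that can drift apart. At minimum, mark each copy with `# keep in sync with build-and-test.strategy.matrix`. If the steps between these hunks are the same in all four jobs (not visible here), moving them into one reusable workflow that takes the make target as an input would carry the list once.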
@@ -157,9 +171,16 @@ jobs: run: make test.integration.block test-integration-block-dns-any: - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.runner }} needs: build-and-test timeout-minutes: 5 + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -167,7 +188,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent-amd64 + name: agent-${{ matrix.arch }} - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables @@ -179,9 +200,16 @@ jobs: run: make test.integration.block-dns-any test-integration-docker-block: - runs-on: ubuntu-24.04 + runs-on: ${{ matrix.runner }} needs: build-and-test timeout-minutes: 5 + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -189,7 +217,7 @@ jobs: - name: Download agent binary uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: - name: agent-amd64 + name: agent-${{ matrix.arch }} - name: Install dependencies run: sudo apt-get update && sudo apt-get install -y libnetfilter-queue-dev nftables