with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
        with:

        language: ['java']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is

        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.11.6
        with:

name: "Code scanning - action"

on:
  push:
    branches: [ main, master, release ]
  schedule:
    - cron: '0 5 * * *'

permissions:
  contents: read

jobs:
  CodeQL-Build:

    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/analyze to upload SARIF results

        language: ['java']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is

        language: ['java']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        # We must fetch at least the immediate parents so that if this is

        run: |
          sudo sysctl net.ipv6.conf.all.disable_ipv6=0
          sudo sysctl net.ipv6.conf.default.disable_ipv6=0
          make verify-healing
          make verify-healing-inconsistent-versions
          make verify-healing-with-root-disks

to apply to all top level resources annotations: {} # Additional volumeMounts to the ztunnel container volumeMounts: [] # Additional volumes to the ztunnel pod volumes: [] # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). podAnnotations: prometheus.io/port: "15020" prometheus.io/scrape: "true" # Additional labels to apply on the pod level podLabels: {} # Pod resource configuration resources: requests: cpu: 500m memory: 2048Mi # List...

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build:
    name: Go ${{ matrix.go-version }} on ${{ matrix.os }} - healing
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        go-version: [1.21.x]
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:

      excludeInboundPorts: ""
      includeInboundPorts: "*"
      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
      # be allowed by the sidecar