update workflows

Signed-off-by: Frank Jogeleit <[email protected]>
kyverno · Oct 6, 2024 · 893ff42 · 893ff42
1 parent 7660947
commit 893ff42
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 32 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -20,26 +20,56 @@ jobs:
   coverage:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
 
-      - name: Get dependencies
-        run: go get -v -t -d ./...
+      - name: Check go.mod
+        run: |
+          set -e
+          go mod tidy && git diff --exit-code
+
+      - name: Check code format
+        run: |
+          set -e
+          make fmt
+          git diff --exit-code
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
 
       - name: Calc coverage
         run: make coverage
 
       - name: Convert coverage to lcov
-        uses: jandelgado/[email protected]
+        uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 #v1.0.9
 
       - name: Coveralls
-        uses: coverallsapp/github-action@v2.0.0
+        uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
         with:
           github-token: ${{ secrets.github_token }}
-          file: coverage.lcov
+          file: coverage.lcov
+
+  check-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@master
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Setup node env
-        uses: actions/setup-node@v2.1.2
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
         with:
           node-version: 16
 
@@ -32,9 +32,8 @@ jobs:
           cp index.yaml ./dist/index.yaml
           cp artifacthub-repo.yml ./dist/artifacthub-repo.yml
 
-
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e #v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./dist

diff --git a/.github/workflows/helm-chart.yaml b/.github/workflows/helm-chart.yaml
@@ -5,7 +5,6 @@ on:
     # run pipeline on push on master
     branches:
       - main
-      - development
     paths:
       - "charts/**"
 
@@ -18,17 +17,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: "0"
 
       - name: chart-testing (ct lint)
-        uses: helm/chart-testing-action@v2.0.1
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Run Helm Chart lint
         run: |
-            ct lint --lint-conf=.github/ct_lintconf.yaml \
-                    --chart-yaml-schema=.github/ct_chart_schema.yaml \
-                    --target-branch=main --validate-maintainers=false \
-                    --check-version-increment=false \
-                    --chart-dirs charts
+          set -e
+          ct lint --lint-conf=.github/ct_lintconf.yaml \
+                  --chart-yaml-schema=.github/ct_chart_schema.yaml \
+                  --target-branch=main \
+                  --validate-maintainers=false \
+                  --check-version-increment=false \
+                  --chart-dirs charts
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml
@@ -3,7 +3,7 @@ name: release-chart
 on:
   push:
     tags:
-      - 'policy-reporter-preview-chart-v*'
+      - 'policy-reporter-chart-v*'
 
 jobs:
   helm-chart:
@@ -13,7 +13,7 @@ jobs:
       pages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
 
@@ -28,11 +28,38 @@ jobs:
           git config user.email "[email protected]"
 
       - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
-          version: v3.10.3
+          version: v3.16.1
+
+      - name: Prepare GPG key
+        run: |
+          gpg_dir=.cr-gpg
+          mkdir "$gpg_dir"
+          keyring="$gpg_dir/secring.gpg"
+          base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
+          passphrase_file="$gpg_dir/passphrase"
+          echo "$GPG_PASSPHRASE" > "$passphrase_file"
+          echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
+          echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
+        env:
+          GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above
+          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}" 
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        id: cr
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_KEY: "${{ secrets.CR_KEY }}"
+          CR_SIGN: true
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - name: Push to OCI
+        run: |
+          set -e
+          output=$(helm push .cr-release-packages/policy-reporter-{{ steps.cr.outputs.chart_version }}.tgz oci://ghcr.io/kyverno/charts 2>&1)
+          digest=$( echo "$output" | grep Digest | cut -c9-)
+          cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@$digest
diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Push image
         id: params
@@ -32,24 +32,24 @@ jobs:
           echo "VERSION=$VERSION" >> "$GITHUB_ENV"
 
       - name: Login to Github Packages
-        uses: docker/login-action@v2
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.CR_PAT }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
         id: buildx
         with:
           install: true
           version: latest
 
       - name: Build image and push to GitHub Container Registry
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         id: push
         with:
           push: true
@@ -60,7 +60,7 @@ jobs:
             ghcr.io/kyverno/policy-reporter:${{ env.VERSION }}
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
         with:
           go-version-file: go.mod
           cache-dependency-path: go.sum
@@ -70,7 +70,7 @@ jobs:
           version: v1
           args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
 
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: policy-reporter-bom-cdx
           path: policy-reporter-bom.cdx.json

diff --git a/test b/test
@@ -0,0 +1,2 @@
+Pushed: ghcr.io/fjogeleit/charts/policy-reporter-preview:3.0.0-beta.18
+Digest: sha256:ebc720b178dbbdc5def056e0d8c57a9475180d087c68c7afdf64ea5bbaff6eab
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Pushed: ghcr.io/fjogeleit/charts/policy-reporter-preview:3.0.0-beta.18
		Digest: sha256:ebc720b178dbbdc5def056e0d8c57a9475180d087c68c7afdf64ea5bbaff6eab