From 893ff425281ffd0c88f74cd79ef10d5bb38bc252 Mon Sep 17 00:00:00 2001
From: Frank Jogeleit
Date: Sun, 6 Oct 2024 12:29:10 +0200
Subject: [PATCH] update workflows

Signed-off-by: Frank Jogeleit
---
 .github/workflows/ci.yaml | 46 +++++++++++++++++++++++-----
 .github/workflows/docs.yaml | 7 ++---
 .github/workflows/helm-chart.yaml | 17 +++++-----
 .github/workflows/release-chart.yaml | 37 +++++++++++++++++++---
 .github/workflows/release-image.yaml | 14 ++++-----
 test | 2 ++
 6 files changed, 91 insertions(+), 32 deletions(-)
 create mode 100644 test

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 59a4e87dd..55f0985b4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,26 +20,56 @@ jobs: coverage: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0 with: go-version-file: go.mod cache-dependency-path: go.sum - - name: Get dependencies - run: go get -v -t -d ./... + - name: Check go.mod + run: | + set -e + go mod tidy && git diff --exit-code + + - name: Check code format + run: | + set -e + make fmt + git diff --exit-code + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' - name: Calc coverage run: make coverage - name: Convert coverage to lcov - uses: jandelgado/gcov2lcov-action@v1.0.9 + uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 #v1.0.9 - name: Coveralls - uses: coverallsapp/github-action@v2.0.0 + uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0 with: github-token: ${{ secrets.github_token }} - file: coverage.lcov \ No newline at end of file + file: coverage.lcov + + check-actions: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Ensure SHA pinned actions + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13 + with: + # slsa-github-generator requires using a semver tag for reusable workflows. + # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators + allowlist: | + slsa-framework/slsa-github-generator \ No newline at end of file 
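Review bot: The new Trivy step writes `trivy-results.sarif` but no later step in the `coverage` job uploads it, and `exit-code` is left at the action's default of 0, so CRITICAL/HIGH findings neither fail the job nor reach the repository's code-scanning view; the file is simply discarded when the runner is torn down. Either add `exit-code: '1'` under the step's `with:` block, or follow it with a `github/codeql-action/upload-sarif` step (SHA-pinned, so the new `check-actions` job accepts it) and grant the job `security-events: write`. The `set -e` lines added to `Check go.mod` and `Check code format` (and likewise in helm-chart.yaml's ct lint step and release-chart.yaml's `Push to OCI` step) are redundant, because a `run` step with no `shell:` key already executes under `bash -e {0}`; if stricter failure handling is the goal, `shell: bash` gives `-eo pipefail`, which `set -e` alone does not. The version comment on the gcov2lcov pin is `#v1.0.9` while the other pins in this hunk use `# v4.2.0`, and the same spacing slip appears in docs.yaml (setup-node, actions-gh-pages) and release-image.yaml (setup-buildx-action). The new side still ends with `\ No newline at end of file`; this rewrite is a good moment to add the trailing newline.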
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 18853b2f1..912f3c8dc 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -10,10 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@master + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Setup node env - uses: actions/setup-node@v2.1.2 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4 with: node-version: 16 @@ -32,9 +32,8 @@ jobs: cp index.yaml ./dist/index.yaml cp artifacthub-repo.yml ./dist/artifacthub-repo.yml - - name: Deploy - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e #v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./dist diff --git a/.github/workflows/helm-chart.yaml b/.github/workflows/helm-chart.yaml index bdc4b288a..9c74a8267 100644 --- a/.github/workflows/helm-chart.yaml +++ b/.github/workflows/helm-chart.yaml @@ -5,7 +5,6 @@ on: # run pipeline on push on master branches: - main - - development paths: - "charts/**" @@ -18,17 +17,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: "0" - name: chart-testing (ct lint) - uses: helm/chart-testing-action@v2.0.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run Helm Chart lint run: | - ct lint --lint-conf=.github/ct_lintconf.yaml \ - --chart-yaml-schema=.github/ct_chart_schema.yaml \ - --target-branch=main --validate-maintainers=false \ - --check-version-increment=false \ - --chart-dirs charts + set -e + ct lint --lint-conf=.github/ct_lintconf.yaml \ + --chart-yaml-schema=.github/ct_chart_schema.yaml \ + --target-branch=main \ + --validate-maintainers=false \ + --check-version-increment=false \ + --chart-dirs charts 
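Review bot: In docs.yaml the setup-node pin is moved to v4.0.4 while the unchanged `node-version: 16` below it still selects Node 16, which has been end-of-life since September 2023 and no longer receives security fixes; bumping the runtime at the same time as the action (`node-version: 20`, assuming the docs build tolerates it) would be the matching change. The helm-chart.yaml hunk that drops `development` from the push branches and reflows the `ct lint` flags is otherwise fine; the only thing the reflow changes is whitespace, so the job's behaviour is unchanged apart from the redundant `set -e` already noted on ci.yaml. Both docs.yaml hunks and the helm-chart.yaml steps belong to jobs whose headers are outside these hunks.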
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml index df5277615..1326640ee 100644 --- a/.github/workflows/release-chart.yaml +++ b/.github/workflows/release-chart.yaml @@ -3,7 +3,7 @@ name: release-chart on: push: tags: - - 'policy-reporter-preview-chart-v*' + - 'policy-reporter-chart-v*' jobs: helm-chart: @@ -13,7 +13,7 @@ jobs: pages: write steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 
@@ -28,11 +28,38 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: - version: v3.10.3 + version: v3.16.1 + + - name: Prepare GPG key + run: | + gpg_dir=.cr-gpg + mkdir "$gpg_dir" + keyring="$gpg_dir/secring.gpg" + base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring" + passphrase_file="$gpg_dir/passphrase" + echo "$GPG_PASSPHRASE" > "$passphrase_file" + echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV" + echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV" + env: + GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above + GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}" - name: Run chart-releaser uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 + id: cr env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + CR_KEY: "${{ secrets.CR_KEY }}" + CR_SIGN: true + + - name: Install Cosign + uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 + + - name: Push to OCI + run: | + set -e + output=$(helm push .cr-release-packages/policy-reporter-{{ steps.cr.outputs.chart_version }}.tgz oci://ghcr.io/kyverno/charts 2>&1) + digest=$( echo "$output" | grep Digest | cut -c9-) + cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@$digest \ No newline at end of file diff --git a/.github/workflows/release-image.yaml b/.github/workflows/release-image.yaml index 945a02c36..cb61b80d1 100644 --- a/.github/workflows/release-image.yaml +++ b/.github/workflows/release-image.yaml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Push image id: params 
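Review bot: In the new `Push to OCI` step the chart path uses `{{ steps.cr.outputs.chart_version }}` without the leading `$`, so it is not a GitHub expression and the literal text is handed to `helm push`; the file cannot exist, the command substitution fails under `set -e`, and the signing never runs. The line should read `output=$(helm push ".cr-release-packages/policy-reporter-${{ steps.cr.outputs.chart_version }}.tgz" oci://ghcr.io/kyverno/charts 2>&1)`. The digest extraction `grep Digest | cut -c9-` can also yield an empty string without failing, because the pipeline's status is that of `cut`; adding `set -o pipefail` and a guard such as `[ -n "$digest" ] || { echo "$output"; exit 1; }` before `cosign sign` keeps a parsing miss from turning into an unsigned push or a confusing cosign error. `cosign sign --yes` without a key implies keyless signing, which needs `id-token: write` on the job; the `permissions:` block starts before this hunk, so please confirm it is granted there. The `helm-chart` job's steps begin outside this hunk.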
@@ -32,24 +32,24 @@ jobs: echo "VERSION=$VERSION" >> "$GITHUB_ENV" - name: Login to Github Packages - uses: docker/login-action@v2 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.CR_PAT }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1 id: buildx with: install: true version: latest - name: Build image and push to GitHub Container Registry - uses: docker/build-push-action@v3 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 id: push with: push: true @@ -60,7 +60,7 @@ jobs: ghcr.io/kyverno/policy-reporter:${{ env.VERSION }} - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0 with: go-version-file: go.mod cache-dependency-path: go.sum @@ -70,7 +70,7 @@ jobs: version: v1 args: app -licenses -json -output policy-reporter-bom.cdx.json -main . - - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: policy-reporter-bom-cdx path: policy-reporter-bom.cdx.json diff --git a/test b/test new file mode 100644 index 000000000..9d9b6e177 --- /dev/null +++ b/test @@ -0,0 +1,2 @@ +Pushed: ghcr.io/fjogeleit/charts/policy-reporter-preview:3.0.0-beta.18 +Digest: sha256:ebc720b178dbbdc5def056e0d8c57a9475180d087c68c7afdf64ea5bbaff6eab
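Review bot: The new top-level `test` file contains captured `helm push` output (a `Pushed:`/`Digest:` pair for a preview chart in a personal namespace) and nothing in the workflows reads it, so it looks like an accidental `git add` and should be dropped from the commit. If a sample of that output is wanted to document why release-chart.yaml parses the digest with `grep Digest | cut -c9-`, a comment next to that line is a better home than a file named `test` at the repository root. In the release-image.yaml login hunk, the step is touched only for the pin bump but still authenticates with the long-lived `secrets.CR_PAT`; since the image is pushed to `ghcr.io/kyverno/policy-reporter`, the job's own `GITHUB_TOKEN` with `packages: write` would likely suffice and avoids a stored PAT, though that depends on the package's linked-repository settings.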