diff --git a/.github/workflows/bulwark-gitleaks.yaml b/.github/workflows/bulwark-gitleaks.yaml
deleted file mode 100644
index 70d251b5..00000000
--- a/.github/workflows/bulwark-gitleaks.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: BulwarkGitLeaks - -on: - pull_request: - workflow_dispatch: - -concurrency: - group: gitleaks-${{ github.ref }} - cancel-in-progress: true - -jobs: - gitleaks-pr-scan: - runs-on: [self-hosted, Linux, X64, validator] - container: - image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest - env: - REPO: ${{ github.event.repository.name }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_CONFIG: /workspace/config.toml - steps: - - name: run-bulwark-gitleaks-scan - shell: sh - env: - BRANCH: ${{ github.head_ref || github.ref_name }} - run: /workspace/bulwark -name CodeSASTGitLeaks -organization validator-labs -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD" - - - name: check-result - shell: sh - run: | - resultPath=./$REPO/gitleaks.json - cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\: - total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l` - if [ "$total_failed_tests" -gt 0 ]; then - echo "GitLeaks validation check failed with above findings..." - exit 1 - else - echo "GitLeaks validation check passed" - fi
\ No newline at end of file
diff --git a/.github/workflows/bulwark-golicences.yaml b/.github/workflows/bulwark-golicences.yaml
deleted file mode 100644
index 7aa8c1d6..00000000
--- a/.github/workflows/bulwark-golicences.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: GoLicenses - -on: - pull_request: - workflow_dispatch: - -concurrency: - group: golicenses-${{ github.ref }} - cancel-in-progress: true - -jobs: - golicense-pr-scan: - runs-on: [self-hosted, Linux, X64, validator] - container: - image: gcr.io/spectro-images-public/golang:1.22-alpine - steps: - - name: checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 - with: - cache: false - go-version-file: go.mod - - - name: install-golicenses - run: go install github.com/google/go-licenses@latest - - - name: golicense-scan - run: | - go-licenses check ./...
\ No newline at end of file
diff --git a/.github/workflows/bulwark-gosec.yaml b/.github/workflows/bulwark-gosec.yaml
deleted file mode 100644
index 6169f38b..00000000
--- a/.github/workflows/bulwark-gosec.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: BulwarkGoSec - -on: - pull_request: - workflow_dispatch: - -concurrency: - group: gosec-${{ github.ref }} - cancel-in-progress: true - -jobs: - gosec-pr-scan: - runs-on: [self-hosted, Linux, X64, validator] - container: - image: gcr.io/spectro-dev-public/bulwark/gosec:latest - env: - REPO: ${{ github.event.repository.name }} - steps: - - name: checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 - with: - cache: false - go-version-file: go.mod - - - name: run-gosec-scan - shell: sh - env: - BRANCH: ${{ github.head_ref || github.ref_name }} - GO111MODULE: on - run: /workspace/bulwark -name CodeSASTGoSec -verbose -organization validator-labs -target $REPO -tags "branch:$BRANCH" - - - name: check-result - shell: sh - run: | - resultPath=$REPO-result.json - issues=$(cat $resultPath | jq -r '.Stats.found') - echo "Found ${issues} issues" - echo "Issues by Rule ID" - jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath - if [ "$issues" -gt 0 ]; then - echo "GoSec SAST scan failed with below findings..." - cat $resultPath - exit 1 - else - echo "GoSec SAST scan passed" - fi
\ No newline at end of file
diff --git a/.github/workflows/bulwark-govulncheck.yaml b/.github/workflows/bulwark-govulncheck.yaml
deleted file mode 100644
index b2c47be5..00000000
--- a/.github/workflows/bulwark-govulncheck.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: GoVulnCheck - -on: - pull_request: - workflow_dispatch: - -concurrency: - group: govulncheck-${{ github.ref }} - cancel-in-progress: true - -jobs: - govulncheck-pr-scan: - runs-on: [self-hosted, Linux, X64, validator] - container: - image: gcr.io/spectro-images-public/golang:1.22-alpine - steps: - - name: install-govulncheck - run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest - - - name: checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - - name: govulncheck-scan - run: | - go version - govulncheck -mode source ./...
\ No newline at end of file
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
new file mode 100644
index 00000000..4db2fe13
--- /dev/null
+++ b/.github/workflows/gitleaks.yaml
@@ -0,0 +1,10 @@
+name: GitLeaks + +on: + pull_request: + workflow_dispatch: + +jobs: + call-gitleaks: + uses: validator-labs/workflows/.github/workflows/gitleaks.yaml@main + secrets: inherit
diff --git a/.github/workflows/golicences.yaml b/.github/workflows/golicences.yaml
new file mode 100644
index 00000000..b66a90c1
--- /dev/null
+++ b/.github/workflows/golicences.yaml
@@ -0,0 +1,10 @@
+name: GoLicenses + +on: + pull_request: + workflow_dispatch: + +jobs: + call-golicenses: + uses: validator-labs/workflows/.github/workflows/golicenses.yaml@main + secrets: inherit
diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
new file mode 100644
index 00000000..b499c537
--- /dev/null
+++ b/.github/workflows/gosec.yaml
@@ -0,0 +1,10 @@
+name: GoSec + +on: + pull_request: + workflow_dispatch: + +jobs: + call-gosec: + uses: validator-labs/workflows/.github/workflows/gosec.yaml@main + secrets: inherit
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
new file mode 100644
index 00000000..be0fdac0
--- /dev/null
+++ b/.github/workflows/govulncheck.yaml
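Review bot: `call-gitleaks` references the reusable workflow by the mutable `@main` ref and forwards every repository secret with `secrets: inherit`, so any commit that lands on `validator-labs/workflows` changes what runs here with full secret access, whereas the deleted workflows pinned their actions to full commit SHAs (`actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4`). Pin the call the same way, `uses: validator-labs/workflows/.github/workflows/gitleaks.yaml@<full-commit-sha> # <tag>`, and, where the called workflow declares its inputs, pass only the secrets it names as explicit `secrets:` entries instead of `inherit`. The same applies to the `golicences.yaml`, `gosec.yaml` and `govulncheck.yaml` callers and to `call-release` and `call-test` in `release.yaml` and `test.yaml`. The `concurrency:` group with `cancel-in-progress: true` that each deleted `bulwark-*` workflow declared is not carried over; unless the shared workflow sets one, add `concurrency: {group: gitleaks-${{ github.ref }}, cancel-in-progress: true}` at the caller's top level, with the matching group in the other new callers and in `test.yaml`.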
@@ -0,0 +1,10 @@
+name: GoVulnCheck + +on: + pull_request: + workflow_dispatch: + +jobs: + call-govulncheck: + uses: validator-labs/workflows/.github/workflows/govulncheck.yaml@main + secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fa336fea..e7b182df 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,105 +5,8 @@ on: branches: - main - '[0-9]+.[0-9]+.x' - workflow_dispatch: - -env: - REGISTRY: quay.io - GITHUB_PAGES_BRANCH: gh_pages - -defaults: - run: - shell: bash jobs: - release-please: - permissions: - contents: write # for google-github-actions/release-please-action to create release commit - pull-requests: write # for google-github-actions/release-please-action to create release PR - runs-on: [self-hosted, Linux, X64, validator] - outputs: - releases_created: ${{ steps.release.outputs.releases_created }} - tag_name: ${{ steps.release.outputs.tag_name }} - # Release-please creates a PR that tracks all changes - steps: - - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4 - id: release - with: - token: ${{ secrets.PAT }} - - release-charts: - needs: release-please - permissions: - contents: write - runs-on: [self-hosted, Linux, X64, validator] - if: needs.release-please.outputs.releases_created == 'true' - steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - name: Publish Helm chart - uses: stefanprodan/helm-gh-pages@master - with: - token: ${{ secrets.PAT }} - charts_dir: chart - owner: validator-labs - branch: ${{ env.GITHUB_PAGES_BRANCH }} - commit_username: validator-labs-bot - commit_email: bot@noreply.validator-labs.io - - build-container: - if: needs.release-please.outputs.releases_created == 'true' - needs: - - release-please - runs-on: [self-hosted, Linux, X64, validator] - permissions: - contents: write - packages: write - id-token: write - env: - IMAGE_TAG: quay.io/validator-labs/validator:${{ needs.release-please.outputs.tag_name }} - IMAGE_NAME: validator - steps: - - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - with: - submodules: recursive - - - name: Set up Docker Buildx - id: buildx - uses: 
docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 - - - name: Login to GitHub Container Registry - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 - with: - registry: "quay.io" - username: ${{ secrets.QUAY_USER }} - password: ${{ secrets.QUAY_TOKEN }} - - - name: Build Docker Image - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5 - with: - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64 - target: production - tags: | - ${{ env.IMAGE_TAG }} - builder: ${{ steps.buildx.outputs.name }} - push: true - cache-from: type=gha,scope=${{ github.ref_name }}-${{ env.IMAGE_TAG }} - cache-to: type=gha,scope=${{ github.ref_name }}-${{ env.IMAGE_TAG }} - - - name: Generate SBOM - uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0 - with: - image: ${{ env.IMAGE_TAG }} - artifact-name: sbom-${{ env.IMAGE_NAME }} - output-file: ./sbom-${{ env.IMAGE_NAME }}.spdx.json - - - name: Attach SBOM to release - uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2 - with: - tag_name: ${{ needs.release-please.outputs.tag_name }} - files: ./sbom-${{ env.IMAGE_NAME }}.spdx.json + call-release: + uses: validator-labs/workflows/.github/workflows/release.yaml@main + secrets: inherit
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 2de0748c..69343e74 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
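Review bot: `call-release` sets no `permissions:`, while the `release-please`, `release-charts` and `build-container` jobs it replaces each granted an explicit set (`contents: write`, `pull-requests: write`, `packages: write`, `id-token: write`); a called workflow cannot exceed what the calling job grants, so those jobs now run under the repository's default `GITHUB_TOKEN` permissions — broader than needed if the default is read/write, and unable to push the release commit or tag if it is read-only. Declare the scopes on the calling job, mirroring the deleted jobs and dropping any the shared workflow no longer uses, as below. The hunk starts inside the `on:` mapping; `name:` and the beginning of `on:` are above it.
```yaml
jobs:
  call-release:
    permissions:
      contents: write       # release commit/tag, chart publish, SBOM asset upload
      pull-requests: write  # release-please PR
      packages: write
      id-token: write
    uses: validator-labs/workflows/.github/workflows/release.yaml@main
    secrets: inherit
```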
@@ -7,82 +7,7 @@ on: pull_request: workflow_dispatch: -concurrency: - group: test-${{ github.ref }} - cancel-in-progress: true - jobs: - test: - name: Run Unit & Integration Tests - runs-on: [self-hosted, Linux, X64, validator] - steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - - - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 - with: - cache: false - go-version-file: go.mod - - - name: Set up Helm - run: make helm - - - name: Test - run: make test - - - name: Workaround for https://github.com/codecov/feedback/issues/263 - run: | - git config --global --add safe.directory "$GITHUB_WORKSPACE" - - - name: Codecov - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4 - with: - file: ./cover.out - fail_ci_if_error: true - token: ${{ secrets.CODECOV_TOKEN }} - - test-chart: - name: Run Helm Chart Tests - runs-on: [self-hosted, Linux, X64, validator] - if: "!(contains(github.head_ref, 'release-please') || contains(github.ref, 'release-please'))" - steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - with: - fetch-depth: 0 - - - name: Set up Helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4 - with: - version: v3.11.2 - - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5 - with: - python-version: '3.9' - check-latest: true - - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - - name: Run chart-testing (list-changed) - id: list-changed - run: | - set -ex - changed=$(ct list-changed --chart-dirs chart --target-branch ${{ github.event.repository.default_branch }}) - echo $changed - if [[ -n "$changed" ]]; then - echo "changed=true" >> "$GITHUB_OUTPUT" - fi - - - name: Run chart-testing (lint) - if: steps.list-changed.outputs.changed == 'true' - run: | - cd $GITHUB_WORKSPACE - ct lint --validate-maintainers=false 
--check-version-increment=false --chart-dirs chart --target-branch ${{ github.event.repository.default_branch }} - - - name: Create kind cluster - if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - - - name: Run chart-testing (install) - if: steps.list-changed.outputs.changed == 'true' - run: ct install --chart-dirs chart --target-branch ${{ github.event.repository.default_branch }} + call-test: + uses: validator-labs/workflows/.github/workflows/test.yaml@main + secrets: inherit
diff --git a/Makefile b/Makefile
index 5336e300..8b2a0a0a 100644
--- a/Makefile
+++ b/Makefile
@@ -66,7 +66,7 @@ vet: ## Run go vet against code. go vet ./... .PHONY: test -test: manifests generate fmt vet envtest ## Run tests. +test: manifests generate fmt vet envtest helm ## Run tests. KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out ##@ Build
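Review bot: The `release-please` branch guard on the deleted `test-chart` job (`if: "!(contains(github.head_ref, 'release-please') || contains(github.ref, 'release-please'))"`) has no counterpart on `call-test`, and nothing in this hunk shows whether `test.yaml@main` re-implements it; if it does not, the chart-testing steps will now run on release-please PRs as well. If the skip is this repository's policy rather than the shared workflow's, keep it on the calling job by adding that same `if:` line directly under `call-test:`, where a reusable-workflow job accepts it. The `on:` mapping the context lines belong to begins above the hunk.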
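Review bot: Adding `helm` to the prerequisites of `test` makes every `make test` invocation, local or CI, run the `helm` target first; that target is outside this hunk, so what it fetches and from where cannot be checked here. If it downloads a binary, pin the version and verify a checksum in that target (the deleted `test-chart` job pinned `azure/setup-helm` to `version: v3.11.2`), and skip the download when a usable binary is already present in `$(LOCALBIN)` so unit tests remain runnable offline. The recipe line and the `vet` target shown as context are unchanged.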