diff --git a/.github/workflows/ah-lint.yaml b/.github/workflows/ah-lint.yaml deleted file mode 100644 index b4401b25..00000000 --- a/.github/workflows/ah-lint.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: ArtifactHub Lint - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: | - set -e - ah lint diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml deleted file mode 100644 index cd4a19cd..00000000 --- a/.github/workflows/check-actions.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Check actions - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Ensure SHA pinned actions - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3 - with: - # slsa-github-generator requires using a semver tag for reusable workflows. - # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators - allowlist: | - slsa-framework/slsa-github-generator diff --git a/.github/workflows/codegen.yaml b/.github/workflows/codegen.yaml deleted file mode 100644 index 162f19aa..00000000 --- a/.github/workflows/codegen.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Verify codegen - -permissions: {} - -on: - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: Verify codegen - run: | - set -e - make verify-codegen diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml deleted file mode 100644 index cfaff7d2..00000000 --- a/.github/workflows/codeql.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: CodeQL - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 - with: - scan-type: fs - ignore-unfixed: false - format: sarif - output: trivy-results.sarif - severity: CRITICAL,HIGH,MEDIUM - scanners: vuln,secret - exit-code: '0' - vuln-type: os,library - env: - # Trivy is returning TOOMANYREQUESTS - # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577 - TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 - with: - sarif_file: trivy-results.sarif - category: code diff --git a/.github/workflows/conformance-tests.yaml b/.github/workflows/conformance-tests.yaml deleted file mode 100644 index 726bd9b0..00000000 --- a/.github/workflows/conformance-tests.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -name: E2E Tests - -permissions: {} - -on: - workflow_dispatch: {} - pull_request: - branches: - - "main" - - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - strategy: - fail-fast: false - matrix: - k8s-version: - - name: v1.25 - version: v1.25.16 - - name: v1.26 - version: v1.26.13 - - name: v1.27 - version: v1.27.10 - - name: v1.28 - version: v1.28.6 - - name: v1.29 - version: v1.29.1 - - name: v1.30 - version: v1.30.0 - tests: - - ^reports$ - runs-on: ubuntu-latest - name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Checkout kyverno/kyverno - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: kyverno/kyverno - path: kyverno - - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ~1.22.2 - - name: Install helm - id: helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Install Tools - run: | - set -e - curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Install kind - shell: bash - run: | - set -e - # For AMD64 / x86_64 - [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 - # For ARM64 - [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Create kind cluster - run: | - set -e - kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install report server testing - run: | - set -e - export HELM=${{ 
steps.helm.outputs.helm-path }} - make kind-install - - name: Wait for report server ready - run: | - set -e - kubectl wait --namespace reports-server --for=condition=ready pod --selector '!job-name' --timeout=120s - - name: Install latest kyverno - run: | - set -e - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - curl https://raw.githubusercontent.com/kyverno/kyverno/refs/heads/main/scripts/config/standard/kyverno.yaml > values.yaml - helm install kyverno -n kyverno --create-namespace ./kyverno/charts/kyverno --wait --values values.yaml - - name: Wait for kyverno ready - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s - - name: API Service status - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 - - name: Test with Chainsaw - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - cd ./kyverno/test/conformance/chainsaw/reports && chainsaw test --config ./../../../../../.chainsaw.yaml --exclude-test-regex '^chainsaw$/^admission$/^label' - - name: Debug failure - if: failure() - uses: ./.github/actions/failure-logs diff --git a/.github/workflows/ct-lint.yaml b/.github/workflows/ct-lint.yaml deleted file mode 100644 index 03f59ea5..00000000 --- a/.github/workflows/ct-lint.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: CT Lint - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.8 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Add missing Helm repositories - run: | - set -e - helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts - helm repo update - - name: Run chart-testing (lint) - run: | - set -e - ct lint --target-branch=main --check-version-increment=false diff --git a/.github/workflows/helm-install.yaml b/.github/workflows/helm-install.yaml deleted file mode 100644 index 43dbddd3..00000000 --- a/.github/workflows/helm-install.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Helm install - -permissions: {} - -on: - pull_request: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: Create cluster - run: | - set -e - make kind-create - - name: Install chart - run: | - set -e - make kind-install 
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml deleted file mode 100644 index 570273d3..00000000 --- a/.github/workflows/helm-release.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: helm-release - -permissions: {} - -on: - push: - tags: - - 'reports-server-chart-*' - -jobs: - helm-tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.8 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Run chart-testing (lint) - run: | - set -e - ct lint --target-branch=main --check-version-increment=false - - linter-artifacthub: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: ah lint - - create-release: - runs-on: ubuntu-latest - needs: helm-tests - permissions: - contents: write - packages: write - id-token: write - pages: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - version: v3.10.3 - - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - - name: Set version - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - - - name: Create charts tmp directory - run: | - mkdir charts-tmp - if [[ "$RELEASE_VERSION" = "reports-server-chart-"* ]]; then - cp -a charts/reports-server charts-tmp/reports-server - fi - - - name: Run chart-releaser - uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 #v1.7.0 - with: - token: "${{ 
secrets.GITHUB_TOKEN }}" - linting: off - charts_dir: charts-tmp - - - name: Login to GitHub Container Registry - run: | - helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - - - name: Publish OCI Charts - run: | - for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do - chart=${dir##*/} - echo "Found chart: ${chart}" - helm package charts-tmp/${chart} --destination .dist - helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest - cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') - done diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index f3dcea49..00000000 --- a/.github/workflows/lint.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Lint - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - - name: golangci-lint - uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 - with: - skip-cache: true \ No newline at end of file diff --git a/.github/workflows/migration-tests.yaml b/.github/workflows/migration-tests.yaml deleted file mode 100644 index 665d791b..00000000 --- a/.github/workflows/migration-tests.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -name: Migration Tests - -permissions: {} - -on: - workflow_dispatch: {} - pull_request: - branches: - - "main" - - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - required: - strategy: - fail-fast: false - matrix: - k8s-version: - - name: v1.25 - version: v1.25.16 - - name: v1.26 - version: v1.26.13 - - name: v1.27 - version: v1.27.10 - - name: v1.28 - version: v1.28.6 - - name: v1.29 - version: v1.29.1 - - name: v1.30 - version: v1.30.0 - tests: - - ^reports$ - runs-on: ubuntu-latest - name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Checkout kyverno/kyverno - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: kyverno/kyverno - path: kyverno - - name: Setup Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ~1.22.2 - - name: Install helm - id: helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Install Tools - run: | - set -e - curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Install kind - shell: bash - run: | - set -e - # For AMD64 / x86_64 - [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 - # For ARM64 - [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Create kind cluster - run: | - set -e - kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install kyverno - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - 
curl https://raw.githubusercontent.com/kyverno/kyverno/refs/heads/main/scripts/config/standard/kyverno.yaml > values.yaml - helm install kyverno -n kyverno --create-namespace ./kyverno/charts/kyverno --wait --values values.yaml - - name: Wait for kyverno ready - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=120s - # - name: Install PSS policies - # run: | - # set -e - # export HELM=${{ steps.helm.outputs.helm-path }} - # make install-pss-policies - - name: API Service status before migation - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install report server - run: | - set -e - kubectl create ns reports-server - export HELM=${{ steps.helm.outputs.helm-path }} - make kind-install - - name: Wait for report server ready - run: | - set -e - kubectl wait --namespace reports-server --for=condition=ready pod --selector '!job-name' --timeout=120s - kubectl wait --for condition="available" apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io --timeout=120s - - name: Wait for kyverno to pick up the change - run: | - set -e - sleep 600 - - name: API Service status post migration - run: | - set -e - kubectl get apiservices v1alpha2.wgpolicyk8s.io v1.reports.kyverno.io - - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 - - name: Test with Chainsaw - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - cd ./kyverno/test/conformance/chainsaw/reports && chainsaw test --config ./../../../../../.chainsaw.yaml --exclude-test-regex '^chainsaw$/^admission$/^label' - - name: Debug failure - if: failure() - uses: ./.github/actions/failure-logs diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml deleted file mode 100644 index db3100a5..00000000 --- a/.github/workflows/publish-images.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Publish images - -permissions: {} - -on: - push: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - publish-images: - runs-on: ubuntu-latest - permissions: - packages: write - id-token: write - outputs: - reports-server-digest: ${{ steps.publish-reports-server.outputs.digest }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: publish-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 30 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Publish reports server - id: publish-reports-server - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-reports-server - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: reports-server - version: ${{ github.ref_name }} - sign-image: true - sbom-name: reports-server - sbom-repository: ghcr.io/${{ github.repository_owner }}/reports-server/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/reports-server/signatures - main-path: . - generate-reports-server-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. 
- # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/reports-server - digest: "${{ needs.publish-images.outputs.reports-server-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b6bdd082..4d126f1e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -27,114 +27,3 @@ jobs: secrets: registry_username: ${{ github.actor }} registry_password: ${{ secrets.GITHUB_TOKEN }} - # goreleaser: - # permissions: - # contents: write - # id-token: write - # packages: write - # pull-requests: write - # outputs: - # hashes: ${{ steps.hash.outputs.hashes }} - # image: ${{ steps.digest.outputs.image }} - # digest: ${{ steps.digest.outputs.digest }} - # runs-on: ubuntu-latest - # steps: - # - name: Free disk space - # uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 - # with: - # tool-cache: true - # android: true - # dotnet: true - # haskell: true - # large-packages: false - # docker-images: true - # swap-storage: false - # - name: Checkout - # uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - # with: - # fetch-depth: 0 - # - name: Fetch all tags - # run: | - # set -e - # git fetch --force --tags - # - name: Set up Go - # uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - # with: - # go-version-file: go.mod - # cache-dependency-path: go.sum - # - name: Install Cosign - # uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - # - name: Install Syft - # uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8 - # - name: Install Ko - # uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - # - name: Run GoReleaser - # id: goreleaser - # uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 - # with: - # distribution: goreleaser - # version: latest - # args: release --clean --timeout 90m - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # - name: Upload artifacts.json - # uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 - # with: - # repo_token: ${{ secrets.GITHUB_TOKEN }} - # file: dist/artifacts.json - # asset_name: artifacts.json - # tag: ${{ github.ref }} - # - name: Upload metadata.json - # 
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 - # with: - # repo_token: ${{ secrets.GITHUB_TOKEN }} - # file: dist/metadata.json - # asset_name: metadata.json - # tag: ${{ github.ref }} - # - name: Generate subject - # id: hash - # env: - # ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" - # run: | - # set -euo pipefail - # checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - # hashes=$(cat $checksum_file | base64 -w0) - # echo "hashes=$hashes" >> $GITHUB_OUTPUT - # - name: Image digest - # id: digest - # env: - # ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" - # run: | - # set -euo pipefail - # image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path') - # image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1) - # digest=$(echo "${image_and_digest}" | cut -d'@' -f2) - # echo "image=$image" >> "$GITHUB_OUTPUT" - # echo "digest=$digest" >> "$GITHUB_OUTPUT" - - # # provenance: - # # needs: - # # - goreleaser - # # permissions: - # # actions: read - # # id-token: write - # # contents: write - # # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 - # # with: - # # base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" - # # upload-assets: true - - # # image-provenance: - # # needs: - # # - goreleaser - # # permissions: - # # actions: read - # # id-token: write - # # packages: write - # # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 - # # with: - # # image: ${{ needs.goreleaser.outputs.image }} - # # digest: ${{ needs.goreleaser.outputs.digest }} - # # registry-username: ${{ github.actor }} - # # secrets: - # # registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml index 999d6976..6e88aed2 100644 --- a/.github/workflows/reuse.yaml +++ b/.github/workflows/reuse.yaml 
@@ -37,30 +37,6 @@ jobs: with: fetch-depth: 0 - - name: Checkout image - if: ${{ inputs.tag == 'image'}} - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 - - - name: Unshallow - if: ${{ inputs.tag == 'image'}} - run: git fetch --prune --unshallow --tags - - - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ~1.23.1 - - - name: Install Cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - - name: Cache Go modules - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Log into ghcr.io uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: 
@@ -77,129 +53,12 @@ jobs: with: install: true - - name: Run Trivy vulnerability scanner in repo mode - if: ${{inputs.tag == 'release'}} - uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - name: Set Version if: ${{ inputs.tag == 'release'}} run: | echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV - - name: Generate SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0 - with: - version: v1 - args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}} - - - name: Upload SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: ${{inputs.image_name}}-bom-cdx - path: ${{inputs.image_name}}-v*-bom.cdx.json - - - name: Extract branch name - if: ${{inputs.tag == 'image'}} - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branch - - - name: Check branch - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}} - id: check-branch - run: | - if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then - echo ::set-output name=match::true - fi - - - name: Debug Inputs - run: | - echo "Tag: ${{ inputs.tag }}" - echo "publish_command : ${{ inputs.publish_command}}" - echo "Digest Command: ${{ inputs.digest_command }}" - echo "Image Name: ${{ inputs.image_name }}" - echo "Repository: ${{ github.repository }}" - echo "Workflow: ${{ github.workflow }}" - echo "SHA: ${{ github.sha }}" - echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}" - echo "github.actor: ${{ github.actor }}" - echo "Branch: ${{ steps.extract_branch.outputs.branch }}" 
- - - name: Docker images publish - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - run: make ${{inputs.publish_command}} FIPS_ENABLED=1 - - - name: get image digest - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - id: get-step-image - run: | - digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1) - echo "digest=${digest}" >> $GITHUB_ENV - - name: Docker release-images publish if: ${{inputs.tag == 'release' || inputs.tag == 'image' }} run: make ${{inputs.publish_command}} FIPS_ENABLED=1 - - name: Clear Sigstore TUF Cache - run: | - rm -rf ~/.sigstore - - - name: Get release-image digest - if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }} - id: get-step - run: | - digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1 2>/dev/null || true) - if [[ -z "$digest" ]]; then - echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2 - exit 1 - fi - echo "digest=$digest" >> $GITHUB_ENV - echo "Digest: $digest" - - - name: Debug Digest - run: | - echo "Digest: ${{ env.digest }}" - if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then - echo "Error: Digest is empty or invalid." 
>&2 - exit 1 - fi - - - name: Sign image - if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - run: | - cosign sign --yes \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest} - - - name: Sign release-image - if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - digest: ${{ env.digest }} - run: | - echo "Signing with digest: $digest" - cosign sign --yes \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:$digest - - - name: Attach SBOM - if: ${{inputs.tag == 'release'}} - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ env.digest }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml deleted file mode 100644 index 805f85eb..00000000 --- a/.github/workflows/tests.yaml +++ /dev/null 
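Review bot: The kept `Docker release-images publish` step is now the last thing that touches the image, because this hunk removes `Get release-image digest`, `Sign release-image` and `Attach SBOM` after it and `Run Trivy vulnerability scanner in repo mode` and `Generate SBOM JSON` before it, so a release image reaches ghcr.io unsigned, without its CycloneDX SBOM and without a vulnerability gate. Dropping `Debug Inputs` is right, since it printed `secrets.GITHUB_TOKEN` into the job log. If signing and SBOM attachment are moving to another workflow, a comment above the publish step naming that workflow would stop the next reader from assuming the controls were simply dropped; if not, the cosign step should be restored directly after the publish, keyed on the digest the removed `Get release-image digest` step produced. The enclosing job begins before this hunk.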
@@ -1,51 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Tests - -permissions: {} - -on: - pull_request: - branches: - - main - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - unit-tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version-file: go.mod - cache-dependency-path: go.sum - # - name: Create test cluster - # run: | - # set -e - # make kind-cluster - - name: Run tests - run: | - set -e - make tests - - name: Upload Report to Codecov - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 - with: - files: ./coverage.out - fail_ci_if_error: true - verbose: true - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - - required: - needs: - - unit-tests - runs-on: ubuntu-latest - steps: - - run: echo "Required jobs success!" \ No newline at end of file diff --git a/Dockerfile.fips b/Dockerfile.fips index 905c687a..f2f80bdb 100644 --- a/Dockerfile.fips +++ b/Dockerfile.fips @@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23.4-fips-cbl-mariner2.0 AS builder +FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23.5-fips-cbl-mariner2.0 AS builder ENV GOPATH=/go \ PATH=/usr/local/go/bin:/go/bin:/usr/local/bin:/usr/bin:$PATH \ 
@@ -15,16 +15,13 @@ RUN mkdir -p /go && \
 WORKDIR /app
 COPY . .
-ARG BUILD_TAGS
-ARG GOEXPERIMENT
 ARG LD_FLAGS
-ARG MAIN_FILE
 ARG TARGETARCH
-RUN GOOS=linux GOARCH=$TARGETARCH \
- BUILD_TAGS=${BUILD_TAGS} GOEXPERIMENT=${GOEXPERIMENT} \
+RUN GOOS=linux GOARCH="$TARGETARCH" \
+ BUILD_TAGS=fips GOEXPERIMENT=systemcrypto \
 CGO_ENABLED=1 FIPS_ENABLED=1 \
- go build -ldflags="${LD_FLAGS}" -o /app/reports-server ${MAIN_FILE}
+ go build -ldflags="${LD_FLAGS}" -o /app/reports-server ./
 RUN groupadd --system appgroup && \
 useradd --system --uid 1001 --gid appgroup --home-dir /nonexistent --shell /usr/sbin/nologin appuser && \
@@ -42,4 +39,4 @@ COPY --from=builder /etc/ssl/certs /etc/ssl/certs
 USER 1001
-ENTRYPOINT ["/reports-server"]
\ No newline at end of file
+ENTRYPOINT ["/reports-server"]
diff --git a/Makefile b/Makefile
index 576cf408..36fe27a7 100644
--- a/Makefile
+++ b/Makefile
@@ -298,8 +298,7 @@ ko-publish-reports-server: ko-login ## Build and publish reports-server image (w
 FIPS_ENABLED := 0 # Default to FIPS disabled
 ifeq ($(FIPS_ENABLED), 1)
-# IMAGE_TAG := $(shell git describe --tags --abbrev=0)
-IMAGE_TAG := "amit-fips"
+IMAGE_TAG := $(shell git describe --tags --abbrev=0)
 BUILD_TAGS :="fips"
 LD_FLAGS :="-s -w"
 CGO_ENABLED := 1
@@ -331,9 +330,7 @@ docker-build-and-push-reports-server-fips: docker-buildx-builder
 --platform linux/amd64,linux/arm64 \
 --tag $(REPO_REPORTS_SERVER_FIPS):$(IMAGE_TAG) \
 . \
- --build-arg BUILD_TAGS=$(BUILD_TAGS) \
 --build-arg LD_FLAGS=$(LD_FLAGS) \
- --build-arg MAIN_FILE=./ \
 --push
 docker-get-reports-server-digest:
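Review bot: `BUILD_TAGS=fips` on the new RUN line is only an environment variable, and `go build` does not read a BUILD_TAGS variable, so no `fips` build constraint reaches the compiler; any `//go:build fips` files the project has would be silently left out of the FIPS image, while `GOEXPERIMENT=systemcrypto` does take effect because the toolchain honours that one. `FIPS_ENABLED=1` on the next line appears unused by this RUN for the same reason. Pass the tag explicitly: `go build -tags fips -ldflags="${LD_FLAGS}" -o /app/reports-server ./`. A one-line comment above the RUN stating that the tag and GOEXPERIMENT are deliberately hard-coded, so this Dockerfile cannot produce a non-FIPS binary, would also explain why the ARGs were dropped.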
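Review bot: `IMAGE_TAG := $(shell git describe --tags --abbrev=0)` returns the nearest reachable tag for any commit, so a build from an untagged commit is tagged with the previous release's tag and the `--push` in `docker-build-and-push-reports-server-fips` would overwrite that released image with unreleased code. In a shallow or tag-less checkout the shell call prints nothing and the push target collapses to `$(REPO_REPORTS_SERVER_FIPS):`. Consider `IMAGE_TAG := $(shell git describe --tags --exact-match 2>/dev/null)` followed by `$(if $(IMAGE_TAG),,$(error FIPS image builds require a tagged commit))` inside the `ifeq` block so the build fails instead of reusing a tag. The `ifeq` block continues outside the hunk.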