diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index b2b3bd2..6f33ca3 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -19,10 +19,12 @@ jobs: steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup Golang uses: actions/setup-go@v5 with: go-version-file: go.mod + - name: Run golangci-lint uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0 with:
@@ -30,10 +32,37 @@ jobs: args: --timeout 10m --verbose --issues-exit-code=0 only-new-issues: true + code-scan: + name: Code Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.28.0 + continue-on-error: true + with: + scan-type: "fs" + ignore-unfixed: true + exit-code: "1" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH,MEDIUM" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif" + govulncheck: runs-on: ubuntu-latest name: Run govulncheck steps: + # We only need to checkout as govuln does the go setup... + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - id: govulncheck uses: golang/govulncheck-action@v1 with:
@@ -45,8 +74,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 # v3.5.3 - - name: Setup Go + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Setup Golang uses: actions/setup-go@v5 with: go-version-file: go.mod
@@ -88,6 +118,7 @@ jobs: steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Set up QEMU uses: docker/setup-qemu-action@v3
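Review bot: The new `code-scan` job's `uses: actions/checkout@v4` is unpinned, while the same file pins checkout to `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` two steps earlier and in the govulncheck checkout added in this same hunk; pin it the same way. The job also declares no `permissions:` block, and `github/codeql-action/upload-sarif@v3` needs `security-events: write`, so if the workflow's default token is read-only (not visible here) the upload step will fail — add `permissions:` / `contents: read` / `security-events: write` to the job. Note as well that this job uses `aquasecurity/trivy-action@0.28.0` whereas the image scan later in this file uses `0.30.0`, and that `continue-on-error: true` means `exit-code: "1"` never fails the build, which only works if the Security-tab alerts are actually triaged.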
@@ -95,24 +126,35 @@ jobs: uses: docker/setup-buildx-action@v3 with: platforms: ${{ matrix.platform }} + driver: docker-container + use: true - name: Build Images uses: docker/build-push-action@v6 with: context: . platforms: ${{ matrix.platform }} - load: true push: false tags: quay.io/jetstack/version-checker:${{github.sha}} cache-from: type=gha cache-to: type=gha,mode=max + # https://github.com/docker/buildx/issues/1714 + # Whilst trivy says it supports .tar etc, it wouldn't work in gha or locally on my machine. + outputs: |- + type=oci,tar=false,compression=uncompressed,dest=./.oci-image + attests: |- + type=sbom + type=provenance,mode=max - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.30.0 with: - image-ref: "quay.io/jetstack/version-checker:${{github.sha}}" + input: ./.oci-image format: "table" exit-code: "1" ignore-unfixed: true vuln-type: "os,library" severity: "CRITICAL,HIGH" + + - name: "Cleanup OCI Image from FS" + run: rm -rf ./.oci-image
diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
index 3af87f5..d53def8 100644
--- a/.github/workflows/helm-docs.yaml
+++ b/.github/workflows/helm-docs.yaml
@@ -4,8 +4,8 @@ on: workflow_call: push: paths: - - '!*.md' - - 'deploy/charts/version-checker/**' + - "!*.md" + - "deploy/charts/version-checker/**" branches: - main
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index 43dd208..a5f9b8c 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
@@ -2,10 +2,10 @@ name: Test Helm Chart on: pull_request: paths: - - '!*.md' - - 'deploy/charts/version-checker/**' + - "!*.md" + - "deploy/charts/version-checker/**" branches: - - 'main' + - "main" concurrency: group: ${{ github.workflow }}-${{ github.ref }}
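Review bot: The new `Cleanup OCI Image from FS` step only runs when every earlier step succeeded, so when Trivy exits 1 on a CRITICAL/HIGH finding the `./.oci-image` layout is left behind on the runner; give the step `if: always()` so cleanup is unconditional (harmless on hosted runners, relevant on self-hosted ones). The comment above `outputs:` explains the workaround in first person; a reader is better served by `# buildx cannot emit a plain tar here (buildx#1714); Trivy scans the uncompressed OCI layout directory instead.` in place of the `# Whilst trivy says ...` line. The job that contains these steps starts before this hunk.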
@@ -14,14 +14,19 @@ concurrency: jobs: lint: permissions: - contents: read # for actions/checkout to fetch code - pull-requests: read # for golangci/golangci-lint-action to fetch pull requests + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Lint Helm Chart runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup Golang + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + - uses: azure/setup-helm@v4 - run: helm lint deploy/charts/version-checker
@@ -33,9 +38,12 @@ jobs: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: azure/setup-helm@v4 + - name: Setup Golang + uses: actions/setup-go@v5 with: - token: ${{ github.token }} + go-version-file: go.mod + + - uses: azure/setup-helm@v4 - name: Install helm Plugins run: |
@@ -57,7 +65,9 @@ jobs: steps: - name: Checkout code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Install Kyverno CLI uses: kyverno/action-install-cli@v0.2.0 - - uses: azure/setup-helm@v4 - - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/) + + - run: |- + kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6debc21..25c546e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
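Review bot: The re-indented `pull-requests: read # for golangci/golangci-lint-action to fetch pull requests` line in the `lint` job documents a permission for an action this job never runs — its steps are checkout, setup-go, setup-helm and `helm lint`; either drop `pull-requests: read` so the job token stays at least privilege, or change the comment to name the step that really needs it. The new `Setup Golang` step in this job also has no visible consumer in the hunk; if `helm lint` on its own does not need Go, a one-line comment such as `# Go is required by <tool or plugin name> — confirm before removing` above it would save the next reader the question. The `lint` job begins inside this hunk; whether anything follows the `helm lint` step is outside the view.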
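Review bot: The `azure/setup-helm@v4` step is removed from the Kyverno job, but the new block-scalar `run:` still calls `helm template deploy/charts/version-checker/`, so the step now depends on whichever Helm the `ubuntu-latest` image happens to ship rather than a version the workflow selects; if that is intentional, record it with `# helm is preinstalled on ubuntu-latest; no setup-helm needed` above the run step, otherwise restore `- uses: azure/setup-helm@v4` before it. The invocation also fetches policies from `--git-branch main` on every run, so the check's outcome can change with no change to this repository; that is pre-existing, but since the step is being rewritten a `# policy source is unpinned; results may drift with upstream main` note would make the trade-off explicit.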
@@ -15,15 +15,19 @@ jobs: prepare-release: # Don't push back to a tag! if: ${{ !startsWith(github.ref, 'refs/tags/') }} - name: Prepair release + name: Prepare release runs-on: ubuntu-latest permissions: pull-requests: write contents: write steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup Golang + uses: actions/setup-go@v5 with: - fetch-depth: 0 + go-version-file: go.mod + - uses: bhowell2/github-substring-action@1.0.2 id: release_number with:
@@ -113,10 +117,8 @@ jobs: helm-release: runs-on: ubuntu-latest steps: - # Checkout our Repo - - uses: actions/checkout@v4 - with: - path: version-checker + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: checkout jetstack-charts uses: actions/checkout@v4
@@ -134,6 +136,9 @@ jobs: run: | helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/ + - name: Login to Quay.io + run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin + - name: Creating PR if: startsWith(github.ref, 'refs/tags/') uses: peter-evans/create-pull-request@v7
@@ -149,10 +154,16 @@ jobs: base: main draft: ${{ !startsWith(github.ref, 'refs/tags/') }} + - name: Push to Quay + run: |- + helm push jetstack-charts/charts/version-checker-${{ github.ref_name }}.tgz oci://quay.io/quay.io/jetstack/version-checker/chart + docker-release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Set up QEMU uses: docker/setup-qemu-action@v3
@@ -178,6 +189,9 @@ jobs: tags: quay.io/jetstack/version-checker:${{github.ref_name}} cache-from: type=gha cache-to: type=gha,mode=max + attests: |- + type=sbom + type=provenance,mode=max github-release: name: Create/Update GitHub Release
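Review bot: The replacement checkout in `prepare-release` drops `fetch-depth: 0` — the surviving `with:` now belongs to the new `setup-go` step — so the job gets a shallow clone with no tag history. If the `release_number` step or anything later in this job (outside the hunk) derives the release from tags or commit history, it will now break; in that case keep `with:` / `fetch-depth: 0` on the pinned checkout step. The rest of the job is outside this hunk.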
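Review bot: The new checkout in `helm-release` no longer sets `path: version-checker`, yet the packaging step shown as context in the next hunk (`@@ -134,6 +136,9`) still runs `helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/`, so unless that path is changed somewhere outside this diff the chart directory will not be found. Either restore `with:` / `path: version-checker` on the pinned checkout or change the package argument to `deploy/charts/version-checker`. The following `checkout jetstack-charts` step is still on unpinned `actions/checkout@v4`; pinning it to the same SHA would make the file consistent with the rest of this change.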
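Review bot: The new `Login to Quay.io` step substitutes `${{ secrets.QUAY_ROBOT_TOKEN }}` and `${{ secrets.QUAY_USERNAME }}` directly into the shell script; the token is at least delivered via `--password-stdin`, but both values are expanded before the shell parses the line and the username is unquoted, so the conventional form is to pass them through `env:` and reference `"$QUAY_ROBOT_TOKEN"` / `"$QUAY_USERNAME"` in the script. The step also runs on every execution of `helm-release`, including the non-tag runs that the `Creating PR` step just below guards with `if: startsWith(github.ref, 'refs/tags/')`; logging in only when a push will follow keeps the credential out of runs that do not need it. The reworked step is shown below.

```yaml
- name: Login to Quay.io
  if: startsWith(github.ref, 'refs/tags/')
  env:
    QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
    QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
  run: echo "$QUAY_ROBOT_TOKEN" | helm registry login quay.io -u "$QUAY_USERNAME" --password-stdin
```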
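Review bot: The new `Push to Quay` step has no `if:` guard while the `Creating PR` step above it runs only for `refs/tags/`, so on a non-tag run (which the `prepare-release` job's own `if` shows this workflow has) the push will either fail because `version-checker-${{ github.ref_name }}.tgz` does not exist or, worse, publish a non-release chart — add `if: startsWith(github.ref, 'refs/tags/')` to the step unless `helm-release` carries a job-level guard outside this diff. The destination `oci://quay.io/quay.io/jetstack/version-checker/chart` repeats `quay.io`, which looks like a typo for `oci://quay.io/jetstack/version-checker/chart`; please confirm the intended repository path. The file name also assumes the packaged chart version equals `github.ref_name`; if tags carry a `v` prefix and the chart version does not, the `.tgz` name will not match.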
@@ -185,8 +199,6 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Create Release / Change Logs uses: softprops/action-gh-release@v2 with: