From 859ea336489bdd3a7aa59eb6b583069b6ffa34a6 Mon Sep 17 00:00:00 2001 From: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com> Date: Fri, 1 Dec 2023 17:14:33 -0500 Subject: [PATCH] Use separate `sonarcloud.yaml` This follows the convention from our other repos. Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com> --- .github/workflows/gosec.yaml | 27 ++++ .github/workflows/sonarcloud.yaml | 30 +--- .github/workflows/workflow.yaml | 226 ++++++++++++++++++++---------- 3 files changed, 183 insertions(+), 100 deletions(-) create mode 100644 .github/workflows/gosec.yaml diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml new file mode 100644 index 00000000000..6daaebb4d94 --- /dev/null +++ b/.github/workflows/gosec.yaml @@ -0,0 +1,27 @@ +name: GoSec scan + +on: + push: + branches: + - master + - release-[0-9]+.[0-9]+ + pull_request: + branches: + - master + - release-[0-9]+.[0-9]+ + +jobs: + gosec: + runs-on: ubuntu-latest + steps: + - name: Checkout Gatekeeper + uses: actions/checkout@v4 + - name: Run Gosec Security Scanner + uses: securego/gosec@v2.15.0 + with: + args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./... + - name: Upload artifacts + uses: actions/upload-artifact@v3 + with: + name: artifacts + path: gosec.json diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml index d17ee396c6b..a0ab7c66130 100644 --- a/.github/workflows/sonarcloud.yaml +++ b/.github/workflows/sonarcloud.yaml 
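Review bot: The new gosec.yaml declares no `permissions:` block, so its GITHUB_TOKEN receives the repository's default scopes, while workflow.yaml in this same commit sets `permissions: read-all`; the scan and artifact upload need nothing beyond checkout, so add `permissions:` with `  contents: read` at the top level (sonarcloud.yaml has the same gap). The three actions here are pinned to floating tags (`actions/checkout@v4`, `securego/gosec@v2.15.0`, `actions/upload-artifact@v3`) whereas workflow.yaml pins every action to a commit SHA with a version comment; pinning these the same way keeps one convention and makes the scanner that produces `gosec.json` tamper-evident. `-no-fail` is presumably deliberate so findings flow to SonarCloud rather than fail this job, but that intent deserves a comment above the `args:` line, e.g. `# -no-fail: findings are reported through SonarCloud, not by failing this job`.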
@@ -1,34 +1,14 @@ name: Sonarcloud scan on: - push: - branches: - - master - - release-[0-9]+.[0-9]+ - pull_request: - branches: - - master - - release-[0-9]+.[0-9]+ + workflow_run: + workflows: + - GoSec scan + types: + - completed jobs: - gosec: - runs-on: ubuntu-latest - name: GoSec Scan - steps: - - name: Checkout Gatekeeper - uses: actions/checkout@v4 - - name: Run Gosec Security Scanner - uses: securego/gosec@v2.15.0 - with: - args: -no-fail -fmt sonarqube -out gosec.json -stdout -exclude-dir=.go -exclude-dir=test ./... - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: artifacts - path: gosec.json - sonarcloud: - needs: [ gosec ] uses: stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml@main secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 9c639428238..7d04d2c3d22 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -1,4 +1,4 @@ -name: build_test_release +name: build_test on: push: paths-ignore: 
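Review bot: The `sonarcloud` job now runs on every completion of "GoSec scan" but never checks the outcome, so it will also run, and try to consume a missing or partial `gosec.json`, when the scan job failed or was cancelled; add `if: ${{ github.event.workflow_run.conclusion == 'success' }}` to the job. A `workflow_run` workflow executes the default-branch definition with its full secrets (here `SONAR_TOKEN`) even when the triggering run came from a fork pull request, and the artifact it ingests was produced from that untrusted PR code, so the called workflow should treat `gosec.json` as untrusted input; I cannot see `stolostron/governance-policy-framework/.github/workflows/sonarcloud.yml` to confirm how it fetches the artifact. This file also has no top-level `permissions:` block, unlike the `permissions: read-all` added to workflow.yaml in this commit.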
@@ -23,73 +23,104 @@ on: - "**.md" - "!cmd/build/helmify/static/README.md" -env: - GITHUB_REPO: open-policy-agent/gatekeeper - IMAGE_REPO: openpolicyagent/gatekeeper - CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds - GATOR_IMAGE_REPO: openpolicyagent/gator +permissions: read-all jobs: lint: name: "Lint" - runs-on: ubuntu-latest - timeout-minutes: 5 - permissions: - contents: read + runs-on: ubuntu-22.04 + timeout-minutes: 7 steps: - - name: Set up Go 1.19 - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - go-version: 1.19 + egress-policy: audit + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21" + check-latest: true - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # source: https://github.com/golangci/golangci-lint-action - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: # version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: v1.48.0 + version: v1.51.2 test: name: "Unit test" - runs-on: ubuntu-latest - timeout-minutes: 10 - permissions: - contents: read + runs-on: ubuntu-22.04 + timeout-minutes: 20 steps: - - name: Set up Go 1.19 - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - go-version: 1.19 + egress-policy: audit + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21" + check-latest: true - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: 
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Unit test + run: make native-test + + - name: Codecov Upload + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + with: + flags: unittests + file: ./cover.out + fail_ci_if_error: false + + check_manifest: + name: "Check codegen and manifest" + runs-on: ubuntu-22.04 + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Check out code into the Go module directory + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.5.2 + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21" + check-latest: true + - name: Check go.mod and manifests run: | - curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz" &&\ - tar -zxvf kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz &&\ - sudo mv kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64 /usr/local/kubebuilder - make native-test - env: - KUBEBUILDER_VERSION: 2.3.1 + # there should be no additional manifest or go.mod changes + go mod tidy + git diff --exit-code + make generate manifests + git diff --exit-code gator_test: name: "Test Gator" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 5 - permissions: - contents: read steps: - - name: Set up Go 1.19 - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: - go-version: 1.19 + egress-policy: audit + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21" + check-latest: true - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: 
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Download e2e dependencies run: | @@ -102,22 +133,25 @@ jobs: build_test: name: "Build and Test" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 15 - permissions: - contents: read strategy: matrix: - KUBERNETES_VERSION: ["1.23.13", "1.24.7", "1.25.3", "1.26.0"] + KUBERNETES_VERSION: ["1.25.8", "1.26.3", "1.27.1", "1.28.0"] steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - name: Set up Go 1.19 - uses: actions/setup-go@v3 + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: 1.19 - + go-version: "1.21" + check-latest: true - name: Bootstrap e2e run: | mkdir -p $GITHUB_WORKSPACE/bin @@ -126,11 +160,18 @@ jobs: - name: Run e2e run: | - make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest - make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true - go mod tidy - # there should be no additional manifest or go.mod changes - git diff --exit-code + make docker-buildx \ + IMG=gatekeeper-e2e:latest + + make e2e-build-load-externaldata-image + + kind load docker-image --name kind \ + gatekeeper-e2e:latest + + make deploy \ + IMG=gatekeeper-e2e:latest \ + USE_LOCAL_IMG=true + make test-e2e - name: Save logs @@ -140,7 +181,7 @@ jobs: kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: logs 
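Review bot: Replacing each job's `permissions: contents: read` with a workflow-level `permissions: read-all` widens the token from a single read scope to read access on every scope (actions, packages, pull-requests, security-events, and so on); since every job in this hunk only checks out code and runs builds, `permissions:` with `  contents: read` at the workflow level keeps the narrowing the old per-job blocks had. The `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11` pins in the lint, test and gator_test jobs carry no version comment while the check_manifest one says `# v3.5.2`, and that label does not appear to match this SHA (it looks like a v4.x release to me); a wrong version comment misleads the next reviewer, so verify it against the upstream tag and apply one consistent comment to all four pins. `egress-policy: audit` in the Harden Runner steps only logs egress and does not block it, which is a reasonable baseline but worth a comment such as `# audit only: logs egress, does not block` so readers do not assume enforcement. The `on:` mapping this hunk opens in begins outside the hunk, and the `jobs:` mapping continues into the following hunks.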
@@ -149,17 +190,20 @@ jobs: helm_build_test: name: "[Helm] Build and Test" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 15 - permissions: - contents: read strategy: matrix: HELM_VERSION: ["3.7.2"] GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"] steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Bootstrap e2e run: | @@ -169,9 +213,30 @@ jobs: - name: Run e2e run: | - make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest CRD_IMG=gatekeeper-crds:latest GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} - make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} - make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + make docker-buildx \ + IMG=gatekeeper-e2e:latest \ + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + + make docker-buildx-crds \ + CRD_IMG=gatekeeper-crds:latest \ + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + + make e2e-build-load-externaldata-image \ + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + + kind load docker-image --name kind \ + gatekeeper-e2e:latest \ + gatekeeper-crds:latest + + make e2e-helm-deploy \ + HELM_REPO=gatekeeper-e2e \ + HELM_CRD_REPO=gatekeeper-crds \ + HELM_RELEASE=latest \ + HELM_VERSION=${{ matrix.HELM_VERSION }} \ + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + + make test-e2e \ + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} - name: Save logs if: ${{ always() }} 
@@ -181,7 +246,7 @@ jobs: kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l run=dummy-provider --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-dummy-provider.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: helm-logs @@ -190,19 +255,23 @@ jobs: build_test_generator_expansion: name: "[Generator Resource Expansion] Build and Test" - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 15 - permissions: - contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - name: Set up Go 1.19 - uses: actions/setup-go@v3 + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: 1.19 - + go-version: "1.21" + check-latest: true - name: Bootstrap e2e run: | mkdir -p $GITHUB_WORKSPACE/bin @@ -211,11 +280,19 @@ jobs: - name: Run e2e run: | - make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest - make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_GENERATOR_EXPANSION=true - go mod tidy - # there should be no additional manifest or go.mod changes - git diff --exit-code + make docker-buildx \ + IMG=gatekeeper-e2e:latest + + make e2e-build-load-externaldata-image + + kind load docker-image --name kind \ + gatekeeper-e2e:latest + + make deploy \ + IMG=gatekeeper-e2e:latest \ + USE_LOCAL_IMG=true \ + ENABLE_GENERATOR_EXPANSION=true + make test-e2e ENABLE_GENERATOR_EXPANSION_TESTS=1 - name: Save logs 
@@ -225,10 +302,9 @@ jobs: kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-generatorexpansion-audit.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: generatorexpansion-logs path: | logs-*.json -