From 4a28db93b6ac399e1b9e450b724efda23f9c6fee Mon Sep 17 00:00:00 2001 From: github-actions Date: Fri, 9 Aug 2024 11:06:01 +0000 Subject: [PATCH] Align files --- .../zz_generated.add-team-labels.yaml | 53 ++++++++ .../zz_generated.add-to-project-board.yaml | 89 +++++++++++++ .../zz_generated.create_release.yaml | 89 +++++++------ .../zz_generated.create_release_pr.yaml | 126 +++++++++++++----- .github/workflows/zz_generated.gitleaks.yaml | 8 +- .../zz_generated.run_ossf_scorecard.yaml | 80 +++++++++++ CODEOWNERS | 2 + LICENSE | 2 +- Makefile | 6 +- SECURITY.md | 2 +- 10 files changed, 381 insertions(+), 76 deletions(-) create mode 100644 .github/workflows/zz_generated.add-team-labels.yaml create mode 100644 .github/workflows/zz_generated.add-to-project-board.yaml create mode 100644 .github/workflows/zz_generated.run_ossf_scorecard.yaml create mode 100644 CODEOWNERS diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml new file mode 100644 index 00000000..02e46428 --- /dev/null +++ b/.github/workflows/zz_generated.add-team-labels.yaml 
@@ -0,0 +1,53 @@ +name: Add appropriate labels to issue + +on: + issues: + types: [assigned] + +jobs: + build_user_list: + name: Get yaml config of GS users + runs-on: ubuntu-latest + steps: + - name: Get user-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/users.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: users + path: artifacts/users.yaml + retention-days: 1 + + add_label: + name: Add team label when assigned + runs-on: ubuntu-latest + needs: build_user_list + steps: + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + id: download-users + with: + name: users + - name: Find team label based on user names + run: | + event_assignee=$(cat $GITHUB_EVENT_PATH | jq -r .assignee.login | tr '[:upper:]' '[:lower:]') + echo "Issue assigned to: ${event_assignee}" + + TEAMS=$(cat ${{steps.download-users.outputs.download-path}}/users.yaml | tr '[:upper:]' '[:lower:]' | yq ".${event_assignee}.teams" -o csv | tr ',' ' ') + + echo "LABEL<> $GITHUB_ENV + for team in ${TEAMS}; do + echo "Team: ${team} | Label: team/${team}" + echo "team/${team}" >> $GITHUB_ENV + done + echo "EOF" >> $GITHUB_ENV + - name: Apply label to issue + if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }} + uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 # v1.1.3 + with: + github_token: ${{ secrets.ISSUE_AUTOMATION }} + labels: | + ${{ env.LABEL }} diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml new file mode 100644 index 00000000..cd99027b --- /dev/null +++ b/.github/workflows/zz_generated.add-to-project-board.yaml 
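Review bot: `yq ".${event_assignee}.teams"` in the "Find team label" step builds the yq path from the raw login, so a login containing a hyphen (which GitHub permits) is parsed as a subtraction and the lookup errors or returns null; add-to-project-board.yaml has the same construct in `yq ".${event_assignee}.personalboard"`. Use a quoted key, as the label lookup in that sibling workflow already does, `yq ".[\"${event_assignee}\"].teams"`, or pass the login through the environment with `LOGIN="${event_assignee}" yq '.[strenv(LOGIN)].teams'`. The workflow also declares no top-level `permissions:` although every GitHub API write visible here goes through `secrets.ISSUE_AUTOMATION`; an explicit `permissions: {}` would keep the job's GITHUB_TOKEN from inheriting the repository default. Since the file is generated, the change belongs in the generating template.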
@@ -0,0 +1,89 @@ +name: Add Issue to Project when assigned + +on: + issues: + types: + - assigned + - labeled + +jobs: + build_user_list: + name: Get yaml config of GS users + runs-on: ubuntu-latest + steps: + - name: Get user-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/users.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: users + path: artifacts/users.yaml + retention-days: 1 + - name: Get label-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/labels.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: labels + path: artifacts/labels.yaml + retention-days: 1 + + add_to_personal_board: + name: Add issue to personal board + runs-on: ubuntu-latest + needs: build_user_list + if: github.event.action == 'assigned' + steps: + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + id: download-users + with: + name: users + - name: Find personal board based on user names + run: | + event_assignee=$(cat $GITHUB_EVENT_PATH | jq -r .assignee.login | tr '[:upper:]' '[:lower:]') + echo "Issue assigned to: ${event_assignee}" + + BOARD=($(cat ${{steps.download-users.outputs.download-path}}/users.yaml | tr '[:upper:]' '[:lower:]' | yq ".${event_assignee}.personalboard")) + echo "Personal board URL: ${BOARD}" + + echo "BOARD=${BOARD}" >> $GITHUB_ENV + - name: Add issue to personal board + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} + uses: actions/add-to-project@9bfe908f2eaa7ba10340b31e314148fcfe6a2458 # v1.0.1 + 
with: + project-url: ${{ env.BOARD }} + github-token: ${{ secrets.ISSUE_AUTOMATION }} + + add_to_team_board: + name: Add issue to team board + runs-on: ubuntu-latest + needs: build_user_list + if: github.event.action == 'labeled' + steps: + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + id: download-labels + with: + name: labels + - name: Find team board based on label + run: | + event_label=$(cat $GITHUB_EVENT_PATH | jq -r .label.name | tr '[:upper:]' '[:lower:]') + echo "Issue labelled with: ${event_label}" + + BOARD=($(cat ${{steps.download-labels.outputs.download-path}}/labels.yaml | tr '[:upper:]' '[:lower:]' | yq ".[\"${event_label}\"].projectboard")) + echo "Team board URL: ${BOARD}" + + echo "BOARD=${BOARD}" >> $GITHUB_ENV + - name: Add issue to team board + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} + uses: actions/add-to-project@9bfe908f2eaa7ba10340b31e314148fcfe6a2458 # v1.0.1 + with: + project-url: ${{ env.BOARD }} + github-token: ${{ secrets.ISSUE_AUTOMATION }} diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 8ea06045..b945e95a 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,8 @@ # DO NOT EDIT. Generated with: # -# devctl@5.3.0 +# devctl +# +# https://github.com/giantswarm/devctl/blob/1a381db95a01773e471818a4ce56ad16ad5d6111/pkg/gen/input/workflows/internal/file/create_release.yaml.template # name: Create Release on: @@ -15,7 +17,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -24,7 +26,7 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: project_go_path: ${{ steps.get_project_go_path.outputs.path }} ref_version: ${{ steps.ref_version.outputs.refversion }} 
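Review bot: `yq ".[\"${event_label}\"].projectboard"` in "Find team board based on label" interpolates the label name into the yq program, and label names may contain a double quote or backslash, which breaks the expression and fails the step (anyone able to label already holds triage rights, so the impact is a failed run rather than a privilege gain). Passing the name through the environment avoids quoting altogether: `LABEL="${event_label}" yq '.[strenv(LABEL)].projectboard'`. `BOARD=($(...))` in both lookup steps word-splits the value into an array and then reads only element 0 via `${BOARD}`; a plain `BOARD="$(...)"` says what is meant. The mapping files are fetched from the `main` branch of giantswarm/github at run time, so which board an issue lands on is decided by whoever can push there — acceptable for an internal mapping, but worth a comment in the template.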
@@ -32,11 +34,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" @@ -50,10 +51,10 @@ jobs: fi version="${version#v}" # Strip "v" prefix. echo "version=\"${version}\"" - echo "::set-output name=version::${version}" + echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -63,14 +64,13 @@ jobs: path='' fi echo "path=\"$path\"" - echo "::set-output name=path::${path}" + echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi 
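Review bot: `title=$(echo -n "${COMMIT_MESSAGE}" | head -1)`, used in both the get_version and the ref_version steps, still hands the message to `echo`, which treats a leading `-e`, `-n` or `-E` as an option and, in some shells, interprets backslash escapes; `title=$(printf '%s\n' "${COMMIT_MESSAGE}" | head -n 1)` avoids both. Moving the commit message into `env:` instead of expanding `${{ github.event.head_commit.message }}` inside the script is the right fix, since the message is no longer parsed as shell code, and the `grep -qE '^release v…'` match downstream keeps what reaches `$GITHUB_OUTPUT` constrained.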
@@ -81,21 +81,21 @@ jobs: refversion=true fi echo "refversion =\"${refversion}\"" - echo "::set-output name=refversion::${refversion}" + echo "refversion=${refversion}" >> $GITHUB_OUTPUT update_project_go: name: Update project.go - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: ${{ needs.gather_facts.outputs.version != '' && needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }} needs: - gather_facts steps: - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" - version: "6.1.0" + version: "6.14.1" - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.2.0" @@ -103,7 +103,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Update project.go id: update_project_go env: 
@@ -114,37 +114,48 @@ jobs: version="${{ needs.gather_facts.outputs.version }}" new_version="$(semver bump patch $version)-dev" echo "version=\"$version\" new_version=\"$new_version\"" - echo "::set-output name=new_version::${new_version}" + echo "new_version=${new_version}" >> $GITHUB_OUTPUT sed -Ei "s/(version[[:space:]]*=[[:space:]]*)\"${version}\"/\1\"${new_version}\"/" $file if git diff --exit-code $file ; then echo "error: no changes in \"$file\"" >&2 exit 1 fi + - name: Set up git identity + run: | + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Commit changes run: | file="${{ needs.gather_facts.outputs.project_go_path }}" - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" git add $file git commit -m "Bump version to ${{ steps.update_project_go.outputs.new_version }}" - name: Push changes env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" branch: "${{ github.ref }}-version-bump" run: | git push "${REMOTE_REPO}" HEAD:${{ env.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ github.ref }}" branch: "${{ github.ref }}-version-bump" version: "${{ needs.gather_facts.outputs.version }}" title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | - hub pull-request -f -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }} + gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} + - name: Enable auto-merge for PR + env: + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" + base: "${{ github.ref }}" + branch: "${{ github.ref }}-version-bump" + version: 
"${{ needs.gather_facts.outputs.version }}" + title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" + run: | + gh pr merge --auto --squash "${{ env.branch }}" || echo "::warning::Auto-merge not allowed. Please adjust the repository settings." create_release: name: Create release - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} @@ -152,7 +163,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go 
@@ -163,39 +174,41 @@ jobs: grep -qE "version[[:space:]]*=[[:space:]]*\"$version\"" $file - name: Get Changelog Entry id: changelog_reader - uses: mindsers/changelog-reader-action@v2 + uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 with: version: ${{ needs.gather_facts.outputs.version }} path: ./CHANGELOG.md + - name: Set up git identity + run: | + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create tag run: | version="${{ needs.gather_facts.outputs.version }}" - git config --local user.name "github-actions" git tag "v$version" ${{ github.sha }} - name: Push tag env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: actions/create-release@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: body: ${{ steps.changelog_reader.outputs.changes }} - tag_name: "v${{ needs.gather_facts.outputs.version }}" - release_name: "v${{ needs.gather_facts.outputs.version }}" + tag: "v${{ needs.gather_facts.outputs.version }}" create-release-branch: name: Create release branch - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} steps: - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.0.0" 
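Review bot: `git push "${REMOTE_REPO}" --tags` in "Push tag" pushes every tag in the local clone rather than the one just created; after `actions/checkout` at `ref: ${{ github.sha }}` with the default shallow fetch that is normally only `v$version`, but a deeper fetch or a stray local tag would be published with it. Pushing by name, `git push "${REMOTE_REPO}" "refs/tags/v${{ needs.gather_facts.outputs.version }}"`, makes the step explicit and fails loudly if the tag was not created. The move to `ncipollo/release-action` drops `release_name`; if I recall its defaults, the `name` input falls back to the tag, so the release title should be unchanged — worth confirming on the first run.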
@@ -203,7 +216,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 1f409d59..4b56ecb1 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,8 @@ # DO NOT EDIT. Generated with: # -# devctl@5.3.0 +# devctl +# +# https://github.com/giantswarm/devctl/blob/1a381db95a01773e471818a4ce56ad16ad5d6111/pkg/gen/input/workflows/internal/file/create_release_pr.yaml.template # name: Create Release PR on: @@ -30,7 +32,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -39,12 +41,12 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: repo_name: ${{ steps.gather_facts.outputs.repo_name }} branch: ${{ steps.gather_facts.outputs.branch }} base: ${{ steps.gather_facts.outputs.base }} - is_major: ${{ steps.gather_facts.outputs.is_major }} + needs_major_bump: ${{ steps.gather_facts.outputs.needs_major_bump }} skip: ${{ steps.pr_exists.outputs.skip }} version: ${{ steps.gather_facts.outputs.version }} steps: @@ -52,7 +54,7 @@ jobs: id: gather_facts run: | head="${{ inputs.branch || github.event.ref }}" - echo "::set-output name=branch::${head}" + echo "branch=${head}" >> $GITHUB_OUTPUT head="${head#refs/heads/}" # Strip "refs/heads/" prefix. if [[ $(echo "$head" | grep -o '#' | wc -l) -gt 1 ]]; then 
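Review bot: `head="${{ inputs.branch || github.event.ref }}"`, the context line above the changed `echo "branch=${head}" >> $GITHUB_OUTPUT`, expands a ref name straight into the shell script, and git ref names may contain `$(`, backticks and quotes, so anyone able to push a branch or dispatch the workflow can run arbitrary commands with the job's `TAYLORBOT_GITHUB_ACTION` PAT in scope. This commit already applies the safe pattern to the commit message in create_release.yaml; do the same here with `HEAD_REF: ${{ inputs.branch || github.event.ref }}` under the step's `env:` and `head="${HEAD_REF}"` in the script. The branch suffix later becomes `version` and is expanded again in `gh pr create --title`, `git commit -m` and the Chart.yaml `yq` edit, so the environment route is needed there as well. The enclosing `run:` block continues past this hunk.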
@@ -65,8 +67,20 @@ jobs: version="$(echo $head | awk -F# '{print $NF}')" if [[ $version =~ ^major|minor|patch$ ]]; then - gh auth login --with-token <<<$(echo -n ${{ secrets.GITHUB_TOKEN }}) - version_parts=($(gh api "repos/${{ github.repository }}/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')) + gh auth login --with-token <<<$(echo -n ${{ secrets.TAYLORBOT_GITHUB_ACTION }}) + gh_api_get_latest_release_version() + { + if ! version="$(gh api "repos/$1/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')" + then + case "$version" in + *Not\ Found*) echo Assuming v0.0.0, hooray first release! >&2 ; version="0 0 0" ;; + *) version="" ; return 1 ;; + esac + fi + echo "$version" + } + + version_parts=($(gh_api_get_latest_release_version "${{ github.repository }}")) version_major=${version_parts[0]} version_minor=${version_parts[1]} version_patch=${version_parts[2]} @@ -82,7 +96,9 @@ jobs: version_major=$((version_major+1)) version_minor=0 version_patch=0 - echo "::set-output name=is_major::true" + if [[ "${version_major}" != "1" ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT + fi ;; *) echo "Unknown Semver level provided" 
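Review bot: In `gh_api_get_latest_release_version`, `version="$(gh api … )"` captures only stdout, while `gh api` reports HTTP errors such as `Not Found` on stderr as far as I recall, so the `*Not\ Found*)` first-release branch looks unreachable and a repository without releases takes the `return 1` path with an empty `version`. Merge the error into the capture, `if ! version="$(gh api "repos/$1/releases/latest" --jq '…' 2>&1)"`, or check the exit status and query the HTTP code separately. The caller `version_parts=($(gh_api_get_latest_release_version "${{ github.repository }}"))` also discards the function's return value, so the failure case silently yields an empty `version_major` and the bump continues; capture first, `version_list="$(gh_api_get_latest_release_version "${{ github.repository }}")" || exit 1`, then `version_parts=($version_list)`.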
@@ -95,74 +111,122 @@ jobs: version_major=$(echo "${version}" | cut -d "." -f 1) version_minor=$(echo "${version}" | cut -d "." -f 2) version_patch=$(echo "${version}" | cut -d "." -f 3) - if [[ $version_minor = 0 && $version_patch = 0 ]]; then - echo "::set-output name=is_major::true" + # This will help us detect versions with suffixes as majors, i.e 3.0.0-alpha1. + # Even though it's a pre-release, it's still a major. + if [[ $version_minor = 0 && $version_patch =~ ^0.* && $version_major != 1 ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT fi fi repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" echo "repo_name=\"$repo_name\" base=\"$base\" head=\"$head\" version=\"$version\"" - echo "::set-output name=repo_name::${repo_name}" - echo "::set-output name=base::${base}" - echo "::set-output name=head::${head}" - echo "::set-output name=version::${version}" + echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT + echo "base=${base}" >> $GITHUB_OUTPUT + echo "head=${head}" >> $GITHUB_OUTPUT + echo "version=${version}" >> $GITHUB_OUTPUT - name: Check if PR exists id: pr_exists env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" run: | - if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} | grep -i 'state:[[:space:]]*open' >/dev/null; then - gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} - echo "::set-output name=skip::true" + head="${{ steps.gather_facts.outputs.branch }}" + branch="${head#refs/heads/}" # Strip "refs/heads/" prefix. 
+ if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then + gh pr view --repo "${{ github.repository }}" "${branch}" + echo "skip=true" >> $GITHUB_OUTPUT else - echo "::set-output name=skip::false" + echo "skip=false" >> $GITHUB_OUTPUT fi create_release_pr: name: Create release PR - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.skip != 'true' }} env: architect_flags: "--organisation ${{ github.repository_owner }} --project ${{ needs.gather_facts.outputs.repo_name }}" steps: - - uses: actions/setup-go@v3 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: '=1.18.1' - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" - version: "6.1.0" + version: "6.11.0" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes run: | architect prepare-release ${{ env.architect_flags }} --version "${{ needs.gather_facts.outputs.version }}" + - name: Update version field in Chart.yaml + run: | + # Define chart_dir + repository="${{ needs.gather_facts.outputs.repo_name }}" + chart="helm/${repository}" + + # Check chart directory. + if [ ! -d "${chart}" ] + then + echo "Could not find chart directory '${chart}', adding app suffix." + + # Add app suffix. + chart="helm/${repository}-app" + + # Check chart directory with app suffix. + if [ ! -d "${chart}" ] + then + echo "Could not find chart directory '${chart}', removing app suffix." + + # Remove app suffix. + chart="helm/${repository%-app}" + + if [ ! -d "${chart}" ] + then + # Print error. + echo "Could not find chart directory '${chart}', doing nothing." 
+ fi + fi + fi + + # Define chart YAML. + chart_yaml="${chart}/Chart.yaml" + + # Check chart YAML. + if [ -f "${chart_yaml}" ] + then + # check if version in Chart.yaml is templated using architect + if [ $(grep -c "^version:.*\.Version.*$" "${chart_yaml}") = "0" ]; then + yq -i '.version = "${{ needs.gather_facts.outputs.version }}"' "${chart_yaml}" + fi + fi + - name: Bump go module defined in go.mod if needed run: | - if [ "${{ needs.gather_facts.outputs.is_major }}" = true ] && test -f "go.mod"; then - go install github.com/marwan-at-work/mod/cmd/mod@v0.4.1 + if [ "${{ needs.gather_facts.outputs.needs_major_bump }}" = true ] && test -f "go.mod"; then + go install github.com/marwan-at-work/mod/cmd/mod@v0.5.0 mod upgrade fi + - name: Set up git identity + run: | + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create release commit env: version: "${{ needs.gather_facts.outputs.version }}" run: | - git config --local user.email "action@github.com" - git config --local user.name "github-actions" git add -A git commit -m "Release v${{ env.version }}" - name: Push changes env: - remote_repo: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} + gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch 
}}" diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index 31185a72..69609bfe 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,8 @@ # DO NOT EDIT. Generated with: # -# devctl@5.3.0 +# devctl +# +# https://github.com/giantswarm/devctl/blob/1a381db95a01773e471818a4ce56ad16ad5d6111/pkg/gen/input/workflows/internal/file/gitleaks.yaml.template # name: gitleaks @@ -10,8 +12,8 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: '0' - name: gitleaks-action - uses: zricethezav/gitleaks-action@v1.6.0 + uses: giantswarm/gitleaks-action@main diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 00000000..475ca603 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml 
@@ -0,0 +1,80 @@ +# DO NOT EDIT. Generated with: +# +# devctl +# +# https://github.com/giantswarm/devctl/blob/0773061f94d5eac8a0e5b8f253bc15cc35a34066/pkg/gen/input/workflows/internal/file/run_ossf_scorecard.yaml.template +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + with: + sarif_file: results.sarif diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..bd96d49d --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# generated by giantswarm/github actions - changes will be overwritten +* @giantswarm/team-phoenix diff --git a/LICENSE b/LICENSE index c1b046f0..93a66740 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016 - 2021 Giant Swarm GmbH + Copyright 2016 - 2024 Giant Swarm GmbH Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Makefile b/Makefile index 407485d0..76d53dae 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,8 @@ # DO NOT EDIT. Generated with: # -# devctl@4.12.0 +# devctl +# +# https://github.com/giantswarm/devctl/blob/6a704f7e2a8b0f09e82b5bab88f17971af849711/pkg/gen/input/makefile/internal/file/Makefile.template # include Makefile.*.mk 
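Review bot: The header of the new scorecard workflow points at devctl commit `0773061f94d5eac8a0e5b8f253bc15cc35a34066`, whereas the other workflows regenerated in this same "Align files" commit reference `1a381db95a01773e471818a4ce56ad16ad5d6111` and the Makefile a third commit, `6a704f7e2a8b0f09e82b5bab88f17971af849711`; if all of them come from one generator run, some of these links are stale and lead a reader to the wrong template revision. The workflow itself looks sound: `permissions: read-all` at the top, `persist-credentials: false` on the checkout, and every action SHA-pinned with a version comment.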
@@ -20,4 +22,4 @@ include Makefile.*.mk .PHONY: help help: ## Display this help. - @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z%\\\/_0-9-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) diff --git a/SECURITY.md b/SECURITY.md index 060f6b54..c017318d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,4 +2,4 @@ ## Reporting a Vulnerability -Please visit https://www.giantswarm.io/responsible-disclosure for information on reporting security issues. +Please visit for information on reporting security issues.
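Review bot: The new SECURITY.md line `Please visit for information on reporting security issues.` contains no URL where the removed line had `https://www.giantswarm.io/responsible-disclosure`; if the template wrapped the link in angle brackets it may have been dropped in rendering, but as the diff shows it the vulnerability-reporting instructions now point nowhere. Restore the bare URL, or if a markdown autolink was intended use `<https://www.giantswarm.io/responsible-disclosure>` and confirm the rendered file still shows it.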