diff --git a/.github/actions/repo_access/action.yaml b/.github/actions/repo_access/action.yaml new file mode 100644 index 00000000..2201f279 --- /dev/null +++ b/.github/actions/repo_access/action.yaml @@ -0,0 +1,32 @@ +name: 'Setup repo access' +description: 'Setups authenticate to GitHub repos' +inputs: + DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: + required: true + description: "DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB secret" +outputs: {} +runs: + using: "composite" + steps: + - name: Configure jetstack/venafi-connection-lib repo pull access + shell: bash + run: | + mkdir ~/.ssh + chmod 700 ~/.ssh + + echo "${{ inputs.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}" > ~/.ssh/venafi_connection_lib_id + chmod 600 ~/.ssh/venafi_connection_lib_id + + cat <> ~/.ssh/config + Host venafi-connection-lib.github.com + HostName github.com + IdentityFile ~/.ssh/venafi_connection_lib_id + IdentitiesOnly yes + EOT + + cat <> ~/.gitconfig + [url "git@venafi-connection-lib.github.com:jetstack/venafi-connection-lib"] + insteadOf = https://github.com/jetstack/venafi-connection-lib + EOT + + echo "GOPRIVATE=github.com/jetstack/venafi-connection-lib" >> $GITHUB_ENV diff --git a/.github/workflows/chart-test.yaml b/.github/workflows/chart-test.yaml deleted file mode 100644 index f5ed532b..00000000 --- a/.github/workflows/chart-test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -name: Chart Testing - -on: - push: - branches-ignore: - - master - pull_request: - branches: - - "*" - -jobs: - unittest: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: d3adb5/helm-unittest-action@v2 - with: - flags: "--color --strict" - helm-version: v3.12.3 - # This has to be second as helm may not be installed until after above action - # source: https://github.com/marketplace/actions/helm-unit-tests#examples - - run: helm lint deploy/charts/jetstack-agent - - run: helm lint deploy/charts/venafi-kubernetes-agent 
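Review bot: `mkdir ~/.ssh` in the composite action's `run:` block has no `-p`, so the step aborts (the shell runs with `-e`) whenever `~/.ssh` already exists — which will happen as soon as this reusable action runs in a job that already configured SSH, or is invoked twice; `mkdir -p ~/.ssh` keeps the following `chmod 700` meaningful either way. The deploy key is spliced into the script text via `${{ inputs.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}`; the usual pattern for any expression inside `run:` is to pass it through the step's `env:` (`DEPLOY_KEY: ${{ inputs.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}`) and write it with `printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/venafi_connection_lib_id`, so the value never becomes part of the generated shell source. The deleted release-master.yml pinned github.com's host keys in known_hosts, whereas this action writes none, so host-key verification now depends on whatever the runner image ships — a comment such as `# relies on the runner image's pre-populated github.com known_hosts entry` would make that assumption explicit for the next person who moves it to a self-hosted runner. Minor: quote `"$GITHUB_ENV"` on the last line for consistency with the rest of the script.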
diff --git a/.github/workflows/release-master.yml b/.github/workflows/release-master.yml deleted file mode 100644 index c19d302d..00000000 --- a/.github/workflows/release-master.yml +++ /dev/null 
@@ -1,138 +0,0 @@ -# if changing this name, also update promotion.yaml -name: release-master - -on: - push: - branches: - - master - tags: - - v* -jobs: - vet: - name: vet - runs-on: ubuntu-22.04 - container: golang:1.22 - steps: - - name: "Add GitHub to the SSH known hosts file" - run: | - mkdir -p -m 0700 /root/.ssh - cat </root/.ssh/known_hosts - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= - EOF - chmod 600 /root/.ssh/known_hosts - touch /root/.ssh/config - - uses: webfactory/ssh-agent@v0.9.0 - with: - ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} - - uses: actions/checkout@v4 - - run: make vet - shell: bash - test: - name: go test - runs-on: ubuntu-22.04 - container: golang:1.22 - steps: - - name: "Add GitHub to the SSH known hosts file" - run: | - mkdir -p -m 0700 /root/.ssh - cat </root/.ssh/known_hosts - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-rsa 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 - EOF - chmod 600 
/root/.ssh/known_hosts - touch /root/.ssh/config - - uses: webfactory/ssh-agent@v0.9.0 - with: - ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} - - uses: actions/checkout@v4 - - name: Adding github workspace as safe directory - # See issue https://github.com/actions/checkout/issues/760 - run: git config --global --add safe.directory $GITHUB_WORKSPACE - - run: make test - docker_build: - name: docker_build - runs-on: ubuntu-22.04 - container: - image: docker:23 - options: -t - # Setting up dind service container - services: - docker: - image: docker:23-dind - env: - DOCKER_DRIVER: overlay - DOCKER_HOST: tcp://localhost:2375 - permissions: - contents: read - packages: write - id-token: write - steps: - - name: Install Tools - # Installing 'bash' because it's required by the 'cosign-installer' action - # and 'coreutils' because the 'slsa-provenance-action' requires a version - # of 'base64' that supports the -w flag. - run: apk add --update make git jq rsync curl bash coreutils go - - uses: webfactory/ssh-agent@v0.9.0 - with: - ssh-private-key: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} - - name: Adding github workspace as safe directory - # See issue https://github.com/actions/checkout/issues/760 - run: git config --global --add safe.directory $GITHUB_WORKSPACE - - name: Install cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 - - name: Install Syft - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a - - uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: image=moby/buildkit:master - - name: Login to quay.io - uses: docker/login-action@v3 - with: - registry: quay.io - username: ${{ secrets.QUAY_USER }} - password: ${{ secrets.QUAY_PASSWORD }} - - name: Login to ghcr.io - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ 
github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - run: | - make push-docker-image - make push-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent - - name: Sign - run: | - make sign-docker-image - make sign-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent - - name: SBOM - run: | - make sbom-docker-image - make sbom-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent - # The slsa-provenance-action generates a full attestation from an artifact - # as the subject. However, cosign only expects the predicate portion of - # the attestation and figures out the subject itself from the image. - # - # So, we generate a fake artifact and then strip everything but the - # predicate out from the generated attestation. - - name: Create mock artifact - run: echo "foobar" > mock - - name: Generate provenance - uses: philips-labs/SLSA-Provenance-Action@v0.9.0 - with: - command: generate - subcommand: files - arguments: --artifact-path mock - - name: Extract predicate - run: jq '.predicate' provenance.json > predicate.json - - name: Attest - run: | - make attest-docker-image - make attest-docker-image DOCKER_IMAGE=quay.io/jetstack/venafi-agent diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ab98f947..ba0d1ac3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,3 @@ ---- name: release on: push: 
@@ -9,19 +8,21 @@ env: VERSION: ${{ github.ref_name }} jobs: - build_images: + artifacts: runs-on: ubuntu-latest permissions: contents: read # needed for checkout - packages: write # needed for push images - id-token: write # needed for keyless signing - - env: - GOPRIVATE: github.com/jetstack/venafi-connection-lib + id-token: write # needed for keyless signing & google auth steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: ./.github/actions/repo_access + with: + DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} - id: go-version run: | @@ -31,33 +32,19 @@ jobs: with: go-version: ${{ steps.go-version.outputs.result }} - - name: Configure jetstack/venafi-connection-lib repo pull access - run: | - mkdir ~/.ssh - chmod 700 ~/.ssh - - echo "${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}" > ~/.ssh/venafi_connection_lib_id - chmod 600 ~/.ssh/venafi_connection_lib_id - - cat <> ~/.ssh/config - Host venafi-connection-lib.github.com - HostName github.com - IdentityFile ~/.ssh/venafi_connection_lib_id - IdentitiesOnly yes - EOT - - cat <> ~/.gitconfig - [url "git@venafi-connection-lib.github.com:jetstack/venafi-connection-lib"] - insteadOf = https://github.com/jetstack/venafi-connection-lib - EOT - - - uses: actions/cache@v4 + - uses: docker/login-action@v3 with: - path: _bin/downloaded - key: downloaded-${{ runner.os }}-${{ hashFiles('make/_shared/tools/00_mod.mk') }}-${{ hashFiles('make/_shared/kind/00_kind_image_versions.mk') }} + registry: quay.io + username: ${{ secrets.QUAY_USER }} + password: ${{ secrets.QUAY_PASSWORD }} + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - id: release - run: make release + run: make -j release - uses: actions/upload-artifact@v4 with: 
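Review bot: The context lines of the later hunk at `@@ -102,7 +89,7 @@` still read `needs.build_images.outputs.RELEASE_HELM_CHART_NAME` and `needs.build_images.outputs.RELEASE_HELM_CHART_VERSION` after this hunk renames the job to `artifacts`; unless another job named `build_images` survives outside the diff, those `needs` lookups yield empty strings and the `gh release upload` path argument degrades to `/-.tgz`, so they (and the corresponding `needs:` entry) should become `needs.artifacts.outputs.…`. In the same hunk `packages: write` is dropped from the job's permissions while the second hunk adds a `docker/login-action@v3` against `ghcr.io` with `${{ secrets.GITHUB_TOKEN }}`; if `make -j release` pushes images to ghcr.io, the push will be refused with a read-only token, so either restore `packages: write # needed to push images` or add a comment that the ghcr login is pull-only. The `actions/cache@v4` step for `_bin/downloaded` is also removed here while the new tests.yaml keeps it keyed on `klone.yaml` — if that was deliberate, a one-line comment on the `artifacts` job saying so would stop someone from re-adding it.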
@@ -102,7 +89,7 @@ jobs: --draft \ --verify-tag \ --notes-file .notes-file - + gh release upload "$VERSION" \ --repo="$GITHUB_REPOSITORY" \ "${{ steps.chart_download.outputs.download-path }}/${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 30938a43..00000000 --- a/.github/workflows/test.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -# Run unit-tests -# -# These actions are skipped for draft PRs. -# See https://github.community/t/dont-run-actions-on-draft-pull-requests/16817/19 -name: test-unit -on: - push: - branches: [main] - pull_request: - types: [opened, synchronize, reopened, ready_for_review] -jobs: - unit-tests: - permissions: - contents: write - id-token: write - runs-on: ubuntu-22.04 - timeout-minutes: 15 - - env: - GOPRIVATE: github.com/jetstack/venafi-connection-lib - steps: - - name: Configure jetstack/venafi-connection-lib repo pull access - run: | - mkdir ~/.ssh - chmod 700 ~/.ssh - - echo "${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}" > ~/.ssh/venafi_connection_lib_id - chmod 600 ~/.ssh/venafi_connection_lib_id - - cat <> ~/.ssh/config - Host venafi-connection-lib.github.com - HostName github.com - IdentityFile ~/.ssh/venafi_connection_lib_id - IdentitiesOnly yes - EOT - - cat <> ~/.gitconfig - [url "git@venafi-connection-lib.github.com:jetstack/venafi-connection-lib"] - insteadOf = https://github.com/jetstack/venafi-connection-lib - EOT - - - uses: actions/checkout@v4 - with: - # Full git history is needed to get a Git tags which are used to - # calculate a valid semver for the Helm chart - fetch-depth: 0 - - uses: actions/setup-go@v5 - with: - go-version-file: go.mod - cache: true - - uses: actions/cache@v4 - with: - path: _bin/downloaded - key: downloaded-${{ runner.os }}-${{ hashFiles('make/_shared/tools/00_mod.mk') }}-${{ hashFiles('make/_shared/kind/00_kind_image_versions.mk') }} - - run: make test-unit diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml new file mode 100644 index 00000000..b7be5c91 --- /dev/null +++ b/.github/workflows/tests.yaml 
@@ -0,0 +1,65 @@ +name: tests +on: + push: + branches: [main] + pull_request: {} +jobs: + verify: + runs-on: ubuntu-latest + timeout-minutes: 15 + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: ./.github/actions/repo_access + with: + DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} + + - id: go-version + run: | + make print-go-version >> "$GITHUB_OUTPUT" + + - uses: actions/setup-go@v5 + with: + go-version: ${{ steps.go-version.outputs.result }} + + - uses: actions/cache@v4 + with: + path: _bin/downloaded + key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-verify + + - run: make -j verify + + test-unit: + runs-on: ubuntu-latest + timeout-minutes: 15 + + permissions: + contents: read # needed for checkout + id-token: write # needed for google auth + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: ./.github/actions/repo_access + with: + DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }} + + - id: go-version + run: | + make print-go-version >> "$GITHUB_OUTPUT" + + - uses: actions/setup-go@v5 + with: + go-version: ${{ steps.go-version.outputs.result }} + + - uses: actions/cache@v4 + with: + path: _bin/downloaded + key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit + + - run: make -j test-unit
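Review bot: The `verify` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default scopes, while `test-unit` in the same file narrows to `contents: read` and `id-token: write`; add `permissions:` / `  contents: read # needed for checkout` to `verify` so both jobs run with least privilege. `test-unit` requests `id-token: write # needed for google auth`, but no visible step performs an OIDC exchange — if that happens inside `make -j test-unit`, the comment should say so (`# consumed by make test-unit's google auth step`); otherwise the grant is unused and should go. Both jobs also trigger on `pull_request: {}`, where fork-originated pull requests see an empty `secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB`; the `repo_access` action then writes an empty key file and the failure surfaces later as an opaque module-fetch error, so a non-empty check on the input inside the action (or a comment here documenting that fork PRs are expected to fail) would make that mode explicit.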