From 806fb1cdcd587a2263016354126420532232d683 Mon Sep 17 00:00:00 2001 From: Marcin Bruzda <94437843+mbruzda-splunk@users.noreply.github.com> Date: Thu, 29 Aug 2024 16:14:43 +0200 Subject: [PATCH 1/7] feat: update appinpsect_cli_action to 2.8 --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 55be6e2b..d3691d86 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -806,7 +806,7 @@ jobs: name: package-splunkbase path: build/package/ - name: Scan - uses: splunk/appinspect-cli-action@v2.7 + uses: splunk/appinspect-cli-action@v2.8 with: app_path: build/package/ included_tags: ${{ matrix.tags }} From 309101f6ebe059bb2445c4aec0efd34f696d0b23 Mon Sep 17 00:00:00 2001 From: Adam Wownysz <150446614+awownysz-splunk@users.noreply.github.com> Date: Thu, 29 Aug 2024 17:45:04 +0200 Subject: [PATCH 2/7] chore: adjust workflow trigger on develop (#317) Adjusting workflow trigger on `develop` branch to revert unnecessary change in https://github.com/splunk/addonfactory-workflow-addon-release/pull/309 --- .../workflows/reusable-build-test-release.yml | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index d3691d86..3d522ed8 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml 
@@ -19,11 +19,6 @@ on: description: 'Version of release in the form of "x.x.x" string, specified by user instead of automatically generated semantic release' type: string default: "" - execute-tests-on-push-to-develop: - required: false - description: 'Flag to run all tests on push to develop branch' - type: string - default: 'false' execute-tests-on-push-to-release: required: false description: 'Flag to run all tests on push to release branch' @@ -173,10 +168,8 @@ jobs: fi ;; "push") - if ${{ github.ref_name == 'main' }} || - ${{ github.ref_name == 'develop' && inputs.execute-tests-on-push-to-develop == 'true' }} || - ${{ startsWith(github.ref_name, 'release/') && inputs.execute-tests-on-push-to-release == 'true' }} || - ${{ github.ref_type == 'tag' }} ; then + if ${{ github.ref_name == 'main' }} || ${{ github.ref_name == 'develop' }} || ${{ github.ref_type == 'tag' }} || + ${{ startsWith(github.ref_name, 'release/') && inputs.execute-tests-on-push-to-release == 'true' }} ; then for test_type in "${TESTSET[@]}"; do EXECUTE_LABELED["$test_type"]="true" done @@ -1858,10 +1851,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/diag* run-scripted-input-tests-full-matrix: - if: | - ( !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' ) && - ( github.base_ref == 'main' || github.ref_name == 'main' || ( github.ref_name == 'develop' && inputs.execute-tests-on-push-to-develop == 'true' ) || ( startsWith(github.ref_name, 'release/') && inputs.execute-tests-on-push-to-release == 'true' ) ) && - ( needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true' ) + if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' && ( github.base_ref == 'main' || github.ref_name == 'main' ) && needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true' }} needs: - build - test-inventory From 171543f1a9d7adacede6a26386d8e9f581543a67 Mon Sep 17 00:00:00 2001 
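Review bot: Deleting the `execute-tests-on-push-to-develop` input from the `workflow_call` interface (first hunk) is a breaking change for any add-on repository that still passes it — as far as I recall, GitHub rejects a reusable-workflow call that supplies an input the callee no longer declares, so those callers would fail at workflow validation rather than have the value ignored. If every caller cannot be updated in lockstep, keep the input declared for one release and mark it dead, e.g. `description: 'Deprecated and ignored: tests always run on push to develop'`. The matching removal of the shell branch in the second hunk is consistent with this; the `run:` block it lives in starts outside the hunk.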
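Review bot: The rewritten `if ${{ ... }} || ${{ ... }} ...; then` in the `"push")` case relies on each `${{ }}` expression rendering to the literal shell words `true`/`false`, which bash then executes as builtins — safe for these boolean expressions, but it is the same template-into-`run:` pattern that turns into shell injection the moment someone adds a string-valued context such as `github.ref_name` or an `inputs.*` value directly. Evaluate the predicate once outside the shell and pass the result in, e.g. `env: RUN_ALL_TESTS: ${{ github.ref_name == 'main' || github.ref_name == 'develop' || github.ref_type == 'tag' || (startsWith(github.ref_name, 'release/') && inputs.execute-tests-on-push-to-release == 'true') }}` and then `if [ "$RUN_ALL_TESTS" = "true" ]; then`. The enclosing `run:` script starts and ends outside this hunk.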
From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 30 Aug 2024 10:32:30 +0200 Subject: [PATCH 3/7] chore: remove branch conditions from scripted-inputs-tests (#319) --- .github/workflows/reusable-build-test-release.yml | 2 +- .gitignore | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 3d522ed8..e4caa775 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -1851,7 +1851,7 @@ jobs: ${{ needs.setup.outputs.directory-path }}/diag* run-scripted-input-tests-full-matrix: - if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' && ( github.base_ref == 'main' || github.ref_name == 'main' ) && needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true' }} + if: ${{ !cancelled() && needs.build.result == 'success' && needs.test-inventory.outputs.scripted_inputs == 'true' && needs.setup-workflow.outputs.execute-scripted_inputs-labeled == 'true' }} needs: - build - test-inventory diff --git a/.gitignore b/.gitignore index ebd5b9e6..0d01ccd8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ actionlint +.idea From 30fa54adc8b5495aa66ea0b15633e88724ea1df2 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 30 Aug 2024 10:59:05 +0200 Subject: [PATCH 4/7] fix: unique name for diag artifacts for marker runs (#322) Test run: https://github.com/splunk/splunk-add-on-for-google-cloud-platform/pull/757 --- .github/workflows/reusable-build-test-release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index e4caa775..caa4c1ef 100644 --- a/.github/workflows/reusable-build-test-release.yml 
+++ b/.github/workflows/reusable-build-test-release.yml @@ -1615,7 +1615,7 @@ jobs: - uses: actions/upload-artifact@v4 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: - name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} tests diag + name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.browser }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag path: | ${{ needs.setup.outputs.directory-path }}/diag* @@ -1835,7 +1835,7 @@ jobs: uses: dorny/test-reporter@v1.9.1 if: ${{ !cancelled() }} with: - name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} test report + name: splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} test report path: "${{ needs.setup.outputs.directory-path }}/test-results/*.xml" reporter: java-junit - name: pull diag from s3 bucket @@ -1846,7 +1846,7 @@ jobs: - uses: actions/upload-artifact@v4 if: ${{ failure() && steps.test_report.outputs.conclusion == 'failure' }} with: - name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} tests diag + name: archive splunk ${{ matrix.splunk.version }}${{ secrets.OTHER_TA_REQUIRED_CONFIGS }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag path: | ${{ needs.setup.outputs.directory-path }}/diag* From fb4c2f82089a05161a592dfb8df81ad1d448d765 Mon Sep 17 00:00:00 2001 
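Review bot: All three renamed `name:` values still interpolate `${{ secrets.OTHER_TA_REQUIRED_CONFIGS }}` into an artifact name and a dorny/test-reporter check-run name, so whatever that secret holds is written into the run's artifact list and the Checks UI/API, which are unlikely to receive the masking GitHub applies to log output. If the value is a non-sensitive configuration string it belongs in `vars.` instead of `secrets.`; if it is sensitive it should not be part of a name at all, e.g. `name: archive splunk ${{ matrix.splunk.version }} ${{ env.TEST_TYPE }} ${{ matrix.vendor-version.image }} ${{ matrix.marker }} tests diag`. Separately, the newly added `${{ matrix.marker }}` goes into an `actions/upload-artifact` name, which rejects characters such as `"`, `:`, `<`, `>`, `|`, `*`, `?`, `/` and `\`; if marker expressions like `not slow` or quoted values can appear in the matrix, sanitise the value first or the upload step will fail on exactly the failing runs it is meant to capture. The jobs these steps belong to start outside the hunks.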
From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 30 Aug 2024 11:00:04 +0200 Subject: [PATCH 5/7] deps: bump k8s-manifests version (#320) --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index caa4c1ef..e6e70bcb 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -33,7 +33,7 @@ on: required: false description: "branch for k8s manifests to run the tests on" type: string - default: "v3.0.4" + default: "v3.0.5" scripted-inputs-os-list: required: false description: "list of OS used for scripted input tests" From 273675b1d45780621f8a464e6a557dac4c326799 Mon Sep 17 00:00:00 2001 From: mkolasinski-splunk <105011638+mkolasinski-splunk@users.noreply.github.com> Date: Fri, 30 Aug 2024 11:26:29 +0200 Subject: [PATCH 6/7] fix: update path for argo logs pull from s3 (#321) tests: https://github.com/splunk/splunk-add-on-for-google-cloud-platform/actions/runs/10619286231 --- .github/workflows/reusable-build-test-release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index e6e70bcb..58469a67 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -1134,7 +1134,7 @@ jobs: fi echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs - aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive + aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: 
@@ -1353,7 +1353,7 @@ jobs: fi echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs - aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive + aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: @@ -1586,7 +1586,7 @@ jobs: fi echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs - aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive + aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: @@ -1817,7 +1817,7 @@ jobs: fi echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs - aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive + aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: @@ -2042,7 +2042,7 @@ jobs: fi echo "pulling logs" mkdir -p ${{ needs.setup.outputs.directory-path }}/argo-logs - aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive + aws s3 cp s3://${{ needs.setup.outputs.s3-bucket }}/workflows/${WORKFLOW_NAME}/ ${{ needs.setup.outputs.directory-path }}/argo-logs/ --recursive - uses: actions/upload-artifact@v4 if: ${{ !cancelled() }} with: From d875027d91a7c3a24d1d68a4d4136f780d5d10e9 Mon Sep 17 00:00:00 2001 
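Review bot: The corrected `workflows/${WORKFLOW_NAME}/` prefix had to be applied to five byte-identical `aws s3 cp ... --recursive` blocks (hunks at 1134, 1353, 1586, 1817 and 2042), which is precisely the kind of drift this patch is repairing — missing one of them next time would likely leave that job pulling nothing into `argo-logs` while the following `upload-artifact` step (presumably publishing that directory) still reports success. Extract the "pulling logs" sequence into a composite action or a shared step that every test job calls, or at minimum factor the prefix into a single workflow-level `env` value such as `ARGO_LOGS_PREFIX: workflows` so there is one place to change. The `${WORKFLOW_NAME}` expansion is also unquoted; `"${WORKFLOW_NAME}"` costs nothing and protects the path if the name can ever contain whitespace. Each of these `run:` blocks starts outside its hunk.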
From: dvarasani-crest <151819886+dvarasani-crest@users.noreply.github.com> Date: Fri, 30 Aug 2024 15:05:30 +0530 Subject: [PATCH 7/7] refactor: use reusable workflow for semgrep (#311) Updated the build-test-release workflow to use [sast-scan](https://github.com/splunk/sast-scanning) owned by product security team instead of using custom implementation. Ref: https://splunk.atlassian.net/browse/ADDON-72309 Test workflow run: https://github.com/splunk/splunk-add-on-for-servicenow/actions/runs/10596615468 Tested on PR: https://github.com/splunk/splunk-add-on-for-servicenow/pull/751 Workflow is not tested for the failure scenario because we need to have blocker findings by the semgrep in order to fail the workflow. Currently all rules are in monitor mode so any findings by the semgrep will be non-blocker resulting in semgrep stage to pass everytime. Discussion with the semgrep team: https://splunk.slack.com/archives/C011ELTV7FG/p1724923496371529 --- .../workflows/reusable-build-test-release.yml | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 58469a67..68950815 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -305,19 +305,11 @@ jobs: with: extra_args: -x .github/workflows/exclude-patterns.txt --json --only-verified version: 3.77.0 - + semgrep: - runs-on: ubuntu-latest - name: security-sast-semgrep - container: - image: returntocorp/semgrep - steps: - - uses: actions/checkout@v4 - - name: Semgrep - id: semgrep - run: semgrep ci - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_PUBLISH_TOKEN }} + uses: splunk/sast-scanning/.github/workflows/sast-scan.yml@main + secrets: + SEMGREP_KEY: ${{ secrets.SEMGREP_PUBLISH_TOKEN }} test-inventory: runs-on: ubuntu-latest
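Review bot: `uses: splunk/sast-scanning/.github/workflows/sast-scan.yml@main` pins the SAST gate to a mutable branch and hands it `secrets.SEMGREP_PUBLISH_TOKEN`, so any change merged to that repository's main — a mistaken one or a compromised one — runs immediately inside every add-on release pipeline with that token. Pin to a release tag or, better, a full commit SHA (`...sast-scan.yml@<sha> # vX.Y.Z`) and bump it deliberately, the same way `appinspect-cli-action@v2.8` and `dorny/test-reporter@v1.9.1` are versioned elsewhere in this file; the removed `image: returntocorp/semgrep` was equally unpinned, so this is an existing gap the refactor could close rather than carry forward. As the description says, all rules are in monitor mode and the job therefore cannot currently fail; a comment on the job such as `# non-blocking until Semgrep rules leave monitor mode` would stop readers from treating a green `semgrep` check as a passed security gate. The `jobs:` mapping this sits in continues outside the hunk.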