diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 677c436..5bec00c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,18 +37,19 @@ jobs: RUSTC_BOOTSTRAP: 1 steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - uses: dtolnay/rust-toolchain@1.74.0 - - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: udeps cache-all-crates: "true" - - run: cargo install --locked cargo-udeps@0.1.39 + - uses: stackabletech/cargo-install-action@cargo-udeps - run: cargo udeps --workspace # This job evaluates the github environment to determine why this action is running and selects the appropriate @@ -110,7 +111,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: EmbarkStudios/cargo-deny-action@a50c7d5f86370e02fae8472c398f15a36e517bb8 # v1.5.4 + - uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1.5.5 with: command: check ${{ matrix.checks }} 
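Review bot: The new `- uses: stackabletech/cargo-install-action@cargo-udeps` step references a mutable ref rather than a commit SHA, unlike every other action in this hunk, and it replaces `cargo install --locked cargo-udeps@0.1.39`, so the version of the udeps binary is no longer fixed by the workflow. Pinning it as `- uses: stackabletech/cargo-install-action@<commit-sha> # cargo-udeps` restores the supply-chain posture the rest of the file keeps. Separately, `version: 1.0` under `cache-apt-pkgs-action` is parsed as a float before GitHub stringifies it; since the value is only a cache-key discriminator, `version: "1.0"` is the safer form, and the same unquoted value is introduced in the matching hunks of the clippy, doc, test, charts and publish jobs.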
@@ -131,16 +132,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - uses: dtolnay/rust-toolchain@1.74.0 with: components: clippy - - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: clippy cache-all-crates: "true" @@ -164,16 +166,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - uses: dtolnay/rust-toolchain@1.74.0 with: components: rustfmt - - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: doc cache-all-crates: "true" 
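Review bot: The doc job's hunk adds a second `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` immediately before the existing checkout step that carries `submodules: recursive`, so the repository is checked out twice and the first checkout is immediately overwritten; this looks like a copy-paste slip rather than an intended change. Dropping the added line keeps this job consistent with the clippy and test jobs, which each have a single checkout step.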
@@ -184,14 +188,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - uses: dtolnay/rust-toolchain@1.74.0 - - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: test cache-all-crates: "true" @@ -209,7 +214,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0 with: python-version: '3.11' - name: Install jinja2-cli @@ -220,7 +225,7 @@ jobs: run: git diff --exit-code - name: Git Diff showed uncommitted changes if: ${{ failure() }} - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!') 
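Review bot: The pin comment on the new `actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c` line is written as `# tag=v5.0.0`, while every other pinned action in this file uses the bare `# v4.1.1` form; the same `tag=` spelling is introduced for `sigstore/cosign-installer` in the publish job and for `actions/setup-python` in pr_reviewdog.yaml. Using `# v5.0.0` throughout keeps the version comments uniform for whatever tooling tracks and updates the SHAs.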
@@ -240,9 +245,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -250,11 +256,10 @@ jobs: - name: Set up Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 with: - version: v3.6.2 + version: v3.13.3 - name: Set up cargo uses: dtolnay/rust-toolchain@1.74.0 - - name: Set up rust-cache - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 + - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 with: key: charts cache-all-crates: "true" @@ -264,7 +269,7 @@ jobs: run: git diff --exit-code - name: Git Diff showed uncommitted changes if: ${{ failure() }} - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | core.setFailed('Committed charts were not up to date, please regenerate and re-commit!') 
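Review bot: In the charts job the rust-cache step loses its `- name: Set up rust-cache` line, so it becomes the only unnamed step among those visible in this hunk (`Install host dependencies`, `Checkout`, `Set up Helm`, `Set up cargo`), and the run log will show the action path instead of a description. Keeping `- name: Set up rust-cache` above the new `uses:` line preserves the job's readability without changing behaviour.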
@@ -296,16 +301,19 @@ jobs: env: NEXUS_PASSWORD: ${{ secrets.NEXUS_PASSWORD }} HELM_REPO: ${{ needs.select_helm_repo.outputs.helm_repository }} - OCI_REGISTRY_PASSWORD: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} - OCI_REGISTRY_USERNAME: "robot$stackable+github-action-build" + OCI_REGISTRY_SDP_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + OCI_REGISTRY_SDP_USERNAME: "robot$sdp+github-action-build" + OCI_REGISTRY_SDP_CHARTS_PASSWORD: ${{ secrets.HARBOR_ROBOT_SDP_CHARTS_GITHUB_ACTION_BUILD_SECRET }} + OCI_REGISTRY_SDP_CHARTS_USERNAME: "robot$sdp-charts+github-action-build" if: needs.select_helm_repo.outputs.helm_repository != 'skip' outputs: IMAGE_TAG: ${{ steps.printtag.outputs.IMAGE_TAG }} steps: - name: Install host dependencies - run: | - sudo apt-get update - sudo apt-get install protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + uses: awalsh128/cache-apt-pkgs-action@44c33b32f808cdddd5ac0366d70595ed63661ed8 # v1.3.1 + with: + packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config + version: 1.0 - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
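Review bot: The two new registry passwords (`OCI_REGISTRY_SDP_PASSWORD`, `OCI_REGISTRY_SDP_CHARTS_PASSWORD`) sit in the job-level `env:`, so they are exported to every step of the publish job, including the `stackabletech/cargo-install-action@main` step introduced in the next hunk, which tracks a branch rather than a pinned commit. Only the `make -e publish` step appears to consume these variables; scoping them as a step-level `env:` on that step limits what an unrelated action or a compromised tool in the job can read. The job definition starts before this hunk, so there may be further consumers not visible here.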
@@ -316,23 +324,25 @@ jobs: # This step checks if the current run was triggered by a push to a pr (or a pr being created). # If this is the case it changes the version of this project in all Cargo.toml files to include the suffix # "-pr" so that the published artifacts can be linked to this PR. + - uses: stackabletech/cargo-install-action@main + with: + crate: cargo-edit + bin: cargo-set-version - name: Update version if PR if: ${{ github.event_name == 'pull_request' }} - run: | - cargo install cargo-edit --version 0.11.11 - cargo set-version --offline --workspace 0.0.0-pr${{ github.event.pull_request.number }} + run: cargo set-version --offline --workspace 0.0.0-pr${{ github.event.pull_request.number }} # Recreate charts and publish charts and docker image. The "-e" is needed as we want to override the # default value in the makefile if called from this action, but not otherwise (i.e. when called locally). # This is needed for the HELM_REPO variable. - - name: Set up Cosign - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3 + - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0 - name: Publish Docker image and Helm chart run: make -e publish # Output the name of the published image to the Job output for later use - id: printtag name: Output image name and tag run: echo "IMAGE_TAG=$(make -e print-docker-tag)" >> $GITHUB_OUTPUT + openshift_preflight: name: Run the OpenShift Preflight check on the published images needs: @@ -343,7 +353,7 @@ jobs: steps: - name: Install preflight run: | - wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.6.11/preflight-linux-amd64 + wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.7.2/preflight-linux-amd64 chmod +x preflight-linux-amd64 - name: Check container run: ./preflight-linux-amd64 check container "$IMAGE_TAG" > preflight.out 
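Review bot: `- uses: stackabletech/cargo-install-action@main` runs third-party code from a moving branch inside the job that holds the registry credentials, and it replaces `cargo install cargo-edit --version 0.11.11`, so neither the action nor the `cargo-set-version` binary it installs has a fixed version any more; pin it as `- uses: stackabletech/cargo-install-action@<commit-sha> # <tag>` and pass the crate version if the action accepts one. The new step also has no `if:` guard, so cargo-edit is installed on every run even though the `Update version if PR` step that needs it only runs for `pull_request` events; adding `if: ${{ github.event_name == 'pull_request' }}` to the install step restores the previous behaviour.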
diff --git a/.github/workflows/pr_reviewdog.yaml b/.github/workflows/pr_reviewdog.yaml index fd48c54..7821ff0 100644 --- a/.github/workflows/pr_reviewdog.yaml +++ b/.github/workflows/pr_reviewdog.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.6.1 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0 with: python-version: "3.11" - uses: reviewdog/action-flake8@51c2708ac3e9463b4d27d0ba7d9e3ded608a6ad3 # v3.8.0 @@ -71,7 +71,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: reviewdog/action-misspell@cc799b020b057600b66eedf2b6e97ca26137de21 # v1.14.0 + - uses: reviewdog/action-misspell@4348e72b9038b006ffc37b6b0dd4421a2e9a68ef # v1.14.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} locale: "US" @@ -80,7 +80,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: reviewdog/action-languagetool@445dede243efc5b874724a31f5c4f486efddbc35 # v1.12.0 + - uses: reviewdog/action-languagetool@0d1f05459d9d88744c06c58d389f0997bab95b59 # v1.13.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} level: info diff --git a/Makefile b/Makefile index 1743365..52ef3e5 100644 --- a/Makefile +++ b/Makefile 
@@ -16,9 +16,9 @@ VERSION := $(shell cargo metadata --format-version 1 | jq -r '.packages[] | sele DOCKER_REPO := docker.stackable.tech ORGANIZATION := stackable OCI_REGISTRY_HOSTNAME := oci.stackable.tech -OCI_REGISTRY_PROJECT_IMAGES := ${ORGANIZATION}/images -OCI_REGISTRY_PROJECT_CHARTS := ${ORGANIZATION}/charts -# this will be overwritten by an environmental variable if called from the github action +OCI_REGISTRY_PROJECT_IMAGES := sdp +OCI_REGISTRY_PROJECT_CHARTS := sdp-charts +# This will be overwritten by an environmental variable if called from the github action HELM_REPO := https://repo.stackable.tech/repository/helm-dev HELM_CHART_NAME := ${OPERATOR_NAME} HELM_CHART_ARTIFACT := target/helm/${OPERATOR_NAME}-${VERSION}.tgz @@ -34,7 +34,7 @@ docker-build: docker tag "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" "${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}" docker-publish: - # push to Nexus + # Push to Nexus echo "${NEXUS_PASSWORD}" | docker login --username github --password-stdin "${DOCKER_REPO}" DOCKER_OUTPUT=$$(docker push --all-tags "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}");\ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ 
@@ -47,14 +47,14 @@ docker-publish: # Uses the keyless signing flow with Github Actions as identity provider\ cosign sign -y ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:@$$REPO_DIGEST_OF_IMAGE - # push to Harbor - # we need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) - docker login --username '${value OCI_REGISTRY_USERNAME}' --password '${OCI_REGISTRY_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' + # Push to Harbor + # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) + docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' DOCKER_OUTPUT=$$(docker push --all-tags '${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}');\ # Obtain the digest of the pushed image from the output of `docker push`, because signing by tag is deprecated and will be removed from cosign in the future\ REPO_DIGEST_OF_IMAGE=$$(echo "$$DOCKER_OUTPUT" | awk '/^${VERSION}: digest: sha256:[0-9a-f]{64} size: [0-9]+$$/ { print $$3 }');\ if [ -z "$$REPO_DIGEST_OF_IMAGE" ]; then\ - echo 'Could not find repo digest for container image: ${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}';\ + echo 'Could not find repo digest for container image: ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_IMAGES}/${OPERATOR_NAME}:${VERSION}';\ exit 1;\ fi;\ # This generates a signature and publishes it to the registry, next to the image\ 
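Review bot: The rewritten Harbor login `docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password '${OCI_REGISTRY_SDP_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}'` passes the secret as a command-line argument, so it is visible in the process list of the runner for the lifetime of the command, whereas the Nexus login a few lines above already uses `--password-stdin`. Feeding it the same way, `echo '${OCI_REGISTRY_SDP_PASSWORD}' | docker login --username '${value OCI_REGISTRY_SDP_USERNAME}' --password-stdin '${OCI_REGISTRY_HOSTNAME}'`, keeps the two logins consistent; the `helm registry login` in helm-publish and the `docker login` added after the digest check there have the same shape and both accept `--password-stdin`. Note that make still echoes the recipe line unless it is silenced, so this only removes the argv exposure.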
@@ -68,12 +68,12 @@ print-docker-tag: @echo "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}" helm-publish: - # push to Nexus + # Push to Nexus curl --fail -u "github:${NEXUS_PASSWORD}" --upload-file "${HELM_CHART_ARTIFACT}" "${HELM_REPO}/" - # push to Harbor - # we need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) - helm registry login --username '${value OCI_REGISTRY_USERNAME}' --password '${OCI_REGISTRY_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' + # Push to Harbor + # We need to use "value" here to prevent the variable from being recursively expanded by make (username contains a dollar sign, since it's a Harbor bot) + helm registry login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}' # Obtain the digest of the pushed artifact from the output of `helm push`, because signing by tag is deprecated and will be removed from cosign in the future\ HELM_OUTPUT=$$(helm push '${HELM_CHART_ARTIFACT}' 'oci://${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}' 2>&1);\ REPO_DIGEST_OF_ARTIFACT=$$(echo "$$HELM_OUTPUT" | awk '/^Digest: sha256:[0-9a-f]{64}$$/ { print $$2 }');\ @@ -81,6 +81,8 @@ helm-publish: echo 'Could not find repo digest for helm chart: ${HELM_CHART_NAME}';\ exit 1;\ fi;\ + # Login to Harbor, needed for cosign to be able to push the signature for the Helm chart\ + docker login --username '${value OCI_REGISTRY_SDP_CHARTS_USERNAME}' --password '${OCI_REGISTRY_SDP_CHARTS_PASSWORD}' '${OCI_REGISTRY_HOSTNAME}';\ # This generates a signature and publishes it to the registry, next to the chart artifact\ # Uses the keyless signing flow with Github Actions as identity provider\ cosign sign -y ${OCI_REGISTRY_HOSTNAME}/${OCI_REGISTRY_PROJECT_CHARTS}/${HELM_CHART_NAME}:@$$REPO_DIGEST_OF_ARTIFACT