From d5e51e35c851beccc591667039b4fc94fd27197a Mon Sep 17 00:00:00 2001
From: Aleksandr Rybolovlev
Date: Thu, 13 Apr 2023 16:51:55 +0200
Subject: [PATCH] Update workflows (#63)
---
 .github/workflows/build.yml | 182 ++++++++++----------
 .github/workflows/docker-image-release.yaml | 2 +
 .github/workflows/docker-scan.yaml | 86 ++++-----
 .github/workflows/docker-security-scan.yaml | 78 ++++-----
 .github/workflows/labeler.yml | 68 ++++----
 .github/workflows/tag-release.yaml | 3 +-
 .release/release-metadata.hcl | 8 +-
 .release/security-scan.hcl | 24 +--
 8 files changed, 227 insertions(+), 224 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 41c0d23..b29959e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,98 +1,98 @@
-name: build
+# name: build
-on:
- workflow_dispatch:
+# on:
+# workflow_dispatch:
-env:
- BIN_NAME: ${{ vars.BIN_NAME }}
- PKG_NAME: 'docker-operator'
- DOCKER_HUB_REPO: 'arybolovlev/docker-operator'
+# env:
+# BIN_NAME: ${{ vars.BIN_NAME }}
+# PKG_NAME: 'docker-operator'
+# DOCKER_HUB_REPO: 'arybolovlev/docker-operator'
-jobs:
- set-product-version:
- runs-on: ubuntu-latest
- outputs:
- product-version: ${{ steps.set-product-version.outputs.product-version }}
- steps:
- - name: Checkout repository
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- - name: Set product version
- id: set-product-version
- uses: hashicorp/actions-set-product-version@06bddb8ee70f0dda2e21c39b5f0913d36cc9d657 # v1
+# jobs:
+# set-product-version:
+# runs-on: ubuntu-latest
+# outputs:
+# product-version: ${{ steps.set-product-version.outputs.product-version }}
+# steps:
+# - name: Checkout repository
+# uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+# - name: Set product version
+# id: set-product-version
+# uses: hashicorp/actions-set-product-version@06bddb8ee70f0dda2e21c39b5f0913d36cc9d657 # v1
- generate-metadata-file:
- needs: set-product-version
- runs-on: ubuntu-latest
- env:
- METADATA_FILE_NAME: 'metadata.json'
- outputs:
- filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
- steps:
- - name: Checkout repository
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- - name: Generate metadata file
- id: generate-metadata-file
- uses: hashicorp/actions-generate-metadata@fdbc8803a0e53bcbb912ddeee3808329033d6357 # v1.1.1
- with:
- version: ${{ needs.set-product-version.outputs.product-version }}
- product: ${{ env.PKG_NAME }}
- repositoryOwner: 'hashicorp'
- metadataFileName: ${{ env.METADATA_FILE_NAME }}
- - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
- with:
- name: metadata.json
- path: ${{ env.METADATA_FILE_NAME }}
+# generate-metadata-file:
+# needs: set-product-version
+# runs-on: ubuntu-latest
+# env:
+# METADATA_FILE_NAME: 'metadata.json'
+# outputs:
+# filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
+# steps:
+# - name: Checkout repository
+# uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+# - name: Generate metadata file
+# id: generate-metadata-file
+# uses: hashicorp/actions-generate-metadata@fdbc8803a0e53bcbb912ddeee3808329033d6357 # v1.1.1
+# with:
+# version: ${{ needs.set-product-version.outputs.product-version }}
+# product: ${{ env.PKG_NAME }}
+# repositoryOwner: 'hashicorp'
+# metadataFileName: ${{ env.METADATA_FILE_NAME }}
+# - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+# with:
+# name: metadata.json
+# path: ${{ env.METADATA_FILE_NAME }}
- build:
- name: Go Linux ${{ matrix.arch }} build
- needs: [set-product-version]
- runs-on: ubuntu-latest
- outputs:
- go-version: ${{ steps.set-up-go.outputs.go-version }}
- strategy:
- matrix:
- arch: ["amd64", "arm64"]
- steps:
- - name: Checkout repository
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- - name: Setup Go
- id: set-up-go
- uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
- with:
- go-version-file: 'go.mod'
- - name: Go build
- uses: hashicorp/actions-go-build@e20c6be7bf010e40e930dab20e6da63176725ec1 # v0.1.9
- with:
- product_name: ${{ env.PKG_NAME }}
- product_version: ${{ needs.set-product-version.outputs.product-version }}
- bin_name: ${{ env.BIN_NAME }}
- go_version: ${{ steps.set-up-go.outputs.go-version }}
- os: linux
- arch: ${{ matrix.arch }}
- reproducible: report
- instructions: |
- go build -trimpath -o $BIN_PATH main.go
+# build:
+# name: Go Linux ${{ matrix.arch }} build
+# needs: [set-product-version]
+# runs-on: ubuntu-latest
+# outputs:
+# go-version: ${{ steps.set-up-go.outputs.go-version }}
+# strategy:
+# matrix:
+# arch: ["amd64", "arm64"]
+# steps:
+# - name: Checkout repository
+# uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+# - name: Setup Go
+# id: set-up-go
+# uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+# with:
+# go-version-file: 'go.mod'
+# - name: Go build
+# uses: hashicorp/actions-go-build@e20c6be7bf010e40e930dab20e6da63176725ec1 # v0.1.9
+# with:
+# product_name: ${{ env.PKG_NAME }}
+# product_version: ${{ needs.set-product-version.outputs.product-version }}
+# bin_name: ${{ env.BIN_NAME }}
+# go_version: ${{ steps.set-up-go.outputs.go-version }}
+# os: linux
+# arch: ${{ matrix.arch }}
+# reproducible: report
+# instructions: |
+# go build -trimpath -o $BIN_PATH main.go
- build-docker:
- name: Docker ${{ matrix.arch }} build
- needs: [build, set-product-version]
- runs-on: ubuntu-latest
- strategy:
- matrix:
- arch: ["amd64", "arm64"]
+# build-docker:
+# name: Docker ${{ matrix.arch }} build
+# needs: [build, set-product-version]
+# runs-on: ubuntu-latest
+# strategy:
+# matrix:
+# arch: ["amd64", "arm64"]
- steps:
- - name: Checkout repository
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
- - name: Docker build
- uses: hashicorp/actions-docker-build@5e6230693cdbf8a6485b36f17740447ad28bf353 # v1.3.4
- env:
- VERSION: ${{ needs.set-product-version.outputs.product-version }}
- GO_VERSION: ${{ needs.build.outputs.go-version }}
- with:
- version: ${{ env.VERSION }}
- bin_name: ${{ env.BIN_NAME }}
- target: release-default
- arch: ${{ matrix.arch }}
- tags: |
- docker.io/${{ env.DOCKER_HUB_REPO }}:${{ env.VERSION }}
+# steps:
+# - name: Checkout repository
+# uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+# - name: Docker build
+# uses: hashicorp/actions-docker-build@5e6230693cdbf8a6485b36f17740447ad28bf353 # v1.3.4
+# env:
+# VERSION: ${{ needs.set-product-version.outputs.product-version }}
+# GO_VERSION: ${{ needs.build.outputs.go-version }}
+# with:
+# version: ${{ env.VERSION }}
+# bin_name: ${{ env.BIN_NAME }}
+# target: release-default
+# arch: ${{ matrix.arch }}
+# tags: |
+# docker.io/${{ env.DOCKER_HUB_REPO }}:${{ env.VERSION }}
diff --git a/.github/workflows/docker-image-release.yaml b/.github/workflows/docker-image-release.yaml
index 32fcc34..f6ffead 100644
--- a/.github/workflows/docker-image-release.yaml
+++ b/.github/workflows/docker-image-release.yaml
@@ -2,6 +2,8 @@ name: Build and Publish Docker Image on: push:
+ branches:
+ - 'main'
 tags:
 - "v[0-9]+.[0-9]+.[0-9]+*"
diff --git a/.github/workflows/docker-scan.yaml b/.github/workflows/docker-scan.yaml
index c99a009..9956e0a 100644
--- a/.github/workflows/docker-scan.yaml
+++ b/.github/workflows/docker-scan.yaml
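Review bot: The new side of this hunk turns build.yml into a file that contains only `#` comments, so it no longer parses as a workflow (no `name`, no `on`, no `jobs`); GitHub is likely to surface that as an invalid-workflow error in the Actions tab rather than just skipping it, and the same applies to docker-scan.yaml, docker-security-scan.yaml and labeler.yml in this patch, and to the `//`-commented .release/release-metadata.hcl and .release/security-scan.hcl. Git history already preserves the old contents, so deleting the files is the cleaner way to retire them; if they are intentionally parked, a one-line header such as `# Disabled on 2023-04-13 pending the new release pipeline; see #63` makes the intent reviewable instead of leaving a reader to guess. Note that commenting out docker-scan.yaml and docker-security-scan.yaml removes both Trivy image scans, including the review-gated one, so the repository has no container vulnerability gate until another workflow takes that over.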
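Review bot: Adding `branches:` / `- 'main'` under the `push` trigger of a workflow named "Build and Publish Docker Image" means every commit to main now runs this workflow, not only `v*` tags; the job body is outside this hunk, so I cannot see whether the publish step is already gated. If the intent is to build (and scan) on main but publish only for releases, guard the registry login and push with `if: startsWith(github.ref, 'refs/tags/')`, or set `push: ${{ startsWith(github.ref, 'refs/tags/') }}` on the build-push step, so registry credentials are exercised only for tagged refs. If the image tag is derived from the ref name, branch pushes would presumably yield a `main` tag; confirm the tagging step handles that case as intended.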
@@ -1,51 +1,51 @@
-name: Scan Docker Image
+# name: Scan Docker Image
-on:
- workflow_dispatch:
+# on:
+# workflow_dispatch:
-env:
- DOCKER_IMAGE: docker-operator
- BIN_NAME: docker-operator
+# env:
+# DOCKER_IMAGE: docker-operator
+# BIN_NAME: docker-operator
-jobs:
- release-docker-hub:
- runs-on: ubuntu-latest
- steps:
- - name: Docker image metadata
- id: meta
- uses: docker/metadata-action@v4
- with:
- images: ${{ env.DOCKER_IMAGE }}
- tags: |
- type=sha,format=long
+# jobs:
+# release-docker-hub:
+# runs-on: ubuntu-latest
+# steps:
+# - name: Docker image metadata
+# id: meta
+# uses: docker/metadata-action@v4
+# with:
+# images: ${{ env.DOCKER_IMAGE }}
+# tags: |
+# type=sha,format=long
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- with:
- platforms: amd64
+# - name: Set up QEMU
+# uses: docker/setup-qemu-action@v2
+# with:
+# platforms: amd64
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+# - name: Set up Docker Buildx
+# uses: docker/setup-buildx-action@v2
- - name: Build and load Docker image
- uses: docker/build-push-action@v3
- with:
- platforms: linux/amd64
- push: false
- load: true
- tags: ${{ steps.meta.outputs.tags }}
+# - name: Build and load Docker image
+# uses: docker/build-push-action@v3
+# with:
+# platforms: linux/amd64
+# push: false
+# load: true
+# tags: ${{ steps.meta.outputs.tags }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: image
- format: sarif
- image-ref: ${{ steps.meta.outputs.tags }}
- output: 'trivy-results.sarif'
- exit-code: '1'
+# - name: Run Trivy vulnerability scanner
+# uses: aquasecurity/trivy-action@master
+# with:
+# scan-type: image
+# format: sarif
+# image-ref: ${{ steps.meta.outputs.tags }}
+# output: 'trivy-results.sarif'
+# exit-code: '1'
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- category: 'Trivy Security Scan'
- sarif_file: 'trivy-results.sarif'
+# - name: Upload Trivy scan results to GitHub Security tab
+# uses: github/codeql-action/upload-sarif@v2
+# with:
+# category: 'Trivy Security Scan'
+# sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/docker-security-scan.yaml b/.github/workflows/docker-security-scan.yaml
index 0eea768..8cb0d20 100644
--- a/.github/workflows/docker-security-scan.yaml
+++ b/.github/workflows/docker-security-scan.yaml
@@ -1,46 +1,46 @@
-name: Security Scan Docker Image
+# name: Security Scan Docker Image
-on:
- pull_request_review:
- types: [submitted]
- workflow_dispatch:
+# on:
+# pull_request_review:
+# types: [submitted]
+# workflow_dispatch:
-env:
- DOCKER_IMAGE: docker-operator
+# env:
+# DOCKER_IMAGE: docker-operator
-jobs:
- security-scan-docker-image:
- if: github.event.review.state == 'approved'
- runs-on: ubuntu-latest
- steps:
- - name: Docker image metadata
- id: meta
- uses: docker/metadata-action@v4
- with:
- images: ${{ env.DOCKER_IMAGE }}
- tags: |
- type=sha,format=long
+# jobs:
+# security-scan-docker-image:
+# if: github.event.review.state == 'approved'
+# runs-on: ubuntu-latest
+# steps:
+# - name: Docker image metadata
+# id: meta
+# uses: docker/metadata-action@v4
+# with:
+# images: ${{ env.DOCKER_IMAGE }}
+# tags: |
+# type=sha,format=long
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- with:
- platforms: amd64
+# - name: Set up QEMU
+# uses: docker/setup-qemu-action@v2
+# with:
+# platforms: amd64
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+# - name: Set up Docker Buildx
+# uses: docker/setup-buildx-action@v2
- - name: Build and load Docker image
- uses: docker/build-push-action@v3
- with:
- platforms: linux/amd64
- push: false
- load: true
- tags: ${{ steps.meta.outputs.tags }}
+# - name: Build and load Docker image
+# uses: docker/build-push-action@v3
+# with:
+# platforms: linux/amd64
+# push: false
+# load: true
+# tags: ${{ steps.meta.outputs.tags }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: image
- format: table
- image-ref: ${{ steps.meta.outputs.tags }}
- exit-code: '1'
+# - name: Run Trivy vulnerability scanner
+# uses: aquasecurity/trivy-action@master
+# with:
+# scan-type: image
+# format: table
+# image-ref: ${{ steps.meta.outputs.tags }}
+# exit-code: '1'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 2c38775..0700e69 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,36 +1,36 @@
-name: "PR Labeler"
-on:
- pull_request_target:
- branches:
- - main
+# name: "PR Labeler"
+# on:
+# pull_request_target:
+# branches:
+# - main
-permissions:
- issues: write
- pull-requests: write
+# permissions:
+# issues: write
+# pull-requests: write
-jobs:
- triage:
- runs-on: ubuntu-latest
- steps:
- - name: Label the PR size
- uses: codelytv/pr-size-labeler@54ef36785e9f4cb5ecf1949cfc9b00dbb621d761 # v1.8.1
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- xs_label: 'size/XS'
- xs_max_size: '30'
- s_label: 'size/S'
- s_max_size: '60'
- m_label: 'size/M'
- m_max_size: '150'
- l_label: 'size/L'
- l_max_size: '300'
- xl_label: 'size/XL'
- message_if_xl: >
- This PR exceeds the recommended size of 1000 lines.
- Please make sure you are NOT addressing multiple issues with one PR.
- Note this PR might be rejected due to its size.
- #github_api_url: 'api.github.com'
- - uses: actions/labeler@v4
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
- sync-labels: true
+# jobs:
+# triage:
+# runs-on: ubuntu-latest
+# steps:
+# - name: Label the PR size
+# uses: codelytv/pr-size-labeler@54ef36785e9f4cb5ecf1949cfc9b00dbb621d761 # v1.8.1
+# with:
+# github_token: ${{ secrets.GITHUB_TOKEN }}
+# xs_label: 'size/XS'
+# xs_max_size: '30'
+# s_label: 'size/S'
+# s_max_size: '60'
+# m_label: 'size/M'
+# m_max_size: '150'
+# l_label: 'size/L'
+# l_max_size: '300'
+# xl_label: 'size/XL'
+# message_if_xl: >
+# This PR exceeds the recommended size of 1000 lines.
+# Please make sure you are NOT addressing multiple issues with one PR.
+# Note this PR might be rejected due to its size.
+# #github_api_url: 'api.github.com'
+# - uses: actions/labeler@v4
+# with:
+# repo-token: "${{ secrets.GITHUB_TOKEN }}"
+# sync-labels: true
diff --git a/.github/workflows/tag-release.yaml b/.github/workflows/tag-release.yaml
index 926a43b..f3553b4 100644
--- a/.github/workflows/tag-release.yaml
+++ b/.github/workflows/tag-release.yaml
@@ -1,11 +1,12 @@
 name: Tag Release
+
 on:
- workflow_dispatch:
 push:
 branches:
 - main
 paths:
 - version/VERSION
+
 jobs:
 tag_release:
 runs-on: ubuntu-latest
diff --git a/.release/release-metadata.hcl b/.release/release-metadata.hcl
index 349de21..463bfda 100644
--- a/.release/release-metadata.hcl
+++ b/.release/release-metadata.hcl
@@ -1,4 +1,4 @@
-url_docker_registry_dockerhub = "https://hub.docker.com/r/arybolovlev/docker-operator"
-url_license = "https://github.com/arybolovlev/docker-operator/blob/main/LICENSE"
-url_project_website = "https://github.com/arybolovlev/docker-operator"
-url_source_repository = "https://github.com/arybolovlev/docker-operator"
+// url_docker_registry_dockerhub = "https://hub.docker.com/r/arybolovlev/docker-operator"
+// url_license = "https://github.com/arybolovlev/docker-operator/blob/main/LICENSE"
+// url_project_website = "https://github.com/arybolovlev/docker-operator"
+// url_source_repository = "https://github.com/arybolovlev/docker-operator"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
index 7b80a44..2dfab27 100644
--- a/.release/security-scan.hcl
+++ b/.release/security-scan.hcl
@@ -1,13 +1,13 @@
-container {
- dependencies = false
- alpine_secdb = false
- secrets = false
-}
+// container {
+// dependencies = false
+// alpine_secdb = false
+// secrets = false
+// }
-binary {
- secrets = false
- go_modules = false
- osv = false
- oss_index = false
- nvd = false
-}
+// binary {
+// secrets = false
+// go_modules = false
+// osv = false
+// oss_index = false
+// nvd = false
+// }
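Review bot: Commenting out the `container` and `binary` blocks in .release/security-scan.hcl leaves an HCL file with no configuration at all, so whichever release tooling reads it now falls back to its own defaults, or rejects the empty file, instead of the explicit all-`false` settings that were there; I cannot tell from the patch which of those happens. If the goal is to stop running that tooling for this repository, delete the file together with release-metadata.hcl rather than leaving comment-only HCL; if the goal is to turn the scans on, set the fields to `true` explicitly (for example `secrets = true` and `go_modules = true` under `binary`) so the scan policy stays reviewable in the file rather than implied by defaults.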