From 4303c7319bd53a7f582a83bedeb0794d25a68e69 Mon Sep 17 00:00:00 2001
From: Schubert Anselme
Date: Wed, 9 Oct 2024 09:45:24 -0400
Subject: [PATCH] ci: Update github actions
Signed-off-by: Schubert Anselme
---
 .github/build/img/Dockerfile | 58 --------------------
 .github/workflows/cicd.yml | 14 ++---
 .github/workflows/gate/devos.yml | 14 ----
 .github/workflows/gate/sonarqube.yml | 28 ----------
 .github/workflows/gate/trivy.yml | 21 --------
 .github/workflows/ondemand/bot.yml | 46 ----------------
 .github/workflows/ondemand/cleanup.yml | 68 ------------------------
 .github/workflows/ondemand/scorecard.yml | 44 ---------------
 .github/workflows/scorecard.yml | 9 ++--
 .github/workflows/sonarqube.yml | 2 +-
 .github/workflows/trivy.yml | 4 ++
 11 files changed, 18 insertions(+), 290 deletions(-)
 delete mode 100644 .github/build/img/Dockerfile
 delete mode 100644 .github/workflows/gate/devos.yml
 delete mode 100644 .github/workflows/gate/sonarqube.yml
 delete mode 100644 .github/workflows/gate/trivy.yml
 delete mode 100644 .github/workflows/ondemand/bot.yml
 delete mode 100644 .github/workflows/ondemand/cleanup.yml
 delete mode 100644 .github/workflows/ondemand/scorecard.yml
diff --git a/.github/build/img/Dockerfile b/.github/build/img/Dockerfile
deleted file mode 100644
index 69bf879..0000000
--- a/.github/build/img/Dockerfile
+++ /dev/null
@@ -1,58 +0,0 @@
-FROM ubuntu:24.10
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV X11VNC_SKIP_DISPLAY==""
-
-RUN apt-get update -y && \
- apt-get install --no-install-recommends -y \
- ansible \
- ca-certificates \
- cron \
- curl \
- dbus \
- file \
- git \
- git-lfs \
- gnupg2 \
- icewm \
- iproute2 \
- libvirt-clients \
- libvirt-daemon \
- libvirt-daemon-system \
- openssl \
- protobuf-compiler \
- protobuf-compiler-grpc \
- python3-openstackclient \
- software-properties-common \
- ssh \
- systemd \
- unzip \
- vim \
- x11vnc \
- xauth \
- xinit \
- xterm \
- xvfb \
- zsh && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/* && \
- echo "exec icewm" > ~/.xinitrc && chmod +x ~/.xinitrc
-
-COPY config/systemd/x11vnc.service /lib/systemd/system/x11vnc.service
-RUN systemctl enable x11vnc.service
-
-COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service
-RUN systemctl enable journal-to-tty.service
-
-RUN useradd -m devos
-
-# todo: checksum downloaded binaries
-COPY scripts/init-devos.sh /tmp/init-devos.sh
-COPY scripts/install-docker.sh /tmp/install-docker.sh
-RUN chmod +x \
- /tmp/init-devos.sh \
- /tmp/install-docker.sh && /tmp/init-devos.sh
-
-CMD ["/sbin/init"]
-USER devos
-HEALTHCHECK NONE
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 8507029..110b945 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -16,17 +16,19 @@ jobs:
 issues: write
 pull-requests: write
 repository-projects: write
-
- sonarqube:
- uses: ./.github/workflows/sonarqube.yml
- trivy:
- uses: ./.github/workflows/trivy.yml
 # devos:
 # uses: ./.github/workflows/devos.yml
-
+ trivy:
+ uses: ./.github/workflows/trivy.yml
+ permissions:
+ contents: write
+ id-token: write
+ security-events: write
 scorecard:
 uses: ./.github/workflows/scorecard.yml
 permissions:
 contents: write
 id-token: write
 security-events: write
+ sonarqube:
+ uses: ./.github/workflows/sonarqube.yml
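Review bot: The `permissions` map added to the `trivy` caller job grants `contents: write` and `id-token: write`, which is broader than a scan that checks out code and uploads SARIF needs — `security-events: write` plus `contents: read` covers that, and `id-token: write` only matters where an OIDC token is actually used (Scorecard's `publish_results`, not a Trivy scan). The caller's grant is the ceiling that a called reusable workflow can only lower, never raise, so trimming it here is what actually narrows the token; the same three-scope block reappears in the `trivy.yml` and `scorecard.yml` hunks below and should be trimmed there as well (Scorecard's upstream guidance lists `contents: read`, not write). If the Trivy action does push an SBOM or commit results, that is the one case where `contents: write` is justified, and it deserves a one-line comment above the block saying so, e.g. `# contents: write — needed to commit the generated SBOM`. The commented `# devos:` pair is kept as dead configuration; either restore the job or delete the two lines.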
diff --git a/.github/workflows/gate/devos.yml b/.github/workflows/gate/devos.yml
deleted file mode 100644
index 30005dd..0000000
--- a/.github/workflows/gate/devos.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: DevOS
-
-on:
- - workflow_call
-
-permissions: read-all
-
-jobs:
- airskiff:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - run: hack/run
diff --git a/.github/workflows/gate/sonarqube.yml b/.github/workflows/gate/sonarqube.yml
deleted file mode 100644
index 9998ff8..0000000
--- a/.github/workflows/gate/sonarqube.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: SonarQube
-
-on:
- workflow_call:
- inputs:
- sonarqube:
- type: boolean
- default: false
- description: Run SonarQube Quality Gate
-
-permissions: read-all
-
-jobs:
- sonarqube:
- runs-on: ubuntu-latest
- if: ${{ inputs.sonarqube }}
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
- with:
- fetch-depth: 0
- persist-credentials: false
- - name: SonarQube Quality Gate
- uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
- timeout-minutes: 5
- env:
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/gate/trivy.yml b/.github/workflows/gate/trivy.yml
deleted file mode 100644
index 37ad735..0000000
--- a/.github/workflows/gate/trivy.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: Trivy
-
-on:
- - workflow_call
-
-permissions: read-all
-
-jobs:
- trivy:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
- with:
- fetch-depth: 0
- persist-credentials: false
- - name: Trivy Scan
- uses: ./.github/actions/trivy
- # with:
- # generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
- # upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
diff --git a/.github/workflows/ondemand/bot.yml b/.github/workflows/ondemand/bot.yml
deleted file mode 100644
index c517a73..0000000
--- a/.github/workflows/ondemand/bot.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-name: Bot
-
-on:
- - workflow_call
-
-permissions:
- issues: write
- pull-requests: write
- repository-projects: write
-
-jobs:
- dependabot:
- runs-on: ubuntu-latest
- if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
- steps:
- - name: Dependabot metadata
- id: metadata
- uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 https://github.com/dependabot/fetch-metadata/commit/dbb049abf0d677abbd7f7eee0375145b417fdd34
- with:
- alert-lookup: true
- compat-lookup: true
-
- - name: Approve a PR
- shell: bash
- run: |
- gh pr checkout "$PR_URL"
-
- if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];then
- gh pr review --approve "$PR_URL"
- else
- echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
- fi
- env:
- GITHUB_TOKEN: ${{ github.token }}
- PR_URL: ${{ github.event.pull_request.html_url }}
-
- - name: Enable auto-merge for Dependabot PRs
- if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
- shell: bash
- run: gh pr merge --auto --merge "$PR_URL"
- env:
- GITHUB_TOKEN: ${{ github.token }}
- PR_URL: ${{ github.event.pull_request.html_url }}
-
- # todo: raise issue on failure for cron job
- # todo: update issue on job run failure
diff --git a/.github/workflows/ondemand/cleanup.yml b/.github/workflows/ondemand/cleanup.yml
deleted file mode 100644
index b040a8f..0000000
--- a/.github/workflows/ondemand/cleanup.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-name: Cleanup
-
-on:
- pull_request:
- types:
- - closed
- schedule:
- - cron: 30 1 * * 6
- workflow_call:
- inputs:
- branch:
- type: string
- description: Branch to cleanup (e.g. refs/pull/1/merge)
- default: ${{ github.ref }}
- workflow_dispatch: {}
-
-permissions: read-all
-
-jobs:
- stale:
- runs-on: ubuntu-latest
- if: ${{ github.event_name == 'schedule' }}
- permissions:
- contents: write
- issues: write
- pull-requests: write
- steps:
- - name: Cleanup stale issues and PRs
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 https://github.com/actions/stale/commit/28ca1036281a5e5922ead5184a1bbf96e5fc984e
- with:
- any-of-labels: needs-more-info,needs-demo
- days-before-close: 5
- days-before-pr-close: -1
- days-before-stale: 30
- exempt-all-pr-assignees: true
- exempt-all-pr-milestones: true
- exempt-issue-milestones: future,alpha,beta
- stale-issue-label: no-issue-activity
- stale-issue-message: Message to comment on stale issues. If none provided, will not mark issues stale
- stale-pr-label: no-pr-activity
- stale-pr-message: Message to comment on stale PRs.
If none provided, will not mark PRs stale
-
- cache:
- runs-on: ubuntu-latest
- permissions:
- contents: write
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
- with:
- fetch-depth: 0
- persist-credentials: false
- - name: Cleanup cache
- shell: bash
- run: ./scripts/delete-gh-actions-cache.sh
- if: ${{ github.event_name == 'pull_request' && github.event.action == 'closed' }}
- env:
- BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO: ${{ github.repository }}
- - name: Cleanup cache
- shell: bash
- run: ./scripts/delete-gh-actions-cache.sh
- if: ${{ github.event_name != 'pull_request' }}
- env:
- BRANCH: ${{ inputs.branch || github.ref }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO: ${{ github.repository }}
diff --git a/.github/workflows/ondemand/scorecard.yml b/.github/workflows/ondemand/scorecard.yml
deleted file mode 100644
index 266d2b9..0000000
--- a/.github/workflows/ondemand/scorecard.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: Scorecard
-
-on:
- workflow_call:
- inputs:
- score-card-token:
- type: string
- description: GitHub token for Scorecard to use for publishing results
- publish-results:
- type: boolean
- description: Whether to publish results to OpenSSF REST API
-
-permissions:
- contents: write
- id-token: write
- security-events: write
-
-jobs:
- analysis:
- runs-on: ubuntu-latest
- if: ${{ github.ref == 'refs/heads/main' }}
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
- with:
- fetch-depth: 0
- persist-credentials: false
-
- - name: Run analysis
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 https://github.com/ossf/scorecard-action/commit/62b2cac7ed8198b15735ed49ab1e5cf35480ba46
- with:
- publish_results: true
- results_file: results.sarif
- results_format: sarif
-
- - name: Upload artifact
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
- with:
- path: results.sarif
-
- - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
- with:
- sarif_file: results.sarif
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 266d2b9..02d6787 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -10,15 +10,16 @@ on:
 type: boolean
 description: Whether to publish results to OpenSSF REST API

-permissions:
- contents: write
- id-token: write
- security-events: write
+permissions: read-all

 jobs:
 analysis:
 runs-on: ubuntu-latest
 if: ${{ github.ref == 'refs/heads/main' }}
+ permissions:
+ contents: write
+ id-token: write
+ security-events: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index 9998ff8..be5dbd7 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -24,5 +24,5 @@ jobs:
 uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
 timeout-minutes: 5
 env:
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 555feab..d110160 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -8,6 +8,10 @@ permissions: read-all
 jobs:
 trivy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ security-events: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
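Review bot: The job-level `permissions` map added under `analysis` replaces the workflow-level grant rather than merging with it, so after this hunk the job holds exactly `contents`, `id-token` and `security-events` at write and every other scope drops to none — the new `permissions: read-all` no longer applies to it. That is the right direction, but it should be stated so the next editor does not assume the two blocks add up: `# job-level permissions replace (not extend) the workflow-level read-all above`, and confirm no step needs another scope (the upstream Scorecard template lists `actions: read` for private repositories, if that applies here). The `analysis` job's steps continue past this hunk; since the pre-image blob `266d2b9` is the same one deleted as `ondemand/scorecard.yml` above, the unchanged remainder appears to still carry the `Upload artifact` step that `uses: actions/checkout@…` with `path: results.sarif`, which checks the repository out into that path instead of uploading the SARIF and should be switched to an upload-artifact action.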
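Review bot: `SONAR_HOST_URL` is disabled by commenting the line out rather than removing it, leaving no record of why the host is no longer supplied to the quality-gate step. If the action derives the server from the scanner's output and the variable is redundant, delete the line; if it is still required and the secret is simply unavailable, the gate will fail at runtime with nothing in the file to explain it. Either drop the line or replace it with a comment such as `# SONAR_HOST_URL intentionally unset: <reason>` so the omission reads as deliberate.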