diff --git a/.circleci/config.yml b/.circleci/config.yml index c050cb0ca..62d6ad3c1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,6 +1,6 @@ version: 2.1 orbs: - architect: giantswarm/architect@4.31.0 + architect: giantswarm/architect@5.0.1 workflows: build: @@ -13,42 +13,12 @@ workflows: tags: only: /^v.*/ - - architect/push-to-docker: - context: "architect" - name: push-app-operator-to-docker - image: "docker.io/giantswarm/app-operator" - username_envar: "DOCKER_USERNAME" - password_envar: "DOCKER_PASSWORD" - requires: - - go-build - # Needed to trigger job also on git tag. - filters: - tags: - only: /^v.*/ - - - architect/push-to-docker: - context: architect - name: push-app-operator-to-quay - image: "quay.io/giantswarm/app-operator" - username_envar: "QUAY_USERNAME" - password_envar: "QUAY_PASSWORD" - requires: - - go-build - filters: - # Trigger the job also on git tag. - tags: - only: /^v.*/ - - - architect/push-to-docker: + - architect/push-to-registries: context: architect - name: push-app-operator-to-aliyun - image: "giantswarm-registry.cn-shanghai.cr.aliyuncs.com/giantswarm/app-operator" - username_envar: "ALIYUN_USERNAME" - password_envar: "ALIYUN_PASSWORD" + name: push-to-registries requires: - go-build filters: - # Trigger the job also on git tag. tags: only: /^v.*/ @@ -59,7 +29,7 @@ workflows: app_catalog_test: "control-plane-test-catalog" chart: "app-operator" requires: - - push-app-operator-to-quay + - push-to-registries filters: tags: only: /^v.*/ @@ -107,8 +77,8 @@ workflows: app_name: "app-operator" app_collection_repo: "aws-app-collection" requires: - - push-app-operator-to-aliyun - push-app-operator-to-control-plane-app-catalog + - push-to-registries filters: branches: ignore: /.*/ @@ -168,6 +138,19 @@ workflows: tags: only: /^v.*/ + - architect/push-to-app-collection: + context: architect + name: push-to-capz-app-collection + app_name: "app-operator" + app_collection_repo: "capz-app-collection" + requires: + - push-app-operator-to-control-plane-app-catalog + filters: + branches: + ignore: /.*/ + tags: + only: /^v.*/ + - architect/push-to-app-collection: context: architect name: push-to-gcp-app-collection diff --git a/.github/workflows/pre_commit_go.yaml b/.github/workflows/pre_commit_go.yaml index 7f2ddf40a..f3a28963e 100644 --- a/.github/workflows/pre_commit_go.yaml +++ b/.github/workflows/pre_commit_go.yaml @@ -3,7 +3,7 @@ name: pre-commit on: pull_request: push: - branches: [master] + branches: [main] jobs: pre-commit: @@ -13,13 +13,13 @@ jobs: - uses: actions/setup-python@v4 - uses: actions/setup-go@v3 with: - go-version: "1.18.4" + go-version: "1.21" - name: Install goimports run: | go install golang.org/x/tools/cmd/goimports@latest - name: Install golangci-lint env: - GOLANGCI_LINT_VERSION: "v1.47.2" + GOLANGCI_LINT_VERSION: "v1.54.2" run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | \ sudo sh -s -- -b $GOPATH/bin ${GOLANGCI_LINT_VERSION} diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml index 4a2db906d..97ba2aed3 100644 --- a/.github/workflows/zz_generated.add-team-labels.yaml +++ b/.github/workflows/zz_generated.add-team-labels.yaml @@ -16,7 +16,7 @@ jobs: -O artifacts/users.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest needs: build_user_list steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml index ae6b3986f..32176b159 100644 --- a/.github/workflows/zz_generated.add-to-project-board.yaml +++ b/.github/workflows/zz_generated.add-to-project-board.yaml @@ -18,7 +18,7 @@ jobs: -O artifacts/users.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -30,7 +30,7 @@ jobs: -O artifacts/labels.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: labels path: artifacts/labels.yaml @@ -42,7 +42,7 @@ jobs: needs: build_user_list if: github.event.action == 'assigned' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -68,7 +68,7 @@ jobs: needs: build_user_list if: github.event.action == 'labeled' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-labels with: name: labels diff --git a/.github/workflows/zz_generated.check_values_schema.yaml b/.github/workflows/zz_generated.check_values_schema.yaml index c450aeeaa..01e779bcd 100644 --- a/.github/workflows/zz_generated.check_values_schema.yaml +++ b/.github/workflows/zz_generated.check_values_schema.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.9.0 +# devctl@6.18.2 # name: 'Values and schema' on: @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 57c5dd5ca..b9cd7f769 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.9.0 +# devctl@6.18.2 # name: Create Release on: @@ -32,11 +32,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" @@ -53,7 +52,7 @@ jobs: echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -66,11 +65,10 @@ jobs: echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi @@ -93,7 +91,7 @@ jobs: uses: giantswarm/install-binary-action@v1.1.0 with: binary: "architect" - version: "6.11.0" + version: "6.14.1" - name: Install semver uses: giantswarm/install-binary-action@v1.1.0 with: @@ -103,7 +101,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Update project.go id: update_project_go env: @@ -143,7 +141,7 @@ jobs: version: "${{ needs.gather_facts.outputs.version }}" title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | - hub pull-request -f -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }} + gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} create_release: name: Create release runs-on: ubuntu-22.04 @@ -154,7 +152,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go @@ -184,13 +182,12 @@ jobs: git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: actions/create-release@v1 + uses: ncipollo/release-action@v1 env: GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: body: ${{ steps.changelog_reader.outputs.changes }} - tag_name: "v${{ needs.gather_facts.outputs.version }}" - release_name: "v${{ needs.gather_facts.outputs.version }}" + tag: "v${{ needs.gather_facts.outputs.version }}" create-release-branch: name: Create release branch @@ -208,7 +205,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 6f07166ea..24a6a3199 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.9.0 +# devctl@6.18.2 # name: Create Release PR on: @@ -152,7 +152,7 @@ jobs: binary: "architect" version: "6.11.0" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes @@ -227,4 +227,4 @@ jobs: base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} + gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch }}" diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index 2c70a482b..95c751a4a 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.9.0 +# devctl@6.18.2 # name: gitleaks @@ -10,8 +10,8 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: '0' - name: gitleaks-action - uses: zricethezav/gitleaks-action@v1.6.0 + uses: giantswarm/gitleaks-action@main diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 000000000..8be5ee456 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml @@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.18.2 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.3.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif