diff --git a/.circleci/config.yml b/.circleci/config.yml index f749bc382..62d6ad3c1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,6 +1,6 @@ version: 2.1 orbs: - architect: giantswarm/architect@4.27.0 + architect: giantswarm/architect@5.0.1 workflows: build: @@ -13,42 +13,12 @@ workflows: tags: only: /^v.*/ - - architect/push-to-docker: - context: "architect" - name: push-app-operator-to-docker - image: "docker.io/giantswarm/app-operator" - username_envar: "DOCKER_USERNAME" - password_envar: "DOCKER_PASSWORD" - requires: - - go-build - # Needed to trigger job also on git tag. - filters: - tags: - only: /^v.*/ - - - architect/push-to-docker: - context: architect - name: push-app-operator-to-quay - image: "quay.io/giantswarm/app-operator" - username_envar: "QUAY_USERNAME" - password_envar: "QUAY_PASSWORD" - requires: - - go-build - filters: - # Trigger the job also on git tag. - tags: - only: /^v.*/ - - - architect/push-to-docker: + - architect/push-to-registries: context: architect - name: push-app-operator-to-aliyun - image: "registry-intl.cn-shanghai.aliyuncs.com/giantswarm/app-operator" - username_envar: "ALIYUN_USERNAME" - password_envar: "ALIYUN_PASSWORD" + name: push-to-registries requires: - go-build filters: - # Trigger the job also on git tag. tags: only: /^v.*/ @@ -59,7 +29,7 @@ workflows: app_catalog_test: "control-plane-test-catalog" chart: "app-operator" requires: - - push-app-operator-to-quay + - push-to-registries filters: tags: only: /^v.*/ @@ -67,6 +37,7 @@ workflows: - architect/integration-test: context: architect name: basic-integration-test + install-app-platform: false setup-script: "integration/setup/setup.sh" test-dir: "integration/test/app/basic" requires: @@ -106,8 +77,8 @@ workflows: app_name: "app-operator" app_collection_repo: "aws-app-collection" requires: - - push-app-operator-to-aliyun - push-app-operator-to-control-plane-app-catalog + - push-to-registries filters: branches: ignore: /.*/ @@ -129,9 +100,9 @@ workflows: - architect/push-to-app-collection: context: architect - name: push-app-operator-to-openstack-app-collection + name: push-app-operator-to-vsphere-app-collection app_name: "app-operator" - app_collection_repo: "openstack-app-collection" + app_collection_repo: "vsphere-app-collection" requires: - push-app-operator-to-control-plane-app-catalog filters: @@ -140,11 +111,12 @@ workflows: tags: only: /^v.*/ + - architect/push-to-app-collection: + name: push-to-cloud-director-app-collection context: architect - name: push-app-operator-to-vsphere-app-collection app_name: "app-operator" - app_collection_repo: "vsphere-app-collection" + app_collection_repo: "cloud-director-app-collection" requires: - push-app-operator-to-control-plane-app-catalog filters: @@ -153,12 +125,11 @@ workflows: tags: only: /^v.*/ - - architect/push-to-app-collection: - name: push-to-cloud-director-app-collection context: architect + name: push-to-capa-app-collection app_name: "app-operator" - app_collection_repo: "cloud-director-app-collection" + app_collection_repo: "capa-app-collection" requires: - push-app-operator-to-control-plane-app-catalog filters: @@ -169,9 +140,9 @@ workflows: - architect/push-to-app-collection: context: architect - name: push-to-capa-app-collection + name: push-to-capz-app-collection app_name: "app-operator" - app_collection_repo: "capa-app-collection" + app_collection_repo: "capz-app-collection" requires: - push-app-operator-to-control-plane-app-catalog filters: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..925c90050 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,3 @@ +## Checklist + +- [ ] Update changelog in CHANGELOG.md. diff --git a/.github/workflows/pre_commit_go.yaml b/.github/workflows/pre_commit_go.yaml index 9fa339da6..f3a28963e 100644 --- a/.github/workflows/pre_commit_go.yaml +++ b/.github/workflows/pre_commit_go.yaml @@ -3,23 +3,23 @@ name: pre-commit on: pull_request: push: - branches: [master] + branches: [main] jobs: pre-commit: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 - uses: actions/setup-go@v3 with: - go-version: "1.18.4" + go-version: "1.21" - name: Install goimports run: | go install golang.org/x/tools/cmd/goimports@latest - name: Install golangci-lint env: - GOLANGCI_LINT_VERSION: "v1.47.2" + GOLANGCI_LINT_VERSION: "v1.54.2" run: | curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | \ sudo sh -s -- -b $GOPATH/bin ${GOLANGCI_LINT_VERSION} diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml index 9e96e1d5d..97ba2aed3 100644 --- a/.github/workflows/zz_generated.add-team-labels.yaml +++ b/.github/workflows/zz_generated.add-team-labels.yaml @@ -14,9 +14,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/users.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest needs: build_user_list steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -45,7 +45,7 @@ jobs: done echo "EOF" >> $GITHUB_ENV - name: Apply label to issue - if: ${{ env.LABEL != '' }} + if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }} uses: actions-ecosystem/action-add-labels@v1 with: github_token: ${{ secrets.ISSUE_AUTOMATION }} diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml index 0392ed51f..32176b159 100644 --- a/.github/workflows/zz_generated.add-to-project-board.yaml +++ b/.github/workflows/zz_generated.add-to-project-board.yaml @@ -16,9 +16,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/users.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -28,9 +28,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/labels.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/label-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: labels path: artifacts/labels.yaml @@ -42,7 +42,7 @@ jobs: needs: build_user_list if: github.event.action == 'assigned' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -56,7 +56,7 @@ jobs: echo "BOARD=${BOARD}" >> $GITHUB_ENV - name: Add issue to personal board - if: ${{ env.BOARD != 'null' && env.BOARD != '' }} + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} uses: actions/add-to-project@main with: project-url: ${{ env.BOARD }} @@ -68,7 +68,7 @@ jobs: needs: build_user_list if: github.event.action == 'labeled' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-labels with: name: labels @@ -82,7 +82,7 @@ jobs: echo "BOARD=${BOARD}" >> $GITHUB_ENV - name: Add issue to team board - if: ${{ env.BOARD != 'null' && env.BOARD != '' }} + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} uses: actions/add-to-project@main with: project-url: ${{ env.BOARD }} diff --git a/.github/workflows/zz_generated.check_values_schema.yaml b/.github/workflows/zz_generated.check_values_schema.yaml index 3b11afd39..01e779bcd 100644 --- a/.github/workflows/zz_generated.check_values_schema.yaml +++ b/.github/workflows/zz_generated.check_values_schema.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.15.0 +# devctl@6.18.2 # name: 'Values and schema' on: @@ -9,8 +9,11 @@ on: - master - main paths: - - 'helm/**/values.yaml' - - 'helm/**/values.schema.json' + - 'helm/**/values.yaml' # default helm chart values + - 'helm/**/values.schema.json' # schema + - 'helm/**/ci/ci-values.yaml' # overrides for CI (can contain required entries) + + push: {} jobs: check: @@ -18,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -29,6 +32,22 @@ jobs: - name: 'Check if values.yaml is a valid instance of values.schema.json' run: | - HELM_DIR=$(dirname $(git diff --name-only origin/${GITHUB_BASE_REF} origin/${GITHUB_HEAD_REF} \ - | grep 'helm/[-a-z].*\/values\.' | head -1)) - ${HOME}/yajsv -s ${HELM_DIR}/values.schema.json ${HELM_DIR}/values.yaml + for chart_yaml in helm/*/Chart.yaml; do + helm_dir="${chart_yaml%/Chart.yaml}" + + if [ ! -f ${helm_dir}/values.schema.json ]; then + echo "Skipping validation for '${helm_dir}' folder, because 'values.schema.json' does not exist..." + continue + fi + + values=${helm_dir}/values.yaml + if [ -f ${helm_dir}/ci/ci-values.yaml ]; then + # merge ci-values.yaml into values.yaml (providing required values) + echo -e "\nMerged values:\n==============" + yq '. *= load("'${helm_dir}'/ci/ci-values.yaml")' ${helm_dir}/values.yaml | tee ${helm_dir}/combined-values.yaml + echo -e "\n==============\n" + values=${helm_dir}/combined-values.yaml + fi + + ${HOME}/yajsv -s ${helm_dir}/values.schema.json ${values} + done diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 31eee2e62..b9cd7f769 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.15.0 +# devctl@6.18.2 # name: Create Release on: @@ -15,7 +15,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -24,7 +24,7 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: project_go_path: ${{ steps.get_project_go_path.outputs.path }} ref_version: ${{ steps.ref_version.outputs.refversion }} @@ -32,11 +32,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" @@ -53,7 +52,7 @@ jobs: echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -66,11 +65,10 @@ jobs: echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi @@ -84,18 +82,18 @@ jobs: echo "refversion=${refversion}" >> $GITHUB_OUTPUT update_project_go: name: Update project.go - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: ${{ needs.gather_facts.outputs.version != '' && needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }} needs: - gather_facts steps: - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v1.1.0 with: binary: "architect" - version: "6.1.0" + version: "6.14.1" - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v1.1.0 with: binary: "semver" version: "3.2.0" @@ -103,7 +101,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Update project.go id: update_project_go env: @@ -122,8 +120,8 @@ jobs: fi - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Commit changes run: | file="${{ needs.gather_facts.outputs.project_go_path }}" @@ -131,22 +129,22 @@ jobs: git commit -m "Bump version to ${{ steps.update_project_go.outputs.new_version }}" - name: Push changes env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" branch: "${{ github.ref }}-version-bump" run: | git push "${REMOTE_REPO}" HEAD:${{ env.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ github.ref }}" branch: "${{ github.ref }}-version-bump" version: "${{ needs.gather_facts.outputs.version }}" title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | - hub pull-request -f -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }} + gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} create_release: name: Create release - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} @@ -154,7 +152,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go @@ -171,36 +169,35 @@ jobs: path: ./CHANGELOG.md - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create tag run: | version="${{ needs.gather_facts.outputs.version }}" git tag "v$version" ${{ github.sha }} - name: Push tag env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: actions/create-release@v1 + uses: ncipollo/release-action@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: body: ${{ steps.changelog_reader.outputs.changes }} - tag_name: "v${{ needs.gather_facts.outputs.version }}" - release_name: "v${{ needs.gather_facts.outputs.version }}" + tag: "v${{ needs.gather_facts.outputs.version }}" create-release-branch: name: Create release branch - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} steps: - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v1.1.0 with: binary: "semver" version: "3.0.0" @@ -208,7 +205,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 350b60e97..24a6a3199 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.15.0 +# devctl@6.18.2 # name: Create Release PR on: @@ -30,7 +30,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -39,12 +39,12 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: repo_name: ${{ steps.gather_facts.outputs.repo_name }} branch: ${{ steps.gather_facts.outputs.branch }} base: ${{ steps.gather_facts.outputs.base }} - is_major: ${{ steps.gather_facts.outputs.is_major }} + needs_major_bump: ${{ steps.gather_facts.outputs.needs_major_bump }} skip: ${{ steps.pr_exists.outputs.skip }} version: ${{ steps.gather_facts.outputs.version }} steps: @@ -65,7 +65,7 @@ jobs: version="$(echo $head | awk -F# '{print $NF}')" if [[ $version =~ ^major|minor|patch$ ]]; then - gh auth login --with-token <<<$(echo -n ${{ secrets.GITHUB_TOKEN }}) + gh auth login --with-token <<<$(echo -n ${{ secrets.TAYLORBOT_GITHUB_ACTION }}) gh_api_get_latest_release_version() { if ! version="$(gh api "repos/$1/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')" @@ -94,7 +94,9 @@ jobs: version_major=$((version_major+1)) version_minor=0 version_patch=0 - echo "is_major=true" >> $GITHUB_OUTPUT + if [[ "${version_major}" != "1" ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT + fi ;; *) echo "Unknown Semver level provided" @@ -109,8 +111,8 @@ jobs: version_patch=$(echo "${version}" | cut -d "." -f 3) # This will help us detect versions with suffixes as majors, i.e 3.0.0-alpha1. # Even though it's a pre-release, it's still a major. - if [[ $version_minor = 0 && $version_patch =~ ^0.* ]]; then - echo "is_major=true" >> $GITHUB_OUTPUT + if [[ $version_minor = 0 && $version_patch =~ ^0.* && $version_major != 1 ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT fi fi repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" @@ -122,17 +124,19 @@ jobs: - name: Check if PR exists id: pr_exists env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" run: | - if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} | grep -i 'state:[[:space:]]*open' >/dev/null; then - gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} + head="${{ steps.gather_facts.outputs.branch }}" + branch="${head#refs/heads/}" # Strip "refs/heads/" prefix. + if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then + gh pr view --repo "${{ github.repository }}" "${branch}" echo "skip=true" >> $GITHUB_OUTPUT else echo "skip=false" >> $GITHUB_OUTPUT fi create_release_pr: name: Create release PR - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.skip != 'true' }} @@ -143,12 +147,12 @@ jobs: with: go-version: '=1.18.1' - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v1.1.0 with: binary: "architect" - version: "6.1.0" + version: "6.11.0" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes @@ -198,14 +202,14 @@ jobs: - name: Bump go module defined in go.mod if needed run: | - if [ "${{ needs.gather_facts.outputs.is_major }}" = true ] && test -f "go.mod"; then - go install github.com/marwan-at-work/mod/cmd/mod@v0.4.2 + if [ "${{ needs.gather_facts.outputs.needs_major_bump }}" = true ] && test -f "go.mod"; then + go install github.com/marwan-at-work/mod/cmd/mod@v0.5.0 mod upgrade fi - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create release commit env: version: "${{ needs.gather_facts.outputs.version }}" @@ -214,13 +218,13 @@ jobs: git commit -m "Release v${{ env.version }}" - name: Push changes env: - remote_repo: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} + gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch }}" diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index 3cddf8550..95c751a4a 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.15.0 +# devctl@6.18.2 # name: gitleaks @@ -10,8 +10,8 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: '0' - name: gitleaks-action - uses: zricethezav/gitleaks-action@v1.6.0 + uses: giantswarm/gitleaks-action@main diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 000000000..8be5ee456 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml @@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.18.2 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.3.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + with: + sarif_file: results.sarif diff --git a/helm/app-operator/values.schema.json b/helm/app-operator/values.schema.json new file mode 100644 index 000000000..35f9d0012 --- /dev/null +++ b/helm/app-operator/values.schema.json @@ -0,0 +1,246 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "app": { + "type": "object", + "properties": { + "dependencyWaitTimeoutMinutes": { + "type": "integer" + }, + "watchNamespace": { + "type": "string" + }, + "workloadClusterID": { + "type": "string" + } + } + }, + "bootstrapMode": { + "type": "object", + "properties": { + "apiServerPodPort": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + } + } + }, + "deployment": { + "type": "object", + "properties": { + "management": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "workload": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + } + } + }, + "global": { + "type": "object", + "properties": { + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" + } + } + } + } + }, + "groupID": { + "type": "integer" + }, + "helm": { + "type": "object", + "properties": { + "http": { + "type": "object", + "properties": { + "clientTimeout": { + "type": "string" + } + } + } + } + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "array", + "items": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + }, + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "operatorkit": { + "type": "object", + "properties": { + "resyncPeriod": { + "type": "string" + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "port": { + "type": "integer" + }, + "project": { + "type": "object", + "properties": { + "branch": { + "type": "string" + }, + "commit": { + "type": "string" + } + } + }, + "protocol": { + "type": "string" + }, + "provider": { + "type": "object", + "properties": { + "kind": { + "type": "string" + } + } + }, + "registry": { + "type": "object", + "properties": { + "domain": { + "type": "string" + } + } + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "type": "object", + "properties": { + "drop": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "privileged": { + "type": "boolean" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "seccompProfile": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + } + } + }, + "userID": { + "type": "integer" + }, + "verticalPodAutoscaler": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } +}