From 9179dc54e3193e7a55067ddc6eeab8a8e4aaffdf Mon Sep 17 00:00:00 2001 From: Makito Date: Thu, 9 Jan 2025 14:35:21 +0800 Subject: [PATCH] chore(ci): workflow security audit --- .../actions/select-gateway-image/action.yml | 6 +- .github/dependabot.yml | 1 - .github/workflows/.reusable_build.yml | 3 - ..._tests_oss.yml => .reusable_e2e_tests.yml} | 27 +++-- .github/workflows/.reusable_e2e_tests_ee.yml | 110 ------------------ .github/workflows/.reusable_test_image.yml | 54 +++------ .github/workflows/release.yml | 42 +++---- .github/workflows/test.yml | 31 ++--- .../specs-ee/plugins/01-Plugins.spec.ts | 11 -- 9 files changed, 57 insertions(+), 228 deletions(-) rename .github/workflows/{.reusable_e2e_tests_oss.yml => .reusable_e2e_tests.yml} (86%) delete mode 100644 .github/workflows/.reusable_e2e_tests_ee.yml delete mode 100644 tests/playwright/specs-ee/plugins/01-Plugins.spec.ts diff --git a/.github/actions/select-gateway-image/action.yml b/.github/actions/select-gateway-image/action.yml index d9122b6..06477c5 100644 --- a/.github/actions/select-gateway-image/action.yml +++ b/.github/actions/select-gateway-image/action.yml @@ -4,9 +4,6 @@ description: inputs: current-image: description: If this optional input is not empty, the action will select the provided image. - enterprise: - description: Whether or not to use enterprise Gateway images. - default: 'false' # a string instead of a boolean outputs: image: @@ -19,8 +16,7 @@ runs: id: select-image shell: bash env: - DEFAULT_GATEWAY_IMAGE: |- - ${{ format('{0}', inputs.enterprise) == 'true' && 'kong/kong-gateway-internal:nightly-ubuntu' || 'kong/kong:master-ubuntu' }} + DEFAULT_GATEWAY_IMAGE: kong/kong:master-ubuntu run: | GATEWAY_IMAGE="${{ inputs.current-image }}" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fa15a44..2dd3161 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
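Review bot: The new `DEFAULT_GATEWAY_IMAGE: kong/kong:master-ubuntu` in the second action.yml hunk pins the fallback to a mutable tag, so whatever is pushed to that tag silently changes what every run tests; for an audit-oriented change either pin by digest (`kong/kong:master-ubuntu@sha256:<digest>`, placeholder) or add a comment stating why a moving tag is acceptable here. The context line `GATEWAY_IMAGE="${{ inputs.current-image }}"` still interpolates the input directly into the `run:` script text; since this hunk already edits the step's `env:` block, mapping it there (`CURRENT_IMAGE: ${{ inputs.current-image }}` and then `GATEWAY_IMAGE="$CURRENT_IMAGE"` in the script) keeps the value out of the shell source. The step's `run:` body continues outside the hunk.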
@@ -9,7 +9,6 @@ registries: npm: type: npm-registry url: https://registry.npmjs.org - token: ${{secrets.NPM_TOKEN_PRIVATE_READ}} replaces-base: true updates: diff --git a/.github/workflows/.reusable_build.yml b/.github/workflows/.reusable_build.yml index 623f039..03579f2 100644 --- a/.github/workflows/.reusable_build.yml +++ b/.github/workflows/.reusable_build.yml @@ -5,9 +5,6 @@ name: Install Dependencies, Run Lint & Build on: workflow_call: -env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }} - jobs: lint: name: Run lint diff --git a/.github/workflows/.reusable_e2e_tests_oss.yml b/.github/workflows/.reusable_e2e_tests.yml similarity index 86% rename from .github/workflows/.reusable_e2e_tests_oss.yml rename to .github/workflows/.reusable_e2e_tests.yml index 9262e75..9ebba7d 100644 --- a/.github/workflows/.reusable_e2e_tests_oss.yml +++ b/.github/workflows/.reusable_e2e_tests.yml @@ -1,6 +1,6 @@ # This is a BASE reusable workflow used by other workflows for E2E testing with Gateway CE -name: Run E2E Tests - OSS +name: Run E2E Tests on: workflow_call: @@ -13,9 +13,9 @@ on: retries: type: number default: 0 - -env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }} + load-test-image-from-artifact: + type: boolean + default: false jobs: e2e-tests: @@ -72,15 +72,20 @@ jobs: pnpm install:e2e pnpm playwright install chromium - - name: Log in to GitHub Container Registry - timeout-minutes: 1 - uses: docker/login-action@v2 + - name: Download test image + if: ${{ inputs.load-test-image-from-artifact }} + timeout-minutes: 5 + uses: actions/download-artifact@v4 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + name: docker-test-image + + - name: Load test image + if: ${{ inputs.load-test-image-from-artifact }} + run: | + gunzip -c docker-test-image.tar.gz | docker load - name: Select Gateway image + if: ${{ !inputs.load-test-image-from-artifact }} id: select-gateway-image uses: ./.github/actions/select-gateway-image with: 
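Review bot: Dropping `token:` from the npm registry entry leaves `replaces-base: true` pointing at registry.npmjs.org with no credentials, so the block now only restates the default, and if any dependency was previously resolved with that token, Dependabot updates for it will start failing quietly. The same secret is removed as `NPM_TOKEN` from `.reusable_build.yml` on this line, from `.reusable_e2e_tests.yml` in the following hunk, and from the `release` job in release.yml; before merging, confirm that no `.npmrc` in the repository still references `${NPM_TOKEN}`, since npm and pnpm typically refuse to run with an unresolved variable in `.npmrc`. If the registry override is no longer needed at all, removing the whole `registries:` entry is cleaner than keeping an empty one.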
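Review bot: When `load-test-image-from-artifact` is true the `Select Gateway image` step is skipped, so `steps.select-gateway-image.outputs.image` is empty for the rest of the job; the `Start Kong` step lies outside this hunk, but the sibling EE workflow deleted by this commit reads exactly that output into `GATEWAY_IMAGE`, and the diffstat shows no other change to this file, so compose would likely be started with an empty image. Fall back to the caller-supplied input there, e.g. `GATEWAY_IMAGE: ${{ steps.select-gateway-image.outputs.image || inputs.gateway-image }}`. The new `Load test image` step also has no `timeout-minutes` unlike its neighbours, and it assumes the tarball restores an image under the same name `inputs.gateway-image` carries; a one-line comment noting that the artifact is produced by `.reusable_test_image.yml` in the same run would make that contract explicit.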
@@ -114,7 +119,7 @@ jobs: docker compose -f .ci/docker-compose.yml logs exit $_compose_exit - - name: Run E2E tests - OSS + - name: Run E2E tests timeout-minutes: 10 env: KM_TEST_GUI_URL: ${{ inputs.base-url }} diff --git a/.github/workflows/.reusable_e2e_tests_ee.yml b/.github/workflows/.reusable_e2e_tests_ee.yml deleted file mode 100644 index 1724f5e..0000000 --- a/.github/workflows/.reusable_e2e_tests_ee.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -# This is a BASE reusable workflow used by other workflows for E2E testing with Gateway EE - -name: Run E2E Tests - EE - -on: - workflow_call: - inputs: - base-url: - type: string - default: http://localhost:8002 - gateway-image: - type: string - retries: - type: number - default: 0 - -env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }} - -jobs: - e2e-tests: - strategy: - matrix: - suite: - - plugins - fail-fast: false - name: ${{ matrix.suite }} - runs-on: ${{ vars.RUNS_ON }} - - steps: - - name: Checkout source code - uses: actions/checkout@v3 - - - uses: pnpm/action-setup@v2 # version is determined from the packageManager field in package.json by default. - - - name: Download assets - timeout-minutes: 5 - uses: actions/download-artifact@v4 - with: - name: assets - - - name: Unpack assets - run: tar xzvf ./assets.tar.gz - - - id: setup-node - name: Setup Node - timeout-minutes: 5 - uses: actions/setup-node@v3 - with: - node-version-file: ".nvmrc" - cache: pnpm - - - name: Install Playwright - timeout-minutes: 10 - run: | - pnpm install:e2e - pnpm playwright install chromium - - - name: Log in to GitHub Container Registry - timeout-minutes: 1 - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Log in to Docker Hub - timeout-minutes: 1 - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - username: ${{ secrets.DOCKER_PULL_USER }} - password: ${{ secrets.DOCKER_PULL_PASSWORD }} - - - name: Select Gateway image - id: select-gateway-image - uses: ./.github/actions/select-gateway-image - with: - current-image: ${{ inputs.gateway-image }} - enterprise: true - - - name: Start Kong - timeout-minutes: 10 - working-directory: ${{ github.workspace }} - env: - GATEWAY_IMAGE: ${{ steps.select-gateway-image.outputs.image }} - run: | - _compose_exit=0 - docker compose -f .ci/docker-compose.yml up -d kong --wait || _compose_exit=$? 
- docker compose -f .ci/docker-compose.yml logs - exit $_compose_exit - - - name: Run E2E tests - EE - timeout-minutes: 10 - env: - KM_TEST_GUI_URL: ${{ inputs.base-url }} - run: | - pnpm test:e2e \ - --pass-with-no-tests \ - --retries ${{ inputs.retries }} \ - --reporter=list \ - ${{ format('specs-ee/{0}/', matrix.suite) }} - - - name: Upload results - if: ${{ !cancelled() }} - continue-on-error: true - uses: actions/upload-artifact@v4 - with: - name: results-${{ matrix.suite }} - path: tests/playwright/test-results/ - retention-days: 1 diff --git a/.github/workflows/.reusable_test_image.yml b/.github/workflows/.reusable_test_image.yml index 20446a3..d263690 100644 --- a/.github/workflows/.reusable_test_image.yml +++ b/.github/workflows/.reusable_test_image.yml @@ -1,8 +1,8 @@ # This is a reusable workflow -# This workflow builds the test image for testing purposes and pushes it to ghcr.io +# This workflow builds the test image for testing purposes -name: Build and Push Test Image to GHCR +name: Build Test Image on: workflow_call: @@ -10,24 +10,17 @@ on: gateway-image: description: Name of the Gateway image (base) to use type: string - enterprise: - description: Whether or not to use enterprise Gateway images - type: boolean - default: false outputs: image: description: Name of the Gateway test image being built - value: ${{ jobs.build-and-push-test-image.outputs.image }} + value: ${{ jobs.build-test-image.outputs.image }} jobs: - build-and-push-test-image: - name: Build and push test image + build-test-image: + name: Build test image runs-on: ${{ vars.RUNS_ON }} - permissions: - contents: read - packages: write outputs: - image: ${{ steps.build-and-push.outputs.image }} + image: ${{ steps.build-and-save.outputs.image }} steps: - name: Checkout source code 
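Review bot: Removing the job-level `permissions:` block together with `packages: write` in the `@@ -10,24 +10,17 @@` hunk makes the renamed `build-test-image` job fall back to the calling workflow's or repository's default `GITHUB_TOKEN` permissions, which are commonly broader than a build-only job needs. Since the job now only checks out, builds and uploads an artifact, keep an explicit least-privilege grant: `permissions:` followed by `contents: read`. The job's remaining steps continue outside the hunk.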
@@ -47,23 +40,6 @@ jobs: uses: ./.github/actions/select-gateway-image with: current-image: ${{ inputs.gateway-image }} - enterprise: ${{ format('{0}', inputs.enterprise) }} # ensure it is a string - - - name: Log in to Docker Hub - if: ${{ format('{0}', inputs.enterprise) == 'true' }} - timeout-minutes: 1 - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - username: ${{ secrets.DOCKER_PULL_USER }} - password: ${{ secrets.DOCKER_PULL_PASSWORD }} - - - name: Log in to GitHub Container Registry - timeout-minutes: 1 - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - name: Pull and inspect base image timeout-minutes: 5 @@ -71,15 +47,21 @@ jobs: docker pull ${{ steps.select-gateway-image.outputs.image }} docker inspect ${{ steps.select-gateway-image.outputs.image }} - - name: Build and push image - id: build-and-push + - name: Build and save image + id: build-and-save env: GATEWAY_IMAGE: ${{ steps.select-gateway-image.outputs.image }} - GATEWAY_TEST_IMAGE: |- - ghcr.io/kong/${{ format('{0}', inputs.enterprise) == 'true' && 'kong-admin-kong-ee' || 'kong-manager' }}:${{ github.sha }} - + GATEWAY_TEST_IMAGE: kong/internal-testing-kong-manager:${{ github.sha }} # Image name here is only used for internal testing run: | export KONG_MANAGER_BUILD_SHA1=$(cat dist/build.sha1) docker compose -f .ci/docker-compose.yml build kong-test-image - docker compose -f .ci/docker-compose.yml push kong-test-image + docker save kong-test-image | gzip > docker-test-image.tar.gz echo "image=$GATEWAY_TEST_IMAGE" >> $GITHUB_OUTPUT + + - name: Upload test image + timeout-minutes: 5 + uses: actions/upload-artifact@v4 + with: + name: docker-test-image + path: ./docker-test-image.tar.gz + if-no-files-found: error # It's meaningless to continue if the image is missing diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a126591..9a0caf2 100644 
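Review bot: `docker save kong-test-image` in the `Build and save image` step names the compose service, while the tag actually exported to callers is `$GATEWAY_TEST_IMAGE` (`kong/internal-testing-kong-manager:<sha>`); unless `.ci/docker-compose.yml` tags the built image literally as `kong-test-image`, `docker save` will either fail or export an image whose name differs from the `gateway-image` the E2E workflow receives. Saving by the exported name, `docker save "$GATEWAY_TEST_IMAGE" | gzip > docker-test-image.tar.gz`, keeps the artifact and the job output consistent. With the login steps removed in the first hunk, `Pull and inspect base image` now pulls from Docker Hub anonymously, which is subject to tighter pull rate limits on shared runners; if that is intentional, a short comment on that step would save the next reader from re-adding the login.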
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,8 @@ on: tags-ignore: - nightly + pull_request: # TODO: REMOVE ME BEFORE MERGING + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -17,42 +19,25 @@ jobs: uses: ./.github/workflows/.reusable_build.yml secrets: inherit - build-and-push-test-image-oss: - name: Build and Push Test Image to GHCR - OSS - uses: ./.github/workflows/.reusable_test_image.yml - needs: build - secrets: inherit - - build-and-push-test-image-ee: - name: Build and Push Test Image to GHCR - EE + build-test-image: + name: Build Test Image uses: ./.github/workflows/.reusable_test_image.yml needs: build secrets: inherit - with: - enterprise: true - - e2e-tests-oss: - name: E2E Tests - OSS - needs: build-and-push-test-image-oss - uses: ./.github/workflows/.reusable_e2e_tests_oss.yml - with: - gateway-image: ${{ needs.build-and-push-test-image-oss.outputs.image }} - secrets: inherit - e2e-tests-ee: - name: E2E Tests - EE - needs: build-and-push-test-image-ee - uses: ./.github/workflows/.reusable_e2e_tests_ee.yml + e2e-tests: + name: E2E Tests + needs: build-test-image + uses: ./.github/workflows/.reusable_e2e_tests.yml with: - gateway-image: ${{ needs.build-and-push-test-image-ee.outputs.image }} + gateway-image: ${{ needs.build-test-image.outputs.image }} + load-test-image-from-artifact: true secrets: inherit release: name: Release runs-on: ${{ vars.RUNS_ON }} - needs: [e2e-tests-oss, e2e-tests-ee] - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PRIVATE_READ }} + needs: e2e-tests steps: - name: Checkout source code 
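Review bot: The added `pull_request:` trigger in the first release.yml hunk, combined with the `true ||` condition and `RELEASE_TAG_NAME: test-nightly` in the `@@ -78,11 +63,12 @@` hunk, makes the `release` job run `.ci/release-nightly.sh` with `GH_TOKEN: ${{ github.token }}` for every pull request, i.e. it publishes a release from unreviewed PR content; the `TODO: REMOVE ME BEFORE MERGING` marker says this is temporary, but nothing in the workflow enforces that. If the goal is to exercise the pipeline on PRs, gate the publishing step instead, e.g. `if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'`, and restore `RELEASE_TAG_NAME: nightly`. The `release` job's steps continue outside the hunk.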
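Review bot: The rewired `e2e-tests` job in the second release.yml hunk still passes `secrets: inherit` to `.reusable_e2e_tests.yml`, yet as far as the visible hunks show that workflow no longer logs in to any registry or reads `NPM_TOKEN`, so every repository secret is exposed to a job that appears to need none of them; the `e2e-tests` job in test.yml has the same line. Drop `secrets: inherit` on both, or replace it with an explicit `secrets:` map naming the one secret that turns out to be required. The `build-test-image` job in this hunk likewise inherits all secrets after the Docker Hub login was removed from `.reusable_test_image.yml`; it may be reducible the same way, though its install steps outside the diff should be checked first.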
@@ -78,11 +63,12 @@ jobs: run: bash .ci/release-non-nightly.sh - name: Release nightly - if: github.ref == 'refs/heads/main' + if: | + true || github.ref == 'refs/heads/main' timeout-minutes: 5 env: GH_TOKEN: ${{ github.token }} GH_REPOSITORY: ${{ github.repository }} - RELEASE_TAG_NAME: nightly + RELEASE_TAG_NAME: test-nightly # nightly RELEASE_TARGET: ${{ github.sha }} run: bash .ci/release-nightly.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 54fd9f2..e1fd502 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,32 +13,17 @@ jobs: uses: ./.github/workflows/.reusable_build.yml secrets: inherit - build-and-push-test-image-oss: - name: Build and Push Test Image to GHCR - OSS + build-test-image: + name: Build Test Image uses: ./.github/workflows/.reusable_test_image.yml needs: build secrets: inherit - build-and-push-test-image-ee: - name: Build and Push Test Image to GHCR - EE - uses: ./.github/workflows/.reusable_test_image.yml - needs: build - secrets: inherit - with: - enterprise: true - - e2e-tests-oss: - name: E2E Tests - OSS - needs: build-and-push-test-image-oss - uses: ./.github/workflows/.reusable_e2e_tests_oss.yml - with: - gateway-image: ${{ needs.build-and-push-test-image-oss.outputs.image }} - secrets: inherit - - e2e-tests-ee: - name: E2E Tests - EE - needs: build-and-push-test-image-ee - uses: ./.github/workflows/.reusable_e2e_tests_ee.yml + e2e-tests: + name: E2E Tests + needs: build-test-image + uses: ./.github/workflows/.reusable_e2e_tests.yml with: - gateway-image: ${{ needs.build-and-push-test-image-ee.outputs.image }} + gateway-image: ${{ needs.build-test-image.outputs.image }} + load-test-image-from-artifact: true secrets: inherit diff --git a/tests/playwright/specs-ee/plugins/01-Plugins.spec.ts b/tests/playwright/specs-ee/plugins/01-Plugins.spec.ts deleted file mode 100644 index 834dd9e..0000000 --- a/tests/playwright/specs-ee/plugins/01-Plugins.spec.ts +++ /dev/null 
@@ -1,11 +0,0 @@
-import { expect } from '@playwright/test'
-import baseTest from '@pw/base-test'
-
-const test = baseTest()
-
-test.describe('PLACEHOLDER', () => {
- test.skip('is enterprise edition', async ({ page }) => {
- await page.goto('/')
- await expect(page.locator('[aria-label="Gateway"] .info-list')).toContainText('enterprise')
- })
-})