Skip to content

Commit

Permalink
temporary commit
Browse files Browse the repository at this point in the history
Signed-off-by: Bart Smykla <[email protected]>
  • Loading branch information
bartsmykla committed Dec 12, 2024
1 parent 9619470 commit 0d0f6e5
Showing 1 changed file with 33 additions and 153 deletions.
186 changes: 33 additions & 153 deletions .github/workflows/build-test-distribute.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -51,158 +51,38 @@ jobs:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version-file: go.mod
cache: false
- uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
args: --fix=false --verbose
version: v1.61.0
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: |
${{ env.CI_TOOLS_DIR }}
key: ${{ runner.os }}-${{ runner.arch }}-devtools-${{ hashFiles('mk/dependencies/deps.lock') }}
restore-keys: |
${{ runner.os }}-${{ runner.arch }}-devtools
- run: |
make dev/tools
- run: |
make clean
- run: |
make check
- name: "Set metadata for downstream jobs"
id: metadata
run: |
echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
# "make check" puts binaries in ./build/tools (see mk/generate.mk: $(POLICY_GEN)
# and $(RESOURCE_GEN)), which are unnecessarily included in the SBOM.
# Running the SCA step before "make check" might seem like a solution, but it
# generates report files (e.g., sbom.spdx.json, cve-report.json) in the working
# directory. These files cause "make check" to fail, as it checks if no files
# in the repository were modified, deleted, or added after its process.
# It doesn't recognize that the SBOM and CVE report files were added earlier
# and should be ignored. Since we currently can't change the working directory
# for the SCA step, it must run after "make check." Instead, we clean ./build
# after "make check" to exclude tool binaries from the SBOM.
- run: |
make clean/build
- name: "Generate SBOM and CVE report (Software Composition Analysis)"
id: sca-project
uses: Kong/public-shared-actions/security-actions/sca@0ccacffed804d85da3f938a1b78c12831935f992 # v2.8.0
env:
SYFT_SOURCE_NAME: ${{ github.repository }}
SYFT_SOURCE_VERSION: ${{ steps.metadata.outputs.version }}
with:
dir: .
config: .syft.yaml
upload-sbom-release-assets: true
test:
permissions:
contents: read
needs: ["check"]
uses: ./.github/workflows/_test.yaml
with:
FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
RUNNERS_BY_ARCH: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '{"amd64":"ubuntu-latest-kong","arm64":"ubuntu-latest-arm64-kong"}' || '{"amd64":"ubuntu-latest","arm64":""}' }}
secrets: inherit
build_publish:
permissions:
contents: read
id-token: write
needs: ["check", "test"]
uses: ./.github/workflows/_build_publish.yaml
if: ${{ fromJSON(needs.check.outputs.BUILD) }}
with:
FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
ALLOW_PUSH: ${{ needs.check.outputs.ALLOW_PUSH }}
IMAGE_ARTIFACT_NAME: "image_artifacts"
BINARY_ARTIFACT_NAME: "binary_artifacts"
IMAGES: ${{ needs.check.outputs.IMAGES }}
REGISTRY: ${{ needs.check.outputs.REGISTRY }}
NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
VERSION_NAME: ${{ needs.check.outputs.VERSION_NAME }}
secrets: inherit
provenance:
needs: ["check", "build_publish"]
if: ${{ github.ref_type == 'tag' }}
uses: ./.github/workflows/_provenance.yaml
secrets: inherit
permissions:
contents: write
id-token: write # For using token to sign images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
with:
BINARY_ARTIFACTS_HASH_AS_FILE: ${{ needs.build_publish.outputs.BINARY_ARTIFACT_DIGEST_BASE64 }}
IMAGES: ${{ needs.check.outputs.IMAGES }}
REGISTRY: ${{ needs.check.outputs.REGISTRY }}
NOTARY_REPOSITORY: ${{ needs.check.outputs.NOTARY_REPOSITORY }}
IMAGE_DIGESTS: ${{ needs.build_publish.outputs.IMAGE_DIGESTS }}
distributions:
needs: ["build_publish", "check", "test", "provenance"]
timeout-minutes: 10
if: ${{ always() }}
runs-on: ubuntu-latest
permissions:
contents: read
actions: read # For getting workflow run info
env:
SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
steps:
- name: "Halt due to previous failures"
run: |-
echo "results: ${{ toJson(needs.*.result) }}"
# for some reason, GH Action will always trigger a downstream job even if there are errors in an dependent job
# so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
[[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
echo "All dependent jobs succeeded"
- name: "Download all SBOM assets"
id: collect_sbom
if: ${{ needs.build_publish.result == 'success' }}
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
pattern: "*sbom.{cyclonedx,spdx}.json"
merge-multiple: true
- name: Check PR title
# Check PR title against the Conventional Commits format using commitlint.
# For more details, see: https://www.conventionalcommits.org/en/v1.0.0/
# This ensures the PR title matches the conventonal commit title format
# as it will be usead as a commit name after squashing.
# See: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/about-pull-request-merges#merge-message-for-a-squash-merge.
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Download binary artifact provenance"
if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
id: collect_provenance
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
pattern: ${{ github.event.repository.name }}.intoto.jsonl
merge-multiple: true
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Generate security assets TAR"
if: ${{ needs.build_publish.result == 'success' }}
id: security_assets_metadata
# Use an intermediate environment variable to safely handle the PR title
# and avoid potential injection risks. See:
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TITLE: ${{ github.event.pull_request.title }}
run: |
cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
ls -alR .
# Publish aggregated zip file of SBOMs and/or Binary Provenance to artifact regstry
- name: Push security assets to cloudsmith
id: push_security_assets
if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}
uses: cloudsmith-io/action@7af394e0f8add4867bce109385962dafecad1b8d # v0.6.14
with:
api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
command: "push"
format: "raw"
owner: "kong"
repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
version: "${{ needs.check.outputs.VERSION_NAME }}"
file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
summary: "SLSA security artifacts for ${{ github.repository }}"
description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"
use-executable: "false"
# Create a temporary commitlint configuration file
cat <<EOF > commitlint.config.js
module.exports = {
extends: ["@commitlint/config-conventional"],
helpUrl: "https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#commit-message-format",
rules: {
"body-max-line-length": [0],
"footer-max-line-length": [0],
"footer-leading-blank": [0],
"header-max-length": [0],
"scope-enum": [2, "never", [
"kumacp", "kumadp", "kumacni", "kumainit", "*", "madr", "test", "ci", "perf", "policies", "tests"
]],
"scope-empty": [2, "never"]
},
};
EOF
# Install commitlint CLI and configuration
npm install -g @commitlint/[email protected] @commitlint/[email protected]
# Validate the PR title. Use the intermediate variable to safely handle the title.
echo "$TITLE" | commitlint --config commitlint.config.js

0 comments on commit 0d0f6e5

Please sign in to comment.