feat(all): release security and workflow updates

projectcapsule · Oct 18, 2023 · bb47225 · bb47225
1 parent c30de4b
commit bb47225
Show file tree

Hide file tree

Showing 37 changed files with 1,018 additions and 300 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -15,6 +15,4 @@ following ourselves these points:
 - explain what and why in the body, if more than a trivial change, wrapping at
   72 characters
 
-If you have any issue or question, reach out us!
-https://clastix.slack.com >>> #capsule channel 
 -->
diff --git a/.github/actions/exists/action.yaml b/.github/actions/exists/action.yaml
@@ -0,0 +1,21 @@
+name: Checks if an input is defined
+
+description: Checks if an input is defined and outputs 'true' or 'false'.
+
+inputs:
+  value:
+    description: value to test
+    required: true
+
+outputs:
+  result:
+    description: outputs 'true' or 'false' if input value is defined or not
+    value: ${{ steps.check.outputs.result }}
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: check
+      run: |
+        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/setup-caches/action.yaml b/.github/actions/setup-caches/action.yaml
@@ -0,0 +1,20 @@
+name: Setup caches
+
+description: Setup caches for go modules and build cache.
+
+inputs:
+  build-cache-key:
+    description: build cache prefix
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+    - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
+      if: ${{ inputs.build-cache-key }}
+      with:
+        path: ~/.cache/go-build
+        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
diff --git a/.github/configs/ct.yaml b/.github/configs/ct.yaml
@@ -1,5 +1,5 @@
 remote: origin
-target-branch: master
+target-branch: main
 chart-dirs:
   - charts
 helm-extra-args: "--timeout 600s"  

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "feat(deps)"
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    rebase-strategy: disabled
+    commit-message:
+      prefix: "ci"
diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml
@@ -0,0 +1,24 @@
+name: Check actions
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator
diff --git a/.github/workflows/check-commit.yml b/.github/workflows/check-commit.yml
@@ -0,0 +1,23 @@
+name: Check Commit
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  commit_lint:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
+        with:
+          firstParent: true
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -0,0 +1,38 @@
+name: Codecov
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codecov:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: codecov
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Generate Code Coverage Report
+        if: steps.checksecret.outputs.result == 'true'
+        run: make test
+      - name: Upload Report to Codecov
+        if: steps.checksecret.outputs.result == 'true'
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true
diff --git a/.github/workflows/ci.yml → .github/workflows/diff.yml b/.github/workflows/ci.yml → .github/workflows/diff.yml
@@ -1,40 +1,25 @@
-name: CI
+name: Diff checks
+permissions: {}
 
 on:
   push:
     branches: [ "*" ]
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  commit_lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v2
-        with:
-          firstParent: true
-  golangci:
-    name: lint
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Run golangci-lint
-        uses: golangci/[email protected]
-        with:
-          version: v1.51.2
-          only-new-issues: false
-          args: --timeout 5m --config .golangci.yml
   diff:
     name: diff
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.19'
       - run: make installer

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,33 @@
+name: Build images
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-images:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: build-images
+      - name: ko build
+        run: REPOSITORY=${GITHUB_REPOSITORY} make ko-build-all
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml