diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml deleted file mode 100644 index e79c7fd39..000000000 --- a/.github/actions/build/action.yml +++ /dev/null 
@@ -1,173 +0,0 @@ -name: build -description: 'Build connaisseur image' -inputs: - image_registry: - description: 'Image registry to be used' - required: true - image_repo: - description: 'Image repository to be used' - required: true - image_tag: - description: 'Image tag to be used' - required: true - ref_tags: - description: 'Reference tags to be used' - required: true - image_labels: - description: 'Image labels to be used' - required: true - repo_owner: - description: 'Name of repository owner, e.g. "github.repository_owner" for ghcr.io' - required: true - repo_token: - description: 'Access token for repository owner, e.g. "secrets.GITHUB_TOKEN" for ghcr.io' - required: true - cosign_version: - description: 'Cosign version to be used' - required: true - cosign_private_key: - description: 'Cosign private key' - required: true - cosign_password: - description: 'Cosign private key password' - required: true -outputs: - cosign_public_key: - description: 'Cosign public key' - value: ${{ steps.verify.outputs.public_key }} -runs: - using: "composite" - steps: - - name: Install Cosign - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 (probably) - - name: Set up Docker buildx - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 - - name: Login with registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 - with: - registry: ${{ inputs.image_registry }} - username: ${{ inputs.repo_owner }} - password: ${{ inputs.repo_token }} - - name: Generate tags - id: tags - run: | - echo "${{ inputs.ref_tags }}" - export PREFIX="${{ inputs.image_registry }}/${{ inputs.image_repo }}:" - TAGS="${PREFIX}${{ inputs.image_tag }},$(echo ${{ inputs.ref_tags }} | tr ' ' '\n' | awk '{print "${PREFIX}"$1}' | envsubst | tr '\n' ',')" - echo tags=${TAGS} >> ${GITHUB_OUTPUT} - shell: bash - - name: Build and push image - id: build - uses: 
docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 - with: - push: true - cache-from: type=gha - cache-to: type=gha,mode=max - file: build/Dockerfile - labels: ${{ inputs.image_labels }} - tags: ${{ steps.tags.outputs.tags }} - sbom: false # Duplicates SBOMs manually created below - provenance: false #TODO: Set to false, as resulting format is not OCI (GHCR) compliant (https://github.com/docker/build-push-action/issues/820) and causes problems with GHCR and e.g. image deletion (https://github.com/snok/container-retention-policy/issues/63) - - name: Create SBOM - uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1 - with: - image: ${{ inputs.image_registry }}/${{ inputs.image_repo }}@${{ steps.build.outputs.digest }} - format: cyclonedx-json - artifact-name: sbom.cdx - output-file: sbom.cdx - - name: Sign image - id: sign - run: | - cosign sign --key env://COSIGN_PRIVATE_KEY -a tag=${{ inputs.image_tag }} -y ${TAGS} - cosign attach sbom --sbom sbom.cdx --type cyclonedx ${TAGS} - cosign sign --key env://COSIGN_PRIVATE_KEY --attachment sbom -y ${TAGS} - env: - TAGS: ${{ inputs.image_registry }}/${{ inputs.image_repo }}@${{ steps.build.outputs.digest }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosign_private_key }} - COSIGN_PASSWORD: ${{ inputs.cosign_password }} - shell: bash - - name: Verify build data - id: verify - run: | - mkdir ci - cosign public-key --key env://COSIGN_PRIVATE_KEY > ci/cosign.pub - PUBLIC_KEY="$(cat ci/cosign.pub)" - cosign tree ${TAGS} - PUBLIC_KEY=${PUBLIC_KEY} cosign verify --key env://PUBLIC_KEY ${TAGS} - PUBLIC_KEY=${PUBLIC_KEY} cosign verify --key env://PUBLIC_KEY --attachment sbom ${TAGS} - SIGNATURE=$(cosign triangulate ${TAGS}) - PUBLIC_KEY="${PUBLIC_KEY//$'\n'/'
'}" - SBOM="${SIGNATURE::-4}.sbom" - echo public_key="${PUBLIC_KEY}" >> ${GITHUB_OUTPUT} - echo signature=${SIGNATURE} >> ${GITHUB_OUTPUT} - echo sbom=${SBOM} >> ${GITHUB_OUTPUT} - env: - TAGS: ${{ inputs.image_registry }}/${{ inputs.image_repo }}@${{ steps.build.outputs.digest }} - COSIGN_PRIVATE_KEY: ${{ inputs.cosign_private_key }} - COSIGN_PASSWORD: ${{ inputs.cosign_password }} - shell: bash - - name: Upload public key - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: cosign.pub - path: ci/cosign.pub - - name: Show build and signature information - run: | - CONFIGURE="yq '. *+ load(\"test/integration/var-img.yaml\")' test/integration/ghcr-values.yaml > ghcr.yaml &&\n\t IMAGE=\"${{ inputs.image_registry }}/${{ inputs.image_repo }}\" TAG=\"${{ inputs.image_tag }}\" IMAGEPULLSECRET=\"\" envsubst < ghcr.yaml > update &&\n\t yq '. *+ load(\"update\")' -i charts/connaisseur/values.yaml &&\n\t rm ghcr.yaml update" - CONFIGURE=$(printf -- "${CONFIGURE}") - PUBLIC_KEY="${{ steps.verify.outputs.public_key }}" - PUBLIC_KEY="$(printf -- "${PUBLIC_KEY//'
'/'\n'}")" - HELM_PATCH="yq e '.kubernetes.deployment.image.repository = \"${{ inputs.image_registry }}/${{ inputs.image_repo }}\"' -i charts/connaisseur/values.yaml\nyq e '.kubernetes.deployment.image.tag = \"${{ inputs.image_tag }}\"' -i charts/connaisseur/values.yaml" - HELM_PATCH=$(printf -- "${HELM_PATCH}") - echo "# :building_construction: Build Information" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
Build artifactsValue
Registry${{ inputs.image_registry }}
Repository${{ inputs.image_repo }}
Tags${{ inputs.image_tag }}, ${{ inputs.ref_tags }}
Workflow image${{ inputs.image_registry }}/${{ inputs.image_repo }}:${{ inputs.image_tag }}
All reference tags$(echo ${{ steps.tags.outputs.tags }} | tr ',' '\n')
Digest${{ steps.build.outputs.digest }}
Signature${{ steps.verify.outputs.signature }}
Public key${PUBLIC_KEY}
SBOM (cyclonedx-json)${{ steps.verify.outputs.sbom }}
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
:bookmark_tabs: Metadata" >> ${GITHUB_STEP_SUMMARY} - echo "
${{ steps.build.outputs.metadata }}
" >> ${GITHUB_STEP_SUMMARY} - echo "
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
:hammer_and_wrench: Use Build Artifacts" >> ${GITHUB_STEP_SUMMARY} - echo "(needs docker login via PAT with package:read permission)" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
:mag: Verify Build" >> ${GITHUB_STEP_SUMMARY} - echo "(needs Docker login via PAT with package:read permission)" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "Let's start testing :rocket:" >> ${GITHUB_STEP_SUMMARY} - shell: bash diff --git a/.github/actions/context/action.yaml b/.github/actions/context/action.yaml deleted file mode 100644 index 62c482256..000000000 --- a/.github/actions/context/action.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -name: context -description: 'Get the current context' -inputs: - build_registry: - description: "Build registry to be used" - required: false - default: "ghcr.io" - build_repo: - description: "Base build repository to be used (non-protected branches will push to '${build_repo}-test')" - required: false - default: "${{ github.repository }}" -outputs: - chart_version: - description: "Connaisseur Helm chart version" - value: ${{ steps.get_context.outputs.CHART_VERSION }} - original_registry: - description: "Public Connaisseur registry" - value: ${{ steps.get_context.outputs.ORIGINAL_REGISTRY }} - original_repo: - description: "Public Connaisseur repo" - value: ${{ steps.get_context.outputs.ORIGINAL_REPO }} - original_tag: - description: "Current Connaisseur tag, i.e. version" - value: ${{ steps.get_context.outputs.ORIGINAL_TAG }} - original_image: - description: "Full Connaisseur image reference, i.e. registry + repository + tag" - value: ${{ steps.get_context.outputs.ORIGINAL_IMAGE }} - build_registry: - description: "Workflow build registry used for testing" - value: ${{ steps.get_context.outputs.BUILD_REGISTRY }} - build_repo: - description: "Workflow build repository used for testing" - value: ${{ steps.get_context.outputs.BUILD_REPO }} - build_tag: - description: "Workflow build tag used for testing (unique for each run)" - value: ${{ steps.show_context.outputs.BUILD_TAG }} - build_image: - description: "Workflow build image used for testing, i.e. 
registry + repository + tag" - value: ${{ steps.show_context.outputs.BUILD_IMAGE }} - ref_tags: - description: "All reference tags used for build" - value: ${{ steps.show_context.outputs.REF_TAGS }} - build_labels: - description: "Repository- and workflow-specific build labels" - value: ${{ steps.meta.outputs.labels }} -runs: - using: "composite" - steps: - - name: Get chart version - id: get_chart_version - uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2 - with: - cmd: yq '.version' charts/connaisseur/Chart.yaml - - name: Get app version - id: get_app_version - uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2 - with: - cmd: yq '.appVersion' charts/connaisseur/Chart.yaml - - name: Get original image - id: get_original_image_repository - uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2 - with: - cmd: yq '.kubernetes.deployment.image.repository' charts/connaisseur/values.yaml - - name: Get context - id: get_context - run: | - GHREF=${{ github.ref }} - echo "github.ref is: ${GHREF}" - CHART_VERSION=${{ steps.get_chart_version.outputs.result }} - CONFIGURED_IMAGE_REPO=${{ steps.get_original_image_repository.outputs.result }} - ORIGINAL_REGISTRY=$(echo "${CONFIGURED_IMAGE_REPO}" | cut -d "/" -f 1) - ORIGINAL_REPO=$(echo "${CONFIGURED_IMAGE_REPO}" | cut -d "/" -f 2- | cut -d ":" -f 1) - ORIGINAL_TAG=v${{ steps.get_app_version.outputs.result }} - BUILD_REGISTRY=${{ inputs.build_registry }} - BUILD_REPO=${{ inputs.build_repo }} - if [[ "${GHREF}" != "refs/heads/master" && - "${GHREF}" != "refs/tags/v"* && - "${GHREF}" != "refs/heads/develop" - ]]; then - BUILD_REPO="${BUILD_REPO}-test" - fi - - echo CHART_VERSION=${CHART_VERSION} >> ${GITHUB_OUTPUT} - echo ORIGINAL_REGISTRY=${ORIGINAL_REGISTRY} >> ${GITHUB_OUTPUT} - echo ORIGINAL_REPO=${ORIGINAL_REPO} >> ${GITHUB_OUTPUT} - echo ORIGINAL_TAG=${ORIGINAL_TAG} >> ${GITHUB_OUTPUT} - echo ORIGINAL_IMAGE=${CONFIGURED_IMAGE_REPO}:${ORIGINAL_TAG} >> ${GITHUB_OUTPUT} - 
echo BUILD_REGISTRY=${BUILD_REGISTRY} >> ${GITHUB_OUTPUT} - echo BUILD_REPO=${BUILD_REPO} >> ${GITHUB_OUTPUT} - shell: bash - - name: Generate metadata - id: meta - uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0 - with: - images: ${{ steps.get_context.outputs.BUILD_REGISTRY }}/${{ steps.get_context.outputs.BUILD_REPO }} - flavor: | - latest=true - tags: | - type=schedule - type=ref,event=branch - type=ref,event=tag - type=ref,event=pr - type=sha - - name: Show context - id: show_context - run: | - PREFIX=$(echo "${{ steps.get_context.outputs.BUILD_REGISTRY }}/${{ steps.get_context.outputs.BUILD_REPO }}:" | sed 's%/%\/%g') - TAGS="${{ steps.meta.outputs.tags }}" - REF_TAGS="${TAGS//${PREFIX}/}" - BUILD_IMAGE=$(echo "${TAGS}" | tail -2 | head -1) - BUILD_TAG="${BUILD_IMAGE//${PREFIX}/}" - [[ ${BUILD_TAG} == "sha-"* ]] || exit 1 # check as parsing of the BUILD_TAG maybe fragile and dependent on docker/metadata-action priorities - REF_TAGS="${REF_TAGS//${BUILD_TAG}/}" - echo BUILD_TAG=${BUILD_TAG} >> ${GITHUB_OUTPUT} - echo BUILD_IMAGE=${BUILD_IMAGE} >> ${GITHUB_OUTPUT} - echo REF_TAGS=${REF_TAGS} >> ${GITHUB_OUTPUT} - echo "# :clipboard: Context" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
Build ContextValue
Helm chart version${{ steps.get_context.outputs.CHART_VERSION }}
Original registry${{ steps.get_context.outputs.ORIGINAL_REGISTRY }}
Original repository${{ steps.get_context.outputs.ORIGINAL_REPO }}
Original tag${{ steps.get_context.outputs.ORIGINAL_TAG }}
Original image${{ steps.get_context.outputs.ORIGINAL_IMAGE }}
Build registry${{ steps.get_context.outputs.BUILD_REGISTRY }}
Build repository${{ steps.get_context.outputs.BUILD_REPO }}
Build tag${BUILD_TAG}
Build image${BUILD_IMAGE}
Ref tags${REF_TAGS}
All build images${{ steps.meta.outputs.tags }}
Build labels${{ steps.meta.outputs.labels }}
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
:pushpin: Context Variables References" >> ${GITHUB_STEP_SUMMARY} - echo "( job must run in workflow and needs: [context] mut be set for job)" >> ${GITHUB_STEP_SUMMARY} - echo "
    " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Helm chart version:
    ${{ needs.context.outputs.chart_version }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Original registry:
    ${{ needs.context.outputs.original_registry }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Original repository:
    ${{ needs.context.outputs.original_repo }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Original tag:
    ${{ needs.context.outputs.original_tag }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Original image:
    ${{ needs.context.outputs.original_image }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Build registry:
    ${{ needs.context.outputs.build_registry }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Build repository:
    ${{ needs.context.outputs.build_repo }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Build tag (workflow):
    ${{ needs.context.outputs.build_tag }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Ref tags:
    ${{ needs.context.outputs.ref_tags }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Build image:
    ${{ needs.context.outputs.build_image }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
  • Build labels:
    ${{ needs.context.outputs.build_labels }}
  • " >> ${GITHUB_STEP_SUMMARY} - echo "
" >> ${GITHUB_STEP_SUMMARY} - echo "
" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "Let's start building :rocket:" >> ${GITHUB_STEP_SUMMARY} - shell: bash diff --git a/.github/workflows/.reusable-build.yml b/.github/workflows/.reusable-build.yml deleted file mode 100644 index 8dfdb31bf..000000000 --- a/.github/workflows/.reusable-build.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -name: build - -permissions: {} - -on: - workflow_call: - inputs: - skip: - description: "Want to skip running certain jobs 'none', 'non-required', 'all'?" - type: string - default: "none" - outputs: - cosign_public_key: - description: "Cosign public key used for signing Connaisseur image" - value: ${{ jobs.build.outputs.cosign_public_key }} - chart_version: - description: "Connaisseur Helm chart version" - value: ${{ jobs.context.outputs.chart_version }} - original_registry: - description: "Public Connaisseur registry" - value: ${{ jobs.context.outputs.original_registry }} - original_repo: - description: "Public Connaisseur repo" - value: ${{ jobs.context.outputs.original_repo }} - original_tag: - description: "Current Connaisseur tag, i.e. version" - value: ${{ jobs.context.outputs.original_tag }} - original_image: - description: "Full Connaisseur image reference, i.e. registry + repository + tag" - value: ${{ jobs.context.outputs.original_image }} - build_registry: - description: "Workflow build registry used for testing" - value: ${{ jobs.context.outputs.build_registry }} - build_repo: - description: "Workflow build repository used for testing" - value: ${{ jobs.context.outputs.build_repo }} - build_tag: - description: "Workflow build tag used for testing (unique for each run)" - value: ${{ jobs.context.outputs.build_tag }} - branch_tag: - description: "Branch tag used for all builds on branch" - value: ${{ jobs.context.outputs.branch_tag }} - build_image: - description: "Workflow build image used for testing, i.e. 
registry + repository + tag" - value: ${{ jobs.context.outputs.build_image }} - build_labels: - description: "Repository- and workflow-specific build labels" - value: ${{ jobs.context.outputs.build_labels }} - -jobs: - context: - runs-on: ubuntu-latest - if: inputs.skip != 'all' - permissions: {} - outputs: - chart_version: ${{ steps.get_context.outputs.chart_version }} - original_registry: ${{ steps.get_context.outputs.original_registry }} - original_repo: ${{ steps.get_context.outputs.original_repo }} - original_image: ${{ steps.get_context.outputs.original_image }} - original_tag: ${{ steps.get_context.outputs.original_tag }} - build_registry: ${{ steps.get_context.outputs.build_registry }} - build_repo: ${{ steps.get_context.outputs.build_repo }} - build_tag: ${{ steps.get_context.outputs.build_tag }} - ref_tags: ${{ steps.get_context.outputs.ref_tags }} - build_image: ${{ steps.get_context.outputs.build_image }} - build_labels: ${{ steps.get_context.outputs.build_labels }} - steps: - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Get context - id: get_context - uses: ./.github/actions/context - - build: - runs-on: ubuntu-latest - if: | - inputs.skip != 'non-required' && - inputs.skip != 'all' - needs: [context] - permissions: - packages: write - outputs: - cosign_public_key: ${{ steps.build.outputs.cosign_public_key }} - steps: - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build Connaisseur - id: build - uses: ./.github/actions/build - with: - image_registry: ${{ needs.context.outputs.build_registry }} - image_repo: ${{ needs.context.outputs.build_repo }} - image_tag: ${{ needs.context.outputs.build_tag }} - ref_tags: ${{ needs.context.outputs.ref_tags }} - image_labels: ${{ needs.context.outputs.build_labels }} - repo_owner: ${{ github.repository_owner }} - repo_token: ${{ secrets.GITHUB_TOKEN }} - cosign_private_key: ${{ 
secrets.COSIGN_PRIVATE_KEY }} - cosign_password: ${{ secrets.COSIGN_PASSWORD }} diff --git a/.github/workflows/.reusable-ci.yml b/.github/workflows/.reusable-ci.yml deleted file mode 100644 index 259fbd491..000000000 --- a/.github/workflows/.reusable-ci.yml +++ /dev/null 
@@ -1,178 +0,0 @@ -name: ci - -permissions: {} - -on: - workflow_call: - inputs: - skip_build: - description: "Want to skip running certain build jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_compliance_checks: - description: "Want to skip running certain compliance jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_unit_tests: - description: "Want to skip running certain unit test jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_sast: - description: "Want to skip running certain sast jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_sca: - description: "Want to skip running certain sca jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_docs: - description: "Want to skip running certain docs jobs 'none', 'non-required', 'all'?" - type: string - default: "all" - required: false - skip_integration_tests: - description: "Want to skip running certain integration test jobs 'none', 'non-required', 'all'?" 
- type: string - default: "all" - required: false - output_type: - description: 'Output either "sarif" (GITHUB_TOKEN with security-events:write) or print results as "table" and fail on error' - type: string - default: 'sarif' - required: false - -defaults: - run: - shell: bash - -jobs: - conditionals: - runs-on: ubuntu-latest - outputs: - skip_build: ${{ steps.conditionals.outputs.skip_build }} - skip_compliance_checks: ${{ steps.conditionals.outputs.skip_compliance_checks }} - skip_unit_tests: ${{ steps.conditionals.outputs.skip_unit_tests }} - skip_sast: ${{ steps.conditionals.outputs.skip_sast }} - skip_sca: ${{ steps.conditionals.outputs.skip_sca }} - skip_docs: ${{ steps.conditionals.outputs.skip_docs }} - skip_integration_tests: ${{ steps.conditionals.outputs.skip_integration_tests }} - output_type: ${{ steps.conditionals.outputs.output_type }} - steps: - - name: CI conditionals - id: conditionals - run: | - echo "skip_build=${{ inputs.skip_build }}" >> ${GITHUB_OUTPUT} - echo "skip_compliance_checks=${{ inputs.skip_compliance_checks }}" >> ${GITHUB_OUTPUT} - echo "skip_unit_tests=${{ inputs.skip_unit_tests }}" >> ${GITHUB_OUTPUT} - echo "skip_sast=${{ inputs.skip_sast }}" >> ${GITHUB_OUTPUT} - echo "skip_sca=${{ inputs.skip_sca }}" >> ${GITHUB_OUTPUT} - echo "skip_docs=${{ inputs.skip_docs }}" >> ${GITHUB_OUTPUT} - echo "skip_integration_tests=${{ inputs.skip_integration_tests }}" >> ${GITHUB_OUTPUT} - echo "output_type=${{ inputs.output_type }}" >> ${GITHUB_OUTPUT} - - name: Show conditionals - id: show_conditionals - run: | - get_output() { case "$1" in "none") echo ":white_check_mark:";; "non-required") echo ":information_source:";; "all") echo ":x:";; *) echo "Unknown value";; esac; } - echo "# :pencil: CI Settings" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} 
- echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - echo "
SettingValue
Run Docs$(get_output ${{ steps.conditionals.outputs.skip_docs }})
Run Build$(get_output ${{ steps.conditionals.outputs.skip_build }})
Run Compliance$(get_output ${{ steps.conditionals.outputs.skip_compliance_checks }})
Run Unit Tests$(get_output ${{ steps.conditionals.outputs.skip_unit_tests }})
Run SAST$(get_output ${{ steps.conditionals.outputs.skip_sast }})
Run SCA$(get_output ${{ steps.conditionals.outputs.skip_sca }})
Run Integration Tests$(get_output ${{ steps.conditionals.outputs.skip_integration_tests }})
Report type${{ steps.conditionals.outputs.output_type }}
" >> ${GITHUB_STEP_SUMMARY} - echo "($(get_output 'none') - run all jobs, $(get_output 'non-required') - run important/required jobs only, $(get_output 'all') - skip jobs)" >> ${GITHUB_STEP_SUMMARY} - echo "" >> ${GITHUB_STEP_SUMMARY} - - build: - uses: ./.github/workflows/.reusable-build.yml - needs: [conditionals] - permissions: - packages: write - secrets: inherit - with: - skip: ${{ needs.conditionals.outputs.skip_build }} - - compliance: - uses: ./.github/workflows/.reusable-compliance.yml - needs: [conditionals] - permissions: - contents: write - id-token: write - security-events: write - actions: read - checks: read - deployments: read - issues: read - discussions: read - packages: read - pages: read - pull-requests: read - repository-projects: read - statuses: read - attestations: read - secrets: inherit - with: - skip: ${{ needs.conditionals.outputs.skip_compliance_checks }} - - unit-test: - uses: ./.github/workflows/.reusable-unit-test.yml - needs: [conditionals] - with: - skip: ${{ needs.conditionals.outputs.skip_unit_tests }} - - sast: - uses: ./.github/workflows/.reusable-sast.yml - needs: [conditionals] - permissions: - security-events: write - pull-requests: read - with: - skip: ${{ needs.conditionals.outputs.skip_sast }} - output: ${{ needs.conditionals.outputs.output_type }} - - sca: - uses: ./.github/workflows/.reusable-sca.yml - needs: [conditionals, build] - permissions: - contents: write - security-events: write - packages: read - secrets: inherit - with: - registry: ${{ needs.build.outputs.build_registry }} - repo_owner: ${{ github.repository_owner }} - image: ${{ needs.build.outputs.build_image }} - skip: ${{ needs.conditionals.outputs.skip_sca }} - output: ${{ needs.conditionals.outputs.output_type }} - - docs: - uses: ./.github/workflows/.reusable-docs.yaml - needs: [conditionals] - permissions: - contents: write - with: - skip: ${{ needs.conditionals.outputs.skip_docs }} - - integration-test: - uses: 
./.github/workflows/.reusable-integration-test.yml - needs: [conditionals, build] - permissions: - packages: read - secrets: inherit - with: - build_registry: ${{ needs.build.outputs.build_registry }} - repo_owner: ${{ github.repository_owner }} - build_image_repository: ${{ needs.build.outputs.build_registry }}/${{ needs.build.outputs.build_repo }} - build_tag: ${{ needs.build.outputs.build_tag }} - skip: ${{ needs.conditionals.outputs.skip_integration_tests }} - cosign_public_key: ${{ needs.build.outputs.cosign_public_key }} diff --git a/.github/workflows/00_pr.yml b/.github/workflows/00_pr.yml new file mode 100644 index 000000000..f0ecadde6 --- /dev/null +++ b/.github/workflows/00_pr.yml @@ -0,0 +1,36 @@ +name: pr + +permissions: {} + +on: + pull_request: + branches: + - master + - develop + push: # for testing + branches: + - ci/rework + +defaults: + run: + shell: bash + +jobs: + ci: + uses: ./.github/workflows/100_ci.yml + # permissions: + # packages: write + # contents: write + # id-token: write + # security-events: write + # actions: read + # checks: read + # deployments: read + # issues: read + # discussions: read + # pages: read + # pull-requests: read + # repository-projects: read + # statuses: read + # attestations: read + secrets: inherit diff --git a/.github/workflows/push.yml b/.github/workflows/01_push.yml similarity index 63% rename from .github/workflows/push.yml rename to .github/workflows/01_push.yml index 056377e22..bfa5053e5 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/01_push.yml @@ -14,7 +14,7 @@ defaults: jobs: ci: - uses: ./.github/workflows/.reusable-ci.yml + uses: ./.github/workflows/100_ci.yml permissions: packages: write contents: write @@ -31,12 +31,3 @@ jobs: statuses: read attestations: read secrets: inherit - with: - skip_build: "none" - skip_compliance_checks: "none" - skip_unit_tests: "none" - skip_sast: "none" - skip_sca: "none" - skip_docs: "none" - skip_integration_tests: "none" - output_type: "sarif" 
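Review bot: `secrets: inherit` on the `ci` job of the new 00_pr.yml forwards every repository secret into the reusable workflow on pull_request-triggered runs, while the job's `permissions` block is left commented out so the workflow-level `permissions: {}` applies. The build job of the called workflow (as seen in the deleted .reusable-build.yml, presumably carried over into 101_build.yml) needs `packages: write` and `secrets.COSIGN_PRIVATE_KEY`, so as written the build cannot push, and if the commented permissions are later restored the signing key becomes reachable from same-repository PR runs. Decide the permissions block now rather than leaving it commented, and pass only the secrets the PR path needs by name, e.g. `secrets:` followed by `COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` and `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}`, instead of `inherit`. The `push: # for testing` trigger on `ci/rework` reads as a leftover that should be removed before merge.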
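Review bot: Removing the whole `with:` block in 01_push.yml makes the push pipeline depend on the defaults declared in 100_ci.yml (`"all"` for every job selector, `'sarif'` for output_type); the deleted lines pinned those values explicitly. That is equivalent today, but a later default change in the reusable workflow would silently change what runs on master/develop pushes, and `output_type` also determines whether `security-events: write` is needed. Keeping at least `output_type: "sarif"` explicit in the caller would make that dependency visible; the enclosing `ci` job starts before this hunk.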
diff --git a/.github/workflows/release.yaml b/.github/workflows/03_release.yaml similarity index 92% rename from .github/workflows/release.yaml rename to .github/workflows/03_release.yaml index 040628bd3..422edc66e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/03_release.yaml @@ -26,7 +26,7 @@ jobs: echo "skip_integration_tests=${SKIP_INTEGRATION_TESTS}" >> ${GITHUB_OUTPUT} build: - uses: ./.github/workflows/.reusable-build.yml + uses: ./.github/workflows/101_build.yml permissions: packages: write secrets: inherit @@ -49,7 +49,7 @@ jobs: exit 1 integration-test: - uses: ./.github/workflows/.reusable-integration-test.yml + uses: ./.github/workflows/107_integration-test.yml needs: [conditionals, build, version-match] permissions: packages: read @@ -63,7 +63,7 @@ jobs: cosign_public_key: ${{ needs.build.outputs.cosign_public_key }} publish: - uses: ./.github/workflows/.reusable-publish.yml + uses: ./.github/workflows/200_publish.yml needs: [build, version-match, integration-test] permissions: contents: write diff --git a/.github/workflows/publish.yml b/.github/workflows/04_publish.yml similarity index 93% rename from .github/workflows/publish.yml rename to .github/workflows/04_publish.yml index f69d82f51..eef352506 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/04_publish.yml @@ -20,7 +20,7 @@ on: jobs: publish: - uses: ./.github/workflows/.reusable-publish.yml + uses: ./.github/workflows/200_publish.yml permissions: contents: write with: diff --git a/.github/workflows/nightly.yaml b/.github/workflows/05_nightly.yaml similarity index 65% rename from .github/workflows/nightly.yaml rename to .github/workflows/05_nightly.yaml index a89fc63ca..9ff322e53 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/05_nightly.yaml @@ -12,7 +12,7 @@ defaults: jobs: ci: - uses: ./.github/workflows/.reusable-ci.yml + uses: ./.github/workflows/100_ci.yml permissions: packages: write contents: write 
@@ -30,16 +30,13 @@ jobs: attestations: read secrets: inherit with: - skip_build: "none" - skip_compliance_checks: "none" - skip_unit_tests: "all" - skip_sast: "all" - skip_sca: "none" - skip_docs: "all" - skip_integration_tests: "all" + unit_tests: "none" + sast: "none" + docs: "none" + integration_tests: "none" output_type: "table" cleanup-registry: - uses: ./.github/workflows/.reusable-cleanup-registry.yml + uses: ./.github/workflows/201_cleanup-registry.yml needs: [ci] secrets: inherit diff --git a/.github/workflows/dockerhub-check.yml b/.github/workflows/06_dockerhub-check.yml similarity index 100% rename from .github/workflows/dockerhub-check.yml rename to .github/workflows/06_dockerhub-check.yml diff --git a/.github/workflows/100_ci.yml b/.github/workflows/100_ci.yml new file mode 100644 index 000000000..0d82cdefa --- /dev/null +++ b/.github/workflows/100_ci.yml 
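Review bot: The selectors added here (`unit_tests: "none"`, `sast: "none"`, `docs: "none"`, `integration_tests: "none"`) invert the meaning of the removed `skip_*` inputs, and the summary step of the new 100_ci.yml will render each of them as `Unknown value`, because its `get_output` case statement matches the pattern `"all"` twice and never `"none"` — the second `"all") echo ":x:";;` branch should read `"none") echo ":x:";;`. Since `"none"` now means "run nothing" right after a rename, a comment above the block such as `# 100_ci.yml selectors: 'all' | 'required' | 'none' (none = skip the job)` would prevent misreading. The `with:` block continues outside the hunk (`output_type: "table"` is context), and the build/compliance/sca selectors now rely on the reusable workflow's `"all"` default, which matches the old `skip_*: "none"` values.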
@@ -0,0 +1,178 @@
+name: ci
+
+permissions: {}
+
+on:
+ workflow_call:
+ inputs:
+ build:
+ description: "Which build jobs should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ compliance_checks:
+ description: "Which compliance checks should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ unit_tests:
+ description: "Which unit tests should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ sast:
+ description: "Which sast jobs should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ sca:
+ description: "Which sca jobs should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ docs:
+ description: "Which doc jobs should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ required: false
+ integration_tests:
+ description: "Which integration tests should be run: 'all', 'required', 'none'?"
+ type: string + default: "all" + required: false + output_type: + description: 'Output either "sarif" (GITHUB_TOKEN with security-events:write) or print results as "table" and fail on error' + type: string + default: 'sarif' + required: false + +defaults: + run: + shell: bash + +jobs: + conditionals: + runs-on: ubuntu-latest + outputs: + build: ${{ steps.conditionals.outputs.build }} + compliance_checks: ${{ steps.conditionals.outputs.compliance_checks }} + unit_tests: ${{ steps.conditionals.outputs.unit_tests }} + sast: ${{ steps.conditionals.outputs.sast }} + sca: ${{ steps.conditionals.outputs.sca }} + docs: ${{ steps.conditionals.outputs.docs }} + integration_tests: ${{ steps.conditionals.outputs.integration_tests }} + output_type: ${{ steps.conditionals.outputs.output_type }} + steps: + - name: CI conditionals + id: conditionals + run: | + echo "build=${{ inputs.build }}" >> ${GITHUB_OUTPUT} + echo "compliance_checks=${{ inputs.compliance_checks }}" >> ${GITHUB_OUTPUT} + echo "unit_tests=${{ inputs.unit_tests }}" >> ${GITHUB_OUTPUT} + echo "sast=${{ inputs.sast }}" >> ${GITHUB_OUTPUT} + echo "sca=${{ inputs.sca }}" >> ${GITHUB_OUTPUT} + echo "docs=${{ inputs.docs }}" >> ${GITHUB_OUTPUT} + echo "integration_tests=${{ inputs.integration_tests }}" >> ${GITHUB_OUTPUT} + echo "output_type=${{ inputs.output_type }}" >> ${GITHUB_OUTPUT} + - name: Show conditionals + id: show_conditionals + run: | + get_output() { case "$1" in "all") echo ":white_check_mark:";; "required") echo ":information_source:";; "all") echo ":x:";; *) echo "Unknown value";; esac; } + echo "# :pencil: CI Settings" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + echo "" >> ${GITHUB_STEP_SUMMARY} + 
echo "
SettingValue
Run Docs$(get_output ${{ steps.conditionals.outputs.docs }})
Run Build$(get_output ${{ steps.conditionals.outputs.build }})
Run Compliance$(get_output ${{ steps.conditionals.outputs.compliance_checks }})
Run Unit Tests$(get_output ${{ steps.conditionals.outputs.unit_tests }})
Run SAST$(get_output ${{ steps.conditionals.outputs.sast }})
Run SCA$(get_output ${{ steps.conditionals.outputs.sca }})
Run Integration Tests$(get_output ${{ steps.conditionals.outputs.integration_tests }})
Report type${{ steps.conditionals.outputs.output_type }}
" >> ${GITHUB_STEP_SUMMARY}
+ echo "($(get_output 'all') - run all jobs, $(get_output 'required') - run important/required jobs only, $(get_output 'none') - skip jobs)" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+
+ # build:
+ # uses: ./.github/workflows/101_build.yml
+ # needs: [conditionals]
+ # permissions:
+ # packages: write
+ # secrets: inherit
+ # with:
+ # run: ${{ needs.conditionals.outputs.build }}
+
+ # compliance:
+ # uses: ./.github/workflows/102_compliance.yml
+ # needs: [conditionals]
+ # permissions:
+ # contents: write
+ # id-token: write
+ # security-events: write
+ # actions: read
+ # checks: read
+ # deployments: read
+ # issues: read
+ # discussions: read
+ # packages: read
+ # pages: read
+ # pull-requests: read
+ # repository-projects: read
+ # statuses: read
+ # attestations: read
+ # secrets: inherit
+ # with:
+ # run: ${{ needs.conditionals.outputs.compliance_checks }}
+
+ # unit-test:
+ # uses: ./.github/workflows/unit-test.yml
+ # needs: [conditionals]
+ # with:
+ # skip: ${{ needs.conditionals.outputs.skip_unit_tests }}
+
+ # sast:
+ # uses: ./.github/workflows/sast.yml
+ # needs: [conditionals]
+ # permissions:
+ # security-events: write
+ # pull-requests: read
+ # with:
+ # skip: ${{ needs.conditionals.outputs.skip_sast }}
+ # output: ${{ needs.conditionals.outputs.output_type }}
+
+ # sca:
+ # uses: ./.github/workflows/sca.yml
+ # needs: [conditionals, build]
+ # permissions:
+ # contents: write
+ # security-events: write
+ # packages: read
+ # secrets: inherit
+ # with:
+ # registry: ${{ needs.build.outputs.build_registry }}
+ # repo_owner: ${{ github.repository_owner }}
+ # image: ${{ needs.build.outputs.build_image }}
+ # skip: ${{ needs.conditionals.outputs.skip_sca }}
+ # output: ${{ needs.conditionals.outputs.output_type }}
+
+ # docs:
+ # uses: ./.github/workflows/docs.yaml
+ # needs: [conditionals]
+ # permissions:
+ # contents: write
+ # with:
+ # skip: ${{ needs.conditionals.outputs.skip_docs }}
+
+ #
integration-test:
+ # uses: ./.github/workflows/integration-test.yml
+ # needs: [conditionals, build]
+ # permissions:
+ # packages: read
+ # secrets: inherit
+ # with:
+ # build_registry: ${{ needs.build.outputs.build_registry }}
+ # repo_owner: ${{ github.repository_owner }}
+ # build_image_repository: ${{ needs.build.outputs.build_registry }}/${{ needs.build.outputs.build_repo }}
+ # build_tag: ${{ needs.build.outputs.build_tag }}
+ # skip: ${{ needs.conditionals.outputs.skip_integration_tests }}
+ # cosign_public_key: ${{ needs.build.outputs.cosign_public_key }}
diff --git a/.github/workflows/101_build.yml b/.github/workflows/101_build.yml
new file mode 100644
index 000000000..859afbe9e
--- /dev/null
+++ b/.github/workflows/101_build.yml
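Review bot: `get_output()` in the `Show conditionals` step lists the pattern `"all")` twice, so `get_output 'none'` never matches and prints `Unknown value` both in the settings table and in the legend line; the third arm should read `"none") echo ":x:";;`. The commented-out job stubs at the bottom are already stale: `unit-test`, `sast`, `sca`, `docs` and `integration-test` still pass `skip:` from `needs.conditionals.outputs.skip_*`, outputs this workflow no longer defines, and reference the old file names, whereas `101_build.yml` and `102_compliance.yml` in this diff take a `run:` input. With every downstream job disabled, the `permissions` the callers grant (`packages: write`, `contents: write`, `id-token: write`, `security-events: write`, …) are currently handed to a workflow that uses none of them; re-enabling the jobs and pruning that list together would keep the grant tied to what actually runs.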
@@ -0,0 +1,189 @@
+name: build
+
+permissions: {}
+
+on:
+ workflow_call:
+ inputs:
+ run:
+ description: "Which build jobs should be run: 'all', 'required', 'none'?"
+ type: string
+ default: "all"
+ outputs:
+ chart_version:
+ description: "Connaisseur Helm chart version"
+ value: ${{ jobs.context.outputs.chart_version }}
+ original_registry:
+ description: "Public Connaisseur registry"
+ value: ${{ jobs.context.outputs.original_registry }}
+ original_repo:
+ description: "Public Connaisseur repo"
+ value: ${{ jobs.context.outputs.original_repo }}
+ original_tag:
+ description: "Current Connaisseur tag, i.e. version"
+ value: ${{ jobs.context.outputs.original_tag }}
+ original_image:
+ description: "Full Connaisseur image reference, i.e. registry + repository + tag"
+ value: ${{ jobs.context.outputs.original_image }}
+ build_registry:
+ description: "Workflow build registry used for testing"
+ value: ${{ jobs.context.outputs.build_registry }}
+ build_repo:
+ description: "Workflow build repository used for testing"
+ value: ${{ jobs.context.outputs.build_repo }}
+ build_tag:
+ description: "Workflow build tag used for testing (unique for each run)"
+ value: ${{ jobs.context.outputs.build_tag }}
+ build_image:
+ description: "Workflow build image used for testing, i.e. 
registry + repository + tag"
+ value: ${{ jobs.context.outputs.build_image }}
+ build_labels:
+ description: "Repository- and workflow-specific build labels"
+ value: ${{ jobs.context.outputs.build_labels }}
+
+jobs:
+ context:
+ runs-on: ubuntu-latest
+ if: inputs.run != 'none'
+ permissions: {}
+ outputs:
+ chart_version: ${{ steps.get_context.outputs.CHART_VERSION }}
+ original_registry: ${{ steps.get_context.outputs.ORIGINAL_REGISTRY }}
+ original_repo: ${{ steps.get_context.outputs.ORIGINAL_REPO }}
+ original_image: ${{ steps.get_context.outputs.ORIGINAL_IMAGE }}
+ original_tag: ${{ steps.get_context.outputs.ORIGINAL_TAG }}
+ build_registry: ${{ steps.get_context.outputs.BUILD_REGISTRY }}
+ build_repo: ${{ steps.get_context.outputs.BUILD_REPO }}
+ build_tag: ${{ steps.get_context.outputs.BUILD_TAG }}
+ build_image: ${{ steps.get_context.outputs.BUILD_IMAGE }}
+ build_labels: ${{ steps.meta.outputs.labels }}
+ ref_tags: ${{ steps.get_context.outputs.REF_TAGS }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Get chart version
+ id: get_chart_version
+ uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2
+ with:
+ cmd: yq '.version' charts/connaisseur/Chart.yaml
+ - name: Get app version
+ id: get_app_version
+ uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2
+ with:
+ cmd: yq '.appVersion' charts/connaisseur/Chart.yaml
+ - name: Get original image
+ id: get_original_image_repository
+ uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2
+ with:
+ cmd: yq '.kubernetes.deployment.image.repository' charts/connaisseur/values.yaml
+ - name: Get context
+ id: get_context
+ run: |
+ GHREF=${{ github.ref }}
+ echo "github.ref is: ${GHREF}"
+ CHART_VERSION=${{ steps.get_chart_version.outputs.result }}
+ CONFIGURED_IMAGE_REPO=${{ steps.get_original_image_repository.outputs.result }}
+ ORIGINAL_REGISTRY=$(echo "${CONFIGURED_IMAGE_REPO}" | cut -d "/" 
-f 1)
+ ORIGINAL_REPO=$(echo "${CONFIGURED_IMAGE_REPO}" | cut -d "/" -f 2- | cut -d ":" -f 1)
+ ORIGINAL_TAG=v${{ steps.get_app_version.outputs.result }}
+ BUILD_REGISTRY="ghcr.io"
+ BUILD_REPO=${{ github.repository }}
+ if [[ "${GHREF}" != "refs/heads/master" &&
+ "${GHREF}" != "refs/tags/v"* &&
+ "${GHREF}" != "refs/heads/develop"
+ ]]; then
+ BUILD_REPO="${BUILD_REPO}-test"
+ fi
+
+ echo CHART_VERSION=${CHART_VERSION} >> ${GITHUB_OUTPUT}
+ echo ORIGINAL_REGISTRY=${ORIGINAL_REGISTRY} >> ${GITHUB_OUTPUT}
+ echo ORIGINAL_REPO=${ORIGINAL_REPO} >> ${GITHUB_OUTPUT}
+ echo ORIGINAL_TAG=${ORIGINAL_TAG} >> ${GITHUB_OUTPUT}
+ echo ORIGINAL_IMAGE=${CONFIGURED_IMAGE_REPO}:${ORIGINAL_TAG} >> ${GITHUB_OUTPUT}
+ echo BUILD_REGISTRY=${BUILD_REGISTRY} >> ${GITHUB_OUTPUT}
+ echo BUILD_REPO=${BUILD_REPO} >> ${GITHUB_OUTPUT}
+ shell: bash
+ - name: Generate metadata
+ id: meta
+ uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
+ with:
+ images: ${{ steps.get_context.outputs.BUILD_REGISTRY }}/${{ steps.get_context.outputs.BUILD_REPO }}
+ flavor: |
+ latest=true
+ tags: |
+ type=schedule
+ type=ref,event=branch
+ type=ref,event=tag
+ type=ref,event=pr
+ type=sha
+ - name: Show context
+ id: show_context
+ run: |
+ PREFIX=$(echo "${{ steps.get_context.outputs.BUILD_REGISTRY }}/${{ steps.get_context.outputs.BUILD_REPO }}:" | sed 's%/%\/%g')
+ TAGS="${{ steps.meta.outputs.tags }}"
+ REF_TAGS="${TAGS//${PREFIX}/}"
+ BUILD_IMAGE=$(echo "${TAGS}" | tail -2 | head -1)
+ BUILD_TAG="${BUILD_IMAGE//${PREFIX}/}"
+ [[ ${BUILD_TAG} == "sha-"* ]] || exit 1 # check as parsing of the BUILD_TAG maybe fragile and dependent on docker/metadata-action priorities
+ REF_TAGS="${REF_TAGS//${BUILD_TAG}/}"
+ echo BUILD_TAG=${BUILD_TAG} >> ${GITHUB_OUTPUT}
+ echo BUILD_IMAGE=${BUILD_IMAGE} >> ${GITHUB_OUTPUT}
+ echo REF_TAGS=${REF_TAGS} >> ${GITHUB_OUTPUT}
+ echo "# :clipboard: Context" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> 
${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "
Build ContextValue
Helm chart version${{ steps.get_context.outputs.CHART_VERSION }}
Original image${{ steps.get_context.outputs.ORIGINAL_IMAGE }}
Build image${BUILD_IMAGE}
All build images${{ steps.meta.outputs.tags }}
" >> ${GITHUB_STEP_SUMMARY}
+ shell: bash
+
+ build:
+ runs-on: ubuntu-latest
+ if: inputs.run != 'none'
+ needs: [context]
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Set up Docker buildx
+ uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+ - name: Login with registry
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+ with:
+ registry: ${{ needs.context.outputs.build_registry }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Generate tags
+ id: tags
+ run: |
+ echo "${{ needs.context.outputs.ref_tags }}"
+ export PREFIX="${{ needs.context.outputs.build_registry }}/${{ needs.context.outputs.build_repo }}:"
+ TAGS="${PREFIX}${{ needs.context.outputs.build_tag }},$(echo ${{ needs.context.outputs.ref_tags }} | tr ' ' '\n' | awk '{print "${PREFIX}"$1}' | envsubst | tr '\n' ',')"
+ echo tags=${TAGS} >> ${GITHUB_OUTPUT}
+ shell: bash
+ - name: Build and push image
+ id: build
+ uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+ with:
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ file: build/Dockerfile
+ labels: ${{ needs.context.outputs.build_labels }}
+ tags: ${{ steps.tags.outputs.tags }}
+ sbom: false # Duplicates SBOMs manually created below
+ provenance: false #TODO: Set to false, as resulting format is not OCI (GHCR) compliant (https://github.com/docker/build-push-action/issues/820) and causes problems with GHCR and e.g. image deletion (https://github.com/snok/container-retention-policy/issues/63)
+ - name: Show build information
+ run: |
+ echo "# :building_construction: Build Information" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ echo "
Build artifactsValue
Workflow image${{ needs.context.outputs.build_registry }}/${{ needs.context.outputs.build_repo }}:${{ needs.context.outputs.build_tag }}
All reference tags$(echo ${{ steps.tags.outputs.tags }} | tr ',' '\n')
Digest${{ steps.build.outputs.digest }}
" >> ${GITHUB_STEP_SUMMARY}
+ echo "" >> ${GITHUB_STEP_SUMMARY}
+ shell: bash
diff --git a/.github/workflows/.reusable-compliance.yml b/.github/workflows/102_compliance.yml
similarity index 60%
rename from .github/workflows/.reusable-compliance.yml
rename to .github/workflows/102_compliance.yml
index 0fc309326..fdabee148 100644
--- a/.github/workflows/.reusable-compliance.yml
+++ b/.github/workflows/102_compliance.yml
@@ -3,49 +3,22 @@ name: compliance
 on:
 workflow_call:
 inputs:
- skip:
- description: "Want to skip running certain jobs 'none', 'non-required', 'all'?"
+ run:
+ description: "Which compliance checks should be run: 'all', 'required', 'none'?"
 type: string
- default: "none"
+ default: "all"
 permissions: read-all
 jobs:
- ossf-scorecard:
- runs-on: ubuntu-latest
- if: |
- (github.ref_name == 'master' || github.event_name == 'pull_request') &&
- inputs.skip != 'non-required' &&
- inputs.skip != 'all'
- permissions:
- security-events: write
- id-token: write
- steps:
- - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- - name: Analyze
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
- with:
- results_file: results.sarif
- results_format: sarif
- repo_token: ${{ secrets.SCORECARD_TOKEN }}
- publish_results: ${{ github.ref_name == 'master' }}
- - name: Upload
- uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
- with:
- sarif_file: results.sarif
-
 dependency-review:
 name: dependency review
 runs-on: ubuntu-latest
 if: |
 github.event_name == 'pull_request' &&
- inputs.skip != 'non-required' &&
- inputs.skip != 'all'
+ inputs.run != 'none'
 permissions:
- contents: write
+ contents: read
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
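Review bot: The `context` job's outputs `build_tag`, `build_image` and `ref_tags` read `steps.get_context.outputs.BUILD_TAG`, `BUILD_IMAGE` and `REF_TAGS`, but those three values are written to `${GITHUB_OUTPUT}` by the `show_context` step, not by `get_context`, so they resolve to empty strings and the `Generate tags` step in the `build` job ends up with `TAGS="${PREFIX},…"` — the push then either fails on an invalid reference or goes out without the per-run `sha-` tag. The three lines should be `build_tag: ${{ steps.show_context.outputs.BUILD_TAG }}`, `build_image: ${{ steps.show_context.outputs.BUILD_IMAGE }}` and `ref_tags: ${{ steps.show_context.outputs.REF_TAGS }}`. Separately, `sbom: false # Duplicates SBOMs manually created below` refers to steps that do not exist in this file, and no signing step is present either, so as far as this diff shows the pushed image carries neither an SBOM nor a signature; if that is intended for the test registry the comment should say so, otherwise the SBOM and signing steps belong after `Build and push image` and the public key should be exposed as a workflow output.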
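Review bot: `dependency-review` here and the job in the `@@ -56,7 +29,7 @@` hunk now gate only on `inputs.run != 'none'`, so the `'required'` value advertised in the new `run` description behaves exactly like `'all'` in this workflow, and any unrecognised string (a typo in a caller's `with:`) also runs everything. If every compliance job is meant to be required, the description should say so, e.g. `description: "Run compliance checks: 'all' or 'required' run every job, 'none' skips them"`; otherwise one of the two jobs should keep an `inputs.run != 'required'` condition in place of the removed `non-required` logic. Rejecting values outside the documented set, either here or in the caller's `conditionals` job, would make a misconfiguration visible instead of silently running all checks.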
@@ -56,7 +29,7 @@ jobs:
 runs-on: ubuntu-latest
 if: |
 github.event_name == 'pull_request' &&
- inputs.skip != 'all'
+ inputs.run != 'none'
 permissions: {}
 steps:
 - name: Checkout code
diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/103_unit-test.yml
similarity index 100%
rename from .github/workflows/.reusable-unit-test.yml
rename to .github/workflows/103_unit-test.yml
diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/104_sast.yml
similarity index 100%
rename from .github/workflows/.reusable-sast.yml
rename to .github/workflows/104_sast.yml
diff --git a/.github/workflows/.reusable-sca.yml b/.github/workflows/105_sca.yml
similarity index 100%
rename from .github/workflows/.reusable-sca.yml
rename to .github/workflows/105_sca.yml
diff --git a/.github/workflows/.reusable-docs.yaml b/.github/workflows/106_docs.yaml
similarity index 100%
rename from .github/workflows/.reusable-docs.yaml
rename to .github/workflows/106_docs.yaml
diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/107_integration-test.yml
similarity index 100%
rename from .github/workflows/.reusable-integration-test.yml
rename to .github/workflows/107_integration-test.yml
diff --git a/.github/workflows/.reusable-publish.yml b/.github/workflows/200_publish.yml
similarity index 97%
rename from .github/workflows/.reusable-publish.yml
rename to .github/workflows/200_publish.yml
index 8b8288cf1..6e8152b64 100644
--- a/.github/workflows/.reusable-publish.yml
+++ b/.github/workflows/200_publish.yml
@@ -55,7 +55,7 @@ jobs:
 git push https://${{ secrets.GITHUB_TOKEN }}@github.com/sse-secure-systems/connaisseur.git
 publish_docs:
- uses: ./.github/workflows/.reusable-docs.yaml
+ uses: ./.github/workflows/106_docs.yaml
 needs: [publish_chart]
 permissions:
 contents: write
diff --git a/.github/workflows/.reusable-cleanup-registry.yml b/.github/workflows/201_cleanup-registry.yml
similarity index 100%
rename from .github/workflows/.reusable-cleanup-registry.yml
rename to .github/workflows/201_cleanup-registry.yml
diff --git a/.github/workflows/nightly-build.yaml b/.github/workflows/nightly-build.yaml
deleted file mode 100644
index 7fd0b5179..000000000
--- a/.github/workflows/nightly-build.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: nightly-build
-
-permissions: {}
-
-on:
- schedule:
- - cron: "30 1 * * *"
-
-defaults:
- run:
- shell: bash
-
-jobs:
- ci:
- uses: ./.github/workflows/.reusable-ci.yml
- permissions:
- packages: write
- contents: write
- id-token: write
- security-events: write
- actions: read
- checks: read
- deployments: read
- issues: read
- discussions: read
- pages: read
- pull-requests: read
- repository-projects: read
- statuses: read
- attestations: read
- secrets: inherit
- with:
- skip_build: "none"
- skip_compliance_checks: "all"
- skip_unit_tests: "all"
- skip_sast: "all"
- skip_sca: "none"
- skip_docs: "all"
- skip_integration_tests: "non-required"
- output_type: "table"
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
deleted file mode 100644
index f729134ff..000000000
--- a/.github/workflows/pr.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-name: pr
-
-permissions: {}
-
-on:
- pull_request:
- branches:
- - master
- - develop
-
-defaults:
- run:
- shell: bash
-
-jobs:
- ci:
- uses: ./.github/workflows/.reusable-ci.yml
- permissions:
- packages: write
- contents: write
- id-token: write
- security-events: write
- actions: read
- checks: read
- deployments: read
- issues: read
- discussions: read
- pages: read
- pull-requests: read
- repository-projects: read
- statuses: read
- attestations: read
- secrets: inherit
- with:
- skip_build: 'none'
- skip_compliance_checks: 'none'
- skip_unit_tests: 'none'
- skip_sast: 'none'
- skip_sca: 'none'
- skip_docs: 'none'
- skip_integration_tests: 'none'
- output_type: 'sarif'