DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CI updates (#9440)

Browse source 
* add labels to dependabot prs

Signed-off-by: cpanato <ctadeu@gmail.com>

* sync hashes and versions dependabot can update the version comment now

Signed-off-by: cpanato <ctadeu@gmail.com>

Signed-off-by: cpanato <ctadeu@gmail.com>
This commit is contained in:
Carlos Tadeu Panato Junior 2022-12-22 16:37:26 +01:00 committed by João Henri
parent 87c9fefaf6
commit 3aa908b588
10 changed files with 86 additions and 77 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
.github/dependabot.yml vendored
View file

@ -5,7 +5,15 @@ updates:
directory: "/"
schedule:
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"

4
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2
uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2

10
.github/workflows/docs.yaml vendored
View file

@ -22,11 +22,10 @@ jobs:
charts: ${{ steps.filter.outputs.charts }}
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
@ -47,11 +46,10 @@ jobs:
contents: write # needed to write releases
steps:
- name: Checkout master
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Deploy
uses: ./.github/actions/mkdocs
env:
PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

14
.github/workflows/helm.yaml vendored
View file

@ -22,11 +22,10 @@ jobs:
charts: ${{ steps.filter.outputs.charts }}
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
@ -49,9 +48,8 @@ jobs:
(needs.changes.outputs.charts == 'true')
steps:
- name: Checkout master
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0
@ -61,12 +59,12 @@ jobs:
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser
uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f #v1.4.1
uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1
env:
CR_SKIP_EXISTING: "false"
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with:
charts_dir: charts
charts_dir: charts

13
.github/workflows/junit-reports.yaml vendored
View file

@ -1,4 +1,5 @@
name: 'E2E Test Report'
on:
workflow_run:
workflows: ['CI'] # runs after CI workflow
@ -8,9 +9,9 @@ jobs:
report:
runs-on: ubuntu-latest
steps:
- uses: dorny/test-reporter@v1
with:
artifact: /e2e-test-reports-(.*)/
name: JEST Tests $1 # Name of the check run which will be created
path: 'report*.xml' # Path to test results (inside artifact .zip)
reporter: jest-junit # Format of test results
- uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
with:
artifact: /e2e-test-reports-(.*)/
name: JEST Tests $1 # Name of the check run which will be created
path: 'report*.xml' # Path to test results (inside artifact .zip)
reporter: jest-junit # Format of test results

7
.github/workflows/perftest.yaml vendored
View file

@ -1,4 +1,5 @@
name: Performance Test
on:
workflow_dispatch:
inputs:
@ -18,7 +19,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Install K6
run: |
@ -33,7 +34,7 @@ jobs:
mkdir $HOME/.kube
make dev-env
podName=`kubectl -n ingress-nginx get po | grep -i controller | awk '{print $1}'`
if [[ -z ${podName} ]] ; then
if [[ -z ${podName} ]] ; then
sleep 5
fi
kubectl wait pod -n ingress-nginx --for condition=Ready $podName
@ -46,7 +47,7 @@ jobs:
kubectl create ing k6 --class nginx \
--rule test.ingress-nginx-controller.ga/*=k6:80
podName=`kubectl get po | grep -i k6 | awk '{print $1}'`
if [[ -z ${podName} ]] ; then
if [[ -z ${podName} ]] ; then
sleep 5
fi
kubectl wait pod --for condition=Ready $podName

9
.github/workflows/plugin.yaml vendored
View file

@ -17,17 +17,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: 1.19.4
go-version: 1.19
check-latest: true
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3.0.0
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
with:
version: latest
args: release --rm-dist

4
.github/workflows/project.yml vendored
View file

@ -11,9 +11,9 @@ jobs:
runs-on: ubuntu-latest
permissions:
repository-projects: write
issues: write
issues: write
steps:
- uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 #v0.4.0
- uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 # v0.4.0
with:
project-url: https://github.com/orgs/kubernetes/projects/104
github-token: ${{ secrets.PROJECT_WRITER }}

20
.github/workflows/scorecards.yml vendored
View file

@ -1,11 +1,13 @@
name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
- cron: '20 11 * * 5'
push:
branches: [ "main" ]
branches:
- "main"
# Declare default permissions as read only.
permissions: read-all
@ -22,15 +24,15 @@ jobs:
# Needs for private repositories.
contents: read
actions: read
steps:
- name: "Checkout code"
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
with:
results_file: results.sarif
results_format: sarif
@ -41,22 +43,22 @@ jobs:
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14
uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
with:
sarif_file: results.sarif

72
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }}
steps:
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
fetch-depth: 0
@ -46,47 +46,47 @@ jobs:
scan:
runs-on: ubuntu-latest
needs: version
needs: version
strategy:
matrix:
versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps:
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- shell: bash
id: test
run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
- shell: bash
id: test
run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'
output: trivy-results-${{ matrix.versions }}.sarif
exit-code: 0
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'
output: trivy-results-${{ matrix.versions }}.sarif
exit-code: 0
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
- name: Output Sarif File
shell: bash
run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
- name: Output Sarif File
shell: bash
run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
- name: Vulz Count
shell: bash
run: |
TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
echo "TRIVY_COUNT: $TRIVY_COUNT"
echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
- name: Vulz Count
shell: bash
run: |
TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
echo "TRIVY_COUNT: $TRIVY_COUNT"
echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY