From c7e0daa4ef03aa12e2cc100b2a9fd0e380b59e2a Mon Sep 17 00:00:00 2001 
From: Jigar Joshi Date: Tue, 7 Jan 2025 14:32:57 +0530 Subject: [PATCH 1/2] workflow disabled and made manual as per the required run --- .github/workflows/check-actions.yaml | 28 -- .github/workflows/cli.yaml | 86 ----- .github/workflows/codecov.yaml | 46 --- .github/workflows/comment-commands.yaml | 26 -- .github/workflows/conformance.yaml | 5 +- .github/workflows/devcontainer-build.yaml | 32 -- .github/workflows/fossa.yml | 41 --- .github/workflows/helm-release.yaml | 114 ------ .github/workflows/helm-test.yaml | 65 ---- .github/workflows/images-build.yaml | 40 -- .github/workflows/images-publish.yaml | 231 ------------ .github/workflows/lint.yaml | 47 --- .github/workflows/load-testing.yml | 326 ----------------- .github/workflows/nancy.yaml | 37 -- .github/workflows/pr-update.yaml | 33 -- .github/workflows/release.yaml | 345 ------------------ .../workflows/report-on-vulnerabilities.yaml | 109 ------ .github/workflows/scorecard.yaml | 45 --- .github/workflows/sonarcloud.yaml | 43 --- .github/workflows/tests.yaml | 38 -- .github/workflows/verify-codegen.yaml | 36 -- 21 files changed, 1 insertion(+), 1772 deletions(-) delete mode 100644 .github/workflows/check-actions.yaml delete mode 100644 .github/workflows/cli.yaml delete mode 100644 .github/workflows/codecov.yaml delete mode 100644 .github/workflows/comment-commands.yaml delete mode 100644 .github/workflows/devcontainer-build.yaml delete mode 100644 .github/workflows/fossa.yml delete mode 100644 .github/workflows/helm-release.yaml delete mode 100644 .github/workflows/helm-test.yaml delete mode 100644 .github/workflows/images-build.yaml delete mode 100644 .github/workflows/images-publish.yaml delete mode 100644 .github/workflows/lint.yaml delete mode 100644 .github/workflows/load-testing.yml delete mode 100644 .github/workflows/nancy.yaml delete mode 100644 .github/workflows/pr-update.yaml delete mode 100644 .github/workflows/release.yaml delete mode 100644 .github/workflows/report-on-vulnerabilities.yaml 
delete mode 100644 .github/workflows/scorecard.yaml delete mode 100644 .github/workflows/sonarcloud.yaml delete mode 100644 .github/workflows/tests.yaml delete mode 100644 .github/workflows/verify-codegen.yaml diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml deleted file mode 100644 index 74c3485fa58c..000000000000 --- a/.github/workflows/check-actions.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Check actions - -permissions: {} - -on: - push: - branches: - - '*' - pull_request: - branches: - - 'main' - - 'release*' - -jobs: - check: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Ensure SHA pinned actions - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3 - with: - # slsa-github-generator requires using a semver tag for reusable workflows. - # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators - allowlist: | - slsa-framework/slsa-github-generator diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml deleted file mode 100644 index 03028fae4f04..000000000000 --- a/.github/workflows/cli.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: cli - -permissions: {} - -on: - push: - branches: - - 'main' - - 'release*' - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - cli-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: cli-test - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: Setup TEST_GIT_BRANCH - run: | - if [[ ${{ github.event_name }} == "push" ]] - then - echo "TEST_GIT_BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV - elif [[ ${{ github.event_name }} == "pull_request" ]] - then - echo "TEST_GIT_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV - fi - - name: Test CLI - run: | - KYVERNO_KUBECTL_VALIDATE=false VERSION=${{ github.ref_name }} make test-cli - - name: Test CLI (failures) - run: | - CLI_PATH=$PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno - $CLI_PATH test ./test/cli/test-fail/missing-policy && exit 1 || exit 0 - $CLI_PATH test ./test/cli/test-fail/missing-rule && exit 1 || exit 0 - $CLI_PATH test ./test/cli/test-fail/missing-resource && exit 1 || exit 0 - - kubectl-validate-cli-test: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: cli-test - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: Setup TEST_GIT_BRANCH - run: | - if [[ ${{ github.event_name }} == "push" ]] - then - echo "TEST_GIT_BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV - elif [[ ${{ 
github.event_name }} == "pull_request" ]] - then - echo "TEST_GIT_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV - fi - - name: Test CLI - run: | - VERSION=${{ github.ref_name }} make test-cli - - name: Test CLI (failures) - run: | - CLI_PATH=$PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno - KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-policy && exit 1 || exit 0 - KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-rule && exit 1 || exit 0 - KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-resource && exit 1 || exit 0 diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml deleted file mode 100644 index 8384c3991e60..000000000000 --- a/.github/workflows/codecov.yaml +++ /dev/null @@ -1,46 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Codecov - -permissions: {} - -on: - push: - branches: - - '*' - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - codecov: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: codecov - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - with: - free-disk-space: false - - name: Generate Code Coverage Report - run: make code-cov-report - - name: Upload Report to Codecov - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1 - with: - files: ./coverage.out - fail_ci_if_error: true - verbose: true - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/comment-commands.yaml b/.github/workflows/comment-commands.yaml deleted file mode 100644 index 775552708ee8..000000000000 
--- a/.github/workflows/comment-commands.yaml +++ /dev/null @@ -1,26 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Issue and PR comment commands - -permissions: {} - -on: - issue_comment: - types: - - created - - edited - -jobs: - execute: - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - steps: - - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3 - with: - prow-commands: '/assign - /unassign - /lgtm - /milestone' - github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index de5b69deda1c..a03fe769c95d 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -5,10 +5,7 @@ name: Conformance tests permissions: {} on: - pull_request: - branches: - - "main" - - "release*" + workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/devcontainer-build.yaml b/.github/workflows/devcontainer-build.yaml deleted file mode 100644 index 1dc3ec0fca2d..000000000000 --- a/.github/workflows/devcontainer-build.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Build devcontainer - -permissions: {} - -on: - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - devcontainer-build: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Build devcontainer image - run: docker build .devcontainer - - name: Trivy Scan Image - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' 
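Review bot: The Conformance tests are left with no automatic trigger once `pull_request` is replaced by a bare `workflow_dispatch:` in the conformance.yaml hunk, so nothing in the repository still runs them before a change reaches `main` or `release*`, and the same now holds for every check deleted elsewhere in this patch. If the commit message's intent is "disabled and made manual", the conformance pattern is the safer one and should have been applied to the 20 deleted files too: check-actions.yaml (the SHA-pinning enforcement), the Trivy scans in images-build.yaml and images-publish.yaml, and report-on-vulnerabilities.yaml and scorecard.yaml are supply-chain controls that are now unrecoverable without a revert, whereas changing only their `on:` block to `workflow_dispatch:` keeps them reviewable and runnable on demand. I would also add a comment above the new trigger so the missing gate is explicit to the next reader, e.g. `# Manual-only: the pull_request trigger was removed; restore it before relying on this as a required check`. The `concurrency` group keyed on `github.ref` still applies to manual runs, which only means two dispatches on the same branch cancel each other.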
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml deleted file mode 100644 index bce2c2021507..000000000000 --- a/.github/workflows/fossa.yml +++ /dev/null @@ -1,41 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: FOSSA - -permissions: {} - -on: - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - fossa-scan: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Check secret - id: checksecret - uses: ./.github/actions/is-defined - with: - value: ${{ secrets.FOSSA_API_KEY }} - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - if: steps.checksecret.outputs.result == 'true' - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - with: - free-disk-space: false - - name: Run FOSSA analysis - if: steps.checksecret.outputs.result == 'true' - uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 - with: - api-key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml deleted file mode 100644 index 9466c8218e8b..000000000000 --- a/.github/workflows/helm-release.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: helm-release - -permissions: {} - -on: - push: - tags: - - 'kyverno-chart-v*' - - 'kyverno-policies-chart-v*' - - 'kyverno-chart-*' - - 'kyverno-policies-chart-*' - -jobs: - helm-tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.7 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Run chart-testing (lint) - run: ct lint --target-branch=main --check-version-increment=false --validate-maintainers=false - - linter-artifacthub: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: ah lint - - create-release: - runs-on: ubuntu-latest - needs: helm-tests - permissions: - contents: write - packages: write - id-token: write - pages: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 - with: - version: v3.10.3 - - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - - name: Set version - run: echo 
"RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - - - name: Create charts tmp directory - run: | - mkdir charts-tmp - if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-v"* ]]; then - cp -a charts/kyverno-policies charts-tmp/kyverno-policies - fi - if [[ "$RELEASE_VERSION" = "kyverno-chart-v"* ]]; then - cp -a charts/kyverno charts-tmp/kyverno - fi - if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-"* ]]; then - cp -a charts/kyverno-policies charts-tmp/kyverno-policies - fi - if [[ "$RELEASE_VERSION" = "kyverno-chart-"* ]]; then - cp -a charts/kyverno charts-tmp/kyverno - fi - - - name: Run chart-releaser - uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 #v1.7.0 - with: - token: "${{ secrets.GITHUB_TOKEN }}" - linting: off - charts_dir: charts-tmp - - - name: Login to GitHub Container Registry - run: | - helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - - - name: Publish OCI Charts - run: | - for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do - chart=${dir##*/} - echo "Found chart: ${chart}" - helm package charts-tmp/${chart} --destination .dist - helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest - cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') - done diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml deleted file mode 100644 index 41d5a89ced84..000000000000 --- a/.github/workflows/helm-test.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: helm-test - -permissions: {} - -on: - pull_request: - branches: - - main - - release* - paths: - - charts/** - - .github/workflows/helm-test.yaml - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - helm-tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: helm-tests - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: Setup python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 - with: - python-version: 3.7 - - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - - name: Run chart-testing (lint) - run: | - if [[ $(ct list-changed --target-branch=main) ]]; - then - ct lint --target-branch=main --check-version-increment=false --validate-maintainers=false - fi - - name: Setup test env - uses: ./.github/actions/setup-test-env - - name: Helm test - run: make helm-test - - name: Debug failure - if: failure() - uses: ./.github/actions/kyverno-logs - - linter-artifacthub: - runs-on: ubuntu-latest - container: - image: artifacthub/ah - options: --user root - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run ah lint - working-directory: ./charts/ - run: ah lint diff --git a/.github/workflows/images-build.yaml b/.github/workflows/images-build.yaml deleted file mode 100644 index 0460b4ec670e..000000000000 --- a/.github/workflows/images-build.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Build images - -permissions: {} - -on: - push: - branches: - - '*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - build-images: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: build-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: ko build - run: VERSION=${{ github.ref_name }} make ko-build-all - - name: Trivy Scan Image - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml deleted file mode 100644 index 94e937a9eb36..000000000000 --- a/.github/workflows/images-publish.yaml +++ /dev/null 
@@ -1,231 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Publish images - -permissions: {} - -on: - push: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - publish-images: - runs-on: ubuntu-latest - permissions: - packages: write - id-token: write - outputs: - kyverno-digest: ${{ steps.publish-kyverno.outputs.digest }} - kyverno-init-digest: ${{ steps.publish-kyverno-init.outputs.digest }} - background-controller-digest: ${{ steps.publish-background-controller.outputs.digest }} - cleanup-controller-digest: ${{ steps.publish-cleanup-controller.outputs.digest }} - cli-digest: ${{ steps.publish-cli.outputs.digest }} - reports-controller-digest: ${{ steps.publish-reports-controller.outputs.digest }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: publish-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 30 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Publish kyverno - id: publish-kyverno - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-kyverno - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: kyverno - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - 
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/kyverno - - name: Publish kyverno-init - id: publish-kyverno-init - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-kyverno-init - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: kyverno-init - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/kyverno-init - - name: Publish background-controller - id: publish-background-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-background-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: background-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/background-controller - - name: Publish cleanup-controller - id: publish-cleanup-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-cleanup-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: cleanup-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/cleanup-controller - - name: Publish cli - id: publish-cli - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-cli - registry: ghcr.io - registry-username: ${{ 
github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: cli - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/cli/kubectl-kyverno - - name: Publish reports-controller - id: publish-reports-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-reports-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: reports-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/reports-controller - - generate-kyverno-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyverno - digest: "${{ needs.publish-images.outputs.kyverno-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-kyverno-init-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyvernopre - digest: "${{ needs.publish-images.outputs.kyverno-init-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-background-controller-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/background-controller - digest: "${{ needs.publish-images.outputs.background-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-cleanup-controller-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/cleanup-controller - digest: "${{ needs.publish-images.outputs.cleanup-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-kyverno-cli-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyverno-cli - digest: "${{ needs.publish-images.outputs.cli-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-reports-controller-provenance: - needs: publish-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/reports-controller - digest: "${{ needs.publish-images.outputs.reports-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index c4e296bdfe21..000000000000 --- a/.github/workflows/lint.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Lint - -permissions: {} - -on: - push: - branches: - - '*' - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - tests: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: lint - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: golangci-lint - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 - with: - version: v1.54.2 - skip-cache: true - - name: go fmt check - run: make fmt-check - - name: goimports check - run: make imports-check - - name: Checking unused pkgs using go mod tidy - run: make unused-package-check - - name: Go vet - run: make vet diff --git a/.github/workflows/load-testing.yml b/.github/workflows/load-testing.yml deleted file mode 100644 index 504f526f918e..000000000000 --- a/.github/workflows/load-testing.yml +++ /dev/null 
@@ -1,326 +0,0 @@ -name: Load Tests - -permissions: {} - -on: - release: - types: [published] - pull_request: - branches: - - "main" - - "release*" - schedule: - - cron: "27 0 * * 0" - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - define-matrix: - runs-on: ubuntu-latest - outputs: - tests: ${{ steps.set-tests.outputs.tests }} - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Set Tests - id: set-tests - run: echo "tests=$(jq -c . < ./test/load/k6/${{ github.event_name }}-matrix.json)" >> $GITHUB_OUTPUT - - prepare-images: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: build-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - with: - free-disk-space: false - - name: ko build - shell: bash - run: | - set -e - VERSION=${{ github.ref_name }} make docker-save-image-all - - name: upload images archive - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - with: - name: kyverno.tar - path: kyverno.tar - retention-days: 1 - if-no-files-found: error - - old-load-test: - if: github.event_name == 'pull_request' - needs: - - prepare-images - outputs: - p95: ${{ steps.extract-p95.outputs.p95 }} - runs-on: ubuntu-latest - permissions: - packages: read - strategy: - fail-fast: false - matrix: - k8s-version: [v1.31.0] - steps: - - name: Checkout kyverno/kyverno - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Checkout kyverno/load-testing - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: kyverno/load-testing - path: load-testing - - name: Install Helm - id: helm - uses: 
azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - name: Create Kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - node_image: kindest/node:${{ matrix.k8s-version }} - cluster_name: kind - config: ./scripts/config/kind/default.yaml - - name: Download kyverno images archive - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: kyverno.tar - - name: Load Kyverno images archive in Kind cluster - shell: bash - run: | - set -e - kind load image-archive kyverno.tar --name kind - - name: Install Kyverno - shell: bash - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - export USE_CONFIG=default-with-profiling - $HELM repo add kyverno https://kyverno.github.io/kyverno/ - $HELM repo update - export INSTALL_VERSION=$($HELM search repo kyverno/kyverno -o json | jq -r '.[0].version') - export EXPLICIT_INSTALL_SETTINGS='--set admissionController.replicas=1 --set admissionController.resources.requests.cpu=100m --set admissionController.resources.limits.cpu=1500m --set admissionController.resources.requests.memory=128Mi --set admissionController.resources.limits.memory=384Mi' - make kind-install-kyverno-from-repo - - name: Wait for kyverno ready - uses: ./.github/actions/kyverno-wait-ready - - name: Install K6 - shell: bash - run: | - set -e - go install go.k6.io/xk6/cmd/xk6@latest - $(go env GOPATH)/bin/xk6 build --with github.com/grafana/xk6-dashboard@latest - mkdir -p $HOME/.local/bin && mv ./k6 $HOME/.local/bin - echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Run load tests using K6 - shell: bash - run: | - set -e - mkdir -p report - KYVERNO_NODE_IP=$(kubectl get nodes -o jsonpath='{.items[?(@.metadata.labels.kubernetes\.io/hostname=="kind-control-plane")].status.addresses[?(@.type=="InternalIP")].address}') - curl -s "http://$KYVERNO_NODE_IP:30950/debug/pprof/profile?seconds=90" > report/cpu.pprof & - cd load-testing - ./k6/run.sh 
k6/tests/kyverno-pss.js -e SCENARIO=average --out dashboard=export=load-report.html - wait %1 || true - mv load-report.html ../report - - name: Extract P(95) - id: extract-p95 - shell: bash - run: | - set -e - echo "p95=$(grep http_req_duration load-testing/test-output.log | awk -F 'p\\(95\\)=' '{split($2,a,\"ms\"); print a[1]}')" >> $GITHUB_OUTPUT - echo $GITHUB_OUTPUT - - name: Debug failure - if: failure() - uses: ./.github/actions/kyverno-logs - - load-test: - if: github.event_name == 'pull_request' - needs: - - prepare-images - - old-load-test - runs-on: ubuntu-latest - permissions: - packages: read - strategy: - fail-fast: false - matrix: - k8s-version: [v1.31.0] - steps: - - name: Checkout kyverno/kyverno - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Checkout kyverno/load-testing - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: kyverno/load-testing - path: load-testing - - name: Install Helm - id: helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - name: Create Kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - node_image: kindest/node:${{ matrix.k8s-version }} - cluster_name: kind - config: ./scripts/config/kind/default.yaml - - name: Download kyverno images archive - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: kyverno.tar - - name: Load Kyverno images archive in Kind cluster - shell: bash - run: | - set -e - kind load image-archive kyverno.tar --name kind - - name: Install Kyverno - shell: bash - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - export USE_CONFIG=default-with-profiling - export EXPLICIT_INSTALL_SETTINGS='--set admissionController.replicas=1 --set admissionController.resources.requests.cpu=100m --set admissionController.resources.limits.cpu=1500m --set admissionController.resources.requests.memory=128Mi 
--set admissionController.resources.limits.memory=384Mi' - make kind-install-kyverno - - name: Wait for kyverno ready - uses: ./.github/actions/kyverno-wait-ready - - name: Install K6 - shell: bash - run: | - set -e - go install go.k6.io/xk6/cmd/xk6@latest - $(go env GOPATH)/bin/xk6 build --with github.com/grafana/xk6-dashboard@latest - mkdir -p $HOME/.local/bin && mv ./k6 $HOME/.local/bin - echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Run load tests using K6 - shell: bash - run: | - set -e - mkdir -p report - KYVERNO_NODE_IP=$(kubectl get nodes -o jsonpath='{.items[?(@.metadata.labels.kubernetes\.io/hostname=="kind-control-plane")].status.addresses[?(@.type=="InternalIP")].address}') - curl -s "http://$KYVERNO_NODE_IP:30950/debug/pprof/profile?seconds=90" > report/cpu.pprof & - cd load-testing - ./k6/run.sh k6/tests/kyverno-pss.js -e SCENARIO=average --out dashboard=export=load-report.html - wait %1 || true - mv load-report.html ../report - - name: Compare P(95) - shell: bash - run: | - set -e - echo "Old P(95): ${{ needs.old-load-test.outputs.p95 }}" - OLD_NUM=${{ needs.old-load-test.outputs.p95 }} - NEW_NUM=$(grep http_req_duration load-testing/test-output.log | awk -F 'p\\(95\\)=' '{split($2,a,"ms"); print a[1]}') - echo "$OLD_NUM to $NEW_NUM" - if [ $(echo "$OLD_NUM < $NEW_NUM" | bc) -eq 1 ]; then - echo "P(95) increased from $OLD_NUM to $NEW_NUM" - exit 1 - fi - - name: Archive Report - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - with: - name: load-test-report.html - path: report - - name: Debug failure - if: failure() - uses: ./.github/actions/kyverno-logs - - scale-test: - if: github.event_name == 'pull_request' - needs: - - define-matrix - - prepare-images - runs-on: ubuntu-latest - permissions: - packages: read - strategy: - fail-fast: false - matrix: - k8s-version: [v1.31.0] - test: ${{ fromJson(needs.define-matrix.outputs.tests) }} - steps: - - name: Checkout kyverno/kyverno - uses: 
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Checkout kyverno/load-testing - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - repository: kyverno/load-testing - path: load-testing - - name: Install Helm - id: helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - - name: Create Kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - node_image: kindest/node:${{ matrix.k8s-version }} - cluster_name: kind - config: ./scripts/config/kind/default.yaml - - name: Download kyverno images archive - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: kyverno.tar - - name: Load Kyverno images archive in Kind cluster - shell: bash - run: | - set -e - kind load image-archive kyverno.tar --name kind - - name: Install Metrics Server and Prometheus - shell: bash - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - make dev-lab-metrics-server dev-lab-prometheus - - name: Install Kyverno - shell: bash - run: | - set -e - export HELM=${{ steps.helm.outputs.helm-path }} - export USE_CONFIG=default-with-profiling - export EXPLICIT_INSTALL_SETTINGS='--set admissionController.replicas=${{ matrix.test.replicas }} --set admissionController.serviceMonitor.enabled=true --set reportsController.serviceMonitor.enabled=true --set admissionController.container.resources.requests.cpu=${{ matrix.test.cpu_request }} --set admissionController.container.resources.requests.memory=${{ matrix.test.memory_request }} --set admissionController.container.resources.limits.memory=${{ matrix.test.memory_limit }} --set reportsController.resources.limits.memory=10Gi' - make kind-install-kyverno - - name: Wait for kyverno ready - uses: ./.github/actions/kyverno-wait-ready - - name: Install K6 - shell: bash - run: | - set -e - go install go.k6.io/xk6/cmd/xk6@latest - $(go env GOPATH)/bin/xk6 build --with 
github.com/grafana/xk6-dashboard@latest - mkdir -p $HOME/.local/bin && mv ./k6 $HOME/.local/bin - echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Run load tests using K6 - shell: bash - run: | - set -e - mkdir -p report - KYVERNO_NODE_IP=$(kubectl get nodes -o jsonpath='{.items[?(@.metadata.labels.kubernetes\.io/hostname=="kind-control-plane")].status.addresses[?(@.type=="InternalIP")].address}') - curl -s "http://$KYVERNO_NODE_IP:30950/debug/pprof/profile?seconds=30" > report/cpu.pprof & - cd load-testing - ./k6/run.sh k6/tests/${{ matrix.test.name }}.js -e SCENARIO=${{ matrix.test.scenario }} --vus ${{ matrix.test.concurrent_connections }} --iterations ${{ matrix.test.total_iterations }} ${{ matrix.test.extra_options }} --out dashboard=export=load-report.html - wait %1 || true - mv load-report.html ../report - - name: Collect Resource Metrics - shell: bash - run: | - set -e - kubectl port-forward --address 127.0.0.1 svc/kube-prometheus-stack-prometheus 9090:9090 -n monitoring & - sleep 3 - curl -s "http://127.0.0.1:9090/prometheus/api/v1/query?query=$(echo -n "rate(container_cpu_usage_seconds_total{image=\"$(make kind-admission-controller-image-name)\"}[1m])" | jq -sRr @uri)" > report/cpu-usage.json - curl -s "http://127.0.0.1:9090/prometheus/api/v1/query?query=$(echo -n "max_over_time(container_memory_working_set_bytes{image=\"$(make kind-admission-controller-image-name)\"}[1m])/(2^20)" | jq -sRr @uri)" > report/memory-usage.json - kill %1 || true - - name: Collect Report Metrics - shell: bash - run: | - set -e - sleep 60 - ./test/load/k6/reports-size-in-etcd.sh > report/reports-size-in-etcd.txt - - name: Archive Report - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - with: - name: report-${{ matrix.k8s-version }}-${{ matrix.test.name }}-${{ matrix.test.scenario }}-${{ matrix.test.replicas }}-${{ matrix.test.cpu_request }}-${{ matrix.test.memory_request }}-${{ matrix.test.memory_limit }}-${{ matrix.test.concurrent_connections 
}} - path: report - - name: Debug failure - # if: failure() - uses: ./.github/actions/kyverno-logs diff --git a/.github/workflows/nancy.yaml b/.github/workflows/nancy.yaml deleted file mode 100644 index d0d0dc2e0045..000000000000 --- a/.github/workflows/nancy.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Nancy - -permissions: {} - -on: - push: - branches: - - '*' - pull_request: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - nancy: - runs-on: ubuntu-latest - name: Nancy - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: WriteGoList - run: go list -json -deps ./... > go.list - - name: Nancy SAST Scan - uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3 diff --git a/.github/workflows/pr-update.yaml b/.github/workflows/pr-update.yaml deleted file mode 100644 index 116ac89ce7e9..000000000000 --- a/.github/workflows/pr-update.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: PR update - -permissions: {} - -on: - push: - branches: - - 'main' - - 'release-*' - -jobs: - autoupdate: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Check secret - id: checksecret - uses: ./.github/actions/is-defined - with: - value: ${{ secrets.PR_UPDATE_TOKEN }} - - name: Automatically update PR - if: steps.checksecret.outputs.result == 'true' - uses: adRise/update-pr-branch@cd305ecbd76bf63056c9400ce2c725293fc3e0c0 # v0.7.0 - with: - token: ${{ secrets.PR_UPDATE_TOKEN }} - base: ${{ github.ref_name }} - required_approval_count: 1 - require_passed_checks: false - sort: updated - direction: asc diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index a25386e06fdf..000000000000 --- a/.github/workflows/release.yaml +++ /dev/null 
@@ -1,345 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: releaser - -permissions: {} - -on: - push: - tags: - - 'v*' - -jobs: - release-images: - runs-on: ubuntu-latest - permissions: - packages: write - id-token: write - outputs: - kyverno-digest: ${{ steps.release-kyverno.outputs.digest }} - kyverno-init-digest: ${{ steps.release-kyverno-init.outputs.digest }} - background-controller-digest: ${{ steps.release-background-controller.outputs.digest }} - cleanup-controller-digest: ${{ steps.release-cleanup-controller.outputs.digest }} - cli-digest: ${{ steps.release-cli.outputs.digest }} - reports-controller-digest: ${{ steps.release-reports-controller.outputs.digest }} - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - with: - build-cache-key: release-images - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 30 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Publish kyverno - id: release-kyverno - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-kyverno - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: kyverno - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/kyverno - - name: Publish 
kyverno-init - id: release-kyverno-init - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-kyverno-init - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: kyverno-init - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/kyverno-init - - name: Publish background-controller - id: release-background-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-background-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: background-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/background-controller - - name: Publish cleanup-controller - id: release-cleanup-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-cleanup-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: cleanup-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/cleanup-controller - - name: Publish cli - id: release-cli - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-cli - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - 
version: ${{ github.ref_name }} - sign-image: true - sbom-name: cli - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/cli/kubectl-kyverno - - name: Publish reports-controller - id: release-reports-controller - uses: ./.github/actions/publish-image - with: - makefile-target: ko-publish-reports-controller - registry: ghcr.io - registry-username: ${{ github.actor }} - registry-password: ${{ secrets.GITHUB_TOKEN }} - repository: ${{ github.repository_owner }} - version: ${{ github.ref_name }} - sign-image: true - sbom-name: reports-controller - sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom - signature-repository: ghcr.io/${{ github.repository_owner }}/signatures - main-path: ./cmd/reports-controller - - generate-kyverno-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyverno - digest: "${{ needs.release-images.outputs.kyverno-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-kyverno-init-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyvernopre - digest: "${{ needs.release-images.outputs.kyverno-init-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-background-controller-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/background-controller - digest: "${{ needs.release-images.outputs.background-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-cleanup-controller-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/cleanup-controller - digest: "${{ needs.release-images.outputs.cleanup-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-kyverno-cli-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/kyverno-cli - digest: "${{ needs.release-images.outputs.cli-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - generate-reports-controller-provenance: - needs: release-images - permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read # To read the workflow path. - # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 - with: - image: ghcr.io/${{ github.repository_owner }}/reports-controller - digest: "${{ needs.release-images.outputs.reports-controller-digest }}" - registry-username: ${{ github.actor }} - secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - create-release: - runs-on: ubuntu-latest - needs: release-images - permissions: - contents: write - id-token: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 30 - - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0 - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Make Release - env: - VERSION: ${{ github.ref_name }} - run: | - rm -rf release - mkdir release - make release-notes > release/release-notes.out - cat release/release-notes.out - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 - with: - version: latest - args: release --clean --timeout 90m 
--release-notes=release/release-notes.out - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - push-and-sign-install-manifest: - runs-on: ubuntu-latest - needs: create-release - permissions: - contents: write # needed to write releases - id-token: write # needed for keyless signing - packages: write # needed for ghcr access - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: Setup Flux CLI - uses: fluxcd/flux2/action@5c5c15ea212b8f029a110f9975851d25c8272695 # v2.2.2 - with: - version: 0.35.0 - - name: Install Cosign - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - - name: Build yaml manifest - run: VERSION=${{ github.ref_name }} make codegen-manifest-release - - name: Upload install manifest - uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # 2.7.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: .manifest/release.yaml - asset_name: install.yaml - tag: ${{ github.ref }} - - name: Upload CRD manifest - uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # 2.7.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: config/crds/**/*.yaml - file_glob: true - tag: ${{ github.ref }} - - name: Login to GHCR - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Push manifests to GHCR with Flux - env: - CR_PAT_ARTIFACTS: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - mkdir -p config/.release-manifests - cp .manifest/release.yaml config/.release-manifests/install.yaml - cd config/.release-manifests/ && \ - flux push artifact oci://ghcr.io/${{ github.repository_owner 
}}/manifests/kyverno:${{ github.ref_name }} \ - --path="." \ - --source="$(git config --get remote.origin.url)" \ - --revision="${{ github.ref_name }}/$(git rev-parse HEAD)" - - name: Sign manifests in GHCR with Cosign - run: | - cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }} - - release-cli-via-krew: - runs-on: ubuntu-latest - needs: create-release - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Setup caches - uses: ./.github/actions/setup-caches - timeout-minutes: 5 - continue-on-error: true - - name: Setup build env - uses: ./.github/actions/setup-build-env - timeout-minutes: 10 - - name: Check Tag - id: check-tag - run: | - if [[ ${{ github.event.ref }} =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "match=true" >> $GITHUB_OUTPUT - fi - - name: Update new version in krew-index - if: steps.check-tag.outputs.match == 'true' - uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46 diff --git a/.github/workflows/report-on-vulnerabilities.yaml b/.github/workflows/report-on-vulnerabilities.yaml deleted file mode 100644 index 06dd49626139..000000000000 --- a/.github/workflows/report-on-vulnerabilities.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: report-on-vulnerabilities - -permissions: {} - -on: - workflow_dispatch: {} - schedule: - - cron: '23 2 * * *' # Every day at 02:23 - -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} - -jobs: - scan: - runs-on: ubuntu-latest - outputs: - results: ${{ steps.parse-results.outputs.results }} - steps: - - name: Get Branches Name - id: get-branches - run: | - all_branches=$(curl -s https://api.github.com/repos/${{ env.IMAGE_NAME }}/branches | jq -r '.[].name | select(startswith("release-"))' | sort -rV | head -n 2) - releasebranch1=$(echo "$all_branches" | sed -n 1p) - releasebranch2=$(echo "$all_branches" | sed -n 2p) - - echo "releasebranch1=$releasebranch1" >> $GITHUB_OUTPUT - echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT - - - name: Scan for vulnerabilities in latest image - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.8.0 (Trivy v0.34.0) - - with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - format: json - ignore-unfixed: false - severity: HIGH,CRITICAL - output: scan1.json - - - name: Scan for vulnerabilities in latest-1 image - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.8.0 (Trivy v0.34.0) - with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }} - format: json - ignore-unfixed: false - severity: HIGH,CRITICAL - output: scan2.json - - - name: Scan for vulnerabilities in latest-2 image - uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.8.0 (Trivy v0.34.0) - with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 }} - format: json - ignore-unfixed: false - severity: HIGH,CRITICAL - output: scan3.json - - - name: Merge scan results - id: merge-results - run: | - jq -s add scan1.json scan2.json scan3.json > scan.json 
- cat scan.json - - - name: Parse scan results - id: parse-results - continue-on-error: true - run: | - VULNS=$(cat scan.json | jq '.Results[] | select(.Target=="ko-app/kyverno").Vulnerabilities | length') - if [[ $VULNS -eq 0 ]] - then - echo "No vulnerabilities found, halting" - echo "results=nothing" >> $GITHUB_OUTPUT - else - echo "Vulnerabilities found, creating issue" - echo "results=found" >> $GITHUB_OUTPUT - fi - - - name: Upload vulnerability scan report - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if: steps.parse-results.outputs.results == 'found' - with: - name: scan.json - path: scan.json - if-no-files-found: error - - open-issue: - runs-on: ubuntu-latest - if: needs.scan.outputs.results == 'found' - needs: scan - permissions: - issues: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download scan - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: scan.json - - name: Set scan output - id: set-scan-output - run: echo "results=$(cat scan.json | jq -c)" >> $GITHUB_OUTPUT - - uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # v2.9.1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - RESULTS: ${{ steps.set-scan-output.outputs.results }} - with: - filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml deleted file mode 100644 index d7b207a3ea5d..000000000000 --- a/.github/workflows/scorecard.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json - -name: Scorecards supply-chain security - -permissions: {} - -on: - schedule: - - cron: '30 1 * * 6' - push: - branches: - - main - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - analysis: - runs-on: ubuntu-latest - permissions: - security-events: write - id-token: write - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Run analysis - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 - with: - results_file: results.sarif - results_format: sarif - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - publish_results: true - - name: Upload artifact - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 - with: - sarif_file: results.sarif diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml deleted file mode 100644 index 97ab5ef21578..000000000000 --- a/.github/workflows/sonarcloud.yaml +++ /dev/null 
@@ -1,43 +0,0 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-name: Sonarcloud workflow
-
-permissions: {}
-
-on:
- push:
- branches:
- - 'main'
- - 'release*'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- sonarcloud:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Check secret
- id: checksecret
- uses: ./.github/actions/is-defined
- with:
- value: ${{ secrets.SONAR_TOKEN }}
- - name: Setup caches
- uses: ./.github/actions/setup-caches
- timeout-minutes: 5
- continue-on-error: true
- - name: Setup build env
- if: steps.checksecret.outputs.result == 'true'
- uses: ./.github/actions/setup-build-env
- timeout-minutes: 10
- with:
- free-disk-space: false
- - name: SonarCloud Scan
- if: steps.checksecret.outputs.result == 'true'
- uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
- env:
- GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
deleted file mode 100644
index 7a699c87adaa..000000000000
--- a/.github/workflows/tests.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-name: Tests
-
-permissions: {}
-
-on:
- push:
- branches:
- - '*'
- pull_request:
- branches:
- - 'main'
- - 'release*'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- tests:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Setup caches
- uses: ./.github/actions/setup-caches
- timeout-minutes: 5
- continue-on-error: true
- with:
- build-cache-key: tests
- - name: Setup build env
- uses: ./.github/actions/setup-build-env
- timeout-minutes: 10
- with:
- free-disk-space: false
- - name: Unit test
- run: make test-unit
diff --git a/.github/workflows/verify-codegen.yaml b/.github/workflows/verify-codegen.yaml
deleted file mode 100644
index de9ec4223feb..000000000000
--- a/.github/workflows/verify-codegen.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
-name: Verify codegen
-
-permissions: {}
-
-on:
- push:
- branches:
- - '*'
- pull_request:
- branches:
- - 'main'
- - 'release*'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- verify-codegen:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- - name: Setup caches
- uses: ./.github/actions/setup-caches
- timeout-minutes: 5
- continue-on-error: true
- with:
- build-cache-key: verify-codegen
- - name: Setup build env
- uses: ./.github/actions/setup-build-env
- timeout-minutes: 10
- - name: Verify generated code is up to date
- run: make verify-codegen
From 8fb35f592b62ac4892baac9dc0e25790af50dc01 Mon Sep 17 00:00:00 2001
From: Jigar Joshi Date: Tue, 7 Jan 2025 19:17:04 +0530 Subject: [PATCH 2/2] workflow_dispatch added to the lint job --- .github/workflows/lint.yaml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/lint.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 000000000000..5c417088a0cf
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Lint
+
+permissions: {}
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - 'main'
+ - 'release*'
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Setup caches
+ uses: ./.github/actions/setup-caches
+ timeout-minutes: 5
+ continue-on-error: true
+ with:
+ build-cache-key: lint
+ - name: Setup build env
+ uses: ./.github/actions/setup-build-env
+ timeout-minutes: 10
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+ with:
+ version: v1.54.2
+ skip-cache: true
+ - name: go fmt check
+ run: make fmt-check
+ - name: goimports check
+ run: make imports-check
+ - name: Checking unused pkgs using go mod tidy
+ run: make unused-package-check
+ - name: Go vet
+ run: make vet
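Review bot: The series subject says the workflow was disabled and made manual, but the `on:` block of the new lint.yaml keeps `push` on branch `'*'` and `pull_request` next to the added `workflow_dispatch:`, so the job still runs automatically on every branch push; if manual-only was intended, remove the `push` and `pull_request` entries and keep only `workflow_dispatch:`. The job id `tests:` under `jobs:` is carried over from the deleted tests.yaml and reads wrong under `name: Lint`; `lint:` would match the workflow and the `build-cache-key: lint` value. `permissions: {}` and the SHA-pinned `uses:` lines are worth keeping exactly as written, since none of the visible steps needs a writable token. The job also calls `./.github/actions/setup-caches` and `./.github/actions/setup-build-env`, which this series does not touch; confirm those composite actions are still present after the first patch's deletions, or a dispatched run will fail at those steps.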