diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml index be02cfa..3089d2b 100644 --- a/.github/workflows/ci-docs-shim.yaml +++ b/.github/workflows/ci-docs-shim.yaml @@ -6,15 +6,13 @@ on: types: [milestoned, opened, synchronize] jobs: - run-test: - name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: "ubuntu-latest" - timeout-minutes: 20 + validate: strategy: matrix: - flavor: [upstream, registry1, unicorn] type: [install, upgrade] - steps: - - name: Shim for ${{ matrix.type }} ${{ matrix.flavor }} - run: | - echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.flavor }} as successful." + flavor: [upstream, registry1, unicorn] + uses: defenseunicorns/uds-common/.github/workflows/callable-ci-docs-shim.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + flavor: ${{ matrix.flavor }} + type: ${{ matrix.type }} + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 3b08979..16072c8 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,15 +1,10 @@ name: Metadata on: - # This workflow is triggered on pull requests to the main branch. pull_request: branches: [main] types: [milestoned, opened, edited, synchronize] - # This allows other repositories to call this workflow in a reusable way - workflow_call: - jobs: validate: - name: Validate - uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index a61bc01..d4a6dde 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
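Review bot: `secrets: inherit` on the new `validate` job forwards every repository and organization secret to the callable docs shim, whereas the job it replaces only echoed a message and used no secrets at all; unless callable-ci-docs-shim.yaml declares secrets it needs, drop the line or pass the specific ones it declares. The same widening appears in the lint.yaml, scorecard.yaml, test.yaml and release.yaml hunks below, and in scorecard.yaml it replaces a job that previously received only `SCORECARD_READ_TOKEN`. Separately, the shim's trigger keeps `types: [milestoned, opened, synchronize]` while lint.yaml in this same commit adds `reopened`, so a reopened docs-only PR would get the lint status but never the shim's required-check result; `types: [milestoned, opened, reopened, synchronize]` keeps the two consistent.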
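Review bot: Removing the `workflow_call:` trigger from commitlint.yaml is a breaking change for any repository that referenced this file with `uses: <owner>/<repo>/.github/workflows/commitlint.yaml@...`, which the deleted comment says was a supported use; such callers will now fail with a "workflow is not reusable" error rather than degrade gracefully. If no external consumers remain, a line in the commit description saying so would be enough; otherwise keep `workflow_call:` alongside `pull_request:` until they have moved to the uds-common callable.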
@@ -3,33 +3,10 @@ name: Scan on: # This workflow is triggered on pull requests to the main branch. pull_request: - branches: [main] - types: [milestoned, opened, synchronize] + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] jobs: validate: - runs-on: ubuntu-latest - name: Lint - permissions: - contents: read # Allows reading the repo contents - - steps: - - name: Checkout - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 0 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - - - name: Install lint deps - run: | - uds run lint:deps - - - name: Lint the repository - run: | - uds run lint:yaml + uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + secrets: inherit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..ead8a14 --- /dev/null +++ b/.github/workflows/release.yaml 
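Review bot: The explicit `permissions: contents: read` on the old lint job is dropped and nothing replaces it on the new `validate` job, so the callable now runs with whatever default GITHUB_TOKEN permissions the repository grants instead of read-only; scorecard.yaml in this same commit keeps a job-level `permissions:` block, so this hunk is also inconsistent with it. Add `permissions:` / `  contents: read` under `validate:` (a job that `uses:` a reusable workflow may declare `permissions`). The removal of `branches: [main]` also means lint now runs for PRs against every branch; if that is intended it deserves a word in the comment that was added for `milestoned`.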
@@ -0,0 +1,46 @@ +name: Release + +on: + push: + branches: + - main + +# Permissions for the GITHUB_TOKEN used by the workflow. +permissions: + contents: read # Allows reading the content of the repository. + packages: read # Allows reading the content of the repository's packages. + id-token: write + +jobs: + tag-new-version: + permissions: write-all + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release-flag.outputs.release_created }} + steps: + - name: Create Release Tag + id: tag + uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 + - id: release-flag + run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT" + + publish: + permissions: + contents: read # Allows reading the content of the repository. + packages: write # Allows reading the content of the repository's packages. + id-token: write + needs: tag-new-version + if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + architecture: [amd64, arm64] + exclude: + - flavor: registry1 + architecture: arm64 + uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + flavor: ${{ matrix.flavor }} + runsOn: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'uds-swf-ubuntu-big-boy-4-core' }} + reports-path: "tests/.playwright/reports/" + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index c567996..a177f87 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
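Review bot: `permissions: write-all` on `tag-new-version` grants the token every scope (including `id-token` and `security-events`) to a job that only runs release-please; the workflow-level block above it already shows the intended least-privilege style, so narrow it to `permissions:` / `  contents: write` / `  pull-requests: write`, which is what release-please needs to push tags and manage its release PR. The comment on the `publish` job's `packages: write` line still reads `# Allows reading the content of the repository's packages.`, copied from the read-only entry above; it should say the job pushes packages. `id-token: write` at the workflow level is then redundant with the job-level grants and could be removed to keep the top block read-only.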
@@ -11,40 +11,11 @@ on: permissions: read-all jobs: - analysis: - name: Scorecards analysis - runs-on: ubuntu-latest + validate: permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Used to receive a badge. id-token: write - - steps: - - name: "Checkout code" - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 - with: - results_file: results.sarif - results_format: sarif - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 - with: - sarif_file: results.sarif + uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + secrets: inherit diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml deleted file mode 100644 index 7c8bac2..0000000 --- a/.github/workflows/tag-and-release.yaml +++ /dev/null 
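Review bot: The deleted steps carried two settings that matter for a Scorecard run and that the caller can no longer see or control: `persist-credentials: false` on the checkout and `publish_results: true` on the scorecard action; nothing in the new `validate` job documents that callable-scorecard.yaml preserves them, so a short comment above `uses:` stating which inputs the callable fixes (or confirming it sets both) would save the next reader a trip to uds-common. The retained `permissions:` block is the right pattern and is what lint.yaml in this commit is missing.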
@@ -1,51 +0,0 @@ -name: Publish UDS Package Jenkins - -on: - push: - branches: - - main - -jobs: - tag-new-version: - name: Tag New Version - permissions: write-all - runs-on: ubuntu-latest - outputs: - release_created: ${{ steps.release-flag.outputs.release_created }} - steps: - - name: Create release tag - id: tag - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 - - id: release-flag - run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT - - publish-package: - needs: tag-new-version - if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} - runs-on: ubuntu-latest - name: Publish package - strategy: - matrix: - flavor: [upstream, registry1, unicorn] - - permissions: write-all - - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - - name: Publish Package - run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }} --no-progress - - - name: Save logs - if: always() - uses: defenseunicorns/uds-common/.github/actions/save-logs@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - suffix: '${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}' diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index eade696..5c59eea 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -34,12 +34,11 @@ permissions: packages: read jobs: - flavor-test: - name: Test-Flavor + check-flavor: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: test-flavor uses: defenseunicorns/uds-common/.github/actions/test-flavor@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 
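Review bot: The checkout pin moves backwards from `eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1` to `d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0`, while the other workflows touched in this commit keep or delete v4.2.1; a downgrade of a SHA-pinned action inside a refactor that otherwise only swaps to callables looks unintended. Restore `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1` unless there is a known reason for v4.2.0, in which case that reason belongs in a comment on the line. The `check-flavor` job continues past the end of this hunk.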
@@ -47,104 +46,17 @@ jobs: outputs: upgrade-flavors: ${{ steps.test-flavor.outputs.upgrade-flavors }} - deploy-test: - # TODO: need to fix how actions work in uds-common before this can be used - # needs: flavor-test - # permissions: write-all - # uses: defenseunicorns/uds-common/.github/workflows/test-deploy.yaml@callable_workflow_fix #@24c8a2a48eeb33773b76b3587c489cb17496c9e0 # v0.12.0 - # with: - # upgrade-flavors: ${{ needs.flavor-test.outputs.upgrade-flavors }} - # flavor: ${{ matrix.flavor }} - # type: ${{ matrix.type }} - # runs-on: ubuntu-latest - # clean-runner: false - # upload-reports: playwright - # timeout: 25 - # secrets: inherit # Inherits all secrets from the parent workflow. - # strategy: - # fail-fast: true - # matrix: - # type: [install, upgrade] - # flavor: [upstream, registry1, unicorn] - - - name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: ubuntu-latest - timeout-minutes: 25 + validate: + needs: check-flavor strategy: fail-fast: false matrix: - flavor: [upstream, registry1, unicorn] type: [install, upgrade] - - steps: - - name: Checkout repository - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - - name: Playwright setup - uses: defenseunicorns/uds-common/.github/actions/playwright@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - - - name: Test - uses: defenseunicorns/uds-common/.github/actions/test-deploy@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - upgrade-flavors: ${{ needs.flavor-test.outputs.upgrade-flavors }} - flavor: ${{ matrix.flavor }} - type: ${{ matrix.type }} - - - name: Save logs - if: always() - uses: 
defenseunicorns/uds-common/.github/actions/save-logs@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 - with: - suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }} - - - name: Print cluster info - if: always() - shell: bash -e -o pipefail {0} - run: | - kubectl get nodes -o wide - - - name: Print pod info - if: always() - shell: bash -e -o pipefail {0} - run: | - kubectl get pods -A -o wide - - - name: Print service info - if: always() - shell: bash -e -o pipefail {0} - run: | - kubectl get svc -A -o wide - - - name: Print events - if: always() - shell: bash -e -o pipefail {0} - run: | - kubectl get events -A -o wide - - - name: Print Jenkins pod logs - if: always() - shell: bash -e -o pipefail {0} - run: | - kubectl logs jenkins-0 -n jenkins - - - name: Upload screenshot on failure - if: failure() - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4 - with: - name: playwright-screenshot - path: tests/screenshots/* - - - name: Upload video on failure - if: failure() - uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4 - with: - name: playwright-video - path: tests/.playwright/output/* + flavor: [upstream, unicorn, registry1] + uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }} + flavor: ${{ matrix.flavor }} + type: ${{ matrix.type }} + reports-path: "tests/.playwright/reports/" + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/tasks.yaml b/tasks.yaml index 8d20dc4..1697862 100644 --- a/tasks.yaml +++ b/tasks.yaml 
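Review bot: The replaced job had `timeout-minutes: 25` and a Jenkins-specific failure diagnostic (`kubectl logs jenkins-0 -n jenkins`); the new `validate` job cannot carry `timeout-minutes` on a `uses:` job, so the limit now depends entirely on callable-test.yaml, and a generic callable cannot know the Jenkins namespace, so that log capture is lost on failures unless the callable's `reports-path` upload covers it. Confirm callable-test.yaml sets a job timeout and consider noting above `uses:` which of the removed diagnostics it replaces. A minor consistency point: the matrix here is `flavor: [upstream, unicorn, registry1]` while ci-docs-shim.yaml and release.yaml in this commit use `[upstream, registry1, unicorn]`.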
@@ -1,97 +1,82 @@ includes: - cleanup: ./tasks/cleanup.yaml - test: ./tasks/test.yaml + - publish: ./tasks/publish.yaml - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/lint.yaml - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/pull.yaml - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/deploy.yaml - - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/upgrade.yaml - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/setup.yaml + - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/actions.yaml + - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/badge.yaml + - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/upgrade.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/compliance.yaml tasks: - name: default - description: Create K3D Cluster with UDS-Core + Jenkins + description: Create K3D Cluster with lite UDS-Core + Jenkins actions: - - task: create-jenkins-test-bundle + - task: create-dev-package - task: setup:k3d-test-cluster - # TODO: Remove pinned version after uds-common releases 0.12.1 or later - with: - version: 0.26.1 - - task: deploy:test-bundle + - task: create-deploy-test-bundle - name: default-full - description: Create K3D Cluster with UDS-Core + Jenkins + description: Create K3D Cluster with full UDS-Core + Jenkins actions: - - task: create-jenkins-test-bundle + - task: create-dev-package - task: setup:k3d-full-cluster - # TODO: Remove pinned version after uds-common releases 0.12.1 or later - with: - version: 0.26.1 - - task: deploy:test-bundle + - task: create-deploy-test-bundle - - name: create-jenkins-package - description: Create UDS Jenkins Package + - 
name: create-dev-package + description: Create the Jenkins package actions: - task: create:package with: options: "--skip-sbom" - - name: create-jenkins-test-bundle - description: Create a local UDS Jenkins bundle + - name: create-deploy-test-bundle + description: Test and validate cluster is deployed with Jenkins actions: - - task: create-jenkins-package + - task: dependencies:create - task: create:test-bundle - - - name: create-jenkins-latest-release-bundle - description: Create UDS Jenkins bundle based on the latest release - actions: - - task: pull:latest-package-release - with: - spoof_release: "true" - - task: create:test-bundle - - - name: setup-cluster - description: Setup a K3D cluster with UDS-Core-Slim - actions: - - task: setup:k3d-test-cluster - # TODO: Remove pinned version after uds-common releases 0.12.1 or later - with: - version: 0.26.1 + - task: deploy:test-bundle + - task: setup:create-doug-user + - task: test:all - name: dev - description: Create then deploy local jenkins bundle + description: Create and deploy the bundle on an existing cluster (for iteration/dev speed) actions: - - task: create-jenkins-test-bundle + - task: create-dev-package + - task: create:test-bundle - task: deploy:test-bundle -# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names +# CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names - name: test-package description: Test the Jenkins package from the current branch actions: - - task: create-jenkins-test-bundle + - task: create-dev-package - task: setup:k3d-test-cluster - # TODO: Remove pinned version after uds-common releases 0.12.1 or later - with: - version: 0.26.1 - - task: deploy:test-bundle - - task: setup:create-doug-user - - task: test:health-check - - task: test:ingress - - task: test:ui + - task: create-deploy-test-bundle + - task: compliance:validate - name: test-upgrade 
description: Test an upgrade from the latest released package to the current branch actions: - task: upgrade:create-latest-tag-bundle - task: setup:k3d-test-cluster - # TODO: Remove pinned version after uds-common releases 0.12.1 or later - with: - version: 0.26.1 - - task: deploy:test-bundle - - task: create-jenkins-test-bundle - task: deploy:test-bundle - - task: setup:create-doug-user - - task: test:health-check - - task: test:ingress - - task: test:ui + - task: compliance:validate + - task: create-dev-package + - task: create-deploy-test-bundle + - task: compliance:validate + - task: compliance:evaluate + + - name: publish-package + description: Build and publish the packages + actions: + - task: actions:determine-arch + - task: publish:build-package + - task: create-deploy-test-bundle + if: ${{ and (ne .variables.FLAVOR "upstream") (ne .variables.ARCH "arm64") }} + - task: publish:publish-package diff --git a/tasks/publish.yaml b/tasks/publish.yaml index a3ba501..45cf1a3 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml 
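Review bot: `create-deploy-test-bundle` calls `- task: dependencies:create`, but the `includes:` list at the top of this hunk has no `dependencies` entry (cleanup, test, publish, create, lint, pull, deploy, setup, actions, badge, upgrade, compliance), and the tasks/publish.yaml hunk below removes the only `dependencies: ./dependencies.yaml` include in the diff; unless that include lives somewhere not shown, every task path through `create-deploy-test-bundle` (default, test-package, test-upgrade, publish-package) will fail to resolve it. If the file still exists, add `- dependencies: ./tasks/dependencies.yaml` to `includes:`, otherwise drop the task reference. In `publish-package`, the `if:` on `create-deploy-test-bundle` skips the deploy test for the `upstream` flavor on every arch; if that is deliberate because upstream is covered by PR CI, a comment on the `if:` line would prevent it being read as an inverted condition.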
@@ -1,39 +1,20 @@ includes: - - dependencies: ./dependencies.yaml + - test: ./test.yaml - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/deploy.yaml - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/publish.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/setup.yaml tasks: - - name: package - description: Build and publish the packages + - name: build-package + description: Build package actions: - - description: Create the AMD64 package - task: create:package - with: - architecture: amd64 - - - description: Publish the packages - task: publish:package - with: - # x-release-please-start-version - version: "5.6.1-uds.0" - # x-release-please-end + - task: create:package - - name: test-bundle - description: Build and publish the test bundles + - name: publish-package + description: Publish the packages actions: - - description: Create the AMD64 deps package - task: dependencies:create - with: - architecture: amd64 - - - description: Create the AMD64 bundle - task: create:test-bundle - with: - architecture: amd64 - - - description: Publish the bundles - task: publish:test-bundle + - task: publish:package with: # x-release-please-start-version version: "5.6.1-uds.0" diff --git a/tasks/test.yaml b/tasks/test.yaml index dfe00c3..4a5c68d 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,4 +1,10 @@ tasks: + - name: all + actions: + - task: health-check + - task: ingress + - task: ui + - name: health-check actions: - description: Jenkins StatefulSet Health Check
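Review bot: The `test`, `deploy` and `setup` includes added at the top of tasks/publish.yaml are not referenced by either task in the file (`build-package` uses only `create:package`, `publish-package` only `publish:package`), so they are dead weight that also pulls three remote files on every run; remove them or add a comment naming the task that will use them. `build-package` also drops the explicit `architecture: amd64` that the old `package` task passed to `create:package`; presumably `actions:determine-arch` in tasks.yaml now supplies the arch variable — a comment such as `# architecture comes from actions:determine-arch (see tasks.yaml publish-package)` above the `create:package` line would make that dependency visible here.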