From ca1d58a7e3857a34e7adc7d3971244539e8fa74b Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 14 Mar 2024 10:57:41 +0000 Subject: [PATCH] Align files --- .github/workflows/pre_commit_go.yaml | 26 +++ .../zz_generated.add-team-labels.yaml | 53 +++++ .../zz_generated.add-to-project-board.yaml | 89 ++++++++ .../zz_generated.check_values_schema.yaml | 69 +++--- .../zz_generated.create_release.yaml | 82 +++---- .../zz_generated.create_release_pr.yaml | 78 ++++--- .github/workflows/zz_generated.gitleaks.yaml | 6 +- .../zz_generated.run_ossf_scorecard.yaml | 78 +++++++ .pre-commit-config.yaml | 6 +- CODEOWNERS | 2 + DCO | 36 ++++ LICENSE | 201 ++++++++++++++++++ Makefile | 134 +----------- Makefile.gen.app.mk | 46 ++++ Makefile.gen.go.mk | 114 ++++++++++ SECURITY.md | 5 + 16 files changed, 792 insertions(+), 233 deletions(-) create mode 100644 .github/workflows/pre_commit_go.yaml create mode 100644 .github/workflows/zz_generated.add-team-labels.yaml create mode 100644 .github/workflows/zz_generated.add-to-project-board.yaml create mode 100644 .github/workflows/zz_generated.run_ossf_scorecard.yaml create mode 100644 CODEOWNERS create mode 100644 DCO create mode 100644 LICENSE create mode 100644 Makefile.gen.app.mk create mode 100644 Makefile.gen.go.mk create mode 100644 SECURITY.md diff --git a/.github/workflows/pre_commit_go.yaml b/.github/workflows/pre_commit_go.yaml new file mode 100644 index 0000000..f3a2896 --- /dev/null +++ b/.github/workflows/pre_commit_go.yaml 
@@ -0,0 +1,26 @@ +name: pre-commit + +on: + pull_request: + push: + branches: [main] + +jobs: + pre-commit: + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 + - uses: actions/setup-go@v3 + with: + go-version: "1.21" + - name: Install goimports + run: | + go install golang.org/x/tools/cmd/goimports@latest + - name: Install golangci-lint + env: + GOLANGCI_LINT_VERSION: "v1.54.2" + run: | + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | \ + sudo sh -s -- -b $GOPATH/bin ${GOLANGCI_LINT_VERSION} + - uses: pre-commit/action@v3.0.0 diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml new file mode 100644 index 0000000..97ba2ae --- /dev/null +++ b/.github/workflows/zz_generated.add-team-labels.yaml 
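Review bot: The `Install golangci-lint` step pipes `install.sh` from the mutable `master` branch of golangci/golangci-lint into `sudo sh`, so any change to that script runs as root on every pull request even though the binary version is pinned via `GOLANGCI_LINT_VERSION`. Fetch the installer from the same pinned ref, e.g. `curl -sSfL "https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh" | sh -s -- -b "$(go env GOPATH)/bin" "${GOLANGCI_LINT_VERSION}"`, which also drops `sudo` and avoids relying on `$GOPATH` being exported on the runner (it may be empty, in which case the binary lands in `/bin`). `goimports@latest` is likewise unpinned and should get a tagged version. The workflow declares no `permissions:`; since it only reads the checkout, add `permissions: contents: read` at the top so the default token is not writable if a hook or action is compromised.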
@@ -0,0 +1,53 @@ +name: Add appropriate labels to issue + +on: + issues: + types: [assigned] + +jobs: + build_user_list: + name: Get yaml config of GS users + runs-on: ubuntu-latest + steps: + - name: Get user-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/users.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: users + path: artifacts/users.yaml + retention-days: 1 + + add_label: + name: Add team label when assigned + runs-on: ubuntu-latest + needs: build_user_list + steps: + - uses: actions/download-artifact@v4 + id: download-users + with: + name: users + - name: Find team label based on user names + run: | + event_assignee=$(cat $GITHUB_EVENT_PATH | jq -r .assignee.login | tr '[:upper:]' '[:lower:]') + echo "Issue assigned to: ${event_assignee}" + + TEAMS=$(cat ${{steps.download-users.outputs.download-path}}/users.yaml | tr '[:upper:]' '[:lower:]' | yq ".${event_assignee}.teams" -o csv | tr ',' ' ') + + echo "LABEL<> $GITHUB_ENV + for team in ${TEAMS}; do + echo "Team: ${team} | Label: team/${team}" + echo "team/${team}" >> $GITHUB_ENV + done + echo "EOF" >> $GITHUB_ENV + - name: Apply label to issue + if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }} + uses: actions-ecosystem/action-add-labels@v1 + with: + github_token: ${{ secrets.ISSUE_AUTOMATION }} + labels: | + ${{ env.LABEL }} diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml new file mode 100644 index 0000000..32176b1 --- /dev/null +++ b/.github/workflows/zz_generated.add-to-project-board.yaml 
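Review bot: The assignee login is spliced unquoted into the yq path in `yq ".${event_assignee}.teams"`, whereas the sibling add-to-project-board workflow in this same commit quotes the looked-up key; GitHub logins can contain hyphens, which a bare yq path will most likely not parse as a single key, so the lookup silently returns null and no label is applied. Use the quoted form, `yq ".[\"${event_assignee}\"].teams" -o csv`, to match the other workflow. `actions-ecosystem/action-add-labels@v1` is a third-party action that receives the `ISSUE_AUTOMATION` PAT; pin it by commit SHA rather than a floating major tag. There is also no top-level `permissions:` block; the jobs never use `GITHUB_TOKEN`, so `permissions: {}` (or `contents: read`) costs nothing and removes the default write token from the runner.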
@@ -0,0 +1,89 @@ +name: Add Issue to Project when assigned + +on: + issues: + types: + - assigned + - labeled + +jobs: + build_user_list: + name: Get yaml config of GS users + runs-on: ubuntu-latest + steps: + - name: Get user-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/users.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: users + path: artifacts/users.yaml + retention-days: 1 + - name: Get label-mapping + run: | + mkdir -p artifacts + wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ + -O artifacts/labels.yaml \ + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: labels + path: artifacts/labels.yaml + retention-days: 1 + + add_to_personal_board: + name: Add issue to personal board + runs-on: ubuntu-latest + needs: build_user_list + if: github.event.action == 'assigned' + steps: + - uses: actions/download-artifact@v4 + id: download-users + with: + name: users + - name: Find personal board based on user names + run: | + event_assignee=$(cat $GITHUB_EVENT_PATH | jq -r .assignee.login | tr '[:upper:]' '[:lower:]') + echo "Issue assigned to: ${event_assignee}" + + BOARD=($(cat ${{steps.download-users.outputs.download-path}}/users.yaml | tr '[:upper:]' '[:lower:]' | yq ".${event_assignee}.personalboard")) + echo "Personal board URL: ${BOARD}" + + echo "BOARD=${BOARD}" >> $GITHUB_ENV + - name: Add issue to personal board + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} + uses: actions/add-to-project@main + with: + project-url: ${{ env.BOARD }} + github-token: ${{ secrets.ISSUE_AUTOMATION }} + + add_to_team_board: + name: Add issue to team board + runs-on: ubuntu-latest + needs: 
build_user_list + if: github.event.action == 'labeled' + steps: + - uses: actions/download-artifact@v4 + id: download-labels + with: + name: labels + - name: Find team board based on label + run: | + event_label=$(cat $GITHUB_EVENT_PATH | jq -r .label.name | tr '[:upper:]' '[:lower:]') + echo "Issue labelled with: ${event_label}" + + BOARD=($(cat ${{steps.download-labels.outputs.download-path}}/labels.yaml | tr '[:upper:]' '[:lower:]' | yq ".[\"${event_label}\"].projectboard")) + echo "Team board URL: ${BOARD}" + + echo "BOARD=${BOARD}" >> $GITHUB_ENV + - name: Add issue to team board + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} + uses: actions/add-to-project@main + with: + project-url: ${{ env.BOARD }} + github-token: ${{ secrets.ISSUE_AUTOMATION }} diff --git a/.github/workflows/zz_generated.check_values_schema.yaml b/.github/workflows/zz_generated.check_values_schema.yaml index 03f532f..32b4dae 100644 --- a/.github/workflows/zz_generated.check_values_schema.yaml +++ b/.github/workflows/zz_generated.check_values_schema.yaml 
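Review bot: Both board jobs run `uses: actions/add-to-project@main` and hand it `secrets.ISSUE_AUTOMATION`, a PAT that evidently has read access to the private giantswarm/github repo and write access to project boards, so whatever is on that branch at run time executes with a long-lived cross-repo credential. Pin the action to a released tag or, better, a commit SHA with the version in a trailing comment, as the OSSF scorecard workflow added in this same commit does for its actions. The label name is interpolated into the yq expression as `.[\"${event_label}\"]`; a label containing a double quote would break the expression (a failed step rather than an injection, since yq is not a shell), and it may be worth noting in a comment that label names are assumed to be plain. As with the team-label workflow, a top-level `permissions: {}` would drop the unused default token.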
@@ -1,46 +1,53 @@ # DO NOT EDIT. Generated with: # -# devctl@5.8.0 +# devctl@6.21.0 # -name: 'Check if values schema file has been updated' -on: pull_request +name: 'Values and schema' +on: + pull_request: + branches: + - master + - main + paths: + - 'helm/**/values.yaml' # default helm chart values + - 'helm/**/values.schema.json' # schema + - 'helm/**/ci/ci-values.yaml' # overrides for CI (can contain required entries) + + push: {} jobs: check: - name: 'Check values.yaml and its schema in PR' + name: 'validate values.yaml against values.schema.json' runs-on: ubuntu-latest steps: - - name: 'Checkout' - uses: actions/checkout@v3 - - name: 'Check if values.schema.json was updated' - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - VALUES_FILE_CHANGED="false" - SCHEMA_FILE_CHANGED="false" - - echo "Comparing ${GITHUB_BASE_REF}...${GITHUB_HEAD_REF}" + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - changed_files=$(gh api "repos/{owner}/{repo}/compare/${GITHUB_BASE_REF}...${GITHUB_HEAD_REF}" --jq ".files[] | .filename") - - if grep -q "values.schema.json" <<< $(git ls-tree -r --name-only ${GITHUB_SHA}); then + - name: Install validator + run: | + wget -q -O ${HOME}/yajsv https://github.com/neilpa/yajsv/releases/download/v1.4.1/yajsv.linux.amd64 + chmod +x ${HOME}/yajsv - if grep -q "values.yaml" <<< "${changed_files}" ; then - VALUES_FILE_CHANGED="true" - fi + - name: 'Check if values.yaml is a valid instance of values.schema.json' + run: | + for chart_yaml in helm/*/Chart.yaml; do + helm_dir="${chart_yaml%/Chart.yaml}" - if grep -q "values.schema.json" <<< "${changed_files}" ; then - SCHEMA_FILE_CHANGED="true" + if [ ! -f ${helm_dir}/values.schema.json ]; then + echo "Skipping validation for '${helm_dir}' folder, because 'values.schema.json' does not exist..." 
+ continue fi - if [ $VALUES_FILE_CHANGED != $SCHEMA_FILE_CHANGED ]; then - echo "FAILED: values.yaml was updated but values.schema.json hasn't been regenerated" - echo "Please refer to this document: https://intranet.giantswarm.io/docs/organizational-structure/teams/cabbage/app-updates/helm-values-schema/" - exit 1 + values=${helm_dir}/values.yaml + if [ -f ${helm_dir}/ci/ci-values.yaml ]; then + # merge ci-values.yaml into values.yaml (providing required values) + echo -e "\nMerged values:\n==============" + yq '. *= load("'${helm_dir}'/ci/ci-values.yaml")' ${helm_dir}/values.yaml | tee ${helm_dir}/combined-values.yaml + echo -e "\n==============\n" + values=${helm_dir}/combined-values.yaml fi - echo "PASSED: values.yaml and values.schema.json both appear to have been updated" - exit 0 - fi - - echo "INFO: values.schema.json not present in this repo - nothing to do" + ${HOME}/yajsv -s ${helm_dir}/values.schema.json ${values} + done diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 2972a7b..81e70d8 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.8.0 +# devctl@6.21.0 # name: Create Release on: @@ -15,7 +15,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -24,7 +24,7 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: project_go_path: ${{ steps.get_project_go_path.outputs.path }} ref_version: ${{ steps.ref_version.outputs.refversion }} 
@@ -32,11 +32,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" @@ -50,10 +49,10 @@ jobs: fi version="${version#v}" # Strip "v" prefix. echo "version=\"${version}\"" - echo "::set-output name=version::${version}" + echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -63,14 +62,13 @@ jobs: path='' fi echo "path=\"$path\"" - echo "::set-output name=path::${path}" + echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi 
@@ -81,21 +79,21 @@ jobs: refversion=true fi echo "refversion =\"${refversion}\"" - echo "::set-output name=refversion::${refversion}" + echo "refversion=${refversion}" >> $GITHUB_OUTPUT update_project_go: name: Update project.go - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: ${{ needs.gather_facts.outputs.version != '' && needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }} needs: - gather_facts steps: - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v2.0.0 with: binary: "architect" - version: "6.1.0" + version: "6.14.1" - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v2.0.0 with: binary: "semver" version: "3.2.0" @@ -103,7 +101,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Update project.go id: update_project_go env: @@ -114,7 +112,7 @@ jobs: version="${{ needs.gather_facts.outputs.version }}" new_version="$(semver bump patch $version)-dev" echo "version=\"$version\" new_version=\"$new_version\"" - echo "::set-output name=new_version::${new_version}" + echo "new_version=${new_version}" >> $GITHUB_OUTPUT sed -Ei "s/(version[[:space:]]*=[[:space:]]*)\"${version}\"/\1\"${new_version}\"/" $file if git diff --exit-code $file ; then echo "error: no changes in \"$file\"" >&2 @@ -122,8 +120,8 @@ jobs: fi - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Commit changes run: | file="${{ needs.gather_facts.outputs.project_go_path }}" 
@@ -131,22 +129,31 @@ jobs: git commit -m "Bump version to ${{ steps.update_project_go.outputs.new_version }}" - name: Push changes env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" branch: "${{ github.ref }}-version-bump" run: | git push "${REMOTE_REPO}" HEAD:${{ env.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" + base: "${{ github.ref }}" + branch: "${{ github.ref }}-version-bump" + version: "${{ needs.gather_facts.outputs.version }}" + title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" + run: | + gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} + - name: Enable auto-merge for PR + env: + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ github.ref }}" branch: "${{ github.ref }}-version-bump" version: "${{ needs.gather_facts.outputs.version }}" title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | - hub pull-request -f -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }} + gh pr merge --auto --squash "${{ env.branch }}" || echo "::warning::Auto-merge not allowed. Please adjust the repository settings." create_release: name: Create release - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} @@ -154,7 +161,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go 
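Review bot: The push step now embeds a long-lived user PAT in the remote URL, `https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/...`, replacing the job-scoped `GITHUB_TOKEN`; the URL form puts the credential into git's argument list and any git error output, and a PAT has a far wider blast radius than the ephemeral token if it leaks. Since `gh` is already authenticated via `GITHUB_TOKEN` in the following steps, run `gh auth setup-git` and push to the plain `https://github.com/${{ github.repository }}.git` so the token is supplied through the credential helper instead. The `gh pr merge --auto --squash ... || echo "::warning::Auto-merge not allowed..."` guard also hides every other failure (bad token, PR not found) behind the auto-merge message; consider checking the error text before downgrading to a warning. This file is generated by devctl, so the fix belongs in the template rather than here.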
@@ -171,36 +178,35 @@ jobs: path: ./CHANGELOG.md - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create tag run: | version="${{ needs.gather_facts.outputs.version }}" git tag "v$version" ${{ github.sha }} - name: Push tag env: - REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: actions/create-release@v1 + uses: ncipollo/release-action@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: body: ${{ steps.changelog_reader.outputs.changes }} - tag_name: "v${{ needs.gather_facts.outputs.version }}" - release_name: "v${{ needs.gather_facts.outputs.version }}" + tag: "v${{ needs.gather_facts.outputs.version }}" create-release-branch: name: Create release branch - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} steps: - name: Install semver - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v2.0.0 with: binary: "semver" version: "3.0.0" @@ -208,7 +214,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 197c305..d08d72e 100644 
--- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.8.0 +# devctl@6.21.0 # name: Create Release PR on: @@ -30,7 +30,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -39,12 +39,12 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: repo_name: ${{ steps.gather_facts.outputs.repo_name }} branch: ${{ steps.gather_facts.outputs.branch }} base: ${{ steps.gather_facts.outputs.base }} - is_major: ${{ steps.gather_facts.outputs.is_major }} + needs_major_bump: ${{ steps.gather_facts.outputs.needs_major_bump }} skip: ${{ steps.pr_exists.outputs.skip }} version: ${{ steps.gather_facts.outputs.version }} steps: @@ -52,7 +52,7 @@ jobs: id: gather_facts run: | head="${{ inputs.branch || github.event.ref }}" - echo "::set-output name=branch::${head}" + echo "branch=${head}" >> $GITHUB_OUTPUT head="${head#refs/heads/}" # Strip "refs/heads/" prefix. if [[ $(echo "$head" | grep -o '#' | wc -l) -gt 1 ]]; then 
@@ -65,8 +65,20 @@ jobs: version="$(echo $head | awk -F# '{print $NF}')" if [[ $version =~ ^major|minor|patch$ ]]; then - gh auth login --with-token <<<$(echo -n ${{ secrets.GITHUB_TOKEN }}) - version_parts=($(gh api "repos/${{ github.repository }}/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')) + gh auth login --with-token <<<$(echo -n ${{ secrets.TAYLORBOT_GITHUB_ACTION }}) + gh_api_get_latest_release_version() + { + if ! version="$(gh api "repos/$1/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')" + then + case "$version" in + *Not\ Found*) echo Assuming v0.0.0, hooray first release! >&2 ; version="0 0 0" ;; + *) version="" ; return 1 ;; + esac + fi + echo "$version" + } + + version_parts=($(gh_api_get_latest_release_version "${{ github.repository }}")) version_major=${version_parts[0]} version_minor=${version_parts[1]} version_patch=${version_parts[2]} @@ -82,7 +94,9 @@ jobs: version_major=$((version_major+1)) version_minor=0 version_patch=0 - echo "::set-output name=is_major::true" + if [[ "${version_major}" != "1" ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT + fi ;; *) echo "Unknown Semver level provided" 
@@ -95,30 +109,34 @@ jobs: version_major=$(echo "${version}" | cut -d "." -f 1) version_minor=$(echo "${version}" | cut -d "." -f 2) version_patch=$(echo "${version}" | cut -d "." -f 3) - if [[ $version_minor = 0 && $version_patch = 0 ]]; then - echo "::set-output name=is_major::true" + # This will help us detect versions with suffixes as majors, i.e 3.0.0-alpha1. + # Even though it's a pre-release, it's still a major. + if [[ $version_minor = 0 && $version_patch =~ ^0.* && $version_major != 1 ]]; then + echo "needs_major_bump=true" >> $GITHUB_OUTPUT fi fi repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" echo "repo_name=\"$repo_name\" base=\"$base\" head=\"$head\" version=\"$version\"" - echo "::set-output name=repo_name::${repo_name}" - echo "::set-output name=base::${base}" - echo "::set-output name=head::${head}" - echo "::set-output name=version::${version}" + echo "repo_name=${repo_name}" >> $GITHUB_OUTPUT + echo "base=${base}" >> $GITHUB_OUTPUT + echo "head=${head}" >> $GITHUB_OUTPUT + echo "version=${version}" >> $GITHUB_OUTPUT - name: Check if PR exists id: pr_exists env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" run: | - if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} | grep -i 'state:[[:space:]]*open' >/dev/null; then - gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} - echo "::set-output name=skip::true" + head="${{ steps.gather_facts.outputs.branch }}" + branch="${head#refs/heads/}" # Strip "refs/heads/" prefix. 
+ if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then + gh pr view --repo "${{ github.repository }}" "${branch}" + echo "skip=true" >> $GITHUB_OUTPUT else - echo "::set-output name=skip::false" + echo "skip=false" >> $GITHUB_OUTPUT fi create_release_pr: name: Create release PR - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.skip != 'true' }} @@ -129,12 +147,12 @@ jobs: with: go-version: '=1.18.1' - name: Install architect - uses: giantswarm/install-binary-action@v1.0.0 + uses: giantswarm/install-binary-action@v2.0.0 with: binary: "architect" - version: "6.1.0" + version: "6.11.0" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes @@ -184,14 +202,14 @@ jobs: - name: Bump go module defined in go.mod if needed run: | - if [ "${{ needs.gather_facts.outputs.is_major }}" = true ] && test -f "go.mod"; then - go install github.com/marwan-at-work/mod/cmd/mod@v0.4.2 + if [ "${{ needs.gather_facts.outputs.needs_major_bump }}" = true ] && test -f "go.mod"; then + go install github.com/marwan-at-work/mod/cmd/mod@v0.5.0 mod upgrade fi - name: Set up git identity run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "dev@giantswarm.io" + git config --local user.name "taylorbot" - name: Create release commit env: version: "${{ needs.gather_facts.outputs.version }}" 
@@ -200,13 +218,13 @@ jobs: git commit -m "Release v${{ env.version }}" - name: Push changes env: - remote_repo: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" + remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git" run: | git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }} - name: Create PR env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} + gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch }}" diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index 89ffd13..057a4e7 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.8.0 +# devctl@6.21.0 # name: gitleaks @@ -10,8 +10,8 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: '0' - name: gitleaks-action - uses: zricethezav/gitleaks-action@v1.6.0 + uses: giantswarm/gitleaks-action@main diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 0000000..bfea0f8 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml 
@@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.21.0 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.3.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3 + with: + sarif_file: results.sarif diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index aead1ec..7110aba 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,7 +8,7 @@ repos: args: [ --format=json ] - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.5.0 hooks: - id: check-added-large-files # check for unresolved merge conflicts @@ -20,7 +20,7 @@ repos: - id: trailing-whitespace - repo: https://github.com/dnephin/pre-commit-golang - rev: v0.5.0 + rev: v0.5.1 hooks: - id: go-fmt - id: go-mod-tidy @@ -28,4 +28,4 @@ repos: # timeout is needed for CI args: [ -E, gosec, -E, goconst, -E, govet, --timeout, 300s ] - id: go-imports - args: [ -local, github.com/giantswarm/template-operator ] + args: [ -local, github.com/giantswarm/aws-crossplane-cluster-config-operator ] diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000..bd96d49 --- /dev/null +++ b/CODEOWNERS 
@@ -0,0 +1,2 @@ +# generated by giantswarm/github actions - changes will be overwritten +* @giantswarm/team-phoenix diff --git a/DCO b/DCO new file mode 100644 index 0000000..716561d --- /dev/null +++ b/DCO @@ -0,0 +1,36 @@ +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +660 York Street, Suite 102, +San Francisco, CA 94110 USA + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..93a6674 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016 - 2024 Giant Swarm GmbH + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile index d2685bc..8835dd6 100644 --- a/Makefile +++ b/Makefile 
@@ -1,24 +1,9 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.21.0 +# -# Image URL to use all building/pushing image targets -IMG ?= quay.io/giantswarm/aws-crossplane-cluster-config-operator:latest -# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. -ENVTEST_K8S_VERSION = 1.23 - -# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) -ifeq (,$(shell go env GOBIN)) -GOBIN=$(shell go env GOPATH)/bin -else -GOBIN=$(shell go env GOBIN) -endif - -# Setting SHELL to bash allows bash commands to be executed by recipes. -# This is a requirement for 'setup-envtest.sh' in the test target. -# Options are set to exit when a recipe line exits non-zero or a piped command fails. -SHELL = /usr/bin/env bash -o pipefail -.SHELLFLAGS = -ec - -.PHONY: all -all: build +include Makefile.*.mk ##@ General 
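Review bot: The strict recipe shell is dropped in this hunk (`SHELL = /usr/bin/env bash -o pipefail` and `.SHELLFLAGS = -ec` are removed, and neither the new header nor the included `Makefile.gen.app.mk`/`Makefile.gen.go.mk` re-establishes them), so every recipe line now runs under plain `sh -c` with no `pipefail`; the `nancy` target in `Makefile.gen.go.mk` pipes `go list -json -deps ./...` into `nancy sleuth`, and a failing `go list` only fails that target if nancy itself rejects the truncated input. I'd keep the settings ahead of the include: `SHELL := /usr/bin/env bash` and `.SHELLFLAGS := -eo pipefail -c`, followed by `include Makefile.*.mk`. The file is marked "DO NOT EDIT" and generated by devctl@6.21.0, so the change belongs in that template rather than in this repository alone. Also worth a glance: `include Makefile.*.mk` is a glob, so any `Makefile.<name>.mk` that lands in the checkout is parsed and executed on every make invocation.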
@@ -35,111 +20,4 @@ all: build .PHONY: help help: ## Display this help. - @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) - -##@ Development - -.PHONY: fmt -fmt: ## Run go fmt against code. - go fmt ./... - -.PHONY: vet -vet: ## Run go vet against code. - go vet ./... - -.PHONY: test -test: fmt vet envtest ## Run tests. - KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out - -##@ Build - -.PHONY: build -build: fmt vet ## Build manager binary. - go build -o bin/manager main.go - -.PHONY: run -run: fmt vet ## Run a controller from your host. - go run ./main.go - -.PHONY: docker-build -docker-build: test ## Build docker image with the manager. - docker build -t ${IMG} . - -.PHONY: docker-push -docker-push: ## Push docker image with the manager. - docker push ${IMG} - -##@ Deployment - -ifndef ignore-not-found - ignore-not-found = false -endif - -.PHONY: install -install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. - $(KUSTOMIZE) build config/crd | kubectl apply -f - - -.PHONY: uninstall -uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - $(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f - - -.PHONY: render -render: architect - mkdir -p $(shell pwd)/helm/rendered - cp -r $(shell pwd)/helm/aws-crossplane-cluster-config-operator $(shell pwd)/helm/rendered/ - $(ARCHITECT) helm template --dir $(shell pwd)/helm/rendered/aws-crossplane-cluster-config-operator - -.PHONY: deploy -deploy: render ## Deploy controller to the K8s cluster specified in ~/.kube/config. 
- KUBECONFIG=$(KUBECONFIG) helm upgrade --install \ - --namespace giantswarm \ - --set image.tag=latest \ - --set image.pullPolicy=Always \ - --set managementClusterRole="giantswarm-snail-capa-controller" \ - --set baseDomain="gaws.gigantic.io" \ - --wait \ - aws-crossplane-cluster-config-operator helm/rendered/aws-crossplane-cluster-config-operator - -.PHONY: undeploy -undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. - KUBECONFIG="$(KUBECONFIG)" helm uninstall \ - --namespace giantswarm \ - aws-crossplane-cluster-config-operator - - -##@ Build Dependencies - -## Location to install dependencies to -LOCALBIN ?= $(shell pwd)/bin -$(LOCALBIN): - mkdir -p $(LOCALBIN) - -## Tool Binaries -KUSTOMIZE ?= $(LOCALBIN)/kustomize -CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen -ENVTEST ?= $(LOCALBIN)/setup-envtest - -## Tool Versions -KUSTOMIZE_VERSION ?= v3.8.7 -CONTROLLER_TOOLS_VERSION ?= v0.8.0 - -KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" -.PHONY: kustomize -kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. -$(KUSTOMIZE): $(LOCALBIN) - curl -s $(KUSTOMIZE_INSTALL_SCRIPT) | bash -s -- $(subst v,,$(KUSTOMIZE_VERSION)) $(LOCALBIN) - -.PHONY: controller-gen -controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. -$(CONTROLLER_GEN): $(LOCALBIN) - GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) - -.PHONY: envtest -envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. -$(ENVTEST): $(LOCALBIN) - GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest - -ARCHITECT = $(LOCALBIN)/architect -.PHONY: architect -architect: ## Download architect locally if necessary. 
- GOBIN=$(LOCALBIN) go install github.com/giantswarm/architect@latest + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z%\\\/_0-9-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) diff --git a/Makefile.gen.app.mk b/Makefile.gen.app.mk new file mode 100644 index 0000000..9909aa1 --- /dev/null +++ b/Makefile.gen.app.mk 
@@ -0,0 +1,46 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.21.0 +# + +##@ App + +YQ=docker run --rm -u $$(id -u) -v $${PWD}:/workdir mikefarah/yq:4.29.2 +HELM_DOCS=docker run --rm -u $$(id -u) -v $${PWD}:/helm-docs jnorwood/helm-docs:v1.11.0 + +ifdef APPLICATION +DEPS := $(shell find $(APPLICATION)/charts -maxdepth 2 -name "Chart.yaml" -printf "%h\n") +endif + +.PHONY: lint-chart check-env update-chart helm-docs update-deps $(DEPS) + +lint-chart: IMAGE := giantswarm/helm-chart-testing:v3.0.0-rc.1 +lint-chart: check-env ## Runs ct against the default chart. + @echo "====> $@" + rm -rf /tmp/$(APPLICATION)-test + mkdir -p /tmp/$(APPLICATION)-test/helm + cp -a ./helm/$(APPLICATION) /tmp/$(APPLICATION)-test/helm/ + architect helm template --dir /tmp/$(APPLICATION)-test/helm/$(APPLICATION) + docker run -it --rm -v /tmp/$(APPLICATION)-test:/wd --workdir=/wd --name ct $(IMAGE) ct lint --validate-maintainers=false --charts="helm/$(APPLICATION)" + rm -rf /tmp/$(APPLICATION)-test + +update-chart: check-env ## Sync chart with upstream repo. + @echo "====> $@" + vendir sync + $(MAKE) update-deps + +update-deps: check-env $(DEPS) ## Update Helm dependencies. + cd $(APPLICATION) && helm dependency update + +$(DEPS): check-env ## Update main Chart.yaml with new local dep versions. + dep_name=$(shell basename $@) && \ + new_version=`$(YQ) .version $(APPLICATION)/charts/$$dep_name/Chart.yaml` && \ + $(YQ) -i e "with(.dependencies[]; select(.name == \"$$dep_name\") | .version = \"$$new_version\")" $(APPLICATION)/Chart.yaml + +helm-docs: check-env ## Update $(APPLICATION) README. + $(HELM_DOCS) -c $(APPLICATION) -g $(APPLICATION) + +check-env: +ifndef APPLICATION + $(error APPLICATION is not defined) +endif diff --git a/Makefile.gen.go.mk b/Makefile.gen.go.mk new file mode 100644 index 0000000..5cb21c8 --- /dev/null +++ b/Makefile.gen.go.mk 
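Review bot: `lint-chart` stages the chart under the fixed, predictable path `/tmp/$(APPLICATION)-test`, runs `rm -rf` on it and then `cp -a` into it, so two concurrent runs on one host clobber each other and, on a shared machine, whatever another user has placed under that name in world-writable `/tmp` is removed and re-created by whoever runs `make lint-chart`; a `mktemp -d` directory avoids both. The same recipe runs `docker run -it` with a fixed `--name ct`, which fails when stdin is not a TTY (typical CI) and collides with any other container of that name. The file is generated by devctl, so the fix is for the template; a version of the recipe that uses a private temp directory, drops `-it`/`--name` and still cleans up on failure is below.
```make
lint-chart: IMAGE := giantswarm/helm-chart-testing:v3.0.0-rc.1
lint-chart: check-env ## Runs ct against the default chart.
	@echo "====> $@"
	tmpdir=$$(mktemp -d) && \
	mkdir -p "$$tmpdir/helm" && \
	cp -a ./helm/$(APPLICATION) "$$tmpdir/helm/" && \
	architect helm template --dir "$$tmpdir/helm/$(APPLICATION)" && \
	docker run --rm -v "$$tmpdir":/wd --workdir=/wd $(IMAGE) ct lint --validate-maintainers=false --charts="helm/$(APPLICATION)"; \
	rc=$$?; rm -rf "$$tmpdir"; exit $$rc
# … unchanged: update-chart, update-deps, $(DEPS), helm-docs, check-env …
```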
@@ -0,0 +1,114 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.21.0 +# + +APPLICATION := $(shell go list -m | cut -d '/' -f 3) +BUILDTIMESTAMP := $(shell date -u '+%FT%TZ') +GITSHA1 := $(shell git rev-parse --verify HEAD) +MODULE := $(shell go list -m) +OS := $(shell go env GOOS) +SOURCES := $(shell find . -name '*.go') +VERSION := $(shell architect project version) +ifeq ($(OS), linux) +EXTLDFLAGS := -static +endif +LDFLAGS ?= -w -linkmode 'auto' -extldflags '$(EXTLDFLAGS)' \ + -X '$(shell go list -m)/pkg/project.buildTimestamp=${BUILDTIMESTAMP}' \ + -X '$(shell go list -m)/pkg/project.gitSHA=${GITSHA1}' + +.DEFAULT_GOAL := build + +##@ Go + +.PHONY: build build-darwin build-darwin-64 build-linux build-linux-arm64 build-windows-amd64 +build: $(APPLICATION) ## Builds a local binary. + @echo "====> $@" +build-darwin: $(APPLICATION)-darwin ## Builds a local binary for darwin/amd64. + @echo "====> $@" +build-darwin-arm64: $(APPLICATION)-darwin-arm64 ## Builds a local binary for darwin/arm64. + @echo "====> $@" +build-linux: $(APPLICATION)-linux ## Builds a local binary for linux/amd64. + @echo "====> $@" +build-linux-arm64: $(APPLICATION)-linux-arm64 ## Builds a local binary for linux/arm64. + @echo "====> $@" +build-windows-amd64: $(APPLICATION)-windows-amd64.exe ## Builds a local binary for windows/amd64. 
+ @echo "====> $@" + +$(APPLICATION): $(APPLICATION)-v$(VERSION)-$(OS)-amd64 + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-darwin: $(APPLICATION)-v$(VERSION)-darwin-amd64 + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-darwin-arm64: $(APPLICATION)-v$(VERSION)-darwin-arm64 + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-linux: $(APPLICATION)-v$(VERSION)-linux-amd64 + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-linux-arm64: $(APPLICATION)-v$(VERSION)-linux-arm64 + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-windows-amd64.exe: $(APPLICATION)-v$(VERSION)-windows-amd64.exe + @echo "====> $@" + cp -a $< $@ + +$(APPLICATION)-v$(VERSION)-%-amd64: $(SOURCES) + @echo "====> $@" + CGO_ENABLED=0 GOOS=$* GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o $@ . + +$(APPLICATION)-v$(VERSION)-%-arm64: $(SOURCES) + @echo "====> $@" + CGO_ENABLED=0 GOOS=$* GOARCH=arm64 go build -ldflags "$(LDFLAGS)" -o $@ . + +$(APPLICATION)-v$(VERSION)-windows-amd64.exe: $(SOURCES) + @echo "====> $@" + CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "$(LDFLAGS)" -o $@ . + +.PHONY: install +install: ## Install the application. + @echo "====> $@" + go install -ldflags "$(LDFLAGS)" . + +.PHONY: run +run: ## Runs go run main.go. + @echo "====> $@" + go run -ldflags "$(LDFLAGS)" -race . + +.PHONY: clean +clean: ## Cleans the binary. + @echo "====> $@" + rm -f $(APPLICATION)* + go clean + +.PHONY: imports +imports: ## Runs goimports. + @echo "====> $@" + goimports -local $(MODULE) -w . + +.PHONY: lint +lint: ## Runs golangci-lint. + @echo "====> $@" + golangci-lint run -E gosec -E goconst --timeout=15m ./... + +.PHONY: nancy +nancy: ## Runs nancy (requires v1.0.37 or newer). + @echo "====> $@" + CGO_ENABLED=0 go list -json -deps ./... | nancy sleuth --skip-update-check --quiet --exclude-vulnerability-file ./.nancy-ignore --additional-exclude-vulnerability-files ./.nancy-ignore.generated + +.PHONY: test +test: ## Runs go test with default values. 
+ @echo "====> $@" + go test -ldflags "$(LDFLAGS)" -race ./... + +.PHONY: build-docker +build-docker: build-linux ## Builds docker image to registry. + @echo "====> $@" + cp -a $(APPLICATION)-linux $(APPLICATION) + docker build -t ${APPLICATION}:${VERSION} . diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..060f6b5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Security Policy + +## Reporting a Vulnerability + +Please visit https://www.giantswarm.io/responsible-disclosure for information on reporting security issues.
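Review bot: `clean` runs `rm -f $(APPLICATION)*` in the repository root, and `APPLICATION` is derived at parse time as `$(shell go list -m | cut -d '/' -f 3)`; when `go list -m` fails (no Go toolchain, invoked outside the module) or the module path has fewer than three slash-separated segments, `APPLICATION` is empty and `make clean` becomes `rm -f *`, deleting every regular file at the top of the checkout. A parse-time guard right after the assignment prevents that: `ifeq ($(strip $(APPLICATION)),)`, `$(error APPLICATION could not be derived from 'go list -m')`, `endif`. `VERSION := $(shell architect project version)` has the same silent-empty failure mode (artefacts named `$(APPLICATION)-v--linux-amd64` when architect is missing) and deserves the same check. As the file is generated by devctl@6.21.0, the guard belongs in that template.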