diff --git a/.circleci/config.yml b/.circleci/config.yml index 767fa7f5e..5f17ca7eb 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2.1 orbs: - architect: giantswarm/architect@4.29.0 + architect: giantswarm/architect@5.1.1 workflows: build: @@ -14,24 +14,9 @@ workflows: tags: only: /^v.*/ - - architect/push-to-docker: + - architect/push-to-registries: context: architect - name: push-cluster-operator-to-quay - image: "quay.io/giantswarm/cluster-operator" - username_envar: "QUAY_USERNAME" - password_envar: "QUAY_PASSWORD" - requires: - - go-build - filters: - tags: - only: /^v.*/ - - - architect/push-to-docker: - context: architect - name: push-cluster-operator-to-aliyun - image: "giantswarm-registry.cn-shanghai.cr.aliyuncs.com/giantswarm/cluster-operator" - username_envar: "ALIYUN_USERNAME" - password_envar: "ALIYUN_PASSWORD" + name: push-to-registries requires: - go-build filters: @@ -45,7 +30,7 @@ workflows: app_catalog_test: "control-plane-test-catalog" chart: "cluster-operator" requires: - - push-cluster-operator-to-quay + - push-to-registries filters: tags: only: /^v.*/ diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..925c90050 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,3 @@ +## Checklist + +- [ ] Update changelog in CHANGELOG.md. diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml index 9e96e1d5d..97ba2aed3 100644 --- a/.github/workflows/zz_generated.add-team-labels.yaml +++ b/.github/workflows/zz_generated.add-team-labels.yaml 
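Review bot: The new `architect/push-to-registries` job no longer states which registries it pushes to or which credentials it consumes; the removed jobs spelled out `image`, `username_envar` and `password_envar`, and now all of that is implied by orb `giantswarm/architect@5.1.1` and the `architect` context. If the orb's default registry list does not include the Aliyun registry, the `giantswarm-registry.cn-shanghai.cr.aliyuncs.com` push is silently dropped by this change, which is worth confirming before merge. A one-line comment above the job would keep the dependency visible to whoever rotates the credentials, e.g. `# Registry targets and credentials come from the architect orb defaults and the architect context; see the orb's push-to-registries docs.` The job's `filters` mapping continues past the end of the hunk.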
@@ -14,9 +14,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/users.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest needs: build_user_list steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -45,7 +45,7 @@ jobs: done echo "EOF" >> $GITHUB_ENV - name: Apply label to issue - if: ${{ env.LABEL != '' }} + if: ${{ env.LABEL != '' && env.LABEL != 'null' && env.LABEL != null }} uses: actions-ecosystem/action-add-labels@v1 with: github_token: ${{ secrets.ISSUE_AUTOMATION }} diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml index 0392ed51f..32176b159 100644 --- a/.github/workflows/zz_generated.add-to-project-board.yaml +++ b/.github/workflows/zz_generated.add-to-project-board.yaml @@ -16,9 +16,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/users.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/user-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml 
@@ -28,9 +28,9 @@ jobs: mkdir -p artifacts wget --header "Authorization: token ${{ secrets.ISSUE_AUTOMATION }}" \ -O artifacts/labels.yaml \ - https://raw.githubusercontent.com/giantswarm/github/master/tools/issue-automation/label-mapping.yaml + https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: labels path: artifacts/labels.yaml @@ -42,7 +42,7 @@ jobs: needs: build_user_list if: github.event.action == 'assigned' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -56,7 +56,7 @@ jobs: echo "BOARD=${BOARD}" >> $GITHUB_ENV - name: Add issue to personal board - if: ${{ env.BOARD != 'null' && env.BOARD != '' }} + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} uses: actions/add-to-project@main with: project-url: ${{ env.BOARD }} @@ -68,7 +68,7 @@ jobs: needs: build_user_list if: github.event.action == 'labeled' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-labels with: name: labels @@ -82,7 +82,7 @@ jobs: echo "BOARD=${BOARD}" >> $GITHUB_ENV - name: Add issue to team board - if: ${{ env.BOARD != 'null' && env.BOARD != '' }} + if: ${{ env.BOARD != 'null' && env.BOARD != '' && env.BOARD != null }} uses: actions/add-to-project@main with: project-url: ${{ env.BOARD }} diff --git a/.github/workflows/zz_generated.check_values_schema.yaml b/.github/workflows/zz_generated.check_values_schema.yaml index 014024dff..b6df649e5 100644 --- a/.github/workflows/zz_generated.check_values_schema.yaml +++ b/.github/workflows/zz_generated.check_values_schema.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.24.0 +# devctl@6.23.3 # name: 'Values and schema' on: 
@@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 @@ -34,6 +34,12 @@ jobs: run: | for chart_yaml in helm/*/Chart.yaml; do helm_dir="${chart_yaml%/Chart.yaml}" + + if [ ! -f ${helm_dir}/values.schema.json ]; then + echo "Skipping validation for '${helm_dir}' folder, because 'values.schema.json' does not exist..." + continue + fi + values=${helm_dir}/values.yaml if [ -f ${helm_dir}/ci/ci-values.yaml ]; then # merge ci-values.yaml into values.yaml (providing required values) diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 99146b0ba..07b7f5ed9 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.24.0 +# devctl@6.23.3 # name: Create Release on: @@ -15,7 +15,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | @@ -24,7 +24,7 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: project_go_path: ${{ steps.get_project_go_path.outputs.path }} ref_version: ${{ steps.ref_version.outputs.refversion }} @@ -32,11 +32,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" 
@@ -53,7 +52,7 @@ jobs: echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -66,11 +65,10 @@ jobs: echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi @@ -84,18 +82,18 @@ jobs: echo "refversion=${refversion}" >> $GITHUB_OUTPUT update_project_go: name: Update project.go - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: ${{ needs.gather_facts.outputs.version != '' && needs.gather_facts.outputs.project_go_path != '' && needs.gather_facts.outputs.ref_version != 'true' }} needs: - gather_facts steps: - name: Install architect - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" - version: "6.11.0" + version: "6.14.1" - name: Install semver - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.2.0" @@ -103,7 +101,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Update project.go id: update_project_go env: 
@@ -143,10 +141,19 @@ jobs: version: "${{ needs.gather_facts.outputs.version }}" title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | - hub pull-request -f -m "${{ env.title }}" -b ${{ env.base }} -h ${{ env.branch }} -r ${{ github.actor }} + gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} + - name: Enable auto-merge for PR + env: + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" + base: "${{ github.ref }}" + branch: "${{ github.ref }}-version-bump" + version: "${{ needs.gather_facts.outputs.version }}" + title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" + run: | + gh pr merge --auto --squash "${{ env.branch }}" || echo "::warning::Auto-merge not allowed. Please adjust the repository settings." create_release: name: Create release - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} @@ -154,7 +161,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go @@ -165,7 +172,7 @@ jobs: grep -qE "version[[:space:]]*=[[:space:]]*\"$version\"" $file - name: Get Changelog Entry id: changelog_reader - uses: mindsers/changelog-reader-action@v2 + uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 with: version: ${{ needs.gather_facts.outputs.version }} path: ./CHANGELOG.md 
@@ -184,23 +191,22 @@ jobs: git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: actions/create-release@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 env: GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: body: ${{ steps.changelog_reader.outputs.changes }} - tag_name: "v${{ needs.gather_facts.outputs.version }}" - release_name: "v${{ needs.gather_facts.outputs.version }}" + tag: "v${{ needs.gather_facts.outputs.version }}" create-release-branch: name: Create release branch - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.version }} steps: - name: Install semver - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.0.0" @@ -208,7 +214,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index a0d4dd34e..4c60aeeac 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.24.0 +# devctl@6.23.3 # name: Create Release PR on: @@ -30,7 +30,7 @@ on: jobs: debug_info: name: Debug info - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Print github context JSON run: | 
@@ -39,7 +39,7 @@ jobs: EOF gather_facts: name: Gather facts - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: repo_name: ${{ steps.gather_facts.outputs.repo_name }} branch: ${{ steps.gather_facts.outputs.branch }} @@ -136,23 +136,23 @@ jobs: fi create_release_pr: name: Create release PR - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - gather_facts if: ${{ needs.gather_facts.outputs.skip != 'true' }} env: architect_flags: "--organisation ${{ github.repository_owner }} --project ${{ needs.gather_facts.outputs.repo_name }}" steps: - - uses: actions/setup-go@v3 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: '=1.18.1' - name: Install architect - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" version: "6.11.0" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes @@ -227,4 +227,4 @@ jobs: base: "${{ needs.gather_facts.outputs.base }}" version: "${{ needs.gather_facts.outputs.version }}" run: | - hub pull-request -f -m "Release v${{ env.version }}" -a ${{ github.actor }} -b ${{ env.base }} -h ${{ needs.gather_facts.outputs.branch }} + gh pr create --assignee ${{ github.actor }} --title "Release v${{ env.version }}" --body "" --base ${{ env.base }} --head "${{ needs.gather_facts.outputs.branch }}" diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index b60a8d2d5..9e8628b74 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@5.24.0 +# devctl@6.23.3 # name: gitleaks 
@@ -10,8 +10,8 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: '0' - name: gitleaks-action - uses: zricethezav/gitleaks-action@v1.6.0 + uses: giantswarm/gitleaks-action@main diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 000000000..43efbeb69 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml 
@@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.23.3 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif diff --git a/.nancy-ignore b/.nancy-ignore index 4ae9023cb..26fe05e4b 100644 --- a/.nancy-ignore +++ b/.nancy-ignore @@ -15,3 +15,12 @@ sonatype-2022-5436 CVE-2021-41803 sonatype-2022-6522 CVE-2020-8561 + +CVE-2024-24786 +CVE-2023-32731 +CVE-2023-3978 +CVE-2023-39325 +CVE-2023-47108 +CVE-2023-47090 +CVE-2023-29401 +CVE-2023-26125 diff --git a/CHANGELOG.md b/CHANGELOG.md index 67d0c95c5..4e473bb17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- Add global.podSecurityStandards.enforced value for PSS migration. + ## [5.6.1] - 2023-05-03 ### Fixed diff --git a/helm/cluster-operator/templates/psp.yaml b/helm/cluster-operator/templates/psp.yaml index b8ba19cab..6fd662458 100644 --- a/helm/cluster-operator/templates/psp.yaml +++ b/helm/cluster-operator/templates/psp.yaml 
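Review bot: The eight added ignores (CVE-2024-24786 through CVE-2023-26125) carry no rationale and no expiry, so each suppression is permanent and nobody can tell later whether the finding was judged unreachable or merely deferred until a dependency bump. Record the reason per entry in the PR description or CHANGELOG, and if the nancy version in use supports it, use the `until=YYYY-MM-DD` suffix so the ignore lapses and the scan re-surfaces the finding, e.g. `CVE-2023-39325 until=<review-date>`. Without that, the list only grows and the scanner's signal degrades.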
@@ -1,3 +1,4 @@ +{{- if not .Values.global.podSecurityStandards.enforced } apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -31,3 +32,4 @@ spec: hostNetwork: false hostIPC: false hostPID: false +{{- end }} diff --git a/helm/cluster-operator/templates/rbac.yaml b/helm/cluster-operator/templates/rbac.yaml index 81dc95586..224d70f50 100644 --- a/helm/cluster-operator/templates/rbac.yaml +++ b/helm/cluster-operator/templates/rbac.yaml @@ -154,6 +154,7 @@ roleRef: name: {{ include "resource.default.name" . }} apiGroup: rbac.authorization.k8s.io --- +{{- if not .Values.global.podSecurityStandards.enforced } apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -184,3 +185,4 @@ roleRef: kind: ClusterRole name: {{ include "resource.psp.name" . }} apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/helm/cluster-operator/values.schema.json b/helm/cluster-operator/values.schema.json index 8f24d78ae..dc6def811 100644 --- a/helm/cluster-operator/values.schema.json +++ b/helm/cluster-operator/values.schema.json @@ -172,6 +172,19 @@ } } } + }, + "global": { + "type": "object", + "properties": { + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" + } + } + } + } } } } diff --git a/helm/cluster-operator/values.yaml b/helm/cluster-operator/values.yaml index 74111eab8..e9a68d8af 100644 --- a/helm/cluster-operator/values.yaml +++ b/helm/cluster-operator/values.yaml @@ -71,3 +71,7 @@ podSecurityContext: securityContext: seccompProfile: type: RuntimeDefault + +global: + podSecurityStandards: + enforced: false diff --git a/pkg/project/project.go b/pkg/project/project.go index c94a10a81..fe4628c68 100644 --- a/pkg/project/project.go +++ b/pkg/project/project.go @@ -5,7 +5,8 @@ var ( gitSHA = "n/a" name = "cluster-operator" source = "https://github.com/giantswarm/cluster-operator" - version = "5.6.1" + + // version = "5.6.1" ) func Description() string { 
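Review bot: The added line closes with a single brace, `{{- if not .Values.global.podSecurityStandards.enforced }`, which the Go template parser rejects, so `helm template` and `helm install` would fail; unless this is an artifact of how the diff was captured, it should read `{{- if not .Values.global.podSecurityStandards.enforced }}`. The same single-brace line is added in the rbac.yaml hunk in this commit, while both `{{- end }}` lines are correct. Separately, the expression dereferences `.enforced` unconditionally, so a caller that nulls out `global.podSecurityStandards` gets a nil-pointer render error rather than the default; the values.yaml default covers normal installs, but a guard such as `{{- if not ((.Values.global).podSecurityStandards).enforced }}` is more forgiving if the chart is consumed as a subchart.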
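Review bot: `global.podSecurityStandards.enforced` is added to values.yaml without a comment, and its effect is only discoverable by reading templates/psp.yaml and rbac.yaml, where it gates the PodSecurityPolicy and its ClusterRole/ClusterRoleBinding. Suggest documenting it in place: `# true: the cluster enforces Pod Security Standards, so the legacy PodSecurityPolicy and its RBAC are not rendered. false: keep rendering them.` Since the PSP is `policy/v1beta1`, operators on clusters that no longer serve that API presumably must set this to true, and the comment is the natural place to say so.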
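Review bot: Commenting out `version` in the var block and hardcoding `return "5.6.1"` in `Version()` (the next hunk) detaches the reported version from the assignment the release automation keys on: the create_release workflow's "Ensure correct version in project.go" step greps for `version[[:space:]]*=[[:space:]]*\"$version\"`, which still matches the commented line, so that guard passes while the `update_project_go` job, which appears to rewrite that assignment, would change only the comment and leave `Version()` returning 5.6.1 on every future bump. Either keep `version = "5.6.1"` and `return version`, or, if freezing the version is intended, delete the commented-out line and adjust the workflow check so it fails rather than passes on a stale string. Commented-out code should not be committed in any case.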
@@ -25,5 +26,5 @@ func Source() string { } func Version() string { - return version + return "5.6.1" }