Merge branch 'master' into update-azure-sdk-libraries

.github/workflows/atlas-image-build.yaml

@@ -18,10 +18,10 @@ jobs:
     outputs:
       changed: ${{ steps.changed-files.outputs.any_changed }}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-      - uses: tj-actions/changed-files@6ee9cdc5816333acda68e01cf12eedc619e28316 # v39
+      - uses: tj-actions/changed-files@8238a4103220c636f2dad328ead8a7c8dbe316a3 # v39.2.0
         name: Get changed files
         id: changed-files
         with:

.github/workflows/dependendy-review.yml

@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v3

.github/workflows/grype-vulnerability-scanner.yaml

@@ -7,7 +7,7 @@ jobs:
       - name: Create repo directory before checking out latest code
         run: mkdir -p repo
       - name: Checkout the latest code
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           ref: master
           path: repo
@@ -51,7 +51,7 @@ jobs:
       - name: Create repo directory before checking out latest code
         run: mkdir -p repo
       - name: Checkout the latest code
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           ref: master
           path: repo

.github/workflows/main.yaml

@@ -9,19 +9,19 @@ jobs:
   gomod:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
     - run: make go-mod-tidy
     - run: make go-mod-download
     - run: tar -cvf ./src.tar.gz ./ # preserve file permissions
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: src
         path: ./src.tar.gz
   lint:
     runs-on: ubuntu-20.04
     needs: gomod
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: src
     - run: tar -xvf ./src.tar.gz
@@ -34,7 +34,7 @@ jobs:
       matrix:
         testSuite: [test, integration-test, helm-test]
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: src
     - uses: helm/[email protected]
@@ -58,7 +58,7 @@ jobs:
       matrix:
         bin: [controller, kanctl, kando]
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: src
     - run: tar -xvf ./src.tar.gz
@@ -67,7 +67,7 @@ jobs:
     runs-on: ubuntu-20.04
     needs: gomod
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: src
     - run: tar -xvf ./src.tar.gz
@@ -79,7 +79,7 @@ jobs:
     permissions:
       packages: write
     steps:
-    - uses: actions/download-artifact@v3
+    - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: src
     - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0

.github/workflows/ossf-scorecard.yml

@@ -26,7 +26,7 @@ jobs:
     steps:
       -
         name: "Checkout repo"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           persist-credentials: false
       -
@@ -39,12 +39,12 @@ jobs:
       -
         # Upload the results to GitHub's code scanning dashboard.
         name: "Upload to results to dashboard"
-        uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+        uses: github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
         with:
           sarif_file: results.sarif
       -
         name: "Upload analysis results as 'Job Artifact'"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/stale.yaml

@@ -1,3 +1,5 @@
+name: Manage Stale Issues and PRs
+
 on:
   schedule:
   - cron: "0 0 * * *"

.github/workflows/triage-issues.yaml

@@ -0,0 +1,41 @@
+name: Triage Issues
+
+on:
+  issues:
+    types:
+    - opened
+    - reopened
+
+jobs:
+  triage:
+    if: github.repository == 'kanisterio/kanister'
+    name: Triage
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+    -
+      name: Add label
+      uses: actions-ecosystem/[email protected]
+      with:
+        labels: "triage"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    -
+      name: Add comment
+      uses: actions-ecosystem/[email protected]
+      if: github.event.action == 'opened'
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        body: |
+          Thanks for opening this issue :+1:. The team will review it shortly.
+
+          If this is a bug report, make sure to include clear instructions how on to reproduce the problem with [minimal reproducible examples](https://stackoverflow.com/help/minimal-reproducible-example), where possible. If this is a security report, please review our security policy as outlined in [SECURITY.md](https://github.com/kanisterio/kanister/blob/master/SECURITY.md).
+
+          If you haven't already, please take a moment to review our project's [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
+    -
+      name: Update project
+      uses: alex-page/[email protected]
+      with:
+        repo-token: ${{ secrets.GH_TOKEN }} # must use a PAT here
+        project: Kanister
+        column: To Be Triaged

.github/workflows/triage-prs.yaml

@@ -0,0 +1,41 @@
+name: Triage
+
+on:
+  pull_request:
+    types:
+    - opened
+    - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  pull-requests-comment:
+    name: Comment and Triage
+    # The entire job is skipped for @dependabot
+    if: github.repository == 'kanisterio/kanister' && github.actor != 'dependabot[bot]'
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    -
+      name: Comment
+      uses: actions-ecosystem/[email protected]
+      # Avoid adding a comment when the PR is on the same repo.
+      if: github.event.action == 'opened' && github.event.pull_request.head.repo.fork
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        body: |
+          Thanks for submitting this pull request :tada:. The team will review it soon and get back to you.
+
+          If you haven't already, please take a moment to review our project [contributing guideline](https://github.com/kanisterio/kanister/blob/master/CONTRIBUTING.md) and [Code of Conduct](https://github.com/kanisterio/kanister/blob/master/CODE_OF_CONDUCT.md) document.
+    -
+      name: Update status in project
+      uses: alex-page/[email protected]
+      # This only works for PRs opened in the same repo and not by dependabot.
+      # Other PRs don't get the necessary credentials.
+      if: github.repository == 'kanisterio/kanister' && !github.event.pull_request.head.repo.fork
+      with:
+        repo-token: ${{ secrets.GH_TOKEN }}
+        project: Kanister
+        column: In Progress

.goreleaser.yml

@@ -63,8 +63,8 @@ dockers:
   build_flag_templates:
   - "--build-arg=kan_tools_version={{ .Tag }}"
 # Refers to https://github.com/kopia/kopia/commit/3551f743d762f2ffe669523272d1c8d734120b79
-  - "--build-arg=kopiaBuildCommit=3551f74"
-  - "--build-arg=kopiaRepoOrg=kopia"
+  - "--build-arg=kopia_build_commit=3551f74"
+  - "--build-arg=kopia_repo_org=kopia"
   extra_files:
   - 'LICENSE'
 - ids:

docker/tools/Dockerfile

@@ -1,11 +1,26 @@
 # Build Kopia binary
-FROM golang:1.19-bullseye AS builder
+FROM golang:1.21-bullseye AS builder
 
 ARG kopia_build_commit=master
 ARG kopia_repo_org=kopia
 ENV CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GO_EXTLINK_ENABLED=0
 RUN apt-get install git
 
+# Build restic binary from source - released version
+# This will allow us to bring in security fixes without relying on the official
+# image which is released once every quarter
+WORKDIR /
+
+RUN git clone https://github.com/restic/restic.git
+
+ENV GITHUB_REPOSITORY=https://github.com/restic/restic
+
+WORKDIR /restic
+
+RUN git checkout v0.16.0
+RUN go run build.go
+
+# Build kopia binary from specific commit
 WORKDIR /
 
 RUN git clone https://github.com/${kopia_repo_org}/kopia.git
@@ -14,7 +29,6 @@ ENV GITHUB_REPOSITORY=https://github.com/${kopia_repo_org}/kopia
 
 WORKDIR /kopia
 
-# Build kopia binary from specific commit
 RUN git checkout ${kopia_build_commit}
 RUN GO111MODULE=on GOOS=linux GOARCH=amd64 go build -o kopia \
   -ldflags="-X github.com/kopia/kopia/repo.BuildVersion=$(git show --no-patch --format='%cs-%h') \
@@ -45,11 +59,11 @@ LABEL name="kanister-tools" \
     vendor="Kanister" \
     version="${kan_tools_version}" \
     release="${kan_tools_version}" \
-    summary="Microservice for application-specific data management for Kubernetes" \
-    maintainer="Tom Manville<[email protected]>" \
-    description="Kanister tools for application-specific data management"
+    summary="Operator for data protection workflow management on Kubernetes" \
+    maintainer="Pavan N Devaraj<[email protected]>" \
+    description="Tools for application-specific data protection"
 
-COPY --from=restic/restic:0.15.2 /usr/bin/restic /usr/local/bin/restic
+COPY --from=builder /restic/restic /usr/local/bin/restic
 COPY --from=builder /kopia/kopia /usr/local/bin/kopia
 COPY LICENSE /licenses/LICENSE
 

examples/aws-rds/postgresql/README.md

@@ -9,7 +9,7 @@ This example is to demonstrate how Kanister can be integrated with AWS RDS insta
 ## Prerequisites
 
 - Kubernetes 1.10+
-- Kanister controller version 0.95.0 installed in your cluster
+- Kanister controller version 0.96.0 installed in your cluster
 - Kanctl CLI installed (https://docs.kanister.io/tooling.html#kanctl)
 
 ## Create RDS instance on AWS

examples/aws-rds/postgresql/rds-postgres-blueprint.yaml

@@ -14,7 +14,7 @@ actions:
     - func: KubeTask
       name: backupSnapshots
       args:
-        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.95.0"
+        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.96.0"
         namespace: "{{ .Object.metadata.namespace }}"
         command:
           - bash
@@ -53,7 +53,7 @@ actions:
     - func: KubeTask
       name: restoreSnapshots
       args:
-        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.95.0"
+        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.96.0"
         namespace: "{{ .Object.metadata.namespace }}"
         command:
           - bash
@@ -90,7 +90,7 @@ actions:
     - func: KubeTask
       name: restoreSnapshots
       args:
-        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.95.0"
+        image: "ghcr.io/kanisterio/postgres-kanister-tools:0.96.0"
         namespace: "{{ .Namespace.Name }}"
         command:
           - bash

examples/aws-rds/postgresql/rds-postgres-dump-blueprint.yaml

@@ -66,7 +66,7 @@ actions:
       name: deleteBackup
       args:
         namespace: "{{ .Namespace.Name }}"
-        image: ghcr.io/kanisterio/kanister-tools:0.95.0
+        image: ghcr.io/kanisterio/kanister-tools:0.96.0
         command:
           - bash
           - -o

examples/cassandra/README.md

@@ -7,7 +7,7 @@ As the official documentation of [Cassandra](http://cassandra.apache.org/) says,
 * Kubernetes 1.9+
 * Kubernetes beta APIs enabled only if `podDisruptionBudget` is enabled
 * PV support on the underlying infrastructure
-* Kanister controller version 0.95.0 installed in your cluster, let's say in namespace `<kanister-operator-namespace>`
+* Kanister controller version 0.96.0 installed in your cluster, let's say in namespace `<kanister-operator-namespace>`
 * Kanctl CLI installed (https://docs.kanister.io/tooling.html#kanctl)
 
 To install kanister and related tools you can follow [this](https://docs.kanister.io/install.html#install) link.
@@ -29,7 +29,7 @@ $ helm repo add bitnami https://charts.bitnami.com/bitnami
 $ helm repo update
 # remove app-namespace with the namespace you want to deploy the Cassandra app in
 $ kubectl create ns <app-namespace>
-$ helm install cassandra bitnami/cassandra --namespace <app-namespace> --set image.repository=kanisterio/cassandra --set image.tag=0.95.0 --set cluster.replicaCount=2 --set image.registry=ghcr.io --set image.pullPolicy=Always
+$ helm install cassandra bitnami/cassandra --namespace <app-namespace> --set image.repository=kanisterio/cassandra --set image.tag=0.96.0 --set cluster.replicaCount=2 --set image.registry=ghcr.io --set image.pullPolicy=Always
 
 
 ```