Merge branch 'main' into cgr-publish

tektoncd · Jan 24, 2024 · d1b1e4c · d1b1e4c
2 parents 6bd6a37 + 97ffba2
commit d1b1e4c
Show file tree

Hide file tree

Showing 2,201 changed files with 201,814 additions and 52,096 deletions.
diff --git a/.envrc.sample b/.envrc.sample
@@ -0,0 +1,7 @@
+# shellcheck shell=bash
+# This is an example of a .envrc file for use with direnv
+#
+# See https://direnv.net/#getting-started for more information on how to get
+# started with direnv
+export GOMAXPROCS=6
+export KO_DOCKER_REPO=gcr.io/tektoncd/pipeline
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -48,6 +48,15 @@ updates:
     ignore:
     - dependency-name: "k8s.io/*"
       update-types: ["version-update:semver-major", "version-update:semver-minor"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+    - "ok-to-test"
+    - "dependencies"
+    - "release-note-none"
+    - "kind/misc"
   - package-ecosystem: "docker"
     directory: "/tekton"
     schedule:
@@ -60,4 +69,4 @@ updates:
     groups:
       all:
         patterns:
-          - "*"
+          - "*"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -11,12 +11,23 @@
 #
 name: "CodeQL"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.yaml'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.yaml'
   schedule:
     - cron: '30 20 * * 2'
 
@@ -38,11 +49,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +78,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,62 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '23 0 * * 4'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/woke.yml b/.github/workflows/woke.yml
@@ -0,0 +1,30 @@
+name: 'woke'
+
+permissions:
+  contents: read
+
+on:
+  - pull_request
+jobs:
+  woke:
+    name: 'woke'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@ae82ed4ae04587b665efad2f206578aa6f0e8539 # v42.0.0
+        with:
+          write_output_files: true
+          files: |
+            **
+
+      - name: 'woke'
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: get-woke/woke-action@b2ec032c4a2c912142b38a6a453ad62017813ed0 # v0
+        with:
+          # Cause the check to fail on any broke rules
+          fail-on-error: true
+          woke-args: ${{ steps.changed_files.outputs.all_changed_files }}
diff --git a/.gitignore b/.gitignore
@@ -60,3 +60,6 @@ test/pullrequest/pullrequest-init
 
 # Backup of API reference docs generated by sed
 docs/pipeline-api.md.backup
+
+# Ignore .env files
+/.env
diff --git a/.wokeignore b/.wokeignore
@@ -0,0 +1,5 @@
+go.mod
+go.sum
+vendor
+config/dummy.go
+.wokeignore
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -95,6 +95,11 @@ You must install these tools:
    > **Note** Linter findings are dependent on your installed Go version. Match
    the version in [`go.mod`](go.mod) to match the findings in your PR.
 
+1. (Optional)
+   [`woke`](https://docs.getwoke.tech/installation/) is executed for every pull 
+   request. To ensure your work does not contain offensive language, you may 
+   want to install and run this tool locally.
+
 ### Configure environment
 
 To [build, deploy and run your Tekton Objects with `ko`](#install-pipeline), you'll need to set these environment variables:
@@ -164,8 +169,11 @@ The Tekton project requires that you develop (commit) code changes to branches t
 
         ```shell
         git remote add upstream [email protected]:tektoncd/pipeline.git
+        ```
 
-        # Optional: Prevent accidental pushing of commits by changing the upstream URL to `no_push`
+    1. Optional: Prevent accidental pushing of commits by changing the upstream URL to `no_push`
+
+        ```shell
         git remote set-url --push upstream no_push
         ```
 
@@ -221,7 +229,7 @@ as follows.
     ```yaml
     kubectl create secret generic ${SECRET_NAME} \
     --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
-    --type=kubernetes.io/dockerconfigjson
+    --type=kubernetes.io/dockerconfigjson \
     --namespace=tekton-pipelines
     ```
    See [Configuring authentication for Docker](./docs/auth.md#configuring-authentication-for-docker)
@@ -271,9 +279,9 @@ The recommended minimum development configuration is:
   - 8 GB of (actual or virtualized) platform memory
 - Node autoscaling, up to 3 nodes
 
-#### Using [KinD](https://kind.sigs.k8s.io/)
+#### Using [Kind](https://kind.sigs.k8s.io/)
 
-[KinD](https://kind.sigs.k8s.io/) is a great tool for working with Kubernetes clusters locally. It is particularly useful to quickly test code against different cluster [configurations](https://kind.sigs.k8s.io/docs/user/quick-start/#advanced).
+[Kind](https://kind.sigs.k8s.io/) is a great tool for working with Kubernetes clusters locally. It is particularly useful to quickly test code against different cluster [configurations](https://kind.sigs.k8s.io/docs/user/quick-start/#advanced).
 
 1. Install [required tools](./DEVELOPMENT.md#install-tools) (note: may require a newer version of Go).
 2. Install [Docker](https://www.docker.com/get-started).
@@ -353,7 +361,7 @@ While iterating on code changes to the project, you may need to:
     - Update your (external) dependencies with: `./hack/update-deps.sh`
     - Update your type definitions with: `./hack/update-codegen.sh`
     -  Update your OpenAPI specs with: `./hack/update-openapigen.sh`
-1. Update or [add new CRD types](#adding-new-types) as needed
+1. Update or [add new CRD types](#adding-new-crd-types) as needed
 1. Update, [add and run tests](./test/README.md#tests)
 
 To make changes to these CRDs, you will probably interact with:

diff --git a/Makefile b/Makefile
@@ -7,8 +7,10 @@ TESTPKGS = $(shell env GO111MODULE=on $(GO) list -f \
 			'{{ if or .TestGoFiles .XTestGoFiles }}{{ .ImportPath }}{{ end }}' \
 			$(PKGS))
 BIN      = $(CURDIR)/.bin
+WOKE 	?= go run -modfile go.mod github.com/get-woke/woke
 
 GOLANGCI_VERSION = v1.52.2
+WOKE_VERSION     = v0.19.0
 
 GO           = go
 TIMEOUT_UNIT = 5m
@@ -185,6 +187,14 @@ goimports: | $(GOIMPORTS) ; $(info $(M) running goimports…) ## Run goimports
 fmt: ; $(info $(M) running gofmt…) @ ## Run gofmt on all source files
 	$Q $(GO) fmt $(PKGS)
 
+WOKE = $(BIN)/woke
+$(BIN)/woke: ; $(info $(M) getting woke $(WOKE_VERSION))
+	cd tools; GOBIN=$(BIN) go install github.com/get-woke/woke@$(WOKE_VERSION)
+
+.PHONY: woke 
+woke: | $(WOKE) ; $(info $(M) running woke...) @ ## Run woke
+	$Q $(WOKE) -c https://github.com/canonical/Inclusive-naming/raw/main/config.yml
+
 # Misc
 
 .PHONY: clean

diff --git a/OWNERS b/OWNERS
@@ -2,3 +2,6 @@
 
 approvers:
 - pipeline-approvers
+
+reviewers:
+- pipeline-reviewers
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -10,6 +10,19 @@ aliases:
   - lbernick
   - abayer
   - wlynch
+  - yongxuanzhang
+  - chitrangpatel
+  - jeromeJu
+
+  pipeline-reviewers:
+  - afrittoli
+  - bobcatfish
+  - dibyom
+  - vdemeester
+  - pritidesai
+  - jerop
+  - abayer
+  # - wlynch (feel free to /cc me into PRs as needed)
 
   apis-approvers:
   - afrittoli
@@ -27,10 +40,6 @@ aliases:
   - afrittoli
   - bobcatfish
   - vdemeester
-  productivity-reviewers:
-  - dibyom
-  - dlorenc
-  - ImJasonH
 
 # Alumni ❤️
 # tejal29

diff --git a/README.md b/README.md
@@ -62,6 +62,15 @@ deprecated and the earliest date they'll be removed._
 
 ## Migrating
 
+### v1beta1 to v1
+
+Several Tekton CRDs and API spec fields, including ClusterTask CRD and Pipeline
+Resources fields, were updated or deprecated during the migration from `v1beta1`
+to `v1`.
+
+For users migrating their Tasks and Pipelines from `v1beta1` to `v1`, check
+out [the v1beta1 to v1 migration guide](./docs/migrating-v1beta1-to-v1.md).
+
 ### v1alpha1 to v1beta1
 
 In the move from v1alpha1 to v1beta1 several spec fields and Tekton