Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 2e2eab4
Showing
30 changed files
with
1,871 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
## Current situation | ||
<!--- Shortly describe the current situation --> | ||
|
||
## Proposal | ||
<!--- Describe what this PR is intended to achieve --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
name: main | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
- main | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
- name: Setup Go | ||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version: 1.20.5 | ||
- name: Restore Go cache | ||
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | ||
with: | ||
path: ~/go/pkg/mod | ||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
restore-keys: | | ||
${{ runner.os }}-go- | ||
- name: Tests | ||
run: make test | ||
- name: Send go coverage report | ||
uses: shogo82148/actions-goveralls@7b1bd2871942af030d707d6574e5f684f9891fb2 # v1.8.0 | ||
with: | ||
path-to-profile: coverage.out |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
name: pr-actions | ||
|
||
permissions: {} | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- 'master' | ||
|
||
jobs: | ||
ensure-sha-pinned: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: Ensure SHA pinned actions | ||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@99589360fda82ecfac331cc6bfc9d7d74487359c # v2.1.6 | ||
with: | ||
# slsa-github-generator requires using a semver tag for reusable workflows. | ||
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators | ||
allowlist: | | ||
slsa-framework/slsa-github-generator |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
name: pr-build | ||
|
||
on: | ||
pull_request: | ||
types: | ||
- opened | ||
- synchronize | ||
- reopened | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
lint-chart: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Set up Helm | ||
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 #v3.5 | ||
with: | ||
version: v3.4.0 | ||
|
||
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 | ||
with: | ||
python-version: 3.7 | ||
|
||
- name: Set up chart-testing | ||
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 | ||
|
||
- name: Run chart-testing (lint) | ||
run: ct lint --target-branch=master --chart-dirs chart --check-version-increment=false | ||
|
||
lint: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
- name: Setup Go | ||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version: 1.20.5 | ||
- name: Restore Go cache | ||
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | ||
with: | ||
path: ~/go/pkg/mod | ||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
restore-keys: | | ||
${{ runner.os }}-go- | ||
- name: fmt | ||
run: make fmt | ||
- name: vet | ||
run: make vet | ||
- name: lint | ||
run: make lint | ||
- name: Check if working tree is dirty | ||
run: | | ||
if [[ $(git diff --stat) != '' ]]; then | ||
git --no-pager diff | ||
echo 'run make test and commit changes' | ||
exit 1 | ||
fi | ||
build: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
profiles: ${{ steps.profiles.outputs.profiles }} | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
- name: Setup Go | ||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version: 1.20.5 | ||
- name: Restore Go cache | ||
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | ||
with: | ||
path: ~/go/pkg/mod | ||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
restore-keys: | | ||
${{ runner.os }}-go- | ||
- name: Run tests | ||
run: make test | ||
- name: Build binary | ||
run: make build | ||
- name: Send go coverage report | ||
uses: shogo82148/actions-goveralls@7b1bd2871942af030d707d6574e5f684f9891fb2 # v1.8.0 | ||
with: | ||
path-to-profile: coverage.out | ||
- name: Check if working tree is dirty | ||
run: | | ||
if [[ $(git diff --stat) != '' ]]; then | ||
git --no-pager diff | ||
echo 'run make test and commit changes' | ||
exit 1 | ||
fi | ||
- name: Build container image | ||
run: | | ||
make docker-build |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
name: pr-dependency-review | ||
on: [pull_request] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
dependency-review: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: 'Checkout Repository' | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- name: 'Dependency Review' | ||
uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
name: pr-label | ||
on: pull_request | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
size-label: | ||
runs-on: ubuntu-latest | ||
if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }} | ||
permissions: | ||
pull-requests: write | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: size-label | ||
uses: "pascalgn/size-label-action@b1f4946f381d38d3b5960f76b514afdfef39b609" | ||
env: | ||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
name: pr-nancy | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- 'master' | ||
|
||
permissions: {} | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
nancy: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
- name: Setup Go | ||
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version: 1.20.5 | ||
- name: Restore Go cache | ||
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | ||
with: | ||
path: ~/go/pkg/mod | ||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
restore-keys: | | ||
${{ runner.os }}-go- | ||
- name: WriteGoList | ||
run: go list -json -m all > go.list | ||
- name: Nancy SAST Scan | ||
uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
name: pr-stale | ||
on: | ||
schedule: | ||
- cron: '30 1 * * *' | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
stale: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
issues: write | ||
steps: | ||
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 | ||
with: | ||
days-before-close: '120' | ||
stale-pr-label: stale | ||
repo-token: ${{ github.token }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
name: pr-trivy | ||
on: pull_request | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
trivy: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Trivy fs scan | ||
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
severity: 'CRITICAL,HIGH' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
name: rebase | ||
|
||
on: | ||
pull_request: | ||
types: [opened] | ||
issue_comment: | ||
types: [created] | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
rebase: | ||
if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER') | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write # needed to force push | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout the latest code | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
with: | ||
fetch-depth: 0 | ||
- name: Automatic Rebase | ||
uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8 | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
name: release | ||
on: | ||
push: | ||
tags: | ||
- 'v*' | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
release: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write # needed to write releases | ||
id-token: write # needed for keyless signing | ||
packages: write # needed for ghcr access | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout code | ||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 | ||
with: | ||
fetch-depth: 0 | ||
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | ||
with: | ||
go-version: 1.20.5 | ||
- name: Docker Login | ||
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Setup Cosign | ||
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | ||
- uses: anchore/sbom-action/download-syft@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b # v0.15.0 | ||
- name: Create release and SBOM | ||
if: startsWith(github.ref, 'refs/tags/v') | ||
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 | ||
with: | ||
version: latest | ||
args: release --rm-dist --skip-validate | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
Oops, something went wrong.