diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 50e984e..62f13db 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -2,6 +2,7 @@ version: 2 updates: - package-ecosystem: "gomod" + labels: ["dependencies"] directory: "/" schedule: interval: "monthly" @@ -20,6 +21,7 @@ updates: - dependency-name: "k8s.io/*" - dependency-name: "sigs.k8s.io/*" - package-ecosystem: "github-actions" + labels: ["dependencies"] directory: "/" schedule: interval: "monthly" @@ -28,6 +30,7 @@ updates: patterns: - "*" - package-ecosystem: "docker" + labels: ["dependencies"] directory: "/" schedule: interval: "monthly" diff --git a/.github/labels.yaml b/.github/labels.yaml new file mode 100644 index 0000000..31b78d8 --- /dev/null +++ b/.github/labels.yaml @@ -0,0 +1,13 @@ +# Configuration file to declaratively configure labels +# Ref: https://github.com/EndBug/label-sync#Config-files + +- name: area/generator + description: Artifact generation related issues and pull requests + color: '#00b140' +- name: area/storage + description: Artifact storage related issues and pull requests + color: '#4b0082' +- name: backport:release/v2.0.x + description: To be backported to release/v2.0.x + color: '#ffd700' + diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml new file mode 100644 index 0000000..4081bb1 --- /dev/null +++ b/.github/workflows/backport.yaml @@ -0,0 +1,12 @@ +name: backport +on: + pull_request_target: + types: [closed, labeled] +jobs: + backport: + permissions: + contents: write # for reading and creating branches. + pull-requests: write # for creating pull requests against release branches. + uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0 + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/code-scan.yaml b/.github/workflows/code-scan.yaml new file mode 100644 index 0000000..67cb6dc --- /dev/null +++ b/.github/workflows/code-scan.yaml 
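Review bot: The new backport job runs on `pull_request_target` with `contents: write` and `pull-requests: write`, yet the reusable workflow that receives that token is referenced by the mutable tag `fluxcd/gha-workflows/.github/workflows/backport.yaml@v0.4.0` rather than a commit SHA. A `pull_request_target` job executes in the base repository's context with secrets available, so whoever can move the `v0.4.0` tag in fluxcd/gha-workflows decides what runs with write access here; the SHA-pinned `uses:` lines this same commit removes from e2e.yaml (e.g. `actions/checkout@08c6903c… # v5.0.0`) show the repository's prior convention. I would pin it as `uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@<commit-sha> # v0.4.0` and let the `github-actions` Dependabot entry keep the version comment in step. Whether the called workflow checks out or executes pull-request-head content cannot be seen from this diff and should be confirmed before relying on the `labeled` trigger.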
@@ -0,0 +1,15 @@ +name: code-scan +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] +jobs: + analyze: + permissions: + contents: read # for reading the repository code. + security-events: write # for uploading the CodeQL analysis results. + uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@v0.4.0 + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} + fossa-token: ${{ secrets.FOSSA_TOKEN }} diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 8a5cab7..b043fd1 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -1,36 +1,19 @@ name: e2e - on: pull_request: push: branches: - main - jobs: kind: runs-on: ubuntu-latest + permissions: + contents: read # for reading the repository code. steps: - - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Setup QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - name: Setup Docker Buildx - id: buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - name: Setup Go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + - name: Test suite setup + uses: fluxcd/gha-workflows/.github/actions/setup-kubernetes@v0.4.0 with: go-version: 1.25.x - cache-dependency-path: | - **/go.sum - **/go.mod - - name: Setup Kubernetes - uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 - with: - version: v0.30.0 - cluster_name: kind - - name: Setup Kustomize - uses: fluxcd/pkg/actions/kustomize@main - name: Run tests run: make test - name: Check if working tree is dirty diff --git a/.github/workflows/labels-sync.yaml b/.github/workflows/labels-sync.yaml new file mode 100644 index 0000000..a463509 --- /dev/null +++ b/.github/workflows/labels-sync.yaml 
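Review bot: The code-scan workflow is triggered on `pull_request` and forwards `fossa-token: ${{ secrets.FOSSA_TOKEN }}`, but for pull requests opened from forks GitHub does not supply repository secrets, so the reusable workflow receives an empty token on exactly the PRs outside contributors open. Unless the called workflow skips the FOSSA step when the token is empty (not visible in this diff), fork contributions will see this check fail for reasons unrelated to their change. A comment stating the expectation would help the next maintainer, e.g. `# FOSSA_TOKEN is unset for fork PRs; the reusable workflow must tolerate an empty token.`, or the FOSSA upload could be limited to the `push` event if the callee exposes such a switch.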
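Review bot: The replacement step `uses: fluxcd/gha-workflows/.github/actions/setup-kubernetes@v0.4.0` is a floating tag, whereas the steps it replaces pinned `actions/checkout`, `docker/setup-qemu-action`, `docker/setup-buildx-action`, `actions/setup-go` and `helm/kind-action` to full commit SHAs with version comments. The kind version (`v0.30.0`) and the Go module cache keying (`cache-dependency-path`) also leave this file, so the test environment is now whatever that composite action pins internally. Pinning the composite action as `uses: fluxcd/gha-workflows/.github/actions/setup-kubernetes@<commit-sha> # v0.4.0` restores the previous supply-chain posture; note the removed `fluxcd/pkg/actions/kustomize@main` was already unpinned, so the regression is partial rather than new. The `kind` job continues past the end of this hunk.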
@@ -0,0 +1,16 @@
+name: sync-labels
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - .github/labels.yaml
+jobs:
+ sync-labels:
+ permissions:
+ contents: read # for reading the labels file.
+ issues: write # for creating and updating labels.
+ uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@v0.4.0
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 79ad03f..9cc8d6e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,5 +1,4 @@
 name: release
-
 on:
 push:
 tags:
@@ -10,153 +9,58 @@ on: description: 'image tag prefix' default: 'rc' required: true - -permissions: - contents: read - -env: - CONTROLLER: ${{ github.event.repository.name }} - jobs: release: - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - image_url: ${{ steps.hash.outputs.image_url }} - image_digest: ${{ steps.hash.outputs.image_digest }} - runs-on: ubuntu-latest permissions: - contents: write # needed to write releases - id-token: write # needed for keyless signing - packages: write # needed for ghcr access - steps: - - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - name: Setup Kustomize - uses: fluxcd/pkg/actions/kustomize@main - - name: Prepare - id: prep - run: | - VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}" - if [[ $GITHUB_REF == refs/tags/* ]]; then - VERSION=${GITHUB_REF/refs\/tags\//} - fi - echo "version=${VERSION}" >> $GITHUB_OUTPUT - - name: Setup Go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 - with: - go-version: 1.25.x - cache-dependency-path: | - **/go.sum - **/go.mod - - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 - - name: Docker login ghcr.io - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - registry: ghcr.io - username: fluxcdbot - password: ${{ secrets.GHCR_TOKEN }} - - name: Docker login docker.io - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 - with: - username: fluxcdbot - password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} - - name: Docker meta - id: meta - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 - with: - images: | - fluxcd/${{ 
env.CONTROLLER }} - ghcr.io/fluxcd/${{ env.CONTROLLER }} - tags: | - type=raw,value=${{ steps.prep.outputs.version }} - - name: Docker push - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 - id: build-push - with: - sbom: true - provenance: true - push: true - builder: ${{ steps.buildx.outputs.name }} - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm/v7,linux/arm64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - name: Sign images - env: - COSIGN_EXPERIMENTAL: 1 - run: | - cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }} - cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }} - - name: Generate release artifacts - if: startsWith(github.ref, 'refs/tags/v') - run: | - mkdir -p config/release - kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml - kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml - - name: GoReleaser publish signed SBOM - id: run-goreleaser - if: startsWith(github.ref, 'refs/tags/v') - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 - with: - version: latest - args: release --clean --skip=validate - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Generate SLSA hashes - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - - hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) - echo "hashes=$hashes" >> $GITHUB_OUTPUT - - image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }} - image_digest=${{ steps.build-push.outputs.digest }} - echo "image_url=$image_url" >> $GITHUB_OUTPUT - echo "image_digest=$image_digest" >> $GITHUB_OUTPUT - + contents: write # for creating the GitHub 
release.
+ id-token: write # for creating OIDC tokens for signing.
+ packages: write # for pushing and signing container images.
+ uses: fluxcd/gha-workflows/.github/workflows/controller-release.yaml@v0.4.0
+ with:
+ controller: ${{ github.event.repository.name }}
+ release-candidate-prefix: ${{ github.event.inputs.tag }}
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ dockerhub-token: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
 release-provenance:
 needs: [release]
 permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write # To add assets to the release.
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OIDC tokens for signing.
+ contents: write # for uploading attestations to GitHub releases.
+ if: startsWith(github.ref, 'refs/tags/v')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
 with:
 provenance-name: "provenance.intoto.jsonl"
- base64-subjects: "${{ needs.release.outputs.hashes }}"
+ base64-subjects: "${{ needs.release.outputs.release-digests }}"
 upload-assets: true
-
 dockerhub-provenance:
 needs: [release]
 permissions:
+ contents: read # for reading the repository code.
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
+ if: startsWith(github.ref, 'refs/tags/v')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
 with:
- image: ${{ needs.release.outputs.image_url }}
- digest: ${{ needs.release.outputs.image_digest }}
- registry-username: fluxcdbot
+ image: ${{ needs.release.outputs.image-name }}
+ digest: ${{ needs.release.outputs.image-digest }}
+ registry-username: ${{ github.repository_owner == 'fluxcd' && 'fluxcdbot' || github.repository_owner }}
 secrets:
 registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
 ghcr-provenance:
 needs: [release]
 permissions:
+ contents: read # for reading the repository code.
 actions: read # for detecting the Github Actions environment.
 id-token: write # for creating OIDC tokens for signing.
 packages: write # for uploading attestations.
+ if: startsWith(github.ref, 'refs/tags/v')
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
 with:
- image: ghcr.io/${{ needs.release.outputs.image_url }}
- digest: ${{ needs.release.outputs.image_digest }}
- registry-username: fluxcdbot
+ image: ghcr.io/${{ needs.release.outputs.image-name }}
+ digest: ${{ needs.release.outputs.image-digest }}
+ registry-username: fluxcdbot # not necessary for ghcr.io
 secrets:
- registry-password: ${{ secrets.GHCR_TOKEN }}
\ No newline at end of file
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index f011295..bcb19bb 100644
--- a/README.md
+++ b/README.md
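Review bot: The release job now delegates building, pushing, signing and SBOM generation to `fluxcd/gha-workflows/.github/workflows/controller-release.yaml@v0.4.0` with `id-token: write`, `packages: write` and the Docker Hub credential, but that reference is a mutable tag rather than a commit SHA, and the three provenance jobs attest whatever digests that workflow emits, so a moved tag silently changes what gets signed and attested. The slsa-github-generator workflows are referenced by tag because that generator requires and checks its own tag by design; the fluxcd workflow has no such safeguard, so I would pin it with `uses: fluxcd/gha-workflows/.github/workflows/controller-release.yaml@<commit-sha> # v0.4.0`. The outputs consumed here (`needs.release.outputs.release-digests`, `image-name`, `image-digest`) must match the names the reusable workflow declares, which this diff cannot show. On a tag push `github.event.inputs.tag` is empty, so `release-candidate-prefix` presumably defaults inside the callee; a comment such as `# empty on tag pushes; only used for workflow_dispatch release candidates` would make that explicit. This hunk starts on earlier lines, where the `release` job's header is split across the collapsed text.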
@@ -1,5 +1,6 @@
 # source-watcher
+[![fossa](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fsource-watcher.svg?type=small)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fsource-watcher?ref=badge_small)
 [![test](https://github.com/fluxcd/source-watcher/workflows/e2e/badge.svg)](https://github.com/fluxcd/source-watcher/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/source-watcher)](https://goreportcard.com/report/github.com/fluxcd/source-watcher)
 [![license](https://img.shields.io/github/license/fluxcd/source-watcher.svg)](https://github.com/fluxcd/source-watcher/blob/main/LICENSE)