From ef0c7f6a6c04eee4d5b84e1d3bb4abe9c6be812c Mon Sep 17 00:00:00 2001 From: Christian Bianchi Date: Tue, 16 Apr 2024 08:52:20 +0200 Subject: [PATCH] [backport] imds v2 fixes --- .circleci/config.yml | 2 +- .../zz_generated.add-team-labels.yaml | 4 +- .../zz_generated.add-to-project-board.yaml | 8 +- .../zz_generated.create_release.yaml | 45 ++++++----- .../zz_generated.create_release_pr.yaml | 8 +- .github/workflows/zz_generated.gitleaks.yaml | 4 +- .../zz_generated.run_ossf_scorecard.yaml | 78 +++++++++++++++++++ 7 files changed, 117 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/zz_generated.run_ossf_scorecard.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index cfc595c4..661db5ef 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2.1 orbs: - architect: giantswarm/architect@4.35.6 + architect: giantswarm/architect@5.1.1 workflows: test: diff --git a/.github/workflows/zz_generated.add-team-labels.yaml b/.github/workflows/zz_generated.add-team-labels.yaml index 4a2db906..97ba2aed 100644 --- a/.github/workflows/zz_generated.add-team-labels.yaml +++ b/.github/workflows/zz_generated.add-team-labels.yaml @@ -16,7 +16,7 @@ jobs: -O artifacts/users.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest needs: build_user_list steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users diff --git a/.github/workflows/zz_generated.add-to-project-board.yaml b/.github/workflows/zz_generated.add-to-project-board.yaml index ae6b3986..32176b15 100644 --- a/.github/workflows/zz_generated.add-to-project-board.yaml +++ b/.github/workflows/zz_generated.add-to-project-board.yaml @@ -18,7 +18,7 @@ jobs: -O artifacts/users.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/user-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: users path: artifacts/users.yaml @@ -30,7 +30,7 @@ jobs: -O artifacts/labels.yaml \ https://raw.githubusercontent.com/giantswarm/github/main/tools/issue-automation/label-mapping.yaml - name: Upload Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: labels path: artifacts/labels.yaml @@ -42,7 +42,7 @@ jobs: needs: build_user_list if: github.event.action == 'assigned' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-users with: name: users @@ -68,7 +68,7 @@ jobs: needs: build_user_list if: github.event.action == 'labeled' steps: - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@v4 id: download-labels with: name: labels diff --git a/.github/workflows/zz_generated.create_release.yaml b/.github/workflows/zz_generated.create_release.yaml index 4e5d7d9f..07b7f5ed 100644 --- a/.github/workflows/zz_generated.create_release.yaml +++ b/.github/workflows/zz_generated.create_release.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.17.1 +# devctl@6.23.3 # name: Create Release on: @@ -32,11 +32,10 @@ jobs: steps: - name: Get version id: get_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) # Matches strings like: # # - "Release v1.2.3" @@ -53,7 +52,7 @@ jobs: echo "version=${version}" >> $GITHUB_OUTPUT - name: Checkout code if: ${{ steps.get_version.outputs.version != '' }} - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Get project.go path id: get_project_go_path if: ${{ steps.get_version.outputs.version != '' }} @@ -66,11 +65,10 @@ jobs: echo "path=${path}" >> $GITHUB_OUTPUT - name: Check if reference version id: ref_version + env: + COMMIT_MESSAGE: ${{ github.event.head_commit.message }} run: | - title="$(cat <<- 'COMMIT_MESSAGE_END' | head -n 1 - - ${{ github.event.head_commit.message }} - COMMIT_MESSAGE_END - )" + title=$(echo -n "${COMMIT_MESSAGE}" | head -1) if echo "${title}" | grep -qE '^release v[0-9]+\.[0-9]+\.[0-9]+([.-][^ .-][^ ]*)?( \(#[0-9]+\))?$' ; then version=$(echo "${title}" | cut -d ' ' -f 2) fi @@ -90,12 +88,12 @@ jobs: - gather_facts steps: - name: Install architect - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" - version: "6.13.0" + version: "6.14.1" - name: Install semver - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.2.0" @@ -103,7 +101,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Update project.go id: update_project_go env: @@ -144,6 +142,15 @@ jobs: title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" run: | gh pr create --title "${{ env.title }}" --body "" --base ${{ env.base }} --head ${{ env.branch }} --reviewer ${{ github.actor }} + - name: Enable auto-merge for PR + env: + GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" + base: "${{ github.ref }}" + branch: "${{ github.ref }}-version-bump" + version: "${{ needs.gather_facts.outputs.version }}" + title: "Bump version to ${{ steps.update_project_go.outputs.new_version }}" + run: | + gh pr merge --auto --squash "${{ env.branch }}" || echo "::warning::Auto-merge not allowed. Please adjust the repository settings." create_release: name: Create release runs-on: ubuntu-22.04 @@ -154,7 +161,7 @@ jobs: upload_url: ${{ steps.create_gh_release.outputs.upload_url }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ github.sha }} - name: Ensure correct version in project.go @@ -165,7 +172,7 @@ jobs: grep -qE "version[[:space:]]*=[[:space:]]*\"$version\"" $file - name: Get Changelog Entry id: changelog_reader - uses: mindsers/changelog-reader-action@v2 + uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 with: version: ${{ needs.gather_facts.outputs.version }} path: ./CHANGELOG.md @@ -184,7 +191,7 @@ jobs: git push "${REMOTE_REPO}" --tags - name: Create release id: create_gh_release - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 env: GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}" with: @@ -199,7 +206,7 @@ jobs: if: ${{ needs.gather_facts.outputs.version }} steps: - name: Install semver - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "semver" version: "3.0.0" @@ -207,7 +214,7 @@ jobs: tarball_binary_path: "*/src/${binary}" smoke_test: "${binary} --version" - name: Check out the repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 # Clone the whole history, not just the most recent commit. - name: Fetch all tags and branches diff --git a/.github/workflows/zz_generated.create_release_pr.yaml b/.github/workflows/zz_generated.create_release_pr.yaml index 4c3edcd1..4c60aeea 100644 --- a/.github/workflows/zz_generated.create_release_pr.yaml +++ b/.github/workflows/zz_generated.create_release_pr.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.17.1 +# devctl@6.23.3 # name: Create Release PR on: @@ -143,16 +143,16 @@ jobs: env: architect_flags: "--organisation ${{ github.repository_owner }} --project ${{ needs.gather_facts.outputs.repo_name }}" steps: - - uses: actions/setup-go@v3 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: '=1.18.1' - name: Install architect - uses: giantswarm/install-binary-action@v1.1.0 + uses: giantswarm/install-binary-action@033b1a657eea23d9c42e77312b370e6125e4e38f # v2.0.0 with: binary: "architect" version: "6.11.0" - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{ needs.gather_facts.outputs.branch }} - name: Prepare release changes diff --git a/.github/workflows/zz_generated.gitleaks.yaml b/.github/workflows/zz_generated.gitleaks.yaml index b02c5ff6..9e8628b7 100644 --- a/.github/workflows/zz_generated.gitleaks.yaml +++ b/.github/workflows/zz_generated.gitleaks.yaml @@ -1,6 +1,6 @@ # DO NOT EDIT. Generated with: # -# devctl@6.17.1 +# devctl@6.23.3 # name: gitleaks @@ -10,7 +10,7 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: '0' - name: gitleaks-action diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml new file mode 100644 index 00000000..43efbeb6 --- /dev/null +++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml @@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.23.3 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif