chore: bump github/codeql-action from 2.3.3 to 2.3.5 #658

Workflow file for this run

.github/workflows/workflow.yaml at c14e1b5

	name: build_test
	on:
	push:
	paths-ignore:
	- ".github/workflows/website.yaml"
	- "docs/**"
	- "library/**"
	- "demo/**"
	- "deprecated/**"
	- "example/**"
	- "website/**"
	- "**.md"
	- "!cmd/build/helmify/static/README.md"
	pull_request:
	paths-ignore:
	- ".github/workflows/website.yaml"
	- "docs/**"
	- "library/**"
	- "demo/**"
	- "deprecated/**"
	- "example/**"
	- "website/**"
	- "**.md"
	- "!cmd/build/helmify/static/README.md"

	permissions: read-all

	jobs:
	lint:
	name: "Lint"
	runs-on: ubuntu-22.04
	timeout-minutes: 5
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	# source: https://github.com/golangci/golangci-lint-action
	- name: golangci-lint
	uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
	with:
	# version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
	version: v1.51.2

	test:
	name: "Unit test"
	runs-on: ubuntu-22.04
	timeout-minutes: 10
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Unit test
	run: make native-test

	- name: Codecov Upload
	uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
	with:
	flags: unittests
	file: ./cover.out
	fail_ci_if_error: false

	check_manifest:
	name: "Check codegen and manifest"
	runs-on: ubuntu-22.04
	timeout-minutes: 10
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"
	- name: Check go.mod and manifests
	run: \|
	# there should be no additional manifest or go.mod changes
	go mod tidy
	git diff --exit-code
	make generate manifests
	git diff --exit-code

	gator_test:
	name: "Test Gator"
	runs-on: ubuntu-22.04
	timeout-minutes: 5
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Download e2e dependencies
	run: \|
	mkdir -p $GITHUB_WORKSPACE/bin
	echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
	make e2e-dependencies KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}

	- name: gator test
	run: make test-gator-containerized

	build_test:
	name: "Build and Test"
	runs-on: ubuntu-22.04
	timeout-minutes: 15
	strategy:
	matrix:
	KUBERNETES_VERSION: ["1.24.12", "1.25.8", "1.26.3", "1.27.1"]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"

	- name: Bootstrap e2e
	run: \|
	mkdir -p $GITHUB_WORKSPACE/bin
	echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
	make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}

	- name: Run e2e
	run: \|
	make docker-buildx \
	IMG=gatekeeper-e2e:latest

	make e2e-build-load-externaldata-image

	kind load docker-image --name kind \
	gatekeeper-e2e:latest

	make deploy \
	IMG=gatekeeper-e2e:latest \
	USE_LOCAL_IMG=true

	make test-e2e

	- name: Save logs
	if: ${{ always() }}
	run: \|
	kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
	kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json

	- name: Upload artifacts
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	if: ${{ always() }}
	with:
	name: logs
	path: \|
	logs-*.json

	helm_build_test:
	name: "[Helm] Build and Test"
	runs-on: ubuntu-22.04
	timeout-minutes: 15
	strategy:
	matrix:
	HELM_VERSION: ["3.7.2"]
	GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Bootstrap e2e
	run: \|
	mkdir -p $GITHUB_WORKSPACE/bin
	echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
	make e2e-bootstrap

	- name: Run e2e
	run: \|
	make docker-buildx \
	IMG=gatekeeper-e2e:latest \
	GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

	make docker-buildx-crds \
	CRD_IMG=gatekeeper-crds:latest \
	GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

	make e2e-build-load-externaldata-image \
	GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

	kind load docker-image --name kind \
	gatekeeper-e2e:latest \
	gatekeeper-crds:latest

	make e2e-helm-deploy \
	HELM_REPO=gatekeeper-e2e \
	HELM_CRD_REPO=gatekeeper-crds \
	HELM_RELEASE=latest \
	HELM_VERSION=${{ matrix.HELM_VERSION }} \
	GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

	make test-e2e \
	GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

	- name: Save logs
	if: ${{ always() }}
	run: \|
	kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json
	kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json
	kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l run=dummy-provider --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-dummy-provider.json

	- name: Upload artifacts
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	if: ${{ always() }}
	with:
	name: helm-logs
	path: \|
	logs-*.json

	build_test_generator_expansion:
	name: "[Generator Resource Expansion] Build and Test"
	runs-on: ubuntu-22.04
	timeout-minutes: 15

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Set up Go 1.20
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: "1.20"

	- name: Bootstrap e2e
	run: \|
	mkdir -p $GITHUB_WORKSPACE/bin
	echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
	make e2e-bootstrap

	- name: Run e2e
	run: \|
	make docker-buildx \
	IMG=gatekeeper-e2e:latest

	make e2e-build-load-externaldata-image

	kind load docker-image --name kind \
	gatekeeper-e2e:latest

	make deploy \
	IMG=gatekeeper-e2e:latest \
	USE_LOCAL_IMG=true \
	ENABLE_GENERATOR_EXPANSION=true

	go mod tidy
	# there should be no additional manifest or go.mod changes
	git diff --exit-code
	make test-e2e ENABLE_GENERATOR_EXPANSION_TESTS=1

	- name: Save logs
	if: ${{ always() }}
	run: \|
	kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-generatorexpansion-controller.json
	kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-generatorexpansion-audit.json

	- name: Upload artifacts
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	if: ${{ always() }}
	with:
	name: generatorexpansion-logs
	path: \|
	logs-*.json

	scan_vulnerabilities:
	name: "[Trivy] Scan for vulnerabilities"
	runs-on: ubuntu-22.04
	timeout-minutes: 15
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
	with:
	egress-policy: audit

	- name: Check out code into the Go module directory
	uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

	- name: Download trivy
	run: \|
	pushd $(mktemp -d)
	wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
	tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
	echo "$(pwd)" >> $GITHUB_PATH
	env:
	TRIVY_VERSION: "0.41.0"

	- name: Run trivy on git repository
	run: \|
	trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .

	- name: Build docker images
	run: \|
	make docker-buildx \
	IMG=gatekeeper-e2e:latest

	make docker-buildx-crds \
	CRD_IMG=gatekeeper-crds:latest

	- name: Run trivy on images
	run: \|
	for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
	trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
	done

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bump github/codeql-action from 2.3.3 to 2.3.5 #658

Workflow file

chore: bump github/codeql-action from 2.3.3 to 2.3.5 #658

Jobs

Run details

Workflow file for this run