From c1e5121a82756fbc5c2d13981acdb539b6da3fed Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 09:16:43 +0100 Subject: [PATCH 01/15] . --- .github/workflows/assert-signed-commits.yaml | 15 ----------- .github/workflows/ci.yaml | 28 +++++++++++++++++++- 2 files changed, 27 insertions(+), 16 deletions(-) delete mode 100644 .github/workflows/assert-signed-commits.yaml diff --git a/.github/workflows/assert-signed-commits.yaml b/.github/workflows/assert-signed-commits.yaml deleted file mode 100644 index 405ee22ab..000000000 --- a/.github/workflows/assert-signed-commits.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: Check signed commits in PR -on: - pull_request_target: - pull_request: - -jobs: - check-signed-commits: - name: Check signed commits in PR - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - steps: - - name: Check signed commits in PR - uses: 1Password/check-signed-commits-action@v1 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7bd734e10..24ce7974f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,7 +4,6 @@ on: workflow_call: workflow_dispatch: - jobs: # lint: # runs-on: ubuntu-20.04 @@ -22,10 +21,36 @@ jobs: # skip-pkg-cache: true # skip-build-cache: true + check-signed-commits: + name: Check signed commits in PR + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Check signed commits in PR + uses: 1Password/check-signed-commits-action@v1 + + security_scan: + name: Security Scan + runs-on: ubuntu-22.04 + timeout-minutes: 45 + needs: [check-signed-commits] + steps: + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.20.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' + build_test: name: Build and Test runs-on: ubuntu-22.04 timeout-minutes: 45 + needs: [security_scan] steps: - uses: actions/checkout@v4 with: 
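Review bot: Neither `security_scan` nor `build_test` declares a `permissions:` block, so both run with the repository's default GITHUB_TOKEN permissions while only `check-signed-commits` is scoped; a workflow-level `permissions:` / `  contents: read` at the top of ci.yaml (outside this hunk, the `jobs:` mapping starts above it) would make the per-job `pull-requests: write` the single deliberate override. The third-party actions are referenced by mutable tags (`aquasecurity/trivy-action@0.20.0`, `1Password/check-signed-commits-action@v1`), so a retagged release changes what executes in CI with secrets in scope; pinning to the full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.20.0`, removes that exposure. The same applies to every `uses:` introduced later in this series, including the standalone check-signed-commits workflow in 15/15. `security_scan` also has no checkout step here, so `scan-type: 'fs'` scans an empty workspace until 08/15 adds one.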
@@ -60,6 +85,7 @@ jobs: smoke_test: name: Smoke Test runs-on: ubuntu-22.04 + needs: [security_scan] # The docker compose has a healthcheck on the JIMM container. # So if the compose returns with exit code 0 then the JIMM server successfully started. steps: From b64de20442fc3be12097fa8db03b463e43fa4d7f Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 09:18:21 +0100 Subject: [PATCH 02/15] . --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 24ce7974f..697297829 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,6 +1,7 @@ name: CI on: pull_request: + pull_request_target: workflow_call: workflow_dispatch: From 25143c48bc0543ce172ea24d7b3993193c8121d5 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 09:37:26 +0100 Subject: [PATCH 03/15] . --- .github/workflows/ci.yaml | 1 - .github/workflows/jaas-snap-release.yaml | 15 --------- .github/workflows/jimmctl-snap-release.yaml | 16 ---------- ...-release.yaml => release-server-rock.yaml} | 3 +- .github/workflows/release-snaps.yaml | 32 +++++++++++++++++++ .github/workflows/snap-release.yaml | 4 ++- .github/workflows/snap.yaml | 29 ----------------- 7 files changed, 36 insertions(+), 64 deletions(-) delete mode 100644 .github/workflows/jaas-snap-release.yaml delete mode 100644 .github/workflows/jimmctl-snap-release.yaml rename .github/workflows/{server-oci-release.yaml => release-server-rock.yaml} (94%) create mode 100644 .github/workflows/release-snaps.yaml delete mode 100644 .github/workflows/snap.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 697297829..032807fb6 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,7 +36,6 @@ jobs: name: Security Scan runs-on: ubuntu-22.04 timeout-minutes: 45 - needs: [check-signed-commits] steps: - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.20.0 
diff --git a/.github/workflows/jaas-snap-release.yaml b/.github/workflows/jaas-snap-release.yaml deleted file mode 100644 index faee78705..000000000 --- a/.github/workflows/jaas-snap-release.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: Release jaas snap - -on: - workflow_dispatch: - push: - tags: - - 'v3*' - -jobs: - build-and-release: - uses: ./.github/workflows/snap-release.yaml - with: - folder: jaas - release-channel: 3/edge - secrets: inherit diff --git a/.github/workflows/jimmctl-snap-release.yaml b/.github/workflows/jimmctl-snap-release.yaml deleted file mode 100644 index 60c79eb10..000000000 --- a/.github/workflows/jimmctl-snap-release.yaml +++ /dev/null @@ -1,16 +0,0 @@ -name: Release jimmctl snap - -on: - workflow_dispatch: - push: - tags: - - 'v3*' - -jobs: - build-and-release: - uses: ./.github/workflows/snap-release.yaml - with: - folder: jimmctl - release-channel: 3/edge - secrets: inherit - diff --git a/.github/workflows/server-oci-release.yaml b/.github/workflows/release-server-rock.yaml similarity index 94% rename from .github/workflows/server-oci-release.yaml rename to .github/workflows/release-server-rock.yaml index ab4d24034..13820b91a 100644 --- a/.github/workflows/server-oci-release.yaml +++ b/.github/workflows/release-server-rock.yaml @@ -1,5 +1,4 @@ -# Publish the OCI image to ghcr -name: Publish server image +name: Release Server ROCK on: # Note that when running via workflow_dispatch, the github.ref_name diff --git a/.github/workflows/release-snaps.yaml b/.github/workflows/release-snaps.yaml new file mode 100644 index 000000000..da9629038 --- /dev/null +++ b/.github/workflows/release-snaps.yaml 
@@ -0,0 +1,32 @@ +name: Release Snaps + +on: + workflow_dispatch: + push: + tags: + - 'v3*' + +jobs: + build-and-release-jimmctl: + uses: ./.github/workflows/snap-release.yaml + with: + folder: jimmctl + release-channel: 3/edge + secrets: inherit + + build-and-release-jaas-plugin: + uses: ./.github/workflows/snap-release.yaml + with: + folder: jaas + release-channel: 3/edge + secrets: inherit + + + build-and-release-jimm-server: + uses: ./.github/workflows/snap-release.yaml + with: + jobs: build # Only build, this snap isn't released to snapcraft + folder: jimm + release-channel: 3/edge # Not used for this snap + secrets: inherit + diff --git a/.github/workflows/snap-release.yaml b/.github/workflows/snap-release.yaml index c6ad178bd..cfc3a49e4 100644 --- a/.github/workflows/snap-release.yaml +++ b/.github/workflows/snap-release.yaml @@ -1,4 +1,6 @@ -name: Release snap +# Release Snap is a composite workflow used within other workflows +# to reuse the logic of building and publishging a snap in one. +name: Release Snap on: workflow_call: diff --git a/.github/workflows/snap.yaml b/.github/workflows/snap.yaml deleted file mode 100644 index 91596ab34..000000000 --- a/.github/workflows/snap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -name: BuildSnap -on: - workflow_call: - workflow_dispatch: -env: - GH_AUTH: ${{ secrets.GH_AUTH }} - GH_USER: ${{ secrets.GH_USER }} - -jobs: - build-snap: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - fetch-tags: true - - run: git fetch --prune - - uses: actions/setup-go@v4 - with: - go-version-file: 'go.mod' - - run: sudo snap install snapcraft --channel=7.x/stable --classic - - run: mkdir -p snap - - run: cp ./snaps/jimm/snapcraft.yaml ./snap/snapcraft.yaml - - run: snapcraft snap --destructive-mode --output jimm.snap - - uses: actions/upload-artifact@v3 - with: - name: jimm-snap - path: ./*.snap - if-no-files-found: error From 0a49ab407926bc4ec997400427f8656e4057a2c4 Mon Sep 17 00:00:00 2001 
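Review bot: All three reusable-workflow calls use `secrets: inherit`, which hands every repository and organisation secret to `snap-release.yaml`, including the `build-and-release-jimm-server` call that the inline comment says only builds and is never released to snapcraft; passing the publish credentials as explicit `secrets:` entries on the two publishing calls and none on the build-only call keeps the secret surface proportional to what each job does. The `jobs: build` input under `with:` reads like a misplaced top-level `jobs:` key; presumably it selects which jobs of `snap-release.yaml` run, but a comment naming the accepted values (or a less overloaded input name in `snap-release.yaml`, outside this hunk) would make that unambiguous. `release-channel: 3/edge` parses as the plain string `3/edge`, so it is correct unquoted.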
From: ale8k Date: Fri, 14 Jun 2024 09:50:49 +0100 Subject: [PATCH 04/15] . --- .github/workflows/ci.yaml | 9 ++++++++- .github/workflows/release-snaps.yaml | 1 - 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 032807fb6..d2b4f7ac1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -44,7 +44,14 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL' + severity: 'LOW' + + # TODO(ale8k): Setup GH security + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results.sarif' + build_test: name: Build and Test diff --git a/.github/workflows/release-snaps.yaml b/.github/workflows/release-snaps.yaml index da9629038..5f5ebf422 100644 --- a/.github/workflows/release-snaps.yaml +++ b/.github/workflows/release-snaps.yaml @@ -21,7 +21,6 @@ jobs: release-channel: 3/edge secrets: inherit - build-and-release-jimm-server: uses: ./.github/workflows/snap-release.yaml with: From e394c50a18e84ef950b6c79e78731cfd0d255e5e Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 09:53:59 +0100 Subject: [PATCH 05/15] . --- .github/workflows/ci.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d2b4f7ac1..97fc57def 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,9 +42,10 @@ jobs: with: scan-type: 'fs' ignore-unfixed: true - format: 'sarif' + format: 'table' # Sarif for uploading output: 'trivy-results.sarif' - severity: 'LOW' + severity: 'LOW,MEDIUM,HIGH,CRITICAL' + exit-code: '1' # TODO(ale8k): Setup GH security # - name: Upload Trivy scan results to GitHub Security tab From b5d8d4b9060fd2280b87f35fd3723a4a73537274 Mon Sep 17 00:00:00 2001 
From: ale8k Date: Fri, 14 Jun 2024 09:57:02 +0100 Subject: [PATCH 06/15] . --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 97fc57def..e9dcc816a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,8 +42,8 @@ jobs: with: scan-type: 'fs' ignore-unfixed: true - format: 'table' # Sarif for uploading - output: 'trivy-results.sarif' + format: 'table' + # output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif severity: 'LOW,MEDIUM,HIGH,CRITICAL' exit-code: '1' From 31e64dd4706c90fe5ad78a14f4f6a13d29715950 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:00:47 +0100 Subject: [PATCH 07/15] . --- .github/workflows/ci.yaml | 108 +++++++++++++++++++------------------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e9dcc816a..6a4ca05c5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -54,58 +54,58 @@ jobs: # sarif_file: 'trivy-results.sarif' - build_test: - name: Build and Test - runs-on: ubuntu-22.04 - timeout-minutes: 45 - needs: [security_scan] - steps: - - uses: actions/checkout@v4 - with: - fetch-tags: true - fetch-depth: 0 - - uses: actions/setup-go@v4 - with: - go-version-file: 'go.mod' - - name: Install dependencies - run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential - - run: sudo snap install juju-db --channel 4.4/stable - - name: Add volume files - run: | - touch ./local/vault/approle.json - touch ./local/vault/roleid.txt - touch ./local/vault/vault.env - - name: Create test certs - run: make certs - - name: Start test environment - run: docker compose up -d --wait - - name: Build and Test - run: go test -mod readonly ./... -timeout 1h -cover - env: - JIMM_DSN: postgresql://jimm:jimm@localhost:5432/jimm - JIMM_TEST_PGXDSN: postgresql://jimm:jimm@localhost:5432/jimm - PGHOST: localhost - PGPASSWORD: jimm - PGSSLMODE: disable - PGUSER: jimm - PGPORT: 5432 + # build_test: + # name: Build and Test + # runs-on: ubuntu-22.04 + # timeout-minutes: 45 + # needs: [security_scan] + # steps: + # - uses: actions/checkout@v4 + # with: + # fetch-tags: true + # fetch-depth: 0 + # - uses: actions/setup-go@v4 + # with: + # go-version-file: 'go.mod' + # - name: Install dependencies + # run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential + # - run: sudo snap install juju-db --channel 4.4/stable + # - name: Add volume files + # run: | + # touch ./local/vault/approle.json + # touch ./local/vault/roleid.txt + # touch ./local/vault/vault.env + # - name: Create test certs + # run: make certs + # - name: Start test environment + # run: docker compose up -d --wait + # - name: Build and Test + # run: go test -mod readonly ./... 
-timeout 1h -cover + # env: + # JIMM_DSN: postgresql://jimm:jimm@localhost:5432/jimm + # JIMM_TEST_PGXDSN: postgresql://jimm:jimm@localhost:5432/jimm + # PGHOST: localhost + # PGPASSWORD: jimm + # PGSSLMODE: disable + # PGUSER: jimm + # PGPORT: 5432 - smoke_test: - name: Smoke Test - runs-on: ubuntu-22.04 - needs: [security_scan] - # The docker compose has a healthcheck on the JIMM container. - # So if the compose returns with exit code 0 then the JIMM server successfully started. - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 - with: - go-version-file: 'go.mod' - - name: Add volume files - run: | - touch ./local/vault/approle.json - touch ./local/vault/roleid.txt - touch ./local/vault/vault.env - - run: go version - - run: go mod vendor - - run: docker compose --profile dev up -d --wait --timestamps + # smoke_test: + # name: Smoke Test + # runs-on: ubuntu-22.04 + # needs: [security_scan] + # # The docker compose has a healthcheck on the JIMM container. + # # So if the compose returns with exit code 0 then the JIMM server successfully started. + # steps: + # - uses: actions/checkout@v4 + # - uses: actions/setup-go@v4 + # with: + # go-version-file: 'go.mod' + # - name: Add volume files + # run: | + # touch ./local/vault/approle.json + # touch ./local/vault/roleid.txt + # touch ./local/vault/vault.env + # - run: go version + # - run: go mod vendor + # - run: docker compose --profile dev up -d --wait --timestamps From 1bab6b4adb4a16b5a85d5b852f0415c77024b371 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:04:40 +0100 Subject: [PATCH 08/15] . --- .github/workflows/ci.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6a4ca05c5..6e3d8b70d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -37,6 +37,10 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 45 steps: + - uses: actions/checkout@v4 + with: + fetch-tags: true + fetch-depth: 0 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.20.0 with: From 90c98d9159a8625fa3a88dbb6cb37350892072d8 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:07:51 +0100 Subject: [PATCH 09/15] . --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6e3d8b70d..6262b026c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -48,7 +48,7 @@ jobs: ignore-unfixed: true format: 'table' # output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif - severity: 'LOW,MEDIUM,HIGH,CRITICAL' + severity: 'CRITICAL' exit-code: '1' # TODO(ale8k): Setup GH security From 94253ac5573a2418643f0189e2e1a12504731c51 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:20:19 +0100 Subject: [PATCH 10/15] . --- .github/workflows/ci.yaml | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6262b026c..ea2fbf448 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,22 +6,6 @@ on: workflow_dispatch: jobs: - # lint: - # runs-on: ubuntu-20.04 - # continue-on-error: true - # steps: - # - uses: actions/checkout@v3 - # - uses: actions/setup-go@v4 - # with: - # go-version-file: 'go.mod' - # - name: golangci-lint - # uses: golangci/golangci-lint-action@v3 - # with: - # # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - # version: latest - # skip-pkg-cache: true - # skip-build-cache: true - check-signed-commits: name: Check signed commits in PR runs-on: ubuntu-latest 
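Review bot: With `severity: 'CRITICAL'`, `ignore-unfixed: true` and `exit-code: '1'`, the scan now fails only on fixable critical findings, and because `output:` is commented out and the SARIF upload is still a TODO, HIGH findings are not surfaced anywhere — they are simply absent from the table. Consider gating on `severity: 'HIGH,CRITICAL'`, or keeping a second non-failing Trivy step that prints the full list until the GitHub Security upload exists. Hiding unfixed vulnerabilities is a deliberate trade-off that deserves a comment next to `ignore-unfixed`, e.g. `# unfixed CVEs are suppressed; re-check when base images or modules update`. The `security_scan` job this step belongs to starts outside the hunk.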
@@ -41,6 +25,10 @@ jobs: with: fetch-tags: true fetch-depth: 0 + + - name: Run govulncheck + uses: golang/govulncheck-action@v1 + - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.20.0 with: From 377d44c3e24a3f27b5ab1e0d5ed54811df79410e Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:28:43 +0100 Subject: [PATCH 11/15] . --- .github/workflows/ci.yaml | 109 +++++++++++++++++++------------------- 1 file changed, 54 insertions(+), 55 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ea2fbf448..1c07ad6de 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
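Review bot: `golang/govulncheck-action@v1` is added with no `with:` block, so it uses the action's default Go toolchain rather than the version pinned in `go.mod`, and, as I recall its defaults, performs its own checkout on top of the `actions/checkout@v4` step directly above it; the action's `go-version-file` and `repo-checkout` inputs address both, `with:` / `  go-version-file: go.mod` / `  repo-checkout: false`. Like the other actions in this file it is referenced by a mutable major tag; a full commit SHA with the version in a trailing comment is the safer pin. The `security_scan` job this step belongs to starts and ends outside the hunk.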
@@ -45,59 +45,58 @@ jobs: # with: # sarif_file: 'trivy-results.sarif' + build_test: + name: Build and Test + runs-on: ubuntu-22.04 + timeout-minutes: 45 + needs: [security_scan] + steps: + - uses: actions/checkout@v4 + with: + fetch-tags: true + fetch-depth: 0 + - uses: actions/setup-go@v4 + with: + go-version-file: 'go.mod' + - name: Install dependencies + run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential + - run: sudo snap install juju-db --channel 4.4/stable + - name: Add volume files + run: | + touch ./local/vault/approle.json + touch ./local/vault/roleid.txt + touch ./local/vault/vault.env + - name: Create test certs + run: make certs + - name: Start test environment + run: docker compose up -d --wait + - name: Build and Test + run: go test -mod readonly ./... -timeout 1h -cover + env: + JIMM_DSN: postgresql://jimm:jimm@localhost:5432/jimm + JIMM_TEST_PGXDSN: postgresql://jimm:jimm@localhost:5432/jimm + PGHOST: localhost + PGPASSWORD: jimm + PGSSLMODE: disable + PGUSER: jimm + PGPORT: 5432 - # build_test: - # name: Build and Test - # runs-on: ubuntu-22.04 - # timeout-minutes: 45 - # needs: [security_scan] - # steps: - # - uses: actions/checkout@v4 - # with: - # fetch-tags: true - # fetch-depth: 0 - # - uses: actions/setup-go@v4 - # with: - # go-version-file: 'go.mod' - # - name: Install dependencies - # run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential - # - run: sudo snap install juju-db --channel 4.4/stable - # - name: Add volume files - # run: | - # touch ./local/vault/approle.json - # touch ./local/vault/roleid.txt - # touch ./local/vault/vault.env - # - name: Create test certs - # run: make certs - # - name: Start test environment - # run: docker compose up -d --wait - # - name: Build and Test - # run: go test -mod readonly ./... 
-timeout 1h -cover - # env: - # JIMM_DSN: postgresql://jimm:jimm@localhost:5432/jimm - # JIMM_TEST_PGXDSN: postgresql://jimm:jimm@localhost:5432/jimm - # PGHOST: localhost - # PGPASSWORD: jimm - # PGSSLMODE: disable - # PGUSER: jimm - # PGPORT: 5432 - - # smoke_test: - # name: Smoke Test - # runs-on: ubuntu-22.04 - # needs: [security_scan] - # # The docker compose has a healthcheck on the JIMM container. - # # So if the compose returns with exit code 0 then the JIMM server successfully started. - # steps: - # - uses: actions/checkout@v4 - # - uses: actions/setup-go@v4 - # with: - # go-version-file: 'go.mod' - # - name: Add volume files - # run: | - # touch ./local/vault/approle.json - # touch ./local/vault/roleid.txt - # touch ./local/vault/vault.env - # - run: go version - # - run: go mod vendor - # - run: docker compose --profile dev up -d --wait --timestamps + smoke_test: + name: Smoke Test + runs-on: ubuntu-22.04 + needs: [security_scan] + # The docker compose has a healthcheck on the JIMM container. + # So if the compose returns with exit code 0 then the JIMM server successfully started. + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v4 + with: + go-version-file: 'go.mod' + - name: Add volume files + run: | + touch ./local/vault/approle.json + touch ./local/vault/roleid.txt + touch ./local/vault/vault.env + - run: go version + - run: go mod vendor + - run: docker compose --profile dev up -d --wait --timestamps From 47ce85d489d2a0625a898cba9960c8d0674ec000 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:29:20 +0100 Subject: [PATCH 12/15] . --- .github/workflows/snap-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snap-release.yaml b/.github/workflows/snap-release.yaml index cfc3a49e4..43ae5d616 100644 --- a/.github/workflows/snap-release.yaml +++ b/.github/workflows/snap-release.yaml 
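Review bot: Both restored jobs keep `needs: [security_scan]`, so every PR's build and smoke test is serialised behind a Trivy run that has `exit-code: '1'` and depends on a fresh vulnerability-database download; a newly published CRITICAL CVE in a dependency, or a transient fetch failure, then blocks test feedback on unrelated PRs. Dropping the two `needs:` lines lets the three jobs run in parallel with independent failure modes, and a branch-protection required check on `security_scan` preserves the same merge gate. The `PGPASSWORD: jimm` and DSN values appear to be credentials for the docker-compose test database; a comment saying so, e.g. `# test-only credentials for the docker compose Postgres`, stops them being mistaken for leaked secrets.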
@@ -1,5 +1,5 @@ # Release Snap is a composite workflow used within other workflows -# to reuse the logic of building and publishging a snap in one. +# to reuse the logic of building and publishing a snap in one. name: Release Snap on: From bb325cf00c8aab6377572294489e538861f5641c Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:34:50 +0100 Subject: [PATCH 13/15] . --- .github/workflows/ci.yaml | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1c07ad6de..afc403bfa 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -21,7 +21,8 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 45 steps: - - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 with: fetch-tags: true fetch-depth: 0 @@ -51,25 +52,35 @@ jobs: timeout-minutes: 45 needs: [security_scan] steps: - - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 with: fetch-tags: true fetch-depth: 0 - - uses: actions/setup-go@v4 + + - name: Setup Go + uses: actions/setup-go@v4 with: go-version-file: 'go.mod' + - name: Install dependencies run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential - - run: sudo snap install juju-db --channel 4.4/stable + + - name: Install juju-db + run: sudo snap install juju-db --channel 4.4/stable + - name: Add volume files run: | touch ./local/vault/approle.json touch ./local/vault/roleid.txt touch ./local/vault/vault.env + - name: Create test certs run: make certs + - name: Start test environment run: docker compose up -d --wait + - name: Build and Test run: go test -mod readonly ./... -timeout 1h -cover env: 
@@ -88,15 +99,19 @@ jobs: # The docker compose has a healthcheck on the JIMM container. # So if the compose returns with exit code 0 then the JIMM server successfully started. steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v4 + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v4 with: go-version-file: 'go.mod' + - name: Add volume files run: | touch ./local/vault/approle.json touch ./local/vault/roleid.txt touch ./local/vault/vault.env - - run: go version - - run: go mod vendor - - run: docker compose --profile dev up -d --wait --timestamps + + - name: Run Smoke Test + run: docker compose --profile dev up -d --wait --timestamps From 0daaa042087802dad87d9254a589bbf10550eb23 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 10:36:17 +0100 Subject: [PATCH 14/15] . --- .github/workflows/ci.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index afc403bfa..8c436839f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -27,8 +27,9 @@ jobs: fetch-tags: true fetch-depth: 0 - - name: Run govulncheck - uses: golang/govulncheck-action@v1 + # TODO(ale8k): Currently hanging forever, not sure why? + # - name: Run govulncheck + # uses: golang/govulncheck-action@v1 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@0.20.0 From 0852928b2f388482774d45242305204476db37b5 Mon Sep 17 00:00:00 2001 From: ale8k Date: Fri, 14 Jun 2024 14:23:54 +0100 Subject: [PATCH 15/15] check signed commits revert --- .github/workflows/check-signed-commits.yaml | 13 +++++++++++++ .github/workflows/ci.yaml | 11 ----------- 2 files changed, 13 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/check-signed-commits.yaml diff --git a/.github/workflows/check-signed-commits.yaml b/.github/workflows/check-signed-commits.yaml new file mode 100644 index 000000000..4265fe5e1 --- /dev/null 
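Review bot: Commenting out the govulncheck step removes the only Go-module vulnerability check in the pipeline behind an open-ended `TODO`, and nothing records when or on what condition it comes back. If the symptom is a hang, a bounded step with `timeout-minutes: 10` and `continue-on-error: true` on the step keeps the check visible and non-blocking while the cause is investigated, and the TODO should point at a tracking issue, e.g. `# TODO(ale8k): re-enable once the hang is understood, see <ISSUE-ID>`. The `security_scan` job this step belongs to starts and ends outside the hunk.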
+++ b/.github/workflows/check-signed-commits.yaml @@ -0,0 +1,13 @@ +name: Check signed commits +on: pull_request_target + +jobs: + check-signed-commits: + name: Check signed commits in PR + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: Check signed commits in PR + uses: 1Password/check-signed-commits-action@v1 \ No newline at end of file diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8c436839f..13b0a1e50 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,21 +1,10 @@ name: CI on: pull_request: - pull_request_target: workflow_call: workflow_dispatch: jobs: - check-signed-commits: - name: Check signed commits in PR - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: write - steps: - - name: Check signed commits in PR - uses: 1Password/check-signed-commits-action@v1 - security_scan: name: Security Scan runs-on: ubuntu-22.04
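Review bot: The new standalone workflow runs on `pull_request_target` with `pull-requests: write`, which is only safe because the job never checks out or executes PR-controlled content; that invariant is not written down, so a later `actions/checkout` with the PR head ref would turn this into a workflow that runs untrusted code with base-repository privileges. A header comment makes the constraint explicit, e.g. `# Runs in the base-repo context (pull_request_target): never check out the PR head or run PR-controlled code in this workflow.` The file is also written without a trailing newline (`\ No newline at end of file`), and `on: pull_request_target` could follow the block `on:` mapping style used in ci.yaml. Moving `pull_request_target` out of ci.yaml, whose jobs build and execute repository code, is the right split.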