diff --git a/.github/workflows/jenkins-agent-ansible-pr.yaml b/.github/workflows/jenkins-agent-ansible-pr.yaml
index 08afc72ab..5c7b7bd0a 100644
--- a/.github/workflows/jenkins-agent-ansible-pr.yaml
+++ b/.github/workflows/jenkins-agent-ansible-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-ansible/**
 - .github/workflows/jenkins-agent-ansible-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-arachni-pr.yaml b/.github/workflows/jenkins-agent-arachni-pr.yaml
index f308f1f51..106428a34 100644
--- a/.github/workflows/jenkins-agent-arachni-pr.yaml
+++ b/.github/workflows/jenkins-agent-arachni-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-arachni/**
 - .github/workflows/jenkins-agent-arachni-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-argocd-pr.yaml b/.github/workflows/jenkins-agent-argocd-pr.yaml
index 7dcc7b2ff..625835e49 100644
--- a/.github/workflows/jenkins-agent-argocd-pr.yaml
+++ b/.github/workflows/jenkins-agent-argocd-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-argocd/**
 - .github/workflows/jenkins-agent-argocd-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-ci-pr.yaml b/.github/workflows/jenkins-agent-ci-pr.yaml
index 451aaec99..41ec9c988 100644
--- a/.github/workflows/jenkins-agent-ci-pr.yaml
+++ b/.github/workflows/jenkins-agent-ci-pr.yaml
@@ -6,6 +6,10 @@ on:
 paths:
 - _test/kind/**
 - .github/workflows/jenkins-agent-ci-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-conftest-pr.yaml b/.github/workflows/jenkins-agent-conftest-pr.yaml
index acaf46dde..39c589f00 100644
--- a/.github/workflows/jenkins-agent-conftest-pr.yaml
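Review bot: `permissions: read-all` in jenkins-agent-ansible-pr.yaml gives the workflow token read access to every scope, which is broader than a pull-request build usually needs. If the `build` job only checks out the repository and builds an image, `permissions:` followed by `  contents: read` is the tighter default, and the comment above it could then read `# Default token permissions: read repository contents only.`. The `jobs:` section continues outside the hunk, so whether any step reads another scope cannot be confirmed from here. The same line is added to every other `*-pr.yaml` workflow in this commit and at the top of both `*-publish.yaml` workflows, so the point applies to all of them.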
+++ b/.github/workflows/jenkins-agent-conftest-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-conftest/**
 - .github/workflows/jenkins-agent-conftest-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-cosign-pr.yaml b/.github/workflows/jenkins-agent-cosign-pr.yaml
index a8fc2086e..8995457d8 100644
--- a/.github/workflows/jenkins-agent-cosign-pr.yaml
+++ b/.github/workflows/jenkins-agent-cosign-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-cosign/**
 - .github/workflows/jenkins-agent-cosign-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-erlang-pr.yaml b/.github/workflows/jenkins-agent-erlang-pr.yaml
index 5f945d6c5..9122e0101 100644
--- a/.github/workflows/jenkins-agent-erlang-pr.yaml
+++ b/.github/workflows/jenkins-agent-erlang-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-erlang/**
 - .github/workflows/jenkins-agent-erlang-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-golang-pr.yaml b/.github/workflows/jenkins-agent-golang-pr.yaml
index 63b50ced0..eb5626eb9 100644
--- a/.github/workflows/jenkins-agent-golang-pr.yaml
+++ b/.github/workflows/jenkins-agent-golang-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-golang/**
 - .github/workflows/jenkins-agent-golang-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-graalvm-pr.yaml b/.github/workflows/jenkins-agent-graalvm-pr.yaml
index 4bdb21492..925ae907a 100644
--- a/.github/workflows/jenkins-agent-graalvm-pr.yaml
+++ b/.github/workflows/jenkins-agent-graalvm-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-graalvm/**
 - .github/workflows/jenkins-agent-graalvm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-gradle-pr.yaml b/.github/workflows/jenkins-agent-gradle-pr.yaml
index 5b93086bb..5e8bf17d7 100644
--- a/.github/workflows/jenkins-agent-gradle-pr.yaml
+++ b/.github/workflows/jenkins-agent-gradle-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-gradle/**
 - .github/workflows/jenkins-agent-gradle-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-helm-pr.yaml b/.github/workflows/jenkins-agent-helm-pr.yaml
index a571c85dc..7a55d5b0f 100644
--- a/.github/workflows/jenkins-agent-helm-pr.yaml
+++ b/.github/workflows/jenkins-agent-helm-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-helm/**
 - .github/workflows/jenkins-agent-helm-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-hugo-pr.yaml b/.github/workflows/jenkins-agent-hugo-pr.yaml
index b019af9c8..f4511a890 100644
--- a/.github/workflows/jenkins-agent-hugo-pr.yaml
+++ b/.github/workflows/jenkins-agent-hugo-pr.yaml
@@ -5,6 +5,10 @@ on:
 paths:
 - jenkins-agents/jenkins-agent-hugo/**
 - .github/workflows/jenkins-agent-hugo-pr.yaml
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 build:
 env:
diff --git a/.github/workflows/jenkins-agent-image-mgmt-pr.yaml b/.github/workflows/jenkins-agent-image-mgmt-pr.yaml
index ea17540a6..a83288622 100644
--- a/.github/workflows/jenkins-agent-image-mgmt-pr.yaml
+++ b/.github/workflows/jenkins-agent-image-mgmt-pr.yaml
@@ -4,6 +4,10 @@ on: paths: - jenkins-agents/jenkins-agent-image-mgmt/** - .github/workflows/jenkins-agent-image-mgmt-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-image-mgmt-publish.yaml b/.github/workflows/jenkins-agent-image-mgmt-publish.yaml index a02b9b128..f1216eda9 100644 --- a/.github/workflows/jenkins-agent-image-mgmt-publish.yaml +++ b/.github/workflows/jenkins-agent-image-mgmt-publish.yaml @@ -4,6 +4,10 @@ on: paths: - jenkins-agents/jenkins-agent-image-mgmt/version.json - .github/workflows/jenkins-agent-image-mgmt-publish.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: @@ -11,6 +15,8 @@ jobs: image_name: jenkins-agent-image-mgmt REGISTRY: ${{ secrets.REGISTRY_URI }} runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 diff --git a/.github/workflows/jenkins-agent-mongodb-pr.yaml b/.github/workflows/jenkins-agent-mongodb-pr.yaml index 13abc4094..694e8e4c6 100644 --- a/.github/workflows/jenkins-agent-mongodb-pr.yaml +++ b/.github/workflows/jenkins-agent-mongodb-pr.yaml @@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-mongodb/** - .github/workflows/jenkins-agent-mongodb-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-mvn-pr.yaml b/.github/workflows/jenkins-agent-mvn-pr.yaml index b6a13a2b2..5bdc76f2c 100644 --- a/.github/workflows/jenkins-agent-mvn-pr.yaml +++ b/.github/workflows/jenkins-agent-mvn-pr.yaml @@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-mvn/** - .github/workflows/jenkins-agent-mvn-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: 
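Review bot: The job-level `permissions:` block added to the `build` job of jenkins-agent-image-mgmt-publish.yaml replaces the workflow-level `read-all` rather than extending it, so every scope other than `packages` becomes `none` for this job. That includes `contents`, which the `actions/checkout` step right after it needs when the repository is private; adding `contents: read` next to `packages: write` states the job's needs explicitly. `REGISTRY` comes from `secrets.REGISTRY_URI` and the login and push steps are outside the hunk, so if the image goes to an external registry with its own credentials, `packages: write` is probably not needed at all. The same block is added to jenkins-agent-python-publish.yaml.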
diff --git a/.github/workflows/jenkins-agent-npm-pr.yaml b/.github/workflows/jenkins-agent-npm-pr.yaml index 69e24ee7d..4fe56d662 100644 --- a/.github/workflows/jenkins-agent-npm-pr.yaml +++ b/.github/workflows/jenkins-agent-npm-pr.yaml @@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-npm/** - .github/workflows/jenkins-agent-npm-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-python-pr.yaml b/.github/workflows/jenkins-agent-python-pr.yaml index a7c3d819f..8fa3b2671 100644 --- a/.github/workflows/jenkins-agent-python-pr.yaml +++ b/.github/workflows/jenkins-agent-python-pr.yaml @@ -4,6 +4,10 @@ on: paths: - jenkins-agents/jenkins-agent-python/** - .github/workflows/jenkins-agent-python-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-python-publish.yaml b/.github/workflows/jenkins-agent-python-publish.yaml index 1235bf7a5..0773bfab7 100644 --- a/.github/workflows/jenkins-agent-python-publish.yaml +++ b/.github/workflows/jenkins-agent-python-publish.yaml @@ -4,6 +4,10 @@ on: paths: - jenkins-agents/jenkins-agent-python/version.json - .github/workflows/jenkins-agent-python-publish.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: @@ -11,6 +15,8 @@ jobs: image_name: jenkins-agent-python REGISTRY: ${{ secrets.REGISTRY_URI }} runs-on: ubuntu-latest + permissions: + packages: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 diff --git a/.github/workflows/jenkins-agent-ruby-pr.yaml b/.github/workflows/jenkins-agent-ruby-pr.yaml index 44f8c47bb..a51d1733e 100644 --- a/.github/workflows/jenkins-agent-ruby-pr.yaml +++ b/.github/workflows/jenkins-agent-ruby-pr.yaml 
@@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-ruby/** - .github/workflows/jenkins-agent-ruby-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-rust-pr.yaml b/.github/workflows/jenkins-agent-rust-pr.yaml index 29f33e5f3..b0884abd8 100644 --- a/.github/workflows/jenkins-agent-rust-pr.yaml +++ b/.github/workflows/jenkins-agent-rust-pr.yaml @@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-rust/** - .github/workflows/jenkins-agent-rust-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/.github/workflows/jenkins-agent-zap-pr.yaml b/.github/workflows/jenkins-agent-zap-pr.yaml index a352f427e..bb84743bf 100644 --- a/.github/workflows/jenkins-agent-zap-pr.yaml +++ b/.github/workflows/jenkins-agent-zap-pr.yaml @@ -5,6 +5,10 @@ on: paths: - jenkins-agents/jenkins-agent-zap/** - .github/workflows/jenkins-agent-zap-pr.yaml + +# Declare default permissions as read only. +permissions: read-all + jobs: build: env: diff --git a/_test/kind/setup.sh b/_test/kind/setup.sh index 69e3d7dd0..9c1f35615 100755 --- a/_test/kind/setup.sh +++ b/_test/kind/setup.sh @@ -3,7 +3,7 @@ set -euo pipefail AGENT=$1 -JENKINS_CHART_VERSION=${2:-3.11.10} +JENKINS_CHART_VERSION="4.9.1" AGENT_PATH="jenkins-agents/${AGENT}" SCRIPT_DIR=$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}" || realpath "${BASH_SOURCE[0]}")") @@ -61,6 +61,7 @@ then then kind create cluster --config ${SCRIPT_DIR}/kind-config.yaml fi + podman save ${AGENT}:latest | docker load docker tag localhost/${AGENT}:latest ${AGENT}:latest kind load docker-image ${AGENT}:latest 
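Review bot: Replacing `${2:-3.11.10}` with the fixed `"4.9.1"` in _test/kind/setup.sh removes the second positional argument, so a caller that still passes a chart version is silently ignored. `JENKINS_CHART_VERSION="${2:-4.9.1}"` bumps the default and keeps the override. If dropping the override is intended, a comment such as `# Chart version is pinned here; bump together with jenkins-values.yaml` would make that clear. The callers of setup.sh are not visible in this diff.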
@@ -71,13 +72,25 @@ then --for=condition=ready pod \ --selector=app.kubernetes.io/component=controller \ --timeout=90s + # Would like to find a cleaner approach to configure the podTemplate and Jenkins job below TPL_TEMP=$(mktemp -d) JENKINS_AGENT="${AGENT}" envsubst < ${SCRIPT_DIR}/jenkins-podtemplate.yaml > ${TPL_TEMP}/podtemplate.yaml JENKINS_AGENT="${AGENT}" JENKINSFILE=$(sed '2,$s/^/ /' ${AGENT_PATH}/Jenkinsfile.test) envsubst < ${SCRIPT_DIR}/jenkins-casc-config-scripts-template.yaml > ${TPL_TEMP}/jenkins-casc-config-scripts.yaml + # Use Helm to deploy and configure Jenkins helm repo add jenkinsci https://charts.jenkins.io --force-update helm repo update + echo "### Jenkins content will look like... ###" + helm template jenkins \ + --version ${JENKINS_CHART_VERSION} \ + -n jenkins --create-namespace \ + -f ${SCRIPT_DIR}/jenkins-values.yaml \ + -f ${TPL_TEMP}/podtemplate.yaml \ + -f ${TPL_TEMP}/jenkins-casc-config-scripts.yaml \ + jenkinsci/jenkins + + echo "### Jenkins install ###" helm install jenkins \ --version ${JENKINS_CHART_VERSION} \ -n jenkins --create-namespace \ @@ -85,7 +98,12 @@ then -f ${TPL_TEMP}/podtemplate.yaml \ -f ${TPL_TEMP}/jenkins-casc-config-scripts.yaml \ jenkinsci/jenkins - # Make sure Jenkins is available + + kubectl get statefulsets -n jenkins + kubectl describe statefulsets/jenkins -n jenkins + kubectl rollout status statefulsets/jenkins --watch=true --timeout=5m -n jenkins + + # Make sure Jenkins is available echo "### Wait for Jenkins instance to become ready ###" do_until "http://localhost/login" "" 200 300 "Timed out waiting for Jenkins to become ready..." @@ -97,6 +115,7 @@ then echo "Failed to create Jenkins Crumb, exiting..." exit 2 fi + token=$(curl -s http://localhost/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken --data 'newTokenName=foo' --user admin:${secret} -H "Jenkins-Crumb: ${crumb}" --cookie /tmp/cookies | jq -r '.data.tokenValue') if [ -z ${token} ] then 
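Review bot: The added `helm template` call writes every rendered manifest to the job log, including any Secret objects the chart renders and whatever `jenkins-values.yaml` and the generated CasC file contain. Those inputs are not part of this diff, so whether they carry credentials is unknown, but logs of pull-request runs are often readable well beyond the maintainers. Consider gating the dump behind a debug switch, for example `if [[ -n "${DEBUG:-}" ]]; then helm template ...; fi`, or narrowing it with `--show-only` to the templates being debugged. The surrounding `then` block starts and ends outside the hunk.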
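Review bot: `kubectl rollout status ... --timeout=5m` appears to run under `set -euo pipefail` (the first setup.sh hunk header shows it), so a timeout ends the script on that line, presumably before any diagnostics are printed and before the `kind delete cluster` further down, unless a trap outside this diff handles it. The `kubectl describe` above it runs immediately after `helm install`, when the statefulset has only just been created, so it says little about a later failure. Moving the describe into the failure path keeps the useful output: `kubectl rollout status statefulsets/jenkins --watch=true --timeout=5m -n jenkins || { kubectl describe statefulsets/jenkins -n jenkins; exit 1; }`. The enclosing `then` block continues outside the hunk.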
@@ -127,7 +146,9 @@ then sleep 2 let "timeout += 2" done + get_build_logs + JOB_STATUS=$(curl -s http://localhost/job/containers-quickstarts/job/${AGENT}/lastBuild/api/json --user admin:${token} | jq -r '.result') kind delete cluster --name kind if [[ ${JOB_STATUS} != "SUCCESS" ]]