diff --git a/.github/workflows/ci-docs-shim.yaml b/.github/workflows/ci-docs-shim.yaml index 0c62b88c..4bb9ae6d 100644 --- a/.github/workflows/ci-docs-shim.yaml +++ b/.github/workflows/ci-docs-shim.yaml @@ -1,4 +1,4 @@ -name: CI Docs Shim +name: CI Doc Shim on: pull_request: @@ -6,15 +6,14 @@ on: types: [milestoned, opened, synchronize] jobs: - run-test: + validate: name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: "ubuntu-latest" - timeout-minutes: 20 strategy: matrix: - flavor: [upstream, registry1] type: [install, upgrade] - steps: - - name: Shim for ${{ matrix.type }} ${{ matrix.flavor }} - run: | - echo "Documentation-only change detected; marking ${{ matrix.type }} ${{ matrix.flavor }} as successful." + flavor: [upstream, registry1, unicorn] + uses: defenseunicorns/uds-common/.github/workflows/callable-ci-docs-shim.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + flavor: ${{ matrix.flavor }} + type: ${{ matrix.type }} + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 6c55a9a2..e8fb8af6 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,4 +1,4 @@ -name: Metadata +name: PR Title Check on: pull_request: @@ -7,5 +7,4 @@ on: jobs: validate: - name: Validate - uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 + uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 83357f71..da1fa447 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
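Review bot: `secrets: inherit` on the new `validate` job in ci-docs-shim.yaml forwards every repository and organization secret to the called workflow, while the shim it replaces only ran an `echo` and used no secrets. Unless `callable-ci-docs-shim.yaml` declares secret inputs (not visible here), the line can be dropped; if it does need particular secrets, passing them by name under `secrets:` keeps the docs-only path at the narrowest grant. The job also loses `timeout-minutes: 20`; that key is not accepted on a job that `uses` a reusable workflow, so the limit now has to be enforced inside the callable workflow, which is worth confirming.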
@@ -1,35 +1,13 @@ -name: Scan +name: Lint on: # This workflow is triggered on pull requests to the main branch. pull_request: branches: [main] - types: [milestoned, opened, synchronize] + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] jobs: validate: - runs-on: ubuntu-latest - name: Lint - permissions: - contents: read # Allows reading the repo contents - - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - - - name: Install lint deps - run: | - uds run lint:deps - - - name: Lint the repository - run: | - uds run lint:yaml + uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + secrets: inherit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 00000000..ead8a14a --- /dev/null +++ b/.github/workflows/release.yaml 
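Review bot: The rewritten `validate` job drops the explicit `permissions:` block (`contents: read`) that the old job declared, so the GITHUB_TOKEN handed to the called workflow now carries the repository's default permissions, which can be read-write depending on repository settings; a caller can only narrow what a reusable workflow receives, so the narrowing belongs here. Restoring `permissions:` / `  contents: read` on the job keeps the lint run at its previous scope. `secrets: inherit` is defensible given the removed setup step consumed `IRON_BANK_ROBOT_USERNAME`, `IRON_BANK_ROBOT_PASSWORD` and `GITHUB_TOKEN`, but listing those under `secrets:` by name would document which ones lint actually needs and stop any later-added secret from flowing through implicitly.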
@@ -0,0 +1,46 @@ +name: Release + +on: + push: + branches: + - main + +# Permissions for the GITHUB_TOKEN used by the workflow. +permissions: + contents: read # Allows reading the content of the repository. + packages: read # Allows reading the content of the repository's packages. + id-token: write + +jobs: + tag-new-version: + permissions: write-all + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release-flag.outputs.release_created }} + steps: + - name: Create Release Tag + id: tag + uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 + - id: release-flag + run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT" + + publish: + permissions: + contents: read # Allows reading the content of the repository. + packages: write # Allows reading the content of the repository's packages. + id-token: write + needs: tag-new-version + if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + architecture: [amd64, arm64] + exclude: + - flavor: registry1 + architecture: arm64 + uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + flavor: ${{ matrix.flavor }} + runsOn: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'uds-swf-ubuntu-big-boy-4-core' }} + reports-path: "tests/.playwright/reports/" + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 557b01eb..fd722716 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
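Review bot: `tag-new-version` sets `permissions: write-all`, which replaces the read-mostly workflow-level block declared just above it and grants write on every scope, although release-please only needs `contents: write` and `pull-requests: write`; replacing the line with `permissions:` / `  contents: write` / `  pull-requests: write` keeps release tagging at the minimum. The comment on `packages: write` in the `publish` job reads `# Allows reading the content of the repository's packages.`, which describes the wrong permission; `# Allows pushing packages to the repository's registry.` matches what the job does. The `release-flag` step interpolates `${{ steps.tag.outputs.release_created || false }}` straight into the shell line; the value comes from a pinned action and is boolean-shaped, so the exposure is low, but passing it through `env:` is the usual way to keep expression output out of the shell parser.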
@@ -11,40 +11,23 @@ on: permissions: read-all jobs: - analysis: - name: Scorecards analysis - runs-on: ubuntu-latest + validate: permissions: + actions: read + attestations: read + checks: read + contents: read + deployments: read + discussions: read + issues: read + packages: read + pages: read + pull-requests: read + repository-projects: read + statuses: read # Needed to upload the results to code-scanning dashboard. security-events: write # Used to receive a badge. id-token: write - - steps: - - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 - with: - results_file: results.sarif - results_format: sarif - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 - with: - sarif_file: results.sarif + uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + secrets: inherit diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml deleted file mode 100644 index 05452ed9..00000000 --- a/.github/workflows/tag-and-release.yaml +++ /dev/null 
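Review bot: `secrets: inherit` replaces the single `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` the removed step passed, so every repository secret now flows into `callable-scorecard.yaml` when only one appears to be needed; if the callable workflow declares that secret as an input, `secrets:` / `  SCORECARD_READ_TOKEN: ${{ secrets.SCORECARD_READ_TOKEN }}` is the narrower form. The removed checkout used `persist-credentials: false`, which scorecard recommends, and whether the reusable workflow keeps that setting cannot be confirmed from this hunk. The long list of explicit `read` scopes added under `validate` is correct but unexplained: a job-level `permissions` block replaces the workflow-level `permissions: read-all` rather than merging with it, so a comment such as `# Job-level permissions replace the workflow-level read-all; read scopes are restated so only security-events and id-token are elevated.` would record why they are enumerated.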
@@ -1,62 +0,0 @@ -name: Publish UDS Package Sonarqube - -on: - push: - branches: - - main - -jobs: - tag-new-version: - name: Tag New Version - permissions: write-all - runs-on: ubuntu-latest - outputs: - release_created: ${{ steps.release-flag.outputs.release_created }} - steps: - - name: Create release tag - id: tag - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 - - id: release-flag - run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT - - publish-package: - needs: tag-new-version - if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} - runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'uds-swf-ubuntu-big-boy-4-core' }} - strategy: - matrix: - flavor: [upstream, unicorn, registry1] - architecture: [amd64, arm64] - exclude: - - flavor: registry1 - architecture: arm64 - name: Publish ${{ matrix.flavor }} ${{ matrix.architecture }} - - permissions: - contents: read - packages: write - id-token: write - - steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - - name: Publish Package - run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }} --no-progress - - - name: Debug Output - if: ${{ always() }} - uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - - - name: Save logs - if: always() - uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - suffix: ${{ matrix.flavor }}-${{ matrix.architecture }}-${{ 
github.run_id }}-${{ github.run_attempt }} diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 5cabc7ad..6800edd8 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -1,82 +1,57 @@ name: Test on: + # This workflow is triggered on pull requests to the main branch. pull_request: branches: [main] - types: [milestoned, opened, synchronize] + # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow). + types: [milestoned, opened, reopened, synchronize] paths-ignore: - "**.md" - "**.jpg" - "**.png" - "**.gif" - "**.svg" - - "adr/**" - - "docs/**" - - ".gitignore" - - "renovate.json" - - ".release-please-config.json" - - "release-please-config.json" - - "oscal-component.yaml" - - "CODEOWNERS" - - "LICENSE" - - "CONTRIBUTING.md" - - "SECURITY.md" + - adr/** + - docs/** + - .gitignore + - renovate.json + - .release-please-config.json + - release-please-config.json + - CODEOWNERS + - LICENSE + - CONTRIBUTING.md + - SECURITY.md # Abort prior jobs in the same workflow / PR concurrency: group: test-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - id-token: write - jobs: - run-test: - name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: uds-swf-ubuntu-big-boy-4-core - timeout-minutes: 20 - strategy: - matrix: - flavor: [upstream, unicorn, registry1] - type: [install, upgrade] - # do not run upgrade tests for unicorn - # TODO @marshall: remove after first unicorn release - exclude: - - flavor: unicorn - type: upgrade - + check-flavor: + runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Environment setup - uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} - registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} - ghToken: ${{ secrets.GITHUB_TOKEN }} - chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - name: Test - 
uses: defenseunicorns/uds-common/.github/actions/test@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - flavor: ${{ matrix.flavor }} - type: ${{ matrix.type }} + - name: test-flavor + uses: defenseunicorns/uds-common/.github/actions/test-flavor@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + id: test-flavor + outputs: + upgrade-flavors: ${{ steps.test-flavor.outputs.upgrade-flavors }} - - name: Debug Output - if: ${{ always() }} - uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - - - name: Save logs - if: always() - uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0 - with: - suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }} - - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - if: always() - with: - name: playwright-report-${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }} - path: tests/.playwright/reports/ - retention-days: 30 + validate: + needs: check-flavor + strategy: + fail-fast: false + matrix: + type: [install, upgrade] + flavor: [upstream, unicorn, registry1] + uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@86886015d1edc43036b3dd000fbd972a384beb8f # v1.0.0 + with: + upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }} + flavor: ${{ matrix.flavor }} + type: ${{ matrix.type }} + reports-path: "tests/.playwright/reports/" + secrets: inherit # Inherits all secrets from the parent workflow. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 75e11f8d..00000000 --- a/.pre-commit-config.yaml +++ /dev/null 
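Review bot: The workflow-level `permissions:` block (`contents: read`, `id-token: write`) is removed and nothing replaces it, so both the new `check-flavor` job, which runs `actions/checkout`, and the `validate` reusable-workflow job now receive the repository's default GITHUB_TOKEN permissions instead of an explicit read-only grant. Restoring `permissions:` / `  contents: read` / `  id-token: write` at the top of the file keeps the previous scope; `id-token: write` is only needed if the callable workflow authenticates via OIDC, which cannot be confirmed here. `check-flavor` has no `timeout-minutes`, while the replaced `run-test` job had `timeout-minutes: 20`; a short limit on a checkout-plus-one-action job costs nothing. The `paths-ignore` list now mixes quoted (`"**.md"`) and unquoted (`adr/**`, `.gitignore`) entries; the unquoted ones parse as plain strings, but quoting them consistently avoids a future entry that starts with `*` being read as a YAML alias.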
@@ -1,53 +0,0 @@ -repos: - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 - hooks: - - id: check-added-large-files - args: ["--maxkb=1024"] - - id: check-merge-conflict - - id: detect-aws-credentials - args: - - "--allow-missing-credentials" - - id: detect-private-key - exclude: | - (?x)^( - kustomizations/bigbang/environment-bb/values-bigbang.enc.yaml - )$ - - id: end-of-file-fixer - exclude: "^kustomizations/bigbang/vendor/.*$" - - id: fix-byte-order-marker - - id: trailing-whitespace - exclude: "^kustomizations/bigbang/vendor/.*$" - args: [--markdown-linebreak-ext=md] - - id: check-yaml - exclude: | - (?x)^( - charts/raw/templates/resources.yaml - )$ - args: - - "--allow-multiple-documents" - - repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 - hooks: - - id: fix-smartquotes - - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.1 - hooks: - - id: check-jsonschema - name: "Validate Zarf Configs Against Schema" - files: "zarf.yaml" - types: [yaml] - args: - [ - "--schemafile", - "https://raw.githubusercontent.com/defenseunicorns/zarf/v0.37.0/zarf.schema.json", - "--no-cache" - ] - - repo: https://github.com/golangci/golangci-lint - rev: v1.59.1 - hooks: - - id: golangci-lint - - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 38.13.0 - hooks: - - id: renovate-config-validator diff --git a/commitlint.config.js b/commitlint.config.js deleted file mode 100644 index 8567d51d..00000000 --- a/commitlint.config.js +++ /dev/null @@ -1 +0,0 @@ -module.exports = { extends: ["@commitlint/config-conventional"] }; \ No newline at end of file diff --git a/release-please-config.json b/release-please-config.json index f6ba8517..3a9daae2 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -15,7 +15,7 @@ "prerelease-type": "uds", "extra-files": [ "bundle/uds-bundle.yaml", - "tasks/publish.yaml", + "tasks.yaml", "zarf.yaml" ] } 
diff --git a/src/monitoring-image/curl.sh b/src/monitoring-image/curl.sh
index b0741521..0e0bebaf 100755
--- a/src/monitoring-image/curl.sh
+++ b/src/monitoring-image/curl.sh
@@ -2,6 +2,6 @@
 set -e
-cp /jmx_prometheus_javaagent-$JMX_PROMETHEUS_PLUGIN_VERSION.jar /data/jmx_prometheus_javaagent.jar
+cp "/jmx_prometheus_javaagent-$JMX_PROMETHEUS_PLUGIN_VERSION.jar" /data/jmx_prometheus_javaagent.jar
 echo "finished loading jmx prometheus plugin"
diff --git a/tasks.yaml b/tasks.yaml
index 96ff84ea..fa51d7dc 100644
--- a/tasks.yaml
+++ b/tasks.yaml
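Review bot: Quoting the source path fixes word splitting, but with only `set -e` an unset `JMX_PROMETHEUS_PLUGIN_VERSION` still expands to `/jmx_prometheus_javaagent-.jar` and `cp` fails with a file-not-found message that hides the real cause. Adding `: "${JMX_PROMETHEUS_PLUGIN_VERSION:?must be set}"` before the `cp`, or `set -eu` in place of `set -e`, makes the missing variable fail fast with its name in the error. The script's first line is outside the hunk.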
@@ -2,67 +2,82 @@ includes: - cleanup: ./tasks/cleanup.yaml - dependencies: ./tasks/dependencies.yaml - test: ./tasks/test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml - - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/lint.yaml - - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/pull.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/create.yaml + - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/lint.yaml + - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/pull.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/deploy.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/setup.yaml + - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/actions.yaml + - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/badge.yaml + - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/upgrade.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.0.0/tasks/compliance.yaml tasks: - name: default description: Create K3D Cluster with UDS-Core (Dev) and SonarQube actions: - - task: create-sq-test-bundle + - task: create-dev-package - task: setup:k3d-test-cluster - - task: deploy:test-bundle + - task: create-deploy-test-bundle - - name: create-sq-package + - name: create-dev-package description: Create the SonarQube package actions: - task: create:package with: options: "--skip-sbom" - - name: create-sq-test-bundle - description: Create a local UDS SonarQube bundle - 
actions: - - task: create-sq-package - - task: dependencies:create - - task: create:test-bundle - - - name: create-sq-latest-release-bundle - description: Create UDS SonarQube bundle based on the latest release + - name: create-deploy-test-bundle + description: Test and validate cluster is deployed with SonarQube actions: - - task: pull:latest-package-release - with: - spoof_release: "true" - task: dependencies:create - task: create:test-bundle + - task: deploy:test-bundle + - task: setup:create-doug-user + - task: test:all - name: dev description: Create and deploy the bundle against an existing cluster actions: - - task: create-sq-test-bundle + - task: create-dev-package + - task: create:test-bundle - task: deploy:test-bundle -# CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names +# CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names - name: test-package description: Test the health of a SonarQube deployment actions: - - task: create-sq-test-bundle + - task: create-dev-package - task: setup:k3d-test-cluster - - task: deploy:test-bundle - - task: setup:create-doug-user - - task: test:all + - task: create-deploy-test-bundle + - task: compliance:validate - name: test-upgrade description: Test an upgrade from the latest released package to the current branch actions: - - task: create-sq-latest-release-bundle + - task: upgrade:create-latest-tag-bundle + with: + dep_commands: ./uds run dependencies:create - task: setup:k3d-test-cluster - task: deploy:test-bundle - task: setup:create-doug-user - - task: create-sq-test-bundle - - task: deploy:test-bundle - - task: test:all + - task: compliance:validate + - task: create-dev-package + - task: create-deploy-test-bundle + - task: compliance:validate + - task: compliance:evaluate + + - name: publish-package + description: Build and publish the packages + actions: + - task: 
actions:determine-arch + - task: create:package + - task: setup:k3d-test-cluster + - task: create-deploy-test-bundle + - description: Publish the package + task: publish:package + with: + # x-release-please-start-version + version: "10.6.0-uds.1" + # x-release-please-end diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml index db1acbcf..e04371df 100644 --- a/tasks/dependencies.yaml +++ b/tasks/dependencies.yaml @@ -2,4 +2,4 @@ tasks: - name: create description: Create the Dependency Zarf Package(s) actions: - - cmd: uds zarf package create src/namespace/ --confirm --no-progress --architecture=${UDS_ARCH} --skip-sbom + - cmd: uds zarf package create src/namespace/ --confirm --no-progress --architecture="${UDS_ARCH}" --skip-sbom diff --git a/tasks/publish.yaml b/tasks/publish.yaml deleted file mode 100644 index af34ecbc..00000000 --- a/tasks/publish.yaml +++ /dev/null @@ -1,26 +0,0 @@ -includes: - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml - - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/publish.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml - - dependencies: ./dependencies.yaml - - test: ./test.yaml - -tasks: - - name: package - description: Build and publish the packages - actions: - - task: create:package - - task: dependencies:create - - task: create:test-bundle - - task: setup:k3d-test-cluster - - task: deploy:test-bundle - - task: setup:create-doug-user - - task: test:all - - - description: Publish the packages - task: publish:package - with: - # x-release-please-start-version - version: "10.6.0-uds.1" - # x-release-please-end
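Review bot: `publish-package` runs `create-deploy-test-bundle` and then publishes, but unlike `test-package` it never runs `compliance:validate`, so a package can be published that the pull-request path would have flagged; if the compliance check is meant to gate releases, add `- task: compliance:validate` after the `create-deploy-test-bundle` step. `test-upgrade` invokes `compliance:validate` twice, once against the released bundle and once against the dev bundle, which looks intentional and would read better with a comment such as `# validate compliance before and after the upgrade`. The `dep_commands: ./uds run dependencies:create` value uses a repo-relative `./uds` while `tasks/dependencies.yaml` calls `uds` from PATH; worth confirming the upgrade task expects the relative binary, since the step fails when no `./uds` exists in the working directory.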