diff --git a/.github/.kodiak.toml b/.github/.kodiak.toml index ded81e43d..b64a5f6fc 100644 --- a/.github/.kodiak.toml +++ b/.github/.kodiak.toml @@ -15,4 +15,4 @@ strip_html_comments = true # default: false always = true # default: false [approve] -auto_approve_usernames = ["1gtm", "tamalsaha"] +auto_approve_usernames = ["tamalsaha", "1gtm", "1gtm-app[bot]"] \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a304a22b1..780db9fd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -73,11 +73,11 @@ jobs: - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0 + uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0 with: version: v0.31.0 config: hack/kubernetes/kind.yaml - image: kindest/node:${{ matrix.k8s }} + node_image: kindest/node:${{ matrix.k8s }} - name: Prepare cluster for testing id: local-path diff --git a/.github/workflows/cve-report.yml b/.github/workflows/cve-report.yml index 5e3d72c80..4bce84393 100644 --- a/.github/workflows/cve-report.yml +++ b/.github/workflows/cve-report.yml 
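Review bot: Adding `1gtm-app[bot]` to `auto_approve_usernames` makes Kodiak approve every PR that login opens, so approval now rests on whoever can mint a token for that App (the `LGTM_APP_CLIENT_ID`/`LGTM_APP_PRIVATE_KEY` secrets used in cve-report.yml and release-tracker.yml in this same commit) rather than on a reviewer. A comment above the line keeps that trust relationship visible, e.g. `# 1gtm-app[bot] = GitHub App acting for the cve-report and release-tracker workflows; keep its App permissions minimal`. The entry is inert unless the string matches the App's actual login exactly — presumably it does, but confirm on the first App-authored PR. The file also loses its trailing newline here (`\ No newline at end of file`); add it back.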
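Review bot: In the new `helm/kind-action` step, `version: v0.31.0` pins the kind binary, not anything Kubernetes-related, yet the line was carried over from the `engineerd/setup-kind` step without a comment and reads like a cluster version next to `node_image`. Suggest `version: v0.31.0  # kind binary version; the Kubernetes version comes from node_image`. The `kindest/node:${{ matrix.k8s }}` tags are unchanged, so they are presumably still ones kind v0.31.0 supports, but confirm, and check that nothing later in the job addresses the cluster by name, since `helm/kind-action` does not default to the cluster name `kind` that the replaced action used.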
@@ -16,33 +16,24 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Set up Go - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: - go-version: '1.25' - - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -x - git config --global user.name "1gtm" - git config --global user.email "1gtm@appscode.com" - git config --global \ - url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \ - "https://github.com" - # git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: installer + permission-contents: write + permission-pull-requests: write - name: Install trivy + env: + TRIVY_VERSION: 0.70.0 run: | - # wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb - # sudo dpkg -i trivy_0.18.3_Linux-64bit.deb - sudo apt-get install -y --no-install-recommends wget apt-transport-https gnupg lsb-release - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install -y --no-install-recommends trivy + curl -fsSL -o trivy.deb "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb" + sudo dpkg -i trivy.deb + rm trivy.deb - name: Install image packer run: | 
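Review bot: The new `Install trivy` step downloads a `.deb` with curl and hands it straight to `sudo dpkg -i` with no integrity check, whereas the apt-repository path it replaces had the package verified by apt against the repository's signing key. Pin the expected digest next to the version and verify it before installing: `TRIVY_DEB_SHA256: "<sha256 of trivy_0.70.0_Linux-64bit.deb>"` in the step's `env` (placeholder), then `echo "${TRIVY_DEB_SHA256}  trivy.deb" | sha256sum -c -` between the `curl` and the `dpkg -i` (or check against the checksum file Trivy publishes alongside each release). Quote the version as `TRIVY_VERSION: "0.70.0"` so a future value such as `1.0` is not retyped by YAML. The `Set up Go` step is dropped in the same hunk; if the following `Install image packer` step (its `run:` body is outside the hunk) builds from source, it now relies on the runner's preinstalled Go.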
@@ -60,13 +51,15 @@ jobs: --src=catalog/editor-charts.yaml \ --src=catalog/feature-charts.yaml \ --src=catalog/reusable-ui-charts.yaml - git add catalog/README.md || true - git commit -s -a -m "Update cve report $(date --rfc-3339=date)" - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: - token: ${{ secrets.LGTM_GITHUB_TOKEN }} + token: ${{ steps.lgtm-app-token.outputs.token }} + commit-message: Update cve report + author: ${{ github.actor }} <${{ github.actor }}@appscode.com> + committer: ${{ github.actor }} <${{ github.actor }}@appscode.com> + signoff: true title: Update cve report branch: update-cve-report delete-branch: true diff --git a/.github/workflows/publish-oci.yml b/.github/workflows/publish-oci.yml index cb836268c..5b93fd6ee 100644 --- a/.github/workflows/publish-oci.yml +++ b/.github/workflows/publish-oci.yml @@ -18,8 +18,7 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Set up QEMU id: qemu 
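Review bot: `author:` and `committer:` in the `Create Pull Request` step are built from `${{ github.actor }}` with a hard-coded `@appscode.com` mailbox, and `signoff: true` then writes a `Signed-off-by` trailer in that person's name; if this workflow runs on a schedule, `github.actor` is presumably whichever user last touched the workflow, so the commit attests a sign-off nobody gave. The removed `git commit -s` did the same but under the fixed `1gtm` identity; use a fixed bot identity here too, e.g. `author: 1gtm-app[bot] <APP-NOREPLY-ADDRESS>` (placeholder), or drop `signoff`. The `--src=` lines at the top belong to a `run:` block that starts outside the hunk.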
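Review bot: `fetch-depth: 0` replaces the shallow clone plus `fetch-tags: true`, which is what the Makefile's `git describe --tags --exact-match` (changed in this same commit) needs, but nothing on the line says why the full history is now required, so the next person trimming CI time will put the shallow fetch back. Suggest `fetch-depth: 0  # full history + tags: the Makefile's git describe needs them`. The same uncommented change appears in the checkout step of release.yml.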
@@ -30,12 +29,20 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.GHCRX_APP_CLIENT_ID }} + private-key: ${{ secrets.GHCRX_APP_PRIVATE_KEY }} + owner: appscode-charts + - name: Log in to the GitHub Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io - username: 1gtm - password: ${{ secrets.LGTM_GITHUB_TOKEN }} + username: ${{ github.actor }} + password: ${{ steps.app-token.outputs.token }} - name: Install Helm 3 run: | @@ -43,9 +50,9 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHART_REPOSITORY: github.com/appscode/charts + GITHUB_USER: 1gtm + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git" cd $RUNNER_WORKSPACE @@ -56,9 +63,8 @@ jobs: - name: Publish OCI charts env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHART_REPOSITORY: github.com/appscode/charts + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | export REGISTRY_0=oci://ghcr.io/appscode-charts ./hack/scripts/update-chart-dependencies.sh diff --git a/.github/workflows/release-tracker.yml b/.github/workflows/release-tracker.yml index 344877c38..e2c1a9407 100644 --- a/.github/workflows/release-tracker.yml +++ b/.github/workflows/release-tracker.yml 
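Review bot: The `Generate GitHub App token` step requests a token for `owner: appscode-charts` with no `repositories:` and no `permission-*` inputs, so it carries every permission of the App across every repository the App is installed on, while the job only logs in to ghcr.io and clones/pushes one charts repository. Narrow it where it is minted: `repositories: <charts-repo-name>` (placeholder) plus `permission-contents: write` and `permission-packages: write`, trimmed to whatever the chart push and the ghcr login actually need — confirm against the App's configured permissions. `CHART_REPOSITORY` also moves into a secret in the following hunks; a repository path is not sensitive, and masking it hides useful context from failed-run logs, so a `vars.` repository variable would serve better unless there is a reason I cannot see here.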
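Review bot: The `Clone charts repository` step pairs the App token with a hard-coded `GITHUB_USER: 1gtm`, while the ghcr login in the previous hunk pairs the same token with `username: ${{ github.actor }}`; one job now presents two different identities for one credential, which makes audit logs confusing and suggests one of the two is a leftover. Pick one fixed value for both, e.g. `GITHUB_USER: 1gtm` and `username: 1gtm` (the App login or `x-access-token` would do equally, as long as it is the same). The unchanged `url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git"` still embeds the token in the clone URL, so it lands in the checkout's `.git/config`; the rest of the step is outside the hunk.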
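Review bot: `GITHUB_USER` is removed from the `Publish OCI charts` step's `env` while the other variables are kept; if `hack/scripts/update-chart-dependencies.sh` or anything after it in the `run:` block (outside the hunk) still reads `GITHUB_USER`, it now sees an empty value. I cannot see the scripts from here, so this is only a check to make; a one-line comment such as `# GITHUB_USER intentionally not set: the publish scripts authenticate with the token alone` would record the decision once confirmed.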
@@ -11,32 +11,24 @@ concurrency: jobs: build: + if: github.event.pull_request.merged == true runs-on: ubuntu-24.04 - permissions: - contents: write steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - name: Prepare git - env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - git config --global user.name "${GITHUB_USER}" - git config --global user.email "${GITHUB_USER}@appscode.com" - git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git - - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin + - name: Generate LGTM App token + id: lgtm-app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + client-id: ${{ secrets.LGTM_APP_CLIENT_ID }} + private-key: ${{ secrets.LGTM_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: CHANGELOG + permission-pull-requests: write - name: Update release tracker - if: | - github.event.action == 'closed' && - github.event.pull_request.merged == true env: GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.lgtm-app-token.outputs.token }} run: | ./hack/scripts/update-release-tracker.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e5bbdc26b..72a0f4a5a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
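Review bot: Deleting the job-level `permissions:` block leaves the default `GITHUB_TOKEN` for this job at the repository's default permission set, which may still be write-all depending on repository settings, even though the job now only needs the App token for writes; keep the block and shrink it instead, `permissions:` / `  contents: read` (the checkout runs before the App token exists, so read on contents is the practical minimum). The App token is minted with `permission-pull-requests: write` on `CHANGELOG` only, and `update-release-tracker.sh` ends in `gh api "$api_url" -f body=...`; if `api_url` is an issue-comment endpoint rather than a pull-request one, that call needs `permission-issues: write` instead. The job-level `if: github.event.pull_request.merged == true` is equivalent to the removed step-level check, since `merged` is only ever true on the closing event.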
@@ -15,17 +15,13 @@ jobs: build: name: Build runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Check out code into the Go module directory uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: - fetch-depth: 1 - fetch-tags: true - - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin + fetch-depth: 0 - name: Install Helm 3 run: | @@ -33,8 +29,8 @@ jobs: - name: Clone charts repository env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_USER: 1gtm + GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | url="https://${GITHUB_USER}:${GITHUB_TOKEN}@${CHART_REPOSITORY}.git" @@ -46,8 +42,7 @@ jobs: - name: Package env: - GITHUB_USER: ${{ github.actor }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }} CHART_REPOSITORY: ${{ secrets.CHART_REPOSITORY }} run: | ./hack/scripts/update-chart-dependencies.sh diff --git a/.github/workflows/sync-gcp-mp.yml b/.github/workflows/sync-gcp-mp.yml index 2e602576e..60deffd8c 100644 --- a/.github/workflows/sync-gcp-mp.yml +++ b/.github/workflows/sync-gcp-mp.yml @@ -41,7 +41,7 @@ jobs: gcloud auth configure-docker us-docker.pkg.dev - name: Log into GHCR - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: 1gtm diff --git a/.github/workflows/update-local-repo.yaml b/.github/workflows/update-local-repo.yml similarity index 90% rename from .github/workflows/update-local-repo.yaml rename to .github/workflows/update-local-repo.yml index ecdcdd2ba..9b04d6a11 100644 --- a/.github/workflows/update-local-repo.yaml +++ b/.github/workflows/update-local-repo.yml 
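Review bot: `permissions: contents: write` is added at job level for the default `GITHUB_TOKEN`, but nothing visible in this hunk or the next two uses that token — they authenticate with `LGTM_GITHUB_TOKEN` — so the consumer is presumably a later step (a `gh release` call, outside the hunk) and the line should say so: `contents: write  # needed by the <step name> step to publish the release` (placeholder). Without that, the next reader cannot tell whether the grant is live or a leftover from the removed `hub` setup. Removing the `Install GitHub CLI` step is fine on GitHub-hosted Ubuntu images where `gh` is preinstalled; if this job ever moves to a self-hosted runner the `gh pr create`/`gh api` calls in `hack/scripts` will need it installed again.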
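Review bot: The `Clone charts repository` step (and the `Package` step in the next hunk) switches to the long-lived `secrets.LGTM_GITHUB_TOKEN` PAT, while publish-oci.yml in this same commit moves the equivalent clone to a short-lived App installation token; two workflows doing the same push to `CHART_REPOSITORY` now rely on different credentials, and the PAT is the one with no per-run scoping or expiry. If the PAT is only kept here because the release job runs on tags rather than on a PR, a comment saying so would stop the next cleanup from guessing; otherwise mint the App token here as publish-oci.yml does and pass `${{ steps.app-token.outputs.token }}` in both steps. `GITHUB_USER` is dropped from the `Package` step's env in the next hunk, so check that the scripts it runs do not read it.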
@@ -35,11 +35,6 @@ jobs: chmod +x uibuilder-tools sudo mv ./uibuilder-tools /usr/local/bin/uibuilder-tools - - name: Install GitHub CLI - run: | - curl -fsSL https://github.com/github/hub/raw/master/script/get | bash -s 2.14.1 - sudo mv bin/hub /usr/local/bin - - name: Prepare git env: GITHUB_USER: ${{ github.actor }} diff --git a/Makefile b/Makefile index 52f6b53dd..2eb4848d4 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,7 @@ API_GROUPS ?= installer:v1alpha1 # This version-strategy uses git tags to set the version string git_branch := $(shell git rev-parse --abbrev-ref HEAD) -git_tag := $(shell git describe --exact-match --abbrev=0 2>/dev/null || echo "") +git_tag := $(shell git describe --tags --exact-match --abbrev=0 2>/dev/null || echo "") commit_hash := $(shell git rev-parse --verify HEAD) commit_timestamp := $(shell date --date="@$$(git show -s --format=%ct)" --utc +%FT%T) diff --git a/hack/scripts/open-pr.sh b/hack/scripts/open-pr.sh index 679da9899..c769c706f 100755 --- a/hack/scripts/open-pr.sh +++ b/hack/scripts/open-pr.sh @@ -36,7 +36,7 @@ pr_branch=${GITHUB_REPOSITORY}@${GITHUB_SHA:0:8} git checkout -b $pr_branch git commit -a -s -m "Update crds for $pr_branch" git push -u origin HEAD -hub pull-request \ - --labels automerge \ - --message "Update crds for $pr_branch" \ - --message "$(git show -s --format=%b)" +gh pr create \ + --label automerge \ + --title "Update crds for $pr_branch" \ + --body "$(git show -s --format=%b)" diff --git a/hack/scripts/trigger.sh b/hack/scripts/trigger.sh index f39f30c3c..ae4c87c6d 100755 --- a/hack/scripts/trigger.sh +++ b/hack/scripts/trigger.sh @@ -60,7 +60,7 @@ git checkout -b $PR_BRANCH git add --all git commit -a -s -m "$COMMIT_MSG" -m "/skip-trigger" git push -u origin HEAD -hub pull-request \ - --labels automerge \ - --message "$COMMIT_MSG" \ - --message "$(git show -s --format=%b)" +gh pr create \ + --label automerge \ + --title "$COMMIT_MSG" \ + --body "$(git show -s --format=%b)" 
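Review bot: Adding `--tags` to `git describe --exact-match` changes which tags set `git_tag`: lightweight tags now count, where before only annotated tags did, so any lightweight tag pointing at HEAD becomes the build's version string. Combined with the `fetch-depth: 0` checkouts introduced in this commit that is presumably the intent, but it also means a stray or unprotected tag on the release commit is enough to stamp a release; confirm that tag creation is restricted. A comment keeps the choice deliberate: `# --tags: lightweight tags count as well as annotated ones`.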
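Review bot: `gh pr create` authenticates from the `GH_TOKEN`/`GITHUB_TOKEN` environment, which the calling workflows export as `GITHUB_TOKEN`; the removed `hub` read the same variable, so this works only while every caller keeps setting it, and when it is missing `gh` fails with an interactive-login message that is hard to trace back from CI logs. A guard near the top of the script (outside the hunk), `: "${GITHUB_TOKEN:?GITHUB_TOKEN or GH_TOKEN must be set for gh}"`, fails early with a clear reason. `--body "$(git show -s --format=%b)"` passes an empty string when the commit has no body, which `gh` accepts. The same change is in hack/scripts/trigger.sh.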
diff --git a/hack/scripts/update-release-tracker.sh b/hack/scripts/update-release-tracker.sh index 181aebfca..12fee4000 100755 --- a/hack/scripts/update-release-tracker.sh +++ b/hack/scripts/update-release-tracker.sh @@ -69,4 +69,4 @@ case $GITHUB_BASE_REF in ;; esac -hub api "$api_url" -f body="$msg" +gh api "$api_url" -f body="$msg"
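Review bot: `gh api "$api_url" -f body="$msg"` sends a POST only because `gh api` switches from GET to POST whenever `-f`/`-F` fields are given, the same implicit rule the old `hub api` followed; since the method is not spelled out, a comment above the line avoids a future reader "fixing" it, e.g. `# -f fields make gh api POST; auth comes from GITHUB_TOKEN/GH_TOKEN in the env`. The token release-tracker.yml exports for this script is minted with only `permission-pull-requests: write` on `CHANGELOG`, so `api_url` (built above the hunk) must resolve to a pull-request endpoint in that repository for the call to succeed.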