Merge branch 'main' into issue_80
VedRatan authored May 31, 2024
2 parents 917f6f3 + 51a0c5b commit a286508
Showing 12 changed files with 200 additions and 83 deletions.
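--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,29 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"
+
+- package-ecosystem: "gomod"
+directory: "/"
+schedule:
+interval: "weekly"
+
+- package-ecosystem: "gomod"
+directory: "/pkg/adapter/nimbus-kubearmor"
+schedule:
+interval: "weekly"
+
+- package-ecosystem: "gomod"
+directory: "/pkg/adapter/nimbus-netpol"
+schedule:
+interval: "weekly"
+
+- package-ecosystem: "gomod"
+directory: "/pkg/adapter/nimbus-kyverno"
+schedule:
+interval: "weekly"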
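Review bot: No `docker` ecosystem entry is configured, so the base images of the Dockerfiles that these workflows build (`Dockerfile` is listed in the path filters of latest-release.yaml and pr-checks.yaml) will never receive Dependabot update PRs, leaving that part of the supply chain unmonitored. Add `- package-ecosystem: "docker"` with `directory: "/"` (and one per adapter directory, matching the gomod entries) on the same weekly schedule. The github-actions entry is the right companion to SHA-pinned action references; it only helps if the workflows actually pin to commits, which the `dorny/[email protected]` references elsewhere in this commit do not.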
42 changes: 0 additions & 42 deletions .github/workflows/latest-charts-release.yaml

This file was deleted.

35 changes: 28 additions & 7 deletions .github/workflows/latest-release.yaml
Expand Up @@ -2,15 +2,10 @@
# Copyright 2023 Authors of Nimbus

name: Latest release

on:
push:
branches:
- main
- "v*"
create:
branches:
- "v*"

permissions: read-all

Expand All @@ -19,21 +14,47 @@ concurrency:
cancel-in-progress: true

jobs:
files-changed:
name: Detect what files changed
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
nimbus: ${{ steps.filter.outputs.nimbus}}
adapters: ${{ steps.filter.outputs.adapters }}
steps:
- uses: actions/checkout@v4
- uses: dorny/[email protected]
id: filter
with:
filters: |
nimbus:
- 'cmd/**'
- 'internal/**'
- 'pkg/processor/**'
- 'Dockerfile'
- 'Makefile'
adapters:
- 'pkg/adapter/**'
release-nimbus-image:
if: github.repository == '5GSEC/nimbus'
needs: files-changed
if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.nimbus == 'true' }}
name: Build and push nimbus image
uses: ./.github/workflows/release-image.yaml
with:
WORKING_DIRECTORY: .
NAME: nimbus
secrets: inherit

release-adapters-image:
if: github.repository == '5GSEC/nimbus'
needs: files-changed
if: ${{ github.repository == '5GSEC/nimbus' && needs.files-changed.outputs.adapters == 'true' }}
strategy:
matrix:
adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]
name: Build and push ${{ matrix.adapters }} adapter's image
uses: ./.github/workflows/release-image.yaml
with:
WORKING_DIRECTORY: ./pkg/adapter/${{ matrix.adapters }}
NAME: ${{ matrix.adapters }}
secrets: inherit
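Review bot: `dorny/[email protected]` in the new files-changed job is pinned to a mutable tag, while this repository's other third-party actions are pinned to a full commit SHA with a version comment (`azure/setup-helm@fe7b79cd… # v4.2.0` in pr-checks.yaml); a moved tag would let arbitrary code run in the job that decides whether images get released. Pin it as `uses: dorny/paths-filter@<commit-sha-for-v3.0.2> # v3.0.2`, and apply the same change to the copy of this job in pr-checks.yaml. Separately, if the `create:` trigger shown in the first hunk is the removed side, a push creating a new `v*` branch will now go through the path filter, whose default comparison base may report no changed files and skip both release jobs — worth confirming against paths-filter's documented push-event behaviour. Minor: `${{ steps.filter.outputs.nimbus}}` is missing the space before `}}` that the `adapters` output has.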
63 changes: 49 additions & 14 deletions .github/workflows/pr-checks.yaml
Expand Up @@ -15,25 +15,51 @@ on:
permissions: read-all

jobs:
files-changed:
name: Detect what files changed
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
nimbus: ${{ steps.filter.outputs.nimbus}}
adapters: ${{ steps.filter.outputs.adapters }}
steps:
- uses: actions/checkout@v4
- uses: dorny/[email protected]
id: filter
with:
filters: |
nimbus:
- 'api/**'
- 'cmd/**'
- 'internal/**'
- 'pkg/processor/**'
- 'tests/controllers/**'
- 'Dockerfile'
- 'Makefile'
adapters:
- 'pkg/adapter/**'
license:
name: License
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Check License Header
uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
uses: apache/skywalking-eyes@3ea9df11bb3a5a85665377d1fd10c02edecf2c40
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

static-checks:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
name: Static checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4

- name: Setup go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version: '1.22'

Expand All @@ -49,14 +75,16 @@ jobs:
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778

go-sec:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
runs-on: ubuntu-latest
permissions:
security-events: write
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Run Gosec Security Scanner
uses: securego/gosec@master
Expand All @@ -65,22 +93,26 @@ jobs:
args: '-no-fail -fmt sarif -out results.sarif ./...'

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif

build-nimbus-image:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' }}
name: Build Nimbus Operator image
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout source code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Build image
run: make docker-build

build-adapters-image:
needs: files-changed
if: ${{ needs.files-changed.outputs.adapters == 'true' }}
strategy:
matrix:
adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno" ]
Expand All @@ -89,13 +121,15 @@ jobs:
timeout-minutes: 20
steps:
- name: Checkout source code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Build image
working-directory: ./pkg/adapter/${{ matrix.adapters }}
run: make docker-build

chainsaw-integration-tests:
integration-tests:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' }}
name: Integration-Test
runs-on: ubuntu-latest
steps:
Expand All @@ -104,7 +138,7 @@ jobs:

- name: Install helm
id: helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}

Expand All @@ -130,16 +164,18 @@ jobs:
- name: Run Tests
run: make integration-test

chainsaw-e2e-tests:
e2e-tests:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
name: E2E-Test
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Install helm
id: helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}

Expand Down Expand Up @@ -179,7 +215,6 @@ jobs:
run: |
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_policies.yaml
- name: Install Nimbus
run: |
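Review bot: Renaming `chainsaw-integration-tests` to `integration-tests` and `chainsaw-e2e-tests` to `e2e-tests` changes the check names that branch-protection rules reference; if the required-status-check list still names the old jobs, every PR will wait on checks that never report, so that list has to be updated with this change. With the new `needs: files-changed` gating, a job skipped by its `if:` still satisfies a required status check, so a PR touching only paths outside the filters passes with no static-checks, go-sec or tests run — acceptable only if that is the intended policy, and it should be stated in a comment above the `files-changed` job. Neither filter covers `.github/workflows/**`, so a workflow-only PR skips linting and gosec entirely; add that glob to the `nimbus` filter if those checks should still run. `dorny/[email protected]` here shares the SHA-pinning concern raised on latest-release.yaml.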
17 changes: 16 additions & 1 deletion .github/workflows/release-image.yaml
Expand Up @@ -11,14 +11,18 @@ on:
description: 'current working directory'
required: true
type: string
NAME:
description: 'app name'
required: true
type: string

jobs:
release-image:
timeout-minutes: 30
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
Expand All @@ -41,6 +45,17 @@ jobs:
echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
fi
- name: Build image
run: make docker-build TAG=${{ steps.tag.outputs.tag }}
working-directory: ${{ inputs.WORKING_DIRECTORY }}

- name: Scan image
uses: anchore/scan-action@v3
with:
image: '5gsec/${{ inputs.NAME }}:${{ steps.tag.outputs.tag }}'
severity-cutoff: critical
output-format: sarif

- name: Build and push image
working-directory: ${{ inputs.WORKING_DIRECTORY }}
run: make docker-buildx TAG=${{ steps.tag.outputs.tag }}
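Review bot: The new `Scan image` step gates on the image produced by `make docker-build`, but the image actually published comes from the separate `make docker-buildx` invocation two steps later; unless the Makefile guarantees both targets yield identical layers (not visible here), the pushed multi-arch image is never the one that was scanned. The SARIF report is also written (`output-format: sarif`) but never uploaded, so everything below the `critical` cutoff is discarded; give the step an `id` and add an upload step that runs even when the scan fails the job, as below. Uploading requires `security-events: write`, and since a called workflow cannot exceed the caller's grant, the `permissions: read-all` in latest-release.yaml would need widening for this job as well. Style: the new `Build image` step orders `run:` before `working-directory:`, the reverse of the neighbouring `Build and push image` step.
```yaml
      - name: Scan image
        id: scan
        uses: anchore/scan-action@v3
        # … unchanged: with: image, severity-cutoff, output-format …

      - name: Upload scan results
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```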