kubewarden · flavio · Dec 20, 2022 · Dec 16, 2022 · Dec 16, 2022 · Dec 16, 2022
@@ -0,0 +1,62 @@
+
+categories:
+  - title: '⚠️  Breaking changes'
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  - title: '🚀 Features'
+    labels:
+      - 'kind/enhancement'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'kind/bug'
+  - title: '🧰 Maintenance'
+    labels:
+      - 'kind/chore'
+      - 'area/dependencies'
+
+exclude-labels:
+  - duplicate
+  - invalid
+  - later
+  - wontfix
+  - kind/question
+  - skip-changelog
+
+change-template: '- $TITLE (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+name-template: 'v$RESOLVED_VERSION'
+template: |
+  $CHANGES
+
+autolabeler:
+    # Tag any PR with "!" in the subject as major update. In other words, breaking change
+  - label: 'kind/breaking-change'
+    title: '/.*!:.*/'
+  - label: 'area/dependencies'
+    title: 'chore(deps)'
+  - label: 'kind/enhancement'
+    title: 'feat'
+  - label: 'kind/bug'
+    title: 'fix'
+  - label: 'kind/chore'
+    title: 'chore'
+
+version-resolver:
+  major:
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  minor:
+    labels:
+      - 'kind/minor'
+      - 'kind/feature'
+      - 'kind/enhancement'
+  patch:
+    labels:
+      - 'area/dependencies'
+      - 'kind/patch'
+      - 'kind/fix'
+      - 'kind/bug'
+      - 'kind/chore'
+  default: patch
@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  workflow_call:
+  push:
+  pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  unit_tests:
+    name: Unit tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.19'
+      - run: make unit-tests
+
+  golangci:
+    name: Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '1.19'
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.49.0
@@ -0,0 +1,52 @@
+name: Build container image
+# to depend on other workflows, or provide container image for all branches
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+  push:
+    branches:
+      - "*"
+
+jobs:
+  build:
+    name: Build
+    uses: kubewarden/audit-scanner/.github/workflows/reusable-container-image.yml@main
+    permissions:
+      packages: write
+    with:
+      push-image: true
+
+  sign:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write
+    needs: build
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: sigstore/cosign-installer@main
+      - name: Sign the images
+        run: |
+          cosign sign \
+            ${{needs.build.outputs.repository}}@${{needs.build.outputs.digest}}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - uses: sigstore/cosign-installer@main
+      - name: Sign the SBOM
+        run: |
+          tag=$(echo '${{needs.build.outputs.digest}}' | sed 's/:/-/g')
+          cosign sign \
+            "${{needs.build.outputs.repository}}:$tag.sbom"
+        env:
+          COSIGN_EXPERIMENTAL: 1
@@ -0,0 +1,20 @@
+---
+name: fossa scanning
+on:
+  push:
+    tags:
+    - 'v*'
+    branches:
+    - 'main'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  fossa-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: fossas/[email protected]
+        with:
+          api-key: ${{secrets.FOSSA_API_TOKEN}}
@@ -0,0 +1,32 @@
+name: Scorecards supply-chain security
+on:
+  push:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
@@ -0,0 +1,37 @@
+name: Release Drafter
+
+on:
+  workflow_dispatch:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: release-drafter/release-drafter@v5
+        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
+        # with:
+        #   config-name: my-config.yml
+        #   disable-autolabeler: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,145 @@
+name: audit-scanner release
+on:
+  push:
+    tags:
+    - 'v*'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  ci:
+    uses: kubewarden/audit-scanner/.github/workflows/ci.yml@main
+    permissions: read-all
+
+  container-build:
+    uses: kubewarden/audit-scanner/.github/workflows/container-build.yml@main
+    permissions:
+      id-token: write
+      packages: write
+  release:
+    permissions:
+      id-token: write
+      contents: write
+    name: Create release
+    runs-on: ubuntu-latest
+    needs:
+      - ci
+      - container-build
+    steps:
+      - name: Install Golang
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.19'
+
+      - name: Install the bom command
+        shell: bash
+        run: go install sigs.k8s.io/bom/cmd/[email protected]
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Retrieve tag name
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
+
+      - name: Create SBOM file
+        shell: bash
+        run: |
+          bom generate -n https://kubewarden.io/kubewarden.spdx \
+            --image "ghcr.io/${{github.repository_owner}}/audit-scanner@${{ needs.container-build.outputs.digest }}" \
+            . > audit-scanner-sbom.spdx
+
+      - name: Sign BOM file
+        run: |
+          cosign sign-blob --output-certificate audit-scanner-sbom.spdx.cert \
+            --output-signature audit-scanner-sbom.spdx.sig \
+            audit-scanner-sbom.spdx
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Get latest release tag
+        id: get_last_release_tag
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let release = await github.rest.repos.getLatestRelease({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+            });
+
+            if (release.status  === 200 ) {
+              core.setOutput('old_release_tag', release.data.tag_name)
+              return
+            }
+            core.setFailed("Cannot find latest release")
+
+      - name: Get release ID from the release created by release drafter
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let releases = await github.rest.repos.listReleases({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+            });
+            for (const release of releases.data) {
+              if (release.draft) {
+                      core.info(release)
+                      core.exportVariable('RELEASE_ID', release.id)
+                      return
+              }
+            }
+            core.setFailed(`Draft release not found`)
+
+      - name: Upload release assets
+        id: upload_release_assets
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let fs = require('fs');
+            let files = ['audit-scanner-sbom.spdx', 'audit-scanner-sbom.spdx.cert', 'audit-scanner-sbom.spdx.sig', "CRDS.tar.gz"]
+            const {RELEASE_ID} = process.env
+
+            for (const file of files) {
+              let file_data = fs.readFileSync(file);
+
+              let response = await github.rest.repos.uploadReleaseAsset({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                release_id: `${RELEASE_ID}`,
+                name: file,
+                data: file_data,
+              });
+              // store the crds asset id used it in the helm chart update
+              if (file === "CRDS.tar.gz") {
+                core.setOutput('crds_asset_id', response.data.id)
+              }
+            }
+
+      - name: Publish release
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const {RELEASE_ID} = process.env
+            const {TAG_NAME} = process.env
+            github.rest.repos.updateRelease({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: `${RELEASE_ID}`,
+              draft: false,
+              tag_name: `${TAG_NAME}`,
+              name: `${TAG_NAME}`
+            });
+
+      # TODO
+      # - name: Trigger chart update
+      #   uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588
+      #   with:
+      #     token: ${{ secrets.HELM_CHART_REPO_ACCESS_TOKEN }}
+      #     repository: "${{github.repository_owner}}/helm-charts"
+      #     event-type: update-chart
+      #     client-payload: '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}"}'