Skip to content

Commit

Permalink
initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@Arvind644
Arvind644 committed May 8, 2023
0 parents commit 4c8ec4b
Show file tree
Hide file tree
Showing 25 changed files with 1,575 additions and 0 deletions.
6 changes: 6 additions & 0 deletions .cr.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
---
# cr.yaml
# Set to true for GPG signing
sign: true
# UID of the GPG key to use
key: Steve Taylor
17 changes: 17 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
- package-ecosystem: "gomod" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"

- package-ecosystem: "docker" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"
27 changes: 27 additions & 0 deletions .github/linters/.golangci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
---
# See https://github.com/golangci/golangci-lint#config-file
run:
issues-exit-code: 1
tests: false

linters:
enable:
- misspell
- gofmt
- gosec
- unconvert
- gocyclo
- goconst
- goimports
- gocritic
- typecheck

linters-settings:
misspell:
locale: US
ignore-words:
- cancelled

max-issues-per-linter: 0
max-same-issues: 0
fix: true
15 changes: 15 additions & 0 deletions .github/linters/.jscpd.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"threshold": 0,
"reporters": ["html", "markdown"],
"ignore": [
"**/node_modules/**",
"**/.git/**",
"**/.rbenv/**",
"**/.venv/**",
"**/*cache*/**",
"**/.github/**",
"**/.idea/**",
"**/report/**",
"**/*.svg"
]
}
261 changes: 261 additions & 0 deletions .github/workflows/build-push-chart.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,261 @@
---
name: Build/Push Image and Release Charts

on:
pull_request:
paths-ignore:
- "chart/**/Chart.yaml"
- "chart/**/values.yaml"
push:
branches:
- main
paths-ignore:
- "chart/**/Chart.yaml"
- "chart/**/values.yaml"

permissions: read-all

jobs:
setenv:
runs-on: ubuntu-latest

outputs:
short_sha: ${{ steps.env.outputs.short_sha }}
chart_version: ${{ steps.env.outputs.chart_version }}
image_version: ${{ steps.env.outputs.image_version }}
image_tag: ${{ steps.env.outputs.image_tag }}
image_repo_tag: ${{ steps.env.outputs.image_repo_tag }}
image_repository: ${{ steps.env.outputs.image_repository }}
registry: ${{ steps.env.outputs.registry }}
branch: ${{ steps.env.outputs.branch }}
compname: ${{ steps.env.outputs.compname }}
dhurl: ${{ steps.env.outputs.dhurl }}
gh_handle: ${{ steps.env.outputs.gh_handle }}

steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 1

- name: Export env
id: env
env:
DHURL: https://console.deployhub.com
REGISTRY: quay.io
BRANCH: ${{ github.head_ref || github.ref_name }}
run: |
BRANCH=$(echo "${{ env.BRANCH }}" | cut -d'/' -f1)
#BASE_VERSION=$(curl -s "https://ortelius.github.io/${{ github.event.repository.name }}/index.yaml" | grep version: | awk '{print $2}' | cut -f1-2 -d. | sort -u -r --version-sort | head -1)
BASE_VERSION="11.0"
SHORT_SHA=$(echo ${{ github.sha }} | cut -c 1-6)
{
echo "dhurl=${{ env.DHURL }}"
echo "branch=${BRANCH}"
echo "chart_version=${BASE_VERSION}.${{ github.run_number }}"
echo "compname=${{ github.event.repository.name }}"
echo "image_repo_tag=${{ env.REGISTRY }}/${{ github.repository }}:${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "image_repository=${{ env.REGISTRY }}/${{ github.repository }}"
echo "image_tag=${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "image_version=${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}"
echo "registry=${{ env.REGISTRY }}"
echo "short_sha=${SHORT_SHA}"
echo "gh_handle=$GITHUB_ACTOR"
} >> "$GITHUB_OUTPUT"
release:
runs-on: ubuntu-latest
needs: setenv

outputs:
digest: ${{ steps.build.outputs.digest }}

steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

- name: Login to Quay
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
id: login
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ${{ needs.setenv.outputs.registry }}
username: ${{ secrets.QUAY_USERID }}
password: ${{ secrets.QUAY_PASSWORD }}

- name: Build and Push Docker Image
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
id: build
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
push: true
tags: ${{ needs.setenv.outputs.image_repo_tag }}

- name: Build Docker Image
if: ${{ !(github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main') }}
id: build_only
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with:
tags: ${{ needs.setenv.outputs.image_repo_tag }}

trivy:
runs-on: ubuntu-latest
needs: [setenv, release]

permissions:
security-events: write
statuses: write

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # master
with:
image-ref: ${{ needs.setenv.outputs.image_repo_tag }}
format: "sarif"
output: "trivy-results.sarif"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
if: always()
with:
sarif_file: "trivy-results.sarif"

helm:
runs-on: ubuntu-latest
needs: [setenv, release]

permissions:
security-events: write
statuses: write
contents: write

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

- name: Configure Git
id: git
run: |
git config user.name "${{ needs.setenv.outputs.gh_handle }}"
git config user.email "${{ needs.setenv.outputs.gh_handle }}@users.noreply.github.com"
- name: Update Values and Chart
id: chart
uses: fjogeleit/yaml-update-action@d98ee6a10a971effea75480e3f315e4dacc89a23 # main
with:
commitChange: false
changes: |
{
"chart/${{ github.event.repository.name }}/values.yaml":
{
"image.repository": "${{ needs.setenv.outputs.image_repository }}",
"image.tag": "${{ needs.setenv.outputs.image_tag }}",
"image.sha": "${{ needs.release.outputs.digest }}"
},
"chart/${{ needs.setenv.outputs.compname }}/Chart.yaml":
{
"version": "${{ needs.setenv.outputs.chart_version }}",
"appVersion": "${{ needs.setenv.outputs.chart_version }}"
}
}
- name: Install Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.10.0

- name: Prepare GPG key
run: |
gpg_dir=.cr-gpg
mkdir "$gpg_dir"
keyring="$gpg_dir/secring.gpg"
base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
passphrase_file="$gpg_dir/passphrase"
echo "$GPG_PASSPHRASE" > "$passphrase_file"
echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
env:
GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}"
GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"

- name: Run chart-releaser
uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1
with:
charts_dir: chart
config: .cr.yaml
env:
CR_TOKEN: "${{ secrets.HELM_INDEXER_TOKEN }}"

- name: Trigger Rebuild of Main Chart
uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2
with:
workflow: generate-main-chart.yml
repo: ortelius/scec-charts
token: ${{ secrets.HELM_INDEXER_TOKEN }}

sbom:
runs-on: ubuntu-latest
needs: [setenv, release]

if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

- name: Generate SBOM
uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
id: sbom
with:
format: cyclonedx-json
output-file: /tmp/cyclonedx.json
image: ${{ needs.setenv.outputs.image_repo_tag }}

- name: Update Compnent
id: updatecomp
env:
DHURL: ${{ needs.setenv.outputs.dhurl }}
DHUSER: ${{ secrets.DHUSER }}
DHPASS: ${{ secrets.DHPASS }}
GIT_BRANCH: ${{ needs.setenv.outputs.branch }}
CHART_VERSION: ${{ needs.setenv.outputs.chart_version }}
COMPNAME: ${{ needs.setenv.outputs.compname }}
DIGEST: ${{ needs.release.outputs.digest }}
IMAGE_REPO: ${{ needs.setenv.outputs.image_repository }}
IMAGE_REPO_TAG: ${{ needs.setenv.outputs.image_repo_tag }}
IMAGE_TAG: ${{ needs.setenv.outputs.image_tag }}
IMAGE_VERSION: ${{ needs.setenv.outputs.image_version }}
SHORT_SHA: ${{ needs.setenv.outputs.short_sha }}

run: |
pip install ortelius-cli
dh updatecomp --rsp component.toml --deppkg cyclonedx@/tmp/cyclonedx.json
39 changes: 39 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
---
name: "CodeQL"

on:
push:
branches: ["main"]
pull_request:
schedule:
- cron: "30 1 * * *"

permissions: read-all

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout repository
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0

- name: Initialize CodeQL
uses: github/codeql-action/init@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
with:
languages: "go"

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7
with:
category: "/language:go"
Loading

0 comments on commit 4c8ec4b

Please sign in to comment.