Add semantic release

.github/workflows/tests.yaml → .github/workflows/ci.yaml

@@ -1,4 +1,4 @@
-name: Run tests
+name: CI
 
 on:
   push:
@@ -9,19 +9,20 @@ on:
       - main
 
 jobs:
-  tests:
-    name: Run tests
+  build:
+    name: Build and tests
     runs-on: ubuntu-latest
 
     permissions:
-      contents: read
-      issues: read
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
       checks: write
-      pull-requests: write
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - uses: cachix/install-nix-action@v21
         with:
@@ -44,4 +45,20 @@ jobs:
 
       - name: Build executables for other platforms
         id: build-other-platforms
-        run: nix-shell --command "make build-other-platforms"
+        run: nix-shell --command "make build-other-platforms"
+
+      - name: Release - setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+
+      - name: Release - install dependencies
+        run: npm ci
+
+      - name: Release - verify installed dependencies
+        run: npm audit signatures
+
+      - name: Release - perform the release
+        run: npx semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -8,4 +8,5 @@ output-save
 .idea
 node_modules
 package-lock.json
-.trivycache
+.trivycache
+/test-reports/

.releaserc

@@ -0,0 +1,18 @@
+{
+    "plugins": [
+      "@semantic-release/commit-analyzer",
+      "@semantic-release/release-notes-generator",
+      [
+        "@semantic-release/github",
+        {
+          "assets": [
+            { "path": "build//bin/production-readiness-amd64.exe", "label": "Windows amd64 distribution" },
+            { "path": "build/bin/production-readiness-386.exe", "label": "Windows 386 distribution" },
+            { "path": "build/bin/production-readiness-amd64-darwin", "label": "Darwin amd64 distribution" },
+            { "path": "build/bin/production-readiness-amd64-linux ", "label": "Linux amd64 distribution" },
+            { "path": "build/bin/production-readiness-386-linux ", "label": "Linux 386 distribution" },
+          ]
+        }
+      ]
+    ]
+}

CONTRIBUTING.md

@@ -7,19 +7,20 @@ issue before making a change.  This saves everyone from wasted effort in the eve
 changes need some adjustment before they are ready for submission.
 All new code, including changes to existing code, should be tested and have a corresponding test added or updated where applicable.
 
-
 ## Prerequisites
 
 The following must be installed on your development machine:
 
-- `go` (>=1.15)
+- `go` (>=1.20)
 - `docker`
 - `kind`
 - `trivy`
 - `kubectl`
 
-This project uses [Go Modules](https://github.com/golang/go/wiki/Modules).
-
+You can use [nix](https://nixos.org/download.html) to make install the required tools by running:
+```
+nix-shell
+```
 
 ## Building and testing
 
@@ -44,7 +45,6 @@ To run unit tests only:
 make test
 ```
 
-
 ### Integrated tests
 
 Integrated tests will run an image scan against a local [Kind](https://kind.sigs.k8s.io/) cluster.
@@ -62,7 +62,38 @@ make integrated-test
 
 ## Releasing
 
-_To be defined_
+Use [semantic-release](https://github.com/semantic-release/github) to automate versioning, tag and 
+create GitHub releases based on the commit message.
+semantic-release works from release branches, not pull requests. As a result, nothing will be released on pull requests.
+
+Commit messages must follow [Angular Commit Message Conventions](https://github.com/angular/angular/blob/main/CONTRIBUTING.md#-commit-message-format)
+
+### Initial semantic release installation
+
+1. Make sure you're on the latest version of npm
+```
+npm install -g npm
+```
+
+2. Generate the `package.json`
+```
+npm init
+```
+
+3. Generate the `package-lock.json`
+```
+npm install --save-dev semantic-release
+```
+
+4. Commit both `package.json` and `package-lock.json`at the root of your repository
+
+### Local run
+
+Use the `dry-run` mode to check the changes `semantic-release` would perform
+```sh
+GITHUB_TOKEN=$(gh auth token) npx semantic-release --dry-run --branches=$(git rev-parse --abbrev-ref HEAD)
+```
+
 
 ## Contributor Code of Conduct
 

Makefile

@@ -54,12 +54,12 @@ test:
 
 .PHONY: build
 build: check test
-	@echo "build"
+	@echo "== build"
 	 GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o $(buildDir)/bin/production-readiness -v github.com/coreeng/production-readiness/production-readiness/cmd
 
 .PHONY: build-other-platforms
 build-other-platforms:
-	@echo "build for other platforms"
+	@echo "== build for other platforms"
 	 GOOS=windows GOARCH=amd64 go build -o $(buildDir)/bin/production-readiness-amd64.exe -v github.com/coreeng/production-readiness/production-readiness/cmd
 	 GOOS=windows GOARCH=386 go build -o $(buildDir)/bin/production-readiness-386.exe -v github.com/coreeng/production-readiness/production-readiness/cmd
 	 GOOS=darwin GOARCH=amd64 go build -o $(buildDir)/bin/production-readiness-amd64-darwin -v github.com/coreeng/production-readiness/production-readiness/cmd

README.md

@@ -1,23 +1,29 @@
 # Production readiness
 
-This tool will help running diagnostic to have a better understanding of a cluster in term of security and best practises.
+This tool will help running diagnostic to have a better understanding of a cluster in terms of security and best practises.
+Use it to identify security vulnerabilities in your cluster and container images. 
 
-## Requirements
+## Prerequisites
 
-Installed [nix](https://nixos.org/download.html)
-After installation just run `nix-shell` from project directory and all required tools will be fetched.
-
-Cluster admin privileges for security compliance scan (trivy needs to create `trivy-tmp` namespace just for testing purposes)
+To prepare your environment you must install [trivy](https://github.com/aquasecurity/trivy) and `docker`
+as the image scan utility require both command line tools.
+We use [nix](https://nixos.org/download.html) to make it easier to install the required tools 
+and provide a reproducible dev environment.
+To use nix, install it and run `nix-shell` from the project directory.
 
 ## Cluster scan
 
-The `report` command can be used to perform container image and security compliance scans.
-It will generate an `HTML` report for all types of scans. Summary report can be opened by opening `index.html` in the browser.
+The `report` command will perform both [container image scan](#Container-image-scanning) and [security compliance scan](#Cluster-security-compliance-scanning).
+You can run either report individually by referring to the corresponding sections below. 
+
+The command will generate an `HTML` report for all types of scans. 
+The summary report can be opened by opening `index.html` in the browser.
 
 ### Usage 
 
-`production-readiness report  --context "sandbox-azure"`
-`--context` points to context to use from kube config file.
+```
+production-readiness report  --context <cluster-name>
+```
 
 ## Container Image scanning
 
@@ -34,11 +40,14 @@ Here is a sample report:
 
 ### Usage
 
-To prepare your environment you must install [trivy](https://github.com/aquasecurity/trivy) and `docker`
-as the image scan utility require both command line tools.
+To generate a report for a given cluster:
+```
+production-readiness scan --context <cluster-name>
+```
 
+To generate a report broken down per team name, specify the `label` used to identify the team name:
 ```
-production-readiness scan --context cluster-name --area-labels=area-name --teams-labels=team --image-name-replacement='mirror.registry:5000|registry.new.url,mirror-2.registry:5000|registry.new.url'
+production-readiness scan --context <cluster-name> --teams-labels=<label>
 ```
 
 Run `production-readiness scan --help` for a complete list of options available.
@@ -76,19 +85,13 @@ To run compliance scan just execute: `production-readiness cis-scan --context "s
 `--context` points to context to use from kube config file.
 Optional parameter `--benchmarks k8s-cis,k8s-nsa,k8s-pss-restricted` can be used to run specific scan type.
 
+### Limitations
 
-## Known bugs
-
-- Security compliance scans may not work on GCP if there is no CNI on the node in `/opt/cni/bin` location  
+- At the moment, cluster admin privileges is required by trivy as it needs to create `trivy-tmp` namespace just for testing purposes. The tool should be modified to work with 'read-only' permissions to the cluster or at least within a namespace we (CECG) own. We need to be super careful especially with live environments.
+- Security compliance scans may not work on GCP if there is no CNI on the node in `/opt/cni/bin` location
 
+## Roadmap
 
-### TODOs
-
-- [IMPORTANT!] We should not be requesting destructive access to the production as it may bring clients confidence down. The tool should be modified to work with 'read-only' permissions to the cluster or at least within a namespace we (CECG) own. We need to be super careful especially with live environments.
 - use trivy library rather than the command line (to prevent: "trivy": executable file not found in $PATH )
 - use docker library rather than the command line (to prevent: "docker": executable file not found in $PATH )
-- releasing
-
-
-## Linuxbench
-
+- release a versioning image, rather than requesting users to build it