Merge remote-tracking branch 'origin/main' into issue-187

.github/dependabot.yml

@@ -4,10 +4,23 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 0
-
+    groups:
+      "GitHub Actions":
+        patterns:
+          - "*"
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 0
+    groups:
+      "Go Dependencies":
+        patterns:
+          - "*"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      "Container Images":
+        patterns:
+          - "*"

.github/workflows/build-test.yaml

@@ -3,6 +3,8 @@ on:
   pull_request:
     branches:
       - 'main'
+    paths:
+      - "!README.md"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,24 +20,38 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Golang
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804      # v4.0.0
+        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86      # v6.1.0
         with:
           version: v1.54
           args: --timeout 10m --exclude SA5011 --verbose --issues-exit-code=0
           only-new-issues: true
 
+  govulncheck:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+           go-version-file: go.mod
+           go-package: ./...
+
   test:
     name: Run unit tests for Go packages
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v3 # v3.5.3
+      uses: actions/checkout@v4 # v3.5.3
     - name: Setup Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: go.mod
 
     - name: Download and required packages
       run: |
@@ -49,8 +65,11 @@ jobs:
       with:
         config: ./.testcoverage.yml
 
+    - name: Trigger Coverage update
+      uses: ./coverage-badge.yaml
+
     - name: Generate code coverage artifacts
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: actions/upload-artifact@v4
       with:
         name: code-coverage
         path: coverage.out
@@ -69,7 +88,7 @@ jobs:
     name: Build Images
     steps:
     - name: Checkout code
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
 
@@ -79,7 +98,7 @@ jobs:
         platforms: ${{ matrix.platform }}
 
     - name: Build Images
-      uses: docker/build-push-action@v4
+      uses: docker/build-push-action@v6
       with:
         context: .
         platforms: ${{ matrix.platform }}
@@ -90,7 +109,7 @@ jobs:
         cache-to: type=gha,mode=max
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@0.19.0
+      uses: aquasecurity/trivy-action@0.24.0
       with:
         image-ref: 'quay.io/jetstack/version-checker:${{github.sha}}'
         format: 'table'

.github/workflows/coverage-badge.yaml

@@ -0,0 +1,55 @@
+name: Generate code coverage badge
+
+on:
+  workflow_dispatch: # Here for Testing
+  workflow_call:
+
+permissions:
+  contents: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Update coverage badge
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
+          fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
+
+      - name: Setup go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Run Test
+        run: |
+          go test -v ./... -covermode=count -coverprofile=coverage.out
+          go tool cover -func=coverage.out -o=coverage.out
+
+      - name: Go Coverage Badge  # Pass the `coverage.out` output to this action
+        uses: tj-actions/coverage-badge-go@v2
+        with:
+          filename: coverage.out
+
+      - name: Verify Changed files
+        uses: tj-actions/verify-changed-files@v17
+        id: verify-changed-files
+        with:
+          files: README.md
+
+      - name: Commit changes
+        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "GitHub Action"
+          git add README.md
+          git commit -m "docs: Updated coverage badge."
+
+      - name: Push changes
+        if: steps.verify-changed-files.outputs.files_changed == 'true'
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ github.token }}
+          branch: ${{ github.head_ref }}

.github/workflows/helm-docs.yaml

@@ -1,5 +1,7 @@
 name: Generate Helm Docs
 on:
+  # Allow other workflows to trigger
+  workflow_call:
   push:
     paths:
       - '!*.md'
@@ -19,12 +21,12 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
       - name: Check for values.yaml changes
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v3
         id: filter
         with:
           filters: |
@@ -43,7 +45,7 @@ jobs:
           cd deploy/charts/version-checker
           helm-docs
       - name: Check for README.md changes
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v3
         id: filter-readme
         with:
           base: HEAD
@@ -64,4 +66,4 @@ jobs:
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           branch: ${{ github.head_ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}

.github/workflows/helm-test.yaml

@@ -20,9 +20,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: azure/setup-helm@v3
+      - uses: azure/setup-helm@v4
 
       - run: helm lint deploy/charts/version-checker
 
@@ -31,9 +31,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: azure/setup-helm@v3
+      - uses: azure/setup-helm@v4
         with:
           token: ${{ github.token }}
 
@@ -50,3 +50,14 @@ jobs:
             exit 0
           fi
           helm unittest deploy/charts/version-checker
+
+  security_policies:
+    name: Verify that the Helm chart complies with the pod security standards
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Install Kyverno CLI
+        uses: kyverno/[email protected]
+      - uses: azure/setup-helm@v4
+      - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)