From 455b694ad7f3b95b9e15175495950c6ee05e1362 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 12:08:36 +0100 Subject: [PATCH 01/11] add bump-sec-scanners-config-reusable.yml --- .../bump-sec-scanners-config-reusable.yml | 157 ++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 .github/workflows/bump-sec-scanners-config-reusable.yml diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml new file mode 100644 index 0000000..6f2172c --- /dev/null +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml 
@@ -0,0 +1,157 @@ +# This is a reusbale workflow to bump the 'sec-scanners-config.' +# +# It will do so by using the script `hack/scripts/render-sec-scanners-config.sh`, that is not part of the workflow. +# If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo +# will require a specfic sec-scanners-config.yaml. +# +# To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed +# as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. +# Further reads: +# Setting a secret for a repo: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions +# +# If changes were done by the script, the workflow will create a PR and wait for it to be merged. +# The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. +# It has a default value if 3600 (seconds (= 1 hour)). +# +# Examples of using this workflow: +# 1. Set all awailable inputs and secrets. +# +# jobs: +# call-this-workflow: +# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main +# with: +# timeout: 3600 # 1 hour +# secrets: +# BOT_PAT: ${{ secrets.my_pat }} +# +# 2. Minimal setup: +# +# jobs: +# call-this-workflow::working_dir: g +# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main +# secrets: +# BOT_PAT: ${{ secrets.my_pat }} + +name: Lint code (reusable) + +on: + workflow_call: + inputs: + timeout: + required: false + type: number + description: The time in seconds this workflow will wait for a resulting PR to be merged. 
+ default: 3600 # 1 hour + secrets: + BOT_PAT: + required: true + +jobs: + bump: + name: Bump sec-scanners-config.yaml + runs-on: ubuntu-latest + env: + REPO: ${{ github.repository }} + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Render sec-scanners-config.yaml + shell: bash + # Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. + run: ./hack/scripts/render-sec-scanners-config.sh + + # Check if there are changes so we can determin if all following steps can be skipped. + - name: Check For Changes + shell: bash + run: | + if [ -z "$(git status --porcelain)" ]; then + echo "No changes found. No need to create a PR" + else + echo "Changes found. Creating a PR and waiting for it to be merged." + echo "create_pr=true" >> $GITHUB_ENV + fi + + - name: Set Up Git + if: ${{ env.create_pr == 'true' }} + env: + GH_TOKEN: ${{ secrets.BOT_PAT }} + shell: bash + run: | + # set git username + ghusername=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user) + git config user.name "${ghusername}" + # set git mail address + ghmailaddress=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/email) + git config user.email "${ghmailaddress}" + # set remote url + git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" + + - name: Set All Variables + if: ${{ env.create_pr == 'true' }} + shell: bash + run: | + CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" + echo "current branch: ${CURRENT_BRANCH}" + echo "CURRENT_BRANCH=${CURRENT_BRANCH}" >> $GITHUB_ENV + + PR_DATE="$(date '+%Y-%m-%d-%H-%M-%S')" + echo "pr date: ${PR_DATE}" + echo "PR_DATE=${PR_DATE}" >> $GITHUB_ENV + + BRANCH_NAME="sec-scanners-bump-${CURRENT_BRANCH}-${PR_DATE}" + echo "name of the new branch: ${BRANCH_NAME}" + echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV + + - name: Create a Pull Request + if: ${{ env.create_pr == 'true' }} + env: + CURRENT_BRANCH: ${{ 
env.CURRENT_BRANCH }} + PR_DATE: ${{ env.PR_DATE }} + BRANCH_NAME: ${{ env.BRANCH_NAME }} + GH_TOKEN: ${{ secrets.BOT_PAT }} + shell: bash + run: | + # Create a new branch for our changes. + git checkout -b "${BRANCH_NAME}" + + # Stage the changes to sec-scanner-config.yaml and create a commit. + git add sec-scanners-config.yaml + git commit -m "auto-bump sec-scanners-config: ${PR_DATE}" + + # Push the changes to origin, as defined earlier. + git push origin "$BRANCH_NAME" + + # Create a PR. + BODY="This is an auto-generated PR to bump the sec-scanners-config.yml on ${REPO}." + PR_URL=$(gh pr create --base "${CURRENT_BRANCH}" --head "${BRANCH_NAME}" --title "Bump sec-scanners-config on ${CURRENT_BRANCH}" --body "${BODY}") + echo "PR_URL=${PR_URL}" >> $GITHUB_ENV + + - name: USER INTERACTION REQUIRED + shell: bash + env: + PR_URL: ${{ env.PR_URL }} + run: | + echo "please review ${PR_URL}" + + - name: Wait for PR to be Merged + shell: bash + env: + TIMEOUT: ${{ inputs.timeout }} + PR_URL: ${{ env.PR_URL }} + GH_TOKEN: ${{ secrets.BOT_PAT }} + run: | + end_time=$((SECONDS+${TIMEOUT})) + + while [ $SECONDS -lt $end_time ]; do + pr_state=$(gh pr view ${PR_URL} --json state --jq '.state') + if [ "$pr_state" == "MERGED" ]; then + echo "PR has been merged!" + exit 0 + fi + sleep 10 + done + + echo "Timeout reached. PR not merged within the specified time." + exit 1 From 81f89bde4bf7af83110ddf5c4691ca010ad49bc6 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 12:24:36 +0100 Subject: [PATCH 02/11] fix seplling --- .github/workflows/bump-sec-scanners-config-reusable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 6f2172c..9a76e61 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml 
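Review bot: In the Set Up Git step, `curl https://api.github.com/user` returns a JSON document, so `git config user.name` is set to that whole response body, and `https://api.github.com/email` is not a GitHub API resource (user email lives under `/user/emails`), so the author identity on the bot's commits ends up as junk; since the hunk already relies on `gh` for `gh pr create`, `gh api user --jq '.login'` yields the login directly. `git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/…"` also embeds the PAT in the remote URL, where it surfaces in `git remote -v` and in push error output (GitHub's log masking would normally redact it, but it is still an avoidable exposure); handing the PAT to `actions/checkout` via its `token:` input is the established way to let the later `git push` authenticate. The header comment asks for a classic PAT with full `repo`, `user` and `workflow` scope, yet nothing in this workflow needs `workflow` or `user` — pushing a branch and opening a PR needs only contents and pull-request write access, so a token scoped to that would follow least privilege. Separately, Check For Changes flips `create_pr` on `git status --porcelain` over the whole tree while only `sec-scanners-config.yaml` is staged, so any other file the script touches would open a PR that never contains it; `git status --porcelain -- sec-scanners-config.yaml` makes the check match the commit.
```yaml
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          # Let checkout hold the bot token for the later push instead of embedding it in the remote URL.
          token: ${{ secrets.BOT_PAT }}

      # … unchanged: Render sec-scanners-config.yaml / Check For Changes steps …

      - name: Set Up Git
        if: ${{ env.create_pr == 'true' }}
        env:
          GH_TOKEN: ${{ secrets.BOT_PAT }}
        shell: bash
        run: |
          # Author identity of the account the PAT belongs to; gh parses the JSON for us.
          login="$(gh api user --jq '.login')"
          git config user.name "${login}"
          # Adjust if the bot account is registered with a different address.
          git config user.email "${login}@users.noreply.github.com"
```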
@@ -11,7 +11,7 @@ # # If changes were done by the script, the workflow will create a PR and wait for it to be merged. # The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. -# It has a default value if 3600 (seconds (= 1 hour)). +# It has a default value of 3600 (seconds (= 1 hour)). # # Examples of using this workflow: # 1. Set all awailable inputs and secrets. From f2643e1de1f06b569affc1cf9786e7479e8770a0 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 12:26:02 +0100 Subject: [PATCH 03/11] add missing if-statements --- .github/workflows/bump-sec-scanners-config-reusable.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 9a76e61..3d79326 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -129,6 +129,7 @@ jobs: echo "PR_URL=${PR_URL}" >> $GITHUB_ENV - name: USER INTERACTION REQUIRED + if: ${{ env.create_pr == 'true' }} shell: bash env: PR_URL: ${{ env.PR_URL }} @@ -136,6 +137,7 @@ jobs: echo "please review ${PR_URL}" - name: Wait for PR to be Merged + if: ${{ env.create_pr == 'true' }} shell: bash env: TIMEOUT: ${{ inputs.timeout }} From 0aa1fc959403d7983e1f854998c469c876efa778 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 13:09:17 +0100 Subject: [PATCH 04/11] fix typos --- .github/workflows/bump-sec-scanners-config-reusable.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 3d79326..072a8b2 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml 
@@ -1,4 +1,4 @@ -# This is a reusbale workflow to bump the 'sec-scanners-config.' +# This is a reusbale workflow to bump the 'sec-scanners-config.yaml' # # It will do so by using the script `hack/scripts/render-sec-scanners-config.sh`, that is not part of the workflow. # If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo @@ -32,7 +32,7 @@ # secrets: # BOT_PAT: ${{ secrets.my_pat }} -name: Lint code (reusable) +name: bump sec-scanner-config.yaml (reusable) on: workflow_call: From 73a6da166099d6c86dcabce3f09a3dd9ced0b249 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 13:12:43 +0100 Subject: [PATCH 05/11] fix typo --- .github/workflows/bump-sec-scanners-config-reusable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 072a8b2..953ecae 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -32,7 +32,7 @@ # secrets: # BOT_PAT: ${{ secrets.my_pat }} -name: bump sec-scanner-config.yaml (reusable) +name: bump sec-scanners-config.yaml (reusable) on: workflow_call: From e365d9b0b0e65877d6556d941385fb71fec991f5 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 15:00:07 +0100 Subject: [PATCH 06/11] add step to print out file content --- .github/workflows/bump-sec-scanners-config-reusable.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 953ecae..1cc20e9 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml 
@@ -73,6 +73,11 @@ jobs: echo "create_pr=true" >> $GITHUB_ENV fi + - name: Print out content of sec-scanners-config.yaml + if: ${{ env.create_pr == 'true' }} + shell: bash + run: cat sec-scanners-config.yaml + - name: Set Up Git if: ${{ env.create_pr == 'true' }} env: From b9d3bb450306b55718f2a806574be41a578f01df Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 15:00:33 +0100 Subject: [PATCH 07/11] fix typo --- .github/workflows/bump-sec-scanners-config-reusable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 1cc20e9..53217cf 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -73,7 +73,7 @@ jobs: echo "create_pr=true" >> $GITHUB_ENV fi - - name: Print out content of sec-scanners-config.yaml + - name: Print Content of sec-scanners-config.yaml if: ${{ env.create_pr == 'true' }} shell: bash run: cat sec-scanners-config.yaml From cf9db6e6c8620a84bd63689dead76958c66ada78 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Wed, 24 Jan 2024 15:58:23 +0100 Subject: [PATCH 08/11] add version tag --- .../bump-sec-scanners-config-reusable.yml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 53217cf..eaaa0e6 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml 
@@ -4,6 +4,9 @@ # If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo # will require a specfic sec-scanners-config.yaml. # +# The script `render-sec-scanners-config.sh` will in all cases require a version that is used to tag the corresponding image +# of the controller. For this reason, passing the input `version_tag` is required. +# # To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed # as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. # Further reads: @@ -20,6 +23,7 @@ # call-this-workflow: # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main # with: +# version_tag: 2.3.4 # timeout: 3600 # 1 hour # secrets: # BOT_PAT: ${{ secrets.my_pat }} @@ -29,6 +33,8 @@ # jobs: # call-this-workflow::working_dir: g # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main +# with: +# version_tag: 2.3.4 # secrets: # BOT_PAT: ${{ secrets.my_pat }} @@ -37,6 +43,10 @@ name: bump sec-scanners-config.yaml (reusable) on: workflow_call: inputs: + version_tag: + required: true + type: string + description: The semantic version number, that will be used to tag the main image in the sec scanner config. timeout: required: false type: number @@ -58,9 +68,11 @@ jobs: uses: actions/checkout@v4 - name: Render sec-scanners-config.yaml + env: + VERSION_TAG: ${{ inputs.version_tag }} shell: bash # Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. - run: ./hack/scripts/render-sec-scanners-config.sh + run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}" # Check if there are changes so we can determin if all following steps can be skipped. - name: Check For Changes From 732b253b099183199ea8edff4ff3794f94262534 Mon Sep 17 00:00:00 2001 
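Review bot: The new `version_tag` input is passed straight through to `./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}"`; it is quoted, so there is no shell injection at this call site, but nothing checks that it resembles a version before it is rendered into a file that is then committed and pushed under the bot's PAT, so a typo or a stray value from a caller lands in the repository as a PR. A guard before the script call catches that early: `[[ "${VERSION_TAG}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]] || { echo "invalid version_tag: ${VERSION_TAG}" >&2; exit 1; }`. In the usage examples, writing `version_tag: "2.3.4"` with quotes also avoids YAML reading a shorter value such as `2.3` as a float.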
From: Friedrich Wilken Date: Thu, 25 Jan 2024 10:13:33 +0100 Subject: [PATCH 09/11] address some review comments --- .../bump-sec-scanners-config-reusable.yml | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index eaaa0e6..0ad4861 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -1,4 +1,4 @@ -# This is a reusbale workflow to bump the 'sec-scanners-config.yaml' +# This is a reusable workflow to bump the 'sec-scanners-config.yaml' # # It will do so by using the script `hack/scripts/render-sec-scanners-config.sh`, that is not part of the workflow. # If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo @@ -82,16 +82,18 @@ jobs: echo "No changes found. No need to create a PR" else echo "Changes found. Creating a PR and waiting for it to be merged." - echo "create_pr=true" >> $GITHUB_ENV + echo "CREATE_PR=true" >> $GITHUB_ENV fi - name: Print Content of sec-scanners-config.yaml - if: ${{ env.create_pr == 'true' }} + if: ${{ always() }} shell: bash - run: cat sec-scanners-config.yaml + run: | + FILE="sec-scanners-config.yaml" + [ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found." - name: Set Up Git - if: ${{ env.create_pr == 'true' }} + if: ${{ env.CREATE_PR == 'true' }} env: GH_TOKEN: ${{ secrets.BOT_PAT }} shell: bash @@ -106,7 +108,7 @@ jobs: git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" - name: Set All Variables - if: ${{ env.create_pr == 'true' }} + if: ${{ env.CREATE_PR == 'true' }} shell: bash run: | CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" 
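Review bot: In the Print Content step, `[ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found."` reports "not found" whenever `cat` itself fails (unreadable file, broken pipe), because the `||` applies to the whole `&&` chain; an explicit branch is unambiguous: `if [ -f "${FILE}" ]; then cat "${FILE}"; else echo "${FILE} not found."; fi`. The step's `if: ${{ always() }}` also runs it when the job has been cancelled, which is rarely what a diagnostic step wants; `${{ !cancelled() }}` keeps the run-on-failure behaviour without that. The `create_pr` → `CREATE_PR` rename is applied consistently across the steps shown here and in the following hunks.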
@@ -122,7 +124,7 @@ jobs: echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV - name: Create a Pull Request - if: ${{ env.create_pr == 'true' }} + if: ${{ env.CREATE_PR == 'true' }} env: CURRENT_BRANCH: ${{ env.CURRENT_BRANCH }} PR_DATE: ${{ env.PR_DATE }} @@ -146,7 +148,7 @@ jobs: echo "PR_URL=${PR_URL}" >> $GITHUB_ENV - name: USER INTERACTION REQUIRED - if: ${{ env.create_pr == 'true' }} + if: ${{ env.CREATE_PR == 'true' }} shell: bash env: PR_URL: ${{ env.PR_URL }} @@ -154,7 +156,7 @@ jobs: echo "please review ${PR_URL}" - name: Wait for PR to be Merged - if: ${{ env.create_pr == 'true' }} + if: ${{ env.CREATE_PR == 'true' }} shell: bash env: TIMEOUT: ${{ inputs.timeout }} From 76b8ff500a929e538f78b6562facfe63f46d06b9 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Thu, 25 Jan 2024 10:22:04 +0100 Subject: [PATCH 10/11] handle closed PRs --- .github/workflows/bump-sec-scanners-config-reusable.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml index 0ad4861..32af35b 100644 --- a/.github/workflows/bump-sec-scanners-config-reusable.yml +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -167,7 +167,9 @@ jobs: while [ $SECONDS -lt $end_time ]; do pr_state=$(gh pr view ${PR_URL} --json state --jq '.state') - if [ "$pr_state" == "MERGED" ]; then + if [ "$pr_state" == "CLOSED" ]; then + echo "ERROR! PR has been closed!" + elif [ "$pr_state" == "MERGED" ]; then echo "PR has been merged!" exit 0 fi From 28e056540c4620feec3f0017c7a52c4ff3521a26 Mon Sep 17 00:00:00 2001 From: Friedrich Wilken Date: Thu, 25 Jan 2024 10:32:54 +0100 Subject: [PATCH 11/11] exit 1 if pr was closed --- .github/workflows/bump-sec-scanners-config-reusable.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml
index 32af35b..8bcc5e0 100644
--- a/.github/workflows/bump-sec-scanners-config-reusable.yml
+++ b/.github/workflows/bump-sec-scanners-config-reusable.yml
@@ -14,7 +14,9 @@
 #
 # If changes were done by the script, the workflow will create a PR and wait for it to be merged.
 # The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds.
-# It has a default value of 3600 (seconds (= 1 hour)).
+# It has a default value of 3600 (seconds (= 1 hour)). Note that GitHub Action jobs will automatically fail after 6 hours:
+# Further reads:
+# Default limits for GitHub Actions: https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits
 #
 # Examples of using this workflow:
 # 1. Set all awailable inputs and secrets.
@@ -169,6 +171,7 @@ jobs:
 pr_state=$(gh pr view ${PR_URL} --json state --jq '.state')
 if [ "$pr_state" == "CLOSED" ]; then
 echo "ERROR! PR has been closed!"
+ exit 1
 elif [ "$pr_state" == "MERGED" ]; then
 echo "PR has been merged!"
 exit 0
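Review bot: The new header comment documents the 6-hour job limit, but the `timeout` input the wait loop uses is still unbounded: a caller passing more than 21600 seconds gets the job killed by the runner and never reaches the "Timeout reached" / `exit 1` path, and `$((SECONDS+${TIMEOUT}))` fails outright on a non-integer `number` input. A guard at the top of the run block pins both down: `[[ "${TIMEOUT}" =~ ^[0-9]+$ ]] && [ "${TIMEOUT}" -le 21600 ] || { echo "timeout must be an integer number of seconds <= 21600" >&2; exit 1; }`. While touching the loop, `gh pr view "${PR_URL}"` should be quoted like the other expansions in this file. The enclosing Wait for PR to be Merged step starts outside the hunk.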