From c48e649a7c6b3ddf13bb73aca378c3959ca15535 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:03:29 -0500
Subject: [PATCH 01/12] gha: cleanup codeql-analysis

---
 .github/workflows/codeql-analysis.yml | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6c50684..7fd7466 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,5 @@
-name: "Code Scanning - Action"
-
+---
+name: codeql-analysis
 on:
 push:
 branches: [main]
@@ -16,29 +16,16 @@ on:
 # │ │ │ │ │
 # * * * * *
 - cron: '30 1 * * 0'
-
 jobs:
- CodeQL-Build:
- # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+ codeql:
 runs-on: ubuntu-latest
-
 permissions:
 # required for all workflows
 security-events: write
-
 steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ - uses: actions/checkout@v3
+ - uses: github/codeql-action/init@v2
 with:
 languages: go
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
\ No newline at end of file
+ - uses: github/codeql-action/autobuild@v2
+ - uses: github/codeql-action/analyze@v2

From 0aceeb821e4705a2c09795e2b7932a351e41ec24 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:04:02 -0500
Subject: [PATCH 02/12] gha: fix branch to run codeql-analysis

---
 .github/workflows/codeql-analysis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7fd7466..0671a20 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
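Review bot: The new step lines `- uses: actions/checkout@v3` and `- uses: github/codeql-action/init@v2` (and the autobuild and analyze lines below them) reference each action by a mutable major-version tag, so the code executed by this security-scanning job can change upstream without any change to this repository. Pinning each reference to a full-length commit SHA with the tag kept as a comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`, and letting Dependabot or a similar tool refresh the pins is the usual mitigation; the same applies to the `uses:` lines introduced in patches 03, 04, 07, 08 and 12, so it is raised once here. Dropping every step's `name:` is a style choice, but the Actions log then identifies steps only by action reference, and docker-image.yaml in patch 04 keeps `- name: Set build date` while dropping the other names, so the series ends up inconsistent on this point.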
@@ -2,9 +2,9 @@
 name: codeql-analysis
 on:
 push:
- branches: [main]
+ branches: [master]
 pull_request:
- branches: [main]
+ branches: [master]
 schedule:
 # ┌───────────── minute (0 - 59)
 # │ ┌───────────── hour (0 - 23)

From 0fbafe1e938d8b13305f842638ceb6c75e66ac54 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:07:46 -0500
Subject: [PATCH 03/12] gha: update codeql-analysis to latest actions

---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 0671a20..6273863 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,9 +23,9 @@ jobs:
 # required for all workflows
 security-events: write
 steps:
- - uses: actions/checkout@v3
- - uses: github/codeql-action/init@v2
+ - uses: actions/checkout@v4
+ - uses: github/codeql-action/init@v3
 with:
 languages: go
- - uses: github/codeql-action/autobuild@v2
- - uses: github/codeql-action/analyze@v2
+ - uses: github/codeql-action/autobuild@v3
+ - uses: github/codeql-action/analyze@v3

From fa7a9645d2a968aaea3befdcb907ca2723ee7ad3 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:10:30 -0500
Subject: [PATCH 04/12] gha: cleanup docker-image

---
 .github/workflows/docker-image.yaml | 34 ++++++++++-------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml
index 55a67a3..a57099b 100644
--- a/.github/workflows/docker-image.yaml
+++ b/.github/workflows/docker-image.yaml
@@ -1,42 +1,34 @@
 ---
-name: Build Docker image
+name: docker-image
 on:
 push:
- tags:
- - '*'
- branches:
- - "master"
- paths-ignore:
- - 'charts/**'
+ tags: ['*']
+ branches: ['master']
+ paths-ignore: ['charts/**']
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@v4
+ - uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
 aws-region: us-west-2
- - name: get secrets from aws sm
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ - uses: aws-actions/aws-secretsmanager-get-secrets@v2
 with:
 secret-ids: |
 ,sdlc/prod/github/dockerhub_token
 parse-json-secrets: true
 - uses: actions/checkout@v4
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ - uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-buildx-action@v3
 with:
 driver-opts: image=moby/buildkit:v0.10.3,network=host
- - name: Set Release Date
+ - name: Set build date
 run: |
 echo "BUILT_AT=$(date --rfc-3339=date)" >> ${GITHUB_ENV}
- - name: Docker meta
+ - uses: docker/metadata-action@v5
 id: docker_meta
- uses: docker/metadata-action@v5
 with:
 # list of Docker images to use as base name for tags
 images: |
@@ -48,13 +40,11 @@ jobs:
 tags: |
 type=sha,prefix={{branch}}-,format=short,enable={{is_default_branch}}
 type=semver,pattern={{raw}}
- - name: Login to DockerHub
- uses: docker/login-action@v3
+ - uses: docker/login-action@v3
 with:
 username: vectorizedbot
 password: ${{ env.DOCKERHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v6
+ - uses: docker/build-push-action@v6
 with:
 provenance: false
 push: true

From 17bb06fc9655b59b9c6ce0d88f055661123e9103 Mon Sep 17 00:00:00 2001
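Review bot: The new `paths-ignore: ['charts/**']` line sits directly under `tags: ['*']`, and GitHub evaluates path filters only for branch pushes, so a tag push still builds and pushes the image even when the tagged commit touches only chart files. If that is the intended behaviour, a comment above the line such as `# path filters apply to branch pushes only; every tag push builds` saves the next reader from re-checking the docs; if it is not, the trigger needs a different shape than a path filter can give. Only step headers change in the second hunk, and the `build` job continues past its `push: true` line.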
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:14:23 -0500
Subject: [PATCH 05/12] gha: update docker-image to use latest driver-opts image

---
 .github/workflows/docker-image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml
index a57099b..4258fa1 100644
--- a/.github/workflows/docker-image.yaml
+++ b/.github/workflows/docker-image.yaml
@@ -23,7 +23,7 @@ jobs:
 - uses: docker/setup-qemu-action@v3
 - uses: docker/setup-buildx-action@v3
 with:
- driver-opts: image=moby/buildkit:v0.10.3,network=host
+ driver-opts: image=moby/buildkit:v0.15.2,network=host
 - name: Set build date
 run: |
 echo "BUILT_AT=$(date --rfc-3339=date)" >> ${GITHUB_ENV}

From 72f6c7dbb9020bd3f6f5cd721ed89ba1825a0efd Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:16:48 -0500
Subject: [PATCH 06/12] gha: rename to goreleaser.yml for consistency

---
 .github/workflows/{go-releaser.yaml => goreleaser.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{go-releaser.yaml => goreleaser.yml} (100%)

diff --git a/.github/workflows/go-releaser.yaml b/.github/workflows/goreleaser.yml
similarity index 100%
rename from .github/workflows/go-releaser.yaml
rename to .github/workflows/goreleaser.yml

From 8a6edbeb60056eeb5352b6ff6a0880edeb2acf6b Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:18:17 -0500
Subject: [PATCH 07/12] gha: cleanup goreleaser

---
 .github/workflows/goreleaser.yml | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 795f75a..2573e7a 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -1,26 +1,19 @@
-name: GoReleaser
-
+---
+name: goreleaser
 on:
 push:
- tags:
- - '*'
-
+ tags: ['*']
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@v3
+ - uses: actions/checkout@v3
 with:
 fetch-depth: 0
-
- - name: Set up Go
- uses: actions/setup-go@v3
+ - uses: actions/setup-go@v3
 with:
 go-version-file: 'go.mod'
-
- - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v2
+ - uses: goreleaser/goreleaser-action@v2
 if: startsWith(github.ref, 'refs/tags/')
 with:
 version: latest

From b22bf9dad940f95cecb39fd599e4e8cf617286f6 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:19:48 -0500
Subject: [PATCH 08/12] gha: update goreleaser to latest actions

---
 .github/workflows/goreleaser.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 2573e7a..1b4e764 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -7,13 +7,13 @@ jobs:
 goreleaser:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v3
+ - uses: actions/setup-go@v5
 with:
 go-version-file: 'go.mod'
- - uses: goreleaser/goreleaser-action@v2
+ - uses: goreleaser/goreleaser-action@v6
 if: startsWith(github.ref, 'refs/tags/')
 with:
 version: latest

From 1a2c09f89c9cf5658ad782412306e39da8ba98e5 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 21:05:38 -0500
Subject: [PATCH 09/12] goreleaser: update to ver 2 config file

---
 .goreleaser.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 40bf771..bc968bd 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,5 @@
+---
+version: 2
 release:
 name_template: '{{.Version}} / {{time "2006-01-02"}}'
 prerelease: auto
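Review bot: The cleaned-up `goreleaser` job still declares no `permissions:` block, so its `GITHUB_TOKEN` keeps whatever the repository default grants rather than the minimum a release needs. If the `goreleaser/goreleaser-action@v2` step publishes the release through that token (the step's `env:`, if it has one, lies outside the hunk), an explicit job-level grant of `permissions:` / `  contents: write` documents the requirement and removes every other scope from the token; the workflow that patch 12 later gives a `permissions:` block is docker-image.yml, not this one. The job's `with:` block continues past the hunk.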
@@ -9,7 +11,7 @@ release:
 docker pull redpandadata/kminion:{{ .Tag }}
 ```
 changelog:
- skip: false
+ disable: false
 use: github
 filters:
 # Commit messages matching the regexp listed here will be removed from the changelog
@@ -20,7 +22,6 @@ changelog:
 - '^go.mod:'
 - '^.github:'
 - 'Merge branch'
-
 builds:
 - id: kminion
 binary: kminion
@@ -33,6 +34,5 @@ builds:
 - arm64
 ldflags:
 - -s -w -X main.version={{.Version}} -X main.builtAt={{.Date}} -X main.commit={{.Commit}}
-
 checksum:
 name_template: 'checksums.txt'

From f6dbff471656d68084abfec3a516a7d1faab71ed Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:22:55 -0500
Subject: [PATCH 10/12] gha: rename to docker-image.yml for consistency

---
 .github/workflows/{docker-image.yaml => docker-image.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{docker-image.yaml => docker-image.yml} (100%)

diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yml
similarity index 100%
rename from .github/workflows/docker-image.yaml
rename to .github/workflows/docker-image.yml

From 1d45edbf3583072c4d0714fb1e268c1e867017ef Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:50:22 -0500
Subject: [PATCH 11/12] gha: fix driver-opts list syntax

See https://github.com/docker/setup-buildx-action#inputs
---
 .github/workflows/docker-image.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 4258fa1..f44563c 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -23,7 +23,9 @@ jobs:
 - uses: docker/setup-qemu-action@v3
 - uses: docker/setup-buildx-action@v3
 with:
- driver-opts: image=moby/buildkit:v0.15.2,network=host
+ driver-opts: |
+ image=moby/buildkit:v0.15.2
+ network=host
 - name: Set build date
 run: |
 echo "BUILT_AT=$(date --rfc-3339=date)" >> ${GITHUB_ENV}
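Review bot: The new `network=host` entry in `driver-opts` gives the BuildKit builder container the runner's network namespace instead of the default bridged one, so it can reach whatever the runner itself can reach; the patch fixes the list syntax but does not record why host networking is needed. A one-line comment above the entry, e.g. `# network=host: <reason this build needs the runner's network>`, or dropping the entry if no such reason exists, keeps that decision reviewable. The `|` block scalar also keeps a trailing newline; `driver-opts: |-` produces the same two entries without an empty trailing line, assuming the action splits the input on newlines as its README describes.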
From 3410afc77fb70b11f9ede9a33ace6f1c26c56542 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Fri, 16 Aug 2024 20:25:08 -0500
Subject: [PATCH 12/12] gha: update docker-image to use oidc

---
 .github/workflows/docker-image.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index f44563c..33cb767 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -5,15 +5,17 @@ on:
 tags: ['*']
 branches: ['master']
 paths-ignore: ['charts/**']
+permissions:
+ id-token: write
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
 - uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
- aws-region: us-west-2
+ aws-region: ${{ vars.RP_AWS_CRED_REGION }}
+ role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
 - uses: aws-actions/aws-secretsmanager-get-secrets@v2
 with:
 secret-ids: |
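Review bot: The new `role-to-assume` line assumes the role under the action's default session name, so every run of every repository that follows this role-name pattern appears in CloudTrail under the same session identity; adding `role-session-name: ${{ github.event.repository.name }}-${{ github.run_id }}` beside it makes each AssumeRoleWithWebIdentity record attributable to one workflow run. The workflow-level `permissions:` block grants only `id-token: write` and `contents: read`, which is the right shape for OIDC and also removes the default write scopes from the remaining steps. Whether the role's trust policy restricts the OIDC `sub` claim to this repository and its `master` and tag refs is not visible here and is worth confirming on the AWS side. The secrets-manager step's `with:` block continues past the hunk.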