diff --git a/.github/workflows/container-ci.yaml b/.github/workflows/container-ci.yaml
index 34c91557..8afc941c 100644
--- a/.github/workflows/container-ci.yaml
+++ b/.github/workflows/container-ci.yaml
@@ -35,6 +35,10 @@ on:
 description: 'Enter Bash Env Variable Overrides in `KEY=VAL KEY2=VAL2` format:'
 required: false
 type: string
+ ref:
+ description: 'Enter Git Ref:'
+ required: true
+ type: string
 runner_label:
 description: 'Enter Validation Runner Label:'
 default: test-runner
@@ -66,6 +70,9 @@ on:
 no_start:
 required: false
 type: boolean
+ ref:
+ required: true
+ type: string
 jobs:
 ####################################################################################################
 # Compose Build
@@ -76,6 +83,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
 - name: Set Matrix
 id: build-matrix
 run: echo "matrix=$(jq -c . < ${{ inputs.group_dir }}/.actions.json)" >> $GITHUB_OUTPUT
@@ -93,6 +102,8 @@ jobs:
 group: ${{ steps.build-group.outputs.container-group }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
 if: ${{ !inputs.no_build }}
 - uses: docker/login-action@v3
 with:
@@ -136,6 +147,8 @@ jobs:
 fail-fast: false
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
 - uses: docker/login-action@v3
 with:
 registry: ${{ secrets.REGISTRY }}
@@ -164,6 +177,8 @@ jobs:
 matrix: ${{ steps.test-matrix.outputs.matrix }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
 - name: Get Recipes
 id: test-matrix
 run: echo "matrix=$(find ${{ inputs.group_dir }} -type f -name 'tests.yaml' -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
@@ -181,6 +196,8 @@ jobs:
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
 - uses: docker/login-action@v3
 with:
 registry: ${{ secrets.REGISTRY }}
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index b5c15d4b..c8db227d 100644
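Review bot: The `ref` input added under `workflow_call` in the `@@ -66,6 +70,9 @@` hunk carries no `description`, unlike its `workflow_dispatch` twin, and neither input has a `default`, so a manual run now has to type a ref by hand while `runner_label` right next to it defaults to `test-runner`. Because the later hunks check out `inputs.ref` immediately before `docker/login-action@v3` with `secrets.REGISTRY`, the description should say what that ref controls, e.g. `description: 'Git ref (branch, tag, SHA or refs/pull/N/merge) whose tree is built, tested and pushed'`. A `default: main` on the dispatch input would match the style of the existing inputs without changing what callers of the reusable workflow must pass.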
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -25,14 +25,14 @@ on: [pull_request]
 permissions:
 contents: read
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 jobs:
 dependency-review:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/dependency-review-action@v4
- with:
- comment-summary-in-pr: true
+ - uses: actions/checkout@v4
+ - uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: true
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 10ac0a19..f2849b6b 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -15,7 +15,7 @@ name: Docker Description Publish
 on:
 push:
- branches: [ "main" ]
+ branches: ["main"]
 permissions: read-all
 jobs:
 setup-matrix:
@@ -23,10 +23,10 @@ jobs:
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
- - uses: actions/checkout@v4
- - name: Set matrix data
- id: set-matrix
- run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
+ - uses: actions/checkout@v4
+ - name: Set matrix data
+ id: set-matrix
+ run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
 publish-dockerhub-description:
 runs-on: ubuntu-latest
 needs: setup-matrix
@@ -34,10 +34,10 @@ jobs:
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
 fail-fast: false
 steps:
- - uses: actions/checkout@v4
- - uses: peter-evans/dockerhub-description@v4
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_PASSWORD }}
- repository: ${{ matrix.readmes.repo-name }}
- readme-filepath: ${{ matrix.readmes.fname }}
+ - uses: actions/checkout@v4
+ - uses: peter-evans/dockerhub-description@v4
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_PASSWORD }}
+ repository: ${{ matrix.readmes.repo-name }}
+ readme-filepath: ${{ matrix.readmes.fname }}
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index f1a207e4..e927369d 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -21,7 +21,7 @@ on:
 - main
 permissions: read-all
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 jobs:
 mkdocs:
@@ -31,17 +31,17 @@ jobs:
 id-token: write
 pages: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- with:
- python-version: 3.8
- cache: pip
- - name: Install python requirements
- run: python -m pip install -r docs/requirements.txt
- - name: Build
- run: mkdocs build --clean
- - uses: actions/upload-pages-artifact@v3
- with:
- path: site
- - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
- uses: actions/deploy-pages@v4
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: 3.8
+ cache: pip
+ - name: Install python requirements
+ run: python -m pip install -r docs/requirements.txt
+ - name: Build
+ run: mkdocs build --clean
+ - uses: actions/upload-pages-artifact@v3
+ with:
+ path: site
+ - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml
index 947408a2..c9fa7f7d 100644
--- a/.github/workflows/gitleaks.yaml
+++ b/.github/workflows/gitleaks.yaml
@@ -16,8 +16,10 @@ name: gitleaks
 on:
 push:
 branches:
- - main
- pull_request: null
+ - main
+ pull_request_target:
+ types: [opened, edited, reopened, synchronize]
+ branches: [main]
 workflow_dispatch: null
 permissions: read-all
 jobs:
@@ -25,10 +27,11 @@ jobs:
 name: gitleaks
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
- env:
- GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
- GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
+ - uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml
index 325d7006..134a6bf5 100644
--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -12,14 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. ----
 name: Integration Tests
 on:
 merge_group: null
- pull_request: null
+ pull_request_target:
+ types: [opened, edited, reopened, synchronize]
+ branches: [main]
 permissions: read-all
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 jobs:
 group-diff:
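Review bot: The added `ref:` line nests `${{ github.event.number }}` inside a string literal of an outer `${{ }}` expression, which the Actions expression syntax does not support — the outer expression most likely ends at the first `}}`, leaving an unterminated string and a workflow that fails to parse, and even if it were accepted a non-empty string literal is always truthy, so the `|| 'main'` fallback could never take effect. The same line is added in lint.yaml and three times in test-runner-ci.yaml. A single expression with a real fallback, written with the same context used for the concurrency group in this commit, is `ref: ${{ github.event.pull_request.number && format('refs/pull/{0}/merge', github.event.pull_request.number) || github.ref }}`. With `github.ref` as the fallback, `push` and `workflow_dispatch` runs check out exactly what they would without the `ref` key.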
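Review bot: After the switch to `pull_request_target`, the `group-diff` job (its steps are in the next hunk) still runs `git diff ... base.sha...head.sha` on a checkout that now defaults to the base branch rather than the pull request's merge ref; for a pull request from a fork, `head.sha` is presumably not among the refs that `fetch-depth: 0` fetches from the base repository, so the diff that used to work would fail with an unknown revision. Either pass the merge ref to that checkout as the other workflows in this commit do, or fetch `refs/pull/<number>/head` explicitly before diffing. Note also that `merge_group` stays in the trigger list, so the concurrency and ref expressions must keep working when `github.event.pull_request` is absent.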
@@ -27,34 +28,34 @@ jobs: outputs: groups: ${{ steps.group-list.outputs.FOLDERS }} steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Output Modified Group Directories - id: group-list - run: | - # Get diff array filtered by specific filetypes - DIFF=$(git diff --diff-filter=d \ - --name-only ${{ github.event.merge_group.base_sha || github.event.pull_request.base.sha }}...${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }} \ - -- '*/*Dockerfile' '*.py' '*.yaml' '*.yml' '*.sh' '*/*requirements.txt' '*.json' | \ - jq -R '.' | jq -sc '.' \ - ) - # Search for compose files in each file to determine the container groups - DOCKER_COMPOSE_PATHS=() - for path in $(echo $DIFF | jq -r '.[]'); do - while [[ "$path" != "." ]]; do - DIR_PATH=$(dirname "$path") - if [ -n "$(find "$DIR_PATH" -name 'docker-compose.yaml' -print -quit)" ] && [ "$DIR_PATH" != "." ]; then - DOCKER_COMPOSE_PATHS+=("$DIR_PATH") - path="." - else - path="$DIR_PATH" - fi - done + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Output Modified Group Directories + id: group-list + run: | + # Get diff array filtered by specific filetypes + DIFF=$(git diff --diff-filter=d \ + --name-only ${{ github.event.merge_group.base_sha || github.event.pull_request.base.sha }}...${{ github.event.merge_group.head_sha || github.event.pull_request.head.sha }} \ + -- '*/*Dockerfile' '*.py' '*.yaml' '*.yml' '*.sh' '*/*requirements.txt' '*.json' | \ + jq -R '.' | jq -sc '.' \ + ) + # Search for compose files in each file to determine the container groups + DOCKER_COMPOSE_PATHS=() + for path in $(echo $DIFF | jq -r '.[]'); do + while [[ "$path" != "." ]]; do + DIR_PATH=$(dirname "$path") + if [ -n "$(find "$DIR_PATH" -name 'docker-compose.yaml' -print -quit)" ] && [ "$DIR_PATH" != "." ]; then + DOCKER_COMPOSE_PATHS+=("$DIR_PATH") + path="." 
+ else + path="$DIR_PATH" + fi done - # Convert the array to a JSON array - DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)') - echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT + done + # Convert the array to a JSON array + DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)') + echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT pipeline-ci: needs: group-diff if: needs.group-diff.outputs.groups != '[""]' @@ -66,17 +67,18 @@ jobs: uses: ./.github/workflows/container-ci.yaml with: group_dir: ${{ matrix.group }} + ref: "refs/pull/${{ github.event.number }}/merge" secrets: inherit status-check: - needs: [ group-diff, pipeline-ci ] + needs: [group-diff, pipeline-ci] runs-on: ubuntu-latest if: always() steps: - - run: exit 1 - if: >- - ${{ - contains(needs.*.result, 'failure') - || contains(needs.*.result, 'cancelled') - || contains(needs.*.result, 'skipped') - && needs.group-diff.outputs.groups != '[""]' - }} + - run: exit 1 + if: >- + ${{ + contains(needs.*.result, 'failure') + || contains(needs.*.result, 'cancelled') + || contains(needs.*.result, 'skipped') + && needs.group-diff.outputs.groups != '[""]' + }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 42765f25..fdf4e5dd 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
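Review bot: `pipeline-ci` now passes `ref: "refs/pull/${{ github.event.number }}/merge"` together with `secrets: inherit` to container-ci.yaml while this workflow runs on `pull_request_target`, so the Dockerfiles, compose files and test recipes of a pull request from any fork are built and executed in jobs that hold the repository's secrets (container-ci logs in to `secrets.REGISTRY` directly after checking out `inputs.ref`); `pull_request_target` grants the base repository's trust, which is precisely what a build of not-yet-reviewed PR content should not receive. If fork PRs must be exercised, gate `pipeline-ci` on a deployment environment with required reviewers or on a maintainer-applied label, e.g. `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`, and keep registry pushes out of PR runs; otherwise `pull_request` is the right trigger for this workflow. Separately, `github.event.number` is empty on the `merge_group` event this workflow still triggers on, so the ref passed would be `refs/pull//merge` and the checkout in container-ci would fail; `ref: ${{ github.event.pull_request.number && format('refs/pull/{0}/merge', github.event.pull_request.number) || github.ref }}` falls back to the merge-queue ref. The `pipeline-ci` job definition starts before this hunk.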
@@ -12,37 +12,38 @@ # See the License for the specific language governing permissions and # limitations under the License. ----
 name: Lint
 permissions: read-all
 on:
 merge_group: null
- pull_request: null
+ pull_request_target:
+ types: [opened, edited, reopened, synchronize]
+ branches: [main]
 push:
 branches:
- - develop
- - main
+ - main
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 jobs:
 lint:
 name: Lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - uses: super-linter/super-linter/slim@v6.5.1
- env:
- # To report GitHub Actions status checks
- GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
- GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*'
- VALIDATE_BASH_EXEC: false
- VALIDATE_CHECKOV: false
- VALIDATE_HTML: false
- VALIDATE_KUBERNETES_KUBECONFORM: false
- VALIDATE_NATURAL_LANGUAGE: false
- VALIDATE_PYTHON_FLAKE8: false
- VALIDATE_PYTHON_MYPY: false
- VALIDATE_PYTHON_RUFF: false
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
+ - uses: super-linter/super-linter/slim@v6.5.1
+ env:
+ # To report GitHub Actions status checks
+ GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
+ GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*'
+ VALIDATE_BASH_EXEC: false
+ VALIDATE_CHECKOV: false
+ VALIDATE_HTML: false
+ VALIDATE_KUBERNETES_KUBECONFORM: false
+ VALIDATE_NATURAL_LANGUAGE: false
+ VALIDATE_PYTHON_FLAKE8: false
+ VALIDATE_PYTHON_MYPY: false
+ VALIDATE_PYTHON_RUFF: false
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index b56ec2ec..240202a4 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
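Review bot: With the trigger changed to `pull_request_target`, super-linter runs against the pull request's merge ref while `secrets.ACTION_TOKEN` sits in its environment, so the linter rule files a fork PR carries in the checked-out tree (which is, as far as I know, where super-linter reads them from) are processed by a job holding a repository secret, although linting needs nothing beyond the default token. Either keep `pull_request` for this job, or keep `pull_request_target` but set `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and give the job an explicit `permissions: { statuses: write }` if status reporting is what `ACTION_TOKEN` was providing. The added `ref:` line has the same nested-expression problem as the one in gitleaks.yaml and will not fall back to `main`.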
@@ -20,9 +20,9 @@ name: Scorecard supply-chain security
 on:
 branch_protection_rule:
 schedule:
- - cron: '0 6 * * 0'
+ - cron: '0 6 * * 0'
 push:
- branches: [ "main" ]
+ branches: ["main"]
 workflow_dispatch:
 permissions: read-all
 jobs:
@@ -35,20 +35,20 @@ jobs:
 contents: read
 actions: read
 steps:
- - uses: actions/checkout@v4
- with:
- persist-credentials: false
- - uses: ossf/scorecard-action@v2.3.3
- with:
- results_file: results.sarif
- results_format: sarif
- repo_token: ${{ secrets.ACTION_TOKEN }}
- publish_results: true
- - uses: actions/upload-artifact@v4
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
- - uses: github/codeql-action/upload-sarif@v3.25.3
- with:
- sarif_file: results.sarif
+ - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - uses: ossf/scorecard-action@v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ repo_token: ${{ secrets.ACTION_TOKEN }}
+ publish_results: true
+ - uses: actions/upload-artifact@v4
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+ - uses: github/codeql-action/upload-sarif@v3.25.3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test-runner-ci.yaml b/.github/workflows/test-runner-ci.yaml
index 291c2201..84dbd711 100644
--- a/.github/workflows/test-runner-ci.yaml
+++ b/.github/workflows/test-runner-ci.yaml
@@ -15,7 +15,9 @@ name: Test Runner CI
 on:
 merge_group: null
- pull_request:
+ pull_request_target:
+ types: [opened, edited, reopened, synchronize]
+ branches: [main]
 paths:
 - 'test-runner/**'
 push:
@@ -23,7 +25,7 @@ on:
 - main
 permissions: read-all
 concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
 jobs:
 unit-test:
@@ -34,6 +36,8 @@ jobs:
 fail-fast: true
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
 - uses: docker/setup-buildx-action@v3
 with:
 driver: docker
@@ -63,6 +67,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
 - uses: actions/setup-python@v5
 with:
 python-version: "3.10"
@@ -89,6 +95,8 @@ jobs:
 runs-on: k8-runners
 steps:
 - uses: actions/checkout@v4
+ with:
+ ref: ${{ 'refs/pull/${{ github.event.number }}/merge' || 'main' }}
 - uses: docker/setup-buildx-action@v3
 with:
 driver: docker
diff --git a/.github/workflows/weekly-test.yaml b/.github/workflows/weekly-test.yaml
index eb1d966c..c704e1e3 100644
--- a/.github/workflows/weekly-test.yaml
+++ b/.github/workflows/weekly-test.yaml
@@ -15,7 +15,7 @@ name: Weekly Tests
 on:
 schedule:
- - cron: "0 0 * * 0"
+ - cron: "0 0 * * 0"
 workflow_dispatch: null
 permissions: read-all
 jobs:
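Review bot: All three checkouts now take the pull request's merge ref under the `pull_request_target` trigger added in the previous hunk, so the `test-runner/**` code a fork PR changes is built (`docker/setup-buildx-action@v3` jobs, one of them on the self-hosted `k8-runners`) and executed (`actions/setup-python@v5` job) with the base repository's trust — a token scoped to this repository and access to its secrets, whether or not the visible lines reference one. Run these jobs on `pull_request` unless a secret is genuinely required, and if it is, gate them on an approval environment or a same-repository check such as `if: github.event.pull_request.head.repo.full_name == github.repository`. The `ref:` expression repeated in each hunk is the broken nested one noted on gitleaks.yaml; the `paths:` filter limits which PRs trigger the run, not what the run can reach once started. Each job's definition starts before its hunk.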
@@ -24,18 +24,18 @@ jobs:
 outputs:
 groups: ${{ steps.group-list.outputs.FOLDERS }}
 steps:
- - uses: actions/checkout@v4
- - name: Output Group Directories
- id: group-list
- run: |
- DOCKER_COMPOSE_PATHS=()
- for path in $(find . -name 'docker-compose.yaml'); do
- DIR_PATH=$(dirname "$path")
- DOCKER_COMPOSE_PATHS+=("${DIR_PATH:2}")
- done
- # Convert the array to a JSON array
- DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | uniq | jq -R '.' | jq -sc '.')
- echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
+ - uses: actions/checkout@v4
+ - name: Output Group Directories
+ id: group-list
+ run: |
+ DOCKER_COMPOSE_PATHS=()
+ for path in $(find . -name 'docker-compose.yaml'); do
+ DIR_PATH=$(dirname "$path")
+ DOCKER_COMPOSE_PATHS+=("${DIR_PATH:2}")
+ done
+ # Convert the array to a JSON array
+ DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | uniq | jq -R '.' | jq -sc '.')
+ echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
 pipeline-ci:
 needs: [get-groups]
 strategy:
@@ -46,4 +46,5 @@ jobs:
 uses: ./.github/workflows/container-ci.yaml
 with:
 group_dir: ${{ matrix.group }}
+ ref: main
 secrets: inherit