From 8c54f6dca2dfd72538ab284b5f6520ead94dd2c0 Mon Sep 17 00:00:00 2001
From: Christophe Jauffret
Date: Tue, 21 Mar 2023 12:05:45 +0100
Subject: [PATCH] add CI tooling
---
 .github/ISSUE_TEMPLATE/bug_report.md | 26 ++++++++
 .github/ISSUE_TEMPLATE/feature_request.md | 21 +++++++
 .github/PULL_REQUEST_TEMPLATE.md | 30 ++++++++++
 .github/dependabot.yml | 18 ++++++
 .github/release.yaml | 24 ++++++++
 .github/workflows/build-dev.yaml | 35 +++++++++++
 .github/workflows/codeql-analysis.yaml | 51 ++++++++++++++++
 .github/workflows/release.yaml | 60 +++++++++++++++++++
 .github/workflows/synopsys-schedule.yaml | 29 +++++++++
 .github/workflows/synopsys.yaml | 30 ++++++++++
 .github/workflows/trivy-scan.yaml | 56 +++++++++++++++++
 Makefile | 2 +-
 README.md | 2 +-
 .../cmd.go | 0
 .../main.go | 0
 15 files changed, 382 insertions(+), 2 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
 create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
 create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/release.yaml
 create mode 100644 .github/workflows/build-dev.yaml
 create mode 100644 .github/workflows/codeql-analysis.yaml
 create mode 100644 .github/workflows/release.yaml
 create mode 100644 .github/workflows/synopsys-schedule.yaml
 create mode 100644 .github/workflows/synopsys.yaml
 create mode 100644 .github/workflows/trivy-scan.yaml
 rename cmd/{ntnx-system => cosi-driver-nutanix}/cmd.go (100%)
 rename cmd/{ntnx-system => cosi-driver-nutanix}/main.go (100%)
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..09ca980
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,26 @@
+---
+name: Bug report
+about: Tell us about a problem you are experiencing
+
+---
+
+/kind bug
+
+**What steps did you take and what happened:**
+
+_A clear and concise description of what the bug is and how has this been tested. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration_
+
+
+**What did you expect to happen:**
+
+
+**Anything else you would like to add:**
+
+_Miscellaneous information that will assist in solving the issue._
+
+
+**Environment:**
+
+- Nutanix objects version:
+- Nutanix COSI version:
+- Kubernetes version: (use `kubectl version`):
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 0000000..a150f1f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,21 @@
+---
+name: Feature enhancement request
+about: Suggest an idea for this project
+
+---
+
+/kind feature
+
+**Describe the solution you'd like**
+[A clear and concise description of what you want to happen.]
+
+
+**Anything else you would like to add:**
+[Miscellaneous information that will assist in solving the issue.]
+
+
+**Environment:**
+
+- Nutanix objects version:
+- Nutanix COSI version:
+- Kubernetes version: (use `kubectl version`):
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..1803986
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,30 @@ + + +**What this PR does / why we need it**: + +**Which issue(s) this PR fixes** *(optional, in `fixes #(, fixes #, ...)` format, will close the issue(s) when PR gets merged)*: +Fixes # + +**How Has This Been Tested?**: + +_Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration and test output_ + + +**Special notes for your reviewer**: + +_Please confirm that if this PR changes any image versions, then that's the sole change this PR makes._ + +**Release note**: + +```release-note + +``` \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..dcc3cb2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + # Enable version updates for Go modules + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "daily" + + # Enable version updates for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" \ No newline at end of file diff --git a/.github/release.yaml b/.github/release.yaml new file mode 100644 index 0000000..d3b94dc --- /dev/null +++ b/.github/release.yaml 
@@ -0,0 +1,24 @@ +# .github/release.yml + +changelog: + exclude: + labels: + - ignore-for-release + categories: + - title: Breaking Changes 🛠 + labels: + - Semver-Major + - breaking-change + - title: Exciting New Features 🎉 + labels: + - Semver-Minor + - enhancement + - title: Bug Fixes 🐛 + labels: + - bug + - title: Documentation 📖 + labels: + - documentation + - title: Other Changes + labels: + - "*" \ No newline at end of file diff --git a/.github/workflows/build-dev.yaml b/.github/workflows/build-dev.yaml new file mode 100644 index 0000000..127bef9 --- /dev/null +++ b/.github/workflows/build-dev.yaml @@ -0,0 +1,35 @@ +name: Test Build +env: + EXPORT_RESULT: true +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] +jobs: + build-container: + runs-on: ubuntu-latest + steps: + - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event." + - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}." + + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: "^1.19" + + - name: Test build + run: make build + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.9.2 + with: + scan-type: "fs" + ignore-unfixed: true + format: "table" + exit-code: "1" + vuln-type: "os,library" + severity: "CRITICAL,HIGH" \ No newline at end of file diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml new file mode 100644 index 0000000..83161a4 --- /dev/null +++ b/.github/workflows/codeql-analysis.yaml 
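Review bot: The build-dev workflow declares no `permissions:` block, so the Checkout, Test build and Trivy steps run with whatever default GITHUB_TOKEN scope the repository has configured, which may be read/write across all scopes depending on repository settings; a job that only checks out, builds and scans needs `permissions:` / `  contents: read` at the top of the file. The same gap exists in release.yaml (which additionally needs `packages: write` for the GHCR push), synopsys-schedule.yaml and synopsys.yaml, while trivy-scan.yaml already declares it correctly. Separately, every `uses:` in these workflows references a mutable tag (`actions/checkout@v3`, `actions/setup-go@v4`, `aquasecurity/trivy-action@0.9.2`) rather than a commit SHA, so a force-moved or compromised tag would execute in CI with that token; pinning to a full SHA with a `# vX.Y.Z` comment is the usual mitigation and still lets the Dependabot `github-actions` updates configured in this commit bump the pins. The `EXPORT_RESULT: true` env at the top of the file does not appear to be read by any step in this hunk and could be dropped.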
@@ -0,0 +1,51 @@ +name: "Code Scanning - Action" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '30 1 * * 0' + +jobs: + CodeQL-Build: + runs-on: ubuntu-latest + + permissions: + # required for all workflows + security-events: write + + # only required for workflows in private repositories + actions: read + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + # Override language selection by uncommenting this and choosing your languages + # with: + # languages: go, javascript, csharp, python, cpp, java + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below). + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following + # three lines and modify them (or add more) to build your code if your + # project uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..d54704d --- /dev/null +++ b/.github/workflows/release.yaml 
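Review bot: The Initialize CodeQL step leaves language selection to auto-detection while keeping the starter template's commented-out `with:`/`languages:` block; for what appears to be a Go-only repository, an explicit `with:` / `  languages: go` makes the scanned language deliberate and stops the scan quietly changing if other file types are added later. The remaining starter-template commentary (the ℹ/📚/✏ notes and the commented `make bootstrap`/`make release` lines) carries no information for this project and could be trimmed to a one-line comment on the Autobuild step saying it builds the Go module. Scoping `security-events: write` and `contents: read` at job level is the right place; the workflow's top-level default stays unrestricted, which is harmless here only because the file has a single job.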
@@ -0,0 +1,60 @@ +name: Generate release artefact + +on: + push: + tags: + - "v*.*.*" + +jobs: + build_release: + name: Build Release + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Get repository name + run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: "^1.19" + + - name: Install tools + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: "github" + kustomize: "latest" + ko: "latest" + + - name: Login to GHCR + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@v4 + with: + images: capi-nutanix + sep-tags: "," + sep-labels: "," + tags: | + type=semver,pattern=v{{version}} + type=semver,pattern=v{{major}}.{{minor}} + type=semver,pattern=v{{major}} + type=sha + + - name: Build container + env: + KO_DOCKER_REPO: ghcr.io/${{ github.repository }} + TAGS: ${{ steps.meta.outputs.tags }} + LABELS: ${{ steps.meta.outputs.labels }} + PLATFORMS: linux/amd64,linux/arm64,linux/arm + run: | + PTAGS=`echo $TAGS | sed 's/capi-nutanix://g'` + export SOURCE_DATE_EPOCH=$(date +%s) + ko build --bare --image-label "$LABELS" -t "$PTAGS" --platform=$PLATFORMS ./cmd/${{ env.REPOSITORY_NAME }} diff --git a/.github/workflows/synopsys-schedule.yaml b/.github/workflows/synopsys-schedule.yaml new file mode 100644 index 0000000..c352d95 --- /dev/null +++ b/.github/workflows/synopsys-schedule.yaml 
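Review bot: `export SOURCE_DATE_EPOCH=$(date +%s)` in the Build container step sets the image timestamp to the build time, which is the opposite of what SOURCE_DATE_EPOCH exists for: ko reads it to make the image creation time reproducible, so two builds of the same tag now yield different digests; `export SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)` derives it from the tagged commit instead. The Install tools step requests `ko: "latest"` and `kustomize: "latest"`, so a release artefact is built by whatever ko version exists on the day the tag is pushed; a release pipeline should pin the tool version, and kustomize is not used by any step in this hunk. The `images: capi-nutanix` value given to docker/metadata-action and then stripped with `sed 's/capi-nutanix://g'` looks carried over from another project; since `--bare` only needs the tag portion, using `images: ${{ env.REPOSITORY_NAME }}` and stripping that name would at least keep the workflow self-describing. The backtick command substitution on the PTAGS line should be `PTAGS=$(echo "$TAGS" | sed 's/capi-nutanix://g')` for consistency with the `$(...)` form used on the next line.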
@@ -0,0 +1,29 @@ +name: Black Duck Intelligent Policy Check +on: + schedule: + - cron: "0 0 * * *" + +jobs: + security: + if: github.repository == 'nutanix-cloud-native/cosi-driver-nutanix' + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: "^1.19" + + - name: Build Project + run: make build + + - name: Run Synopsys Detect + uses: synopsys-sig/detect-action@v0.3.4 + with: + scan-mode: INTELLIGENT + github-token: ${{ secrets.GITHUB_TOKEN }} + detect-version: 7.9.0 + blackduck-url: ${{ secrets.BLACKDUCK_URL }} + blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/synopsys.yaml b/.github/workflows/synopsys.yaml new file mode 100644 index 0000000..67e40b2 --- /dev/null +++ b/.github/workflows/synopsys.yaml @@ -0,0 +1,30 @@ +name: Black Duck Policy Check +on: + pull_request: + branches: + - main + push: + +jobs: + security: + if: github.repository == 'nutanix-cloud-native/cosi-driver-nutanix' + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: "^1.19" + + - name: Build Project + run: make build + + - name: Run Synopsys Detect + uses: synopsys-sig/detect-action@v0.3.4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + detect-version: 7.9.0 + blackduck-url: ${{ secrets.BLACKDUCK_URL }} + blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml new file mode 100644 index 0000000..d2c80de --- /dev/null +++ b/.github/workflows/trivy-scan.yaml 
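Review bot: In synopsys.yaml the `push:` trigger has no branch filter, so every push to any branch starts a Black Duck scan with the `BLACKDUCK_*` secrets, whereas `pull_request:` is restricted to `main`; the scheduled workflow already covers `main` daily, so `push:` should probably get `branches: [main]` as well or be dropped. For pull requests opened from forks GitHub does not expose repository secrets, so `blackduck-url` and `blackduck-api-token` arrive empty and the Run Synopsys Detect step fails instead of being skipped; the `if: github.repository == ...` guard does not cover this, because the base repository is the same for a fork PR. Extending the guard to `if: github.repository == 'nutanix-cloud-native/cosi-driver-nutanix' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false)` keeps the scan on trusted pushes and internal PRs without moving to `pull_request_target`, which would run fork code with the secrets. The same trigger question does not arise for synopsys-schedule.yaml, which is cron-only.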
@@ -0,0 +1,56 @@ +name: Trivy Scan + +on: + workflow_dispatch: + schedule: + - cron: "17 17 * * *" + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read + security-events: write + name: Scan + runs-on: "ubuntu-latest" + steps: + - name: Checkout Code + uses: actions/checkout@v3 + + - name: Get repository name + run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV + + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: "^1.19" + + - name: Install tools + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: "github" + kustomize: "latest" + ko: "latest" + + - name: Build container + env: + KO_DOCKER_REPO: ko.local + PLATFORMS: linux/amd64,linux/arm64,linux/arm + run: | + export SOURCE_DATE_EPOCH=$(date +%s) + ko build -B -t ${{ github.sha }} --platform=$PLATFORMS ./cmd/${{ env.REPOSITORY_NAME }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.9.2 + with: + image-ref: "ko.local/${{ env.REPOSITORY_NAME }}:${{ github.sha }}" + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: "trivy-results.sarif" \ No newline at end of file diff --git a/Makefile b/Makefile index 338a763..3b4f692 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -CMDS=ntnx-system +CMDS=cosi-driver-nutanix REGISTRY_NAME=quay.io/ntnxcosi IMAGE_TAGS=canary diff --git a/README.md b/README.md index a99a31f..ef092b4 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# k8s-ntnx-object-cosi +# COSI Driver Nutanix Nutanix COSI Driver provides reference implementation for Container Object Storage Interface (COSI) API for Nutanix Object Store ## Install CRDs 
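Review bot: The `image-ref` given to Trivy, `ko.local/${{ env.REPOSITORY_NAME }}:${{ github.sha }}`, only matches what `ko build -B` produces because the command directory `cmd/cosi-driver-nutanix` (renamed in this same commit) happens to equal the repository name; `-B` names the image after the last element of the import path, not after the repository, so renaming either side would make the scan silently target a non-existent image. Capturing ko's printed reference removes the coupling: `IMAGE=$(ko build -B -t ${{ github.sha }} --platform=$PLATFORMS ./cmd/${{ env.REPOSITORY_NAME }})` followed by `echo "IMAGE=$IMAGE" >> $GITHUB_ENV`, with `image-ref: ${{ env.IMAGE }}` in the Trivy step. The `ko: "latest"` install and `SOURCE_DATE_EPOCH=$(date +%s)` carry the same concerns raised on release.yaml. Whether a three-platform build publishes cleanly to the local daemon and which platform Trivy then inspects is not visible from the hunk; if only one manifest ends up scanned, that is worth confirming and documenting on the Build container step.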
diff --git a/cmd/ntnx-system/cmd.go b/cmd/cosi-driver-nutanix/cmd.go
similarity index 100%
rename from cmd/ntnx-system/cmd.go
rename to cmd/cosi-driver-nutanix/cmd.go
diff --git a/cmd/ntnx-system/main.go b/cmd/cosi-driver-nutanix/main.go
similarity index 100%
rename from cmd/ntnx-system/main.go
rename to cmd/cosi-driver-nutanix/main.go