diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7f63f0828ca..e5f8044e170 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,18 +9,20 @@ on: schedule: - cron: '0 10 * * 1' +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ GO_VERSION: 1.21.6 + jobs: CodeQL-Build: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache @@ -31,21 +33,17 @@ jobs: key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} cache: false - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 with: languages: go - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - name: Autobuild uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12 diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml index bcca6be23fc..0141df7f1af 100644 --- a/.github/workflows/label_check.yaml +++ b/.github/workflows/label_check.yaml 
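Review bot: The workflow-level `permissions: contents: read` added in the first hunk leaves every other token scope at `none`, and no job-level `permissions` block is visible on `CodeQL-Build`, so the `github/codeql-action/analyze` step would lack the `security-events: write` scope it uses to upload results. If the job has no override outside these hunks, add one under `CodeQL-Build`: `permissions:` with `contents: read` and `security-events: write`. A job-level block replaces the workflow default rather than merging with it, so `contents: read` has to be repeated there. The job body is only partly visible in the hunk, so confirm against the full file.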
@@ -6,9 +6,13 @@ on: types: [opened, labeled, unlabeled, synchronize] branches: [main] +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: # Ensures correct release-note labels are set: # - At least one label 
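Review bot: `SLACK_WEBHOOK_URL` stays in the workflow-level `env` right next to the new `permissions` block, so the secret is exported to every step of every job, including the third-party `mheap/github-action-required-labels` steps that have no use for it. The `permissions` key limits only `GITHUB_TOKEN`; it does nothing for secrets passed through `env`. Moving the variable to an `env:` on the step that posts to Slack keeps it out of the other steps. The same applies to the workflow-level `env` in `prbuild.yaml`, where only the `act10ns/slack` steps appear to need it. Which step in this file consumes the webhook is not visible in the hunk.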
@@ -20,28 +24,29 @@ jobs: name: Check release-note label set runs-on: ubuntu-latest steps: - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: minimum - count: 1 - labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required" - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: maximum - count: 1 - labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required" - - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 - with: - mode: maximum - count: 1 - labels: "release-note/deprecation, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: minimum + count: 1 + labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: maximum + count: 1 + labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required" + - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0 + with: + mode: maximum + count: 1 + labels: "release-note/deprecation, release-note/none-required" check-changelog: name: Check for changelog file - needs: - - check-label + needs: [check-label] runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: # * Module download cache 
diff --git a/.github/workflows/prbuild.yaml b/.github/workflows/prbuild.yaml index 3e653681476..ed0c0d1c80b 100644 --- a/.github/workflows/prbuild.yaml +++ b/.github/workflows/prbuild.yaml @@ -4,10 +4,13 @@ name: Build and Test Pull Request on: push: branches-ignore: - - "dependabot/**" + - "dependabot/**" pull_request: types: [opened, synchronize] +permissions: + contents: read + env: GOPROXY: https://proxy.golang.org/ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} 
@@ -16,83 +19,91 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: golangci-lint - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 - with: - version: v1.55.2 - # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 - # is resolved - args: --build-tags=e2e,conformance,gcp,oidc,none - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + version: v1.55.2 + # TODO: re-enable linting tools package once https://github.com/projectcontour/contour/issues/5077 + # is resolved + args: --build-tags=e2e,conformance,gcp,oidc,none + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} codespell: name: Codespell runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Codespell - uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0 - with: - skip: 
.git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go,go.mod,go.sum - ignore_words_file: './.codespell.ignorewords' - check_filenames: true - check_hidden: true - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Codespell + uses: codespell-project/actions-codespell@94259cd8be02ad2903ba34a22d9c13de21a74461 # v2.0 + with: + skip: .git,*.png,*.woff,*.woff2,*.eot,*.ttf,*.jpg,*.ico,*.svg,./site/themes/contour/static/fonts/README.md,./vendor,./site/public,./hack/actions/check-changefile-exists.go,go.mod,go.sum + ignore_words_file: './.codespell.ignorewords' + check_filenames: true + check_hidden: true + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} codegen: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: 
generate - run: | - make generate lint-yamllint lint-flags - ./hack/actions/check-uncommitted-codegen.sh - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: generate + run: | + make generate lint-yamllint lint-flags + ./hack/actions/check-uncommitted-codegen.sh + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} build-image: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: ubuntu-latest steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: 
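Review bot: The `add deps to path` step in `codegen` expands `$GITHUB_WORKSPACE` and `$GITHUB_PATH` unquoted, which breaks on any workspace path that contains whitespace or glob characters. Quote both: `./hack/actions/install-kubernetes-toolchain.sh "$GITHUB_WORKSPACE/bin"` and `echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"`. The same two lines recur in the e2e, upgrade, test-linux, test-osx and gateway-conformance jobs in the later hunks of this file.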
@@ -128,56 +139,58 @@ jobs: # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: - - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" - - config_type: "ConfigmapConfiguration" - use_config_crd: "false" - - config_type: "ContourConfiguration" - use_config_crd: "true" + - kubernetes_version: "kubernetes:latest" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" + - kubernetes_version: "kubernetes:n-1" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + - kubernetes_version: "kubernetes:n-2" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + - config_type: "ConfigmapConfiguration" + use_config_crd: "false" + - config_type: "ContourConfiguration" + use_config_crd: "true" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # 
v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: e2e tests - env: - NODEIMAGE: ${{ matrix.node_image }} - LOAD_PREBUILT_IMAGE: "true" - USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make e2e - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: e2e tests + env: + NODEIMAGE: ${{ matrix.node_image }} + LOAD_PREBUILT_IMAGE: "true" + USE_CONTOUR_CONFIGURATION_CRD: ${{ matrix.use_config_crd }} + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make e2e + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + 
with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} upgrade: runs-on: ubuntu-latest needs: [build-image] 
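Review bot: The `e2e tests` step derives `CONTOUR_E2E_IMAGE` by piping `ls ./image/contour-*.tar` through `sed`, which assumes the downloaded artifact holds exactly one tarball. With no match the tag is empty, and with several the tag contains newlines, so `make e2e` then runs against a malformed image reference instead of failing at the point of the mistake. A guard before the export would fail fast, for example `set -- ./image/contour-*.tar; [ "$#" -eq 1 ] && [ -f "$1" ] || exit 1`, and the sed pattern should escape the dot and anchor the suffix (`\.tar$`). The same expression is repeated in the `upgrade tests` and `Gateway API conformance tests` steps in the next hunk.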
@@ -191,170 +204,177 @@ jobs: # include defines an additional variable (the specific node # image to use) for each kubernetes_version value. include: - - kubernetes_version: "kubernetes:latest" - node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" - - kubernetes_version: "kubernetes:n-1" - node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" - - kubernetes_version: "kubernetes:n-2" - node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" + - kubernetes_version: "kubernetes:latest" + node_image: "docker.io/kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570" + - kubernetes_version: "kubernetes:n-1" + node_image: "docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31" + - kubernetes_version: "kubernetes:n-2" + node_image: "docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72" steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - # Fetch history for all tags and branches so we can figure out most - # recent release tag. 
- fetch-depth: 0 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: upgrade tests - env: - NODEIMAGE: ${{ matrix.node_image }} - MULTINODE_CLUSTER: "true" - LOAD_PREBUILT_IMAGE: "true" - SKIP_GATEWAY_API_INSTALL: "true" - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make upgrade - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + # Fetch history for all tags and branches so we can figure out most + # recent release tag. 
+ fetch-depth: 0 + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: upgrade tests + env: + NODEIMAGE: ${{ matrix.node_image }} + MULTINODE_CLUSTER: "true" + LOAD_PREBUILT_IMAGE: "true" + SKIP_GATEWAY_API_INSTALL: "true" + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make upgrade + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} test-linux: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - 
./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: test - run: | - make install - make check-coverage - - name: codeCoverage - if: ${{ success() }} - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 - with: - files: coverage.out - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: test + run: | + make install + make check-coverage + - name: codeCoverage + if: ${{ success() }} + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + with: + files: coverage.out + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} test-osx: needs: - - lint - - codespell - - codegen + - lint + - codespell + - codegen runs-on: macos-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: 
actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Windows) - path: | - ~/go/pkg/mod - ~/Library/Caches/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: test - run: | - make install - make check-coverage - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Windows) + path: | + ~/go/pkg/mod + ~/Library/Caches/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: test + run: | + make install + make check-coverage + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} gateway-conformance: runs-on: ubuntu-latest needs: [build-image] 
steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Download image - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 - with: - name: image - path: image - - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - # * Module download cache - # * Build cache (Linux) - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-${{ github.job }}-go- - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - cache: false - - name: add deps to path - run: | - ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin - echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH - - name: Gateway API conformance tests - env: - LOAD_PREBUILT_IMAGE: "true" - run: | - export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" - make gateway-conformance - - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 - with: - status: ${{ job.status }} - steps: ${{ toJson(steps) }} - channel: '#contour-ci-notifications' - if: ${{ failure() && github.ref == 'refs/heads/main' }} + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: Download image + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 + with: + name: image + path: image + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + # * Module download cache + # * Build cache (Linux) + path: | + ~/go/pkg/mod + ~/.cache/go-build + key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-${{ github.job }}-go- + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION 
}} + cache: false + - name: add deps to path + run: | + ./hack/actions/install-kubernetes-toolchain.sh $GITHUB_WORKSPACE/bin + echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH + - name: Gateway API conformance tests + env: + LOAD_PREBUILT_IMAGE: "true" + run: | + export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(ls ./image/contour-*.tar | sed -E 's/.*contour-(.*).tar/\1/')" + make gateway-conformance + - uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 + with: + status: ${{ job.status }} + steps: ${{ toJson(steps) }} + channel: '#contour-ci-notifications' + if: ${{ failure() && github.ref == 'refs/heads/main' }} diff --git a/.github/workflows/request-reviews.yaml b/.github/workflows/request-reviews.yaml index 5c1a70060d4..e1edc0c37ae 100644 --- a/.github/workflows/request-reviews.yaml +++ b/.github/workflows/request-reviews.yaml @@ -4,11 +4,14 @@ on: pull_request_target: types: [opened, ready_for_review, reopened] +permissions: + contents: read + jobs: request-reviews: runs-on: ubuntu-latest steps: - - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0 - with: - token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }} - config: .github/reviewers.yaml + - uses: necojackarc/auto-request-review@6a51cebffe2c084705d9a7b394abd802e0119633 # v0.12.0 + with: + token: ${{ secrets.PAT_FOR_AUTO_REQUEST_REVIEW }} + config: .github/reviewers.yaml diff --git a/.github/workflows/welcome-new-contributors.yaml b/.github/workflows/welcome-new-contributors.yaml index 9a5fa8c58d3..4e9fb0d5c5c 100644 --- a/.github/workflows/welcome-new-contributors.yaml +++ b/.github/workflows/welcome-new-contributors.yaml 
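Review bot: In `test-osx` the cache comment still reads `# * Build cache (Windows)`, although the job runs on `macos-latest` and the cached path is `~/Library/Caches/go-build`. Since the line is re-indented by this change anyway, it should read `# * Build cache (macOS)`. A wrong platform label makes it easy to copy the wrong cache path into a future job.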
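Review bot: The new `permissions: contents: read` in `request-reviews.yaml` restricts only `GITHUB_TOKEN`, while this `pull_request_target` job hands `secrets.PAT_FOR_AUTO_REQUEST_REVIEW` to a third-party action, so the effective privilege is whatever that PAT carries. The file has no comment stating the constraint that keeps this safe; add one above `pull_request_target:`, such as `# Runs with secrets on PRs from forks: never check out or execute PR code in this workflow.` No checkout step is visible in the job, so nothing in the hunk executes PR content today. Whether the PAT is scoped to the minimum needed for requesting reviews cannot be seen from this diff and is worth confirming.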
@@ -3,12 +3,14 @@ name: 'Welcome New Contributors' on: issues: types: [opened] + # Workloads with pull_request_target and the GitHub Token secret should never include executing untrusted code + # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + # And https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ pull_request_target: types: [opened] -# Workloads with pull_request_target and the GitHub Token secret should never include executing untrusted code -# See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target -# And https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ +permissions: + contents: read jobs: welcome-new-contributor: 
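Review bot: The relocated comment above `pull_request_target:` begins `Workloads with pull_request_target`, which presumably means `Workflows`; since the lines are being moved anyway, reword to `# Workflows triggered by pull_request_target that use the GitHub token must never execute untrusted code`. The `welcome-new-contributor` job appears to carry its own `permissions` (`issues: write`, `pull-requests: write` show as context in the next hunk, though the key itself is outside it). A job-level block replaces the workflow default, so the added `contents: read` acts only as a default for jobs added later.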
@@ -17,17 +19,17 @@ jobs: issues: write pull-requests: write steps: - - name: 'Greet the contributor' - uses: garg3133/welcome-new-contributors@a38583ed8282e23d63d7bf919ca2d9fb95300ca6 # v1.2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - issue-message: > - Hey @contributor_name! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! - We are glad to have you here and to have your input on Contour. - You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) - in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) - pr-message: > - Hi @contributor_name! Welcome to our community and thank you for opening your first Pull Request. - Someone will review it soon. Thank you for committing to making Contour better. - You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) - in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) + - name: 'Greet the contributor' + uses: garg3133/welcome-new-contributors@a38583ed8282e23d63d7bf919ca2d9fb95300ca6 # v1.2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-message: > + Hey @contributor_name! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! + We are glad to have you here and to have your input on Contour. + You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) + in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community) + pr-message: > + Hi @contributor_name! Welcome to our community and thank you for opening your first Pull Request. + Someone will review it soon. Thank you for committing to making Contour better. 
+ You can also join us on [our mailing list](https://groups.google.com/g/project-contour) and [in our channel](https://kubernetes.slack.com/archives/C8XRH2R4J) + in the [Kubernetes Slack Workspace](https://communityinviter.com/apps/kubernetes/community)