Skip to content

updating dependenices and go version to address vulnerabilities #527

updating dependenices and go version to address vulnerabilities

updating dependenices and go version to address vulnerabilities #527

Workflow file for this run

name: Build, Test, Automerge and Tag
# This workflow runs on all PRs that are targetting the main branch.
#
# It runs the test suite. If the PR is a release PR, it automerges and tags the main branch with
# the corresonding new version.
on:
pull_request_target:
types: [opened, synchronize, reopened]
branches: [ main ]
jobs:
build-test-release:
name: Build artifacts
runs-on: ubuntu-latest
steps:
- name: Checkout main branch
uses: actions/checkout@v4
- name: Checkout PR branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
path: "chart-verifier"
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: ./chart-verifier/go.mod
- name: Ensure Modules
working-directory: ./chart-verifier
run: make tidy
- name: Build Binary
working-directory: ./chart-verifier
run: make bin
- name: Run tests
working-directory: ./chart-verifier
run: |
# Run go tests
make test
if [[ ! -z $(git status -s) ]]
then
echo "go test - errors running go tests : $(git status -s)"
exit 1
fi
- name: Set up Python 3.x
uses: ./.github/actions/setup-python
- name: Set up Python scripts on PR branch
working-directory: ./chart-verifier
run: |
# set up python requirements and scripts on PR branch
python3 -m venv ve1
cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
cd scripts && ../ve1/bin/pip3 install . && cd ..
- name: Check if only release file in PR
working-directory: ./chart-verifier
id: check_version_in_PR
run: |
# check if release file only is included in PR
ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }}
- name: Get Date
id: get-date
run: |
echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a $GITHUB_OUTPUT
shell: bash
- uses: actions/cache@v4
id: cache
with:
path: ./chart-verifier/oc
key: ${{ steps.get-date.outputs.date }}
- name: Install oc
working-directory: ./chart-verifier
id: install-oc
run: |
# install oc
curl -sLO https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz
tar zxvf openshift-client-linux.tar.gz -C /usr/local/bin/
which oc
oc version --client=true
- name: Build podman Image
working-directory: ./chart-verifier
id: build_podman_image
run: |
# build a podman image
image_tag="test"
echo "Building container image using podman for the tests, tagging as $image_tag"
make build-image IMAGE_TAG=$image_tag
podman build -t quay.io/redhat-certification/chart-verifier:$image_tag .
echo "podman_image_tag=$image_tag" | tee -a $GITHUB_OUTPUT
- name: Create tarfile
id: create-tarfile
working-directory: ./chart-verifier
run: |
# create test tarball for the tests
ve1/bin/tar-file --release="test"
- name: Login to oc
working-directory: ./chart-verifier
env:
KUBECONFIG: /tmp/ci-kubeconfig
run: |
# oc login
API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
gpg --version
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then
# TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates
# This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place.
oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
else
oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
fi
ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER}
- name: Run the tests
working-directory: ./chart-verifier
env:
KUBECONFIG: /tmp/ci-kubeconfig
VERIFIER_TARBALL_NAME : ${{ steps.create-tarfile.outputs.tarball_full_name }}
PODMAN_IMAGE_TAG : ${{ steps.build_podman_image.outputs.podman_image_tag }}
id: run_test
run: |
# run pytest
ve1/bin/pytest -v --log-cli-level=WARNING --tb=short
- name: Delete Namespace
if: ${{ always() && steps.install-oc.conclusion == 'success' }}
working-directory: ./chart-verifier
env:
KUBECONFIG: /tmp/ci-kubeconfig
run: |
# delete the namespace
API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER}
ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }}
- name: Set up Python scripts on main branch
run: |
# set up python requirements and scripts on main branch
echo $(pwd)
python3 -m venv ve1
cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
cd scripts && ../ve1/bin/pip3 install . && cd ..
- name: Check for restricted files and user permissiom
id: check_authorization
run: |
# check for a restricted file and, if found, check user has permissiom
ve1/bin/check-user --api-url=${{ github.event.pull_request._links.self.href }} --user=${{ github.event.pull_request.user.login }}
- name: Check if version updated
id: check_version_updated
if: ${{ steps.check_version_in_PR.outputs.PR_includes_release == 'true' }}
run: |
# check if version file was changed
ve1/bin/release-checker --version=${{ steps.check_version_in_PR.outputs.PR_version }}
- name: Approve PR
id: approve_pr
if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
uses: hmarr/auto-approve-action@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Merge PR
id: merge_pr
if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
uses: pascalgn/automerge-action@v0.16.3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MERGE_METHOD: squash
MERGE_LABELS: ""
- name: Get main branch sha
id: main_sha
if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
run: |
git fetch
export ORIGIN_MAIN_SHA=$(git rev-parse origin/main)
echo "origin_main_sha=$ORIGIN_MAIN_SHA" | tee -a $GITHUB_OUTPUT
- name: Create release tag
id: create_release_tag
if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
uses: mathieudutour/github-tag-action@v6.2
with:
# It is necessary to use a Personal Access Token here rather than the usual GITHUB_TOKEN, as this
# step should trigger the release.yaml workflow, and events (such as tags) triggered by the
# GITHUB_TOKEN cannot create a new workflow run. See:
# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
# This Personal Access Token belongs to the openshift-helm-charts-bot account.
github_token: ${{ secrets.GH_HELM_BOT_TOKEN }}
custom_tag: ${{ steps.check_version_in_PR.outputs.PR_version }}
tag_prefix: ""
commit_sha: ${{ steps.main_sha.outputs.origin_main_sha }}