Skip to content

Commit

Permalink
Merge pull request #38 from eclipse-tractusx/main
Browse files Browse the repository at this point in the history 
build(release): merge main into dev
  • Loading branch information
@evegufy
evegufy authored Feb 16, 2024
2 parents 746140e + f0ea3ab commit 2ea617c
Show file tree
Hide file tree
Showing 31 changed files with 354 additions and 222 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/chart-release.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,14 @@ jobs:
helm dependency update
- name: Run chart-releaser
id: chart-release
uses: helm/[email protected]
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: "true"

- name: Push git tag for release workflow to be triggered
uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2
with:
tag: v${{ steps.chart-release.outputs.chart_version }}
if: ${{ steps.chart-release.outputs.changed_charts }}
105 changes: 105 additions & 0 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
###############################################################
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#

name: "CodeQL"

on:
push:
branches: [main]
paths:
- 'src/**'
pull_request:
paths:
- 'src/**'
schedule:
- cron: "0 0 * * *"
workflow_dispatch:

jobs:
analyze:
name: Analyze
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners
# Consider using larger runners for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: ["csharp"]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
# Use only 'java' to analyze code written in Java, Kotlin or both
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: +security-extended,security-and-quality

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.227
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/dependencies.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ jobs:
run: dotnet restore src

- name: List packages
run: dotnet list src package --include-transitive --interactive | grep ">" | grep -Pv "\s(Org|Microsoft|NuGet|System|runtime|docker|Docker|NETStandard)" | sed -E -e "s/\s+> ([a-zA-Z\.\-]+).+\s([0-9]+\.[0-9]+\.[0-9]+)\s*/nuget\/nuget\/\-\/\1\/\2/g" | awk '!seen[$0]++' > PACKAGES
run: dotnet list src package --include-transitive --interactive | grep ">" | grep -Pv "\s(Org.Eclipse.TractusX|Microsoft|NuGet|System|runtime|docker|Docker|NETStandard)" | sed -E -e "s/\s+> ([a-zA-Z\.\-]+).+\s([0-9]+\.[0-9]+\.[0-9]+)\s*/nuget\/nuget\/\-\/\1\/\2/g" | awk '!seen[$0]++' > PACKAGES

- name: Generate Dependencies file
run: java -jar ./scripts/download/org.eclipse.dash.licenses-1.0.2.jar PACKAGES -project automotive.tractusx -summary DEPENDENCIES || true
Expand Down
138 changes: 138 additions & 0 deletions .github/workflows/owasp-zap.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
###############################################################
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################

name: "OWASP ZAP (DAST Scan)"

on:
push:
branches: [main]
paths:
- 'src/**'
pull_request:
paths:
- 'src/**'
schedule:
# Once a day
- cron: "0 0 * * *"
workflow_dispatch:
# Trigger manually
inputs:
node_image:
description: 'kindest/node image for k8s kind cluster'
# k8s version from 3.1 release as default
default: 'kindest/node:v1.27.3'
required: false
type: string

jobs:
owasp-zap-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Kubernetes KinD Cluster
uses: container-tools/kind-action@0fc957b58d9a5bc9ca57a1b419324a2074c7653b # v2.0.3
with:
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
version: v0.20.0

- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.5.0

- name: Build migration image
id: build-migration-image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
file: docker/Dockerfile-policy-hub-migrations
push: true
tags: kind-registry:5000/policy-hub-migrations:testing

- name: Build service image
id: build-service-image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
context: .
file: docker/Dockerfile-policy-hub-service
push: true
tags: kind-registry:5000/policy-hub-service:testing

- name: Add bitnami repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
- name: Update Helm dependencies
run: |
cd charts/policy-hub
helm dependency build
- name: Install the chart on KinD cluster
run: helm install testing -n apps --create-namespace --wait --set policyhub.image=kind-registry:5000/policy-hub-service:testing --set=policyhubmigrations.image=kind-registry:5000/policy-hub-migrations:testing --set=policyhub.swaggerEnabled=true charts/policy-hub

- name: Configure port forward to app in KinD
run: |
echo "Getting Agent IP..."
IP_ADDR=$(hostname -i)
echo "-> IP: $IP_ADDR"
echo "IP_ADDR=$IP_ADDR" >> $GITHUB_ENV
POD_NAME=$(kubectl get pods --namespace apps -l "app.kubernetes.io/name=policy-hub,app.kubernetes.io/instance=testing" -o jsonpath="{.items[0].metadata.name}")
CONTAINER_PORT=$(kubectl get pod --namespace apps $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Port-forwarding 0.0.0.0:8080 to $POD_NAME:$CONTAINER_PORT..."
kubectl --namespace apps port-forward $POD_NAME 8080:$CONTAINER_PORT --address 0.0.0.0 &
- name: Generating report skeletons
if: success() || failure()
run: |
touch report_md.md report_html.html
chmod a+w report_md.md report_html.html
ls -lrt
- name: Run ZAP scan
run: |
set +e
echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://$IP_ADDR:8080/api/policy-hub/swagger/v2/swagger.json -f openapi -w report_md.md -r report_html.html -T 1
echo "... done."
- name: Add Summary
if: success() || failure()
run: |
echo "Publishing Job summary... "
cat report_md.md >> $GITHUB_STEP_SUMMARY
- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ZAP scan report
path: ./report_html.html
25 changes: 12 additions & 13 deletions .github/workflows/policy-hub-chart-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ on:
upgrade_from:
description: 'policyhub chart version to upgrade from'
# tbd
default: '0.1.0-rc.1'
default: '0.1.0-rc.2'
required: false
type: string

Expand Down Expand Up @@ -100,20 +100,19 @@ jobs:
fi
- name: Run chart-testing (lint)
run: ct lint --validate-maintainers=false --target-branch ${{ github.event.repository.default_branch }}
run: ct lint --validate-maintainers=false --check-version-increment=false --target-branch ${{ github.event.repository.default_branch }}

- name: Run service chart-testing (install)
run: ct install --charts charts/policy-hub --config charts/chart-testing-config.yaml --helm-extra-set-args "--set=policyhub.image=kind-registry:5000/policy-hub-service:testing --set=policyhubmigrations.image=kind-registry:5000/policy-hub-migrations:testing"
if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

# currently the update is commented out, at the moment we're working for the initial version, after that the update will be enabled
# Upgrade the released chart version with the locally available chart
# default value for event_name != workflow_dispatch
# - name: Run helm upgrade
# run: |
# helm repo add bitnami https://charts.bitnami.com/bitnami
# helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
# helm install policy-hub-service tractusx-dev/policy-hub-service --version ${{ github.event.inputs.upgrade_from || '1.0.0' }}
# helm dependency update charts/policy-hub-service
# helm upgrade policy-hub-service charts/policy-hub-service
# if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
# Upgrade the released chart version with the locally available chart
# default value for event_name != workflow_dispatch
- name: Run helm upgrade
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
helm install policy-hub tractusx-dev/policy-hub --version ${{ github.event.inputs.upgrade_from || '0.1.0-rc.2' }} --namespace upgrade --create-namespace
helm dependency update charts/policy-hub
helm upgrade policy-hub charts/policy-hub --set policyhub.image=kind-registry:5000/policy-hub-service:testing --set=policyhubmigrations.image=kind-registry:5000/policy-hub-migrations:testing --namespace upgrade
if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'
1 change: 1 addition & 0 deletions .github/workflows/release-please.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,3 +38,4 @@ jobs:
with:
target-branch: ${{ github.ref_name }}
release-type: simple
skip-github-release: true
Loading

0 comments on commit 2ea617c

Please sign in to comment.