From 455f79bde34c0f8269bba0b494bdd03b07a32f9b Mon Sep 17 00:00:00 2001 From: OpenShift Helm Charts Bot <83200018+openshift-helm-charts-bot@users.noreply.github.com> Date: Mon, 19 Aug 2024 08:40:19 -0500 Subject: [PATCH] Release-1.7.4 (#1572) Co-authored-by: openshift-helm-charts-bot <41898282+github-actions[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 20 ++--- .github/workflows/check-contributor.yml | 2 +- .github/workflows/ci-enabled.yml | 4 +- .github/workflows/mercury_bot.yml | 4 +- .github/workflows/owners.yml | 2 +- .github/workflows/python-style.yml | 2 +- .github/workflows/test-cluster-access.yml | 5 -- .github/workflows/test.yml | 4 +- .github/workflows/version_check.yml | 4 +- scripts/requirements.txt | 2 +- scripts/src/precheck/submission.py | 15 ++++ scripts/src/precheck/submission_test.py | 16 ++++ .../saforcharttesting/saforcharttesting.py | 78 +++++++------------ 13 files changed, 78 insertions(+), 80 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 33dfd47a79..7be1e6952d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,11 +4,6 @@ on: pull_request_target: types: [opened, synchronize, reopened, edited, ready_for_review, labeled] -env: - # Temporary workaround. See - # https://github.com/redhat-actions/openshift-tools-installer/issues/105 - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - jobs: setup: name: Setup CI @@ -392,7 +387,7 @@ jobs: - name: Approve PR id: approve_pr if: ${{ steps.check_report.conclusion == 'success' }} - uses: hmarr/auto-approve-action@v3 + uses: hmarr/auto-approve-action@v4 with: # The token we use for this changes for the Sandbox repository because the sandbox repository # receives PRs from the openshift-helm-charts-bot, and that same bot cannot approve its own 
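Review bot: The bumped `uses: hmarr/auto-approve-action@v4` is still pinned to a mutable major tag, in a workflow that runs on `pull_request_target` and approves PRs with the token supplied under `with:`, so a compromised or force-moved tag would execute in a privileged context. Pin the action to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: hmarr/auto-approve-action@<commit-sha-of-v4-release> # v4`. The same applies to the `softprops/*` actions bumped further down in this file. The job containing this step starts outside the hunk.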
@@ -456,9 +451,9 @@ jobs: - name: Block until there is no running workflow if: ${{ needs.setup.outputs.run_build == 'true' }} - uses: softprops/turnstyle@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: softprops/turnstyle@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} - name: Configure Git if: ${{ needs.setup.outputs.run_build == 'true' }} @@ -486,17 +481,16 @@ jobs: # The release tag format is -- - name: Create GitHub release if: ${{ needs.chart-verifier.outputs.web_catalog_only == 'False' }} - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 with: + token: ${{ secrets.GITHUB_TOKEN }} tag_name: ${{ needs.chart-verifier.outputs.release_tag }} files: | ${{ steps.prepare-chart-release.outputs.report_file }} ${{ steps.prepare-chart-release.outputs.public_key_file }} ${{ steps.prepare-chart-release.outputs.path_to_chart_tarball }} ${{ steps.prepare-chart-release.outputs.prov_file_name }} - fail_on_unmatched_files: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + fail_on_unmatched_files: true - name: Update Helm repository index if: ${{ needs.setup.outputs.run_build == 'true' }} diff --git a/.github/workflows/check-contributor.yml b/.github/workflows/check-contributor.yml index fff3b1bca3..0b92c8ef46 100644 --- a/.github/workflows/check-contributor.yml +++ b/.github/workflows/check-contributor.yml @@ -37,7 +37,7 @@ jobs: outputs: is-repo-owner: ${{ steps.populate-output.outputs.is-repo-owner }} name: Contributor is repo owner - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout repository base uses: actions/checkout@v4 diff --git a/.github/workflows/ci-enabled.yml b/.github/workflows/ci-enabled.yml index e4a36ef02a..ab4839ac5a 100644 --- a/.github/workflows/ci-enabled.yml +++ b/.github/workflows/ci-enabled.yml @@ -18,7 +18,7 @@ name: Ensure CI is Enabled # # next_task: # needs: ensure_ci_enabled -# runs-on: ubuntu-latest +# runs-on: ubuntu-22.04 # steps: # - ... 
@@ -31,7 +31,7 @@ on: jobs: fail_if_ci_disabled: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Check enablement value run: | diff --git a/.github/workflows/mercury_bot.yml b/.github/workflows/mercury_bot.yml index c712bfdd28..dbd0a69e28 100644 --- a/.github/workflows/mercury_bot.yml +++ b/.github/workflows/mercury_bot.yml @@ -18,7 +18,7 @@ on: jobs: owners-file-check: name: OWNERS file PR checker - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: github.event.pull_request.draft == false && github.actor == 'redhat-mercury-bot' steps: - name: Checkout @@ -188,7 +188,7 @@ jobs: if: | steps.check_for_owners.outputs.merge_pr == 'true' && steps.safe-to-merge.outputs.merge_pr == 'true' - uses: hmarr/auto-approve-action@v3 + uses: hmarr/auto-approve-action@v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/owners.yml b/.github/workflows/owners.yml index f57b360276..34185881b0 100644 --- a/.github/workflows/owners.yml +++ b/.github/workflows/owners.yml @@ -7,7 +7,7 @@ on: jobs: owners-metrics: name: Send Owner Metrics - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: github.actor == 'redhat-mercury-bot' env: SEGMENT_WRITE_KEY: ${{ secrets.SEGMENT_WRITE_KEY }} diff --git a/.github/workflows/python-style.yml b/.github/workflows/python-style.yml index 78e9cd3f48..aebf86fe25 100644 --- a/.github/workflows/python-style.yml +++ b/.github/workflows/python-style.yml @@ -8,7 +8,7 @@ on: jobs: enforce: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/test-cluster-access.yml b/.github/workflows/test-cluster-access.yml index c83e234e57..3d2b2598db 100644 --- a/.github/workflows/test-cluster-access.yml +++ b/.github/workflows/test-cluster-access.yml 
@@ -6,11 +6,6 @@ name: Test Cluster Access on: workflow_dispatch: -env: - # Temporary workaround. See - # https://github.com/redhat-actions/openshift-tools-installer/issues/105 - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true - jobs: test-cluster-access: name: Test Cluster Access diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 705389e669..d2b6b9d2b2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -34,7 +34,7 @@ jobs: workflow-test: name: Workflow Test needs: [check-contributor] - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 if: | github.event.pull_request.draft == false && needs.check-contributor.outputs.is-repo-owner == 'true' @@ -147,7 +147,7 @@ jobs: - name: Approve PR id: approve_pr if: ${{ steps.check_if_release_pr.outputs.charts_release_branch == 'true' }} - uses: hmarr/auto-approve-action@v3 + uses: hmarr/auto-approve-action@v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/version_check.yml b/.github/workflows/version_check.yml index 5f12cdd687..2e0a7c28b9 100644 --- a/.github/workflows/version_check.yml +++ b/.github/workflows/version_check.yml @@ -28,7 +28,7 @@ on: jobs: check-ocp: name: Check OpenShift Version - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: check schedule and main repository @@ -248,7 +248,7 @@ jobs: if: ${{ always() }} needs: check-ocp name: Check Chart Verifier Version - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: check schedule and main repository id: check_repo diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 8e7b8f29e9..19226da324 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -15,7 +15,7 @@ packaging==24.1 parse==1.20.2 parse-type==0.6.2 pluggy==1.5.0 -psutil==5.9.8 +psutil==6.0.0 PyGithub==2.3.0 pyparsing==3.1.2 pytest==8.2.2 diff --git a/scripts/src/precheck/submission.py b/scripts/src/precheck/submission.py index 6a7043cf50..0a5d989a3c 100644 
--- a/scripts/src/precheck/submission.py +++ b/scripts/src/precheck/submission.py @@ -51,6 +51,10 @@ class ReleaseTagError(SubmissionError): pass +class ChartError(Exception): + pass + + @dataclass class Chart: """Represents a Helm Chart @@ -80,6 +84,17 @@ def register_chart_info(self, category, organization, name, version): ) raise VersionError(msg) + # Red Hat charts must carry the Red Hat prefix. + if organization == "redhat": + if not name.startswith("redhat-"): + msg = f"[ERROR] Charts provided by Red Hat must have their name begin with the redhat- prefix. I.e. redhat-{name}" + raise ChartError(msg) + + # Non Red Hat charts must not carry the Red Hat prefix. + if organization != "redhat" and name.startswith("redhat-"): + msg = f"[ERROR] The redhat- prefix is reserved for charts provided by Red Hat. Your chart: {name}" + raise ChartError(msg) + self.category = category self.organization = organization self.name = name diff --git a/scripts/src/precheck/submission_test.py b/scripts/src/precheck/submission_test.py index b4be69c75f..7446024ff1 100644 --- a/scripts/src/precheck/submission_test.py +++ b/scripts/src/precheck/submission_test.py 
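Review bot: `class ChartError(Exception)` sits outside the `SubmissionError` hierarchy that the neighbouring `ReleaseTagError(SubmissionError)` belongs to, so any caller that handles submission problems with `except SubmissionError` will let this new failure propagate as an unhandled exception. Unless that is intended, declare it as `class ChartError(SubmissionError):` and give it a one-line docstring such as `"""Raised when a chart's name violates the naming rules for its organization."""`. I cannot see the callers from this diff, so confirm how `SubmissionError` is caught before changing the base.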
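Review bot: The reservation check `name.startswith("redhat-")` and the comparison `organization == "redhat"` are case-sensitive, so unless chart names are normalised to lowercase upstream, a non-Red-Hat submission named `Redhat-foo` or `REDHAT-foo` passes the guard while still reading as a Red Hat chart in the catalog. Normalise once before comparing, e.g. `is_redhat_org = organization.lower() == "redhat"` and `has_redhat_prefix = name.lower().startswith("redhat-")`, and use those in both branches. That also lets the two checks collapse into a single if/elif instead of re-testing `organization` in the second condition. `register_chart_info` starts and ends outside the hunk.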
@@ -221,6 +221,22 @@ class SubmissionInitScenario: ], excepted_exception=pytest.raises(submission.VersionError), ), + # Invalid PR references a Chart from redhat without the "redhat-" prefix + SubmissionInitScenario( + api_url="https://api.github.com/repos/openshift-helm-charts/charts/pulls/103", + modified_files=[ + f"charts/{expected_category}/redhat/{expected_name}/{expected_version}/report.yaml" + ], + excepted_exception=pytest.raises(submission.ChartError), + ), + # Invalid PR references a Chart with the "redhat-" prefix from another organization + SubmissionInitScenario( + api_url="https://api.github.com/repos/openshift-helm-charts/charts/pulls/103", + modified_files=[ + f"charts/{expected_category}/{expected_organization}/redhat-{expected_name}/{expected_version}/report.yaml" + ], + excepted_exception=pytest.raises(submission.ChartError), + ), ] diff --git a/scripts/src/saforcharttesting/saforcharttesting.py b/scripts/src/saforcharttesting/saforcharttesting.py index 431ec20b80..a0f16b1147 100644 --- a/scripts/src/saforcharttesting/saforcharttesting.py +++ b/scripts/src/saforcharttesting/saforcharttesting.py @@ -2,7 +2,6 @@ import base64 import json import os -import re import subprocess import sys import tempfile @@ -29,7 +28,7 @@ kind: Secret type: kubernetes.io/service-account-token metadata: - name: token-${name} + name: ${name} namespace: ${name} annotations: kubernetes.io/service-account.name: ${name} 
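Review bot: The two new scenarios only exercise the rejecting branches; there is no scenario asserting that a `redhat` organization chart named `redhat-...` is accepted, so an over-eager guard (for example one that rejected every `redhat-` name regardless of organization) would still pass this suite. Add a positive `SubmissionInitScenario` with `modified_files=[f"charts/{expected_category}/redhat/redhat-{expected_name}/{expected_version}/report.yaml"]` and whatever `excepted_exception` value the existing passing scenarios use for "no exception" (those scenarios are outside this hunk, so I cannot quote it). Both new cases reuse `pulls/103`; if the mocked PR fixture is keyed by that URL, confirm it is appropriate for a `redhat` organization path.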
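Review bot: Renaming the Secret from `token-${name}` to `${name}` is what lets `write_sa_token` further down fetch it with `oc get secret <namespace> -n <namespace>`, but nothing in the template records that coupling, so a future rename in one place silently breaks the other. Add a comment above `name: ${name}` such as `# Must match the name write_sa_token() looks up; it is now the same as the SA and namespace name.`. The Secret, ServiceAccount and namespace all sharing one identifier is fine, but it should be stated rather than discovered.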
@@ -242,65 +241,44 @@ def delete_clusterrolebinding(name): sys.exit(1) -def write_sa_token(namespace, token): - secret_found = False - secrets = [] +def write_sa_token(namespace, token_file): + """Write's the service account token to token_file.""" + token_found = False for i in range(7): + # On retry, wait a little extra time before starting to give the cluster + # time to process the resources created before this. + if i > 0: + time.sleep(5) + print(f"[INFO] looking for service account token (retry {i})") out = subprocess.run( - ["oc", "get", "serviceaccount", namespace, "-n", namespace, "-o", "json"], + ["oc", "get", "secret", namespace, "-n", namespace, "-o", "json"], capture_output=True, ) stdout = out.stdout.decode("utf-8") if out.returncode != 0: stderr = out.stderr.decode("utf-8") if stderr.strip(): - print("[ERROR] retrieving ServiceAccount:", namespace, stderr) - time.sleep(10) - else: - sa = json.loads(stdout) - if len(sa["secrets"]) >= 2: - secrets = sa["secrets"] - secret_found = True - break - else: - pattern = r"Tokens:\s+([A-Za-z0-9-]+)" - dout = subprocess.run( - ["oc", "describe", "serviceaccount", namespace, "-n", namespace], - capture_output=True, - ) - dstdout = dout.stdout.decode("utf-8") - match = re.search(pattern, dstdout) - if match: - token_name = match.group(1) - else: - print("[ERROR] Token not found, Exiting") - sys.exit(1) - secrets.append({"name": token_name}) - secret_found = True - break - time.sleep(10) + print("[ERROR] retrieving token secret:", namespace, stderr) + continue - if not secret_found: - print("[ERROR] retrieving ServiceAccount:", namespace, stderr) - sys.exit(1) + secret = json.loads(stdout) + token = secret.get("data", {}).get("token", None) - for secret in secrets: - out = subprocess.run( - ["oc", "get", "secret", secret["name"], "-n", namespace, "-o", "json"], - capture_output=True, + if not token: + print("[ERROR] token not yet found in secret:", namespace) + continue + + token_found = True + break + + if not 
token_found: + print( + "[ERROR] all attempts to find service account token have failed:", namespace ) - stdout = out.stdout.decode("utf-8") - if out.returncode != 0: - stderr = out.stderr.decode("utf-8") - if stderr.strip(): - print("[ERROR] retrieving secret:", secret["name"], stderr) - continue - else: - sec = json.loads(stdout) - if sec["type"] == "kubernetes.io/service-account-token": - content = sec["data"]["token"] - with open(token, "w") as fd: - fd.write(base64.b64decode(content).decode("utf-8")) + sys.exit(1) + + with open(token_file, "w") as fd: + fd.write(base64.b64decode(token).decode("utf-8")) def switch_project_context(namespace, token, api_server):
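Review bot: The bearer token is written with `open(token_file, "w")`, which creates the file with the process umask (commonly 0644), so the service-account token may be readable by other users on the runner. Create it with owner-only permissions: `fd_num = os.open(token_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd_num, "w") as fd:` — `os` is already imported at the top of this file. The docstring should also read `"""Writes the service account token to token_file."""` (the apostrophe is a typo). Separately, `json.loads(stdout)` inside the loop is unguarded: a zero exit with non-JSON output would raise out of the retry loop instead of being retried, so wrapping it in `try/except json.JSONDecodeError: continue` keeps the loop's best-effort semantics.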