Merge pull request #1 from stackrox/master

rebasing fork
acravn · Sep 18, 2024 · 815e853 · 815e853
2 parents b33deef + 58206ac
commit 815e853
Show file tree

Hide file tree

Showing 1,074 changed files with 255,480 additions and 22,444 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,5 +1,5 @@
 {
-	"image":"quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2",
+	"image":"quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4",
 	"containerEnv":{
 		"CI":"true"
 	},

diff --git a/.github/actions/cache-ui-dependencies/action.yaml b/.github/actions/cache-ui-dependencies/action.yaml
@@ -2,17 +2,17 @@ name: Cache UI Dependencies
 description: Cache UI Dependencies
 inputs:
   lockFile:
-    description: Where the yarn lock is written
+    description: Where the package lock is written
     required: true
-    default: "ui/apps/platform/yarn.lock"
+    default: "ui/apps/platform/package-lock.json"
 runs:
   using: composite
   steps:
     - name: Cache UI Dependencies
       uses: actions/cache@v3
       with:
         path: |
-          /github/home/.cache/yarn
+          /github/home/.npm
           /github/home/.cache/Cypress
           /usr/local/share/.cache
         key: npm-v2-${{ hashFiles(inputs.lockFile) }}
diff --git a/.github/actions/download-artifact-with-retry/action.yaml b/.github/actions/download-artifact-with-retry/action.yaml
@@ -2,10 +2,13 @@ name: Download artifact with retry
 description: Retry wrapper of download-artifact
 inputs:
   name:
-    description: 'Name of the artifact to download. If unspecified, all artifacts for the run are downloaded.'
+    description: 'Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. Optional.'
     required: false
   path:
-    description: 'Destination path. Supports basic tilde expansion. Defaults to $GITHUB_WORKSPACE'
+    description: 'Destination path. Supports basic tilde expansion. Optional. Defaults to $GITHUB_WORKSPACE.'
+    required: false
+  pattern:
+    description: 'A glob pattern to the artifacts that should be downloaded. Ignored if name is specified. Optional.'
     required: false
 runs:
   using: composite
@@ -15,16 +18,19 @@ runs:
       with:
         name: ${{ inputs.name }}
         path: ${{ inputs.path }}
+        pattern: ${{ inputs.pattern }}
       continue-on-error: true
     - id: download-artifact-try2
       if: steps.download-artifact-try1.outcome == 'failure'
       uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.name }}
         path: ${{ inputs.path }}
+        pattern: ${{ inputs.pattern }}
       continue-on-error: true
     - if: steps.download-artifact-try2.outcome == 'failure'
       uses: actions/download-artifact@v4
       with:
         name: ${{ inputs.name }}
         path: ${{ inputs.path }}
+        pattern: ${{ inputs.pattern }}
diff --git a/.github/actions/junit2jira/action.yaml b/.github/actions/junit2jira/action.yaml
@@ -21,6 +21,10 @@ inputs:
     description: 'Minimal number of failed issues that will result in reporting a single cumulative Jira issue.'
     required: false
     default: '5'
+outputs:
+  new-jiras:
+    description: 'Bool indicating if new issues were found'
+    value: ${{ steps.run.outputs.NEW_JIRAS }}
 runs:
   using: "composite"
   steps:
@@ -37,6 +41,7 @@ runs:
         chmod +x junit2jira
       fi
   - name: Check files
+    id: run
     shell: bash
     env:
       GCP_SERVICE_ACCOUNT_STACKROX_CI: ${{ inputs.gcp-account }}
@@ -50,6 +55,7 @@ runs:
         echo "Will create JIRA issues for JUnit failures found in ${{ inputs.directory }}"
       fi
       csv_output="$(mktemp --suffix=.csv)"
+      summary_file="$(mktemp --suffix=.json)"
       ./junit2jira \
           -base-link "${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}" \
           -build-id "${{ github.run_id }}"  \
@@ -60,8 +66,11 @@ runs:
           -junit-reports-dir "${{ inputs.directory }}" \
           -orchestrator "${{ runner.name }} ${{ runner.os }}-${{ runner.arch }}" \
           -threshold "${{ inputs.threshold }}" \
+          -summary-output "${summary_file}" \
           "${extra_args[@]}"
 
+      echo "NEW_JIRAS=$(jq -r '.newJIRAs > 0' "${summary_file}")" >> "$GITHUB_OUTPUT"
+
       source scripts/ci/lib.sh
       setup_gcp
       save_test_metrics "${csv_output}"
diff --git a/.github/workflows/batch-load-test-metrics.yml b/.github/workflows/batch-load-test-metrics.yml
@@ -11,7 +11,7 @@ jobs:
   batch-load-test-metrics:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
     - name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -80,9 +80,11 @@ jobs:
         branding: [ RHACS_BRANDING, STACKROX_BRANDING ]
     env:
       ROX_PRODUCT_BRANDING: ${{ matrix.branding }}
+      # For consistency with `image/rhel/konflux.Dockerfile`, see comment there.
+      UI_PKG_INSTALL_EXTRA_ARGS: --ignore-scripts
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -109,12 +111,12 @@ jobs:
           name: ui-${{env.ROX_PRODUCT_BRANDING}}-build
           path: |
             ui/build
-            ui/apps/platform/yarn.lock
+            ui/apps/platform/package-lock.json
 
   pre-build-cli:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -152,7 +154,7 @@ jobs:
     needs: define-job-matrix
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -217,7 +219,7 @@ jobs:
   pre-build-docs:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -274,7 +276,7 @@ jobs:
       GO_BINARIES_BUILD_ARTIFACT: ""
       ROX_PRODUCT_BRANDING: ""
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
       env:
         QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
         QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
@@ -452,7 +454,7 @@ jobs:
     env:
       ROX_PRODUCT_BRANDING: ""
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
       env:
         QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
         QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
@@ -542,7 +544,7 @@ jobs:
   build-and-push-operator:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
       env:
         QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
         QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
@@ -625,7 +627,7 @@ jobs:
       ARTIFACT_DIR: junit-reports/
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     needs:
     - pre-build-cli
     - pre-build-go-binaries

diff --git a/.github/workflows/ci-failures-report.yml b/.github/workflows/ci-failures-report.yml
@@ -14,7 +14,7 @@ jobs:
   report-e2e-failures-to-slack:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
     - name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/cut-rc.yml b/.github/workflows/cut-rc.yml
@@ -200,7 +200,7 @@ jobs:
         if: failure() && steps.cherry-pick.outputs.bad-cherries != ''
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@v1.27.0
         with:
           channel-id: ${{ needs.properties.outputs.slack-channel }}
           payload: >-
@@ -278,7 +278,7 @@ jobs:
       - name: Post to Slack
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@v1.27.0
         with:
           channel-id: ${{ needs.properties.outputs.slack-channel }}
           payload: >-

diff --git a/.github/workflows/emailsender-central-compatibility.yaml b/.github/workflows/emailsender-central-compatibility.yaml
@@ -0,0 +1,73 @@
+
+name: emailsender-central-compatibility
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - 'central/notifiers/email/**'
+      - 'central/notifiers/acscsemail/**'
+      - '.github/workflows/emailsender-central-compatibility.yaml'
+
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      - 'central/notifiers/email/**'
+      - 'central/notifiers/acscsemail/**'
+      - '.github/workflows/emailsender-central-compatibility.yaml'
+
+jobs:
+  e2e-test-on-kind:
+    timeout-minutes: 60
+    name: "Test on kind cluster"
+    runs-on: ubuntu-latest
+    if: ${{ !github.event.pull_request.head.repo.fork }} # do not run for PRs from forks
+    permissions:
+      id-token: write
+      contents: read
+    environment: development
+    steps:
+      - name: Cancel Previous Runs
+        uses: n1hility/cancel-previous-runs@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go 1.21
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.21"
+      - name: Cache go module
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
+      - name: Checkout stackrox/acs-fleet-manager repository
+        uses: actions/checkout@v4
+        with:
+          repository: stackrox/acs-fleet-manager
+          path: acs-fleet-manager
+          ref: main
+          fetch-depth: 0
+      - name: Checkout stackrox/stackrox repository
+        uses: actions/checkout@v4
+        with:
+          repository: stackrox/stackrox
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: stackrox
+          fetch-depth: 0
+      - name: Create Kind cluster"
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: kind
+      - name: Run Test
+        env:
+          IMG_WAIT_TIMEOUT_SECONDS: 2100
+        run: acs-fleet-manager/scripts/ci/central_compatibility/entrypoint.sh
diff --git a/.github/workflows/finish-release.yml b/.github/workflows/finish-release.yml
@@ -141,7 +141,7 @@ jobs:
       - name: Post to Slack
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@v1.27.0
         with:
           channel-id: ${{ needs.properties.outputs.slack-channel }}
           payload: >-

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -35,7 +35,7 @@ jobs:
   openshift-ci-lint:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.4
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/notify-milestone-change.yml b/.github/workflows/notify-milestone-change.yml
@@ -68,7 +68,7 @@ jobs:
       - name: Send Slack notification
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-        uses: slackapi/slack-github-action@v1.26.0
+        uses: slackapi/slack-github-action@v1.27.0
         with:
           channel-id: ${{ needs.properties.outputs.slack-channel }}
           payload: >-

diff --git a/.github/workflows/release-ci.yaml b/.github/workflows/release-ci.yaml
@@ -143,3 +143,25 @@ jobs:
           tar xzf cli-build.tgz
           scripts/ci/lib.sh \
             publish_roxctl "${STACKROX_TAG}"
+
+  publish-openapispec:
+    needs: [build, check-scanner-version, check-collector-version, check-is-release]
+    if: needs.check-is-release.outputs.is_release == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref_name }}
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ secrets.GCLOUD_SERVICE_ACCOUNT_CI_ROX }}'
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+      - name: Publish OpenAPI spec to Google Cloud storage
+        env:
+          STACKROX_TAG: ${{ github.ref_name }}
+        run: |
+          scripts/ci/lib.sh \
+            publish_openapispec "${STACKROX_TAG}"
diff --git a/.github/workflows/scanner-build.yaml b/.github/workflows/scanner-build.yaml
@@ -66,7 +66,7 @@ jobs:
       # race-condition-debug - built with -race
       matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }}
     container:
-      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -123,7 +123,7 @@ jobs:
     needs: pre-build-scanner-go-binary
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
     if: contains(github.event.pull_request.labels.*.name, 'scan-go-binaries')
     env:
       ARTIFACT_DIR: junit-reports/
@@ -177,7 +177,7 @@ jobs:
       # race-condition-debug - built with -race
       matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }}
     container:
-      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
       env:
         QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
         QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
@@ -251,7 +251,7 @@ jobs:
       # race-condition-debug
       matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).push_manifests }}
     container:
-      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
       env:
         QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
         QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}

diff --git a/.github/workflows/scanner-db-init-dump.yaml b/.github/workflows/scanner-db-init-dump.yaml
@@ -9,7 +9,7 @@ jobs:
   build-updater:
     runs-on: ubuntu-latest
     container:
-      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.2
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4