diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 68e24a4b47..7abe415188 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+- package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml
index 61884dbc63..483f10f933 100644
--- a/.github/workflows/boilerplate.yaml
+++ b/.github/workflows/boilerplate.yaml
@@ -24,47 +24,9 @@ jobs: language: Bash steps: - - uses: actions/setup-go@v2 - with: - go-version: 1.17.x - - uses: actions/checkout@v2 - - name: Install Tools - run: | - TEMP_PATH="$(mktemp -d)" - cd $TEMP_PATH - - echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 - echo '::endgroup::' - - echo '::group:: Installing boilerplate-check ... https://github.com/mattmoor/boilerplate-check' - go get github.com/mattmoor/boilerplate-check/cmd/boilerplate-check - echo '::endgroup::' - - echo "${TEMP_PATH}" >> $GITHUB_PATH - - - name: ${{ matrix.language }} license boilerplate - shell: bash - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - echo '::group:: Running github.com/mattmoor/boilerplate-check for ${{ matrix.language }} with reviewdog 🐶 ...' - # Don't fail because of boilerplate-check - set +o pipefail - boilerplate-check check \ - --boilerplate ./hack/boilerplate/boilerplate.${{ matrix.extension }}.txt \ - --file-extension ${{ matrix.extension }} \ - --exclude "(vendor|third_party)/" | - reviewdog -efm="%A%f:%l: %m" \ - -efm="%C%.%#" \ - -name="${{ matrix.language }} headers" \ - -reporter="github-pr-check" \ - -filter-mode="diff_context" \ - -fail-on-error="true" \ - -level="error" - echo '::endgroup::' + - uses: chainguard-dev/actions/boilerplate@84c993eaf02da1c325854fb272a4df9184bd80fc # main + with: + extension: ${{ matrix.extension }} + language: ${{ matrix.language }} diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml index a48c1b338b..0d6885f0a9 100644 --- a/.github/workflows/donotsubmit.yaml +++ b/.github/workflows/donotsubmit.yaml 
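Review bot: The new step list in boilerplate.yaml no longer checks out the repository: `actions/checkout@v2` is among the removed lines and only the `chainguard-dev/actions/boilerplate` step is added, whereas donotsubmit.yaml in this same commit keeps a checkout step ahead of its chainguard action. Unless the composite action performs its own checkout (not visible here), the header check would presumably run against an empty workspace and report nothing; adding `- uses: actions/checkout@v2` before the new step would make the two workflows consistent. The removed step passed `${{ github.token }}` explicitly as `REVIEWDOG_GITHUB_API_TOKEN`, and the replacement action presumably reads the token itself, so a job-level `permissions:` block restricting it to what the check reporter needs is worth adding if the workflow does not already declare one outside this hunk.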
@@ -11,32 +11,5 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Do Not Submit - shell: bash - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - TEMP_PATH="$(mktemp -d)" - PATH="${TEMP_PATH}:$PATH" - - echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 - echo '::endgroup::' - - echo '::group:: Running DO NOT SUBMIT with reviewdog 🐶 ...' - # Don't fail because of grep - set +o pipefail - find . -type f -not -path './vendor/*' -not -path './third_party/*' -not -path './.git/*' -not -path './.github/workflows/*' | - xargs grep -n "DO NOT SUBMIT" | - reviewdog -efm="%f:%l:%m" \ - -name="DO NOT SUBMIT" \ - -reporter="github-pr-check" \ - -filter-mode="added" \ - -fail-on-error="true" \ - -level="error" - - echo '::endgroup::' + - uses: actions/checkout@v2 + - uses: chainguard-dev/actions/donotsubmit@84c993eaf02da1c325854fb272a4df9184bd80fc # main diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 4c16cfc935..032b9a9901 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml @@ -26,46 +26,16 @@ jobs: - name: Install ko run: go install ./ - - name: Configure KinD Cluster - run: | - # KinD configuration. - cat > kind.yaml < 127.0.0.1, to tell `ko` to publish to - # local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image - sudo echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts - - - name: Wait for ready nodes - run: | - kubectl wait --timeout=2m --for=condition=Ready nodes --all + k8s-version: v1.23.x + registry-authority: ${{ env.REGISTRY_NAME }}:${{ env.REGISTRY_PORT }} - name: Install Cosign uses: sigstore/cosign-installer@main with: - cosign-release: 'v1.3.1' + cosign-release: 'v1.5.1' - name: Run Smoke Test run: | 
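Review bot: `actions/checkout@v2` on the new side of donotsubmit.yaml is still referenced by a mutable tag while the chainguard action beside it is pinned to a full commit SHA, so the job is only as well pinned as its weakest step. The same mix appears in kind-e2e.yaml (`sigstore/cosign-installer@main`, a branch ref on the step that installs the signing tool, left untouched while `cosign-release` is bumped) and in style.yaml (`actions/setup-go@v2`, `actions/checkout@v2`, `reviewdog/action-misspell@v1`). Pinning these the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`, would keep the workflows consistent, and the Dependabot `github-actions` entry added in this commit can then propose the bumps. The trailing `# main` on the chainguard pins names a branch rather than a release, so a reader cannot tell which state of the action the SHA corresponds to; a tag or date in that comment would help.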
@@ -101,14 +71,6 @@ jobs: exit 1 fi - - name: Collect logs - if: ${{ always() }} - run: | - mkdir -p /tmp/logs - kind export logs /tmp/logs - - name: Upload artifacts - if: ${{ always() }} - uses: actions/upload-artifact@v2 - with: - name: logs - path: /tmp/logs + - name: Collect diagnostics and upload + if: ${{ failure() }} + uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml index 8d77b8db1f..8765c4d4d8 100644 --- a/.github/workflows/style.yaml +++ b/.github/workflows/style.yaml @@ -6,214 +6,58 @@ on: jobs: - autoformat: - name: Auto-format and Check + gofmt: + name: check gofmt runs-on: ubuntu-latest - strategy: - fail-fast: false # Keep running if one leg fails. - matrix: - tool: - - goimports - - gofmt - - include: - - tool: gofmt - options: -s - - tool: goimports - importpath: golang.org/x/tools/cmd/goimports - steps: - uses: actions/setup-go@v2 with: go-version: 1.17.x - uses: actions/checkout@v2 + - uses: chainguard-dev/actions/gofmt@84c993eaf02da1c325854fb272a4df9184bd80fc # main + with: + args: -s - - name: Install Dependencies - if: ${{ matrix.importpath != '' }} - run: | - cd $(mktemp -d) - GO111MODULE=on go get ${{ matrix.importpath }} - - - name: ${{ matrix.tool }} ${{ matrix.options }} - run: > - ${{ matrix.tool }} ${{ matrix.options }} -w - $(find . - -path './vendor' -prune - -o -path './third_party' -prune - -o -name '*.pb.go' -prune - -o -name 'wire_gen.go' -prune - -o -type f -name '*.go' -print) - - - name: Verify ${{ matrix.tool }} - run: | - # 
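Review bot: In kind-e2e.yaml the condition on the diagnostics step changes from `always()` to `failure()`, which skips log collection when the run is cancelled (for instance a manual cancel of a hung cluster), a case where the logs are most needed. `if: ${{ failure() || cancelled() }}` would cover that without going back to uploading on every successful run. What `kind-diag` collects and under which artifact name is not visible in this hunk, so anything that relied on the `logs` artifact from the removed `actions/upload-artifact@v2` step should be checked, along with whether the exported cluster logs can contain values that should not end up in a downloadable artifact.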
From: https://backreference.org/2009/12/23/how-to-match-newlines-in-sed/ - # This is to leverage this workaround: - # https://github.com/actions/toolkit/issues/193#issuecomment-605394935 - function urlencode() { - sed ':begin;$!N;s/\n/%0A/;tbegin' - } - if [[ $(git diff-index --name-only HEAD --) ]]; then - for x in $(git diff-index --name-only HEAD --); do - echo "::error file=$x::Please run ${{ matrix.tool }} ${{ matrix.options }}.%0A$(git diff $x | urlencode)" - done - echo "${{ github.repository }} is out of style. Please run ${{ matrix.tool }} ${{ matrix.options }}." - exit 1 - fi - echo "${{ github.repository }} is formatted correctly." - - lint: - name: Lint + goimports: + name: check goimports runs-on: ubuntu-latest - steps: - uses: actions/setup-go@v2 with: go-version: 1.17.x - uses: actions/checkout@v2 + - uses: chainguard-dev/actions/goimports@84c993eaf02da1c325854fb272a4df9184bd80fc # main - - uses: golangci/golangci-lint-action@v2 - with: - version: v1.43 - - - name: Install Tools - env: - WOKE_VERSION: v0.5.0 - run: | - TEMP_PATH="$(mktemp -d)" - cd $TEMP_PATH - - echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' - curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 - echo '::endgroup::' - - echo '::group:: Installing misspell ... https://github.com/client9/misspell' - go get github.com/client9/misspell/cmd/misspell - echo '::endgroup::' + lint: + name: Lint + runs-on: ubuntu-latest - echo '::group:: Installing woke ... 
https://github.com/get-woke/woke' - curl -sfL https://raw.githubusercontent.com/get-woke/woke/main/install.sh | sh -s -- -b "${TEMP_PATH}" "${WOKE_VERSION}" 2>&1 - echo '::endgroup::' + steps: + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.17.x - echo "${TEMP_PATH}" >> $GITHUB_PATH + - name: Check out code + uses: actions/checkout@v2 - - name: misspell + - uses: chainguard-dev/actions/trailing-space@84c993eaf02da1c325854fb272a4df9184bd80fc # main if: ${{ always() }} - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - echo '::group:: Running github.com/client9/misspell with reviewdog 🐶 ...' - # Don't fail because of misspell - set +o pipefail - # Exclude generated and vendored files, plus some legacy - # paths until we update all .gitattributes - git ls-files | - git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | - git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | - grep -Ev '^(vendor/|third_party/|.git)' | - xargs misspell -i importas -error | - reviewdog -efm="%f:%l:%c: %m" \ - -name="github.com/client9/misspell" \ - -reporter="github-pr-check" \ - -filter-mode="added" \ - -fail-on-error="true" \ - -level="error" - echo '::endgroup::' - - - name: trailing whitespace + - uses: chainguard-dev/actions/eof-newline@84c993eaf02da1c325854fb272a4df9184bd80fc # main if: ${{ always() }} - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - echo '::group:: Flagging trailing whitespace with reviewdog 🐶 ...' 
- # Don't fail because of grep - set +o pipefail - - # Exclude generated and vendored files, plus some legacy - # paths until we update all .gitattributes - git ls-files | - git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | - git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | - grep -Ev '^(vendor/|third_party/|.git)' | - xargs grep -nE " +$" | - reviewdog -efm="%f:%l:%m" \ - -name="trailing whitespace" \ - -reporter="github-pr-check" \ - -filter-mode="added" \ - -fail-on-error="true" \ - -level="error" - echo '::endgroup::' - - - name: EOF newline + - uses: reviewdog/action-misspell@v1 if: ${{ always() }} - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - echo '::group:: Flagging missing EOF newlines with reviewdog 🐶 ...' - # Don't fail because of misspell - set +o pipefail - # Lint exclude rule: - # - nothing in vendor/ - # - nothing in third_party - # - nothing in .git/ - # - no *.ai (Adobe Illustrator) files. - LINT_FILES=$(git ls-files | - git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | - git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | - grep -Ev '^(vendor/|third_party/|.git)' | - grep -v '\.ai$') - - for x in $LINT_FILES; do - # Based on https://stackoverflow.com/questions/34943632/linux-check-if-there-is-an-empty-line-at-the-end-of-a-file - if [[ -f $x && ! ( -s "$x" && -z "$(tail -c 1 $x)" ) ]]; then - # We add 1 to `wc -l` here because of this limitation (from the man page): - # Characters beyond the final character will not be included in the line count. 
- echo $x:$((1 + $(wc -l $x | tr -s ' ' | cut -d' ' -f 1))): Missing newline - fi - done | - reviewdog -efm="%f:%l: %m" \ - -name="EOF Newline" \ - -reporter="github-pr-check" \ - -filter-mode="added" \ - -fail-on-error="true" \ - -level="error" - - echo '::endgroup::' - - # This is mostly copied from https://github.com/get-woke/woke-action-reviewdog/blob/main/entrypoint.sh - # since their action is not yet released under a stable version. - - name: Language - if: ${{ always() && github.event_name == 'pull_request' }} - env: - REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} - run: | - set -e - cd "${GITHUB_WORKSPACE}" || exit 1 - - # Create a minimal .wokeignore if none already exist. - if [ ! -f .wokeignore ]; then - cat > .wokeignore <