feat: Support policies in folders for reusable workflows #138
Conversation
viccuad
changed the title
viccuad
force-pushed
the
monorepo
branch
2 times, most recently
from
251cbf0 to
da6b4c2
Compare
| required: false | ||
| default: v0.32.0 | ||
| default: v0.65.0 |
There was a problem hiding this comment.
wow that was an old version, maybe we should use some updatecli here
policy-release/action.yml
Outdated
| runs: | ||
| using: "composite" | ||
| steps: | ||
| - | ||
| name: Login to GitHub Container Registry | ||
| - id: calculate-version |
There was a problem hiding this comment.
This should go in the monorepo action instead.
We should also use a policy version variable here to make this agnostic.
The rationale is that we want to decouple the reusable actions from whatever logic we have in the other repositories.
There was a problem hiding this comment.
We should also use a policy version variable here to make this agnostic.
It's not as simple, as the GH release needs to match the git tag that it was triggered with (and use the correct OCI_TAG), only when the trigger of this workflow was indeed from a tag (e.g: v0.1.0) instead of the "monorepo tag" (policy/v0.1.0 edited into 0.1.0).
Instead of again recalculating the version from the "monorepo tag", as we do in the monorepo workflow definition, here I just add a new, non-required policy-version input, that when present changes the behaviour.
I can take this out of the action, but that means passing that information through the reusable workflows, and potentially editing workflows of the policies we have, as that breaks backwards compatibility.
There was a problem hiding this comment.
After a talk, I think you are right and the calculate_version step can be dropped. Let me see.
There was a problem hiding this comment.
Added some comments that remove the calculate-version from the policy-release action, and expect this calculation to have been taken place in the workflows, by now making policy-release.inputs.policy-version required.
Hence, amended the workflows to always calculate-version and pass this value down the chain.
Since the workflows inputs haven't changed, this is still a backwards compatible fix WRT workflows API/ABI.
(If this is is approved, I will rebase the fixup commit and drop the "DROP" commit on the rebase as expected).
|
@viccuad note: DCO is missing |
|
Thanks! The DCO is missing on the |
| @@ -40,7 +40,7 @@ jobs: | |||
| run: echo "version=$(sed -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml)" >> $GITHUB_OUTPUT | |||
| shell: bash | |||
| - name: Check that artifacthub-pkg.yml is up-to-date | |||
| uses: kubewarden/github-actions/check-artifacthub@v3.3.5 | |||
| uses: viccuad/github-actions/check-artifacthub@main | |||
There was a problem hiding this comment.
Just remember to update that for the kubewarden org repository
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
`policy-working-dir` defaults to `.` for backwards compat. `version` gets calculated depending if `policy-version` was set, or we have a tag that is the version, for backwards compat. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
`policy-working-dir` defaults to `.` for backwards compat. `version` was and continues to be set, either being a tag or coming from a `policy-version` (the second element of a tag as `PolicyName/v0.1.0`). This is because we need a version to be able to call `VERSION=foo make artifacthub-pkg.yml`. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
…y-rego `policy-working-dir` defaults to `.` for backwards compat. If `policy-version` is set, we use it for `version`. If not, we see if there's a valid version tag that triggered the workflow, and use that for `version` for backwards compat. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
`policy-working-dir` defaults to `.` for backwards compat. `policy-version` is new. If set, it's used, if not, we take the github.ref which is expected to be a tag, for backwards compat with non-monorepo policy releases. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
`policy-working-dir` defaults to `.` for backwards compat. Note that, while we do `git push --force`, monorepo release jobs run with concurrency 1. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
This is needed to run the unit tests of the monorepo opa policies. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
It may be that it doesn't exist even, like in the monorepo case. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
This makes releases named "<tag>", e.g: like https://github.com/kubewarden/policy-server/releases/tag/v1.19.0 Instead of releases named "Release <tag>", e.g: https://github.com/kubewarden/verify-image-signatures/releases/tag/v0.3.0 Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
By expecting as input of `policy-release` GHA, we push up the stack the calculations of it. policy-release `input.policy-version` will always be in the form of `0.1.0`. Since now it's required, add it to all reusable workflows that call it. No change on those workflows is needed, they were already calculating their versions in their `calculate-version` steps. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
|
Rebased with a new Rerun the test workflow runs, which are passing, and updated their links in the PR body. |
Now that policy-release.input.policy-version is required, always calculate-version. For the left side of the &&: policy-release will push `:latest` for main runs, and `:v0.1.0` for tags. Hence we don't need to check if the run was triggered by a tag. For the right side of the &&: We may want to push an artifact irrespectively if we want it published on artifacthub, hence we don't need to check for inputs.artifacthub. It may happen that for a run triggered without a tag, policy-version will be empty or a previous existent tag, but it will not get used by neither check-artifacthub nor policy-release anyways. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
|
Found a bug when running tests from PRs in |
viccuad
force-pushed
the
monorepo
branch
3 times, most recently
from
ffc0a25 to
0698fff
Compare
|
Ready for merge. The bug happened when, on PRs (not a run from branch nor a run from a tag), the This is now fixed, see https://github.com/kubewarden/github-actions/compare/ffc0a258bac24630fede41f0f7c2de2f771eb9e1..0698fff8784455d9278bf36fc845a9f1989eb91e. |
policy-release/action.yml
Outdated
| shell: bash | ||
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | ||
| if: ${{ ! startsWith(github.ref, 'refs/heads/') }} | ||
| env: | ||
| COSIGN_EXPERIMENTAL: 1 |
There was a problem hiding this comment.
As far as I can remember, we use this env to allow keyless signing. This is not necessary anymore. Therefore, we can remove this COSIGN_EXPERIMENTAL env var.
There was a problem hiding this comment.
True! Done in c3c3a10.
Newer versions of cosign don't need this env var anymore. Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
|
Tagged in main as |
Description
Fix kubewarden/kubewarden-controller#806
Recommend review by commit.
See also working monorepo repo at https://github.com/viccuad/rego-policies.
Test
For monorepo policies:
ControllerContainerBlockSSHPort/v0.0.3because artifacthub-pkg.yml hasn't been updated:
https://github.com/viccuad/rego-policies/actions/runs/12352787565/job/34470569919
ControllerContainerBlockSSHPort/v0.0.4:https://github.com/viccuad/rego-policies/actions/runs/12352849151
For Normal policies:
https://github.com/viccuad/disallow-service-loadbalancer-policy/actions/runs/12352648538
https://github.com/viccuad/disallow-service-loadbalancer-policy/actions/runs/12352648552
https://github.com/viccuad/disallow-service-loadbalancer-policy/actions/runs/12352705437/job/34470302880
https://github.com/viccuad/disallow-service-loadbalancer-policy/actions/runs/12352738499
Additional Information
Tradeoff
Potential improvement
TODO:
DROPcommit, consuming my fork of kubewarden/github-actions for testing, and instead bump versions for release.