chore(deps): updated all dependencies and fixed megalinter workflow (#74)

* chore(deps): update all non-major dependencies

* chore(deps): update github-actions

* chore(deps): update container-images

* chore: added dotnet-tools manifest with dotnet outdated

* chore(deps): updated major deps

* chore(deps): updated megalinter to latest to fix trivy

* ci: fix iter8 workflow by manually downloading the cli

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chgl and renovate[bot] authored Oct 4, 2023
1 parent 5f51f70 commit 865d36d
Showing 23 changed files with 147 additions and 102 deletions.
14 changes: 14 additions & 0 deletions .config/dotnet-tools.json
@@ -0,0 +1,14 @@
{
"version": 1,
"isRoot": true,
"tools": {
"dotnet-outdated-tool": {
"version": "4.5.3",
"commands": ["dotnet-outdated"]
},
"csharpier": {
"version": "0.25.0",
"commands": ["dotnet-csharpier"]
}
}
}
26 changes: 14 additions & 12 deletions .github/workflows/ci.yaml
Expand Up @@ -86,7 +86,7 @@ jobs:
cache-to: type=gha,mode=max

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
with:
image-ref: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }}
severity: "CRITICAL,HIGH"
Expand Down Expand Up @@ -129,7 +129,7 @@ jobs:
- name: Upload container images
if: ${{ github.event_name == 'pull_request' }}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: container-image-artifacts
path: |
Expand Down Expand Up @@ -288,7 +288,14 @@ jobs:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3

- uses: iter8-tools/iter8@9b867240dcaa77858d2458f52a3845e47ea2c657 # v0.13.17
- name: install iter8 cli
env:
ITER8_CLI_URL: "https://github.com/iter8-tools/iter8/releases/download/v0.13.18/iter8-linux-amd64.tar.gz"
run: |
curl -LSs "${ITER8_CLI_URL}" | tar xz
mv linux-amd64/iter8 /usr/local/bin/iter8
chmod +x /usr/local/bin/iter8
iter8 version
- name: Create KinD cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
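Review bot: the iter8 CLI download in the new `run:` block is the one unverified fetch in a workflow that otherwise pins every action by commit SHA: `curl -LSs "${ITER8_CLI_URL}" | tar xz` neither fails on an HTTP error (no `-f`/`--fail`, so an error page would be piped straight into tar) nor checks the tarball against a known digest. Suggest `curl -fLSs` and, since the URL already fixes the release to v0.13.18, comparing the download against a checksum recorded in the workflow before extracting it; that restores the same supply-chain guarantee the SHA-pinned `uses:` lines give.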
Expand All @@ -313,15 +320,12 @@ jobs:
env:
IMAGE_TAG: ${{ needs.build.outputs.api-image-version }}
run: |
helm repo add miracum https://miracum.github.io/charts
helm repo update
helm install \
--set="image.tag=${IMAGE_TAG}" \
-f tests/iter8/values.yaml \
--wait \
--timeout=15m \
--version=^1.0.0 \
vfps miracum/vfps
vfps oci://ghcr.io/miracum/charts/vfps
- name: Launch iter8 experiment
run: kubectl apply -f tests/iter8/experiment.yaml
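Review bot: `--version=^1.0.0` is kept while the chart source moves from the `miracum` Helm repo to `oci://ghcr.io/miracum/charts/vfps`, so the chart still floats across minor releases while the application image is fixed through `IMAGE_TAG`; a chart release can therefore change what this test exercises without any change in this repository. Consider pinning the chart to an exact version here (the same reproducibility the SHA-pinned actions give) and letting renovate bump it like the other dependencies.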
Expand Down Expand Up @@ -358,7 +362,7 @@ jobs:

- name: Upload report
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: iter8-report.html
path: |
Expand All @@ -372,7 +376,7 @@ jobs:
- name: Upload cluster dump
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: kind-cluster-dump.txt
path: |
Expand Down Expand Up @@ -419,14 +423,12 @@ jobs:
- test-api-container
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
id-token: write
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ needs.build.outputs.api-image-name }}
digest: ${{ needs.build.outputs.api-image-digest }}
registry-username: ${{ github.actor }}
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
compile-generator: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
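Review bot: dropping the `# for creating OIDC tokens for signing.` comment leaves `id-token: write` as the only permission in this block without a justification, while `actions: read` and `packages: write` keep theirs; since `id-token: write` is the permission that lets the job mint OIDC tokens, it is the one a reviewer most wants explained, so keep a short comment on it. Removing `compile-generator: true` matches the TODO that was attached to it (remove after the GA release), and referencing the reusable workflow by tag (`@v1.9.0`) rather than by SHA is what slsa-github-generator expects, so the rest of the hunk looks right.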
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yaml
Expand Up @@ -44,7 +44,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2
uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -57,7 +57,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2
uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
Expand All @@ -70,6 +70,6 @@ jobs:
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2
uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/lint-pr-title.yaml
Expand Up @@ -14,7 +14,7 @@ jobs:
name: Lint PR title
runs-on: ubuntu-22.04
steps:
- uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
- uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 # v5.3.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
14 changes: 7 additions & 7 deletions .github/workflows/mega-linter.yml
Expand Up @@ -6,9 +6,8 @@ name: MegaLinter
on:
# Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
pull_request:
branches: [master, main]
branches: [master]

# Declare default permissions as read only.
permissions: read-all

env: # Comment env block if you do not want to apply fixes
Expand All @@ -31,27 +30,28 @@ jobs:
steps:
# Git Checkout
- name: Checkout Code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances

# MegaLinter
- name: MegaLinter
id: ml
# You can override MegaLinter flavor used to have faster performances
# More info at https://oxsecurity.github.io/megalinter/flavors/
uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0
env:
# All available variables are described in documentation
# https://oxsecurity.github.io/megalinter/configuration/
VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
VALIDATE_ALL_CODEBASE: "true"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY

# Upload MegaLinter artifacts
- name: Archive production artifacts
if: ${{ success() }} || ${{ failure() }}
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # tag=v2
if: ${{ always() }}
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: MegaLinter reports
path: |
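Review bot: `VALIDATE_ALL_CODEBASE: "true"` now applies unconditionally, but the checkout step above it still carries `fetch-depth: 0` with a comment saying that line can be removed once VALIDATE_ALL_CODEBASE is true; with full-codebase linting the git history is no longer needed, so the full clone only adds time. Suggest dropping `fetch-depth: 0` or updating its comment. The `if: ${{ always() }}` change for the report upload is correct (the old `${{ success() }} || ${{ failure() }}` form mixed two expression blocks with a literal `||`, which is not how a single condition is written), and moving `upload-artifact` from the floating `tag=v2` to a SHA-pinned v3.1.3 brings it in line with the other workflows.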
2 changes: 1 addition & 1 deletion .github/workflows/release-please.yaml
Expand Up @@ -15,7 +15,7 @@ jobs:
pull-requests: write

steps:
- uses: google-github-actions/release-please-action@ca6063f4ed81b55db15b8c42d1b6f7925866342d # v3.7.11
- uses: google-github-actions/release-please-action@4c5670f886fe259db4d11222f7dff41c1382304d # v3.7.12
with:
token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
release-type: simple
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yaml
Expand Up @@ -59,14 +59,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
with:
sarif_file: results.sarif
4 changes: 2 additions & 2 deletions .github/workflows/trivy.yaml
Expand Up @@ -22,7 +22,7 @@ jobs:
runs-on: "ubuntu-22.04"
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
with:
image-ref: ghcr.io/${{ github.repository }}:latest
format: "template"
Expand All @@ -31,6 +31,6 @@ jobs:
severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2
uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2
with:
sarif_file: "trivy-results.sarif"
3 changes: 3 additions & 0 deletions .kics.yaml
@@ -0,0 +1,3 @@
exclude-paths:
- "tests/"
- "src/Vfps/Protos/vfps/api/v1/*.proto"
1 change: 1 addition & 0 deletions .markdownlintignore
@@ -0,0 +1 @@
CHANGELOG.md
18 changes: 17 additions & 1 deletion .mega-linter.yml
Expand Up @@ -10,10 +10,26 @@ DISABLE:

DISABLE_LINTERS:
- REPOSITORY_DEVSKIM
- SPELL_LYCHEE

SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass

REPOSITORY_TRIVY_ARGUMENTS:
- "--severity='HIGH,CRITICAL'"
- "--severity=MEDIUM,HIGH,CRITICAL"

REPOSITORY_CHECKOV_ARGUMENTS:
- "--skip-path=tests/"

IGNORE_GITIGNORED_FILES: true

REPOSITORY_KICS_ARGUMENTS:
- --fail-on=HIGH

REPOSITORY_KICS_CONFIG_FILE: .kics.yaml

MARKDOWN_MARKDOWN_TABLE_FORMATTER_ARGUMENTS:
- -p 0

REPOSITORY_TRIVY_CONFIG_FILE: .trivy.yaml
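Review bot: with `--skip-path=tests/` for Checkov, `.kics.yaml` excluding `tests/`, and `.trivy.yaml` skipping `tests/`, everything under `tests/` (including the iter8 manifests and the `tests/chaos/chaos.yaml` that the Dockerfile copies into the stress-test image) is now outside every IaC scanner; that is a reasonable choice for test fixtures, but it is set in three places with no comment, so add a line here stating that it is intentional. Also note that the thresholds now differ: Trivy reports MEDIUM,HIGH,CRITICAL while KICS only fails the run on HIGH (`--fail-on=HIGH`), so a MEDIUM KICS finding is reported but never blocks CI.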
3 changes: 3 additions & 0 deletions .trivy.yaml
@@ -0,0 +1,3 @@
scan:
skip-dirs:
- tests/
6 changes: 6 additions & 0 deletions .trivyignore
@@ -1,3 +1,9 @@
# iter8 requires access to secrets
AVD-KSV-0041
KSV041

# OK, already covered by hadolint
AVD-DS-0002

# no update yet. blocking build.
CVE-2023-4911
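Review bot: the new `CVE-2023-4911` entry records only "no update yet. blocking build." without saying which package or base image it concerns or when the ignore should be lifted, so it will outlive the fix unless someone remembers to remove it; the `AVD-KSV-0041`/`KSV041` entry above it at least names its reason (iter8 requires access to secrets). Suggest noting the affected package next to the ID and, if the Trivy version in use supports the YAML ignore file with an expiry date, using that so the suppression lapses on its own.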
9 changes: 6 additions & 3 deletions Dockerfile
@@ -1,5 +1,7 @@
# syntax=docker/dockerfile:1.4
FROM mcr.microsoft.com/dotnet/nightly/aspnet:7.0.10-jammy-chiseled@sha256:8b0546dca6b23e438af6454a3242ffc4a3344a872e791e738f0a1be5fa4343b3 AS runtime
# kics false positive "Missing User Instruction": <https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f/>
# kics-scan ignore-line
FROM mcr.microsoft.com/dotnet/nightly/aspnet:7.0.11-jammy-chiseled@sha256:8b2a9b9a8d3c424a368aa347f333d4653e9ed6eb78c9af70e450b5cc514bf3b8 AS runtime
WORKDIR /opt/vfps
EXPOSE 8080/tcp 8081/tcp 8082/tcp
USER 65534:65534
Expand All @@ -9,7 +11,7 @@ ENV DOTNET_ENVIRONMENT="Production" \
ASPNETCORE_URLS="" \
DOTNET_BUNDLE_EXTRACT_BASE_DIR=/tmp

FROM mcr.microsoft.com/dotnet/sdk:7.0.400-jammy@sha256:fff616cce9131105bd3a09bd7033e8604ac761490a703c5ece071751c155b218 AS build
FROM mcr.microsoft.com/dotnet/sdk:7.0.401-jammy@sha256:49f2cb277dc4b089d9d7642f06afae0f2da10224be55ea2a64eb8af798ec4994 AS build
WORKDIR /build
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
PATH="/root/.dotnet/tools:${PATH}"
Expand Down Expand Up @@ -68,12 +70,13 @@ FROM build AS stress-test
WORKDIR /opt/vfps-stress
# https://github.com/hadolint/hadolint/pull/815 isn't yet in mega-linter
# hadolint ignore=DL3022
COPY --from=docker.io/bitnami/kubectl:1.27.5@sha256:f8c9112ed8e93374559de09ddb2f4459a8677a3e478206e23efae674dff0dc1f /opt/bitnami/kubectl/bin/kubectl /usr/bin/kubectl
COPY --from=docker.io/bitnami/kubectl:1.28.2@sha256:52a1c97ff9f4e82bce5f15cca73f9f454b70910afbf241ae0ecb5d60956fec05 /opt/bitnami/kubectl/bin/kubectl /usr/bin/kubectl

COPY tests/chaos/chaos.yaml /tmp/
COPY --from=build-stress-test /build/publish .
# currently running into <https://github.com/dotnet/runtime/issues/80619>
# when running as non-root.

# hadolint ignore=DL3002
USER 0:0
ENTRYPOINT ["dotnet"]
30 changes: 15 additions & 15 deletions README.md
Expand Up @@ -58,21 +58,21 @@ See <https://github.com/miracum/charts/tree/master/charts/vfps> for a production

Available configuration options which can be set as environment variables:

| Variable | Type | Default | Description |
| -------------------------------------------------- | ------------ | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ConnectionStrings__PostgreSQL` | `string` | `""` | Connection string to the PostgreSQL database. See <https://www.npgsql.org/doc/connection-string-parameters.html> for options. |
| `ForceRunDatabaseMigrations` | `bool` | `false` | Run database migrations as part of the startup. Only recommended when a single replica of the application is used. |
| `Tracing__IsEnabled` | `bool` | `false` | Enable distributed tracing support. |
| `Tracing__Exporter` | `string` | `"jaeger"` | The tracing export format. One of `jaeger`, `otlp`. |
| `Tracing__ServiceName` | `string` | `"vfps"` | Tracing service name. |
| `Tracing__RootSampler` | `string` | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler` |
| `Tracing__SamplingProbability` | `double` | `0.1` | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`. |
| `Tracing__Jaeger` | `object` | `{}` | Jaeger exporter options. See <https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Exporter.Jaeger/README.md#options-properties>. |
| `Tracing__Otlp__Endpoint` | `string` | `""` | The OTLP gRPC Endpoint URL. |
| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool` | `false` | Set to `true` to enable namespace caching. |
| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool` | `false` | Set to `true` to enable pseudonym caching. |
| `Pseudonymization__Caching__SizeLimit` | `int` | `65534` | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces. |
| `Pseudonymization__Caching__AbsoluteExpiration` | `D.HH:mm:nn` | `0.01:00:00` | Time after which a cache entry expires. |
| Variable | Type | Default | Description |
| -------------------------------------------------- | ------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| `ConnectionStrings__PostgreSQL` | `string` | `""` | Connection string to the PostgreSQL database. See <https://www.npgsql.org/doc/connection-string-parameters.html> for options. |
| `ForceRunDatabaseMigrations` | `bool` | `false` | Run database migrations as part of the startup. Only recommended when a single replica of the application is used. |
| `Tracing__IsEnabled` | `bool` | `false` | Enable distributed tracing support. |
| `Tracing__Exporter` | `string` | `"jaeger"` | The tracing export format. One of `jaeger`, `otlp`. |
| `Tracing__ServiceName` | `string` | `"vfps"` | Tracing service name. |
| `Tracing__RootSampler` | `string` | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler` |
| `Tracing__SamplingProbability` | `double` | `0.1` | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`. |
| `Tracing__Jaeger` | `object` | `{}` | Jaeger exporter options. |
| `Tracing__Otlp__Endpoint` | `string` | `""` | The OTLP gRPC Endpoint URL. |
| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool` | `false` | Set to `true` to enable namespace caching. |
| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool` | `false` | Set to `true` to enable pseudonym caching. |
| `Pseudonymization__Caching__SizeLimit` | `int` | `65534` | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces. |
| `Pseudonymization__Caching__AbsoluteExpiration` | `D.HH:mm:nn` | `0.01:00:00` | Time after which a cache entry expires. |

## Observability

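Review bot: the `Tracing__Jaeger` row lost its link to the OpenTelemetry Jaeger exporter options, so the table no longer tells a reader what that `object` accepts, while the other rows kept their references (`ConnectionStrings__PostgreSQL` still points to the npgsql documentation). If the link was removed to narrow the table, a shorter reference or a sentence under the table would preserve the information.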
0 comments on commit 865d36d