TrueChartsClone/.github/workflows/daily.yaml

398 lines
18 KiB
YAML
Raw Normal View History

name: "Chore: Daily Tasks"
on:
schedule:
2023-03-16 10:09:35 +00:00
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
issues: write
pull-requests: write
concurrency:
group: lock
jobs:
generate-readme:
runs-on: ubuntu-latest
name: "Generate readme files"
container:
image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
steps:
- name: Checkout
chore(deps): update github-actions (#11844) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `c85c95e` -> `f43a0e5` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41Ny40IiwidXBkYXRlZEluVmVyIjoiMzYuNTcuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
2023-08-24 15:23:11 +00:00
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 1
- name: Setting repo parent dir as safe safe.directory
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: generate readme.md
shell: bash
run: |
for train in stable operators SCALE incubator games enterprise develop non-free deprecated dependency core; do
for chart in charts/${train}/*; do
if [ -d "${chart}" ]; then
echo "Generating readme.md for ${train}/${chart}"
cp "templates/README.md.tpl" "${chart}/README.md"
sed -i "s/TRAINPLACEHOLDER/${train}/" "${chart}/README.md"
sed -i "s/CHARTPLACEHOLDER/${chartname}/" "${chart}/README.md"
fi
done
done
- name: generate HelmIgnore
shell: bash
run: |
for train in stable operators SCALE incubator games enterprise develop non-free deprecated dependency core; do
for chart in charts/${train}/*; do
if [ -d "${chart}" ]; then
echo "Attempting to sync HelmIgnore file for: ${chartname}"
rm -rf ${chart}/.helmignore
cp templates/chart/.helmignore ${chart}/
fi
done
done
- name: Checkout
chore(deps): update github-actions (#11844) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `c85c95e` -> `f43a0e5` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41Ny40IiwidXBkYXRlZEluVmVyIjoiMzYuNTcuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
2023-08-24 15:23:11 +00:00
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
repository: truecharts/website
path: website
fetch-depth: 1
token: ${{ secrets.BOT_TOKEN }}
- name: Bump and Sync
shell: bash
run: |
# Designed to ensure the appversion in Chart.yaml is in sync with the primary Chart tag if found
# Also makes sure that home link is pointing to the correct url
sync_tag() {
fix: Build links to Docker images for Chart.yaml (#6963) * style: Split long lines, follow .editorconfig Signed-off-by: Dan Christensen <opello@opello.org> * fix: Clarify why some sources are being excluded The explanation is also meant to remind anyone that sees it that the code could inadvertently remove a sources sequence entry that was intentionally added, because it can not tell. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Comment the image-to-URL code Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Use case instead of if-ladder This is a faithful move from the if-ladder to a case statement that preserves the existing behavior, with optimization to follow. The behavior of the function before and after this change is the same. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Remove dead code No "container source" entry from description_list.md has a scheme. The values are parsed from the Dockerfiles and would not have one there either. Signed-off-by: Dan Christensen <opello@opello.org> * fix: tccr.io image links Parse the tccr.io prefix specifically instead of just checking for the substring tccr which could result in a false positive. The generated link was also going to point to a truecharts subdirectory under mirror in the containers repository that does not exist. Signed-off-by: Dan Christensen <opello@opello.org> * fix: lscr.io image links Parse the lscr.io prefix specifically instead of just checking for the substring lscr which could result in a false positive. The generated link would also return a 404 because the web interface requires the image name to be passed in the query string. Signed-off-by: Dan Christensen <opello@opello.org> * fix: gcr.io image links Parse the gcr.io prefix specifically instead of just checking for the substring gcr which could result in a false positive. Signed-off-by: Dan Christensen <opello@opello.org> * feat: Do not add sources if no prefix is created The intent of this code is to generate URLs to be included in documentation to attribute inputs to the chart. If a publicly accessible URL can not be generated from the image name it makes sense to not add anything and instead rely on a manual edit to the Chart.yaml. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Disable azurecr.io image links There does not seem to be a general purpose web index to the azurecr.io hosted images. Signed-off-by: Dan Christensen <opello@opello.org> * feat: Disable mcr.microsoft.com image links Signed-off-by: Dan Christensen <opello@opello.org> * fix: public.ecr.aws image links Parse the public.ecr.aws prefix specifically instead of just checking for the substring public.ecr.aws which could result in a false positive. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Disable ocir.io image links There does not seem to be a general purpose web index to the ocir.io hosted images. Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Add Docker Hub hosted image links From the perspective of linking to image details on the Docker Hub web interface, there are two types of images: 1. Docker Official Images 2. all of the other images, regardless of their trustworthiness The Docker Official Images can be referenced several ways, either on the command line when passed to docker pull, or in the FROM instruction of a Dockerfile: * busybox * library/busybox * docker.io/busybox * docker.io/library/busybox Furthermore, over the years there have been several domains used for the official Docker Hub registry: * docker.io * index.docker.io * registry-1.docker.io * registry.hub.docker.com The goal here is handling each possible case, which makes Docker Hub images more complex than the handling for other registries. It also makes the case block's '*' (default) case harder to find in the sequence of glob expressions, but this is necessary to avoid repeating the parsing or adding another helper function. Reference: https://github.com/docker/hub-feedback/issues/2113 https://github.com/docker/cli/issues/3793 Signed-off-by: Dan Christensen <opello@opello.org> * feat: ghcr.io image links Signed-off-by: Dan Christensen <opello@opello.org> * feat: quay.io image links Signed-off-by: Dan Christensen <opello@opello.org> * feat: Do not generate likely-bad links By assuming image names that are not handled by other cases are Docker Hub images there is a risk of generating bad links. Minimize this risk by not generating a link if the image name for a Docker Hub link has two slashes. This is a case that should not happen and would likely mean an unsupported registry is being used. There is still a risk of an unsupported registry being treated as Docker Hub and an invalid link being generated. That case is if the domain and image name is example.com/busybox where there is only one slash. Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Sort cases Sort the cases from longest to shortest prioritizing any case with a suffix only glob over any case with a prefix glob. The intention is to avoid having a case that can not be reached. The combined Docker Hub and default case is last. It might make sense to split the default case handling off but it does not seem to be a problem right now. Signed-off-by: Dan Christensen <opello@opello.org> --------- Signed-off-by: Dan Christensen <opello@opello.org>
2023-02-09 12:08:53 +00:00
local chart="$1"
local chartname="$2"
local train="$3"
echo "Attempting to sync primary tag with appversion for: ${chartname}"
local tag="$(cat ${chart}/values.yaml | grep '^ tag: ' | awk -F" " '{ print $2 }' | head -1)"
tag="${tag%%@*}"
tag="${tag:-auto}"
tag=$(echo $tag | sed "s/release-//g")
tag=$(echo $tag | sed "s/release_//g")
tag=$(echo $tag | sed "s/version-//g")
tag=$(echo $tag | sed "s/version_//g")
tag="${tag#*V.}"
tag="${tag#*v-}"
tag="${tag#*v}"
tag="${tag%-*}"
tag="${tag:0:10}"
tag="${tag%-}"
tag="${tag%_}"
tag="${tag%.}"
echo "Updating tag of ${chartname} to ${tag}..."
sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml"
echo "Updating icon of ${chartname}..."
sed -i -e "s|icon: .*|icon: https:\/\/truecharts.org\/img\/hotlink-ok\/chart-icons\/${chartname}.png|" "${chart}/Chart.yaml"
echo "Updating home of ${chartname}..."
sed -i -e "s|home: .*|home: https:\/\/truecharts.org\/charts\/${train}\/${chartname}|" "${chart}/Chart.yaml"
echo "Attempting to update sources of ${chartname}..."
echo "Using go-yq verion: <$(go-yq -V)>"
# Get current sources, exluding those that may have been added automatically.
curr_sources=$(
go-yq '
.sources[] |
select(
. != "https://github.com/truecharts*" and
. != "https://ghcr*" and
. != "docker.io*" and
. != "https://docker.io*" and
. != "https://hub.docker*" and
. != "https://fleet.*" and
. != "https://github.com/truecharts/containers/tree/master/mirror/*" and
. != "https://public.ecr.aws*" and
. != "https://ocir.io*" and
. != "https://gcr*" and
. != "https://azurecr*" and
. != "https://quay*" and
. != "https://lscr*" and
. != "https://github.com/truecharts/containers*" and
. == "http*"
)
' \
"${chart}/Chart.yaml"
)
# Empty sources list in-place
go-yq -i 'del(.sources.[])' "${chart}/Chart.yaml"
# Add truechart source
tcsource="https://github.com/truecharts/charts/tree/master/charts/$train/$chartname" go-yq -i '.sources += env(tcsource)' "${chart}/Chart.yaml"
# Get the container image name that was parsed out of the Dockerfile for the website.
container=$(cat website/docs/charts/description_list.md | grep "\[${chartname}\]" | cut -f3 -d '|' | grep -v 'Not Found' || echo "")
# Convert the container image name to a URL.
if [ ! -z "$container" ]; then
prefix=""
case "$container" in
lscr.io/linuxserver/*)
prefix="https://fleet.linuxserver.io/image?name="
container=${container#lscr.io/}
;;
tccr.io/truecharts/*)
prefix="https://github.com/truecharts/containers/tree/master/mirror"
container=${container#tccr.io/truecharts/}
;;
mcr.microsoft.com/*)
prefix=""
;;
public.ecr.aws/*)
prefix="https://gallery.ecr.aws/"
container=${container#public.ecr.aws/}
;;
ghcr.io/*)
prefix="https://"
;;
quay.io/*)
prefix="https://"
;;
gcr.io/*)
prefix="https://"
;;
*.azurecr.io/*)
prefix=""
;;
*.ocir.io/*)
prefix=""
;;
# There have been a number of domains used for the Docker Hub registry over the years.
# NOTE: This is also the default case!
docker.io/*|index.docker.io/*|registry-1.docker.io/*|registry.hub.docker.com/*|*)
prefix="https://hub.docker.com/r/"
container=${container#docker.io/}
container=${container#index.docker.io/}
container=${container#registry-1.docker.io/}
container=${container#registry.hub.docker.com/}
# If the image name does not contain a slash it is a Docker Official Image.
if [ "$container" == "${container////}" ]; then
prefix="https://hub.docker.com/_/"
# If the user name is library it is a Docker Official Image.
elif [ "${container%%/*}" == "library" ]; then
prefix="https://hub.docker.com/_/"
container=${container#library/}
fi
# Avoid creating a bad link since an unsupported registry may have been used.
slashes=${container//[^\/]/}
# Bail out if the image name has more than 1 slash.
if [ ${#slashes} -gt 1 ]; then
prefix=""
echo "WARNING: Not assuming '$container' is a Docker Hub image"
fi
;;
esac
if [ -n "${prefix}" ]; then
container="${prefix}${container}" go-yq -i '.sources += env(container) | .sources |= unique' "${chart}/Chart.yaml"
fi
fix: Build links to Docker images for Chart.yaml (#6963) * style: Split long lines, follow .editorconfig Signed-off-by: Dan Christensen <opello@opello.org> * fix: Clarify why some sources are being excluded The explanation is also meant to remind anyone that sees it that the code could inadvertently remove a sources sequence entry that was intentionally added, because it can not tell. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Comment the image-to-URL code Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Use case instead of if-ladder This is a faithful move from the if-ladder to a case statement that preserves the existing behavior, with optimization to follow. The behavior of the function before and after this change is the same. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Remove dead code No "container source" entry from description_list.md has a scheme. The values are parsed from the Dockerfiles and would not have one there either. Signed-off-by: Dan Christensen <opello@opello.org> * fix: tccr.io image links Parse the tccr.io prefix specifically instead of just checking for the substring tccr which could result in a false positive. The generated link was also going to point to a truecharts subdirectory under mirror in the containers repository that does not exist. Signed-off-by: Dan Christensen <opello@opello.org> * fix: lscr.io image links Parse the lscr.io prefix specifically instead of just checking for the substring lscr which could result in a false positive. The generated link would also return a 404 because the web interface requires the image name to be passed in the query string. Signed-off-by: Dan Christensen <opello@opello.org> * fix: gcr.io image links Parse the gcr.io prefix specifically instead of just checking for the substring gcr which could result in a false positive. Signed-off-by: Dan Christensen <opello@opello.org> * feat: Do not add sources if no prefix is created The intent of this code is to generate URLs to be included in documentation to attribute inputs to the chart. If a publicly accessible URL can not be generated from the image name it makes sense to not add anything and instead rely on a manual edit to the Chart.yaml. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Disable azurecr.io image links There does not seem to be a general purpose web index to the azurecr.io hosted images. Signed-off-by: Dan Christensen <opello@opello.org> * feat: Disable mcr.microsoft.com image links Signed-off-by: Dan Christensen <opello@opello.org> * fix: public.ecr.aws image links Parse the public.ecr.aws prefix specifically instead of just checking for the substring public.ecr.aws which could result in a false positive. Signed-off-by: Dan Christensen <opello@opello.org> * fix: Disable ocir.io image links There does not seem to be a general purpose web index to the ocir.io hosted images. Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Add Docker Hub hosted image links From the perspective of linking to image details on the Docker Hub web interface, there are two types of images: 1. Docker Official Images 2. all of the other images, regardless of their trustworthiness The Docker Official Images can be referenced several ways, either on the command line when passed to docker pull, or in the FROM instruction of a Dockerfile: * busybox * library/busybox * docker.io/busybox * docker.io/library/busybox Furthermore, over the years there have been several domains used for the official Docker Hub registry: * docker.io * index.docker.io * registry-1.docker.io * registry.hub.docker.com The goal here is handling each possible case, which makes Docker Hub images more complex than the handling for other registries. It also makes the case block's '*' (default) case harder to find in the sequence of glob expressions, but this is necessary to avoid repeating the parsing or adding another helper function. Reference: https://github.com/docker/hub-feedback/issues/2113 https://github.com/docker/cli/issues/3793 Signed-off-by: Dan Christensen <opello@opello.org> * feat: ghcr.io image links Signed-off-by: Dan Christensen <opello@opello.org> * feat: quay.io image links Signed-off-by: Dan Christensen <opello@opello.org> * feat: Do not generate likely-bad links By assuming image names that are not handled by other cases are Docker Hub images there is a risk of generating bad links. Minimize this risk by not generating a link if the image name for a Docker Hub link has two slashes. This is a case that should not happen and would likely mean an unsupported registry is being used. There is still a risk of an unsupported registry being treated as Docker Hub and an invalid link being generated. That case is if the domain and image name is example.com/busybox where there is only one slash. Signed-off-by: Dan Christensen <opello@opello.org> * refactor: Sort cases Sort the cases from longest to shortest prioritizing any case with a suffix only glob over any case with a prefix glob. The intention is to avoid having a case that can not be reached. The combined Docker Hub and default case is last. It might make sense to split the default case handling off but it does not seem to be a problem right now. Signed-off-by: Dan Christensen <opello@opello.org> --------- Signed-off-by: Dan Christensen <opello@opello.org>
2023-02-09 12:08:53 +00:00
fi
# Add the rest of the sources
while IFS= read -r line; do
src="$line" go-yq -i '.sources += env(src)' "${chart}/Chart.yaml" || echo "src set error"
done <<< "$curr_sources"
echo "Sources of ${chartname} updated!"
}
export -f sync_tag
for train in enterprise stable operators incubator dependency; do
echo "Correcting Chart.yaml for Train: ${train}..."
for chart in $(ls "charts/${train}"); do
echo "Correcting Chart.yaml for Chart: ${chart}..."
sync_tag "charts/${train}/${chart}" "${chart}" "${train}"
done
done
feat(metallb): add our own metallb operator (#9099) **Description** This adds our first chart for the `operators` train: metallb. It also includes some fixes to get said train to work. **⚙️ Type of change** - [x] ⚙️ Feature/App addition - [ ] 🪛 Bugfix - [x] ⚠️ Breaking change (fix or feature that would cause existing functionality to not work as expected) - [x] 🔃 Refactor of current code **🧪 How Has This Been Tested?** <!-- Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration --> **📃 Notes:** This should not be used yet by end users. **✔️ Checklist:** - [x] ⚖️ My code follows the style guidelines of this project - [x] 👀 I have performed a self-review of my own code - [x] #️⃣ I have commented my code, particularly in hard-to-understand areas - [x] 📄 I have made corresponding changes to the documentation - [x] ⚠️ My changes generate no new warnings - [x] 🧪 I have added tests to this description that prove my fix is effective or that my feature works - [x] ⬆️ I increased versions for any altered app according to semantic versioning **➕ App addition** If this PR is an app addition please make sure you have done the following. - [x] 🪞 I have opened a PR on [truecharts/containers](https://github.com/truecharts/containers) adding the container to TrueCharts mirror repo. - [x] 🖼️ I have added an icon in the Chart's root directory called `icon.png` --- _Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what is this all about and the status of this PR with a quick glance._
2023-05-29 08:44:38 +00:00
- name: Fix Fixable Pre-Commit issues
shell: bash
if: inputs.chartChangesDetected == 'true'
run: |
echo "Running pre-commit test-and-cleanup..."
pre-commit run --all ||:
# Fix sh files to always be executable
find . -name '*.sh' | xargs chmod +x
- name: Cleanup
run: |
rm -rf changes.json
rm -rf master
- name: Commit changes
run: |
git config user.name "TrueCharts-Bot"
git config user.email "bot@truecharts.org"
git pull
git add --all
git commit -sm "Commit daily changes" || exit 0
git push
generate-security-reports:
runs-on: ubuntu-latest
name: "Generate Security Reports"
container:
image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3
steps:
- name: Install Kubernetes tools
uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
with:
setup-tools: |
helmv3
helm: "3.8.0"
- name: Prep Helm
run: |
helm repo add truecharts https://charts.truecharts.org
helm repo add truecharts-library https://library-charts.truecharts.org
helm repo add truecharts-deps https://deps.truecharts.org
helm repo update
- name: Checkout
chore(deps): update github-actions (#11844) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `c85c95e` -> `f43a0e5` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41Ny40IiwidXBkYXRlZEluVmVyIjoiMzYuNTcuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
2023-08-24 15:23:11 +00:00
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 1
- name: Setting repo parent dir as safe safe.directory
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Checkout website
chore(deps): update github-actions (#11844) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `c85c95e` -> `f43a0e5` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41Ny40IiwidXBkYXRlZEluVmVyIjoiMzYuNTcuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
2023-08-24 15:23:11 +00:00
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 1
repository: truecharts/website
token: ${{ secrets.BOT_TOKEN }}
path: website
- name: fetch dependencies
shell: bash
run: |
.github/scripts/fetch_helm_deps.sh
- name: generate security reports
shell: bash
run: |
#!/bin/bash
render() {
local chart="$1"
local chartname="$2"
local train="$3"
echo "Rendering helm-template for ${chartname}"
mkdir -p ${chart}/render
helm template ${chart} >> ${chart}/render/app.yaml || echo "Helm template failed..."
}
helm_sec_scan() {
local chart="$1"
local chartname="$2"
local train="$3"
echo "Scanning helm security for ${chartname}"
mkdir -p ${chart}/render
rm -rf website/docs/charts/${train}/${chartname}/helm-security.md || echo "removing old helm-security file failed..."
echo "# Helm Security" >> website/docs/charts/${train}/${chartname}/helm-security.md
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
echo "## Helm-Chart" >> website/docs/charts/${train}/${chartname}/helm-security.md
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/helm-security.md
echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
trivy config --namespaces builtin.kubernetes.* -f template --template "@./templates/trivy-config.tpl" ${chart}/render >> website/docs/charts/${train}/${chartname}/helm-security.md || echo "trivy scan failed..."
}
container_sec_scan() {
local chart="$1"
local chartname="$2"
local train="$3"
echo "Scanning container security for ${chartname}"
mkdir -p ${chart}/render
rm -rf website/docs/charts/${train}/${chartname}/container-security.md || echo "removing old container-security file failed..."
echo "# Container Security" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "##### Detected Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
cat ${chart}/render/containers.tmp >> website/docs/charts/${train}/${chartname}/container-security.md
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
for container in $(cat ${chart}/render/containers.tmp | sort | uniq); do
if [[ "$container" == *"truecharts/alpine"* || "$container" == *"truecharts/ubuntu"* || "$container" == *"truecharts/kubectl"* ]]; then
echo "Skipping ${container}, as it's a shared common container..."
else
echo "**Container: ${container}**" >> website/docs/charts/${train}/${chartname}/container-security.md
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
trivy image --security-checks vuln -f template --template "@./templates/trivy-container.tpl" ${container} >> website/docs/charts/${train}/${chartname}/container-security.md || echo "trivy container scan failed..."
echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
fi
done
}
cleanfiles() {
local chart="$1"
local chartname="$2"
local train="$3"
echo "sanitising website output for ${chartname}..."
rm -rf ${chart}/render
sed -i 's|<br>|<br />|g' website/docs/charts/${train}/${chartname}/helm-security.md ||:
sed -i 's|<br>|<br />|g' website/docs/charts/${train}/${chartname}/container-security.md ||:
sed -i 's|<hr>|<hr />|g' website/docs/charts/${train}/${chartname}/helm-security.md ||:
sed -i 's|<hr>|<hr />|g' website/docs/charts/${train}/${chartname}/container-security.md ||:
}
for train in enterprise stable operators incubator dependency; do
echo "Processing Charts for Train: ${train}..."
for chart in $(ls "charts/${train}"); do
render "charts/${train}/${chart}" ${chart} ${train} || echo "rendering failed for ${chart}"
helm_sec_scan "charts/${train}/${chart}" ${chart} ${train} || echo "helm chart processing failed for ${chart}"
if [ ${train} == "enterprise" ]; then
container_sec_scan "charts/${train}/${chart}" ${chart} ${train} || echo "container processing failed for ${chart}"
fi
cleanfiles "charts/${train}/${chart}" ${chart} ${train} || echo "cleaning failed for ${chart}"
done
done
echo "finsihed security scan"
- name: Commit Website Changes
run: |
cd website
git config user.name "TrueCharts-Bot"
git config user.email "bot@truecharts.org"
git pull
git add --all
git commit -sm "Commit released docs for TrueCharts" || exit 0
git push
lock-threads:
runs-on: ubuntu-latest
steps:
- uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4
with:
github-token: ${{ secrets.BOT_TOKEN }}
2023-03-16 10:09:35 +00:00
issue-inactive-days: "7"
exclude-any-issue-labels: ""
issue-comment: "This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on discord of the problem persists"
issue-lock-reason: ""
pr-inactive-days: "7"
pr-comment: "This PR is locked to prevent necro-posting on closed PRs. Please create a issue or contact staff on discord if you want to further discuss this"
pr-lock-reason: "resolved"
log-output: true
2023-03-16 10:09:35 +00:00
2023-03-16 10:11:00 +00:00
check-contributors:
2023-03-16 10:10:29 +00:00
name: Check Contributors
2023-03-16 10:09:35 +00:00
runs-on: ubuntu-latest
steps:
- name: Checkout
chore(deps): update github-actions (#11844) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | digest | `c85c95e` -> `f43a0e5` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41Ny40IiwidXBkYXRlZEluVmVyIjoiMzYuNTcuNCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
2023-08-24 15:23:11 +00:00
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
2023-03-16 10:09:35 +00:00
with:
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 1
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
2023-03-16 10:09:35 +00:00
with:
node-version: 18
- uses: borales/actions-yarn@97ba8bebfe5b549bb7999261698a52a81fd62f1b # v4.2.0
2023-03-16 10:09:35 +00:00
with:
cmd: install --frozen-lockfile
- name: List missing and unknown contributors
env:
PRIVATE_TOKEN: ${{ secrets.BOT_TOKEN }}
2023-03-16 10:09:35 +00:00
run: |
awk -F', ' '{ for( i=1; i<=NF; i++ ) print $i }' <<<$(yarn all-contributors check)