diff --git a/.github/dependabot.yml b/.github/dependabot.yml index bffb4d534..ff64e9c99 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 version: 2 updates: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f6509fa51..8473f1975 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,12 +1,11 @@ # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 # Distribution channels covered by this workflow # - Ubuntu and Debian # - RHEL and AL # - docker hub # - devenv ECR -# - AWS mktplace (not active atm) # - Cloudsmith name: Release @@ -21,7 +20,6 @@ on: - 'v*' env: - SLACK_CLI_TOKEN: ${{ secrets.BENDER_TOKEN }} GOPRIVATE: github.com/TykTechnologies jobs: @@ -29,17 +27,22 @@ jobs: name: '${{ matrix.golang_cross }}' runs-on: ubuntu-latest container: 'tykio/golang-cross:${{ matrix.golang_cross }}' + permissions: + id-token: write # AWS OIDC JWT + contents: read # actions/checkout strategy: fail-fast: false matrix: - golang_cross: [ 1.19-bullseye ] - include: + golang_cross: + - 1.19-bullseye + include: - golang_cross: 1.19-bullseye - goreleaser: 'ci/goreleaser/goreleaser.yml' + goreleaser: 'ci/goreleaser/goreleaser.yml' + cgo: 0 rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023' - debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye' + debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm' outputs: - tag: ${{ steps.targets.outputs.tag }} + tags: ${{ steps.metadata.outputs.tags }} steps: - name: Fix private module deps 
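Review bot: The new `permissions` block on the goreleaser job grants only `contents: read`, yet the same job still runs `goreleaser release` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` (second hunk on the next line); unless `ci/goreleaser/goreleaser.yml` disables the GitHub release or the step always runs with `--skip-publish` (neither is visible in this diff), creating the release and uploading assets will be rejected, so either add `contents: write` or leave a comment stating that releases go only to Cloudsmith/packagecloud. Granting `id-token: write` to a job that runs inside `container: 'tykio/golang-cross:${{ matrix.golang_cross }}'` also means the AWS role assumed later in this job is reachable from whatever that third-party image contains, and the image is selected by a mutable tag; pinning it by digest (`tykio/golang-cross:1.19-bullseye@sha256:<digest>`) narrows that and makes image updates reviewable. The goreleaser job continues past the end of this hunk.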
@@ -74,32 +77,24 @@ jobs: username: ${{ secrets.CLOUDSMITH_USERNAME }} password: ${{ secrets.CLOUDSMITH_API_KEY }} - - name: Unlock agent and set tag - id: targets - shell: bash + - name: Unlock agent env: NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20 PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }} - run: | + run: ci/bin/unlock-agent.sh - current_tag=${GITHUB_REF##*/} - echo "tag=${current_tag}" >> $GITHUB_OUTPUT - - name: Delete old release assets - if: startsWith(github.ref, 'refs/tags') - uses: mknejp/delete-release-assets@v1 + + + - uses: actions/cache@v3 with: - token: ${{ github.token }} - tag: ${{ github.ref }} - fail-if-no-assets: false - fail-if-no-release: false - assets: | - *.deb - *.rpm - *.tar.gz - *.txt.sig - *.txt + path: | + ~/.cache/go-build + ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - uses: goreleaser/goreleaser-action@v4 with: @@ -107,7 +102,7 @@ jobs: args: release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot' || '' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CGO_ENABLED: 0 + CGO_ENABLED: ${{ matrix.cgo }} NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} NFPM_PAYG_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }} GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20 
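Review bot: In the new `actions/cache@v3` step, `restore-keys` repeats the exact `key`, so it can never match a cache the primary key did not already match; a prefix such as `${{ runner.os }}-go-` is what provides a fallback to the previous cache when `go.sum` changes, which is presumably the intent. The two blank lines left behind where the `Delete old release assets` step was removed should collapse to one. The deleted step also exported `tag` via `$GITHUB_OUTPUT` under `id: targets`; the job output now comes from `steps.metadata` (first hunk), so confirm nothing downstream still reads `steps.targets.outputs.tag`. The goreleaser job starts and ends outside this hunk.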
@@ -116,88 +111,65 @@ jobs: DEBVERS: ${{ matrix.debvers }} RPMVERS: ${{ matrix.rpmvers }} PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} - - uses: actions/upload-artifact@v3 - with: - name: deb - retention-days: 1 - path: | - dist/*.deb - !dist/*PAYG*.deb - - - uses: actions/upload-artifact@v3 - with: - name: rpm - retention-days: 1 - path: | - dist/*.rpm - !dist/*PAYG*.rpm - ci: - needs: - - goreleaser - runs-on: ubuntu-latest - permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - - steps: - - name: Shallow checkout of tyk-pump - uses: actions/checkout@v3 - with: - fetch-depth: 1 - - uses: aws-actions/configure-aws-credentials@v2 with: role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk role-session-name: cipush aws-region: eu-central-1 + # Don't mask to pass it across job boundaries + mask-aws-account-id: false - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - - uses: actions/download-artifact@v3 + - uses: aws-actions/amazon-ecr-login@v1 + id: ecr with: - name: deb + mask-password: 'true' - - name: Docker metadata + - name: Docker metadata for CI id: metadata uses: docker/metadata-action@v4 with: - images: ${{ steps.login-ecr.outputs.registry }}/tyk-pump + images: ${{ steps.ecr.outputs.registry }}/tyk-pump flavor: | latest=false - prefix=v tags: | - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}} - type=semver,pattern=v{{major}} - type=ref,event=branch + type=ref,event=branch + type=ref,event=pr + type=sha,format=long + type=semver,pattern=v{{major}}.{{minor}},prefix=v + type=semver,pattern=v{{version}},prefix=v - - uses: docker/setup-qemu-action@v2 - - - uses: docker/setup-buildx-action@v2 + - name: CI push + shell: bash + env: + t: ${{ steps.metadata.outputs.tags }} + build_tag: ${{ startswith(github.ref, 'refs/tags') && github.ref_name || 'v0.0.0' }} + run: | + set +e + IFS=$'\n' tags=($t) + for tag in 
"${tags[@]}"; do + for arch in amd64 arm64; do + docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch} + done + docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag} + done - - name: CI build - uses: docker/build-push-action@v4 + - uses: actions/upload-artifact@v3 with: - push: true - context: "." - file: ci/Dockerfile.std - platforms: linux/amd64,linux/arm64 - tags: | - ${{ steps.metadata.outputs.tags }} - ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ needs.goreleaser.outputs.tag }} - ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ github.sha }} + name: deb + retention-days: 1 + path: | + dist/*.deb + !dist/*PAYG*.deb - sbom: - needs: ci - uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main - secrets: - TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }} - DEPDASH_URL: ${{ secrets.DEPDASH_URL }} - DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }} - ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} + - uses: actions/upload-artifact@v3 + with: + name: rpm + retention-days: 1 + path: | + dist/*.rpm + !dist/*PAYG*.rpm +# TODO: PR comment, using just one comment and updating, not a new comment each time upgrade-deb: if: startsWith(github.ref, 'refs/tags') @@ -213,10 +185,11 @@ jobs: - amd64 - arm64 distro: - - ubuntu:jammy - ubuntu:bionic - ubuntu:focal + - ubuntu:jammy - debian:bullseye + - debian:bookworm steps: - uses: actions/checkout@v3 @@ -260,8 +233,9 @@ jobs: fail-fast: false matrix: distro: - - ubi9/ubi - - ubi8/ubi + - amazonlinux:2023 + - registry.access.redhat.com/ubi8/ubi + - registry.access.redhat.com/ubi9/ubi steps: - uses: actions/checkout@v3 
@@ -276,7 +250,7 @@ jobs: - name: generate dockerfile run: | - echo 'FROM registry.access.redhat.com/${{ matrix.distro }} + echo 'FROM ${{ matrix.distro }} COPY tyk-pump*.x86_64.rpm /tyk-pump.rpm RUN yum install --allowerasing -y curl RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash && yum install -y tyk-pump-1.6.0-1 @@ -293,19 +267,20 @@ jobs: push: false smoke-tests: - if: startsWith(github.ref, 'refs/tags') needs: - goreleaser + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: fetch-depth: 1 - - - name: Run tests + - name: Run ci/tests shell: bash - env: + env: GITHUB_TAG: ${{ github.ref }} run: | set -eaxo pipefail @@ -335,3 +310,11 @@ jobs: fi done + + sbom: + needs: goreleaser + uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main + secrets: + DEPDASH_URL: ${{ secrets.DEPDASH_URL }} + DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }} + ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }} diff --git a/ci/Dockerfile.std b/ci/Dockerfile.std index cce463d35..264105d09 100644 --- a/ci/Dockerfile.std +++ b/ci/Dockerfile.std @@ -1,6 +1,5 @@ - # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 FROM debian:bullseye-slim ARG TARGETARCH @@ -10,9 +9,8 @@ ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update \ && apt-get dist-upgrade -y ca-certificates - # Remove some things to decrease CVE surface -RUN apt-get remove -y --allow-remove-essential --auto-remove curl libtiff5 ncurses-base \ +RUN dpkg --purge --force-remove-essential curl ncurses-base \ && rm /usr/bin/passwd && rm /usr/sbin/adduser # Clean up caches, unwanted .a and .o files diff --git a/ci/aws/byol.pkr.hcl b/ci/aws/byol.pkr.hcl index 167d9afdf..a927bf9d4 100644 --- a/ci/aws/byol.pkr.hcl +++ b/ci/aws/byol.pkr.hcl 
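Review bot: Removing `if: startsWith(github.ref, 'refs/tags')` from `smoke-tests` means the job now also runs for branch and PR refs, while `GITHUB_TAG: ${{ github.ref }}` then carries `refs/heads/...` or `refs/pull/...` instead of a version tag; the `run` script (it continues outside this hunk) has to cope with that value, or the env should fall back the way the goreleaser job's `build_tag` does. The added `id-token: write` has no OIDC consumer within the hunk; if a `configure-aws-credentials` step follows outside it, a comment naming that step (`# used by configure-aws-credentials below`) would make the grant auditable, otherwise the permission should be dropped. The `env:` line fix is whitespace only.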
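Review bot: The re-added `sbom` job calls `TykTechnologies/github-actions/.github/workflows/sbom.yaml@main` with three organisation secrets, so whatever lands on that repository's `main` branch runs with `DEPDASH_KEY` and `ORG_GH_TOKEN`; pinning the reusable workflow to a tag or commit SHA (`@<commit-sha>`) gives a reviewable update path that Dependabot can keep current. `TF_API_TOKEN` was dropped from `secrets:` compared with the removed block — if the reusable workflow still declares it as a required secret, the caller will fail at parse time, so confirm against its `workflow_call` inputs.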
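Review bot: The new `RUN dpkg --purge --force-remove-essential curl ncurses-base` drops `--auto-remove` and no longer lists `libtiff5`, so libcurl and the other dependencies that `apt-get remove ... --auto-remove` used to sweep out now stay in the image while the `# Remove some things to decrease CVE surface` comment above it is unchanged; if that narrowing is deliberate, say so, e.g. `# Purge curl and ncurses-base only; dpkg does not remove their dependencies`. I believe `dpkg --purge` also refuses to remove a package that another installed package depends on unless `--force-depends` is given, so the build would fail loudly rather than skip — worth one build on `debian:bullseye-slim` to confirm both removals go through.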
@@ -1,6 +1,6 @@ # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 packer { required_plugins { diff --git a/ci/goreleaser/goreleaser.yml b/ci/goreleaser/goreleaser.yml index d7666a2b4..afa7be00c 100644 --- a/ci/goreleaser/goreleaser.yml +++ b/ci/goreleaser/goreleaser.yml @@ -1,5 +1,5 @@ # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 # Check the documentation at http://goreleaser.com # This project needs CGO_ENABLED=1 and the cross-compiler toolchains for @@ -14,6 +14,7 @@ builds: goarch: - amd64 - arm64 + - s390x binary: tyk-pump dockers: @@ -21,8 +22,8 @@ dockers: - ids: - std image_templates: - - "tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64" - - "docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-amd64" + - "tykio/tyk-pump-docker-pub:{{.Tag}}-amd64" + - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-amd64" build_flag_templates: - "--build-arg=PORTS=80" - "--platform=linux/amd64" @@ -43,8 +44,8 @@ dockers: - ids: - std image_templates: - - "tykio/tyk-pump-docker-pub:{{ .Tag }}-arm64" - - "docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-arm64" + - "tykio/tyk-pump-docker-pub:{{.Tag}}-arm64" + - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-arm64" build_flag_templates: - "--build-arg=PORTS=80" - "--platform=linux/arm64" @@ -128,6 +129,11 @@ publishers: cmd: /pc.sh {{ .ArtifactPath }} +# This disables archives +archives: + - format: binary + allow_different_binary_count: true + checksum: disable: true diff --git a/ci/install/before_install.sh b/ci/install/before_install.sh index 6b30c85a1..06e23e74a 100755 --- a/ci/install/before_install.sh +++ b/ci/install/before_install.sh @@ -1,7 +1,7 @@ #!/bin/bash # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 echo "Creating user and group..." GROUPNAME="tyk" 
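Review bot: The added `- s390x` under `goarch` produces a binary that nothing else in this diff consumes: the `dockers` image_templates in the following hunks cover only `amd64` and `arm64`, and the `CI push` loop in release.yml iterates `for arch in amd64 arm64`. With `archives: - format: binary` and `allow_different_binary_count: true` now set, that binary would be published as a bare release asset with no package or image behind it — confirm that `nfpms` (outside this diff) is meant to pick it up, or annotate it with `# s390x: bare binary only, no docker image`. The `{{ .Tag }}` → `{{.Tag}}` edits are whitespace-only inside Go templates and change nothing.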
diff --git a/ci/install/post_install.sh b/ci/install/post_install.sh index ea03d859c..8d38d1eb5 100755 --- a/ci/install/post_install.sh +++ b/ci/install/post_install.sh @@ -2,7 +2,7 @@ # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 # If "True" the install directory ownership will be changed to "tyk:tyk" change_ownership="True" diff --git a/ci/install/post_remove.sh b/ci/install/post_remove.sh index 016299b1f..ab13ba20e 100755 --- a/ci/install/post_remove.sh +++ b/ci/install/post_remove.sh @@ -1,7 +1,7 @@ #!/bin/sh # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 cleanRemove() { diff --git a/ci/install/post_trans.sh b/ci/install/post_trans.sh index 0ccb92d6d..761c955a2 100644 --- a/ci/install/post_trans.sh +++ b/ci/install/post_trans.sh @@ -1,7 +1,7 @@ #!/bin/sh # Generated by: gromit policy -# Generated on: Wed Jul 26 08:25:03 UTC 2023 +# Generated on: Fri Oct 27 04:05:19 UTC 2023 if command -V systemctl >/dev/null 2>&1; then if [ ! -f /lib/systemd/system/tyk-pump.service ]; then