diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 0f83449..6b0fabe 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -63,13 +63,6 @@ jobs: with: fetch-depth: 0 - - uses: camptocamp/initialise-gopass-summon-action@v2 - with: - ci-gpg-private-key: ${{secrets.CI_GPG_PRIVATE_KEY}} - github-gopass-ci-token: ${{secrets.GOPASS_CI_GITHUB_TOKEN}} - patterns: pypi - if: env.HAS_SECRETS == 'HAS_SECRETS' - - uses: actions/setup-python@v5 with: python-version: '3.13' diff --git a/config.md b/config.md index 485b797..e488f22 100644 --- a/config.md +++ b/config.md @@ -32,17 +32,6 @@ _Tag Publish configuration file_ - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag", "version_branch", "rebuild", "feature_branch"]`. - **Items** _(string)_ - **`auto_login`** _(boolean)_: Auto login to the GitHub Docker registry. Default: `false`. - - **`snyk`** _(object)_: Checks the published images with Snyk. - - **`monitor_args`**: The arguments to pass to the Snyk container monitor command. Default: `["--app-vulns"]`. - - **One of** - - _array_ - - **Items** _(string)_ - - : Must be: `false`. - - **`test_args`**: The arguments to pass to the Snyk container test command. Default: `["--app-vulns", "--severity-threshold=critical"]`. - - **One of** - - _array_ - - **Items** _(string)_ - - : Must be: `false`. - **`pypi`** _(object)_: Configuration to publish on pypi. - **`packages`** _(array)_: The configuration of packages that will be published. - **Items** _(object)_: The configuration of package that will be published. diff --git a/tag_publish/__init__.py b/tag_publish/__init__.py index 6eaee18..e3d4e20 100644 --- a/tag_publish/__init__.py +++ b/tag_publish/__init__.py 
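Review bot: The removed `initialise-gopass-summon-action` step is the only consumer of `secrets.CI_GPG_PRIVATE_KEY` and `secrets.GOPASS_CI_GITHUB_TOKEN` visible in this hunk; if no other step in the workflow still references them they become dangling repository secrets and should be deleted from the repo settings, with the GPG key and token rotated, since an unused long-lived credential is pure exposure. The step was scoped with `patterns: pypi`, not snyk, so it presumably also served the PyPI publish path that config.md still documents — confirm that path obtains its credential another way (e.g. OIDC trusted publishing) rather than failing later at a `gopass show`. If the `HAS_SECRETS` env value that gated this step has no remaining user, drop that computation in the same change so the gate does not linger as dead configuration.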
@@ -279,23 +279,6 @@ def download_application(application_name: str, binary_filename: Optional[str] = return binary_full_filename -def snyk_exec() -> tuple[str, dict[str, str]]: - """Get the Snyk cli executable path.""" - env = {**os.environ} - env["FORCE_COLOR"] = "true" - - snyk_bin = download_application("snyk/cli", "snyk") - - if "SNYK_TOKEN" not in env: - env["SNYK_TOKEN"] = subprocess.run( - ["gopass", "show", "gs/ci/snyk/token"], check=True, stdout=subprocess.PIPE, encoding="utf-8" - ).stdout.strip() - if "SNYK_ORG" in env: - subprocess.run([snyk_bin, "config", "set", f"org={env['SNYK_ORG']}"], check=True, env=env) - - return snyk_bin, env - - class PublishedPayload(TypedDict, total=False): """ The payload to send to the dispatch event. diff --git a/tag_publish/cli.py b/tag_publish/cli.py index 2f22c8b..2ff7fe5 100644 --- a/tag_publish/cli.py +++ b/tag_publish/cli.py @@ -73,7 +73,6 @@ def main() -> None: "--docker-versions", help="The versions to publish on Docker registry, comma separated, ex: 'x,x.y,x.y.z,latest'.", ) - parser.add_argument("--snyk-version", help="The version to publish to Snyk") parser.add_argument("--branch", help="The branch from which to compute the version") parser.add_argument("--tag", help="The tag from which to compute the version") parser.add_argument("--dry-run", action="store_true", help="Don't do the publish") @@ -190,7 +189,6 @@ def main() -> None: args.group, args.dry_run, args.docker_versions, - args.snyk_version, config, version, version_type, @@ -295,7 +293,6 @@ def _handle_docker_publish( group: str, dry_run: bool, docker_versions: str, - snyk_version: str, config: tag_publish.configuration.Configuration, version: str, version_type: str, 
@@ -358,7 +355,6 @@ def _handle_docker_publish( images_src: set[str] = set() images_full: list[str] = [] - images_snyk: set[str] = set() versions = docker_versions.split(",") if docker_versions else [version] for image_conf in docker_config.get("images", []): if image_conf.get("group", tag_publish.configuration.DOCKER_IMAGE_GROUP_DEFAULT) == group: @@ -366,25 +362,6 @@ def _handle_docker_publish( tag_src = tag_config.format(version="latest") image_source = f"{image_conf['name']}:{tag_src}" images_src.add(image_source) - tag_snyk = tag_config.format(version=snyk_version or version).lower() - image_snyk = f"{image_conf['name']}:{tag_snyk}" - - # Workaround sine we have the business plan - image_snyk = f"{image_conf['name']}_{tag_snyk}" - - if not dry_run: - subprocess.run(["docker", "tag", image_source, image_snyk], check=True) - images_snyk.add(image_snyk) - if tag_snyk != tag_src and not dry_run: - subprocess.run( - [ - "docker", - "tag", - image_source, - f"{image_conf['name']}:{tag_snyk}", - ], - check=True, - ) for name, conf in docker_config.get( "repository", 
@@ -423,55 +400,6 @@ def _handle_docker_publish( if dry_run: sys.exit(0) - try: - has_gopass = subprocess.run(["gopass", "--version"]).returncode == 0 # nosec # pylint: disable=subprocess-run-check - except FileNotFoundError: - has_gopass = False - if "SNYK_TOKEN" in os.environ or has_gopass: - snyk_exec, env = tag_publish.snyk_exec() - for image in images_snyk: - print(f"::group::Snyk check {image}") - sys.stdout.flush() - sys.stderr.flush() - try: - if version_type in ("version_branch", "version_tag"): - monitor_args = docker_config.get("snyk", {}).get( - "monitor_args", - tag_publish.configuration.DOCKER_SNYK_MONITOR_ARGS_DEFAULT, - ) - if monitor_args is not False: - subprocess.run( # pylint: disable=subprocess-run-check - [ - snyk_exec, - "container", - "monitor", - *monitor_args, - # Available only on the business plan - # f"--project-tags=tag={image.split(':')[-1]}", - image, - ], - env=env, - ) - test_args = docker_config.get("snyk", {}).get( - "test_args", tag_publish.configuration.DOCKER_SNYK_TEST_ARGS_DEFAULT - ) - snyk_error = False - if test_args is not False: - proc = subprocess.run( - [snyk_exec, "container", "test", *test_args, image], - check=False, - env=env, - ) - if proc.returncode != 0: - snyk_error = True - print("::endgroup::") - if snyk_error: - print("::error::Critical vulnerability found by Snyk in the published image.") - except subprocess.CalledProcessError as exception: - print(f"Error: {exception}") - print("::endgroup::") - print("::error::With error") - versions_config, dpkg_config_found = tag_publish.lib.docker.get_versions_config() dpkg_success = True for image in images_src: diff --git a/tag_publish/configuration.py b/tag_publish/configuration.py index fa88ead..7b7f043 100644 --- a/tag_publish/configuration.py +++ b/tag_publish/configuration.py 
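Review bot: With the Snyk `container test` block removed, the images that reach the `repository` loop and the `versions_config` / dpkg check below are published with no vulnerability check left anywhere in `_handle_docker_publish`, and the commit introduces no replacement scanner or registry-side scan. If scanning is intentionally moving elsewhere, say so in the commit message and leave a comment such as `# Image vulnerability scanning is no longer done in the publish path; see <replacement>` above the `versions_config` line so the omission reads as deliberate. Note the old gate only printed `::error::` and never changed the exit status, so this removal does not weaken an actual blocking control — if a real gate is wanted, the replacement should exit non-zero on findings. `version_type` was consumed by the removed `monitor_args` branch; if it has no other use in the function it is now an unused parameter that callers still pass. `_handle_docker_publish` starts and ends outside this hunk.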
@@ -2,7 +2,7 @@ Automatically generated file from a JSON schema. """ -from typing import Any, Dict, List, Literal, TypedDict, Union +from typing import Any, Dict, List, TypedDict class Configuration(TypedDict, total=False): @@ -98,14 +98,6 @@ class Configuration(TypedDict, total=False): """ Default value of the field path 'Docker repository versions' """ -DOCKER_SNYK_MONITOR_ARGS_DEFAULT = ["--app-vulns"] -""" Default value of the field path 'Docker snyk monitor_args' """ - - -DOCKER_SNYK_TEST_ARGS_DEFAULT = ["--app-vulns", "--severity-threshold=critical"] -""" Default value of the field path 'Docker snyk test_args' """ - - # | dispatch config. # | # | Send a dispatch event to an other repository @@ -175,9 +167,6 @@ class Docker(TypedDict, total=False): default: False """ - snyk: "_DockerSnyk" - """ Checks the published images with Snyk """ - class DockerImage(TypedDict, total=False): """Docker image.""" 
@@ -457,81 +446,6 @@ class Version(TypedDict, total=False): """ -_DOCKER_SNYK_MONITOR_ARGS_ONEOF0_DEFAULT = ["--app-vulns"] -""" Default value of the field path 'Docker Snyk monitor args oneof0' """ - - -_DOCKER_SNYK_MONITOR_ARGS_ONEOF1_DEFAULT = ["--app-vulns"] -""" Default value of the field path 'Docker Snyk monitor args oneof1' """ - - -_DOCKER_SNYK_TEST_ARGS_ONEOF0_DEFAULT = ["--app-vulns", "--severity-threshold=critical"] -""" Default value of the field path 'Docker Snyk test args oneof0' """ - - -_DOCKER_SNYK_TEST_ARGS_ONEOF1_DEFAULT = ["--app-vulns", "--severity-threshold=critical"] -""" Default value of the field path 'Docker Snyk test args oneof1' """ - - -class _DockerSnyk(TypedDict, total=False): - """Checks the published images with Snyk""" - - monitor_args: Union["_DockerSnykMonitorArgsOneof0", "_DockerSnykMonitorArgsOneof1"] - """ - Docker Snyk monitor args. - - The arguments to pass to the Snyk container monitor command - - default: - - --app-vulns - - Aggregation type: oneOf - """ - - test_args: Union["_DockerSnykTestArgsOneof0", "_DockerSnykTestArgsOneof1"] - """ - Docker Snyk test args. - - The arguments to pass to the Snyk container test command - - default: - - --app-vulns - - --severity-threshold=critical - - Aggregation type: oneOf - """ - - -_DockerSnykMonitorArgsOneof0 = List[str] -""" -default: - - --app-vulns -""" - - -_DockerSnykMonitorArgsOneof1 = Literal[False] -""" -default: - - --app-vulns -""" - - -_DockerSnykTestArgsOneof0 = List[str] -""" -default: - - --app-vulns - - --severity-threshold=critical -""" - - -_DockerSnykTestArgsOneof1 = Literal[False] -""" -default: - - --app-vulns - - --severity-threshold=critical -""" - - _VersionTransformItem = TypedDict( "_VersionTransformItem", { diff --git a/tag_publish/schema.json b/tag_publish/schema.json index 101ec36..98cc9a1 100644 --- a/tag_publish/schema.json +++ b/tag_publish/schema.json 
@@ -81,40 +81,6 @@ "description": "Auto login to the GitHub Docker registry", "type": "boolean", "default": false - }, - "snyk": { - "description": "Checks the published images with Snyk", - "type": "object", - "properties": { - "monitor_args": { - "description": "The arguments to pass to the Snyk container monitor command", - "title": "Docker Snyk monitor args", - "default": ["--app-vulns"], - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { "const": false } - ] - }, - "test_args": { - "description": "The arguments to pass to the Snyk container test command", - "title": "Docker Snyk test args", - "default": ["--app-vulns", "--severity-threshold=critical"], - "oneOf": [ - { - "type": "array", - "items": { - "type": "string" - } - }, - { "const": false } - ] - } - } } } }, diff --git a/tag_publish/versions.yaml b/tag_publish/versions.yaml index 307a97f..1ee744e 100644 --- a/tag_publish/versions.yaml +++ b/tag_publish/versions.yaml @@ -1,3 +1,2 @@ # https://docs.renovatebot.com/modules/datasource/#github-releases-datasource helm/chart-releaser: v1.6.1 # github-releases -snyk/cli: v1.1293.1 # github-releases