resolve GHSA-6xv5-86q9-7xr8 #268
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR/main branch CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| APP_SLUG: replicated-sdk-e2e | |
| jobs: | |
| make-tests: | |
| env: | |
| PACT_VERSION: ${{ github.sha }} | |
| PACT_BROKER_BASE_URL: ${{ vars.PACT_BROKER_BASE_URL }} | |
| PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }} | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: '^1.20' | |
| cache: false | |
| - uses: replicatedhq/action-install-pact@v1 | |
| - run: make test | |
| - if: github.event_name == 'push' || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository ) | |
| run: make publish-pact | |
| - if: github.event_name == 'push' || ( github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository ) | |
| run: | | |
| make can-i-deploy || echo "::warning:: can-i-deploy says no; provider(s) must successfully verify before release" | |
| build-and-push-e2e: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: '^1.20' | |
| - name: build and push replicated for e2e | |
| env: | |
| USER: automated-${{ github.run_id }} | |
| run: make build-ttl.sh | |
| validate-chart: | |
| runs-on: ubuntu-22.04 | |
| needs: [ build-and-push-e2e ] | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: validate chart | |
| run: | | |
| output=$(helm template oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0) | |
| if echo $output | grep -q integration-enabled; then | |
| printf "'integration-enabled' key should not exist if value is not set by the user:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if echo $output | grep -q 'kind: ConfigMap'; then | |
| printf "legacy/deprecated configmap should not exist:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if ! echo $output | grep -q 'kind: ServiceAccount'; then | |
| printf "default service account should exist if user does not set serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if ! echo $output | grep -q 'kind: Role'; then | |
| printf "default role should exist if user does not set serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if ! echo $output | grep -q 'kind: RoleBinding'; then | |
| printf "default rolebinding should exist if user does not set serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| output=$(helm template oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --set integration.enabled=true) | |
| if ! echo $output | grep -q integration-enabled; then | |
| printf "'integration-enabled' key should exist if value is set by the user:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| output=$(helm template oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --set serviceAccountName=foo) | |
| if echo $output | grep -q 'kind: ServiceAccount'; then | |
| printf "default service account should not exist if user sets serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if echo $output | grep -q 'kind: Role'; then | |
| printf "default role should not exist if user sets serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if echo $output | grep -q 'kind: RoleBinding'; then | |
| printf "default rolebinding should not exist if user sets serviceAccountName:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| if ! echo $output | grep -q 'serviceAccountName: foo'; then | |
| printf "user-set serviceAccountName reference should exist:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| cat << EOF >> test-values.yaml | |
| extraEnv: | |
| - name: TEST_EXTRA_ENV | |
| value: test-extra-env | |
| EOF | |
| output=$(helm template oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --values test-values.yaml) | |
| if ! echo $output | grep -q 'TEST_EXTRA_ENV'; then | |
| printf "user-set extraEnv should exist:\n\n%s\n\n" "$output" | |
| exit 1 | |
| fi | |
| create-test-release: | |
| runs-on: ubuntu-22.04 | |
| needs: [ build-and-push-e2e ] | |
| outputs: | |
| license-id: ${{ steps.create-customer.outputs.license-id }} | |
| customer-id: ${{ steps.create-customer.outputs.customer-id }} | |
| channel-slug: ${{ steps.create-release.outputs.channel-slug }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Package test chart | |
| env: | |
| REPLICATED_CHART_NAME: replicated | |
| REPLICATED_REPOSITORY: oci://ttl.sh/automated-${{ github.run_id }} | |
| REPLICATED_CHART_VERSION: 0.0.0 | |
| run: | | |
| cd test-chart | |
| envsubst < Chart.yaml.tmpl > Chart.yaml | |
| helm dep update | |
| helm package . | |
| - name: Create release | |
| id: create-release | |
| uses: replicatedhq/replicated-actions/[email protected] | |
| with: | |
| app-slug: ${{ env.APP_SLUG }} | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| chart: test-chart/test-chart-0.1.0.tgz | |
| promote-channel: automated-${{ github.run_id }} | |
| version: 0.1.0 | |
| - name: Create customer | |
| id: create-customer | |
| uses: replicatedhq/replicated-actions/create-customer@main | |
| with: | |
| app-slug: ${{ env.APP_SLUG }} | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| customer-name: automated-${{ github.run_id }} | |
| customer-email: [email protected] | |
| license-type: dev | |
| channel-slug: ${{ steps.create-release.outputs.channel-slug }} | |
| entitlements: | | |
| - name: "num_seats" | |
| value: "10" | |
| is-kots-install-enabled: "false" | |
| validate-e2e: | |
| runs-on: ubuntu-22.04 | |
| needs: [ create-test-release ] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| cluster: [ | |
| {distribution: k3s, version: 1.26}, | |
| {distribution: eks, version: 1.27}, | |
| {distribution: gke, version: 1.27}, | |
| {distribution: kind, version: 1.27}, | |
| {distribution: openshift, version: 4.13.0-okd} | |
| ] | |
| env: | |
| LICENSE_ID: ${{ needs.create-test-release.outputs.license-id }} | |
| CHANNEL_SLUG: ${{ needs.create-test-release.outputs.channel-slug }} | |
| LICENSE_FIELDS: '[{"name":"expires_at","value": ""},{"name":"num_seats","value":"10"}]' | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Create cluster | |
| id: create-cluster | |
| uses: replicatedhq/replicated-actions/[email protected] | |
| with: | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| kubernetes-distribution: ${{ matrix.cluster.distribution }} | |
| kubernetes-version: ${{ matrix.cluster.version }} | |
| cluster-name: automated-${{ github.run_id }}-${{ matrix.cluster.distribution }}-${{ matrix.cluster.version }} | |
| ttl: 2h | |
| export-kubeconfig: true | |
| - name: Install via Helm as standalone in integration mode | |
| run: helm install replicated oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --set integration.licenseID=$LICENSE_ID --wait --timeout 2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'true' | |
| - name: Uninstall replicated via Helm | |
| run: helm uninstall replicated --wait --timeout 2m | |
| - name: Install via kubectl as standalone in integration mode | |
| run: | | |
| helm template replicated oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --set integration.licenseID=$LICENSE_ID | kubectl apply -f - | |
| kubectl rollout status deployment replicated --timeout=2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'true' | |
| deployed-via-kubectl: 'true' | |
| - name: Uninstall replicated via kubectl | |
| run: | | |
| helm template replicated oci://ttl.sh/automated-${{ github.run_id }}/replicated --version 0.0.0 --set integration.licenseID=$LICENSE_ID | kubectl delete -f - | |
| kubectl wait --for=delete deployment/replicated --timeout=2m | |
| - name: Login to registry | |
| run: helm registry login registry.replicated.com --username $LICENSE_ID --password $LICENSE_ID | |
| - name: Install via Helm as subchart in integration mode | |
| run: helm install test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --wait --timeout 2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'true' | |
| - name: Uninstall test-chart via Helm | |
| run: helm uninstall test-chart --wait --timeout 2m | |
| - name: Install via kubectl as subchart in integration mode | |
| run: | | |
| helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart | kubectl apply -f - | |
| kubectl rollout status deployment test-chart --timeout=2m | |
| kubectl rollout status deployment replicated --timeout=2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'true' | |
| deployed-via-kubectl: 'true' | |
| - name: Uninstall test-chart via kubectl | |
| run: | | |
| helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart | kubectl delete -f - | |
| kubectl wait --for=delete deployment/test-chart --timeout=2m | |
| kubectl wait --for=delete deployment/replicated --timeout=2m | |
| # we have to explicitly disable integration mode here because we're using a "dev" license | |
| - name: Install via Helm as subchart in production mode | |
| run: helm install test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false --wait --timeout 2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'false' | |
| - name: Upgrade via Helm as subchart in production mode to a new version | |
| run: | | |
| oldpodname=$(kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}') | |
| helm upgrade test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false --set replicated.versionLabel=1.0.0 --wait --timeout 2m | |
| COUNTER=1 | |
| while [ kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}' | grep -q $oldpodname ]; do | |
| ((COUNTER += 1)) | |
| if [ $COUNTER -gt 60 ]; then | |
| echo "Pod did not restart after upgrade" | |
| exit 1 | |
| fi | |
| sleep 1 | |
| done | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| version-label: '1.0.0' | |
| integration-enabled: 'false' | |
| - name: Uninstall test-chart via Helm | |
| run: helm uninstall test-chart --wait --timeout 2m | |
| # we have to explicitly disable integration mode here because we're using a "dev" license | |
| - name: Install via kubectl as subchart in production mode | |
| run: | | |
| helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false | kubectl apply -f - | |
| kubectl rollout status deployment test-chart --timeout=2m | |
| kubectl rollout status deployment replicated --timeout=2m | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'false' | |
| deployed-via-kubectl: 'true' | |
| - name: Upgrade via kubectl as subchart in production mode | |
| run: | | |
| oldpodname=$(kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}') | |
| helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false --set replicated.versionLabel=1.0.0 | kubectl apply -f - | |
| kubectl rollout status deployment test-chart --timeout=2m | |
| kubectl rollout status deployment replicated --timeout=2m | |
| COUNTER=1 | |
| while [ kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}' | grep -q $oldpodname ]; do | |
| ((COUNTER += 1)) | |
| if [ $COUNTER -gt 60 ]; then | |
| echo "Pod did not restart after upgrade" | |
| exit 1 | |
| fi | |
| sleep 1 | |
| done | |
| - name: Validate endpoints | |
| uses: ./.github/actions/validate-endpoints | |
| with: | |
| license-id: ${{ env.LICENSE_ID }} | |
| license-fields: ${{ env.LICENSE_FIELDS }} | |
| integration-enabled: 'false' | |
| version-label: '1.0.0' | |
| deployed-via-kubectl: 'true' | |
| - name: Uninstall test-chart via kubectl | |
| run: | | |
| helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false | kubectl delete -f - | |
| kubectl wait --for=delete deployment/test-chart --timeout=2m | |
| kubectl wait --for=delete deployment/replicated --timeout=2m | |
| - name: Remove Cluster | |
| uses: replicatedhq/replicated-actions/[email protected] | |
| if: ${{ success() || cancelled() }} | |
| with: | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| cluster-id: ${{ steps.create-cluster.outputs.cluster-id }} | |
| cleanup-test-release: | |
| runs-on: ubuntu-22.04 | |
| needs: [ create-test-release, validate-e2e ] | |
| steps: | |
| - name: Archive Customer | |
| if: ${{ needs.create-test-release.outputs.customer-id != '' }} | |
| uses: replicatedhq/replicated-actions/[email protected] | |
| with: | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| customer-id: ${{ needs.create-test-release.outputs.customer-id }} | |
| - name: Archive Channel | |
| if: ${{ needs.create-test-release.outputs.channel-slug != '' }} | |
| uses: replicatedhq/replicated-actions/[email protected] | |
| with: | |
| app-slug: ${{ env.APP_SLUG }} | |
| api-token: ${{ secrets.C11Y_MATRIX_TOKEN }} | |
| channel-slug: ${{ needs.create-test-release.outputs.channel-slug }} |