build(deps): bump oras-project/setup-oras from 1.2.4 to 2.0.0 #443
| # Copyright Broadcom, Inc. All Rights Reserved. | |
| # SPDX-License-Identifier: APACHE-2.0 | |
| name: '[CI/CD] Verify' | |
| on: # rebuild any PRs and main branch changes | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - labeled | |
| branches: | |
| - main | |
| - bitnami:main | |
| # Remove all permissions by default | |
| permissions: {} | |
| # Avoid concurrency over the same PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number }} | |
| jobs: | |
| get-chart: | |
| runs-on: ubuntu-latest | |
| name: Get modified charts | |
| permissions: | |
| pull-requests: read | |
| outputs: | |
| chart: ${{ steps.get-chart.outputs.chart }} | |
| result: ${{ steps.get-chart.outputs.result }} | |
| values-updated: ${{ steps.get-chart.outputs.values-updated }} | |
| steps: | |
| - id: get-chart | |
| uses: bitnami/charts/.github/actions/get-chart@main | |
| with: | |
| pr-url: "${{ github.event.pull_request.url }}" | |
| pr-number: "${{ github.event.pull_request.number }}" | |
| chart-tests: | |
| runs-on: ubuntu-latest | |
| needs: [get-chart] | |
| name: Look for hardcoded images | |
| if: needs.get-chart.outputs.result == 'ok' | |
| steps: | |
| - name: Checkout bitnami/charts | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| path: charts | |
| - id: check-hardcoded-images | |
| name: Look for hardcoded images | |
| env: | |
| CHART: ${{ needs.get-chart.outputs.chart }} | |
| run: | | |
| cd "${GITHUB_WORKSPACE}/charts" || exit 1 | |
| hardcoded_images=() | |
| while read -r image; do | |
| if [[ -n "$image" && $image != {{*}} ]]; then | |
| hardcoded_images+=("${image}") | |
| fi | |
| done <<< "$(grep --exclude "NOTES.txt" -REoh "\s*image:\s+[\"']*.+[\"']*\s*$" "bitnami/${CHART}/templates" | sed "s/image: [\"']*//" | sed "s/[\"']*$//")" | |
| echo "${hardcoded_images[@]}" | |
| if [[ ${#hardcoded_images[@]} -gt 0 ]] ; then | |
| echo "error=Found hardcoded images in the chart templates: ${hardcoded_images[*]}" | |
| exit 1 | |
| fi | |
| - id: check-image-warning-list | |
| name: Check image warning list | |
| env: | |
| CHART: ${{ needs.get-chart.outputs.chart }} | |
| run: | | |
| cd "${GITHUB_WORKSPACE}/charts" || exit 1 | |
| if [[ "$CHART" != "common" && "$CHART" != "fluentd" ]]; then | |
| readarray -t tag_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep -E '\.tag$' | sed 's/.tag$//g' | sort -u) | |
| readarray -t registry_paths < <(yq e '.. | (path | join("."))' "bitnami/${CHART}/values.yaml" | grep '\.registry$' | sed 's/.registry$//g' | sort -u) | |
| # We assume that image objects are those that contain both keys 'tag' and 'registry' | |
| images_paths=() | |
| for path in "${tag_paths[@]}"; do | |
| if echo "${registry_paths[@]}" | grep -w -q "$path"; then | |
| [[ -n "$path" ]] && images_paths+=("$path") | |
| fi | |
| done | |
| # Get the images defined in the image warning helper | |
| readarray -d ' ' -t images_list_tmp < <(grep -E 'common.warnings.modifiedImages' "bitnami/${CHART}/templates/NOTES.txt" | sed -E 's/.*\(list (.+)\) "context".*/\1/' | sed 's/.Values.//g') | |
| # Remove any empty element from the array | |
| images_list=() | |
| for i in "${images_list_tmp[@]}"; do | |
| if echo "$i" | grep -q -E "\S+"; then | |
| images_list+=("$i") | |
| fi | |
| done | |
| # Compare the image objects and the image warning list | |
| if [[ ${#images_list[@]} -eq ${#images_paths[@]} ]]; then | |
| for path in "${images_list[@]}"; do | |
| if ! echo "${images_paths[*]}" | grep -w -q "$path"; then | |
| echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'" | |
| exit 1 | |
| fi | |
| done | |
| else | |
| echo "Found inconsistencies in the images warning list: '${images_list[*]}' should be equal to '${images_paths[*]}'" | |
| exit 1 | |
| fi | |
| fi | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: [get-chart] | |
| name: Run linter and kubescape | |
| permissions: | |
| contents: read | |
| if: needs.get-chart.outputs.result == 'ok' | |
| steps: | |
| - name: Checkout bitnami/charts | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| ref: ${{github.event.pull_request.head.ref}} | |
| repository: ${{github.event.pull_request.head.repo.full_name}} | |
| path: charts-pr | |
| - name: Checkout bitnami/charts | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | |
| with: | |
| ref: ${{github.event.pull_request.base.ref}} | |
| repository: ${{github.event.pull_request.base.repo.full_name}} | |
| fetch-depth: 1 | |
| path: charts-main | |
| - name: Install helm | |
| run: | | |
| HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz" | |
| curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin | |
| - name: Install Kubescape | |
| run: | | |
| curl -s https://raw.githubusercontent.com/kubescape/kubescape/bd0be45c0b8f5d42e7459f85a345eaacd361e22e/install.sh | /bin/bash -s -- -v v3.0.41 | |
| - name: Run helm-dep-build | |
| env: | |
| CHART: ${{ needs.get-chart.outputs.chart }} | |
| run: | | |
| charts_paths=("charts-main" "charts-pr") | |
| for charts_path in "${charts_paths[@]}"; do | |
| if [ -d "${charts_path}/bitnami/${CHART}" ]; then | |
| helm dep build "${charts_path}/bitnami/${CHART}" | |
| if [ -d "${charts_path}/bitnami/${CHART}/charts" ]; then | |
| pushd ${charts_path}/bitnami/${CHART}/charts | |
| for filename in *.tgz; do | |
| tar -xf "$filename" | |
| rm -f "$filename" | |
| done | |
| popd | |
| fi | |
| fi | |
| done | |
| - name: Run helm-lint | |
| env: | |
| CHART: ${{ needs.get-chart.outputs.chart }} | |
| run: | | |
| helm lint "charts-pr/bitnami/${CHART}" | |
| - id: validate-scores | |
| name: Validate score | |
| # Skip step when user 'skip-score' label is used | |
| if: | | |
| !( | |
| contains(github.event.pull_request.labels.*.name, 'skip-score') || | |
| (github.event.action == 'labeled' && github.event.label.name == 'skip-score') | |
| ) | |
| env: | |
| CHART: ${{ needs.get-chart.outputs.chart }} | |
| run: | | |
| export PATH="$PATH:$HOME/.kubescape/bin" | |
| FRAMEWORKS="MITRE,NSA,SOC2,cis-v1.10.0" | |
| if [ -d "charts-main/bitnami/${CHART}" ]; then | |
| report_dir="$(mktemp -d)" | |
| charts_paths=("charts-pr" "charts-main") | |
| for chart_path in "${charts_paths[@]}"; do | |
| echo "Scanning ${chart_path}/bitnami/${CHART}" | |
| report_file="${report_dir}/${chart_path}.json" | |
| kubescape scan framework "${FRAMEWORKS}" "${chart_path}/bitnami/${CHART}" --format json -o "${report_file}" | |
| # Use only 2 decimals and save it wihout separator (for integer operations). | |
| printf "%s%.2s" $(echo "$(jq .summaryDetails.complianceScore ${report_file})" | tr '.' ' ') | sed 's/\.$//' > "${report_dir}/${chart_path}.score" | |
| done | |
| score="$(<"${report_dir}/charts-pr.score")" | |
| main_score="$(<"${report_dir}/charts-main.score")" | |
| # To show the scores we need to add the decimals: 1234 > 12.34 | |
| echo "Current score: ${score:0:${#score}-2}.${score: -2}, previous one: ${main_score:0:${#main_score}-2}.${main_score: -2}" | |
| if [[ $((score - main_score)) -lt 0 ]]; then | |
| echo "Kubescape score has worsened" | |
| exit 1 | |
| fi | |
| else | |
| echo "Chart not found at bitnami/${CHART}. It will be assumed that the upstream chart does not exist." | |
| fi |
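Review bot: The "Install helm" step fetches `helm-v3.8.1-linux-amd64.tar.gz` with `curl -SsLfO` and extracts it straight into `/usr/local/bin` via `sudo tar` with no integrity check, so whatever `get.helm.sh` serves at run time is trusted blindly, unlike the checkout and kubescape steps, which are pinned by commit SHA. Helm publishes a `.sha256sum` for each release tarball; embed that digest as a workflow constant and verify before extracting, e.g. `HELM_SHA256="<digest from the v3.8.1 release>"` followed by `echo "${HELM_SHA256}  ${HELM_TARBALL}" | sha256sum -c -` between the `curl` and the `tar`. Separately, the first checkout in the `verify` job uses `ref: ${{github.event.pull_request.head.ref}}` (a branch name) rather than `head.sha`, so a force-push landing between the trigger and the checkout changes what `helm lint` and `kubescape` actually scanned; `ref: ${{ github.event.pull_request.head.sha }}` pins the reviewed commit. Note also that the score comparison builds integers with `printf "%s%.2s"` on the raw jq output, so `95.5` becomes `955` while `95.25` becomes `9525` and `100` stays `100`, which makes the `$((score - main_score))` check compare values at different scales when the two reports differ in decimal places; normalising with something like `printf "%.2f"` and stripping the dot would keep both on the same scale. The `verify` job's last step ends at the final `fi`; whether the workflow file continues beyond this line is not visible here.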