diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000000..18110187b1
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,157 @@ +name: ci + +'on': + pull_request: {} + merge_group: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.merge_group.head_ref || github.ref }} + cancel-in-progress: true + +defaults: + run: + shell: bash + +permissions: + contents: read + +jobs: + changes: + name: categorize changes + runs-on: ubuntu-latest + outputs: + non-docs: ${{ steps.detect.outputs.non-docs }} + yaml: ${{ steps.detect.outputs.yaml }} + steps: + - name: Get base depth + id: base-depth + run: echo "base-depth=$(expr ${{ github.event.pull_request.commits }} + 1)" >> $GITHUB_OUTPUT + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: ${{ steps.base-depth.outputs.base-depth }} + persist-credentials: false + - name: detect + id: detect + run: | + git fetch origin ${GITHUB_BASE_REF} + CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | tr ' ' '\n') + + echo -e "Changed files:\n${CHANGED_FILES}" + + # If no files are changed at all, then `grep -v` will match even though no change outputs + # should be true. 
Skipping output on an empty set of changes eliminates the false positive + if [[ -n "${CHANGED_FILES}" ]]; then + NON_DOCS=$(echo "${CHANGED_FILES}" | grep -Eqv '\.md$' && echo 'true' || echo 'false') + YAML=$(echo "${CHANGED_FILES}" | grep -Eq '\.ya?ml$' && echo 'true' || echo 'false') + echo "non-docs=${NON_DOCS}" | tee -a $GITHUB_OUTPUT + echo "yaml=${YAML}" | tee -a $GITHUB_OUTPUT + fi + + build: + name: build + runs-on: ubuntu-latest + needs: [changes] + if: ${{ needs.changes.outputs.non-docs == 'true' }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version-file: "go.mod" + - name: build + run: | + go build -v ./... + linting: + name: lint + runs-on: ubuntu-latest + permissions: + contents: read + checks: write # Used by golangci-lint to annotate code in the PR + needs: [changes] + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version-file: "go.mod" + - name: gofmt + if: ${{ needs.changes.outputs.non-docs == 'true' }} + run: | + gofmt_out=$(gofmt -d $(find * -name '*.go' ! -path 'vendor/*' ! 
-path 'third_party/*')) + if [[ -n "$gofmt_out" ]]; then + failed=1 + fi + echo "$gofmt_out" + - name: golangci-lint + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 + if: ${{ needs.changes.outputs.non-docs == 'true' }} + with: + version: v2.7.2 + args: --new-from-merge-base=origin/${{ github.base_ref }} --timeout=10m + - name: yamllint + if: ${{ needs.changes.outputs.yaml == 'true' }} + run: | + apt-get update && apt-get install -y yamllint + make yamllint + - name: check-license + if: ${{ needs.changes.outputs.non-docs == 'true' }} + run: | + go install github.com/google/go-licenses@v1.0.0 + go-licenses check ./... + tests: + needs: [build] + name: test + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version-file: "go.mod" + - name: unit-test + run: | + make test-unit-verbose-and-race + e2e-tests: + needs: [build] + uses: ./.github/workflows/kind-e2e.yaml + + ci-summary: + name: CI summary + needs: [build, linting, tests, e2e-tests] + runs-on: ubuntu-latest + if: always() + steps: + - name: Check CI results + run: | + results=( + "build=${NEEDS_BUILD_RESULT}" + "linting=${NEEDS_LINTING_RESULT}" + "tests=${NEEDS_TESTS_RESULT}" + "e2e-tests=${NEEDS_E2E_TESTS_RESULT}" + ) + failed=0 + for r in "${results[@]}"; do + name="${r%%=*}" + result="${r#*=}" + echo "${name}: ${result}" + if [ "$result" != "success" ] && [ "$result" != "skipped" ]; then + failed=1 + fi + done + if [ "$failed" -eq 1 ]; then + echo "" + echo "Some CI jobs failed or were cancelled" + exit 1 + fi + echo "" + echo "All CI checks passed" + env: + NEEDS_BUILD_RESULT: ${{ needs.build.result }} + NEEDS_LINTING_RESULT: ${{ needs.linting.result }} + NEEDS_TESTS_RESULT: ${{ needs.tests.result }} + NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }} 
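Review bot: The gofmt step in the linting job sets `failed=1` when `gofmt -d` prints a diff but never acts on it, so unformatted Go files never fail the job; end the step with `exit "${failed:-0}"` (or simply `test -z "$gofmt_out"`). The yamllint step runs `apt-get update && apt-get install -y yamllint` without `sudo`; GitHub-hosted ubuntu runners execute jobs as a non-root user, so I'd expect this to fail on the apt lock — `sudo apt-get update && sudo apt-get install -y yamllint`. The changes job reads `github.event.pull_request.commits`, `.head.sha` and `.base.sha` directly, yet the workflow also triggers on `merge_group`, where that object is presumably absent, leaving `expr  + 1` with a missing operand and an empty checkout `ref`; either guard the job with `if: github.event_name == 'pull_request'` or derive the range from `GITHUB_BASE_REF`/`GITHUB_SHA` for merge-queue runs. Passing those values through `env:` rather than interpolating `${{ }}` into `run:` would also match the pattern the ci-summary job already uses.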
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c3405599e1..83cbab162f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,11 +40,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -58,7 +58,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -71,6 +71,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@a8d1ac45b9a34d11fe398d5503176af0d06b303e # v3.30.7 with: - category: "/language:${{matrix.language}}" + category: "/language:${{matrix.language}}" \ No newline at end of file diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index f3a68917a2..db65065f21 100644 --- a/.github/workflows/kind-e2e.yaml +++ b/.github/workflows/kind-e2e.yaml 
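Review bot: The checkout step pinned here (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`) still leaves the default `persist-credentials`, whereas every checkout added in ci.yaml and reusable-e2e.yaml in this same change sets `persist-credentials: false`; add `with:` / `persist-credentials: false` here too so the token is not left in `.git/config` for the CodeQL steps. The pin is also a different major (v5.0.0) from the v6.0.2 used in the other workflows, which is worth aligning so a single dependency update covers all of them. Dropping the trailing newline on the last `category:` line is a gratuitous change that the new `.yamllint` then has to tolerate; keep the newline.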
@@ -1,42 +1,49 @@ name: Chains kind E2E Tests -on: - pull_request: - branches: - - main - - release-* +'on': + workflow_call: {} + # on: + # pull_request: + # branches: + # - main + # - release-* defaults: run: shell: bash - working-directory: ./ jobs: k8s: + permissions: + contents: read + concurrency: + group: ${{ github.workflow }}-${{ matrix.k8s-version }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true strategy: fail-fast: false # Keep running if one leg fails. matrix: # Keep in sync with the list of supported releases: https://kubernetes.io/releases/ - # TODO: add 1.31.x once it is added in https://github.com/sigstore/scaffolding/releases + # Add latest k8s-version once it is added in https://github.com/sigstore/scaffolding/releases k8s-version: - - v1.28.x - - v1.29.x - - v1.30.x + - v1.31.x + - v1.32.x + - v1.33.x uses: ./.github/workflows/reusable-e2e.yaml with: k8s-version: ${{ matrix.k8s-version }} - pipelines-release: v0.50.1 + pipelines-release: v1.2.0 # Latest version pipelines-lts: strategy: fail-fast: false # Keep running if one leg fails. matrix: pipelines-release: - # This should follow the list of versions from https://github.com/tektoncd/pipeline/blob/main/releases.md#release - - v0.53.5 # LTS - - v0.56.3 # LTS - - v0.59.2 # LTS - - v0.62.0 + # This should follow the list of versions from + # https://github.com/tektoncd/pipeline/blob/main/releases.md#release + - v0.62.9 # LTS + - v0.65.7 # LTS + - v0.68.1 # LTS + - v1.0.0 # LTS uses: ./.github/workflows/reusable-e2e.yaml with: - k8s-version: v1.28.x + k8s-version: v1.30.x # intersection of the latest version and scaffolding pipelines-release: ${{ matrix.pipelines-release }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml deleted file mode 100644 index 2a4d9f7621..0000000000 --- a/.github/workflows/lint.yaml +++ /dev/null 
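Review bot: The commented-out `# on: pull_request: branches: …` block left under `'on':` is dead configuration now that the workflow is only reachable via `workflow_call: {}` from ci.yaml; I'd drop it rather than keep a stale trigger in comments. The `concurrency` group added to the `k8s` job has no counterpart on `pipelines-lts`, so two pushes to one PR still run the LTS matrix legs concurrently; if that is intended, a short comment saying so would help, otherwise mirror the block with `matrix.pipelines-release` in the group key. The comment on `k8s-version: v1.30.x` says "intersection of the latest version and scaffolding", but 1.30 is no longer in the `k8s` matrix (1.31–1.33), so the comment should name the constraint that actually fixes the LTS legs at 1.30.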
@@ -1,53 +0,0 @@ -name: lint -on: - # only check PRs for new issues until preexisting issues are cleaned - # push: - # branches: - # - main - pull_request: - branches: - - main - - release-* -permissions: - contents: read - # Optional: allow read access to pull request. Use with `only-new-issues` option. - pull-requests: read -jobs: - golangci: - # Because this repository uses vendored dependencies, and grouping for dependabot updates, the - # PRs created by dependabot are huge. This causes issues for the linter: - # https://github.com/golangci/golangci-lint-action/issues/996 - # The chances of dependabot creating new linting issues are minimal. - if: github.actor != 'dependabot[bot]' - name: lint - runs-on: ubuntu-latest - steps: - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: "1.22" - - - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7 - - - name: golangci-lint - uses: golangci/golangci-lint-action@v6.2.0 - with: - # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: latest - - # Optional: working directory, useful for monorepos - # working-directory: somedir - - # Optional: golangci-lint command line arguments. - - # Optional: show only new issues if it's a pull request. The default value is `false`. - only-new-issues: true - - # Optional: if set to true then the all caching functionality will be complete disabled, - # takes precedence over all other caching options. - # skip-cache: true - - # Optional: if set to true then the action don't cache or restore ~/go/pkg. - # skip-pkg-cache: true - - # Optional: if set to true then the action don't cache or restore ~/.cache/go-build. - # skip-build-cache: true diff --git a/.github/workflows/reusable-e2e.yaml b/.github/workflows/reusable-e2e.yaml index e63ffc79bd..d599bc73af 100644 --- a/.github/workflows/reusable-e2e.yaml +++ b/.github/workflows/reusable-e2e.yaml 
@@ -1,7 +1,6 @@ - name: Reusable workflow example -on: +'on': workflow_call: inputs: pipelines-release: 
@@ -23,39 +22,31 @@ jobs: env: GOPATH: ${{ github.workspace }} - GO111MODULE: on + GO111MODULE: 'on' GOFLAGS: -ldflags=-s -ldflags=-w KO_DOCKER_REPO: registry.local:5000/knative KOCACHE: ~/ko - SIGSTORE_SCAFFOLDING_RELEASE_VERSION: "v0.7.12" - TEKTON_PIPELINES_RELEASE: "https://storage.googleapis.com/tekton-releases/pipeline/previous/${{ inputs.pipelines-release }}/release.yaml" + SIGSTORE_SCAFFOLDING_RELEASE_VERSION: "v0.7.24" + TEKTON_PIPELINES_RELEASE: "https://infra.tekton.dev/tekton-releases/pipeline/previous/${{ inputs.pipelines-release }}/release.yaml" # Note that we do not include the v prefix here so we can use it in all # the places this is used. - TEKTON_CLI_RELEASE: "0.30.0" + SKIP_INITIALIZE: true steps: - - name: Set up Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - name: Check out our repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - go-version: 1.22.x + persist-credentials: false - - uses: ko-build/setup-ko@v0.9 + - name: Set up Go + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: - version: tip + go-version-file: "go.mod" - - name: Install tkn cli - run: | - curl -Lo ./tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz https://github.com/tektoncd/cli/releases/download/v${{ env.TEKTON_CLI_RELEASE }}/tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz - tar xvzf ./tkn_${{ env.TEKTON_CLI_RELEASE }}_Linux_x86_64.tar.gz tkn - chmod u+x ./tkn - - - name: Check out our repo - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7 - with: - path: ./src/github.com/tektoncd/chains + - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9 - name: Install mirror, kind, knative + sigstore - uses: sigstore/scaffolding/actions/setup@main + uses: sigstore/scaffolding/actions/setup@8bd68672d418e5bd1b0ee1f2e2981874c3a30967 # v0.7.33 with: k8s-version: ${{ inputs.k8s-version }} version: ${{ 
env.SIGSTORE_SCAFFOLDING_RELEASE_VERSION }} @@ -63,7 +54,7 @@ jobs: - name: Install Tekton pipelines run: | - while ! kubectl apply --filename ${{ env.TEKTON_PIPELINES_RELEASE }} + while ! kubectl apply --filename ${TEKTON_PIPELINES_RELEASE} do echo "waiting for tekton pipelines to get installed" sleep 2 @@ -72,12 +63,13 @@ jobs: # Restart so picks up the changes. kubectl -n tekton-pipelines delete po -l app=tekton-pipelines-controller - - name: Install all the everythings - working-directory: ./src/github.com/tektoncd/chains - timeout-minutes: 10 + - name: Run integration tests run: | - ko apply -BRf ./config/ + ./test/presubmit-tests.sh --integration-tests + + - name: Run tutorial taskrun + run: | kubectl patch configmap/chains-config \ --namespace tekton-chains \ --type merge \ @@ -86,12 +78,13 @@ jobs: # Restart chains controller so picks up the changes. kubectl -n tekton-chains delete po -l app=tekton-chains-controller - # TODO(vaikas): Better way to find when the chains has picked up - # the changes - sleep 10 + # Wait for chains controller to be ready again + echo "Waiting for chains controller to be ready" + kubectl wait --for=condition=ready --timeout=2m -n tekton-chains pod -l app=tekton-chains-controller + + # Give chains a moment to reload the configuration + sleep 5 - - name: Run tutorial taskrun - run: | kubectl create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml # Sleep so the taskrun shows up. @@ -103,7 +96,7 @@ jobs: echo "Waiting for Chains to do it's thing" for i in {1..10} do - ./tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/transparency}" > tektonentry + tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/transparency}" > tektonentry if [ -s ./tektonentry ]; then if grep --quiet rekor.rekor-system.svc ./tektonentry ; then 
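Review bot: The `sigstore/scaffolding/actions/setup` step is pinned to the commit tagged `v0.7.33`, while `SIGSTORE_SCAFFOLDING_RELEASE_VERSION` is set to `"v0.7.24"` and passed to that same action as `version:`; if the mismatch is deliberate (action code newer than the release it installs), a comment next to the env var should say so, otherwise align the two. `SKIP_INITIALIZE: true` is a YAML boolean in `env:`; Actions will stringify it and e2e-tests.sh compares against the string `"true"`, but quoting it (`SKIP_INITIALIZE: "true"`) makes that explicit, consistent with the `GO111MODULE: 'on'` fix two lines above. The `# Note that we do not include the v prefix here …` comment now sits directly above `SKIP_INITIALIZE` after `TEKTON_CLI_RELEASE` was removed and should go with it. The job's `env:` mapping starts above this hunk.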
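Review bot: `kubectl wait --for=condition=ready … pod -l app=tekton-chains-controller` issued right after `kubectl -n tekton-chains delete po -l app=tekton-chains-controller` races the deletion: it can be satisfied by the old pod while it is still terminating, or fail with "no matching resources" if the old pod is gone before the replacement is scheduled, so the trailing `sleep 5` is doing the real work. Waiting on the rollout instead, `kubectl -n tekton-chains rollout status deployment -l app=tekton-chains-controller --timeout=2m`, blocks until the new pod is ready (assuming the controller is a Deployment, which this file does not show). The `# Give chains a moment to reload the configuration` sleep can then be dropped or its reason stated in the comment. The run block continues past the end of this hunk.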
@@ -122,11 +115,14 @@ jobs: done # Did not find entry, fail + echo "Failed to find rekor transparency entry after 10 attempts" + kubectl get taskruns -oyaml + kubectl logs -n tekton-chains -l app=tekton-chains-controller --tail=100 exit 1 - name: Collect diagnostics if: ${{ failure() }} - uses: chainguard-dev/actions/kind-diag@9c0be1ee0103db886d1887d114ec97f8766b7ef8 # main + uses: chainguard-dev/actions/kind-diag@de68b87302e6266db5fb5220246f8aa46fe94b67 # v1.6.14 with: cluster-resources: nodes - namespace-resources: pods,taskruns,jobs + namespace-resources: pods,taskruns,jobs \ No newline at end of file diff --git a/.github/workflows/test-on-crc.yaml b/.github/workflows/test-on-crc.yaml index 551e7e1218..33c2ded87c 100644 --- a/.github/workflows/test-on-crc.yaml +++ b/.github/workflows/test-on-crc.yaml @@ -50,7 +50,7 @@ jobs: - name: Set the crc config env: - PULL_SECRET_CONTENT: ${{ secrets.CRC_TOKEN }} + PULL_SECRET_CONTENT: ${{ secrets.CRC_TOKEN }} run: | crc config set preset microshift echo "$PULL_SECRET_CONTENT" > pull-secret diff --git a/.golangci.yaml b/.golangci.yaml index e2ed142b7a..a8f05991e5 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,6 +1,11 @@ -# Documentation: https://golangci-lint.run/usage/configuration/ +version: "2" +run: + build-tags: + - e2e + modules-download-mode: vendor + issues-exit-code: 1 linters: - disable-all: true + default: none enable: - bodyclose - containedctx @@ -16,11 +21,8 @@ linters: - exhaustive - goconst - gocritic - - gofmt - - goimports - gomodguard - gosec - - gosimple - govet - ireturn - maintidx 
@@ -36,40 +38,45 @@ linters: - revive - staticcheck - thelper - - typecheck - unconvert - unparam - unused - usestdlibvars - whitespace -linters-settings: - depguard: + settings: + depguard: + rules: + main: + list-mode: lax + allow: + - $gostd + exclusions: + generated: lax + presets: + - common-false-positives + - legacy + - std-error-handling rules: - main: - list-mode: lax - allow: - - $gostd -output: - uniq-by-line: false + - linters: + - errcheck + - gosec + path: _test\.go + paths: + - third_party$ + - builtin$ + - examples$ issues: - # Only flag new issues - new: true - exclude-rules: - - path: _test\.go - linters: - - errcheck - - gosec max-issues-per-linter: 0 max-same-issues: 0 - include: - # Enable off-by-default rules for revive requiring that all exported elements have a properly formatted comment. - - EXC0012 # https://golangci-lint.run/usage/false-positives/#exc0012 - - EXC0014 # https://golangci-lint.run/usage/false-positives/#exc0014 -run: - issues-exit-code: 1 - build-tags: - - e2e - # skip-dirs: - # - vendor - timeout: 20m - modules-download-mode: vendor + new: true + uniq-by-line: false +formatters: + enable: + - gofmt + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ \ No newline at end of file diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000000..67ae3337b7 --- /dev/null +++ b/.yamllint 
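Review bot: `new: true` under `issues:` keeps the old behaviour of reporting only findings in uncommitted or HEAD changes, but the `# Only flag new issues` comment explaining it was dropped in the v2 migration; since CI additionally passes `--new-from-merge-base`, a local `make golangci-lint` silently hides pre-existing findings, so restore the comment (`# Only flag new issues; CI narrows further with --new-from-merge-base`). The `paths:` exclusion list (`third_party$`, `builtin$`, `examples$`) is duplicated verbatim under `linters.exclusions` and `formatters.exclusions`; a YAML anchor on the first list or a comment noting they must be kept in sync would prevent drift. The `depguard` rule in `lax` list-mode with only `$gostd` allowed blocks nothing on its own; if that is the intent, say so in a comment, otherwise switch to `strict`.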
@@ -0,0 +1,36 @@
+ignore: |
+ /vendor
+ test/**/*-chart/**
+
+rules:
+ braces: enable
+ brackets: enable
+ colons: enable
+ commas: enable
+ comments:
+ level: warning
+ comments-indentation:
+ level: warning
+ document-end: disable
+ document-start: disable
+ empty-lines: enable
+ empty-values: enable
+ hyphens: enable
+ key-duplicates: enable
+ key-ordering: disable
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines: enable
+ octal-values: enable
+ quoted-strings: disable
+ trailing-spaces: enable
+ truthy:
+ level: warning
+
+ # accept both key:
+ # - item
+ #
+ # and key:
+ # - item
+ indentation:
+ indent-sequences: whatever
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000000..401e9bd7e6
--- /dev/null
+++ b/Makefile
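Review bot: `new-line-at-end-of-file: disable` is set while this same change strips the final newline from codeql.yml, reusable-e2e.yaml and .golangci.yaml (the `\ No newline at end of file` markers); enabling the rule and restoring those newlines is the better direction than disabling the check. `truthy` is only a warning, which is fine given the workflows now quote `'on'`, but a comment stating that rationale (`# workflows quote 'on', so only warn on the remaining yes/no values`) would save the next reader a guess. The `ignore:` block skips `/vendor`, and the Makefile's `find` also prunes `./vendor`; one of the two is redundant, and a comment here should say which one is authoritative.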
@@ -0,0 +1,132 @@ +MODULE = $(shell env GO111MODULE=on $(GO) list -m) +DATE ?= $(shell date +%FT%T%z) +VERSION ?= $(shell git describe --tags --always --dirty --match=v* 2> /dev/null || \ + cat $(CURDIR)/.version 2> /dev/null || echo v0) +PKGS = $(or $(PKG),$(shell env GO111MODULE=on $(GO) list ./... )) +TESTPKGS = $(shell env GO111MODULE=on $(GO) list -f \ + '{{ if or .TestGoFiles .XTestGoFiles }}{{ .ImportPath }}{{ end }}' \ + $(PKGS)) +BIN = $(CURDIR)/.bin + +GOLANGCI_VERSION := $(shell yq '.jobs.linting.steps[] | select(.name == "golangci-lint") | .with.version' .github/workflows/ci.yaml) + +GO = go +TIMEOUT_UNIT = 5m +TIMEOUT_E2E = 20m +V = 0 +Q = $(if $(filter 1,$V),,@) +M = $(shell printf "\033[34;1m🐱\033[0m") + +export GO111MODULE=on + +COMMANDS=$(patsubst cmd/%,%,$(wildcard cmd/*)) +BINARIES=$(addprefix bin/,$(COMMANDS)) + +.PHONY: all +all: fmt $(BINARIES) | $(BIN) ; $(info $(M) building executable…) @ ## Build program binary + +$(BIN): + @mkdir -p $@ + +$(BIN)/%: | $(BIN) ; $(info $(M) building $(PACKAGE)…) + $Q tmp=$$(mktemp -d); \ + env GO111MODULE=off GOPATH=$$tmp GOBIN=$(BIN) $(GO) get $(PACKAGE) \ + || ret=$$?; \ + rm -rf $$tmp ; exit $$ret + +FORCE: + +bin/%: cmd/% FORCE + $Q $(GO) build -mod=vendor $(LDFLAGS) -v -o $@ ./$< + +KO = $(or ${KO_BIN},${KO_BIN},$(BIN)/ko) +$(BIN)/ko: PACKAGE=github.com/google/ko + +.PHONY: apply +apply: | $(KO) ; $(info $(M) ko apply -R -f config/) @ ## Apply config to the current cluster + $Q $(KO) apply -R -f config + +.PHONY: resolve +resolve: | $(KO) ; $(info $(M) ko resolve -R -f config/) @ ## Resolve config to the current cluster + $Q $(KO) resolve --push=false --oci-layout-path=$(BIN)/oci -R -f config + +.PHONY: generated +generated: | vendor ; $(info $(M) update generated files) ## Update generated files + $Q ./hack/update-codegen.sh + +.PHONY: vendor +vendor: + $Q ./hack/update-deps.sh + +## Tests + +TEST_UNIT_TARGETS := test-unit-verbose test-unit-race test-unit-verbose-and-race +test-unit-verbose: ARGS=-v 
+test-unit-race: ARGS=-race +test-unit-verbose-and-race: ARGS=-v -race +$(TEST_UNIT_TARGETS): test-unit +.PHONY: $(TEST_UNIT_TARGETS) test-unit +test-unit: ## Run unit tests + $(GO) test -timeout $(TIMEOUT_UNIT) $(ARGS) ./... + +TEST_E2E_TARGETS := test-e2e-short test-e2e-verbose test-e2e-race +test-e2e-short: ARGS=-short +test-e2e-verbose: ARGS=-v +test-e2e-race: ARGS=-race +$(TEST_E2E_TARGETS): test-e2e +.PHONY: $(TEST_E2E_TARGETS) test-e2e +test-e2e: ## Run end-to-end tests + $(GO) test -timeout $(TIMEOUT_E2E) -tags e2e $(ARGS) ./test/... + +.PHONY: test-yamls +test-yamls: ## Run yaml tests + ./test/e2e-tests-yaml.sh --run-tests + +.PHONY: check tests +check tests: test-unit test-e2e test-yamls + +## Linters + +GOLANGCILINT = $(BIN)/golangci-lint-$(GOLANGCI_VERSION) +$(GOLANGCILINT): ; $(info $(M) getting golangci-lint $(GOLANGCI_VERSION)) + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(BIN) $(GOLANGCI_VERSION) + mv $(BIN)/golangci-lint $(BIN)/golangci-lint-$(GOLANGCI_VERSION) + +.PHONY: golangci-lint +golangci-lint: | $(GOLANGCILINT) ; $(info $(M) running golangci-lint…) @ ## Run golangci-lint + $Q $(GOLANGCILINT) config verify + $Q $(GOLANGCILINT) run --modules-download-mode=vendor --max-issues-per-linter=0 --max-same-issues=0 --timeout 5m + +GOIMPORTS = $(BIN)/goimports +$(BIN)/goimports: | $(BIN) ; $(info $(M) building goimports…) + GOBIN=$(BIN) go install golang.org/x/tools/cmd/goimports@latest + +.PHONY: goimports +goimports: | $(GOIMPORTS) ; $(info $(M) running goimports…) ## Run goimports + $Q $(GOIMPORTS) -l -e -w pkg cmd test + +.PHONY: fmt +fmt: ; $(info $(M) running gofmt…) @ ## Run gofmt on all source files + $Q $(GO) fmt $(PKGS) + +.PHONY: yamllint +YAMLLINT := $(shell find . 
-path ./vendor -prune -o -type f -regex ".*y[a]ml" -print) +yamllint: | $(BIN) ; $(info $(M) running yamllint…) ## Run yamllint + yamllint -c .yamllint $(YAMLLINT) + +# Misc + +.PHONY: clean +clean: ; $(info $(M) cleaning…) @ ## Cleanup everything + @rm -rf $(BIN) + @rm -rf bin + @rm -rf test/tests.* test/coverage.* + +.PHONY: help +help: + @grep -hE '^[ a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \ + awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-17s\033[0m %s\n", $$1, $$2}' + +.PHONY: version +version: + @echo $(VERSION) diff --git a/cmd/controller/kodata/HEAD b/cmd/controller/kodata/HEAD deleted file mode 120000 index 8f63681d36..0000000000 --- a/cmd/controller/kodata/HEAD +++ /dev/null @@ -1 +0,0 @@ -../../../.git/HEAD \ No newline at end of file diff --git a/cmd/controller/kodata/refs b/cmd/controller/kodata/refs deleted file mode 120000 index 739d35bf96..0000000000 --- a/cmd/controller/kodata/refs +++ /dev/null @@ -1 +0,0 @@ -../../../.git/refs \ No newline at end of file diff --git a/docs/vendor/gcp/slsa-2/pipeline.yaml b/docs/vendor/gcp/slsa-2/pipeline.yaml index ae31cd7689..3b2d99f3c6 100644 --- a/docs/vendor/gcp/slsa-2/pipeline.yaml +++ b/docs/vendor/gcp/slsa-2/pipeline.yaml @@ -17,7 +17,7 @@ kind: Pipeline metadata: name: slsa-demo-pipeline spec: - description: | + description: | This pipeline clones a git repo, builds a Docker image with Kaniko and pushes it to a registry params: diff --git a/examples/chains-deployment-keyless.yaml b/examples/chains-deployment-keyless.yaml index 00f10624d0..eb3520c4cf 100644 --- a/examples/chains-deployment-keyless.yaml +++ b/examples/chains-deployment-keyless.yaml 
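Review bot: The `yamllint` target's `find … -regex ".*y[a]ml"` only matches names ending in `yaml` (the bracket expression `[a]` is a one-character class, not an optional `a`), so `*.yml` files such as `.github/workflows/codeql.yml` are never linted by `make yamllint`; use `-regex ".*\.ya?ml"`. `$(GOLANGCILINT)` installs by piping `https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh` into `sh`, an unpinned script from a moving branch even though the binary version is pinned through `GOLANGCI_VERSION`; `go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_VERSION)` (or the script fetched at the same tag) keeps the whole path reproducible. `GOLANGCI_VERSION := $(shell yq …)` is expanded on every make invocation, so any target, including `make yamllint` in CI, prints a `yq: not found` error and silently leaves the version empty when yq is absent; use a deferred `=` assignment or guard it with `command -v yq`.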
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# With AWS STS, for automatic id token injection into pod at /var/run/secrets/eks.amazonaws.com/serviceaccount/token +# With AWS STS, for automatic id token injection into pod at /var/run/secrets/eks.amazonaws.com/serviceaccount/token # need to patch the tekton-chains-controller serviceaccount with the following # annotations: # eks.amazonaws.com/audience: sigstore @@ -56,10 +56,10 @@ data: transparency.enabled: "true" transparency.url: https://rekor.apps.example.com signers.x509.fulcio.enabled: "true" - signers.x509.fulcio.address: https://fulcio.apps.example.com - signers.x509.tuf.mirror.url: https://tuf.apps.example.com + signers.x509.fulcio.address: https://fulcio.apps.example.com + signers.x509.tuf.mirror.url: https://tuf.apps.example.com signers.x509.fulcio.issuer: https://your-oidc.aws.gcp/xxxxxxxxx - signers.x509.identity.token.file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token + signers.x509.identity.token.file: /var/run/secrets/eks.amazonaws.com/serviceaccount/token # The data can be tweaked at install time, it is commented out # because these are the default settings. # data: diff --git a/examples/releases/v0.3.0-build-chains-taskrun.yaml b/examples/releases/v0.3.0-build-chains-taskrun.yaml index db9b95bc9a..63315e6cf7 100644 --- a/examples/releases/v0.3.0-build-chains-taskrun.yaml +++ b/examples/releases/v0.3.0-build-chains-taskrun.yaml @@ -56,7 +56,7 @@ spec: git clone $(params.url) $(workspaces.sources) cd $(workspaces.sources) git checkout $(params.revision) - + # For each cmd/* directory, include a full gzipped tar of all source in # vendor/. This is overkill. Some deps' licenses require the source to be # included in the container image when they're used as a dependency. 
diff --git a/examples/v2alpha4/pipeline-with-object-type-hinting.yaml b/examples/v2alpha4/pipeline-with-object-type-hinting.yaml index 1f925bd132..1ace34b63c 100644 --- a/examples/v2alpha4/pipeline-with-object-type-hinting.yaml +++ b/examples/v2alpha4/pipeline-with-object-type-hinting.yaml @@ -19,7 +19,7 @@ spec: uri: {} digest: {} isBuildArtifact: {} - + - name: output2 type: object properties: diff --git a/examples/v2alpha4/pipeline-with-repeated-results.yaml b/examples/v2alpha4/pipeline-with-repeated-results.yaml index e259c1d9e7..8a064788b8 100644 --- a/examples/v2alpha4/pipeline-with-repeated-results.yaml +++ b/examples/v2alpha4/pipeline-with-repeated-results.yaml @@ -21,7 +21,7 @@ spec: uri: {} digest: {} isBuildArtifact: {} - + - name: output2 type: object properties: diff --git a/examples/v2alpha4/task-with-object-type-hinting.yaml b/examples/v2alpha4/task-with-object-type-hinting.yaml index 61b1fdfc9f..ffc053d611 100644 --- a/examples/v2alpha4/task-with-object-type-hinting.yaml +++ b/examples/v2alpha4/task-with-object-type-hinting.yaml @@ -11,7 +11,7 @@ spec: properties: uri: {} digest: {} - + - name: second-ARTIFACT_OUTPUTS description: The second artifact built type: object @@ -19,7 +19,7 @@ spec: uri: {} digest: {} isBuildArtifact: {} - + - name: third-IMAGE_URL type: string - name: third-IMAGE_DIGEST diff --git a/test/e2e-common.sh b/test/e2e-common.sh index c2287ca397..5eff0cb4fd 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh 
@@ -31,11 +31,11 @@ source $(dirname $0)/../vendor/github.com/tektoncd/plumbing/scripts/e2e-tests.sh function install_tkn() { echo ">> Installing tkn" - TKN_VERSION=0.20.0 - # Get the tar.xz - curl -LO https://github.com/tektoncd/cli/releases/download/v$TKN_VERSION/tkn_$TKN_VERSION_Linux_x86_64.tar.gz + TKN_VERSION=0.41.0 + # Get the tar.xz into /tmp to avoid dirtying the git working directory + curl -L -o /tmp/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz https://github.com/tektoncd/cli/releases/download/v${TKN_VERSION}/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz # Extract tkn to your PATH (e.g. /usr/local/bin) - tar xvzf tkn_$TKN_VERSION_Linux_x86_64.tar.gz -C /usr/local/bin/ tkn + tar xvzf /tmp/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz -C /usr/local/bin/ tkn } function install_pipeline_crd() { diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh index b1219489dc..366bd7c611 100755 --- a/test/e2e-tests.sh +++ b/test/e2e-tests.sh @@ -17,23 +17,24 @@ # This script calls out to scripts in tektoncd/plumbing to setup a cluster # and deploy Tekton Pipelines to it for running integration tests. +SKIP_INITIALIZE=${SKIP_INITIALIZE:="false"} +export GCE_METADATA_HOST=${GCE_METADATA_HOST:="localhost"} + export namespace="${NAMESPACE:-tekton-chains}" echo "Using namespace: $namespace" source $(git rev-parse --show-toplevel)/test/e2e-common.sh # Script entry point. - -initialize $@ +if [ "${SKIP_INITIALIZE}" != "true" ]; then + initialize $@ +fi header "Setting up environment" # Test against nightly instead of latest. install_tkn -export RELEASE_YAML="https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.62.0/release.yaml" -install_pipeline_crd - install_chains install_spire @@ -44,6 +45,8 @@ chains_patch_spire failed=0 +go install github.com/jstemmer/go-junit-report/v2@latest + # Run the integration tests header "Running Go e2e tests" go_test_e2e -timeout=35m ./test/... || failed=1 
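Review bot: The new comment `# Get the tar.xz into /tmp to avoid dirtying the git working directory` still says tar.xz while the file fetched and extracted is `tkn_${TKN_VERSION}_Linux_x86_64.tar.gz`; change it to `# Download the tar.gz into /tmp to avoid dirtying the git working directory`. The archive is installed into `/usr/local/bin` without any checksum verification; if the tektoncd/cli release publishes a checksums file for that version, downloading it alongside and running `sha256sum -c` before `tar xvzf` closes the gap in two lines. `curl -L` without `-f` also turns an HTTP error page into a tiny "archive" that only fails later in tar; `curl -fL` fails at the download instead.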
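Review bot: `go install github.com/jstemmer/go-junit-report/v2@latest` pulls an unpinned module version into every e2e run, unlike every other dependency touched by this change, which is pinned to a tag or SHA; pin it (`…/v2@vX.Y.Z`, version placeholder) or vendor it with the rest of the build. `export GCE_METADATA_HOST=${GCE_METADATA_HOST:="localhost"}` is introduced without a comment; presumably it stops Google client libraries from probing the metadata server on non-GCE clusters, but the script should state the actual reason in a one-line comment above it. Now that `initialize $@` sits inside an `if`, it is a good moment to quote it as `initialize "$@"`. The `SKIP_INITIALIZE` default is consumed by the `env:` block in reusable-e2e.yaml, which is worth naming in the comment so the two stay in sync.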
diff --git a/test/testdata/spire.yaml b/test/testdata/spire.yaml index 4eac7329a4..c088957520 100644 --- a/test/testdata/spire.yaml +++ b/test/testdata/spire.yaml @@ -109,8 +109,8 @@ metadata: app.kubernetes.io/instance: spire data: oidc-discovery-provider.conf: | + allow_insecure_scheme = true log_level = "INFO" - allow_insecure_scheme = "true" domains = [ "spire-oidc.spire" ] insecure_addr = ":8082" # listen_socket_path = "/tmp/spire-server/private/oidc.sock" @@ -140,7 +140,6 @@ data: # ca_key_type = "rsa-2048" jwt_issuer = "spire-oidc.spire" - default_svid_ttl = "1h" ca_subject = { country = ["US"], organization = ["SPIFFE"], @@ -200,7 +199,7 @@ metadata: app.kubernetes.io/instance: spire rules: - apiGroups: [""] - resources: ["pods","nodes","nodes/proxy"] + resources: ["pods", "nodes", "nodes/proxy"] verbs: ["get"] --- @@ -269,7 +268,7 @@ metadata: namespace: spire name: spire-server-role rules: - # allow "get" access to pods (to resolve selectors for PSAT attestation) +# allow "get" access to pods (to resolve selectors for PSAT attestation) - apiGroups: [""] resources: ["pods"] verbs: ["get"] @@ -379,14 +378,14 @@ spec: # This is a small image with wait-for-it, choose whatever image # you prefer that waits for a service to be up. This image is built # from https://github.com/lqhl/wait-for-it - image: gcr.io/spiffe-io/wait-for-it + image: ghcr.io/tektoncd/plumbing/wait-for-it imagePullPolicy: IfNotPresent args: ["-t", "30", "spire-server:8081"] containers: - name: spire-agent securityContext: {} - image: gcr.io/spiffe-io/spire-agent:1.0.2 + image: ghcr.io/spiffe/spire-agent:1.13.1@sha256:18326c81155ffb2685070f94b536a48eb0d0506db519f471abd16e3242eaf262 imagePullPolicy: IfNotPresent args: ["-config", "/run/spire/config/agent.conf"] volumeMounts: 
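Review bot: Image pinning in this file is now inconsistent: `spire-agent` (this hunk) and `spire-server` (`@@ -468`) are pinned by tag and digest, but `ghcr.io/spiffe/oidc-discovery-provider:1.13.1` in `@@ -505` has no digest and the init container `ghcr.io/tektoncd/plumbing/wait-for-it` has neither tag nor digest, so it floats on `latest`; pin both the same way (`image: ghcr.io/tektoncd/plumbing/wait-for-it:<tag>@sha256:<digest>`, placeholder values). Since the three SPIRE components move to 1.13.1 together, a comment above the first image saying they must be upgraded in lockstep would help. `allow_insecure_scheme = true` in the OIDC provider config is acceptable for this in-cluster test fixture, but a comment next to it noting that it only applies because `insecure_addr` is cluster-local makes the intent explicit.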
@@ -468,7 +467,7 @@ spec: - name: spire-server securityContext: {} - image: gcr.io/spiffe-io/spire-server:1.0.2 + image: ghcr.io/spiffe/spire-server:1.13.1@sha256:2c6d79b7858dc828a25eac1433556443266ee7f6695d97a8572ee97bb0117971 imagePullPolicy: IfNotPresent args: - -config @@ -505,30 +504,22 @@ spec: resources: {} - name: spire-oidc - image: gcr.io/spiffe-io/oidc-discovery-provider:1.0.2 + image: ghcr.io/spiffe/oidc-discovery-provider:1.13.1 imagePullPolicy: IfNotPresent args: - - -config - - /run/spire/oidc/config/oidc-discovery-provider.conf + - -config + - /run/spire/oidc/config/oidc-discovery-provider.conf ports: - - name: oidc - containerPort: 8082 - protocol: TCP + - name: oidc + containerPort: 8082 + protocol: TCP volumeMounts: - - name: spire-server-socket - mountPath: /tmp/spire-server/private - readOnly: false - - name: spire-oidc-config - mountPath: /run/spire/oidc/config/ - readOnly: true - # - name: spire-data - # mountPath: /run/spire/data - # readOnly: false - readinessProbe: - exec: - command: ["/bin/ps", "aux", " ||", "grep", "oidc-discovery-provider -config /run/spire/oidc/config/oidc-discovery-provider.conf"] - initialDelaySeconds: 5 - periodSeconds: 5 + - name: spire-server-socket + mountPath: /tmp/spire-server/private + readOnly: false + - name: spire-oidc-config + mountPath: /run/spire/oidc/config/ + readOnly: true resources: {} volumes: @@ -540,15 +531,15 @@ spec: - name: spire-oidc-config configMap: name: spire-oidc-dp - # volumeClaimTemplates: - # - metadata: - # name: spire-data - # labels: - # app.kubernetes.io/name: spire - # app.kubernetes.io/instance: spire - # spec: - # accessModes: - # - ReadWriteOnce - # resources: - # requests: - # storage: 1Gi +# volumeClaimTemplates: +# - metadata: +# name: spire-data +# labels: +# app.kubernetes.io/name: spire +# app.kubernetes.io/instance: spire +# spec: +# accessModes: +# - ReadWriteOnce +# resources: +# requests: +# storage: 1Gi 
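Review bot: The `readinessProbe` on `spire-oidc` in `@@ -505` is removed without replacement, so the oidc-discovery-provider container reports Ready as soon as it starts and consumers may hit it before it serves its discovery document. The removed probe was never functional (`/bin/ps aux " ||" grep …` passes `||` as a literal argv element), so rather than deleting it, replace it with an HTTP probe against the plain-HTTP listener this file already configures on the named `oidc` port. The commented-out `volumeClaimTemplates` block re-indented in `@@ -540` is dead configuration in both old and new form; deleting it is cleaner than reformatting it.
```yaml
        - name: spire-oidc
          # … unchanged: image, args, ports, volumeMounts …
          readinessProbe:
            httpGet:
              path: /.well-known/openid-configuration
              port: oidc
            initialDelaySeconds: 5
            periodSeconds: 5
          resources: {}
```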
diff --git a/test/testdata/vault.yaml b/test/testdata/vault.yaml index 5b6f58ff5a..0efef6f7be 100644 --- a/test/testdata/vault.yaml +++ b/test/testdata/vault.yaml @@ -49,7 +49,6 @@ metadata: labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: vault - annotations: spec: clusterIP: None publishNotReadyAddresses: true @@ -75,7 +74,6 @@ metadata: labels: app.kubernetes.io/name: vault app.kubernetes.io/instance: vault - annotations: spec: # We want the servers to become available even if they're not ready # since this DNS is also used for join operations. @@ -228,13 +226,12 @@ spec: volumes: - name: home emptyDir: {} - # volumeClaimTemplates: - # - metadata: - # name: data - # spec: - # accessModes: - # - ReadWriteOnce - # resources: - # requests: - # storage: 10Gi - + # volumeClaimTemplates: + # - metadata: + # name: data + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 10Gi