Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,17 @@ on:
branches:
- main
- 'release-*'

permissions:
contents: read
pull-requests: read

jobs:
trivy:
permissions:
actions: read
contents: read
security-events: write
uses: "./.github/workflows/lib-trivy.yaml"

validate:
Expand Down
20 changes: 19 additions & 1 deletion .github/workflows/devel.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,38 @@ on:
push:
branches:
- main

permissions:
contents: read
pull-requests: read
security-events: write

jobs:
trivy:
permissions:
actions: read
contents: read
security-events: write
uses: "./.github/workflows/lib-trivy.yaml"
with:
upload-to-github-security-tab: true

validate:
uses: "./.github/workflows/lib-validate.yaml"

codeql:
permissions:
actions: read
contents: read
security-events: write
uses: "./.github/workflows/lib-codeql.yaml"

scorecard:
permissions:
contents: read
id-token: write
security-events: write
uses: "./.github/workflows/lib-scorecard.yaml"

build:
needs:
- validate
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/lib-build.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
name: build

on:
workflow_call:

permissions:
contents: read

jobs:
image:
name: Build image
Expand Down
32 changes: 32 additions & 0 deletions .github/workflows/lib-codeql.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: "CodeQL"

on:
workflow_call:

permissions:
actions: read
contents: read

jobs:
analyze:
name: Analysis
runs-on: 'ubuntu-latest'
timeout-minutes: 360

permissions:
security-events: write

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: 'go'

- uses: actions/setup-go@v4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:go"
3 changes: 3 additions & 0 deletions .github/workflows/lib-publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
env:
no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"

permissions:
contents: read

jobs:
image:
name: Build image
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/lib-scorecard.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: "OSSF"

on:
workflow_call:

permissions:
contents: read

jobs:
analysis:
name: Analysis
runs-on: ubuntu-latest

permissions:
security-events: write
id-token: write

steps:
- uses: actions/checkout@v4
with:
persist-credentials: false

- name: "Analyze project"
uses: ossf/scorecard-action@v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload results to security"
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
7 changes: 7 additions & 0 deletions .github/workflows/lib-trivy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ on:
required: false
type: boolean

permissions:
actions: read
contents: read

jobs:
trivy-scan-deployments:
name: Scan deployments
Expand Down Expand Up @@ -69,6 +73,9 @@ jobs:
severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"

trivy-scan-vulns:
permissions:
security-events: write

runs-on: ubuntu-22.04
name: Scan vulnerabilities
steps:
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/lib-validate.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ name: validate
on:
workflow_call:

permissions:
contents: read

jobs:
docs:
name: Check docs are buildable
Expand All @@ -28,7 +31,6 @@ jobs:

golangci:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: lint
runs-on: ubuntu-22.04
Expand Down
2 changes: 2 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ GOFMT := gofmt
KUSTOMIZE ?= kustomize
OPERATOR_SDK ?= operator-sdk



BUILDTAGS ?= ""
BUILDER ?= "docker"
EXTRA_BUILD_ARGS ?= ""
Expand Down
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/workflows/CI/badge.svg?branch=main)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ACI)
[![Go Report Card](https://goreportcard.com/badge/github.com/intel/intel-device-plugins-for-kubernetes)](https://goreportcard.com/report/github.com/intel/intel-device-plugins-for-kubernetes)
[![GoDoc](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin?status.svg)](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/intel/intel-device-plugins-for-kubernetes/badge)](https://api.securityscorecards.dev/projects/intel/intel-device-plugins-for-kubernetes)
![Dependabot Status](https://flat.badgen.net/github/intel/intel-device-plugins-for-kubernetes)

This repository contains a framework for developing plugins for the Kubernetes
[device plugins framework](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/),
Expand Down