adding snyk github action to
run when a PR is merged to the release
branch or when a new release is done.
Run snyk weekly on the devel branch.
This will help us to track the security
scanning results and fix if anything is
required and also it serves as a placeholder
for security scanning result for a while.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
The `tickgit.com` webservice seems to not update itself anymore, but
having a list of TODO's is very useful. Use the tickgit project to
gather the TODO's, bit in a GitHub Workflow.
Developers can also run `make containerized-test TARGET=tickgit` to get
the result locally.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Keeping track of changes between releases
and fetching that information during
release is difficult, Adding a doc to
keep track of the changes between major
releases which helps during release.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
go-ceph is an important package that we consume. It is better to have
that as separate rebase PR from Dependabot and not include it in the
general GitHub package group.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Golang dependencies are already grouped, but they only contain packages
from `github.com/golang*`. There are more Golang standard packages that
are located at `golang.org/x/*`. Because of the tight relationship
between these packages, it is more efficient to group updates together.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
enable dependabot raising PR by groups to
reduce PR and save CI resources.
This uses the beta groups feature of dependabot
More details here
https://docs.github.com/en/code-security/\
dependabot/dependabot-version-updates/\
configuration-options-for-the-dependabot.yml-file#groups
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
By adding an if-statement for each step of the matrix job, only those
steps are executed where the base ref of the PR matches the branch in
the matrix parameters.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
It seems that `matrix.*` parameters can not be used in the if-statement
for a job. Now using the `exclude:` parameter with a more dynamically
constructed value for the branch. If the value for the branch is not
part of the initial branch list, the value will not be excluded, so the
jobs are expected to run.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
By using a matrix strategy with excluding certain branches and
Kubernetes versions, the number of CI jobs per PullRequest should stay
limited.
Closes: #4060
Signed-off-by: Niels de Vos <ndevos@ibm.com>
`podman` is installed by default on the Ubuntu runners. Podman is
recommended for developers and contributors, as there are no elevated
privileges required to run it. Docker requires extra permissions to
build and or run container images, and contributors to Ceph-CSI should
not need to spend time working with that (several developers run the
`docker` command with `sudo`, which is discouraged).
Only the multi-arch Workflows require Docker, for the time being.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
It is unclear how a module for utility functions can have the same
problem as a separate side-car that is expected to do the input
validation. The side-cars have been fixed already, no further details
are in the CVE description (from 2019).
See-also: https://github.com/advisories/GHSA-f4w6-3rh6-6q4
Signed-off-by: Niels de Vos <ndevos@ibm.com>
`/retest all` causes a spike in resource consumption in Jenkins and the
OpenShift cluster kills the Pod. That means tests are not fully running
yet, and results never arrive back in the PR. Instead of `/retest all`,
the `ok-to-test` label can be used to trigger required tests with a
slight delay between each command.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
The mergify label copier used github-actions bot
to add labels. Actions performed by github-actions
bot do not trigger a workflow and hence
pull-request-commentor was not working as expected.
This commit modifies mergify label copier to use
Cephcsi-bot to copy labels which then will be
able to trigger action to add pr comments.
Signed-off-by: Rakshith R <rar@redhat.com>
Forked repositories contain the the `.github/workflows/` directory, and
therefore run all the GitHub Workflows located there. Some of the
workflows need additional configuration, like providing access to the
standard `GITHUB_TOKEN`. If the extra configuration is not done, the
GitHub Workflow will fail, and the owner of the forked repository will
receive regular notifications about that.
There is no need to run the "retest" workflow on forked repositories, so
it can be skipped by default.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
By default the `GITHUB_TOKEN` is used for the actions, and the name of
the account that comments is "github-actions[bot]". It is a nice touch
to use the Ceph-CSI Bot account instead.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
The `github.event.label.name` was replaced by
`github.event.pull_request.label` in PR #3862. It seems that the value
always is `null`, which causes the pull-request-commenter to skip the
events for `ok-to-test` label additions. By using the original
`github.event.label.name`, things work again as expected.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
With the updates to the pull-request-commenter, all strings were placed
within `'` to prevent syntax issues. It seems that
`github.event.pull_request.merged` really is a boolean (or `null`), and
not a string.
Doc: https://docs.github.com/en/webhooks-and-events/ ("payloads" section)
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Backslashes (`\`) cause issues in the `if` statment with GitHub
Workflows.
Unexpected symbol: '\'. Located at position 53 within expression:
(github.event.pull_request.label == 'ok-to-test' && \
Using the `>` YAML syntax to replace linebreaks with spaces should
address this problem.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
