Commit Graph

95 Commits

Author SHA1 Message Date
StepSecurity Bot
56d08e1b4d ci: Harden GitHub Actions
Update GitHub actions to use full length commit ids for
third-party actions to reduce security risk in case of vulnerabilities.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
2024-09-19 11:00:39 +00:00
Niels de Vos
cde5048dd2 ci: pass the correct account token for Snyk jobs
The secret in the project settings has a typo and is called `SYNK_TOKEN`
instead of `SNYK_TOKEN`. Changing the name of the secret does not seem
to be trivial; it needs to be deleted and re-created, which requires
obtaining a new token, somehow. Adopting the name with the typo in the
GitHub Workflow is easier.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-08-27 09:58:24 +00:00
Madhu Rajanna
b0751cb06e ci: update rules for 3.12 release
updating release for 3.12 release

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2024-08-14 15:11:41 +00:00
Nikhil-Ladha
71cbf3d7eb ci: add test for uncommitted changes in deploy directory
added test for uncommitted changes in deploy directory under go-test GH action.
Also, created a new make target named `make check-deploy-committed` that
can be used to verify the uncommitted changes.

Signed-off-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
2024-08-13 12:17:43 +00:00
Niels de Vos
6f043698d1 ci: add e2e-build-test for compiling the e2e testsuite
When Go modules get updated, golangci-lint sometimes fails with weird
errors. One of the common causes seems to be that there is a dependency
breakage between modules that are only used within the e2e test suite. A
normal build of the cephcsi executable succeeds, but building ./e2e
would fail.

By adding a job to build the e2e.test executable, a clear error message
will be reported when there are package dependency conflicts.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-06-28 08:38:54 +00:00
Niels de Vos
c558588bd8 ci: trigger k8s-1.30 jobs for current Ceph-CSI versions
Run CI jobs with Kubernetes 1.30 for the devel branch and upcoming
releases.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-05-02 15:25:58 +00:00
Niels de Vos
6009c28c30 ci: do not run k8s-1.26 tests for release-v3.11 and devel
The k8s-external-storage/1.26 CI job does not work with the versions
that are part of the release-v3.11 and devel branches.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-05-02 15:25:58 +00:00
Rakshith R
97bc20ae5a ci: update pr-commentor rules matrix
This commit adds rules for release-v3.11
and removes rules for release-v3.9.

Signed-off-by: Rakshith R <rar@redhat.com>
2024-04-02 08:07:30 +00:00
Niels de Vos
fe050557c9 ci: no need to test the devel branch with k8s v1.26
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-02-15 08:22:16 +00:00
dependabot[bot]
6e20a7d062 rebase: bump peter-evans/create-or-update-comment from 3 to 4
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment) from 3 to 4.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases)
- [Commits](https://github.com/peter-evans/create-or-update-comment/compare/v3...v4)

---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-30 11:58:48 +00:00
dependabot[bot]
43d2f86dc7 rebase: bump actions/dependency-review-action from 3 to 4
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3 to 4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-24 08:48:11 +00:00
Riya Singhal
c807059618 ci: update github actions for k8s-1.29
kubernetes 1.29 is released recently, updating the
github action for the same.

Signed-off-by: Riya Singhal <rsinghal@redhat.com>
2024-01-04 13:02:44 +00:00
dependabot[bot]
4c97bbb2e4 rebase: bump github/codeql-action from 2 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-19 08:29:02 +00:00
dependabot[bot]
6cab5bfd42 rebase: bump actions/stale from 8 to 9
Bumps [actions/stale](https://github.com/actions/stale) from 8 to 9.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v8...v9)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-12 08:44:36 +00:00
Rakshith R
788b6629ec ci: update pr-commentor rules matrix
This commit adds rules for release-v3.10
and removes rules for release-v3.8.

Signed-off-by: Rakshith R <rar@redhat.com>
2023-11-30 10:21:27 +01:00
Riya Singhal
aa55317c74 ci: add ci bot for auto assigning issue
this will auto assign the issue to the user who
commented /assign

Signed-off-by: Riya Singhal <rsinghal@redhat.com>
2023-11-22 13:19:26 +00:00
Madhu Rajanna
63f48874ad ci: add snyk for container image
adding a github action to do security
scanning for the cephcsi container image

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2023-11-16 10:23:13 +00:00
Madhu Rajanna
6b3665b80c ci: add snyk scanning
adding snyk github action to
run when a PR is merged to the release
branch or when a new release is done.
Run snyk weekly on the devel branch.
This will help us to track the security
scanning results and fix if anything is
required and also it serves as a placeholder
for security scanning result for a while.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2023-11-16 05:23:19 +00:00
dependabot[bot]
7f96dc8a64 rebase: bump actions/github-script from 6 to 7
Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-14 09:12:35 +00:00
Niels de Vos
ba37ff73ac ci: run tickgit after merging a PR in the devel branch
The `tickgit.com` webservice seems to not update itself anymore, but
having a list of TODO's is very useful. Use the tickgit project to
gather the TODO's, but in a GitHub Workflow.

Developers can also run `make containerized-test TARGET=tickgit` to get
the result locally.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-11-08 08:29:10 +00:00
dependabot[bot]
5677834d24 rebase: bump docker/login-action from 2 to 3
Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-20 10:03:37 +00:00
dependabot[bot]
b3ef8672a4 rebase: Bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 08:47:25 +00:00
Niels de Vos
ee843e6ffd ci: only add /test .. comment if the branch for the PR matches
By adding an if-statement for each step of the matrix job, only those
steps are executed where the base ref of the PR matches the branch in
the matrix parameters.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-08-22 11:28:37 +00:00
Niels de Vos
2d120f2e10 ci: exclude branches from the testing matrix for ok-to-test comments
It seems that `matrix.*` parameters can not be used in the if-statement
for a job. Now using the `exclude:` parameter with a more dynamically
constructed value for the branch. If the value for the branch is not
part of the initial branch list, the value will not be excluded, so the
jobs are expected to run.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-08-22 11:09:14 +00:00
Niels de Vos
a57fe08e7d ci: run versioned k8s jobs only on selected branches
By using a matrix strategy with excluding certain branches and
Kubernetes versions, the number of CI jobs per PullRequest should stay
limited.

Closes: #4060
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-08-21 11:06:29 +00:00
Madhu Rajanna
9ffd3ffd98 ci: update pull request commentor for kube 1.28.0
updating pull request commentor to
run tests with kubernetes 1.28.0

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2023-08-21 09:32:25 +02:00
Niels de Vos
f371aa2677 ci: use podman for simple GitHub workflows
`podman` is installed by default on the Ubuntu runners. Podman is
recommended for developers and contributors, as there are no elevated
privileges required to run it. Docker requires extra permissions to
build and/or run container images, and contributors to Ceph-CSI should
not need to spend time working with that (several developers run the
`docker` command with `sudo`, which is discouraged).

Only the multi-arch Workflows require Docker, for the time being.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-08-07 16:34:44 +00:00
Niels de Vos
ce26b0e212 ci: allow CVE-2019-11255 in Kubernetes module dependency
It is unclear how a module for utility functions can have the same
problem as a separate side-car that is expected to do the input
validation. The side-cars have been fixed already, no further details
are in the CVE description (from 2019).

See-also: https://github.com/advisories/GHSA-f4w6-3rh6-6q4
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-07-26 13:34:23 +00:00
Rakshith R
37f1d722d3 ci: remove checks for k8s 1.24 ci tests
K8s 1.24 will be End of Life on 2023-07-28.
Therefore, removing checks for ci tests on
that version.

refer:
https://kubernetes.io/releases/#release-v1-24

Signed-off-by: Rakshith R <rar@redhat.com>
2023-06-16 09:07:18 +02:00
Rakshith R
40888f01b6 ci: fix pr-commentor for merge queue draft pr
The mergify label copier used github-actions bot
to add labels. Actions performed by github-actions
bot do not trigger a workflow and hence
pull-request-commentor was not working as expected.
This commit modifies mergify label copier to use
Cephcsi-bot to copy labels which then will be
able to trigger action to add pr comments.

Signed-off-by: Rakshith R <rar@redhat.com>
2023-06-14 10:23:12 +00:00
Niels de Vos
0e79135419 ci: prevent Retest Workflow from running on forked repos
Forked repositories contain the `.github/workflows/` directory, and
therefore run all the GitHub Workflows located there. Some of the
workflows need additional configuration, like providing access to the
standard `GITHUB_TOKEN`. If the extra configuration is not done, the
GitHub Workflow will fail, and the owner of the forked repository will
receive regular notifications about that.

There is no need to run the "retest" workflow on forked repositories, so
it can be skipped by default.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-06-05 08:56:40 +00:00
Niels de Vos
6a5d7f57e5 ci: use the "ceph-csi-bot" account for commenting on PRs
By default the `GITHUB_TOKEN` is used for the actions, and the name of
the account that comments is "github-actions[bot]". It is a nice touch
to use the Ceph-CSI Bot account instead.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-06-05 07:37:51 +00:00
Niels de Vos
ba991cbb85 ci: use github.event.label.name for check in pull-request-commenter
The `github.event.label.name` was replaced by
`github.event.pull_request.label` in PR #3862. It seems that the value
always is `null`, which causes the pull-request-commenter to skip the
events for `ok-to-test` label additions. By using the original
`github.event.label.name`, things work again as expected.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-06-01 11:52:02 +00:00
Niels de Vos
360df61eb0 ci: github.event.pull_request.merged is a boolean, not a string
With the updates to the pull-request-commenter, all strings were placed
within `'` to prevent syntax issues. It seems that
`github.event.pull_request.merged` really is a boolean (or `null`), and
not a string.

Doc: https://docs.github.com/en/webhooks-and-events/ ("payloads" section)
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-31 09:44:25 +00:00
Niels de Vos
b804181a3d ci: remove \ from GitHub Workflow if condition
Backslashes (`\`) cause issues in the `if` statement with GitHub
Workflows.

    Unexpected symbol: '\'. Located at position 53 within expression:
    (github.event.pull_request.label == 'ok-to-test' && \

Using the `>` YAML syntax to replace linebreaks with spaces should
address this problem.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-31 07:44:13 +00:00
Niels de Vos
27dc4f0fde ci: fix syntax error in pull-request-commenter GitHub Workflow
The `ok-to-test` label does not work anymore, and the GitHub Workflow
contains the following error:

    The workflow is not valid.
    .github/workflows/pull-request-commentor.yaml (Line: 15, Col: 9):
    Unrecognized named-value: 'ok-to-test'.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-30 14:00:27 +00:00
Rakshith R
cf0fd2bfeb ci: fix pull-request-commentor workflow
Fix if condition in workflow to account
for ok-to-test label on newly created prs.

Signed-off-by: Rakshith R <rar@redhat.com>
2023-05-26 12:15:07 +00:00
Rakshith R
b157b1a7c2 ci: trigger Add comment workflow for "opened" prs
The `Add comment` workflow was triggered only
when labels were added to the pr and failed
to be run on prs which were created with the
required label.
This commit makes sure the workflow is triggered
on pr creation too.

Signed-off-by: Rakshith R <rar@redhat.com>
2023-05-26 09:22:16 +00:00
Rakshith R
c63af2108e ci: switch back to official label copier & always add ok-to-test label
Signed-off-by: Rakshith R <rar@redhat.com>
2023-05-19 07:40:10 +00:00
Niels de Vos
6547868611 ci: checkout the local mergify-merge-queue-labels-copier
Without checking out the repository, it is not possible to run the local
action.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 16:37:11 +00:00
Niels de Vos
e46f65640c ci: rename gha-mergify-merge-queue-labels-copier.yaml to action.yaml
It seems to be required to have the GitHub Action called `action.yaml`.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 15:22:12 +00:00
Niels de Vos
b371337287 ci: use modified gha-mergify-merge-queue-labels-copier Action
The original Mergifyio/gha-mergify-merge-queue-labels-copier@main
contains `startsWith()` that has the arguments reversed. This prevents
the action from working as intended.

See-also: https://docs.github.com/en/actions/learn-github-actions/expressions
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 14:47:53 +00:00
Niels de Vos
52ebfa6b97 ci: include ci/skip/.. labels for copying into merge queue PRs
Setting an empty `labels:` fails to work as intended, no labels get
copied at all. Now setting the `ci/skip/..` labels, as those are most
important for speeding up merging.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 12:47:40 +00:00
Niels de Vos
745d2ace92 ci: Mergify copy-labels requires empty string for labels:
Instead of leaving the `labels:` empty, pass an empty string `""`.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 08:03:28 +00:00
Niels de Vos
40eff59d45 ci: Mergify copy-labels requires empty labels: value
See-also: Mergifyio/mergify#5088
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-15 07:24:04 +00:00
Niels de Vos
c37ac53cbb ci: add GitHub Workflow to copy labels in Mergify created PRs
When Mergify creates a PR, the `ok-to-test` label needs to be added
before CI runs. Not all PRs need complete testing, and they may have
some `ci/skip/..` labels too. With this new GitHub Workflow, the labels
get copied from the original PR into the newly created PR.

See-also: https://github.com/Mergifyio/mergify/discussions/5088
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-05-11 11:05:46 +00:00
dependabot[bot]
c702264708 rebase: bump peter-evans/create-or-update-comment from 2 to 3
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment) from 2 to 3.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases)
- [Commits](https://github.com/peter-evans/create-or-update-comment/compare/v2...v3)

---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-25 11:34:17 +00:00
riya-singhal31
1bc090d975 ci: update github actions for k8s 1.27
Signed-off-by: riya-singhal31 <rsinghal@redhat.com>
2023-04-21 08:18:33 +00:00
Madhu Rajanna
60248ce811 ci: remove kubernetes 1.23 from github action
Removed kubernetes 1.23 from github action
as 1.23 is not supported anymore.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2023-04-21 06:46:30 +00:00
dependabot[bot]
cb05525d4f rebase: Bump peter-evans/create-or-update-comment from 2 to 3
Bumps [peter-evans/create-or-update-comment](https://github.com/peter-evans/create-or-update-comment) from 2 to 3.
- [Release notes](https://github.com/peter-evans/create-or-update-comment/releases)
- [Commits](https://github.com/peter-evans/create-or-update-comment/compare/v2...v3)

---
updated-dependencies:
- dependency-name: peter-evans/create-or-update-comment
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-13 08:46:07 +00:00