Update GitHub actions to use full length commit ids for
third-party actions to reduce security risk in case of vulnerabilities.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
The secret in the project settings has a typo and is called `SYNK_TOKEN`
instead of `SNYK_TOKEN`. Changing the name of the secret does not seem
to be trivial; it needs to be deleted and re-created, which requires
obtaining a new token, somehow. Adopting the name with the typo in the
GitHub Workflow is easier.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
added test for uncommitted changes in deploy directory under go-test GH action.
Also, created a new make target named `make check-deploy-committed` that
can be used to verify the uncommitted changes.
Signed-off-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
When Go modules get updated, golangci-lint sometimes fails with weird
errors. One of the common causes seems to be that there is a dependency
breakage between modules that are only used within the e2e test suite. A
normal build of the cephcsi executable succeeds, but building ./e2e
would fail.
By adding a job to build the e2e.test executable, a clear error message
will be reported when there are package dependency conflicts.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
The k8s-external-storage/1.26 CI job does not work with the versions
that are part of the release-v3.11 and devel branches.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
adding snyk github action to
run when a PR is merged to the release
branch or when a new release is done.
Run snyk weekly on the devel branch.
This will help us to track the security
scanning results and fix if anything is
required and also it serves as a placeholder
for security scanning result for a while.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
The `tickgit.com` webservice seems to not update itself anymore, but
having a list of TODO's is very useful. Use the tickgit project to
gather the TODO's, bit in a GitHub Workflow.
Developers can also run `make containerized-test TARGET=tickgit` to get
the result locally.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Keeping track of changes between releases
and fetching that information during
release is difficult, Adding a doc to
keep track of the changes between major
releases which helps during release.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
go-ceph is an important package that we consume. It is better to have
that as separate rebase PR from Dependabot and not include it in the
general GitHub package group.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Golang dependencies are already grouped, but they only contain packages
from `github.com/golang*`. There are more Golang standard packages that
are located at `golang.org/x/*`. Because of the tight relationship
between these packages, it is more efficient to group updates together.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
enable dependabot raising PR by groups to
reduce PR and save CI resources.
This uses the beta groups feature of dependabot
More details here
https://docs.github.com/en/code-security/\
dependabot/dependabot-version-updates/\
configuration-options-for-the-dependabot.yml-file#groups
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
By adding an if-statement for each step of the matrix job, only those
steps are executed where the base ref of the PR matches the branch in
the matrix parameters.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
It seems that `matrix.*` parameters can not be used in the if-statement
for a job. Now using the `exclude:` parameter with a more dynamically
constructed value for the branch. If the value for the branch is not
part of the initial branch list, the value will not be excluded, so the
jobs are expected to run.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
By using a matrix strategy with excluding certain branches and
Kubernetes versions, the number of CI jobs per PullRequest should stay
limited.
Closes: #4060
Signed-off-by: Niels de Vos <ndevos@ibm.com>
`podman` is installed by default on the Ubuntu runners. Podman is
recommended for developers and contributors, as there are no elevated
privileges required to run it. Docker requires extra permissions to
build and or run container images, and contributors to Ceph-CSI should
not need to spend time working with that (several developers run the
`docker` command with `sudo`, which is discouraged).
Only the multi-arch Workflows require Docker, for the time being.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
It is unclear how a module for utility functions can have the same
problem as a separate side-car that is expected to do the input
validation. The side-cars have been fixed already, no further details
are in the CVE description (from 2019).
See-also: https://github.com/advisories/GHSA-f4w6-3rh6-6q4
Signed-off-by: Niels de Vos <ndevos@ibm.com>
`/retest all` causes a spike in resource consumption in Jenkins and the
OpenShift cluster kills the Pod. That means tests are not fully running
yet, and results never arrive back in the PR. Instead of `/retest all`,
the `ok-to-test` label can be used to trigger required tests with a
slight delay between each command.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
K8s 1.24 will be End of Life on 2023-07-28.
Therefore, removing checks for ci tests on
that version.
refer:
https://kubernetes.io/releases/#release-v1-24
Signed-off-by: Rakshith R <rar@redhat.com>
The mergify label copier used github-actions bot
to add labels. Actions performed by github-actions
bot do not trigger a workflow and hence
pull-request-commentor was not working as expected.
This commit modifies mergify label copier to use
Cephcsi-bot to copy labels which then will be
able to trigger action to add pr comments.
Signed-off-by: Rakshith R <rar@redhat.com>
Forked repositories contain the the `.github/workflows/` directory, and
therefore run all the GitHub Workflows located there. Some of the
workflows need additional configuration, like providing access to the
standard `GITHUB_TOKEN`. If the extra configuration is not done, the
GitHub Workflow will fail, and the owner of the forked repository will
receive regular notifications about that.
There is no need to run the "retest" workflow on forked repositories, so
it can be skipped by default.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
By default the `GITHUB_TOKEN` is used for the actions, and the name of
the account that comments is "github-actions[bot]". It is a nice touch
to use the Ceph-CSI Bot account instead.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
The `github.event.label.name` was replaced by
`github.event.pull_request.label` in PR #3862. It seems that the value
always is `null`, which causes the pull-request-commenter to skip the
events for `ok-to-test` label additions. By using the original
`github.event.label.name`, things work again as expected.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
With the updates to the pull-request-commenter, all strings were placed
within `'` to prevent syntax issues. It seems that
`github.event.pull_request.merged` really is a boolean (or `null`), and
not a string.
Doc: https://docs.github.com/en/webhooks-and-events/ ("payloads" section)
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Backslashes (`\`) cause issues in the `if` statment with GitHub
Workflows.
Unexpected symbol: '\'. Located at position 53 within expression:
(github.event.pull_request.label == 'ok-to-test' && \
Using the `>` YAML syntax to replace linebreaks with spaces should
address this problem.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
The `ok-to-test` label does not work anymore, and the GitHub Workflow
contains the following error:
The workflow is not valid.
.github/workflows/pull-request-commentor.yaml (Line: 15, Col: 9):
Unrecognized named-value: 'ok-to-test'.
Signed-off-by: Niels de Vos <ndevos@ibm.com>