Merge branch 'main' into dependabot/github_actions/code-check-actions…

…/luacheck/lunarmodules/luacheck-1.1.1
Kong · Jan 12, 2024 · 540c2ae · 540c2ae
2 parents 98a7b1b + 4f5fcc8
commit 540c2ae
Show file tree

Hide file tree

Showing 27 changed files with 721 additions and 148 deletions.
diff --git a/.github/workflows/build-sdk-js.yml b/.github/workflows/build-sdk-js.yml
@@ -18,14 +18,14 @@ jobs:
     runs-on: ubuntu-latest
     name: Test Build JS SDK on PR
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           repository: ${{env.JS_SDK_TEST_REPOSITORY}}
           path: ${{github.workspace}}/sdk
       - uses: ./code-build-actions/build-js-sdk
         with:
-          dry-run: true
+          dry-run: 'true'
           app_directory: ${{ github.workspace }}
           sdk_output_directory: ${{github.workspace}}/sdk
           token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml
@@ -18,14 +18,14 @@ jobs:
     env:
       IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Install regctl
       uses: regclient/actions/regctl-installer@main
 
     - name: Login to DockerHub
       if: success()
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }}
         password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }}

diff --git a/.github/workflows/docker-image-sign.yml b/.github/workflows/docker-image-sign.yml
@@ -0,0 +1,88 @@
+name: Docker Sign Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-sign-docker-image:
+
+    permissions:
+      contents: read
+      packages: write # needed to upload to packages to registry
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+    name: Test Sign Docker Image
+    runs-on: ubuntu-22.04
+    env:
+      PRERELEASE_IMAGE: kongcloud/security-test-repo-pub:ubuntu_23_10 #particular reason for the choice of image: test multi arch image
+      TAGS: kongcloud/security-test-repo-pub:ubuntu_23_10,kongcloud/security-test-repo:ubuntu_23_10
+    steps:
+
+    - uses: actions/checkout@v3
+
+    - name: Install regctl
+      uses: regclient/actions/regctl-installer@main
+
+    - name: Parse Image Manifest Digest
+      id: image_manifest_metadata
+      run: |
+        manifest_list_exists="$(
+          if regctl manifest get "${PRERELEASE_IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
+            echo true
+          else
+            echo false
+          fi
+        )"
+        echo "manifest_list_exists=$manifest_list_exists"
+        echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
+
+        manifest_sha="$(regctl image digest "${PRERELEASE_IMAGE}")"
+
+        echo "manifest_sha=$manifest_sha"
+        echo "manifest_sha=$manifest_sha" >> $GITHUB_OUTPUT
+
+    - name: Sign Image digest
+      id: sign_image
+      if: steps.image_manifest_metadata.outputs.manifest_sha != ''
+      uses: ./security-actions/sign-docker-image
+      with:
+        cosign_output_prefix: ubuntu-23-10
+        signature_registry: kongcloud/security-test-repo-sig-pub
+        tags: ${{ env.TAGS }} 
+        image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
+        local_save_cosign_assets: true
+        registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
+        registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}
+
+    - name: Push Images
+      env:
+        RELEASE_TAG: kongcloud/security-test-repo:v1
+      run: |
+        docker pull ${PRERELEASE_IMAGE}
+        for tag in $RELEASE_TAG; do
+          regctl -v debug image copy ${PRERELEASE_IMAGE} $tag
+        done
+    
+    - name: Sign Image digest
+      id: sign_image_v1
+      if: steps.image_manifest_metadata.outputs.manifest_sha != ''
+      uses: ./security-actions/sign-docker-image
+      env:
+        RELEASE_TAG: kongcloud/security-test-repo:v1
+      with:
+        cosign_output_prefix: v1 # Optional
+        local_save_cosign_assets: true # Optional
+        signature_registry: kongcloud/security-test-repo-sig-pub
+        tags: ${{ env.RELEASE_TAG }} 
+        image_digest: ${{ steps.image_manifest_metadata.outputs.manifest_sha }}
+        registry_username: ${{ secrets.DOCKERHUB_PUSH_USERNAME }}
+        registry_password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}
diff --git a/.github/workflows/luacheck.yml → .github/workflows/lua-lint.yml b/.github/workflows/luacheck.yml → .github/workflows/lua-lint.yml
@@ -12,17 +12,22 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  test-luacheck:
+  test-lua-lint:
     env:
       TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
     name: Luacheck code analysis
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           repository: ${{env.TEST_REPOSITORY}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: ./code-check-actions/luacheck
+      - uses: ./code-check-actions/lua-lint
         with:
           additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}'
diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml
@@ -0,0 +1,37 @@
+name: Rust Lint Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-rust-lint:
+    permissions:
+      # required for all workflows
+      security-events: write
+      checks: write
+      pull-requests: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    runs-on: ubuntu-latest
+    name: Rust Code Linting checks
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./code-check-actions/rust-lint
+        with:
+          token: ${{secrets.GITHUB_TOKEN}}
+          manifest_dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
diff --git a/.github/workflows/rustcheck.yml → .github/workflows/rust-sca.yml b/.github/workflows/rustcheck.yml → .github/workflows/rust-sca.yml
@@ -1,4 +1,4 @@
-name: Rust SCA and Lint Test
+name: Rust SCA Test
 
 on:
   pull_request:
@@ -26,13 +26,13 @@ jobs:
     runs-on: ubuntu-latest
     name: Rust code analysis and SCA checks
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           repository: ${{env.TEST_REPOSITORY}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: ./code-check-actions/rustcheck
+      - uses: ./security-actions/scan-rust
         with:
           asset_prefix: ${{env.TEST_REPOSITORY}}
-          token: ${{secrets.GITHUB_TOKEN}}
-          dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
+          dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
+          codeql_upload: false
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -24,13 +24,15 @@ jobs:
     if: (github.actor != 'dependabot[bot]')
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           repository: ${{env.TEST_REPOSITORY}}
           token: ${{secrets.GITHUB_TOKEN}}
           path: ${{env.TEST_REPOSITORY}}
-      - uses: Scimia/public-shared-actions/code-check-actions/semgrep@main
+      - uses: ./security-actions/semgrep
         with:
           additional_config: '--config p/rust'
+          codeql_upload: false
+          fail_on_findings: false
 
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,3 +1,5 @@
 * @Kong/team-shared-actions-reviewers
 
-security-actions/ @Kong/team-security-engineering
+security-actions/ @Kong/team-security-engineering
+pr-previews/ @adamdehaven @ValeryG @Drew-Kimberly
+code-check-actions/ @Kong/team-security-engineering
diff --git a/README.md b/README.md
@@ -1,2 +1,16 @@
 # public-shared-actions
 Shared actions available to both public and private repositories
+
+## Usage
+
+  ```yaml
+  - uses: Kong/public-shared-actions/<action-name>@<tag>
+  ```
+  
+  For example:
+  
+  ```yaml
+  - uses:  Kong/public-shared-actions/code-build-actions/build-js-sdk@v1.6.0
+  ```
+  
+  
diff --git a/code-build-actions/build-js-sdk/README.md b/code-build-actions/build-js-sdk/README.md
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build JS SDK
-        uses: Kong/public-shared-actions/build-js-sdk@main
+        uses: Kong/public-shared-actions/code-build-actions/build-js-sdk
 
 ```
 

diff --git a/code-build-actions/build-js-sdk/action.yaml b/code-build-actions/build-js-sdk/action.yaml
@@ -5,7 +5,7 @@ inputs:
   dry-run:
     description: 'If true, the action will not push the changes to the PR'
     required: false
-    default: false
+    default: 'false'
   token:
     description: 'A Github Token'
     required: true
@@ -50,17 +50,9 @@ runs:
       shell: bash
       working-directory: ${{inputs.sdk_output_directory}}
       run: |
-        openapi-generator-cli generate --generator-key client
+        openapi-generator-cli generate --generator-key client -o src
     - name: "Clean up generator files"
       shell: bash
       working-directory: ${{inputs.sdk_output_directory}}/src
       run: |
         rm -rf openapitools.json templates-js .openapi-generator-ignore .openapi-generator git_push.sh
-    - name: Commit SDK changes to the PR
-      uses: EndBug/add-and-commit@v9
-      if: ${{ !inputs.dry-run }}
-      with:
-        cwd: ${{inputs.sdk_output_directory}}
-        add: src
-        default_author: github_actions
-        message: Update SDK based on openapi.yaml changes
diff --git a/code-check-actions/luacheck/README.md → code-check-actions/lua-lint/README.md b/code-check-actions/luacheck/README.md → code-check-actions/lua-lint/README.md
@@ -6,12 +6,6 @@ This action analyzes all changed lua files using [lunarmodules/luacheck](https:/
 
 This action looks for any `cli` arguments and a deafult `.luacheckrc` config to derive the final configuaration as mentioned in [docs](https://luacheck.readthedocs.io/en/stable/cli.html#command-line-options)
 
-## User tracking
-
-Currently, these repos are using this action:
-
-[]
-
 ## Inputs
 
 ```yaml
@@ -24,8 +18,9 @@ additional_args:
 ## Outputs
 - Depending on the event, refer [publishing](https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results)
 
-## Action status
+## Action Output
 - Always exit with 0 even when there are warnings / errors and be non-blocking
+- The failure mode of build is not configurable based on shared action outcome
 
 ## Example usage
 

diff --git a/code-check-actions/luacheck/action.yml → code-check-actions/lua-lint/action.yml b/code-check-actions/luacheck/action.yml → code-check-actions/lua-lint/action.yml
@@ -10,7 +10,7 @@ inputs:
     description: 'List of files, directories and rockspecs to check'
     required: false
     default: '.' # Scans workspace dir
-    
+
 runs:
   using: composite
   steps:
@@ -19,8 +19,8 @@ runs:
       uses: lunarmodules/luacheck@ababb6d403d634eb74d2c541035e9ede966e710d
       continue-on-error: true
       with:
-        args: "${{ inputs.additional_args }} -c --codes --ranges --formatter JUnit -q ${{ inputs.files }} > luacheck_${{github.sha}}.xml"
-    
+        args: "${{ inputs.additional_args }} --codes --ranges --formatter JUnit -q ${{ inputs.files }} > luacheck_${{github.sha}}.xml"
+
     - name: Upload results to workflow
       if: always()
       uses: actions/upload-artifact@v3
@@ -32,7 +32,7 @@ runs:
 
 #     - name: Print Luacheck results
 #       shell: bash
-#       run: | 
+#       run: |
 #         cat luacheck_${{github.sha}}.xml
 
     # when using the regular GITHUB_TOKEN, the check-run created by this step will be assigned to a
@@ -42,12 +42,13 @@ runs:
     # Publishing: https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results
     - name: Luacheck Report
       uses: EnricoMi/publish-unit-test-result-action@v2
-      if: always()
+      if: always() && github.actor != 'dependabot[bot]'
       with:
         files: |
           luacheck_${{github.sha}}.xml
         check_name: Luacheck Report
         comment_mode: always
         action_fail: false
+        fail_on: 'nothing' # Explicitly don't fail reporting check based on test results
+
 
-