diff --git a/.github/README.md b/.github/README.md
new file mode 100644
index 000000000..4a8f41a72
--- /dev/null
+++ b/.github/README.md
@@ -0,0 +1,53 @@
+# GitHub Workflows
+
+## PR Testing Strategy
+
+### Why Two Triggers?
+
+GitHub's `pull_request` event doesn't expose secrets to fork PRs (for security). But we need secrets to run integration tests. The `pull_request_target` event does expose secrets—but it sets `GITHUB_SHA` to the **base branch**, not the PR. This means the default checkout gets the wrong code, and creates security risks if not handled carefully.
+
+### How We Handle It
+
+| Trigger | Branch | Why |
+|---------|--------|-----|
+| `pull_request_target` | `develop` | Enables secrets for fork PRs; requires manual approval |
+| `pull_request` | All except `develop` | Standard trigger for trusted maintainers |
+
+### Security Requirements
+
+1. **Always use `approval-gate.yml`** as a dependency for jobs needing secrets
+2. **Always specify `with.ref`** on all `actions/checkout` steps (enforced by `lint-workflows.yml`)
+3. **Always pass the approval gate's `commit-sha`** to prevent testing unapproved code
+
+### Checkout Patterns
+
+**For workflows using approval-gate** (recommended for `pull_request_target`):
+
+```yaml
+jobs:
+ approval-gate:
+ uses: ./.github/workflows/approval-gate.yml
+
+ build:
+ needs: approval-gate
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ needs.approval-gate.outputs.commit-sha }}
+```
+
+**For simpler workflows** (e.g., `pull_request` or `push` triggers):
+
+```yaml
+# Preferred: Define ref once at workflow level, reuse in all jobs
+env:
+ CHECKOUT_REF: ${{ github.ref }}
+jobs:
+ build:
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
+```
+
+> ⚠️ Without these safeguards, a malicious commit could be added after approval but before execution.
diff --git a/.github/scripts/check-checkout-ref.py b/.github/scripts/check-checkout-ref.py
new file mode 100644
index 000000000..8d51c0918
--- /dev/null +++ b/.github/scripts/check-checkout-ref.py 
@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+"""
+Check that all actions/checkout usages have 'with.ref' specified.
+
+This ensures consistent and explicit checkout behavior across all workflows.
+"""
+
+import sys
+from pathlib import Path
+
+import yaml
+
+
+def check_workflow_file(filepath: Path) -> list[dict]:
+ """
+ Check a workflow file for actions/checkout usages without 'with.ref'.
+
+ Returns a list of violations.
+ """
+ violations = []
+
+ with open(filepath, "r") as f:
+ try:
+ data = yaml.safe_load(f)
+ except yaml.YAMLError as e:
+ print(f"Warning: Failed to parse {filepath}: {e}")
+ return []
+
+ if not data or "jobs" not in data:
+ return []
+
+ for job_name, job in data["jobs"].items():
+ steps = job.get("steps", [])
+ for i, step in enumerate(steps):
+ uses = step.get("uses", "")
+ if "actions/checkout" in uses:
+ with_block = step.get("with", {})
+ has_ref = isinstance(with_block, dict) and "ref" in with_block
+
+ if not has_ref:
+ violations.append({
+ "file": str(filepath),
+ "job": job_name,
+ "step": i,
+ "uses": uses,
+ })
+
+ return violations
+
+
+def main():
+ workflows_dir = Path(".github/workflows")
+
+ if not workflows_dir.exists():
+ print("Error: .github/workflows directory not found")
+ sys.exit(1)
+
+ all_violations = []
+
+ for pattern in ("*.yml", "*.yaml"):
+ for workflow_file in sorted(workflows_dir.glob(pattern)):
+ all_violations.extend(check_workflow_file(workflow_file))
+
+ if all_violations:
+ print("❌ Found actions/checkout usages without 'with.ref' specified:\n")
+ for v in all_violations:
+ print(f" {v['file']}")
+ print(f" Job: {v['job']}, Step: {v['step']}")
+ print(f" Uses: {v['uses']}\n")
+ print(f"Total violations: {len(all_violations)}")
+ print("\nAll actions/checkout steps should specify 'with.ref' to ensure")
+ print("consistent and explicit checkout behavior.")
+ print("\nSee .github/README.md for security requirements and examples.")
+ sys.exit(1)
+ else:
+ print("✅ All actions/checkout usages have 'with.ref' specified")
+ sys.exit(0)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml
new file mode 100644
index 000000000..bfbee58ca
--- /dev/null
+++ b/.github/workflows/approval-gate.yml
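Review bot: A workflow file that fails to parse is reported as compliant: the `except yaml.YAMLError` branch in `check_workflow_file` prints a warning and returns `[]`, after which `main` sees no violations and exits 0, so a malformed (or deliberately unusual) workflow is exactly where an unpinned checkout would slip past the linter. Fail closed there instead, e.g. `print(f"Error: Failed to parse {filepath}: {e}", file=sys.stderr)` followed by `sys.exit(1)`. Two smaller gaps worth a docstring sentence: `"actions/checkout" in uses` is substring matching (and a step with an empty `uses:` value would make `in` raise on `None`), and only `jobs.*.steps` is walked, so checkout steps inside composite actions under `.github/actions/` — the workflows in this commit call `./.github/actions/set-cluster-name` — are not covered; state that scope explicitly, e.g. `Only workflow files are scanned; composite actions under .github/actions are not checked.`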
@@ -0,0 +1,67 @@ +name: Approval Gate +permissions: + contents: read + +on: + workflow_call: + inputs: + environment-name: + description: 'Environment name for approval' + required: false + type: string + default: 'external-contributor-approval' + outputs: + commit-sha: + description: 'The commit SHA (PR head for PRs, pushed commit for push events)' + value: ${{ jobs.get-commit-info.outputs.commit-sha }} + commit-message: + description: 'The commit message' + value: ${{ jobs.get-commit-info.outputs.commit-message }} + +jobs: + # Get commit info from the PR head (not the base branch). + # This is necessary because with 'pull_request_target', GITHUB_SHA and the default + # checkout point to the BASE branch, not the PR's code. We explicitly use + # 'github.event.pull_request.head.sha' to get the actual PR commit info. + # For 'push' events, we fall back to 'github.sha' (the pushed commit). + get-commit-info: + runs-on: ubuntu-latest + outputs: + commit-sha: ${{ steps.get-sha.outputs.commit_sha }} + commit-message: ${{ steps.get-message.outputs.commit_message }} + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + - name: Get commit SHA + id: get-sha + run: | + COMMIT_SHA="${{ github.event.pull_request.head.sha || github.sha }}" + echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT + echo "Commit SHA: ${COMMIT_SHA}" + - name: Get commit message + id: get-message + run: | + COMMIT_MSG=$(git log -1 --pretty=%B) + echo "commit_message<> $GITHUB_OUTPUT + echo "$COMMIT_MSG" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + echo "Commit message:" + echo "$COMMIT_MSG" + approval-gate: + needs: get-commit-info + runs-on: ubuntu-latest + environment: ${{ + (github.event_name == 'pull_request_target' && + !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association)) + && inputs.environment-name + || '' + }} + steps: + - name: Approval status + run: | 
+ echo "Event: ${{ github.event_name }}" + echo "Author association: ${{ github.event.pull_request.author_association }}" + echo "Approval granted or not required" + diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml index de972ba59..aa1d0736e 100644 --- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml +++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml @@ -5,16 +5,20 @@ permissions: id-token: write pull-requests: write on: - workflow_dispatch: + workflow_dispatch: inputs: splunk_image_repository_tag: description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: check-formating: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +34,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -67,7 +73,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -148,7 +156,9 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name 
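Review bot: The `commit-message` output is fully attacker-controlled for fork PRs, and it is produced under `pull_request_target` with secrets in scope, so any caller that writes `${{ needs.approval-gate.outputs.commit-message }}` inside a `run:` block gets shell injection; the output's `description` should warn about this, e.g. `Untrusted for fork PRs — pass through env:, never interpolate into run:`. In `get-commit-info` the untrusted head is checked out before any approval has happened; nothing from that tree executes (only `git log -1` runs), but the job needs nothing beyond history, so add `persist-credentials: false` to that checkout so the token is not written into the `.git/config` of an attacker-authored tree. The approval bypass set includes `COLLABORATOR`, which can cover outside collaborators granted only read access, and the gate is only as strong as the required-reviewers setting on the `external-contributor-approval` environment — neither is visible in this diff, so both should be confirmed in repository settings. The `|| ''` fallback on `environment:` is presumably relied on to mean "no environment"; a one-line comment saying so would save the next reader from guessing.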
diff --git a/.github/workflows/arm-AL2023-int-test-workflow.yml b/.github/workflows/arm-AL2023-int-test-workflow.yml index b0bd87391..7aaeda2e4 100644 --- a/.github/workflows/arm-AL2023-int-test-workflow.yml +++ b/.github/workflows/arm-AL2023-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-al2023: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-build-test-push-workflow.yml b/.github/workflows/arm-RHEL-build-test-push-workflow.yml index 947681124..437b1ca7f 100644 --- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml +++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
@@ -102,7 +106,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-int-test-workflow.yml b/.github/workflows/arm-RHEL-int-test-workflow.yml index 4ba671c50..8c399aeea 100644 --- a/.github/workflows/arm-RHEL-int-test-workflow.yml +++ b/.github/workflows/arm-RHEL-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml index cecd1539f..2c5a20e2f 100644 --- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml +++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml 
@@ -10,11 +10,15 @@ on: splunk_image_repository_tag: description: 'Splunk Ubuntu-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: check-formating: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +34,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -67,7 +73,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -148,7 +156,9 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-Ubuntu-int-test-workflow.yml b/.github/workflows/arm-Ubuntu-int-test-workflow.yml index f4a1ce18c..f30372677 100644 --- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml +++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk Ubuntu-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-ubuntu: runs-on: ubuntu-latest 
@@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml index 348dea7ed..67fe249b4 100644 --- a/.github/workflows/automated-release-workflow.yml +++ b/.github/workflows/automated-release-workflow.yml @@ -16,6 +16,8 @@ on: enterprise_version: description: 'Enterprise Image Version. Should match with Tag on Splunk Enterprise Docker Repo' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: automated-release: name: Automated Release Workflow @@ -31,8 +33,9 @@ jobs: uses: sigstore/cosign-installer@main - name: Checkout code - uses: actions/checkout@v2 - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow 
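Review bot: `sigstore/cosign-installer@main` (a context line in this hunk) is a moving branch, and this job goes on to sign release images with `COSIGN_PRIVATE_KEY`, so a compromise of that branch would execute inside the job that holds the signing key. The commit pins `falti/dotenv-action` to a full SHA while leaving this reference and `actions/checkout@v6` on floating refs; pin both to the commit SHA of a tagged release, e.g. `uses: sigstore/cosign-installer@<release-sha> # vX.Y.Z`. The same `@main` reference appears in the other build and nightly workflows touched by this commit, so the fix applies repo-wide.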
@@ -108,14 +111,14 @@ jobs: run: | regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC splunk/splunk-operator:latest - + - name: Sign Splunk Operator image with a key run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - + - name: Verify Splunk Operator image with a key run: | cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} @@ -125,14 +128,14 @@ jobs: - name: Promote Distroless RC Image to Release run: | regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC-distroless splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless - + - name: Sign Distroless Splunk Operator image with a key run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - + - name: Verify Distroless Splunk Operator image with a key run: | cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless diff --git a/.github/workflows/bias-language-workflow.yml b/.github/workflows/bias-language-workflow.yml index 2ea42b520..a72950c2c 100644 --- a/.github/workflows/bias-language-workflow.yml +++ b/.github/workflows/bias-language-workflow.yml 
@@ -4,12 +4,16 @@ permissions: packages: write pull-requests: write on: [push] +env: + CHECKOUT_REF: ${{ github.ref }} jobs: biased_lang: runs-on: ubuntu-latest name: Detecting Biased Language steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - id: biased-lang-linter uses: splunk/biased-lang-linter@main continue-on-error: false diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index f392cd98a..717d34b28 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -5,16 +5,38 @@ permissions: id-token: write pull-requests: write on: - pull_request: {} + # See .github/README.md for PR testing strategy documentation + pull_request_target: + branches: + - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' + pull_request: + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge + # branches-ignore: + # - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' push: branches: - - main - - develop + - main + - develop + paths-ignore: + - 'docs/**' + - '*.md' jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest + needs: approval-gate steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -28,9 +50,13 @@ jobs: run: make vet && if [[ $? -ne 0 ]]; then false; fi unit-tests: runs-on: ubuntu-latest - needs: check-formating + needs: + - check-formating + - approval-gate steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
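Review bot: The `pull_request` trigger's `branches-ignore: develop` is left commented out (the `# TODO: Uncomment after merge` lines), so a PR into `develop` now fires both `pull_request_target` and `pull_request`; the `pull_request` run from a fork has no secrets and its approval-gate job never asks for approval (the environment condition only matches `pull_request_target`), so it will fail at the first secret-using job and show a red check beside the gated run. The `'*.md'` entry in each `paths-ignore` matches only markdown at the repository root; `'**/*.md'` is presumably what was intended. Because the workflow-level `id-token: write` and `pull-requests: write` apply to every job, approving a fork PR grants the approved SHA OIDC cloud access even in `check-formating`, which only needs to read the tree; give that job its own `permissions:` / `  contents: read` block so only the image and test jobs keep `id-token: write`.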
@@ -58,7 +84,9 @@ jobs: path: coverage.out build-operator-image: runs-on: ubuntu-latest - needs: unit-tests + needs: + - unit-tests + - approval-gate env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -68,7 +96,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -115,7 +145,9 @@ jobs: id-token: write security-events: write runs-on: ubuntu-latest - needs: build-operator-image + needs: + - build-operator-image + - approval-gate env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -125,7 +157,9 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -163,7 +197,9 @@ jobs: with: sarif_file: 'trivy-results.sarif' smoke-tests: - needs: vulnerability-scan + needs: + - vulnerability-scan + - approval-gate strategy: fail-fast: false matrix: @@ -199,7 +235,9 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/bundle-push-post-release.yml b/.github/workflows/bundle-push-post-release.yml index 7b10c5061..435fe3a7b 100644 --- a/.github/workflows/bundle-push-post-release.yml +++ b/.github/workflows/bundle-push-post-release.yml 
@@ -12,6 +12,8 @@ on: operator_image_tag: description: 'Tag for Splunk Operator Image' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: bundle-push: name: Bundle Push Post Release @@ -19,8 +21,9 @@ jobs: if: github.ref == 'refs/heads/main' steps: - name: Checkout code - uses: actions/checkout@v2 - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index ef652f5b9..db81842f6 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -5,16 +5,38 @@ permissions: id-token: write pull-requests: write on: - pull_request: {} + # See .github/README.md for PR testing strategy documentation + pull_request_target: + branches: + - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' + pull_request: + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge + # branches-ignore: + # - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' push: branches: - - main - - develop + - main + - develop + paths-ignore: + - 'docs/**' + - '*.md' jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest + needs: approval-gate steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +52,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
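Review bot: The new checkout in `unit-tests` reads `needs.approval-gate.outputs.commit-sha`, but the job's `needs: check-formating` line is unchanged, so `approval-gate` is not in this job's `needs` context; the expression either fails workflow validation or evaluates to an empty string, in which case `actions/checkout` falls back to its default ref — under `pull_request_target` that is the base branch, so unit tests would silently run against `develop` instead of the PR. Approval is still enforced transitively through `check-formating`, so this is a wrong-code problem rather than an unapproved-code one. Mirror build-test-push-workflow.yml: `needs:` / `  - check-formating` / `  - approval-gate`. The later hunks in this file that use the same output should be checked for the same omission; their `needs` lines are outside this hunk.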
@@ -67,7 +91,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -125,7 +151,9 @@ jobs: # steps: # - name: Set up cosign # uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v2 +# - uses: actions/checkout@v6 +# with: +# ref: ${{ needs.approval-gate.outputs.commit-sha }} # - name: Dotenv Action # id: dotenv # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -199,7 +227,9 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/distroless-int-test-workflow.yml b/.github/workflows/distroless-int-test-workflow.yml index 0dea5b263..b038ee70b 100644 --- a/.github/workflows/distroless-int-test-workflow.yml +++ b/.github/workflows/distroless-int-test-workflow.yml @@ -9,6 +9,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-distroless: runs-on: ubuntu-latest @@ -18,7 +20,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -100,7 +104,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name 
diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml index e0ed442a4..7d6439b17 100644 --- a/.github/workflows/helm-test-workflow.yml +++ b/.github/workflows/helm-test-workflow.yml @@ -11,6 +11,8 @@ on: - main - feature** workflow_dispatch: +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -20,7 +22,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -84,7 +88,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/int-test-azure-workflow.yml b/.github/workflows/int-test-azure-workflow.yml index b58a04959..2a3a77d26 100644 --- a/.github/workflows/int-test-azure-workflow.yml +++ b/.github/workflows/int-test-azure-workflow.yml @@ -8,6 +8,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -16,7 +18,9 @@ jobs: SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator CONTAINER_REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -63,7 +67,9 @@ jobs: AZURE_REGION: ${{ secrets.AZURE_REGION }} steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
@@ -138,7 +144,9 @@ jobs: run: | echo "TEST_CLUSTER_NAME=az${{ github.run_id }}" >> $GITHUB_ENV - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml index bae27e97e..c87648d68 100644 --- a/.github/workflows/int-test-gcp-workflow.yml +++ b/.github/workflows/int-test-gcp-workflow.yml @@ -9,6 +9,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -18,8 +20,9 @@ jobs: ARTIFACT_REGISTRY: ${{ secrets.GCP_ARTIFACT_REGISTRY }} # Updated for Artifact Registry steps: - name: Checkout Code - uses: actions/checkout@v2 - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Load Environment Variables id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -66,7 +69,7 @@ jobs: create-cluster-and-run-tests: strategy: matrix: - test_focus: + test_focus: - { order: 1, name: "c3_gcp_sanity" } - { order: 2, name: "c3_mgr_gcp_sanity" } - { order: 3, name: "m4_gcp_sanity" } @@ -116,8 +119,9 @@ jobs: echo "CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV echo "TEST_CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV - name: Checkout Code - uses: actions/checkout@v2 - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Load Environment Variables id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -128,7 +132,7 @@ jobs: uses: google-github-actions/auth@v1 with: credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} - + - name: Set up Cloud SDK uses: google-github-actions/setup-gcloud@v1 with: 
@@ -187,7 +191,7 @@ jobs: uses: actions/setup-go@v2 with: go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - + - name: Install Go Lint run: | go version @@ -207,7 +211,7 @@ jobs: username: _json_key password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }} - - name: Pull Splunk Enterprise Image + - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Pull Splunk Operator Image Locally @@ -230,7 +234,7 @@ jobs: with: cluster_name: ${{ env.CLUSTER_NAME }} location: ${{ env.GCP_ZONE }} - + - name: Install Metrics Server run: | curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml @@ -248,7 +252,7 @@ jobs: - name: Verify kubectl Configuration run: | kubectl config current-context - + - name: Apply StorageClass run: | kubectl apply -f test/gcp-storageclass.yaml diff --git a/.github/workflows/int-test-workflow.yml b/.github/workflows/int-test-workflow.yml index fabc2b4fa..540c12e29 100644 --- a/.github/workflows/int-test-workflow.yml +++ b/.github/workflows/int-test-workflow.yml @@ -10,6 +10,8 @@ on: - develop - main - feature** +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -96,7 +100,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/kubectl-splunk-workflow.yml b/.github/workflows/kubectl-splunk-workflow.yml index 70bc6fecf..29b5143be 100644 
--- a/.github/workflows/kubectl-splunk-workflow.yml +++ b/.github/workflows/kubectl-splunk-workflow.yml @@ -1,6 +1,6 @@ # .github/workflows/ci.yml -name: Kubectl Splunk CI +name: Kubectl Splunk CI permissions: contents: read @@ -9,19 +9,23 @@ permissions: on: push: - branches: - - feature/CSPL-3152 + branches: + - feature/CSPL-3152 pull_request: - branches: - - feature/CSPL-3152 + branches: + - feature/CSPL-3152 + +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-and-test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set up Python uses: actions/setup-python@v2 with: diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml new file mode 100644 index 000000000..aa1451189 --- /dev/null +++ b/.github/workflows/lint-workflows.yml @@ -0,0 +1,32 @@ +name: Lint Workflows +permissions: + contents: read +on: + push: + paths: + - '.github/workflows/**' + - '.github/scripts/**' + pull_request: + paths: + - '.github/workflows/**' + - '.github/scripts/**' + +jobs: + check-checkout-ref: + name: Check actions/checkout has ref specified + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.14' + + - name: Install dependencies + run: pip install pyyaml + + - name: Check all actions/checkout have ref specified + run: python .github/scripts/check-checkout-ref.py diff --git a/.github/workflows/manual-int-test-workflow.yml b/.github/workflows/manual-int-test-workflow.yml index dc6981e46..794a0fbff 100644 --- a/.github/workflows/manual-int-test-workflow.yml +++ b/.github/workflows/manual-int-test-workflow.yml 
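Review bot: The lint job checks out `github.event.pull_request.head.sha` and then runs `.github/scripts/check-checkout-ref.py` from that same tree, so a PR can modify or neuter the check it is meant to pass; with `contents: read` and no secrets this is not an exposure, but it makes the guardrail advisory rather than enforced. Run the script from the base ref, checked out to a second path, while still scanning the PR's workflows in the workspace root; the trigger's `paths:` filter already includes `.github/scripts/**`, so changes to the script itself still get linted. Also `pip install pyyaml` is unpinned — pin it (`pip install pyyaml==<x.y.z>`) as this commit does for action SHAs.
```yaml
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      # Trusted copy of the linter: taken from the base ref, not the PR head
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.base.sha || github.sha }}
          path: .trusted
          persist-credentials: false

      # … unchanged: Set up Python, Install dependencies …

      - name: Check all actions/checkout have ref specified
        run: python .trusted/.github/scripts/check-checkout-ref.py
```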
@@ -11,6 +11,8 @@ on: description: 'Run Operator in Cluster Wide Mode. Type false to run cluster in namespace mode' required: false default: "true" +env: + CHECKOUT_REF: ${{ github.ref }} jobs: int-tests: strategy: @@ -57,7 +59,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name @@ -179,7 +183,9 @@ jobs: SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator TAG: int steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 diff --git a/.github/workflows/merge-develop-to-main-workflow.yml b/.github/workflows/merge-develop-to-main-workflow.yml index cab11eb85..f58ccc550 100644 --- a/.github/workflows/merge-develop-to-main-workflow.yml +++ b/.github/workflows/merge-develop-to-main-workflow.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest if: github.ref == 'refs/heads/develop' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 with: ref: main - name: Reset main branch @@ -52,7 +52,7 @@ jobs: SPLUNK_OPERATOR_RC_IMAGE_NAME: splunk/splunk-operator-rc steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: ref: "promote-develop-to-main-${{ github.event.inputs.release_version }}" diff --git a/.github/workflows/namespace-scope-int-workflow.yml b/.github/workflows/namespace-scope-int-workflow.yml index 03cbc2b4f..2ace40df8 100644 --- a/.github/workflows/namespace-scope-int-workflow.yml +++ b/.github/workflows/namespace-scope-int-workflow.yml @@ -52,7 +52,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: ref: develop - name: Set Test Cluster Name 
diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml index 769bac74a..20abdb7f2 100644 --- a/.github/workflows/nightly-int-test-workflow.yml +++ b/.github/workflows/nightly-int-test-workflow.yml @@ -16,7 +16,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 with: ref: develop - name: Dotenv Action @@ -93,7 +93,7 @@ jobs: echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 with: ref: develop - name: Set Test Cluster Name @@ -217,7 +217,7 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 with: ref: develop - name: Dotenv Action @@ -253,9 +253,8 @@ jobs: env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify Signed Splunk Operator image + - name: Verify Signed Splunk Operator image run: | cosign verify --key env://COSIGN_PUBLIC_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }} env: COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} - \ No newline at end of file diff --git a/.github/workflows/pre-release-workflow.yml b/.github/workflows/pre-release-workflow.yml index b5b48bacc..70e59cfeb 100644 --- a/.github/workflows/pre-release-workflow.yml +++ b/.github/workflows/pre-release-workflow.yml @@ -27,6 +27,8 @@ on: new_enterprise_version: description: 'NEW ENTERPRISE IMAGE VERSION' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: automated-release: name: Automated Pre Release @@ -41,8 +43,9 @@ jobs: ', github.ref) steps: - name: Checkout code - uses: actions/checkout@v2 - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow 
diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 54942b0b2..8e689c292 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -4,13 +4,33 @@ permissions: packages: write pull-requests: write on: - pull_request: {} + # See .github/README.md for PR testing strategy documentation + pull_request_target: + branches: + - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' + pull_request: + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge + # branches-ignore: + # - 'develop' + paths-ignore: + - 'docs/**' + - '*.md' push: branches: - - main - - develop + - main + - develop + paths-ignore: + - 'docs/**' + - '*.md' jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml semgrep: + needs: approval-gate name: Semgrep Scanner runs-on: ubuntu-24.04 env: @@ -18,9 +38,12 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - run: semgrep ci FOSSA-scanner: + needs: approval-gate runs-on: ubuntu-latest env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} @@ -28,11 +51,13 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Run FOSSA Test + - name: Run FOSSA Test uses: fossas/fossa-action@main with: api-key: ${{secrets.FOSSA_API_TOKEN}} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 31e78b221..cd7a9ae94 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
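Review bot: The workflow-level `permissions` visible as context at the top of the first prodsec-workflow.yml hunk grant `packages: write` and `pull-requests: write`, and after this change the `semgrep` and `FOSSA-scanner` jobs also run under `pull_request_target` with secrets while checking out fork-PR code via `needs.approval-gate.outputs.commit-sha`. The approval gate controls when that checkout happens, not what the job's `GITHUB_TOKEN` can do; narrowing both jobs to job-level `permissions: contents: read` (adding `pull-requests: write` only if `semgrep ci` is expected to post review comments) limits what a malicious PR or a compromised scanner step could do with the token. With `branches-ignore` commented out, a PR into `develop` now triggers both `pull_request_target` and `pull_request`; whether `approval-gate.yml` yields a usable `commit-sha` on the secret-less `pull_request` run, and whether `FOSSA-scanner` then fails for fork PRs without `FOSSA_API_TOKEN`, is not visible here. The `# TODO: Uncomment after merge` should be tracked as a follow-up issue rather than left only in the file, since the duplicated run is easy to forget.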
@@ -7,15 +7,17 @@ on: push: branches: - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: release: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v6 with: + ref: ${{ env.CHECKOUT_REF }} fetch-depth: 0 - - name: Configure Git run: | git config user.name "$GITHUB_ACTOR"