From 65349ba95919c678ce6b28d2a1b4256bc93cd13e Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 16:00:18 +0100 Subject: [PATCH 01/23] CSPL-4372: Add approval gate workflow and integrate into existing GitHub Actions - Created a new approval gate workflow to manage pull request approvals based on author association. - Updated existing workflows to use the approval gate, ensuring that checks are performed before proceeding with build and test jobs. - Changed event trigger from `pull_request` to `pull_request_target` for better security and context handling. --- .github/workflows/approval-gate.yml | 27 +++++++++++++++++++ .../workflows/build-test-push-workflow.yml | 5 +++- .../distroless-build-test-push-workflow.yml | 5 +++- .github/workflows/prodsec-workflow.yml | 7 +++-- 4 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/approval-gate.yml diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml new file mode 100644 index 000000000..685a131f4 --- /dev/null +++ b/.github/workflows/approval-gate.yml @@ -0,0 +1,27 @@ +name: Approval Gate + +on: + workflow_call: + inputs: + environment-name: + description: 'Environment name for approval' + required: false + type: string + default: 'external-contributor-approval' + +jobs: + approval-gate: + runs-on: ubuntu-latest + environment: ${{ + (github.event_name == 'pull_request_target' && + !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association)) + && inputs.environment-name + || '' + }} + steps: + - name: Approval status + run: | + echo "Event: ${{ github.event_name }}" + echo "Author association: ${{ github.event.pull_request.author_association }}" + echo "Approval granted or not required" + diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index f392cd98a..627ca6750 100644 --- a/.github/workflows/build-test-push-workflow.yml 
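Review bot: The gate expressed in `environment:` only holds a run if the environment named by `inputs.environment-name` (default `external-contributor-approval`) has required reviewers configured in repository settings; the workflow does not and cannot verify that, so an absent or unprotected environment lets the job proceed with no approval at all. A header comment above `name:` should record this dependency, e.g. `# This gate is only effective if the environment named by inputs.environment-name has required reviewers configured in repository settings.` The `|| ''` branch appears intended to mean "no environment" for MEMBER/OWNER authors and for push events; whether an empty environment name is accepted without error should be confirmed on a push-triggered run, since otherwise every push would also wait for approval. Note too that `COLLABORATOR` is not in the allow-list, so outside collaborators with write access are gated — worth a comment stating that this is intentional if it is.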
+++ b/.github/workflows/build-test-push-workflow.yml @@ -5,14 +5,17 @@ permissions: id-token: write pull-requests: write on: - pull_request: {} + pull_request_target: {} push: branches: - main - develop jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest + needs: approval-gate steps: - uses: actions/checkout@v2 - name: Dotenv Action diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index ef652f5b9..b8d6b87a5 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -5,14 +5,17 @@ permissions: id-token: write pull-requests: write on: - pull_request: {} + pull_request_target: {} push: branches: - main - develop jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest + needs: approval-gate steps: - uses: actions/checkout@v2 - name: Dotenv Action diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 54942b0b2..90d23d281 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -4,13 +4,16 @@ permissions: packages: write pull-requests: write on: - pull_request: {} + pull_request_target: {} push: branches: - main - develop jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml semgrep: + needs: approval-gate name: Semgrep Scanner runs-on: ubuntu-24.04 env: @@ -32,7 +35,7 @@ jobs: - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Run FOSSA Test + - name: Run FOSSA Test uses: fossas/fossa-action@main with: api-key: ${{secrets.FOSSA_API_TOKEN}} \ No newline at end of file From c9ac960d8b01e753cb93bab87329e699964b99b5 Mon Sep 17 00:00:00 2001 
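Review bot: With the trigger changed to `pull_request_target`, every job in this file now runs in the base-repository context with the workflow-level `permissions` visible in the context lines (`id-token: write`, `pull-requests: write`) and with repository secrets available, so the `needs: approval-gate` added to `check-formating` becomes the only barrier between a fork's code and those credentials. Any job that later checks out or executes pull-request code must sit downstream of `approval-gate`; only `check-formating` is wired here, and whether the build, test and `FOSSA-scanner` jobs all reach it transitively cannot be seen in this hunk. The same applies to the distroless and prodsec hunks of this patch. Consider reducing the workflow-level block to `permissions: contents: read` and granting `id-token`, `pull-requests` and `packages` write per job, so that a job added later without a `needs:` edge cannot inherit write tokens by default.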
From: Jakub Buczak Date: Fri, 19 Dec 2025 16:27:10 +0100 Subject: [PATCH 02/23] CSPL-4372: Update GitHub Actions to use checkout@v6 with merge commit SHA reference - Updated all workflows to replace actions/checkout@v2 and actions/checkout@v3 with actions/checkout@v6. - Added support for referencing the merge commit SHA or the current SHA for better consistency in builds. --- .../workflows/build-test-push-workflow.yml | 20 ++++++++++++++----- .../distroless-build-test-push-workflow.yml | 20 ++++++++++++++----- .github/workflows/prodsec-workflow.yml | 8 ++++++-- 3 files changed, 36 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 627ca6750..78357da40 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -17,7 +17,9 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -33,7 +35,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -71,7 +75,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
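Review bot: The `ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }}` added to the checkout falls back to the base-branch commit whenever `merge_commit_sha` is empty, which GitHub reports while the mergeability check is still pending or when the pull request has conflicts; in that case the job silently builds and tests the base branch instead of the PR and reports green. Prefer a ref that cannot degrade this way, for example `ref: refs/pull/${{ github.event.pull_request.number }}/merge`, or `github.event.pull_request.head.sha` with an explicit failing step when it is empty, keeping `github.sha` only for `push` events. The same expression is repeated in the remaining hunks of this patch across the build-test-push, distroless and prodsec workflows. On `pull_request_target` this checkout pulls fork code into a job that holds secrets, so it must remain behind the approval gate; a one-line comment above the step, `# PR code is untrusted; this job must depend (transitively) on approval-gate`, would make that invariant visible to future edits.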
@@ -128,7 +134,9 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -202,7 +210,9 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index b8d6b87a5..17483efd4 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -17,7 +17,9 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -33,7 +35,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -70,7 +74,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
@@ -128,7 +134,9 @@ jobs: # steps: # - name: Set up cosign # uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v2 +# - uses: actions/checkout@v6 +# with: +# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} # - name: Dotenv Action # id: dotenv # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -202,7 +210,9 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 90d23d281..23df618a2 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -21,7 +21,9 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - run: semgrep ci FOSSA-scanner: runs-on: ubuntu-latest @@ -31,7 +33,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 From e97904a839dc57e0e5f03957ebd4a55cf0efb3fa Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 16:29:17 +0100 Subject: [PATCH 03/23] Potential fix for code scanning alert no. 183: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/approval-gate.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 685a131f4..01e8ebd5c 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -11,6 +11,8 @@ on: jobs: approval-gate: + permissions: + contents: read runs-on: ubuntu-latest environment: ${{ (github.event_name == 'pull_request_target' && From 10ae2ca7dbb94848111db0edf0ac5e274ddb6b36 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 16:55:27 +0100 Subject: [PATCH 04/23] Update GitHub Actions workflows to use actions/checkout@v4 for consistency and compatibility --- .github/workflows/build-test-push-workflow.yml | 10 +++++----- .../workflows/distroless-build-test-push-workflow.yml | 10 +++++----- .github/workflows/prodsec-workflow.yml | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 78357da40..bbd045ebc 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -75,7 +75,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action 
@@ -134,7 +134,7 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -210,7 +210,7 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Set Test Cluster Name diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 17483efd4..c394b2e00 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -35,7 +35,7 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -74,7 +74,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action @@ -134,7 +134,7 @@ jobs: # steps: # - name: Set up cosign # uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v6 +# - uses: actions/checkout@v4 # with: # ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} # - name: Dotenv Action @@ -210,7 +210,7 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Set Test Cluster Name 
diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 23df618a2..5be197afa 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -21,7 +21,7 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - run: semgrep ci @@ -33,7 +33,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - name: Dotenv Action From 60c7d46e6cb37fc1af133ca4b8dab1b40c10e50f Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 17:18:34 +0100 Subject: [PATCH 05/23] Update GitHub Actions workflows to specify branches for pull_request_target event - Added branch filters for the pull_request_target event in both build-test-push and prodsec workflows to include 'develop' and 'CSPL-4372-add-approval-gate-exec-in-target'. This enhances security and ensures workflows are triggered only for specified branches. --- .github/workflows/build-test-push-workflow.yml | 5 ++++- .github/workflows/prodsec-workflow.yml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index bbd045ebc..3c38ddf1f 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -5,7 +5,10 @@ permissions: id-token: write pull-requests: write on: - pull_request_target: {} + pull_request_target: + branches: + - 'develop' + - 'CSPL-4372-add-approval-gate-exec-in-target' push: branches: - main diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 5be197afa..0938ca084 100644 
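Review bot: The `branches:` filter added under `pull_request_target` lists `develop` and the feature branch `CSPL-4372-add-approval-gate-exec-in-target` but not `main`, while the `push` trigger just below still covers `main`; as written, pull requests targeting `main` no longer trigger this workflow at all. The feature-branch entry reads as a testing aid (under `pull_request_target` the base branch's copy of the workflow runs, so the new file had to exist on a base branch to be exercised) and should be removed before merge. The prodsec-workflow.yml hunk in this patch and the distroless hunk in PATCH 06 carry the same list. Suggested: `- main` and `- develop` only, preceded by `# pull_request_target runs the base branch's workflow definition; keep this list to protected bases`.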
--- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -4,7 +4,10 @@ permissions: packages: write pull-requests: write on: - pull_request_target: {} + pull_request_target: + branches: + - 'develop' + - 'CSPL-4372-add-approval-gate-exec-in-target' push: branches: - main From e8c5c12268f81d09d8d1722875621cee0a6a5480 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 17:49:49 +0100 Subject: [PATCH 06/23] Update distroless build-test-push workflow to include branch filters and modify approval gate logic - Added branch filters for the `pull_request_target` event to specify 'develop' and 'CSPL-4372-add-approval-gate-exec-in-target'. - Updated the approval gate logic to conditionally set the environment based on the author association of the pull request, enhancing security for external contributors. --- .../distroless-build-test-push-workflow.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index c394b2e00..48a311a60 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -5,17 +5,23 @@ permissions: id-token: write pull-requests: write on: - pull_request_target: {} + pull_request_target: + branches: + - 'develop' + - 'CSPL-4372-add-approval-gate-exec-in-target' push: branches: - main - develop jobs: - approval-gate: - uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest - needs: approval-gate + environment: ${{ + (github.event_name == 'pull_request_target' && + !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association)) + && 'external-contributor-approval' + || '' + }} steps: - uses: actions/checkout@v4 with: From ea7ff8eaad0a9afec84ea832e51a7a44de5fd6ea Mon Sep 17 00:00:00 2001 
From: Jakub Buczak Date: Fri, 19 Dec 2025 17:52:02 +0100 Subject: [PATCH 07/23] Refactor distroless build-test-push workflow to trigger on pull_request event - Changed the event trigger from `pull_request_target` to `pull_request`, removing specific branch filters for enhanced flexibility in workflow execution. --- .github/workflows/distroless-build-test-push-workflow.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 48a311a60..17209d987 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -5,10 +5,7 @@ permissions: id-token: write pull-requests: write on: - pull_request_target: - branches: - - 'develop' - - 'CSPL-4372-add-approval-gate-exec-in-target' + pull_request: {} push: branches: - main From 09fd53b2d4ebb1d2cb8692c451085aab4c17374e Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 17:54:28 +0100 Subject: [PATCH 08/23] Integrate approval gate into distroless build-test-push workflow - Added an approval gate job to the workflow to manage pull request approvals. - Updated the check-formating job to depend on the approval gate, ensuring that checks are performed before proceeding with formatting steps. --- .../workflows/distroless-build-test-push-workflow.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 17209d987..e5fccf458 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml 
@@ -11,14 +11,11 @@ on: - main - develop jobs: + approval-gate: + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest - environment: ${{ - (github.event_name == 'pull_request_target' && - !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association)) - && 'external-contributor-approval' - || '' - }} + needs: approval-gate steps: - uses: actions/checkout@v4 with: From 0e5846c098e7be44cea8d2b3d5e9ea20ffa687ce Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 17:57:15 +0100 Subject: [PATCH 09/23] Add debug output for pull request details in approval gate workflow - Enhanced the approval status job in the approval gate workflow by adding a debug statement to echo the pull request details, aiding in troubleshooting and visibility during workflow execution. --- .github/workflows/approval-gate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 01e8ebd5c..7bf529a75 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -24,6 +24,7 @@ jobs: - name: Approval status run: | echo "Event: ${{ github.event_name }}" + echo "Pull request: ${{ github.event.pull_request }}" echo "Author association: ${{ github.event.pull_request.author_association }}" echo "Approval granted or not required" From be2ac5470c9e13f012e1a583c1abab9faeebe334 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Fri, 19 Dec 2025 18:00:31 +0100 Subject: [PATCH 10/23] Enhance approval gate workflow with detailed pull request JSON output - Updated the approval status job in the approval gate workflow to output the pull request details in JSON format, improving visibility and debugging capabilities during workflow execution. --- .github/workflows/approval-gate.yml | 2 +- .../distroless-build-test-push-workflow.yml | 620 +++++++++--------- 2 files changed, 311 insertions(+), 311 deletions(-) 
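Review bot: The `needs: approval-gate` restored here sits in a workflow whose trigger PATCH 07 reverted to `pull_request: {}`, and the gate's `environment:` expression only names an environment when `github.event_name == 'pull_request_target'`; on `pull_request` events the gate therefore always passes, so the dependency adds latency but no protection. That is safe in itself, because `pull_request` runs from forks receive neither secrets nor a write-capable token, but it leaves the distroless workflow inconsistent with the other two and the `needs:` line misleading. Either move this workflow to `pull_request_target` behind the same gate, or drop the dependency and add a comment such as `# Runs on pull_request (fork runs get no secrets); the approval gate used by the other workflows is not needed here`.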
diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 7bf529a75..457c70996 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -24,7 +24,7 @@ jobs: - name: Approval status run: | echo "Event: ${{ github.event_name }}" - echo "Pull request: ${{ github.event.pull_request }}" + echo "Pull request: ${{ toJson(github.event.pull_request) }}" echo "Author association: ${{ github.event.pull_request.author_association }}" echo "Approval granted or not required" diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index e5fccf458..d41cd1042 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml 
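Review bot: `echo "Pull request: ${{ toJson(github.event.pull_request) }}"` expands the whole pull-request payload, including the author-controlled title, body and branch name, into the shell script before bash parses it, and `$(...)` or backticks inside those strings stay live within double quotes; this is the expression-injection pattern GitHub's hardening guidance warns against, and this workflow runs on `pull_request_target` in the base-repository context. The job's `contents: read` permission limits the token but not what the script can do on the runner, and for MEMBER/OWNER authors the step runs with no approval at all. Pass the value through the environment instead: add `env:` with `PR_JSON: ${{ toJson(github.event.pull_request) }}` to the step and write `echo "Pull request: $PR_JSON"` in `run:`. The `author_association` echo is fine as is, since that value is a fixed enum.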
@@ -31,314 +31,314 @@ jobs: run: make fmt && if [[ $? -ne 0 ]]; then false; fi - name: Lint source code run: make vet && if [[ $? -ne 0 ]]; then false; fi - unit-tests: - runs-on: ubuntu-latest - needs: check-formating - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install goveralls - run: | - go version - go install github.com/mattn/goveralls@latest - - name: Install Ginkgo - run: | - make setup/ginkgo - go mod tidy - - name: Run Unit Tests - run: make test - - name: Run Code Coverage - run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} - - name: Upload Coverage artifacts - uses: actions/upload-artifact@v4.4.0 - with: - name: coverage.out - path: coverage.out - build-operator-image: - runs-on: ubuntu-latest - needs: unit-tests - env: - SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - steps: - - name: Set up cosign - uses: sigstore/cosign-installer@main +# unit-tests: +# runs-on: ubuntu-latest +# needs: check-formating +# steps: +# - uses: actions/checkout@v4 +# with: +# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# - name: Dotenv Action +# id: dotenv +# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 +# - name: Setup Go +# uses: actions/setup-go@v2 +# with: +# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} +# - name: Install goveralls +# run: | +# go version +# go install github.com/mattn/goveralls@latest +# - name: Install Ginkgo +# run: | +# make setup/ginkgo +# go mod tidy +# - name: Run Unit Tests +# run: make 
test +# - name: Run Code Coverage +# run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} +# - name: Upload Coverage artifacts +# uses: actions/upload-artifact@v4.4.0 +# with: +# name: coverage.out +# path: coverage.out +# build-operator-image: +# runs-on: ubuntu-latest +# needs: unit-tests +# env: +# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} +# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator +# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} +# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} +# steps: +# - name: Set up cosign +# uses: sigstore/cosign-installer@main - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install Ginkgo - run: | - make setup/ginkgo - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.5.0 - - name: Install Operator SDK - run: | - export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) - export OS=$(uname | awk '{print tolower($0)}') - export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} - sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} - sudo chmod +x operator-sdk_${OS}_${ARCH} - sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-${{ github.run_id }} - aws-region: ${{ vars.AWS_REGION }} - role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - 
name: Build and push Splunk Operator Image - run: | - export BASE_IMAGE=gcr.io/distroless/static-debian12 - export BASE_IMAGE_VERSION=latest - make docker-buildx BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless - - name: Sign Splunk Operator image with a key - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}-distroless - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} -# vulnerability-scan: -# permissions: -# actions: read -# contents: read -# security-events: write -# runs-on: ubuntu-latest -# needs: build-operator-image -# env: -# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} -# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator -# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} -# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} -# IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless -# steps: -# - name: Set up cosign -# uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v4 -# with: -# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} -# - name: Dotenv Action -# id: dotenv -# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v2.5.0 -# - name: Configure AWS credentials -# uses: aws-actions/configure-aws-credentials@v5 -# with: -# role-to-assume: ${{ vars.AWS_ROLE_ARN }} -# role-session-name: github-${{ github.run_id }} -# aws-region: ${{ vars.AWS_REGION }} -# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} -# -# - name: Login to Amazon ECR -# uses: aws-actions/amazon-ecr-login@v1 -# - name: Pull Splunk Operator Image Locally -# run: | -# docker pull ${{ env.IMAGE_NAME }} -# - name: Verify Signed Splunk Operator image -# 
run: | -# cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} -# env: -# COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} -# - name: Run Trivy vulnerability scanner -# uses: aquasecurity/trivy-action@master -# with: -# image-ref: '${{ env.IMAGE_NAME }}' -# format: sarif -# #exit-code: 1 -# severity: 'CRITICAL' -# ignore-unfixed: true -# output: 'trivy-results.sarif' -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: 'trivy-results.sarif' - smoke-tests: - needs: build-operator-image - strategy: - fail-fast: false - matrix: - test: [ - basic, - appframeworksS1, - managerappframeworkc3, - managerappframeworkm4, - managersecret, - managermc, - ] - runs-on: ubuntu-latest - env: - CLUSTER_NODES: 1 - CLUSTER_WORKERS: 3 - SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} - SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator - TEST_FOCUS: "${{ matrix.test }}" - # This regex matches any string not containing smoke keyword - TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" - TEST_CLUSTER_PLATFORM: eks - EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} - EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} - TEST_BUCKET: ${{ secrets.TEST_BUCKET }} - TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} - ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} - S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} - CLUSTER_WIDE: "true" - DEPLOYMENT_TYPE: "" - steps: - - name: Chekcout code - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} - - name: Set Test Cluster Name - id: set-cluster-name - uses: 
./.github/actions/set-cluster-name - with: - test-type: smoke - platform: distroless - test-name: ${{ matrix.test }} - run-id: ${{ github.run_id }} - - name: Export cluster name to environment - run: | - echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Change splunk enterprise to release image on main branches - if: github.ref == 'refs/heads/main' - run: | - echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV - - name: Install Kubectl - uses: Azure/setup-kubectl@v3 - with: - version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} - - name: Install Python - uses: actions/setup-python@v2 - - name: Install AWS CLI - run: | - curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" - unzip awscliv2.zip - sudo ./aws/install --update - aws --version - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install Ginkgo - run: | - make setup/ginkgo - - name: Install Helm - run: | - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 700 get_helm.sh - ./get_helm.sh - DESIRED_VERSION=v3.8.2 bash get_helm.sh - - name: Install EKS CTL - run: | - curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp - sudo mv /tmp/eksctl /usr/local/bin - eksctl version - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.5.0 - - name: Install Operator SDK - run: | - sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu - sudo chmod +x 
/usr/local/bin/operator-sdk - - name: Configure Docker Hub credentials - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN}} - - name: Set Splunk Operator image - run: | - echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV - - name: Pull Splunk Enterprise Image - run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-${{ github.run_id }} - aws-region: ${{ vars.AWS_REGION }} - role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - name: Tag and Push Splunk Enterprise Image to ECR - run: | - docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} - docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} - - name: Create EKS cluster - run: | - export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} - make cluster-up - - name: install metric server - run: | - curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - kubectl replace --force -f components.yaml || kubectl apply -f components.yaml - - name: install k8s dashboard - run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml - - name: Setup Kustomize - run: | - sudo snap install kustomize - mkdir -p ./bin - cp /snap/bin/kustomize ./bin/kustomize - - name: Run smoke test - id: smoketest - timeout-minutes: 240 - env: - TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} - TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} - run: | - make int-test - - name: Collect Test Logs - if: ${{ always() }} - run: | - mkdir -p 
/tmp/pod_logs - find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; - - name: Archive Pod Logs - if: ${{ always() }} - uses: actions/upload-artifact@v4.4.0 - with: - name: "splunk-pods-logs--artifacts-${{ matrix.test }}" - path: "/tmp/pod_logs/**" - - name: Cleanup Test Case artifacts - if: ${{ always() }} - run: | - make cleanup - make clean - - name: Cleanup up EKS cluster - if: ${{ always() }} - run: | - make cluster-down - #- name: Test Report - # uses: dorny/test-reporter@v1 - # if: success() || failure() # run this step even if previous step failed - # with: - # name: Integration Tests # Name of the check run which will be created - # path: inttest-*.xml # Path to test results - # reporter: jest-junit # Format of test results +# - uses: actions/checkout@v4 +# with: +# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# - name: Dotenv Action +# id: dotenv +# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 +# - name: Setup Go +# uses: actions/setup-go@v2 +# with: +# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} +# - name: Install Ginkgo +# run: | +# make setup/ginkgo +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v2.5.0 +# - name: Install Operator SDK +# run: | +# export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) +# export OS=$(uname | awk '{print tolower($0)}') +# export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} +# sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} +# sudo chmod +x operator-sdk_${OS}_${ARCH} +# sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk +# - name: Configure AWS credentials +# uses: aws-actions/configure-aws-credentials@v5 +# with: +# role-to-assume: ${{ vars.AWS_ROLE_ARN }} +# role-session-name: github-${{ github.run_id }} +# aws-region: ${{ vars.AWS_REGION }} +# 
role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} +# - name: Login to Amazon ECR +# id: login-ecr +# uses: aws-actions/amazon-ecr-login@v1 +# - name: Build and push Splunk Operator Image +# run: | +# export BASE_IMAGE=gcr.io/distroless/static-debian12 +# export BASE_IMAGE_VERSION=latest +# make docker-buildx BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless +# - name: Sign Splunk Operator image with a key +# run: | +# cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}-distroless +# env: +# COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} +# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} +# # vulnerability-scan: +# # permissions: +# # actions: read +# # contents: read +# # security-events: write +# # runs-on: ubuntu-latest +# # needs: build-operator-image +# # env: +# # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} +# # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator +# # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} +# # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} +# # IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless +# # steps: +# # - name: Set up cosign +# # uses: sigstore/cosign-installer@main +# # - uses: actions/checkout@v4 +# # with: +# # ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# # - name: Dotenv Action +# # id: dotenv +# # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 +# # - name: Set up Docker Buildx +# # uses: docker/setup-buildx-action@v2.5.0 +# # - name: Configure AWS credentials +# # uses: aws-actions/configure-aws-credentials@v5 +# # with: +# # role-to-assume: ${{ vars.AWS_ROLE_ARN }} +# # role-session-name: github-${{ github.run_id }} +# # aws-region: ${{ vars.AWS_REGION }} +# # role-duration-seconds: ${{ 
vars.AWS_ROLE_DURATION_SECONDS }} +# # +# # - name: Login to Amazon ECR +# # uses: aws-actions/amazon-ecr-login@v1 +# # - name: Pull Splunk Operator Image Locally +# # run: | +# # docker pull ${{ env.IMAGE_NAME }} +# # - name: Verify Signed Splunk Operator image +# # run: | +# # cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} +# # env: +# # COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} +# # - name: Run Trivy vulnerability scanner +# # uses: aquasecurity/trivy-action@master +# # with: +# # image-ref: '${{ env.IMAGE_NAME }}' +# # format: sarif +# # #exit-code: 1 +# # severity: 'CRITICAL' +# # ignore-unfixed: true +# # output: 'trivy-results.sarif' +# # - name: Upload Trivy scan results to GitHub Security tab +# # uses: github/codeql-action/upload-sarif@v3 +# # with: +# # sarif_file: 'trivy-results.sarif' +# smoke-tests: +# needs: build-operator-image +# strategy: +# fail-fast: false +# matrix: +# test: [ +# basic, +# appframeworksS1, +# managerappframeworkc3, +# managerappframeworkm4, +# managersecret, +# managermc, +# ] +# runs-on: ubuntu-latest +# env: +# CLUSTER_NODES: 1 +# CLUSTER_WORKERS: 3 +# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} +# SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} +# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator +# SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator +# TEST_FOCUS: "${{ matrix.test }}" +# # This regex matches any string not containing smoke keyword +# TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" +# TEST_CLUSTER_PLATFORM: eks +# EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} +# EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} +# TEST_BUCKET: ${{ secrets.TEST_BUCKET }} +# TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} +# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} +# PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} +# S3_REGION: ${{ 
secrets.AWS_DEFAULT_REGION }} +# EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} +# CLUSTER_WIDE: "true" +# DEPLOYMENT_TYPE: "" +# steps: +# - name: Chekcout code +# uses: actions/checkout@v4 +# with: +# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# - name: Set Test Cluster Name +# id: set-cluster-name +# uses: ./.github/actions/set-cluster-name +# with: +# test-type: smoke +# platform: distroless +# test-name: ${{ matrix.test }} +# run-id: ${{ github.run_id }} +# - name: Export cluster name to environment +# run: | +# echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV +# - name: Dotenv Action +# id: dotenv +# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 +# - name: Change splunk enterprise to release image on main branches +# if: github.ref == 'refs/heads/main' +# run: | +# echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV +# - name: Install Kubectl +# uses: Azure/setup-kubectl@v3 +# with: +# version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} +# - name: Install Python +# uses: actions/setup-python@v2 +# - name: Install AWS CLI +# run: | +# curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" +# unzip awscliv2.zip +# sudo ./aws/install --update +# aws --version +# - name: Setup Go +# uses: actions/setup-go@v2 +# with: +# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} +# - name: Install Ginkgo +# run: | +# make setup/ginkgo +# - name: Install Helm +# run: | +# curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 +# chmod 700 get_helm.sh +# ./get_helm.sh +# DESIRED_VERSION=v3.8.2 bash get_helm.sh +# - name: Install EKS CTL +# run: | +# curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp +# sudo mv /tmp/eksctl /usr/local/bin +# eksctl 
version +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v2.5.0 +# - name: Install Operator SDK +# run: | +# sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu +# sudo chmod +x /usr/local/bin/operator-sdk +# - name: Configure Docker Hub credentials +# uses: docker/login-action@v1 +# with: +# username: ${{ secrets.DOCKERHUB_USERNAME }} +# password: ${{ secrets.DOCKERHUB_TOKEN}} +# - name: Set Splunk Operator image +# run: | +# echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV +# - name: Pull Splunk Enterprise Image +# run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} +# - name: Configure AWS credentials +# uses: aws-actions/configure-aws-credentials@v5 +# with: +# role-to-assume: ${{ vars.AWS_ROLE_ARN }} +# role-session-name: github-${{ github.run_id }} +# aws-region: ${{ vars.AWS_REGION }} +# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} +# - name: Login to Amazon ECR +# id: login-ecr +# uses: aws-actions/amazon-ecr-login@v1 +# - name: Tag and Push Splunk Enterprise Image to ECR +# run: | +# docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} +# docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} +# - name: Create EKS cluster +# run: | +# export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} +# make cluster-up +# - name: install metric server +# run: | +# curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml +# kubectl replace --force -f components.yaml || kubectl apply -f components.yaml +# - name: install k8s dashboard +# run: | +# kubectl apply -f 
https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml +# - name: Setup Kustomize +# run: | +# sudo snap install kustomize +# mkdir -p ./bin +# cp /snap/bin/kustomize ./bin/kustomize +# - name: Run smoke test +# id: smoketest +# timeout-minutes: 240 +# env: +# TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} +# TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} +# run: | +# make int-test +# - name: Collect Test Logs +# if: ${{ always() }} +# run: | +# mkdir -p /tmp/pod_logs +# find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; +# - name: Archive Pod Logs +# if: ${{ always() }} +# uses: actions/upload-artifact@v4.4.0 +# with: +# name: "splunk-pods-logs--artifacts-${{ matrix.test }}" +# path: "/tmp/pod_logs/**" +# - name: Cleanup Test Case artifacts +# if: ${{ always() }} +# run: | +# make cleanup +# make clean +# - name: Cleanup up EKS cluster +# if: ${{ always() }} +# run: | +# make cluster-down +# #- name: Test Report +# # uses: dorny/test-reporter@v1 +# # if: success() || failure() # run this step even if previous step failed +# # with: +# # name: Integration Tests # Name of the check run which will be created +# # path: inttest-*.xml # Path to test results +# # reporter: jest-junit # Format of test results From cba3ced1ecae70e7e0742dd3bf9aad0f465f7f4a Mon Sep 17 00:00:00 2001 
From: Jakub Buczak Date: Mon, 22 Dec 2025 12:30:53 +0100 Subject: [PATCH 11/23] CSPL-4272 Update workflows to utilize commit SHA from approval gate and upgrade checkout action - Modified all workflows to use the commit SHA output from the approval gate, ensuring consistency in the reference used during the checkout process. - Upgraded the actions/checkout version from v4 to v6 across all workflows for improved performance and compatibility. --- .github/workflows/approval-gate.yml | 41 ++++++++++++++++++- .../workflows/build-test-push-workflow.yml | 36 +++++++++------- .../distroless-build-test-push-workflow.yml | 20 ++++----- .github/workflows/prodsec-workflow.yml | 9 ++-- 4 files changed, 76 insertions(+), 30 deletions(-) diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 457c70996..f7ce44c37 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml 
@@ -8,23 +8,60 @@ on:
 required: false
 type: string
 default: 'external-contributor-approval'
+ outputs:
+ commit-sha:
+ description: 'The commit SHA (PR head for PRs, pushed commit for push events)'
+ value: ${{ jobs.get-commit-info.outputs.commit-sha }}
+ commit-message:
+ description: 'The commit message'
+ value: ${{ jobs.get-commit-info.outputs.commit-message }}
 jobs:
+ # Get commit info from the PR head (not the base branch).
+ # This is necessary because with 'pull_request_target', GITHUB_SHA and the default
+ # checkout point to the BASE branch, not the PR's code. We explicitly use
+ # 'github.event.pull_request.head.sha' to get the actual PR commit info.
+ # For 'push' events, we fall back to 'github.sha' (the pushed commit).
+ get-commit-info:
+ runs-on: ubuntu-latest
+ outputs:
+ commit-sha: ${{ steps.get-sha.outputs.commit_sha }}
+ commit-message: ${{ steps.get-message.outputs.commit_message }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
+ - name: Get commit SHA
+ id: get-sha
+ run: |
+ COMMIT_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
+ echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT
+ echo "Commit SHA: ${COMMIT_SHA}"
+ - name: Get commit message
+ id: get-message
+ run: |
+ COMMIT_MSG=$(git log -1 --pretty=%B)
+ echo "commit_message<> $GITHUB_OUTPUT
+ echo "$COMMIT_MSG" >> $GITHUB_OUTPUT
+ echo "EOF" >> $GITHUB_OUTPUT
+ echo "Commit message:"
+ echo "$COMMIT_MSG"
 approval-gate:
 permissions:
 contents: read
 runs-on: ubuntu-latest
 environment: ${{
 (github.event_name == 'pull_request_target' &&
- !contains(fromJSON('["MEMBER", "OWNER"]'), github.event.pull_request.author_association))
+ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association))
 && inputs.environment-name
+ || (github.event_name == 'pull_request' && inputs.environment-name)
 || ''
 }}
 steps:
 - name: Approval status
 run: |
 echo "Event: 
${{ github.event_name }}" - echo "Pull request: ${{ toJson(github.event.pull_request) }}" echo "Author association: ${{ github.event.pull_request.author_association }}" echo "Approval granted or not required" diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 3c38ddf1f..60ab595e3 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -20,9 +20,9 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -36,11 +36,13 @@ jobs: run: make vet && if [[ $? -ne 0 ]]; then false; fi unit-tests: runs-on: ubuntu-latest - needs: check-formating + needs: + - check-formating + - approval-gate steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -68,7 +70,9 @@ jobs: path: coverage.out build-operator-image: runs-on: ubuntu-latest - needs: unit-tests + needs: + - unit-tests + - approval-gate env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -78,9 +82,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
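Review bot: The `Get commit message` step feeds an untrusted string into `$GITHUB_OUTPUT` through a heredoc closed by the literal `echo "EOF" >> $GITHUB_OUTPUT` (the opening `commit_message<<` line is mangled in this rendering, but the closing line fixes the delimiter as `EOF`). Under `pull_request_target` the checked-out head commit belongs to the fork, so a commit message containing a line `EOF` terminates the heredoc early and the remainder of the message is parsed as further output records — at best breaking the step, at worst adding step outputs the PR author controls. Use a per-run random delimiter, e.g. `delim="msg_$(openssl rand -hex 16)"` followed by `printf 'commit_message<<%s\n%s\n%s\n' "$delim" "$COMMIT_MSG" "$delim" >> "$GITHUB_OUTPUT"`. The value is also exported as the reusable workflow's `commit-message` output; any caller that interpolates `${{ needs.approval-gate.outputs.commit-message }}` into a `run:` script would get shell injection from the fork, so document it as untrusted (`description: 'The commit message (untrusted: authored by the PR head, pass via env:, never interpolate into run:)'`) and consume it only through `env:`. By contrast `commit-sha` is safe because it is taken from the event payload rather than from the checkout.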
@@ -127,7 +131,9 @@ jobs: id-token: write security-events: write runs-on: ubuntu-latest - needs: build-operator-image + needs: + - build-operator-image + - approval-gate env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -137,9 +143,9 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -177,7 +183,9 @@ jobs: with: sarif_file: 'trivy-results.sarif' smoke-tests: - needs: vulnerability-scan + needs: + - vulnerability-scan + - approval-gate strategy: fail-fast: false matrix: @@ -213,9 +221,9 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index d41cd1042..3b3f1640c 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
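Review bot: In the `vulnerability-scan` hunk (`@@ -137,9 +143,9 @@`) the new `actions/checkout@v6` line sits directly under `uses: sigstore/cosign-installer@main`, and the preceding hunk shows this job runs with `id-token: write` and `security-events: write` — now on approved fork code under `pull_request_target` — so a mutable branch ref for the tool that performs signature verification can change between the reviewer's approval and execution. The same job already pins `falti/dotenv-action` to a full commit SHA; pin the others the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v6` and `uses: sigstore/cosign-installer@<full-commit-sha>`. Separately, moving `ref:` from `merge_commit_sha` to the approval gate's head SHA presumably means the PR is now built and scanned as-is rather than as merged into the base branch; if that is intended, a one-line comment on the `ref:` line (`# PR head, not the merge result — pinned by the approval gate`) would save the next reader from assuming merge semantics.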
@@ -35,9 +35,9 @@ jobs: # runs-on: ubuntu-latest # needs: check-formating # steps: -# - uses: actions/checkout@v4 +# - uses: actions/checkout@v6 # with: -# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# ref: ${{ needs.approval-gate.outputs.commit-sha }} # - name: Dotenv Action # id: dotenv # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -74,9 +74,9 @@ jobs: # - name: Set up cosign # uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v4 +# - uses: actions/checkout@v6 # with: -# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# ref: ${{ needs.approval-gate.outputs.commit-sha }} # - name: Dotenv Action # id: dotenv # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -134,9 +134,9 @@ jobs: # # steps: # # - name: Set up cosign # # uses: sigstore/cosign-installer@main -# # - uses: actions/checkout@v4 +# # - uses: actions/checkout@v6 # # with: -# # ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# # ref: ${{ needs.approval-gate.outputs.commit-sha }} # # - name: Dotenv Action # # id: dotenv # # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -210,9 +210,9 @@ jobs: # DEPLOYMENT_TYPE: "" # steps: # - name: Chekcout code -# uses: actions/checkout@v4 +# uses: actions/checkout@v6 # with: -# ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} +# ref: ${{ needs.approval-gate.outputs.commit-sha }} # - name: Set Test Cluster Name # id: set-cluster-name # uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 0938ca084..ee172ce43 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml 
@@ -24,11 +24,12 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - run: semgrep ci FOSSA-scanner: + needs: approval-gate runs-on: ubuntu-latest env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} @@ -36,9 +37,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: - ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} + ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 From d1169a325072573b91c75ebdb53b51d561eb0a48 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 22 Dec 2025 12:37:44 +0100 Subject: [PATCH 12/23] Potential fix for code scanning alert no. 222: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/approval-gate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index f7ce44c37..550dd29e4 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -23,6 +23,8 @@ jobs: # 'github.event.pull_request.head.sha' to get the actual PR commit info. # For 'push' events, we fall back to 'github.sha' (the pushed commit). get-commit-info: + permissions: + contents: read runs-on: ubuntu-latest outputs: commit-sha: ${{ steps.get-sha.outputs.commit_sha }} From 85f4c1597e97771bdebd0eea1b68a65909b5f836 Mon Sep 17 00:00:00 2001 
From: Jakub Buczak Date: Mon, 22 Dec 2025 12:43:22 +0100 Subject: [PATCH 13/23] Add dependency on get-commit-info job in approval gate workflow - Updated the approval gate job to depend on the get-commit-info job, ensuring that commit information is available before proceeding with the approval process. --- .github/workflows/approval-gate.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 550dd29e4..0e6613bc5 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -50,6 +50,7 @@ jobs: echo "Commit message:" echo "$COMMIT_MSG" approval-gate: + needs: get-commit-info permissions: contents: read runs-on: ubuntu-latest From 3c29d08082f89f97b35a4b862e20e4936005b6f2 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 22 Dec 2025 16:47:23 +0100 Subject: [PATCH 14/23] Refactor build-test-push workflow by commenting out unit tests and related steps - Commented out the unit-tests job and its dependencies in the build-test-push workflow to streamline the process. - Retained the structure for potential future reactivation of unit tests while maintaining the overall workflow integrity. --- .../workflows/build-test-push-workflow.yml | 632 +++++++++--------- 1 file changed, 316 insertions(+), 316 deletions(-) diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 60ab595e3..7ba44f8b6 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml 
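Review bot: Making `approval-gate` depend on `get-commit-info` means the untrusted PR head is checked out before a reviewer approves the environment, so the job above this hunk must stay inert: read-only token, no secrets, and nothing executed from the checkout (its visible steps only run `git log`). I would state that invariant next to the new `needs:` line so a later edit does not add a build or test step there, e.g. `# get-commit-info runs BEFORE approval on untrusted fork code — it must never execute anything from the checkout or receive secrets.` Reviewers approving the environment should also compare the `Commit SHA:` printed by that job with the head they reviewed, since that pinned SHA is what every downstream job checks out; a new push produces a new run and a new approval, which is the property this gate relies on. The `get-commit-info` job itself starts outside this hunk.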
@@ -34,321 +34,321 @@ jobs: run: make fmt && if [[ $? -ne 0 ]]; then false; fi - name: Lint source code run: make vet && if [[ $? -ne 0 ]]; then false; fi - unit-tests: - runs-on: ubuntu-latest - needs: - - check-formating - - approval-gate - steps: - - uses: actions/checkout@v6 - with: - ref: ${{ needs.approval-gate.outputs.commit-sha }} - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install goveralls - run: | - go version - go install github.com/mattn/goveralls@latest - - name: Install Ginkgo - run: | - make setup/ginkgo - go mod tidy - - name: Run Unit Tests - run: | - make test - - name: Run Code Coverage - run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} - - name: Upload Coverage artifacts - uses: actions/upload-artifact@v4.4.0 - with: - name: coverage.out - path: coverage.out - build-operator-image: - runs-on: ubuntu-latest - needs: - - unit-tests - - approval-gate - env: - SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - steps: - - name: Set up cosign - uses: sigstore/cosign-installer@main + # unit-tests: + # runs-on: ubuntu-latest + # needs: + # - check-formating + # - approval-gate + # steps: + # - uses: actions/checkout@v6 + # with: + # ref: ${{ needs.approval-gate.outputs.commit-sha }} + # - name: Dotenv Action + # id: dotenv + # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + # - name: Setup Go + # uses: actions/setup-go@v2 + # with: + # go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + # - name: Install goveralls + # run: | + # go version + # go install github.com/mattn/goveralls@latest + # - name: Install Ginkgo + # run: | + # make 
setup/ginkgo + # go mod tidy + # - name: Run Unit Tests + # run: | + # make test + # - name: Run Code Coverage + # run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} + # - name: Upload Coverage artifacts + # uses: actions/upload-artifact@v4.4.0 + # with: + # name: coverage.out + # path: coverage.out + # build-operator-image: + # runs-on: ubuntu-latest + # needs: + # - unit-tests + # - approval-gate + # env: + # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + # steps: + # - name: Set up cosign + # uses: sigstore/cosign-installer@main - - uses: actions/checkout@v6 - with: - ref: ${{ needs.approval-gate.outputs.commit-sha }} - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Setup Go - uses: actions/setup-go@v2 - with: - go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install Ginkgo - run: | - make setup/ginkgo - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.5.0 - - name: Install Operator SDK - run: | - export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) - export OS=$(uname | awk '{print tolower($0)}') - export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} - sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} - sudo chmod +x operator-sdk_${OS}_${ARCH} - sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-${{ github.run_id }} - aws-region: ${{ vars.AWS_REGION }} - role-duration-seconds: ${{ 
vars.AWS_ROLE_DURATION_SECONDS }} - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - name: Build and push Splunk Operator Image - run: | - make docker-buildx IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA - - name: Sign Splunk Operator image with a key - run: | - cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }} - env: - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - vulnerability-scan: - permissions: - actions: read - contents: read - id-token: write - security-events: write - runs-on: ubuntu-latest - needs: - - build-operator-image - - approval-gate - env: - SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }} - steps: - - name: Set up cosign - uses: sigstore/cosign-installer@main - - uses: actions/checkout@v6 - with: - ref: ${{ needs.approval-gate.outputs.commit-sha }} - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.5.0 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-${{ github.run_id }} - aws-region: ${{ vars.AWS_REGION }} - role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + # - uses: actions/checkout@v6 + # with: + # ref: ${{ needs.approval-gate.outputs.commit-sha }} + # - name: Dotenv Action + # id: dotenv + # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + # - name: Setup Go + # uses: actions/setup-go@v2 + # with: + # go-version: 
${{ steps.dotenv.outputs.GO_VERSION }} + # - name: Install Ginkgo + # run: | + # make setup/ginkgo + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v2.5.0 + # - name: Install Operator SDK + # run: | + # export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) + # export OS=$(uname | awk '{print tolower($0)}') + # export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} + # sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} + # sudo chmod +x operator-sdk_${OS}_${ARCH} + # sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # role-to-assume: ${{ vars.AWS_ROLE_ARN }} + # role-session-name: github-${{ github.run_id }} + # aws-region: ${{ vars.AWS_REGION }} + # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + # - name: Login to Amazon ECR + # id: login-ecr + # uses: aws-actions/amazon-ecr-login@v1 + # - name: Build and push Splunk Operator Image + # run: | + # make docker-buildx IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA + # - name: Sign Splunk Operator image with a key + # run: | + # cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }} + # env: + # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + # vulnerability-scan: + # permissions: + # actions: read + # contents: read + # id-token: write + # security-events: write + # runs-on: ubuntu-latest + # needs: + # - build-operator-image + # - approval-gate + # env: + # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + # 
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + # IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }} + # steps: + # - name: Set up cosign + # uses: sigstore/cosign-installer@main + # - uses: actions/checkout@v6 + # with: + # ref: ${{ needs.approval-gate.outputs.commit-sha }} + # - name: Dotenv Action + # id: dotenv + # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v2.5.0 + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # role-to-assume: ${{ vars.AWS_ROLE_ARN }} + # role-session-name: github-${{ github.run_id }} + # aws-region: ${{ vars.AWS_REGION }} + # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v1 - - name: Pull Splunk Operator Image Locally - run: | - docker pull ${{ env.IMAGE_NAME }} - - name: Verify Signed Splunk Operator image - run: | - cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} - env: - COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: '${{ env.IMAGE_NAME }}' - format: sarif - #exit-code: 1 - severity: 'CRITICAL' - ignore-unfixed: true - output: 'trivy-results.sarif' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - smoke-tests: - needs: - - vulnerability-scan - - approval-gate - strategy: - fail-fast: false - matrix: - test: [ - basic, - appframeworksS1, - managerappframeworkc3, - managerappframeworkm4, - managersecret, - managermc, - ] - runs-on: ubuntu-latest - env: - CLUSTER_NODES: 1 - CLUSTER_WORKERS: 3 - SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} - 
SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator - TEST_FOCUS: "${{ matrix.test }}" - # This regex matches any string not containing smoke keyword - TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" - TEST_CLUSTER_PLATFORM: eks - EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} - EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} - TEST_BUCKET: ${{ secrets.TEST_BUCKET }} - TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} - ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} - S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} - CLUSTER_WIDE: "true" - DEPLOYMENT_TYPE: "" - steps: - - name: Chekcout code - uses: actions/checkout@v6 - with: - ref: ${{ needs.approval-gate.outputs.commit-sha }} - - name: Set Test Cluster Name - id: set-cluster-name - uses: ./.github/actions/set-cluster-name - with: - test-type: smoke - test-name: ${{ matrix.test }} - run-id: ${{ github.run_id }} - - name: Export cluster name to environment - run: | - echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV - - name: Dotenv Action - id: dotenv - uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - - name: Change splunk enterprise to release image on main branches - if: github.ref == 'refs/heads/main' - run: | - echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV - - name: Install Kubectl - uses: Azure/setup-kubectl@v3 - with: - version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} - - name: Install Python - uses: actions/setup-python@v2 - - name: Install AWS CLI - run: | - curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" - unzip awscliv2.zip - sudo ./aws/install --update - aws --version - - name: Setup Go - uses: actions/setup-go@v2 - with: 
- go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - - name: Install Ginkgo - run: | - make setup/ginkgo - - name: Install Helm - run: | - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 700 get_helm.sh - ./get_helm.sh - DESIRED_VERSION=v3.8.2 bash get_helm.sh - - name: Install EKS CTL - run: | - curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp - sudo mv /tmp/eksctl /usr/local/bin - eksctl version - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2.5.0 - - name: Install Operator SDK - run: | - sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu - sudo chmod +x /usr/local/bin/operator-sdk - - name: Configure Docker Hub credentials - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN}} - - name: Set Splunk Operator image - run: | - echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - - name: Pull Splunk Enterprise Image - run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ vars.AWS_ROLE_ARN }} - role-session-name: github-${{ github.run_id }} - aws-region: ${{ vars.AWS_REGION }} - role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v1 - - name: Tag and Push Splunk Enterprise Image to ECR - run: | - docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} - docker push ${{ secrets.ECR_REPOSITORY }}/${{ 
env.SPLUNK_ENTERPRISE_IMAGE }} - - name: Create EKS cluster - run: | - export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} - make cluster-up - - name: install metric server - run: | - curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - kubectl replace --force -f components.yaml || kubectl apply -f components.yaml - - name: install k8s dashboard - run: | - kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml - - name: Setup Kustomize - run: | - sudo snap install kustomize - mkdir -p ./bin - cp /snap/bin/kustomize ./bin/kustomize - - name: Run smoke test - id: smoketest - timeout-minutes: 240 - env: - TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} - TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} - run: | - make int-test - - name: Collect Test Logs - if: ${{ always() }} - run: | - mkdir -p /tmp/pod_logs - find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; - - name: Archive Pod Logs - if: ${{ always() }} - uses: actions/upload-artifact@v4.4.0 - with: - name: "splunk-pods-logs--artifacts-${{ matrix.test }}" - path: "/tmp/pod_logs/**" - - name: Cleanup Test Case artifacts - if: ${{ always() }} - run: | - make cleanup - make clean - - name: Cleanup up EKS cluster - if: ${{ always() }} - run: | - make cluster-down - #- name: Test Report - # uses: dorny/test-reporter@v1 - # if: success() || failure() # run this step even if previous step failed - # with: - # name: Integration Tests # Name of the check run which will be created - # path: inttest-*.xml # Path to test results - # reporter: jest-junit # Format of test results + # - name: Login to Amazon ECR + # uses: aws-actions/amazon-ecr-login@v1 + # - name: Pull Splunk Operator Image Locally + # run: | + # docker pull ${{ env.IMAGE_NAME }} + # - name: Verify Signed Splunk Operator image + # run: | + # cosign verify --key env://COSIGN_PUBLIC_KEY ${{ 
env.IMAGE_NAME }} + # env: + # COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} + # - name: Run Trivy vulnerability scanner + # uses: aquasecurity/trivy-action@master + # with: + # image-ref: '${{ env.IMAGE_NAME }}' + # format: sarif + # #exit-code: 1 + # severity: 'CRITICAL' + # ignore-unfixed: true + # output: 'trivy-results.sarif' + # - name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: 'trivy-results.sarif' + # smoke-tests: + # needs: + # - vulnerability-scan + # - approval-gate + # strategy: + # fail-fast: false + # matrix: + # test: [ + # basic, + # appframeworksS1, + # managerappframeworkc3, + # managerappframeworkm4, + # managersecret, + # managermc, + # ] + # runs-on: ubuntu-latest + # env: + # CLUSTER_NODES: 1 + # CLUSTER_WORKERS: 3 + # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + # SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} + # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + # SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator + # TEST_FOCUS: "${{ matrix.test }}" + # # This regex matches any string not containing smoke keyword + # TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" + # TEST_CLUSTER_PLATFORM: eks + # EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} + # EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} + # TEST_BUCKET: ${{ secrets.TEST_BUCKET }} + # TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} + # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + # PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} + # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + # EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} + # CLUSTER_WIDE: "true" + # DEPLOYMENT_TYPE: "" + # steps: + # - name: Chekcout code + # uses: actions/checkout@v6 + # with: + # ref: ${{ needs.approval-gate.outputs.commit-sha }} + # - name: Set Test Cluster Name + 
# id: set-cluster-name + # uses: ./.github/actions/set-cluster-name + # with: + # test-type: smoke + # test-name: ${{ matrix.test }} + # run-id: ${{ github.run_id }} + # - name: Export cluster name to environment + # run: | + # echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV + # - name: Dotenv Action + # id: dotenv + # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + # - name: Change splunk enterprise to release image on main branches + # if: github.ref == 'refs/heads/main' + # run: | + # echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV + # - name: Install Kubectl + # uses: Azure/setup-kubectl@v3 + # with: + # version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} + # - name: Install Python + # uses: actions/setup-python@v2 + # - name: Install AWS CLI + # run: | + # curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" + # unzip awscliv2.zip + # sudo ./aws/install --update + # aws --version + # - name: Setup Go + # uses: actions/setup-go@v2 + # with: + # go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + # - name: Install Ginkgo + # run: | + # make setup/ginkgo + # - name: Install Helm + # run: | + # curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 + # chmod 700 get_helm.sh + # ./get_helm.sh + # DESIRED_VERSION=v3.8.2 bash get_helm.sh + # - name: Install EKS CTL + # run: | + # curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp + # sudo mv /tmp/eksctl /usr/local/bin + # eksctl version + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v2.5.0 + # - name: Install Operator SDK + # run: | + # sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION 
}}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu + # sudo chmod +x /usr/local/bin/operator-sdk + # - name: Configure Docker Hub credentials + # uses: docker/login-action@v1 + # with: + # username: ${{ secrets.DOCKERHUB_USERNAME }} + # password: ${{ secrets.DOCKERHUB_TOKEN}} + # - name: Set Splunk Operator image + # run: | + # echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV + # - name: Pull Splunk Enterprise Image + # run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} + # - name: Configure AWS credentials + # uses: aws-actions/configure-aws-credentials@v5 + # with: + # role-to-assume: ${{ vars.AWS_ROLE_ARN }} + # role-session-name: github-${{ github.run_id }} + # aws-region: ${{ vars.AWS_REGION }} + # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + # - name: Login to Amazon ECR + # id: login-ecr + # uses: aws-actions/amazon-ecr-login@v1 + # - name: Tag and Push Splunk Enterprise Image to ECR + # run: | + # docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + # docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + # - name: Create EKS cluster + # run: | + # export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} + # make cluster-up + # - name: install metric server + # run: | + # curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + # kubectl replace --force -f components.yaml || kubectl apply -f components.yaml + # - name: install k8s dashboard + # run: | + # kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml + # - name: Setup Kustomize + # run: | + # sudo snap install kustomize + # mkdir -p ./bin + # cp /snap/bin/kustomize ./bin/kustomize + # - name: Run smoke test + # id: smoketest + # timeout-minutes: 240 + # env: + # TEST_S3_ACCESS_KEY_ID: ${{ 
vars.TEST_S3_ACCESS_KEY_ID }} + # TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} + # run: | + # make int-test + # - name: Collect Test Logs + # if: ${{ always() }} + # run: | + # mkdir -p /tmp/pod_logs + # find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; + # - name: Archive Pod Logs + # if: ${{ always() }} + # uses: actions/upload-artifact@v4.4.0 + # with: + # name: "splunk-pods-logs--artifacts-${{ matrix.test }}" + # path: "/tmp/pod_logs/**" + # - name: Cleanup Test Case artifacts + # if: ${{ always() }} + # run: | + # make cleanup + # make clean + # - name: Cleanup up EKS cluster + # if: ${{ always() }} + # run: | + # make cluster-down + # #- name: Test Report + # # uses: dorny/test-reporter@v1 + # # if: success() || failure() # run this step even if previous step failed + # # with: + # # name: Integration Tests # Name of the check run which will be created + # # path: inttest-*.xml # Path to test results + # # reporter: jest-junit # Format of test results From ae59ec19162bf7a6bad72b2b6d3e9579ed2bda88 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 22 Dec 2025 17:00:01 +0100 Subject: [PATCH 15/23] Update distroless build-test-push workflow to trigger on specific branches for pull requests - Changed the event trigger from `pull_request` to `pull_request_target` with specified branches: 'develop' and 'CSPL-4372-add-approval-gate-exec-in-target', enhancing control over workflow execution. --- .github/workflows/distroless-build-test-push-workflow.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 3b3f1640c..5225890f8 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml 
@@ -5,7 +5,10 @@ permissions: id-token: write pull-requests: write on: - pull_request: {} + pull_request_target: + branches: + - 'develop' + - 'CSPL-4372-add-approval-gate-exec-in-target' push: branches: - main From 5be9f03bc64965a814f6566ce4bc892cd76e51b1 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 22 Dec 2025 17:11:45 +0100 Subject: [PATCH 16/23] Enhance approval gate workflow with commit SHA and message retrieval - Added steps to the approval gate job to retrieve the commit SHA and message from the pull request, improving the workflow's ability to handle commit information effectively. - Updated the environment condition to ensure proper execution based on author association and event type. --- .../distroless-build-test-push-workflow.yml | 39 ++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 5225890f8..a863e64e5 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml 
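Review bot: The workflow-level `permissions:` that survives as context in this hunk (`id-token: write`, `pull-requests: write`) now applies to every job of a `pull_request_target` run, i.e. to fork PRs that can trigger the workflow with secrets available, and the `branches:` filter only restricts the base branch, not who can open the PR. I would reduce the workflow-level block to `permissions:` / `  contents: read` and grant `id-token: write` and `pull-requests: write` only on the jobs that actually push or comment, downstream of the approval gate. The `CSPL-4372-add-approval-gate-exec-in-target` entry looks like test scaffolding for this PR's own branch and should be removed before merge.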
@@ -15,7 +15,44 @@ on: - develop jobs: approval-gate: - uses: ./.github/workflows/approval-gate.yml + permissions: + contents: read + runs-on: ubuntu-latest + outputs: + commit-sha: ${{ steps.get-sha.outputs.commit_sha }} + commit-message: ${{ steps.get-message.outputs.commit_message }} + environment: ${{ + (github.event_name == 'pull_request_target' && + !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association)) + && inputs.environment-name + || (github.event_name == 'pull_request' && inputs.environment-name) + || '' + }} + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + - name: Get commit SHA + id: get-sha + run: | + COMMIT_SHA="${{ github.event.pull_request.head.sha || github.sha }}" + echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT + echo "Commit SHA: ${COMMIT_SHA}" + - name: Get commit message + id: get-message + run: | + COMMIT_MSG=$(git log -1 --pretty=%B) + echo "commit_message<> $GITHUB_OUTPUT + echo "$COMMIT_MSG" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + echo "Commit message:" + echo "$COMMIT_MSG" + - name: Approval status + run: | + echo "Event: ${{ github.event_name }}" + echo "Author association: ${{ github.event.pull_request.author_association }}" + echo "Approval granted or not required" check-formating: runs-on: ubuntu-latest needs: approval-gate From fa8ca1e35feaf389acc3603048357b4335b7dea7 Mon Sep 17 00:00:00 2001 
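Review bot: The `environment:` expression reads `inputs.environment-name`, but this job is now inlined in a workflow triggered by `pull_request_target`/`push` (per the `on:` context of the hunk), where the `inputs` context is only populated for `workflow_dispatch`/`workflow_call`; on a PR event it evaluates to empty, the whole expression falls through to `''`, and no approval is required for external contributors, so the gate looks like a silent no-op — please confirm with a fork PR. Use a literal name here, e.g. `&& 'external-contributor-approval'`, or read it from `vars`. Separately, the `Get commit message` step writes the PR's commit message (attacker-controlled under `pull_request_target`) into `$GITHUB_OUTPUT` through a heredoc with a fixed terminator (the `<<EOF` appears mangled in this rendering); a commit message containing a line `EOF` can inject further outputs, so use a per-run delimiter: `delim="$(openssl rand -hex 16)"`, `echo "commit_message<<${delim}" >> "$GITHUB_OUTPUT"`, `echo "${delim}" >> "$GITHUB_OUTPUT"`.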
From: Jakub Buczak Date: Mon, 12 Jan 2026 16:32:12 +0100 Subject: [PATCH 17/23] Add target checkout action for improved pull request handling - Introduced a new GitHub Action for target checkout to correctly handle pull_request_target scenarios, ensuring the correct branch is checked out. - Updated multiple workflows to utilize the new target checkout action, replacing the default checkout action for better compatibility with pull request contexts. - Enhanced the workflows to maintain consistent behavior across different event types while improving overall workflow reliability. --- .github/actions/target-checkout/action.yml | 20 + .github/workflows/approval-gate.yml | 3 +- ...AL2023-build-test-push-workflow-AL2023.yml | 10 +- .../arm-AL2023-int-test-workflow.yml | 4 +- .../arm-RHEL-build-test-push-workflow.yml | 4 +- .../workflows/arm-RHEL-int-test-workflow.yml | 4 +- .../arm-Ubuntu-build-test-push-workflow.yml | 8 +- .../arm-Ubuntu-int-test-workflow.yml | 4 +- .../workflows/automated-release-workflow.yml | 10 +- .github/workflows/bias-language-workflow.yml | 2 +- .../workflows/build-test-push-workflow.yml | 634 ++++++++--------- .../workflows/bundle-push-post-release.yml | 2 +- .../distroless-build-test-push-workflow.yml | 661 +++++++++--------- .../distroless-int-test-workflow.yml | 4 +- .github/workflows/helm-test-workflow.yml | 4 +- .github/workflows/int-test-azure-workflow.yml | 6 +- .github/workflows/int-test-gcp-workflow.yml | 16 +- .github/workflows/int-test-workflow.yml | 4 +- .github/workflows/kubectl-splunk-workflow.yml | 12 +- .../workflows/manual-int-test-workflow.yml | 4 +- .../merge-develop-to-main-workflow.yml | 4 +- .../namespace-scope-int-workflow.yml | 2 +- .../workflows/nightly-int-test-workflow.yml | 9 +- .github/workflows/pre-release-workflow.yml | 2 +- .github/workflows/prodsec-workflow.yml | 4 +- .github/workflows/release.yml | 2 +- 26 files changed, 710 insertions(+), 729 deletions(-) create mode 100644 
.github/actions/target-checkout/action.yml diff --git a/.github/actions/target-checkout/action.yml b/.github/actions/target-checkout/action.yml new file mode 100644 index 000000000..8811f9eda --- /dev/null +++ b/.github/actions/target-checkout/action.yml @@ -0,0 +1,20 @@ +# .github/actions/target-checkout/action.yml +name: 'Target Checkout' +description: | + Checkout that handles pull_request_target correctly. + This was created to fix the issue where the default checkout in pull_request_target is the main branch, not the PR head. +inputs: + ref: + description: | + The commit SHA to checkout (required if workflow needs approval gate). + If not provided, the PR head or the pushed commit will be used. + required: false + default: '' +runs: + using: 'composite' + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + # Use provided ref, or fall back to PR head for pull_request_target, or default + ref: ${{ inputs.ref || github.event.pull_request.head.sha || github.sha }} \ No newline at end of file diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 0e6613bc5..167689f47 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -31,7 +31,7 @@ jobs: commit-message: ${{ steps.get-message.outputs.commit_message }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: ./.github/actions/target-checkout with: ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Get commit SHA @@ -58,7 +58,6 @@ jobs: (github.event_name == 'pull_request_target' && !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association)) && inputs.environment-name - || (github.event_name == 'pull_request' && inputs.environment-name) || '' }} steps: diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml index de972ba59..95b365fe1 100644 
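Review bot: The `Checkout` step in this composite action uses `actions/checkout@v6` with its default `persist-credentials: true`, so in a `pull_request_target` run the `GITHUB_TOKEN` (carrying the calling workflow's write scopes) ends up in `.git/config` of a checkout of the fork's head commit; add `persist-credentials: false` under `with:` unless a caller genuinely needs to push. The `description` states the motivation but not the precondition: this action deliberately re-enables running PR-head code under `pull_request_target`, which is only acceptable in a job that sits behind the approval environment or has no secrets and no write permissions — I would say so explicitly, e.g. `Only use in jobs gated by the approval environment, or in jobs with no secrets/write permissions.` Also worth recording there that a repo-local action is resolved from the workspace, so a job cannot use `./.github/actions/target-checkout` as its first step without a prior `actions/checkout`.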
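Review bot: In the `@@ -31,7 +31,7 @@` hunk `./.github/actions/target-checkout` replaces `actions/checkout@v6` as the first step of the job, but local actions are loaded from the runner's workspace, so unless something outside the hunk has already checked out the repository this step cannot resolve `action.yml` and the job fails before doing anything. Keep `actions/checkout@v6` for this first checkout, or have callers run a minimal `actions/checkout` of the base ref before using the composite action. The `with: ref: ${{ github.event.pull_request.head.sha || github.sha }}` duplicates the action's own fallback and can be dropped once the action is used.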
--- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml +++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml @@ -5,7 +5,7 @@ permissions: id-token: write pull-requests: write on: - workflow_dispatch: + workflow_dispatch: inputs: splunk_image_repository_tag: description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)' @@ -14,7 +14,7 @@ jobs: check-formating: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -67,7 +67,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -148,7 +148,7 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-AL2023-int-test-workflow.yml b/.github/workflows/arm-AL2023-int-test-workflow.yml index b0bd87391..953165f51 100644 --- a/.github/workflows/arm-AL2023-int-test-workflow.yml +++ b/.github/workflows/arm-AL2023-int-test-workflow.yml @@ -19,7 +19,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
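Review bot: In the `check-formating` job (`@@ -14,7 +14,7 @@`) `./.github/actions/target-checkout` becomes the first step; a local action can only be resolved after the repository is in the workspace, so this step will fail to load unless a checkout precedes it, and the same applies to the other checkout replacements in this file and in `arm-AL2023-int-test-workflow.yml`. This workflow appears to be `workflow_dispatch`-only (per the `on:` context in the first hunk), so the `pull_request_target` head-checkout behaviour of the action brings it nothing; keeping `actions/checkout` here, ideally pinned to a commit SHA rather than the floating `@v2`, is the simpler and safer change.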
@@ -101,7 +101,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-build-test-push-workflow.yml b/.github/workflows/arm-RHEL-build-test-push-workflow.yml index 947681124..91d64714e 100644 --- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml +++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml @@ -19,7 +19,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -102,7 +102,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-int-test-workflow.yml b/.github/workflows/arm-RHEL-int-test-workflow.yml index 4ba671c50..85b33f015 100644 --- a/.github/workflows/arm-RHEL-int-test-workflow.yml +++ b/.github/workflows/arm-RHEL-int-test-workflow.yml @@ -19,7 +19,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +101,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name 
diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml index cecd1539f..6837eb370 100644 --- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml +++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml @@ -14,7 +14,7 @@ jobs: check-formating: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -67,7 +67,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -148,7 +148,7 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-Ubuntu-int-test-workflow.yml b/.github/workflows/arm-Ubuntu-int-test-workflow.yml index f4a1ce18c..2aa1ef742 100644 --- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml +++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml @@ -19,7 +19,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
@@ -101,7 +101,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml index 348dea7ed..b7b860868 100644 --- a/.github/workflows/automated-release-workflow.yml +++ b/.github/workflows/automated-release-workflow.yml @@ -31,7 +31,7 @@ jobs: uses: sigstore/cosign-installer@main - name: Checkout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Deep Fetch run: | @@ -108,14 +108,14 @@ jobs: run: | regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC splunk/splunk-operator:latest - + - name: Sign Splunk Operator image with a key run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - + - name: Verify Splunk Operator image with a key run: | cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }} 
@@ -125,14 +125,14 @@ jobs: - name: Promote Distroless RC Image to Release run: | regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC-distroless splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless - + - name: Sign Distroless Splunk Operator image with a key run: | cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless env: COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - + - name: Verify Distroless Splunk Operator image with a key run: | cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless diff --git a/.github/workflows/bias-language-workflow.yml b/.github/workflows/bias-language-workflow.yml index 2ea42b520..87ff0d806 100644 --- a/.github/workflows/bias-language-workflow.yml +++ b/.github/workflows/bias-language-workflow.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest name: Detecting Biased Language steps: - - uses: actions/checkout@v2 + - uses: ./.github/actions/target-checkout - id: biased-lang-linter uses: splunk/biased-lang-linter@main continue-on-error: false diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 7ba44f8b6..838ca0f9e 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v6 + - uses: ./.github/actions/target-checkout with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action 
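Review bot: In the `build-test-push-workflow.yml` hunk (`@@ -20,7 +20,7 @@`) `check-formating` now starts with `./.github/actions/target-checkout`, which as a repo-local action cannot be resolved until the repository has been checked out; this first step will fail unless a plain `actions/checkout` runs before it. Once that is fixed, pinning to `needs.approval-gate.outputs.commit-sha` is the right choice, since it is the commit the approver saw; every downstream job that executes PR code should check out that same pinned SHA, and the `@@ -34,321` hunk that follows continues past this page so I could not verify it there.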
@@ -34,321 +34,321 @@ jobs: run: make fmt && if [[ $? -ne 0 ]]; then false; fi - name: Lint source code run: make vet && if [[ $? -ne 0 ]]; then false; fi - # unit-tests: - # runs-on: ubuntu-latest - # needs: - # - check-formating - # - approval-gate - # steps: - # - uses: actions/checkout@v6 - # with: - # ref: ${{ needs.approval-gate.outputs.commit-sha }} - # - name: Dotenv Action - # id: dotenv - # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - # - name: Setup Go - # uses: actions/setup-go@v2 - # with: - # go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - # - name: Install goveralls - # run: | - # go version - # go install github.com/mattn/goveralls@latest - # - name: Install Ginkgo - # run: | - # make setup/ginkgo - # go mod tidy - # - name: Run Unit Tests - # run: | - # make test - # - name: Run Code Coverage - # run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} - # - name: Upload Coverage artifacts - # uses: actions/upload-artifact@v4.4.0 - # with: - # name: coverage.out - # path: coverage.out - # build-operator-image: - # runs-on: ubuntu-latest - # needs: - # - unit-tests - # - approval-gate - # env: - # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - # steps: - # - name: Set up cosign - # uses: sigstore/cosign-installer@main + unit-tests: + runs-on: ubuntu-latest + needs: + - check-formating + - approval-gate + steps: + - uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install goveralls + run: | + go version + go install 
github.com/mattn/goveralls@latest + - name: Install Ginkgo + run: | + make setup/ginkgo + go mod tidy + - name: Run Unit Tests + run: | + make test + - name: Run Code Coverage + run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} + - name: Upload Coverage artifacts + uses: actions/upload-artifact@v4.4.0 + with: + name: coverage.out + path: coverage.out + build-operator-image: + runs-on: ubuntu-latest + needs: + - unit-tests + - approval-gate + env: + SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + steps: + - name: Set up cosign + uses: sigstore/cosign-installer@main - # - uses: actions/checkout@v6 - # with: - # ref: ${{ needs.approval-gate.outputs.commit-sha }} - # - name: Dotenv Action - # id: dotenv - # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - # - name: Setup Go - # uses: actions/setup-go@v2 - # with: - # go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - # - name: Install Ginkgo - # run: | - # make setup/ginkgo - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v2.5.0 - # - name: Install Operator SDK - # run: | - # export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) - # export OS=$(uname | awk '{print tolower($0)}') - # export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} - # sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} - # sudo chmod +x operator-sdk_${OS}_${ARCH} - # sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@v5 - # with: - # role-to-assume: ${{ vars.AWS_ROLE_ARN }} - # role-session-name: github-${{ github.run_id }} - # 
aws-region: ${{ vars.AWS_REGION }} - # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - # - name: Login to Amazon ECR - # id: login-ecr - # uses: aws-actions/amazon-ecr-login@v1 - # - name: Build and push Splunk Operator Image - # run: | - # make docker-buildx IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA - # - name: Sign Splunk Operator image with a key - # run: | - # cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }} - # env: - # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - # vulnerability-scan: - # permissions: - # actions: read - # contents: read - # id-token: write - # security-events: write - # runs-on: ubuntu-latest - # needs: - # - build-operator-image - # - approval-gate - # env: - # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} - # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - # IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }} - # steps: - # - name: Set up cosign - # uses: sigstore/cosign-installer@main - # - uses: actions/checkout@v6 - # with: - # ref: ${{ needs.approval-gate.outputs.commit-sha }} - # - name: Dotenv Action - # id: dotenv - # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v2.5.0 - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@v5 - # with: - # role-to-assume: ${{ vars.AWS_ROLE_ARN }} - # role-session-name: github-${{ github.run_id }} - # aws-region: ${{ vars.AWS_REGION }} - # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + - uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Dotenv Action + 
id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install Ginkgo + run: | + make setup/ginkgo + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 + - name: Install Operator SDK + run: | + export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) + export OS=$(uname | awk '{print tolower($0)}') + export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} + sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} + sudo chmod +x operator-sdk_${OS}_${ARCH} + sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Build and push Splunk Operator Image + run: | + make docker-buildx IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA + - name: Sign Splunk Operator image with a key + run: | + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }} + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + vulnerability-scan: + permissions: + actions: read + contents: read + id-token: write + security-events: write + runs-on: ubuntu-latest + needs: + - build-operator-image + - approval-gate + env: + SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator 
+ ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }} + steps: + - name: Set up cosign + uses: sigstore/cosign-installer@main + - uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - # - name: Login to Amazon ECR - # uses: aws-actions/amazon-ecr-login@v1 - # - name: Pull Splunk Operator Image Locally - # run: | - # docker pull ${{ env.IMAGE_NAME }} - # - name: Verify Signed Splunk Operator image - # run: | - # cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} - # env: - # COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} - # - name: Run Trivy vulnerability scanner - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: '${{ env.IMAGE_NAME }}' - # format: sarif - # #exit-code: 1 - # severity: 'CRITICAL' - # ignore-unfixed: true - # output: 'trivy-results.sarif' - # - name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v3 - # with: - # sarif_file: 'trivy-results.sarif' - # smoke-tests: - # needs: - # - vulnerability-scan - # - approval-gate - # strategy: - # fail-fast: false - # matrix: - # test: [ - # basic, - # appframeworksS1, - # managerappframeworkc3, - # managerappframeworkm4, - # managersecret, - # managermc, - # ] - # runs-on: ubuntu-latest - # env: - # CLUSTER_NODES: 1 - # CLUSTER_WORKERS: 3 - # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE 
}} - # SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} - # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator - # SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator - # TEST_FOCUS: "${{ matrix.test }}" - # # This regex matches any string not containing smoke keyword - # TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" - # TEST_CLUSTER_PLATFORM: eks - # EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} - # EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} - # TEST_BUCKET: ${{ secrets.TEST_BUCKET }} - # TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} - # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} - # PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} - # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - # EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} - # CLUSTER_WIDE: "true" - # DEPLOYMENT_TYPE: "" - # steps: - # - name: Chekcout code - # uses: actions/checkout@v6 - # with: - # ref: ${{ needs.approval-gate.outputs.commit-sha }} - # - name: Set Test Cluster Name - # id: set-cluster-name - # uses: ./.github/actions/set-cluster-name - # with: - # test-type: smoke - # test-name: ${{ matrix.test }} - # run-id: ${{ github.run_id }} - # - name: Export cluster name to environment - # run: | - # echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV - # - name: Dotenv Action - # id: dotenv - # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - # - name: Change splunk enterprise to release image on main branches - # if: github.ref == 'refs/heads/main' - # run: | - # echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV - # - name: Install Kubectl - # uses: Azure/setup-kubectl@v3 - # with: - # version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} - # - name: Install Python - # uses: actions/setup-python@v2 - # - name: Install AWS CLI - # run: | - # 
curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" - # unzip awscliv2.zip - # sudo ./aws/install --update - # aws --version - # - name: Setup Go - # uses: actions/setup-go@v2 - # with: - # go-version: ${{ steps.dotenv.outputs.GO_VERSION }} - # - name: Install Ginkgo - # run: | - # make setup/ginkgo - # - name: Install Helm - # run: | - # curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - # chmod 700 get_helm.sh - # ./get_helm.sh - # DESIRED_VERSION=v3.8.2 bash get_helm.sh - # - name: Install EKS CTL - # run: | - # curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp - # sudo mv /tmp/eksctl /usr/local/bin - # eksctl version - # - name: Set up Docker Buildx - # uses: docker/setup-buildx-action@v2.5.0 - # - name: Install Operator SDK - # run: | - # sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu - # sudo chmod +x /usr/local/bin/operator-sdk - # - name: Configure Docker Hub credentials - # uses: docker/login-action@v1 - # with: - # username: ${{ secrets.DOCKERHUB_USERNAME }} - # password: ${{ secrets.DOCKERHUB_TOKEN}} - # - name: Set Splunk Operator image - # run: | - # echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - # - name: Pull Splunk Enterprise Image - # run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - # - name: Configure AWS credentials - # uses: aws-actions/configure-aws-credentials@v5 - # with: - # role-to-assume: ${{ vars.AWS_ROLE_ARN }} - # role-session-name: github-${{ github.run_id }} - # aws-region: ${{ vars.AWS_REGION }} - # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - # - name: Login to Amazon ECR - # id: 
login-ecr - # uses: aws-actions/amazon-ecr-login@v1 - # - name: Tag and Push Splunk Enterprise Image to ECR - # run: | - # docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} - # docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} - # - name: Create EKS cluster - # run: | - # export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} - # make cluster-up - # - name: install metric server - # run: | - # curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml - # kubectl replace --force -f components.yaml || kubectl apply -f components.yaml - # - name: install k8s dashboard - # run: | - # kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml - # - name: Setup Kustomize - # run: | - # sudo snap install kustomize - # mkdir -p ./bin - # cp /snap/bin/kustomize ./bin/kustomize - # - name: Run smoke test - # id: smoketest - # timeout-minutes: 240 - # env: - # TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} - # TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} - # run: | - # make int-test - # - name: Collect Test Logs - # if: ${{ always() }} - # run: | - # mkdir -p /tmp/pod_logs - # find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; - # - name: Archive Pod Logs - # if: ${{ always() }} - # uses: actions/upload-artifact@v4.4.0 - # with: - # name: "splunk-pods-logs--artifacts-${{ matrix.test }}" - # path: "/tmp/pod_logs/**" - # - name: Cleanup Test Case artifacts - # if: ${{ always() }} - # run: | - # make cleanup - # make clean - # - name: Cleanup up EKS cluster - # if: ${{ always() }} - # run: | - # make cluster-down - # #- name: Test Report - # # uses: dorny/test-reporter@v1 - # # if: success() || failure() # run this step even if previous step failed - # # with: - # # name: Integration Tests # Name of the check run which will be created - # # 
path: inttest-*.xml # Path to test results - # # reporter: jest-junit # Format of test results + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@v1 + - name: Pull Splunk Operator Image Locally + run: | + docker pull ${{ env.IMAGE_NAME }} + - name: Verify Signed Splunk Operator image + run: | + cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} + env: + COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.IMAGE_NAME }}' + format: sarif + #exit-code: 1 + severity: 'CRITICAL' + ignore-unfixed: true + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + smoke-tests: + needs: + - vulnerability-scan + - approval-gate + strategy: + fail-fast: false + matrix: + test: [ + basic, + appframeworksS1, + managerappframeworkc3, + managerappframeworkm4, + managersecret, + managermc, + ] + runs-on: ubuntu-latest + env: + CLUSTER_NODES: 1 + CLUSTER_WORKERS: 3 + SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} + SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator + TEST_FOCUS: "${{ matrix.test }}" + # This regex matches any string not containing smoke keyword + TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" + TEST_CLUSTER_PLATFORM: eks + EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} + EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} + TEST_BUCKET: ${{ secrets.TEST_BUCKET }} + TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} + ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} + S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + 
EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} + CLUSTER_WIDE: "true" + DEPLOYMENT_TYPE: "" + steps: + - name: Chekcout code + uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Set Test Cluster Name + id: set-cluster-name + uses: ./.github/actions/set-cluster-name + with: + test-type: smoke + test-name: ${{ matrix.test }} + run-id: ${{ github.run_id }} + - name: Export cluster name to environment + run: | + echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Change splunk enterprise to release image on main branches + if: github.ref == 'refs/heads/main' + run: | + echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV + - name: Install Kubectl + uses: Azure/setup-kubectl@v3 + with: + version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} + - name: Install Python + uses: actions/setup-python@v2 + - name: Install AWS CLI + run: | + curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" + unzip awscliv2.zip + sudo ./aws/install --update + aws --version + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install Ginkgo + run: | + make setup/ginkgo + - name: Install Helm + run: | + curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 + chmod 700 get_helm.sh + ./get_helm.sh + DESIRED_VERSION=v3.8.2 bash get_helm.sh + - name: Install EKS CTL + run: | + curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp + sudo mv /tmp/eksctl /usr/local/bin + eksctl version + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 + - name: Install Operator SDK + 
run: | + sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu + sudo chmod +x /usr/local/bin/operator-sdk + - name: Configure Docker Hub credentials + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN}} + - name: Set Splunk Operator image + run: | + echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV + - name: Pull Splunk Enterprise Image + run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Tag and Push Splunk Enterprise Image to ECR + run: | + docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + - name: Create EKS cluster + run: | + export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} + make cluster-up + - name: install metric server + run: | + curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + kubectl replace --force -f components.yaml || kubectl apply -f components.yaml + - name: install k8s dashboard + run: | + kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml + - name: Setup Kustomize + run: | + sudo snap install kustomize + mkdir -p ./bin + cp /snap/bin/kustomize ./bin/kustomize + - name: Run smoke test + id: 
smoketest + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} + run: | + make int-test + - name: Collect Test Logs + if: ${{ always() }} + run: | + mkdir -p /tmp/pod_logs + find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; + - name: Archive Pod Logs + if: ${{ always() }} + uses: actions/upload-artifact@v4.4.0 + with: + name: "splunk-pods-logs--artifacts-${{ matrix.test }}" + path: "/tmp/pod_logs/**" + - name: Cleanup Test Case artifacts + if: ${{ always() }} + run: | + make cleanup + make clean + - name: Cleanup up EKS cluster + if: ${{ always() }} + run: | + make cluster-down + #- name: Test Report + # uses: dorny/test-reporter@v1 + # if: success() || failure() # run this step even if previous step failed + # with: + # name: Integration Tests # Name of the check run which will be created + # path: inttest-*.xml # Path to test results + # reporter: jest-junit # Format of test results diff --git a/.github/workflows/bundle-push-post-release.yml b/.github/workflows/bundle-push-post-release.yml index 7b10c5061..cc4a15b8e 100644 --- a/.github/workflows/bundle-push-post-release.yml +++ b/.github/workflows/bundle-push-post-release.yml @@ -19,7 +19,7 @@ jobs: if: github.ref == 'refs/heads/main' steps: - name: Checkout code - uses: actions/checkout@v2 + uses: ./.github/actions/target-checkout - name: Deep Fetch run: | diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index a863e64e5..e3276cf7f 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml 
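Review bot: The re-enabled `build-operator-image` and `vulnerability-scan` jobs hold `COSIGN_PRIVATE_KEY` and an assumed AWS role while running `sigstore/cosign-installer@main`, `vulnerability-scan` also runs `aquasecurity/trivy-action@master`, and `smoke-tests` downloads eksctl with `curl --silent --insecure --location` and `sudo mv`s it into `/usr/local/bin`. A mutable branch ref or an unverified download executing inside a job that can sign release images is a supply-chain exposure; pin both actions to full commit SHAs the way the file already pins `falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359` (e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # <release-tag>`), drop `--insecure`, and verify the eksctl and operator-sdk downloads against their published checksums before installing them. Every job also checks out `needs.approval-gate.outputs.commit-sha` — presumably the PR head — and then runs `make test`, `make docker-buildx` and `make int-test` from that tree with `COVERALLS_TOKEN`, `DOCKERHUB_TOKEN` and `TEST_S3_SECRET_ACCESS_KEY` in scope, so the approval-gate environment is the only control between a contributor's Makefile and those secrets; a comment above `unit-tests:` stating that invariant would help the next maintainer, and `COVERALLS_TOKEN` should reach goveralls through `env:` rather than being interpolated into the `run:` line. `sigstore/cosign-installer@main` recurs on the new side of the distroless hunk below.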
@@ -15,49 +15,12 @@ on: - develop jobs: approval-gate: - permissions: - contents: read - runs-on: ubuntu-latest - outputs: - commit-sha: ${{ steps.get-sha.outputs.commit_sha }} - commit-message: ${{ steps.get-message.outputs.commit_message }} - environment: ${{ - (github.event_name == 'pull_request_target' && - !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), github.event.pull_request.author_association)) - && inputs.environment-name - || (github.event_name == 'pull_request' && inputs.environment-name) - || '' - }} - steps: - - name: Checkout repository - uses: actions/checkout@v6 - with: - ref: ${{ github.event.pull_request.head.sha || github.sha }} - - name: Get commit SHA - id: get-sha - run: | - COMMIT_SHA="${{ github.event.pull_request.head.sha || github.sha }}" - echo "commit_sha=${COMMIT_SHA}" >> $GITHUB_OUTPUT - echo "Commit SHA: ${COMMIT_SHA}" - - name: Get commit message - id: get-message - run: | - COMMIT_MSG=$(git log -1 --pretty=%B) - echo "commit_message<> $GITHUB_OUTPUT - echo "$COMMIT_MSG" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - echo "Commit message:" - echo "$COMMIT_MSG" - - name: Approval status - run: | - echo "Event: ${{ github.event_name }}" - echo "Author association: ${{ github.event.pull_request.author_association }}" - echo "Approval granted or not required" + uses: ./.github/workflows/approval-gate.yml check-formating: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: actions/checkout@v6 + - uses: ./.github/actions/target-checkout with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action 
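Review bot: The call `uses: ./.github/workflows/approval-gate.yml` drops the `permissions: contents: read` the inline gate job declared and passes no `permissions:` of its own, so the called workflow inherits whatever the caller's workflow-level `permissions` grant (not visible in this hunk); add `permissions:` with `contents: read` under `approval-gate:` so the gate keeps the minimum it needs. `check-formating` still reads `needs.approval-gate.outputs.commit-sha`, which now depends on approval-gate.yml declaring `commit-sha` under `on.workflow_call.outputs` — that file is not in this chunk, so confirm it does, and confirm whether the `COLLABORATOR` bypass and the `pull_request` branch of the removed inline `environment:` expression were carried over or deliberately dropped. The `unit-tests` job in the next hunk lists only `needs: check-formating` yet also reads `needs.approval-gate.outputs.commit-sha`; the `needs` context exposes only direct dependencies, so that `ref:` will be empty (or the workflow rejected at parse time) — add `approval-gate` to its `needs` as the non-distroless workflow does.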
@@ -71,314 +34,314 @@ jobs: run: make fmt && if [[ $? -ne 0 ]]; then false; fi - name: Lint source code run: make vet && if [[ $? -ne 0 ]]; then false; fi -# unit-tests: -# runs-on: ubuntu-latest -# needs: check-formating -# steps: -# - uses: actions/checkout@v6 -# with: -# ref: ${{ needs.approval-gate.outputs.commit-sha }} -# - name: Dotenv Action -# id: dotenv -# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 -# - name: Setup Go -# uses: actions/setup-go@v2 -# with: -# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} -# - name: Install goveralls -# run: | -# go version -# go install github.com/mattn/goveralls@latest -# - name: Install Ginkgo -# run: | -# make setup/ginkgo -# go mod tidy -# - name: Run Unit Tests -# run: make test -# - name: Run Code Coverage -# run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} -# - name: Upload Coverage artifacts -# uses: actions/upload-artifact@v4.4.0 -# with: -# name: coverage.out -# path: coverage.out -# build-operator-image: -# runs-on: ubuntu-latest -# needs: unit-tests -# env: -# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} -# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator -# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} -# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} -# steps: -# - name: Set up cosign -# uses: sigstore/cosign-installer@main + unit-tests: + runs-on: ubuntu-latest + needs: check-formating + steps: + - uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install goveralls + run: | + go version + go install github.com/mattn/goveralls@latest + - name: Install Ginkgo + run: | + make setup/ginkgo + go mod tidy + - name: Run Unit Tests + run: make 
test + - name: Run Code Coverage + run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }} + - name: Upload Coverage artifacts + uses: actions/upload-artifact@v4.4.0 + with: + name: coverage.out + path: coverage.out + build-operator-image: + runs-on: ubuntu-latest + needs: unit-tests + env: + SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + steps: + - name: Set up cosign + uses: sigstore/cosign-installer@main -# - uses: actions/checkout@v6 -# with: -# ref: ${{ needs.approval-gate.outputs.commit-sha }} -# - name: Dotenv Action -# id: dotenv -# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 -# - name: Setup Go -# uses: actions/setup-go@v2 -# with: -# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} -# - name: Install Ginkgo -# run: | -# make setup/ginkgo -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v2.5.0 -# - name: Install Operator SDK -# run: | -# export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) -# export OS=$(uname | awk '{print tolower($0)}') -# export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} -# sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} -# sudo chmod +x operator-sdk_${OS}_${ARCH} -# sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk -# - name: Configure AWS credentials -# uses: aws-actions/configure-aws-credentials@v5 -# with: -# role-to-assume: ${{ vars.AWS_ROLE_ARN }} -# role-session-name: github-${{ github.run_id }} -# aws-region: ${{ vars.AWS_REGION }} -# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} -# - name: Login to Amazon ECR -# id: login-ecr -# uses: aws-actions/amazon-ecr-login@v1 -# - 
name: Build and push Splunk Operator Image -# run: | -# export BASE_IMAGE=gcr.io/distroless/static-debian12 -# export BASE_IMAGE_VERSION=latest -# make docker-buildx BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless -# - name: Sign Splunk Operator image with a key -# run: | -# cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}-distroless -# env: -# COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} -# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} -# # vulnerability-scan: -# # permissions: -# # actions: read -# # contents: read -# # security-events: write -# # runs-on: ubuntu-latest -# # needs: build-operator-image -# # env: -# # SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} -# # SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator -# # ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} -# # S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} -# # IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless -# # steps: -# # - name: Set up cosign -# # uses: sigstore/cosign-installer@main -# # - uses: actions/checkout@v6 -# # with: -# # ref: ${{ needs.approval-gate.outputs.commit-sha }} -# # - name: Dotenv Action -# # id: dotenv -# # uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 -# # - name: Set up Docker Buildx -# # uses: docker/setup-buildx-action@v2.5.0 -# # - name: Configure AWS credentials -# # uses: aws-actions/configure-aws-credentials@v5 -# # with: -# # role-to-assume: ${{ vars.AWS_ROLE_ARN }} -# # role-session-name: github-${{ github.run_id }} -# # aws-region: ${{ vars.AWS_REGION }} -# # role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} -# # -# # - name: Login to Amazon ECR -# # uses: aws-actions/amazon-ecr-login@v1 -# # - name: Pull Splunk Operator Image Locally -# # run: | -# # docker pull ${{ 
env.IMAGE_NAME }} -# # - name: Verify Signed Splunk Operator image -# # run: | -# # cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} -# # env: -# # COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} -# # - name: Run Trivy vulnerability scanner -# # uses: aquasecurity/trivy-action@master -# # with: -# # image-ref: '${{ env.IMAGE_NAME }}' -# # format: sarif -# # #exit-code: 1 -# # severity: 'CRITICAL' -# # ignore-unfixed: true -# # output: 'trivy-results.sarif' -# # - name: Upload Trivy scan results to GitHub Security tab -# # uses: github/codeql-action/upload-sarif@v3 -# # with: -# # sarif_file: 'trivy-results.sarif' -# smoke-tests: -# needs: build-operator-image -# strategy: -# fail-fast: false -# matrix: -# test: [ -# basic, -# appframeworksS1, -# managerappframeworkc3, -# managerappframeworkm4, -# managersecret, -# managermc, -# ] -# runs-on: ubuntu-latest -# env: -# CLUSTER_NODES: 1 -# CLUSTER_WORKERS: 3 -# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} -# SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} -# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator -# SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator -# TEST_FOCUS: "${{ matrix.test }}" -# # This regex matches any string not containing smoke keyword -# TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" -# TEST_CLUSTER_PLATFORM: eks -# EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} -# EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} -# TEST_BUCKET: ${{ secrets.TEST_BUCKET }} -# TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} -# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} -# PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} -# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} -# EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} -# CLUSTER_WIDE: "true" -# DEPLOYMENT_TYPE: "" -# steps: -# - name: Chekcout code -# uses: actions/checkout@v6 -# with: -# 
ref: ${{ needs.approval-gate.outputs.commit-sha }} -# - name: Set Test Cluster Name -# id: set-cluster-name -# uses: ./.github/actions/set-cluster-name -# with: -# test-type: smoke -# platform: distroless -# test-name: ${{ matrix.test }} -# run-id: ${{ github.run_id }} -# - name: Export cluster name to environment -# run: | -# echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV -# - name: Dotenv Action -# id: dotenv -# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 -# - name: Change splunk enterprise to release image on main branches -# if: github.ref == 'refs/heads/main' -# run: | -# echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV -# - name: Install Kubectl -# uses: Azure/setup-kubectl@v3 -# with: -# version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} -# - name: Install Python -# uses: actions/setup-python@v2 -# - name: Install AWS CLI -# run: | -# curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" -# unzip awscliv2.zip -# sudo ./aws/install --update -# aws --version -# - name: Setup Go -# uses: actions/setup-go@v2 -# with: -# go-version: ${{ steps.dotenv.outputs.GO_VERSION }} -# - name: Install Ginkgo -# run: | -# make setup/ginkgo -# - name: Install Helm -# run: | -# curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 -# chmod 700 get_helm.sh -# ./get_helm.sh -# DESIRED_VERSION=v3.8.2 bash get_helm.sh -# - name: Install EKS CTL -# run: | -# curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp -# sudo mv /tmp/eksctl /usr/local/bin -# eksctl version -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v2.5.0 -# - name: Install Operator SDK -# run: | -# sudo curl -L -o /usr/local/bin/operator-sdk 
https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu -# sudo chmod +x /usr/local/bin/operator-sdk -# - name: Configure Docker Hub credentials -# uses: docker/login-action@v1 -# with: -# username: ${{ secrets.DOCKERHUB_USERNAME }} -# password: ${{ secrets.DOCKERHUB_TOKEN}} -# - name: Set Splunk Operator image -# run: | -# echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV -# - name: Pull Splunk Enterprise Image -# run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} -# - name: Configure AWS credentials -# uses: aws-actions/configure-aws-credentials@v5 -# with: -# role-to-assume: ${{ vars.AWS_ROLE_ARN }} -# role-session-name: github-${{ github.run_id }} -# aws-region: ${{ vars.AWS_REGION }} -# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} -# - name: Login to Amazon ECR -# id: login-ecr -# uses: aws-actions/amazon-ecr-login@v1 -# - name: Tag and Push Splunk Enterprise Image to ECR -# run: | -# docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} -# docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} -# - name: Create EKS cluster -# run: | -# export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} -# make cluster-up -# - name: install metric server -# run: | -# curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml -# kubectl replace --force -f components.yaml || kubectl apply -f components.yaml -# - name: install k8s dashboard -# run: | -# kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml -# - name: Setup Kustomize -# run: | -# sudo snap install kustomize -# mkdir -p ./bin -# cp /snap/bin/kustomize ./bin/kustomize -# - name: Run smoke test -# id: 
smoketest -# timeout-minutes: 240 -# env: -# TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} -# TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} -# run: | -# make int-test -# - name: Collect Test Logs -# if: ${{ always() }} -# run: | -# mkdir -p /tmp/pod_logs -# find ./test -name "*.log" -exec cp {} /tmp/pod_logs \; -# - name: Archive Pod Logs -# if: ${{ always() }} -# uses: actions/upload-artifact@v4.4.0 -# with: -# name: "splunk-pods-logs--artifacts-${{ matrix.test }}" -# path: "/tmp/pod_logs/**" -# - name: Cleanup Test Case artifacts -# if: ${{ always() }} -# run: | -# make cleanup -# make clean -# - name: Cleanup up EKS cluster -# if: ${{ always() }} -# run: | -# make cluster-down -# #- name: Test Report -# # uses: dorny/test-reporter@v1 -# # if: success() || failure() # run this step even if previous step failed -# # with: -# # name: Integration Tests # Name of the check run which will be created -# # path: inttest-*.xml # Path to test results -# # reporter: jest-junit # Format of test results + - uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install Ginkgo + run: | + make setup/ginkgo + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 + - name: Install Operator SDK + run: | + export ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac) + export OS=$(uname | awk '{print tolower($0)}') + export OPERATOR_SDK_DL_URL=https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }} + sudo curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} + sudo chmod +x operator-sdk_${OS}_${ARCH} + sudo mv operator-sdk_${OS}_${ARCH} 
/usr/local/bin/operator-sdk + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Build and push Splunk Operator Image + run: | + export BASE_IMAGE=gcr.io/distroless/static-debian12 + export BASE_IMAGE_VERSION=latest + make docker-buildx BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless + - name: Sign Splunk Operator image with a key + run: | + cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}-distroless + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} +# vulnerability-scan: +# permissions: +# actions: read +# contents: read +# security-events: write +# runs-on: ubuntu-latest +# needs: build-operator-image +# env: +# SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} +# SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator +# ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} +# S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} +# IMAGE_NAME: ${{ secrets.ECR_REPOSITORY }}/splunk/splunk-operator:${{ github.sha }}-distroless +# steps: +# - name: Set up cosign +# uses: sigstore/cosign-installer@main +# - uses: ./.github/actions/target-checkout +# with: +# ref: ${{ needs.approval-gate.outputs.commit-sha }} +# - name: Dotenv Action +# id: dotenv +# uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v2.5.0 +# - name: Configure AWS credentials +# uses: aws-actions/configure-aws-credentials@v5 +# with: +# 
role-to-assume: ${{ vars.AWS_ROLE_ARN }} +# role-session-name: github-${{ github.run_id }} +# aws-region: ${{ vars.AWS_REGION }} +# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} +# +# - name: Login to Amazon ECR +# uses: aws-actions/amazon-ecr-login@v1 +# - name: Pull Splunk Operator Image Locally +# run: | +# docker pull ${{ env.IMAGE_NAME }} +# - name: Verify Signed Splunk Operator image +# run: | +# cosign verify --key env://COSIGN_PUBLIC_KEY ${{ env.IMAGE_NAME }} +# env: +# COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: '${{ env.IMAGE_NAME }}' +# format: sarif +# #exit-code: 1 +# severity: 'CRITICAL' +# ignore-unfixed: true +# output: 'trivy-results.sarif' +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: 'trivy-results.sarif' + smoke-tests: + needs: build-operator-image + strategy: + fail-fast: false + matrix: + test: [ + basic, + appframeworksS1, + managerappframeworkc3, + managerappframeworkm4, + managersecret, + managermc, + ] + runs-on: ubuntu-latest + env: + CLUSTER_NODES: 1 + CLUSTER_WORKERS: 3 + SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} + SPLUNK_ENTERPRISE_RELEASE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_RELEASE_IMAGE }} + SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator + SPLUNK_OPERATOR_IMAGE_FILENAME: splunk-operator + TEST_FOCUS: "${{ matrix.test }}" + # This regex matches any string not containing smoke keyword + TEST_TO_SKIP: "^(?:[^s]+|s(?:$|[^m]|m(?:$|[^o]|o(?:$|[^k]|k(?:$|[^e])))))*$" + TEST_CLUSTER_PLATFORM: eks + EKS_VPC_PRIVATE_SUBNET_STRING: ${{ secrets.EKS_VPC_PRIVATE_SUBNET_STRING }} + EKS_VPC_PUBLIC_SUBNET_STRING: ${{ secrets.EKS_VPC_PUBLIC_SUBNET_STRING }} + TEST_BUCKET: ${{ secrets.TEST_BUCKET }} + TEST_INDEXES_S3_BUCKET: ${{ secrets.TEST_INDEXES_S3_BUCKET }} + ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + 
PRIVATE_REGISTRY: ${{ secrets.ECR_REPOSITORY }} + S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + EKS_SSH_PUBLIC_KEY: ${{ secrets.EKS_SSH_PUBLIC_KEY }} + CLUSTER_WIDE: "true" + DEPLOYMENT_TYPE: "" + steps: + - name: Chekcout code + uses: ./.github/actions/target-checkout + with: + ref: ${{ needs.approval-gate.outputs.commit-sha }} + - name: Set Test Cluster Name + id: set-cluster-name + uses: ./.github/actions/set-cluster-name + with: + test-type: smoke + platform: distroless + test-name: ${{ matrix.test }} + run-id: ${{ github.run_id }} + - name: Export cluster name to environment + run: | + echo "TEST_CLUSTER_NAME=${{ steps.set-cluster-name.outputs.cluster-name }}" >> $GITHUB_ENV + - name: Dotenv Action + id: dotenv + uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 + - name: Change splunk enterprise to release image on main branches + if: github.ref == 'refs/heads/main' + run: | + echo "SPLUNK_ENTERPRISE_IMAGE=${{ steps.dotenv.outputs.SPLUNK_ENTERPRISE_RELEASE_IMAGE }}" >> $GITHUB_ENV + - name: Install Kubectl + uses: Azure/setup-kubectl@v3 + with: + version: ${{ steps.dotenv.outputs.KUBECTL_VERSION }} + - name: Install Python + uses: actions/setup-python@v2 + - name: Install AWS CLI + run: | + curl "${{ steps.dotenv.outputs.AWSCLI_URL}}" -o "awscliv2.zip" + unzip awscliv2.zip + sudo ./aws/install --update + aws --version + - name: Setup Go + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.dotenv.outputs.GO_VERSION }} + - name: Install Ginkgo + run: | + make setup/ginkgo + - name: Install Helm + run: | + curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 + chmod 700 get_helm.sh + ./get_helm.sh + DESIRED_VERSION=v3.8.2 bash get_helm.sh + - name: Install EKS CTL + run: | + curl --silent --insecure --location "https://github.com/weaveworks/eksctl/releases/download/${{ steps.dotenv.outputs.EKSCTL_VERSION }}/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp + sudo mv /tmp/eksctl /usr/local/bin + 
eksctl version + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2.5.0 + - name: Install Operator SDK + run: | + sudo curl -L -o /usr/local/bin/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}/operator-sdk-${{ steps.dotenv.outputs.OPERATOR_SDK_VERSION }}-x86_64-linux-gnu + sudo chmod +x /usr/local/bin/operator-sdk + - name: Configure Docker Hub credentials + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN}} + - name: Set Splunk Operator image + run: | + echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV + - name: Pull Splunk Enterprise Image + run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Tag and Push Splunk Enterprise Image to ECR + run: | + docker tag ${{ env.SPLUNK_ENTERPRISE_IMAGE }} ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + docker push ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_ENTERPRISE_IMAGE }} + - name: Create EKS cluster + run: | + export EKS_CLUSTER_K8_VERSION=${{ steps.dotenv.outputs.EKS_CLUSTER_K8_VERSION }} + make cluster-up + - name: install metric server + run: | + curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml + kubectl replace --force -f components.yaml || kubectl apply -f components.yaml + - name: install k8s dashboard + run: | + kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml + - name: Setup Kustomize + 
run: |
+ sudo snap install kustomize
+ mkdir -p ./bin
+ cp /snap/bin/kustomize ./bin/kustomize
+ - name: Run smoke test
+ id: smoketest
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
+ run: |
+ make int-test
+ - name: Collect Test Logs
+ if: ${{ always() }}
+ run: |
+ mkdir -p /tmp/pod_logs
+ find ./test -name "*.log" -exec cp {} /tmp/pod_logs \;
+ - name: Archive Pod Logs
+ if: ${{ always() }}
+ uses: actions/upload-artifact@v4.4.0
+ with:
+ name: "splunk-pods-logs--artifacts-${{ matrix.test }}"
+ path: "/tmp/pod_logs/**"
+ - name: Cleanup Test Case artifacts
+ if: ${{ always() }}
+ run: |
+ make cleanup
+ make clean
+ - name: Cleanup up EKS cluster
+ if: ${{ always() }}
+ run: |
+ make cluster-down
+ #- name: Test Report
+ # uses: dorny/test-reporter@v1
+ # if: success() || failure() # run this step even if previous step failed
+ # with:
+ # name: Integration Tests # Name of the check run which will be created
+ # path: inttest-*.xml # Path to test results
+ # reporter: jest-junit # Format of test results
diff --git a/.github/workflows/distroless-int-test-workflow.yml b/.github/workflows/distroless-int-test-workflow.yml
index 0dea5b263..48210d000 100644
--- a/.github/workflows/distroless-int-test-workflow.yml
+++ b/.github/workflows/distroless-int-test-workflow.yml
@@ -18,7 +18,7 @@ jobs:
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -100,7 +100,7 @@ jobs:
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- name: Checkcout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Set Test Cluster Name
id: set-cluster-name
uses: ./.github/actions/set-cluster-name
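Review bot: In the `@@ -18` hunk `./.github/actions/target-checkout` is now the first step of the job, but a `./`-path action is resolved from the runner workspace, so the repository (at least `.github/actions`) must already be checked out before it can be used; as a first step there is nothing on disk to load it from. The same first-step replacement appears in the helm-test, int-test-azure, int-test-gcp, int-test, kubectl-splunk, manual-int-test, merge-develop-to-main, namespace-scope-int, nightly-int-test, pre-release, prodsec and release hunks that follow, so this needs one decision for all of them. Either put a bootstrap `actions/checkout@v6` with `sparse-checkout: .github/actions` ahead of the local action, or fold the ref selection into `actions/checkout` directly, which is what PATCH 19/23 later on this page ends up doing. Under `pull_request_target` any bootstrap checkout must stay on the base ref (the default), because whichever tree is checked out first supplies the action definition that then runs with base-repository credentials. The `@@ -100` hunk is mid-job, so the steps before its checkout are outside the hunk.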
diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml
index e0ed442a4..0932e164f 100644
--- a/.github/workflows/helm-test-workflow.yml
+++ b/.github/workflows/helm-test-workflow.yml
@@ -20,7 +20,7 @@ jobs:
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -84,7 +84,7 @@ jobs:
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- name: Chekcout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Set Test Cluster Name
id: set-cluster-name
uses: ./.github/actions/set-cluster-name
diff --git a/.github/workflows/int-test-azure-workflow.yml b/.github/workflows/int-test-azure-workflow.yml
index b58a04959..935d4bf22 100644
--- a/.github/workflows/int-test-azure-workflow.yml
+++ b/.github/workflows/int-test-azure-workflow.yml
@@ -16,7 +16,7 @@ jobs:
SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
CONTAINER_REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }}
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -63,7 +63,7 @@ jobs:
AZURE_REGION: ${{ secrets.AZURE_REGION }}
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -138,7 +138,7 @@ jobs:
run: |
echo "TEST_CLUSTER_NAME=az${{ github.run_id }}" >> $GITHUB_ENV
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml
index bae27e97e..26f82233f 100644
--- a/.github/workflows/int-test-gcp-workflow.yml
+++ b/.github/workflows/int-test-gcp-workflow.yml
@@ -18,7 +18,7 @@ jobs:
ARTIFACT_REGISTRY: ${{ secrets.GCP_ARTIFACT_REGISTRY }} # Updated for Artifact Registry
steps:
- name: Checkout Code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Load Environment Variables
id: dotenv
@@ -66,7 +66,7 @@ jobs:
create-cluster-and-run-tests:
strategy:
matrix:
- test_focus:
+ test_focus:
- { order: 1, name: "c3_gcp_sanity" }
- { order: 2, name: "c3_mgr_gcp_sanity" }
- { order: 3, name: "m4_gcp_sanity" }
@@ -116,7 +116,7 @@ jobs:
echo "CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV
echo "TEST_CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV
- name: Checkout Code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Load Environment Variables
id: dotenv
@@ -128,7 +128,7 @@ jobs:
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
-
+
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v1
with:
@@ -187,7 +187,7 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
-
+
- name: Install Go Lint
run: |
go version
@@ -207,7 +207,7 @@ jobs:
username: _json_key
password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
- - name: Pull Splunk Enterprise Image
+ - name: Pull Splunk Enterprise Image
run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
- name: Pull Splunk Operator Image Locally
@@ -230,7 +230,7 @@ jobs:
with:
cluster_name: ${{ env.CLUSTER_NAME }}
location: ${{ env.GCP_ZONE }}
-
+
- name: Install Metrics Server
run: |
curl -LO https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
@@ -248,7 +248,7 @@ jobs:
- name: Verify kubectl Configuration
run: |
kubectl config current-context
-
+
- name: Apply StorageClass
run: |
kubectl apply -f test/gcp-storageclass.yaml
diff --git a/.github/workflows/int-test-workflow.yml b/.github/workflows/int-test-workflow.yml
index fabc2b4fa..3c03d487a 100644
--- a/.github/workflows/int-test-workflow.yml
+++ b/.github/workflows/int-test-workflow.yml
@@ -19,7 +19,7 @@ jobs:
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -96,7 +96,7 @@ jobs:
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- name: Checkcout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Set Test Cluster Name
id: set-cluster-name
uses: ./.github/actions/set-cluster-name
diff --git a/.github/workflows/kubectl-splunk-workflow.yml b/.github/workflows/kubectl-splunk-workflow.yml
index 70bc6fecf..1f8ee803b 100644
--- a/.github/workflows/kubectl-splunk-workflow.yml
+++ b/.github/workflows/kubectl-splunk-workflow.yml
@@ -1,6 +1,6 @@
# .github/workflows/ci.yml
-name: Kubectl Splunk CI
+name: Kubectl Splunk CI
permissions:
contents: read
@@ -9,18 +9,18 @@ permissions:
on:
push:
- branches:
- - feature/CSPL-3152
+ branches:
+ - feature/CSPL-3152
pull_request:
- branches:
- - feature/CSPL-3152
+ branches:
+ - feature/CSPL-3152
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Set up Python
uses: actions/setup-python@v2
diff --git a/.github/workflows/manual-int-test-workflow.yml b/.github/workflows/manual-int-test-workflow.yml
index dc6981e46..d5769b5cd 100644
--- a/.github/workflows/manual-int-test-workflow.yml
+++ b/.github/workflows/manual-int-test-workflow.yml
@@ -57,7 +57,7 @@ jobs:
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Set Test Cluster Name
id: set-cluster-name
uses: ./.github/actions/set-cluster-name
@@ -179,7 +179,7 @@ jobs:
SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
TAG: int
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
diff --git a/.github/workflows/merge-develop-to-main-workflow.yml b/.github/workflows/merge-develop-to-main-workflow.yml
index cab11eb85..6c185602d 100644
--- a/.github/workflows/merge-develop-to-main-workflow.yml
+++ b/.github/workflows/merge-develop-to-main-workflow.yml
@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/develop'
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
with:
ref: main
- name: Reset main branch
@@ -52,7 +52,7 @@ jobs:
SPLUNK_OPERATOR_RC_IMAGE_NAME: splunk/splunk-operator-rc
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
with:
ref: "promote-develop-to-main-${{ github.event.inputs.release_version }}"
diff --git a/.github/workflows/namespace-scope-int-workflow.yml b/.github/workflows/namespace-scope-int-workflow.yml
index 03cbc2b4f..ecb12c87b 100644
--- a/.github/workflows/namespace-scope-int-workflow.yml
+++ b/.github/workflows/namespace-scope-int-workflow.yml
@@ -52,7 +52,7 @@ jobs:
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
with:
ref: develop
- name: Set Test Cluster Name
diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml
index 769bac74a..88a199742 100644
--- a/.github/workflows/nightly-int-test-workflow.yml
+++ b/.github/workflows/nightly-int-test-workflow.yml
@@ -16,7 +16,7 @@ jobs:
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
with:
ref: develop
- name: Dotenv Action
@@ -93,7 +93,7 @@ jobs:
echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV
echo "CLUSTER_NODES=2" >> $GITHUB_ENV
fi
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
with:
ref: develop
- name: Set Test Cluster Name
@@ -217,7 +217,7 @@ jobs:
steps:
- name: Set up cosign
uses: sigstore/cosign-installer@main
- - uses: actions/checkout@v2
+ - uses: ./.github/actions/target-checkout
with:
ref: develop
- name: Dotenv Action
@@ -253,9 +253,8 @@ jobs:
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- - name: Verify Signed Splunk Operator image
+ - name: Verify Signed Splunk Operator image
run: |
cosign verify --key env://COSIGN_PUBLIC_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-
\ No newline at end of file
diff --git a/.github/workflows/pre-release-workflow.yml b/.github/workflows/pre-release-workflow.yml
index b5b48bacc..6238ae5d9 100644
--- a/.github/workflows/pre-release-workflow.yml
+++ b/.github/workflows/pre-release-workflow.yml
@@ -41,7 +41,7 @@ jobs:
', github.ref)
steps:
- name: Checkout code
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
- name: Deep Fetch
run: |
diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml
index ee172ce43..5ca29c6f6 100644
--- a/.github/workflows/prodsec-workflow.yml
+++ b/.github/workflows/prodsec-workflow.yml
@@ -24,7 +24,7 @@ jobs:
container:
image: returntocorp/semgrep
steps:
- - uses: actions/checkout@v6
+ - uses: ./.github/actions/target-checkout
with:
ref: ${{ needs.approval-gate.outputs.commit-sha }}
- run: semgrep ci
@@ -37,7 +37,7 @@ jobs:
ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
steps:
- - uses: actions/checkout@v6
+ - uses: ./.github/actions/target-checkout
with:
ref: ${{ needs.approval-gate.outputs.commit-sha }}
- name: Dotenv Action
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 31e78b221..2d49b2e8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
- uses: actions/checkout@v2
+ uses: ./.github/actions/target-checkout
with:
fetch-depth: 0
From a557fd4bdfc4f27791db061c3a8ac84b65dc379c Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 12 Jan 2026 16:34:51 +0100 Subject: [PATCH 18/23] Add README for GitHub workflows and update workflow triggers - Created a README file to document the PR testing strategy, including the rationale for using `pull_request` and `pull_request_target` events. - Updated multiple workflow files to ignore changes in documentation and markdown files for `pull_request` and `push` events, enhancing workflow efficiency and security. - Ensured consistent handling of pull request events across workflows by implementing the new paths-ignore strategy. --- .github/README.md | 35 +++++++++++++++++++ .../workflows/build-test-push-workflow.yml | 18 ++++++++-- .../distroless-build-test-push-workflow.yml | 18 ++++++++-- .github/workflows/prodsec-workflow.yml | 18 ++++++++-- 4 files changed, 80 insertions(+), 9 deletions(-) create mode 100644 .github/README.md
diff --git a/.github/README.md b/.github/README.md
new file mode 100644
index 000000000..d7624ef93
--- /dev/null
+++ b/.github/README.md
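Review bot: The release.yml hunk passes `fetch-depth: 0` to `./.github/actions/target-checkout`, and unless that composite action declares a `fetch-depth` input and forwards it to the underlying checkout, the runner only warns about the unexpected input and the clone stays shallow, silently dropping the full history the release job presumably relies on. The action's definition is not on this page, so I cannot confirm which case applies; if the input is not declared, either add and forward it in the action or keep `actions/checkout` for this one step. The same question applies to the `ref` inputs passed to the local action in the merge-develop-to-main, namespace-scope-int, nightly-int-test and prodsec hunks above. The rest of the release job is outside the hunk.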
@@ -0,0 +1,35 @@
+# GitHub Workflows
+
+## PR Testing Strategy
+
+### Why Two Triggers?
+
+GitHub's `pull_request` event doesn't expose secrets to fork PRs (for security). But we need secrets to run integration tests. The `pull_request_target` event does expose secrets—but it sets `GITHUB_SHA` to the **base branch**, not the PR. This means the default checkout gets the wrong code, and creates security risks if not handled carefully.
+
+### How We Handle It
+
+| Trigger | Branch | Why |
+|---------|--------|-----|
+| `pull_request_target` | `develop` | Enables secrets for fork PRs; requires manual approval |
+| `pull_request` | All except `develop` | Standard trigger for trusted maintainers |
+
+### Security Requirements
+
+1. **Always use `approval-gate.yml`** as a dependency for jobs needing secrets
+2. **Always use `target-checkout`** action to checkout the correct PR commit (not the base branch)
+3. **Always pass the approval gate's `commit-sha`** to prevent testing unapproved code:
+
+```yaml
+jobs:
+ approval-gate:
+ uses: ./.github/workflows/approval-gate.yml
+
+ build:
+ needs: approval-gate
+ steps:
+ - uses: ./.github/actions/target-checkout
+ with:
+ ref: ${{ needs.approval-gate.outputs.commit-sha }}
+```
+
+> ⚠️ Without these safeguards, a malicious commit could be added after approval but before execution.
diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml
index 838ca0f9e..0379d5987 100644
--- a/.github/workflows/build-test-push-workflow.yml
+++ b/.github/workflows/build-test-push-workflow.yml
@@ -5,14 +5,26 @@ permissions:
id-token: write
pull-requests: write
on:
+ # See .github/README.md for PR testing strategy documentation
pull_request_target:
branches:
- 'develop'
- - 'CSPL-4372-add-approval-gate-exec-in-target'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
+ pull_request:
+ branches-ignore:
+ - 'develop'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
push:
branches:
- - main
- - develop
+ - main
+ - develop
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
jobs:
approval-gate:
uses: ./.github/workflows/approval-gate.yml
diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml
index e3276cf7f..2cdfe1153 100644
--- a/.github/workflows/distroless-build-test-push-workflow.yml
+++ b/.github/workflows/distroless-build-test-push-workflow.yml
@@ -5,14 +5,26 @@ permissions:
id-token: write
pull-requests: write
on:
+ # See .github/README.md for PR testing strategy documentation
pull_request_target:
branches:
- 'develop'
- - 'CSPL-4372-add-approval-gate-exec-in-target'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
+ pull_request:
+ branches-ignore:
+ - 'develop'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
push:
branches:
- - main
- - develop
+ - main
+ - develop
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
jobs:
approval-gate:
uses: ./.github/workflows/approval-gate.yml
diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml
index 5ca29c6f6..8a5312bde 100644
--- a/.github/workflows/prodsec-workflow.yml
+++ b/.github/workflows/prodsec-workflow.yml
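Review bot: The `paths-ignore` entry `'*.md'` added under `pull_request_target` matches only Markdown files at the repository root, because `*` in workflow path filters does not cross `/`; `.github/README.md`, which this same commit adds, and any other nested Markdown still trigger the workflow. If the intent is to skip all Markdown-only changes, use `'**.md'` instead; the pattern is repeated in the `pull_request` and `push` blocks of this hunk and in the distroless-build-test-push and prodsec hunks that follow. Path filters only decide whether the run starts, so they should not be read as a safety control for the `pull_request_target` trigger; the approval gate remains the control.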
@@ -4,14 +4,26 @@ permissions:
packages: write
pull-requests: write
on:
+ # See .github/README.md for PR testing strategy documentation
pull_request_target:
branches:
- 'develop'
- - 'CSPL-4372-add-approval-gate-exec-in-target'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
+ pull_request:
+ branches-ignore:
+ - 'develop'
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
push:
branches:
- - main
- - develop
+ - main
+ - develop
+ paths-ignore:
+ - 'docs/**'
+ - '*.md'
jobs:
approval-gate:
uses: ./.github/workflows/approval-gate.yml
From 4a2bfd8b7f2c12dec798f02141e18b6587b12c18 Mon Sep 17 00:00:00 2001
From: Jakub Buczak Date: Mon, 12 Jan 2026 19:14:45 +0100 Subject: [PATCH 19/23] Update workflows to replace target checkout action with actions/checkout@v6 - Replaced the custom target checkout action with actions/checkout@v6 across multiple workflow files to enhance compatibility and maintainability. - Introduced an environment variable CHECKOUT_REF to standardize the reference used during the checkout process, improving consistency across workflows. --- .github/workflows/approval-gate.yml | 2 +- ...-AL2023-build-test-push-workflow-AL2023.yml | 18 ++++++++++++++---- .../workflows/arm-AL2023-int-test-workflow.yml | 10 ++++++++-- .../arm-RHEL-build-test-push-workflow.yml | 10 ++++++++-- .../workflows/arm-RHEL-int-test-workflow.yml | 10 ++++++++-- .../arm-Ubuntu-build-test-push-workflow.yml | 18 ++++++++++++++---- .../workflows/arm-Ubuntu-int-test-workflow.yml | 10 ++++++++-- .../workflows/automated-release-workflow.yml | 7 +++++-- .github/workflows/bias-language-workflow.yml | 6 +++++- .github/workflows/build-test-push-workflow.yml | 14 +++++++------- .github/workflows/bundle-push-post-release.yml | 7 +++++-- .../distroless-build-test-push-workflow.yml | 10 +++++----- .../workflows/distroless-int-test-workflow.yml | 10 ++++++++-- .github/workflows/helm-test-workflow.yml | 10 ++++++++-- .github/workflows/int-test-azure-workflow.yml | 14 +++++++++++--- .github/workflows/int-test-gcp-workflow.yml | 12 ++++++++---- .github/workflows/int-test-workflow.yml | 10 ++++++++-- .github/workflows/kubectl-splunk-workflow.yml | 8 ++++++-- .github/workflows/manual-int-test-workflow.yml | 10 ++++++++-- .../merge-develop-to-main-workflow.yml | 4 ++-- .../workflows/namespace-scope-int-workflow.yml | 2 +- .../workflows/nightly-int-test-workflow.yml | 6 +++--- .github/workflows/pre-release-workflow.yml | 7 +++++-- .github/workflows/prodsec-workflow.yml | 4 ++-- .github/workflows/release.yml | 6 ++++-- 25 files changed, 162 insertions(+), 63 deletions(-) 
diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml
index 167689f47..693f07a11 100644
--- a/.github/workflows/approval-gate.yml
+++ b/.github/workflows/approval-gate.yml
@@ -31,7 +31,7 @@ jobs:
commit-message: ${{ steps.get-message.outputs.commit_message }}
steps:
- name: Checkout repository
- uses: ./.github/actions/target-checkout
+ uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Get commit SHA
diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
index 95b365fe1..aa1d0736e 100644
--- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
+++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
@@ -10,11 +10,15 @@ on:
splunk_image_repository_tag:
description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)'
required: true
+env:
+ CHECKOUT_REF: ${{ github.ref }}
jobs:
check-formating:
runs-on: ubuntu-latest
steps:
- - uses: ./.github/actions/target-checkout
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -30,7 +34,9 @@ jobs:
runs-on: ubuntu-latest
needs: check-formating
steps:
- - uses: ./.github/actions/target-checkout
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
@@ -67,7 +73,9 @@ jobs:
- name: Set up cosign
uses: sigstore/cosign-installer@main
- - uses: ./.github/actions/target-checkout
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ env.CHECKOUT_REF }}
- name: Dotenv Action
id: dotenv
uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
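Review bot: The approval-gate hunk checks out `github.event.pull_request.head.sha` with `actions/checkout@v6` in a `pull_request_target` run, so the fork's tree lands in a workspace that carries base-repository credentials, and `actions/checkout` writes the job's `GITHUB_TOKEN` into `.git/config` unless told otherwise. Add `persist-credentials: false` under `with:` and keep every later step in this job to read-only git inspection; the `Get commit SHA` step and whatever follows it are outside the hunk, so I cannot confirm that nothing executes repository content. This arrangement is only safe if the job is bound to the approval environment before any step runs, which is defined outside this hunk.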
@@ -148,7 +156,9 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-AL2023-int-test-workflow.yml b/.github/workflows/arm-AL2023-int-test-workflow.yml index 953165f51..7aaeda2e4 100644 --- a/.github/workflows/arm-AL2023-int-test-workflow.yml +++ b/.github/workflows/arm-AL2023-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk AL2023-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-al2023: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-build-test-push-workflow.yml b/.github/workflows/arm-RHEL-build-test-push-workflow.yml index 91d64714e..437b1ca7f 100644 --- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml +++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest 
@@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -102,7 +106,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-RHEL-int-test-workflow.yml b/.github/workflows/arm-RHEL-int-test-workflow.yml index 85b33f015..8c399aeea 100644 --- a/.github/workflows/arm-RHEL-int-test-workflow.yml +++ b/.github/workflows/arm-RHEL-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk RHEL-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml index 6837eb370..2c5a20e2f 100644 --- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml 
+++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml @@ -10,11 +10,15 @@ on: splunk_image_repository_tag: description: 'Splunk Ubuntu-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: check-formating: runs-on: ubuntu-latest steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -30,7 +34,9 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -67,7 +73,9 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -148,7 +156,9 @@ jobs: GRAVITON_TESTING: "true" steps: - name: Chekcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/arm-Ubuntu-int-test-workflow.yml b/.github/workflows/arm-Ubuntu-int-test-workflow.yml index 2aa1ef742..f30372677 100644 --- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml +++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml @@ -10,6 +10,8 @@ on: splunk_image_repository_tag: description: 'Splunk Ubuntu-based Docker Image repository and tag (e.g. repository-name:tag)' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-arm-ubuntu: runs-on: ubuntu-latest 
@@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -101,7 +105,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml index b7b860868..67fe249b4 100644 --- a/.github/workflows/automated-release-workflow.yml +++ b/.github/workflows/automated-release-workflow.yml @@ -16,6 +16,8 @@ on: enterprise_version: description: 'Enterprise Image Version. Should match with Tag on Splunk Enterprise Docker Repo' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: automated-release: name: Automated Release Workflow @@ -31,8 +33,9 @@ jobs: uses: sigstore/cosign-installer@main - name: Checkout code - uses: ./.github/actions/target-checkout - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow diff --git a/.github/workflows/bias-language-workflow.yml b/.github/workflows/bias-language-workflow.yml index 87ff0d806..a72950c2c 100644 --- a/.github/workflows/bias-language-workflow.yml +++ b/.github/workflows/bias-language-workflow.yml 
@@ -4,12 +4,16 @@ permissions: packages: write pull-requests: write on: [push] +env: + CHECKOUT_REF: ${{ github.ref }} jobs: biased_lang: runs-on: ubuntu-latest name: Detecting Biased Language steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - id: biased-lang-linter uses: splunk/biased-lang-linter@main continue-on-error: false diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 0379d5987..4f9bed01e 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -13,8 +13,8 @@ on: - 'docs/**' - '*.md' pull_request: - branches-ignore: - - 'develop' + # branches-ignore: + # - 'develop' paths-ignore: - 'docs/**' - '*.md' @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -52,7 +52,7 @@ jobs: - check-formating - approval-gate steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -94,7 +94,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -155,7 +155,7 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -233,7 +233,7 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Set Test Cluster Name 
diff --git a/.github/workflows/bundle-push-post-release.yml b/.github/workflows/bundle-push-post-release.yml index cc4a15b8e..435fe3a7b 100644 --- a/.github/workflows/bundle-push-post-release.yml +++ b/.github/workflows/bundle-push-post-release.yml @@ -12,6 +12,8 @@ on: operator_image_tag: description: 'Tag for Splunk Operator Image' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: bundle-push: name: Bundle Push Post Release @@ -19,8 +21,9 @@ jobs: if: github.ref == 'refs/heads/main' steps: - name: Checkout code - uses: ./.github/actions/target-checkout - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 2cdfe1153..f0e2a6276 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest needs: approval-gate steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest needs: check-formating steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -89,7 +89,7 @@ jobs: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action @@ -149,7 +149,7 @@ jobs: # steps: # - name: Set up cosign # uses: sigstore/cosign-installer@main -# - uses: ./.github/actions/target-checkout +# - uses: actions/checkout@v6 # with: # ref: ${{ needs.approval-gate.outputs.commit-sha }} # - name: Dotenv Action 
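Review bot: In the distroless `@@ -50,7 +50,7 @@` hunk the job declares `needs: check-formating` only, yet its checkout uses `ref: ${{ needs.approval-gate.outputs.commit-sha }}`; the `needs` context exposes outputs of directly listed jobs only, so unless `approval-gate` is added to `needs` outside the hunk this expression, as far as I can tell, evaluates to an empty string and checkout falls back to its default ref, which under `pull_request_target` is the base branch rather than the approved commit. The parallel job in build-test-push-workflow lists both dependencies; do the same here: `needs:` / `  - check-formating` / `  - approval-gate`. The job header is outside the hunk.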
@@ -225,7 +225,7 @@ jobs: DEPLOYMENT_TYPE: "" steps: - name: Chekcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Set Test Cluster Name diff --git a/.github/workflows/distroless-int-test-workflow.yml b/.github/workflows/distroless-int-test-workflow.yml index 48210d000..b038ee70b 100644 --- a/.github/workflows/distroless-int-test-workflow.yml +++ b/.github/workflows/distroless-int-test-workflow.yml @@ -9,6 +9,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image-distroless: runs-on: ubuntu-latest @@ -18,7 +20,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -100,7 +104,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml index 0932e164f..7d6439b17 100644 --- a/.github/workflows/helm-test-workflow.yml +++ b/.github/workflows/helm-test-workflow.yml @@ -11,6 +11,8 @@ on: - main - feature** workflow_dispatch: +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -20,7 +22,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 
@@ -84,7 +88,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Chekcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name diff --git a/.github/workflows/int-test-azure-workflow.yml b/.github/workflows/int-test-azure-workflow.yml index 935d4bf22..2a3a77d26 100644 --- a/.github/workflows/int-test-azure-workflow.yml +++ b/.github/workflows/int-test-azure-workflow.yml @@ -8,6 +8,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -16,7 +18,9 @@ jobs: SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator CONTAINER_REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -63,7 +67,9 @@ jobs: AZURE_REGION: ${{ secrets.AZURE_REGION }} steps: - name: Checkout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -138,7 +144,9 @@ jobs: run: | echo "TEST_CLUSTER_NAME=az${{ github.run_id }}" >> $GITHUB_ENV - name: Checkout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml index 26f82233f..c87648d68 100644 --- a/.github/workflows/int-test-gcp-workflow.yml +++ b/.github/workflows/int-test-gcp-workflow.yml 
@@ -9,6 +9,8 @@ on: branches: - develop - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -18,8 +20,9 @@ jobs: ARTIFACT_REGISTRY: ${{ secrets.GCP_ARTIFACT_REGISTRY }} # Updated for Artifact Registry steps: - name: Checkout Code - uses: ./.github/actions/target-checkout - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Load Environment Variables id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -116,8 +119,9 @@ jobs: echo "CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV echo "TEST_CLUSTER_NAME=gke-${{ matrix.test_focus.order }}-$GITHUB_RUN_ID" >> $GITHUB_ENV - name: Checkout Code - uses: ./.github/actions/target-checkout - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Load Environment Variables id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 diff --git a/.github/workflows/int-test-workflow.yml b/.github/workflows/int-test-workflow.yml index 3c03d487a..540c12e29 100644 --- a/.github/workflows/int-test-workflow.yml +++ b/.github/workflows/int-test-workflow.yml @@ -10,6 +10,8 @@ on: - develop - main - feature** +env: + CHECKOUT_REF: ${{ github.ref }} jobs: build-operator-image: runs-on: ubuntu-latest @@ -19,7 +21,9 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 @@ -96,7 +100,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkcout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name 
diff --git a/.github/workflows/kubectl-splunk-workflow.yml b/.github/workflows/kubectl-splunk-workflow.yml index 1f8ee803b..29b5143be 100644 --- a/.github/workflows/kubectl-splunk-workflow.yml +++ b/.github/workflows/kubectl-splunk-workflow.yml @@ -15,13 +15,17 @@ on: branches: - feature/CSPL-3152 +env: + CHECKOUT_REF: ${{ github.ref }} + jobs: build-and-test: runs-on: ubuntu-latest steps: - - uses: ./.github/actions/target-checkout - + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set up Python uses: actions/setup-python@v2 with: diff --git a/.github/workflows/manual-int-test-workflow.yml b/.github/workflows/manual-int-test-workflow.yml index d5769b5cd..794a0fbff 100644 --- a/.github/workflows/manual-int-test-workflow.yml +++ b/.github/workflows/manual-int-test-workflow.yml @@ -11,6 +11,8 @@ on: description: 'Run Operator in Cluster Wide Mode. Type false to run cluster in namespace mode' required: false default: "true" +env: + CHECKOUT_REF: ${{ github.ref }} jobs: int-tests: strategy: @@ -57,7 +59,9 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Set Test Cluster Name id: set-cluster-name uses: ./.github/actions/set-cluster-name @@ -179,7 +183,9 @@ jobs: SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator TAG: int steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Dotenv Action id: dotenv uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 diff --git a/.github/workflows/merge-develop-to-main-workflow.yml b/.github/workflows/merge-develop-to-main-workflow.yml index 6c185602d..f58ccc550 100644 --- a/.github/workflows/merge-develop-to-main-workflow.yml +++ b/.github/workflows/merge-develop-to-main-workflow.yml 
@@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest if: github.ref == 'refs/heads/develop' steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: main - name: Reset main branch @@ -52,7 +52,7 @@ jobs: SPLUNK_OPERATOR_RC_IMAGE_NAME: splunk/splunk-operator-rc steps: - name: Checkout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 with: ref: "promote-develop-to-main-${{ github.event.inputs.release_version }}" diff --git a/.github/workflows/namespace-scope-int-workflow.yml b/.github/workflows/namespace-scope-int-workflow.yml index ecb12c87b..2ace40df8 100644 --- a/.github/workflows/namespace-scope-int-workflow.yml +++ b/.github/workflows/namespace-scope-int-workflow.yml @@ -52,7 +52,7 @@ jobs: echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - name: Checkout code - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 with: ref: develop - name: Set Test Cluster Name diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml index 88a199742..20abdb7f2 100644 --- a/.github/workflows/nightly-int-test-workflow.yml +++ b/.github/workflows/nightly-int-test-workflow.yml @@ -16,7 +16,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: develop - name: Dotenv Action @@ -93,7 +93,7 @@ jobs: echo "CLUSTER_WORKERS=5" >> $GITHUB_ENV echo "CLUSTER_NODES=2" >> $GITHUB_ENV fi - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: develop - name: Set Test Cluster Name @@ -217,7 +217,7 @@ jobs: steps: - name: Set up cosign uses: sigstore/cosign-installer@main - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: develop - name: Dotenv Action diff --git a/.github/workflows/pre-release-workflow.yml b/.github/workflows/pre-release-workflow.yml index 6238ae5d9..70e59cfeb 100644 
--- a/.github/workflows/pre-release-workflow.yml +++ b/.github/workflows/pre-release-workflow.yml @@ -27,6 +27,8 @@ on: new_enterprise_version: description: 'NEW ENTERPRISE IMAGE VERSION' required: true +env: + CHECKOUT_REF: ${{ github.ref }} jobs: automated-release: name: Automated Pre Release @@ -41,8 +43,9 @@ jobs: ', github.ref) steps: - name: Checkout code - uses: ./.github/actions/target-checkout - + uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} - name: Deep Fetch run: | git fetch --prune --unshallow diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 8a5312bde..227d9af7c 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -36,7 +36,7 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - run: semgrep ci @@ -49,7 +49,7 @@ jobs: ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} - name: Dotenv Action diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2d49b2e8d..cd7a9ae94 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,15 +7,17 @@ on: push: branches: - main +env: + CHECKOUT_REF: ${{ github.ref }} jobs: release: runs-on: ubuntu-latest steps: - name: Checkout - uses: ./.github/actions/target-checkout + uses: actions/checkout@v6 with: + ref: ${{ env.CHECKOUT_REF }} fetch-depth: 0 - - name: Configure Git run: | git config user.name "$GITHUB_ACTOR" From 8f5effe5d48d006cc7640375466eb7f74c931de8 Mon Sep 17 00:00:00 2001 
From: Jakub Buczak Date: Mon, 12 Jan 2026 19:15:23 +0100 Subject: [PATCH 20/23] Implement checkout reference validation and enhance README documentation - Added a Python script to check for 'with.ref' specification in all actions/checkout usages, ensuring consistent checkout behavior across workflows. - Introduced a new lint-workflows.yml file to automate the validation process during push and pull request events. - Updated the README to include new security requirements and examples for specifying 'with.ref' in workflows, reinforcing best practices for GitHub Actions. --- .github/README.md | 24 +++++++- .github/scripts/check-checkout-ref.py | 81 +++++++++++++++++++++++++++ .github/workflows/lint-workflows.yml | 32 +++++++++++ 3 files changed, 134 insertions(+), 3 deletions(-) create mode 100644 .github/scripts/check-checkout-ref.py create mode 100644 .github/workflows/lint-workflows.yml diff --git a/.github/README.md b/.github/README.md index d7624ef93..4a8f41a72 100644 --- a/.github/README.md +++ b/.github/README.md @@ -16,8 +16,12 @@ GitHub's `pull_request` event doesn't expose secrets to fork PRs (for security). ### Security Requirements 1. **Always use `approval-gate.yml`** as a dependency for jobs needing secrets -2. **Always use `target-checkout`** action to checkout the correct PR commit (not the base branch) -3. **Always pass the approval gate's `commit-sha`** to prevent testing unapproved code: +2. **Always specify `with.ref`** on all `actions/checkout` steps (enforced by `lint-workflows.yml`) +3. **Always pass the approval gate's `commit-sha`** to prevent testing unapproved code + +### Checkout Patterns + +**For workflows using approval-gate** (recommended for `pull_request_target`): ```yaml jobs: 
@@ -27,9 +31,23 @@ jobs: build: needs: approval-gate steps: - - uses: ./.github/actions/target-checkout + - uses: actions/checkout@v6 with: ref: ${{ needs.approval-gate.outputs.commit-sha }} ``` +**For simpler workflows** (e.g., `pull_request` or `push` triggers): + +```yaml +# Preferred: Define ref once at workflow level, reuse in all jobs +env: + CHECKOUT_REF: ${{ github.ref }} +jobs: + build: + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ env.CHECKOUT_REF }} +``` + > ⚠️ Without these safeguards, a malicious commit could be added after approval but before execution. diff --git a/.github/scripts/check-checkout-ref.py b/.github/scripts/check-checkout-ref.py new file mode 100644 index 000000000..8d51c0918 --- /dev/null +++ b/.github/scripts/check-checkout-ref.py 
@@ -0,0 +1,81 @@ +#!/usr/bin/env python3 +""" +Check that all actions/checkout usages have 'with.ref' specified. + +This ensures consistent and explicit checkout behavior across all workflows. +""" + +import sys +from pathlib import Path + +import yaml + + +def check_workflow_file(filepath: Path) -> list[dict]: + """ + Check a workflow file for actions/checkout usages without 'with.ref'. + + Returns a list of violations. + """ + violations = [] + + with open(filepath, "r") as f: + try: + data = yaml.safe_load(f) + except yaml.YAMLError as e: + print(f"Warning: Failed to parse {filepath}: {e}") + return [] + + if not data or "jobs" not in data: + return [] + + for job_name, job in data["jobs"].items(): + steps = job.get("steps", []) + for i, step in enumerate(steps): + uses = step.get("uses", "") + if "actions/checkout" in uses: + with_block = step.get("with", {}) + has_ref = isinstance(with_block, dict) and "ref" in with_block + + if not has_ref: + violations.append({ + "file": str(filepath), + "job": job_name, + "step": i, + "uses": uses, + }) + + return violations + + +def main(): + workflows_dir = Path(".github/workflows") + + if not workflows_dir.exists(): + print("Error: .github/workflows directory not found") + sys.exit(1) + + all_violations = [] + + for pattern in ("*.yml", "*.yaml"): + for workflow_file in sorted(workflows_dir.glob(pattern)): + all_violations.extend(check_workflow_file(workflow_file)) + + if all_violations: + print("❌ Found actions/checkout usages without 'with.ref' specified:\n") + for v in all_violations: + print(f" {v['file']}") + print(f" Job: {v['job']}, Step: {v['step']}") + print(f" Uses: {v['uses']}\n") + print(f"Total violations: {len(all_violations)}") + print("\nAll actions/checkout steps should specify 'with.ref' to ensure") + print("consistent and explicit checkout behavior.") + print("\nSee .github/README.md for security requirements and examples.") + sys.exit(1) + else: + print("✅ All actions/checkout usages have 'with.ref' 
specified") + sys.exit(0) + + +if __name__ == "__main__": + main() diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml new file mode 100644 index 000000000..aa1451189 --- /dev/null +++ b/.github/workflows/lint-workflows.yml @@ -0,0 +1,32 @@ +name: Lint Workflows +permissions: + contents: read +on: + push: + paths: + - '.github/workflows/**' + - '.github/scripts/**' + pull_request: + paths: + - '.github/workflows/**' + - '.github/scripts/**' + +jobs: + check-checkout-ref: + name: Check actions/checkout has ref specified + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ github.event.pull_request.head.sha || github.sha }} + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.14' + + - name: Install dependencies + run: pip install pyyaml + + - name: Check all actions/checkout have ref specified + run: python .github/scripts/check-checkout-ref.py From 7979d7dacf0d1d64d8cd32244e6839616d7ccbb4 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 12 Jan 2026 19:26:36 +0100 Subject: [PATCH 21/23] Remove target checkout action as it is no longer needed after replacing it with actions/checkout@v6 for improved compatibility and maintainability. --- .github/actions/target-checkout/action.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/actions/target-checkout/action.yml diff --git a/.github/actions/target-checkout/action.yml b/.github/actions/target-checkout/action.yml deleted file mode 100644 index 8811f9eda..000000000 --- a/.github/actions/target-checkout/action.yml +++ /dev/null 
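Review bot: `if "actions/checkout" in uses:` is a substring test, so it also fires on a local action such as `./.github/actions/checkout-wrapper` or on a third-party path containing the same words, and `"ref" in with_block` accepts `ref:` with an empty or null value, which makes checkout fall back to its default; match the action exactly and require a non-empty value, e.g. `if uses.startswith("actions/checkout@"):` and `has_ref = isinstance(with_block, dict) and bool(with_block.get("ref"))`. `job.get("steps", [])` raises a TypeError when a job has `steps:` with a null value (and `job` itself can be `None` for an empty job mapping), so use `steps = (job or {}).get("steps") or []`. The check also enforces only the presence of `ref`, not the README's stronger requirement that `pull_request_target` workflows use the approval gate's `commit-sha`, so a `pull_request_target` workflow that sets `ref` to `github.event.pull_request.head.sha` directly passes this lint while bypassing the gate; a follow-up could flag such files unless the ref references `needs.approval-gate.outputs.commit-sha`. `check_workflow_file` and `main` are complete within the hunk.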
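Review bot: `run: pip install pyyaml` in the Install dependencies step of lint-workflows.yml pulls an unpinned, unverified package into a job that is itself a security control; pin it (`run: pip install 'pyyaml==<version>'`, ideally via a requirements file installed with `--require-hashes`) so a PyPI compromise or an incompatible major release cannot silently change what the check parses. `actions/checkout@v6` and `actions/setup-python@v5` are likewise tag-pinned; the full commit SHA with the tag in a trailing comment is the safer form, as `falti/dotenv-action` is already referenced elsewhere on this page.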
@@ -1,20 +0,0 @@ -# .github/actions/target-checkout/action.yml -name: 'Target Checkout' -description: | - Checkout that handles pull_request_target correctly. - This was created to fix the issue where the default checkout in pull_request_target is the main branch, not the PR head. -inputs: - ref: - description: | - The commit SHA to checkout (required if workflow needs approval gate). - If not provided, the PR head or the pushed commit will be used. - required: false - default: '' -runs: - using: 'composite' - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - # Use provided ref, or fall back to PR head for pull_request_target, or default - ref: ${{ inputs.ref || github.event.pull_request.head.sha || github.sha }} \ No newline at end of file From 47d6a20163e02fbd998aeb733771c4898491864c Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 12 Jan 2026 19:31:47 +0100 Subject: [PATCH 22/23] Comment out branches-ignore in pull request triggers across workflows to enable testing before merging to main. Add TODO for future uncommenting. --- .github/workflows/build-test-push-workflow.yml | 2 ++ .github/workflows/distroless-build-test-push-workflow.yml | 6 ++++-- .github/workflows/prodsec-workflow.yml | 6 ++++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index 4f9bed01e..717d34b28 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -13,6 +13,8 @@ on: - 'docs/**' - '*.md' pull_request: + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge # branches-ignore: # - 'develop' paths-ignore: diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index f0e2a6276..db81842f6 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml 
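Review bot: The `# TODO: Uncomment after merge` added above `# branches-ignore:` in build-test-push-workflow has no owner or tracking reference, and TODOs meant to be reverted right after a merge are the ones most often left behind; write it as `# TODO(<ticket>): re-enable branches-ignore for develop once this series is merged`. With the filter commented out, PRs targeting `develop` now fire this `pull_request` block; if the same `on:` block (its earlier entries are outside the hunk) also carries a `pull_request_target` trigger, those PRs presumably run the same jobs twice. The identical change and comment appear in the distroless-build-test-push-workflow and prodsec-workflow hunks that follow; this note applies to them too.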
+++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -13,8 +13,10 @@ on: - 'docs/**' - '*.md' pull_request: - branches-ignore: - - 'develop' + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge + # branches-ignore: + # - 'develop' paths-ignore: - 'docs/**' - '*.md' diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 227d9af7c..8e689c292 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -12,8 +12,10 @@ on: - 'docs/**' - '*.md' pull_request: - branches-ignore: - - 'develop' + # Commented to enable PR testing before merging to main + # TODO: Uncomment after merge + # branches-ignore: + # - 'develop' paths-ignore: - 'docs/**' - '*.md' From 70165223c15b09ee16826636c705e98eb3b12908 Mon Sep 17 00:00:00 2001 From: Jakub Buczak Date: Mon, 12 Jan 2026 19:37:52 +0100 Subject: [PATCH 23/23] Enhance approval gate workflow by removing redundant permissions - Removed unnecessary permissions declarations from the approval gate and get-commit-info jobs, streamlining the workflow configuration. - Added a global permissions section to define content read access, improving clarity and maintainability. --- .github/workflows/approval-gate.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/approval-gate.yml b/.github/workflows/approval-gate.yml index 693f07a11..bfbee58ca 100644 --- a/.github/workflows/approval-gate.yml +++ b/.github/workflows/approval-gate.yml @@ -1,4 +1,6 @@ name: Approval Gate +permissions: + contents: read on: workflow_call: @@ -23,8 +25,6 @@ jobs: # 'github.event.pull_request.head.sha' to get the actual PR commit info. # For 'push' events, we fall back to 'github.sha' (the pushed commit). get-commit-info: - permissions: - contents: read runs-on: ubuntu-latest outputs: commit-sha: ${{ steps.get-sha.outputs.commit_sha }} 
@@ -51,8 +51,6 @@ jobs: echo "$COMMIT_MSG" approval-gate: needs: get-commit-info - permissions: - contents: read runs-on: ubuntu-latest environment: ${{ (github.event_name == 'pull_request_target' &&