From 6a5ef307119405eb1669e139d23b81bfe700684c Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Mon, 24 Mar 2025 16:10:54 +0800
Subject: [PATCH 1/7] chore: configure dependabot
---
.github/dependabot.yaml | 44 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/dependabot.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..c344a50
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,44 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: docker
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ docker:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: gomod
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ gomod:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
From f434b7adea4ea614d796e17df2a24f0b10f1f910 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Tue, 15 Apr 2025 20:23:41 +0800
Subject: [PATCH 2/7] chore: add dependency review workkflow and configuration
---
.github/dependency-review-config.yaml | 17 +++++++++++++++++
.github/workflows/dependency-review.yaml | 16 ++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 .github/dependency-review-config.yaml
create mode 100644 .github/workflows/dependency-review.yaml
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
new file mode 100644
index 0000000..f9eda47
--- /dev/null
+++ b/.github/dependency-review-config.yaml
@@ -0,0 +1,17 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+allow-dependencies-licenses:
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..4fcbd5b
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
+ with:
+ config-file: .github/dependency-review-config.yaml
From 8c47f33e0974081053435133fffe9bec98ea50b2 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 16 May 2025 13:18:42 +0800
Subject: [PATCH 3/7] chore: enable OSSF analysis workflow and add badges to README
---
.github/workflows/ossf-analysis.yaml | 31 ++++++++++++++++++++++++++++
README.md | 3 +++
2 files changed, 34 insertions(+)
create mode 100644 .github/workflows/ossf-analysis.yaml
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
new file mode 100644
index 0000000..d9940bc
--- /dev/null
+++ b/.github/workflows/ossf-analysis.yaml
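Review bot: The exemption under `allow-dependencies-licenses` pins `vladopajic/go-test-coverage` at `bcd064e5ceef1ccec5441519eb054263b6a44787`, but the coverage workflow added later in this series (patch 6/7, `.github/workflows/coverage.yaml`) uses the action at `937b863f06595080198d555b7ed3aa474ae5199c` (v2.14.1). If the action compares the purl's version component exactly, this entry will not cover the SHA actually in use and the GPL-3 check will still fail on the pull request that introduces that workflow; it would also need a manual edit on every grouped github-actions bump from 1/7. Either drop the `@…` suffix so the exemption follows whatever SHA is pinned, or add `# keep in sync with the SHA pinned in .github/workflows/coverage.yaml` above the entry.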
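Review bot: The `actions/checkout` step in `dependency-review.yaml` keeps the default `persist-credentials: true`, which leaves the job's GITHUB_TOKEN in `.git/config` for every later step although nothing in this job writes to git; the checkout steps in ossf-analysis.yaml (3/7), coverage.yaml (6/7), lint.yaml (7/7) and tag-to-release.yaml (5/7) are in the same position. Adding `with:` / `persist-credentials: false` to each is the usual hardening for read-only jobs (the scorecard action's own template does this), and it should be harmless here because tag-to-release passes the token to `gh` via `env` and coverage.yaml hands `git-token` to the badge action explicitly — worth confirming for the latter, since that action pushes to the `badges` branch.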
@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ ossf-scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Run analysis
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+ - name: Upload SARIF results to code scanning
+ uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
+ with:
+ sarif_file: results.sarif
diff --git a/README.md b/README.md
index 51e232a..2c3a177 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,8 @@ # Aergia +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/aergia-controller/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/aergia-controller) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10427/badge)](https://www.bestpractices.dev/projects/10427) + > In Greek mythology, Aergia is the personification of sloth, idleness, indolence and laziness Aergia is a controller that can be used to scale deployments from zero when a request is made to an ingress with a zero scaled deployment.
From c84f550a12416f772339079131d1f4d0b3bc6c12 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Thu, 15 May 2025 14:04:08 +0800
Subject: [PATCH 4/7] chore: attest images
---
.github/workflows/build_and_publish.yml | 27 +++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build_and_publish.yml b/.github/workflows/build_and_publish.yml
index b568b06..6308c3b 100644
--- a/.github/workflows/build_and_publish.yml
+++ b/.github/workflows/build_and_publish.yml
@@ -9,9 +9,17 @@ on: pull_request: branches: - 'main' - +permissions: {} jobs: docker: + permissions: + # checkout + contents: read + # image push + packages: write + # required by attest-build-provenance + id-token: write + attestations: write runs-on: ubuntu-latest steps: -
@@ -48,9 +56,24 @@ jobs: - name: Build and push uses: docker/build-push-action@v5 + id: build-and-push with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} + + - name: Attest dockerhub image + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + with: + subject-digest: ${{steps.build-and-push.outputs.digest}} + subject-name: index.docker.io/${{ github.repository_owner }}/aergia + push-to-registry: true + + - name: Attest ghcr image + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + with: + subject-digest: ${{steps.build-and-push.outputs.digest}} + subject-name: ghcr.io/${{ github.repository_owner }}/aergia + push-to-registry: true
From e7ab5970978b73191f324f31bb02902111ac55ab Mon Sep 17 00:00:00 2001
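Review bot: The two new attest steps in the second hunk pin `actions/attest-build-provenance` at `1c608d11…` (v1.4.3), while `tag-to-release.yaml` in patch 5/7 pins the same action at `db473fdd…` (v2.3.0); starting the series with one version in both files avoids carrying two majors of the same action and keeps the grouped github-actions bumps configured in 1/7 simple. Minor style: `${{steps.build-and-push.outputs.digest}}` drops the inner spaces that every other expression in the file uses (`${{ steps.meta.outputs.tags }}`), and the new steps are SHA-pinned while the surrounding `docker/build-push-action@v5` context line is tag-pinned, so the file now mixes both conventions. Both hunks change only part of the `docker` job, whose remaining steps lie outside them.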
From: Scott Leggett
Date: Fri, 16 May 2025 11:18:20 +0800
Subject: [PATCH 5/7] chore: add tag-to-release workflow
This workflow will trigger when a tag is pushed and will create a Github Release for the tag. It will also attach an attested SBOM to the release.
---
.github/workflows/tag-to-release.yaml | 37 +++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 .github/workflows/tag-to-release.yaml
diff --git a/.github/workflows/tag-to-release.yaml b/.github/workflows/tag-to-release.yaml
new file mode 100644
index 0000000..a268fc1
--- /dev/null
+++ b/.github/workflows/tag-to-release.yaml
@@ -0,0 +1,37 @@
+name: tag to release
+on:
+ push:
+ tags:
+ - v*
+permissions: {}
+jobs:
+ release:
+ permissions:
+ # create release
+ contents: write
+ # required by attest-build-provenance
+ id-token: write
+ attestations: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ - name: Create release
+ run: |
+ gh release create "${{ github.ref_name }}" --verify-tag --generate-notes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Attach SBOM to release in SPDX JSON format
+ # https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/dependency-graph/sbom > sbom.spdx.json
+ gh release upload "${{ github.ref_name }}" sbom.spdx.json
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+ with:
+ subject-path: sbom.spdx.json
From 62e9c11528ee28b7ad201c660c45c69c0693bd52 Mon Sep 17 00:00:00 2001
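Review bot: Both `run` scripts in `tag-to-release.yaml` splice `${{ github.ref_name }}` straight into shell text, so the tag name is expanded before the shell parses the line; GitHub's hardening guidance is to route such values through `env` and reference a shell variable instead, which keeps an oddly named tag from being read as shell syntax regardless of who can push tags. The change is the same in both steps: add `TAG: ${{ github.ref_name }}` beside `GITHUB_TOKEN` under `env:` and use `gh release create "$TAG" --verify-tag --generate-notes` and `gh release upload "$TAG" sbom.spdx.json`. Separately, as far as I can tell the `/dependency-graph/sbom` endpoint returns the repository's current dependency graph rather than a snapshot of the tagged commit, so a one-line comment on the SBOM step saying that the attestation covers the file's provenance, not that its contents match the tag, would set expectations for consumers of the release.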
From: Scott Leggett
Date: Fri, 16 May 2025 11:32:39 +0800
Subject: [PATCH 6/7] chore: add coverage workflow
---
.github/workflows/coverage.yaml | 27 +++++++++++++++++++++++++++
README.md | 1 +
2 files changed, 28 insertions(+)
create mode 100644 .github/workflows/coverage.yaml
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
new file mode 100644
index 0000000..ad16190
--- /dev/null
+++ b/.github/workflows/coverage.yaml
@@ -0,0 +1,27 @@
+name: coverage
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ coverage:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+ with:
+ go-version: stable
+ - name: Calculate coverage
+ run: |
+ go test -v -covermode=atomic -coverprofile=cover.out -coverpkg=./... ./...
+ - name: Generage coverage badge
+ uses: vladopajic/go-test-coverage@937b863f06595080198d555b7ed3aa474ae5199c # v2.14.1
+ with:
+ profile: cover.out
+ local-prefix: github.com/${{ github.repository }}
+ git-token: ${{ secrets.GITHUB_TOKEN }}
+ # orphan branch for storing badges
+ git-branch: badges
diff --git a/README.md b/README.md
index 2c3a177..12dbd46 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,7 @@ [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/aergia-controller/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/aergia-controller) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10427/badge)](https://www.bestpractices.dev/projects/10427) +[![coverage](https://raw.githubusercontent.com/uselagoon/aergia-controller/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/aergia-controller/actions/workflows/coverage.yaml) > In Greek mythology, Aergia is the personification of sloth, idleness, indolence and laziness
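Review bot: `go-version: stable` in `coverage.yaml` resolves to whichever Go release is current on the day the workflow runs, so the coverage result and the badge pushed to the `badges` branch can change with no commit to the repository; `go-version-file: go.mod` ties the toolchain to what the module declares, assuming go.mod sits at the repository root as the `gomod` dependabot entry in 1/7 suggests. The same setup-go input appears in lint.yaml (7/7) and would benefit from the same treatment. Also, the step name `Generage coverage badge` has a typo — `Generate coverage badge`.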
From 4f2ac04e76bccf936dbf6dbd67ea24355d71f007 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Fri, 16 May 2025 11:40:11 +0800
Subject: [PATCH 7/7] chore: add lint workflow
---
.github/workflows/lint.yaml | 28 ++++++++++++++++++++++++++++
.golangci.yaml | 5 +++++
2 files changed, 33 insertions(+)
create mode 100644 .github/workflows/lint.yaml
create mode 100644 .golangci.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..fab0671
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,28 @@
+name: lint
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ lint-go:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+ with:
+ go-version: stable
+ - uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+ with:
+ args: --timeout=180s --enable gocritic
+ lint-actions:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
+ with:
+ args: -color
diff --git a/.golangci.yaml b/.golangci.yaml
new file mode 100644
index 0000000..3506354
--- /dev/null
+++ b/.golangci.yaml
@@ -0,0 +1,5 @@
+version: "2"
+linters:
+ exclusions:
+ presets:
+ - std-error-handling
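Review bot: `args: --timeout=180s --enable gocritic` in `lint.yaml` turns on a linter from the workflow rather than from the `.golangci.yaml` added in the same commit, so a developer running `golangci-lint run` locally gets a different linter set than CI and only sees gocritic findings on the pull request. Declaring it in the config keeps one source of truth: under `linters:` add `enable:` with `- gocritic`, and leave `--timeout=180s` as the only CLI argument. The `lint-actions` job is fine as written; the digest-pinned `docker://` reference is the right way to pin that image.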