diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..c344a50
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,44 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: docker
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ docker:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+- package-ecosystem: gomod
+ commit-message:
+ prefix: chore
+ include: scope
+ directory: /
+ schedule:
+ interval: monthly
+ groups:
+ gomod:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml
new file mode 100644
index 0000000..08389a1
--- /dev/null
+++ b/.github/dependency-review-config.yaml
@@ -0,0 +1,20 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'
+
+allow-dependencies-licenses:
+# this action is GPL-3 but it is only used in CI
+# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806
+- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787
+# this package is MPL-2.0 and has a CNCF exception
+# https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47
+- pkg:golang/github.com/go-sql-driver/mysql
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
index 8bca416..9119585 100644
--- a/.github/workflows/build-and-publish.yaml
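Review bot: The GPL exception for go-test-coverage is pinned to commit `bcd064e5ceef1ccec5441519eb054263b6a44787`, but coverage.yaml in this same change runs `vladopajic/go-test-coverage@937b863f06595080198d555b7ed3aa474ae5199c # v2.14.1`. If dependency-review-action matches a purl that carries a version qualifier exactly, the exception never applies to the commit actually in use, and every Dependabot bump of the action would need this purl edited again. Dropping the qualifier, `- pkg:githubactions/vladopajic/go-test-coverage`, ties the exception to the package rather than one commit while the SHA pin in the workflow still decides which code runs; the existing comment already records why the exception is acceptable (CI-only use).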
+++ b/.github/workflows/build-and-publish.yaml @@ -10,8 +10,18 @@ on: branches: - 'main' +permissions: {} + jobs: docker: + permissions: + # checkout + contents: read + # image push + packages: write + # required by attest-build-provenance + id-token: write + attestations: write runs-on: ubuntu-latest steps: - @@ -48,9 +58,24 @@ jobs: - name: Build and push uses: docker/build-push-action@v5 + id: build-and-push with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} + + - name: Attest dockerhub image + uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 + with: + subject-digest: ${{steps.build-and-push.outputs.digest}} + subject-name: index.docker.io/${{ github.repository }} + push-to-registry: true + + - name: Attest ghcr image + uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 + with: + subject-digest: ${{steps.build-and-push.outputs.digest}} + subject-name: ghcr.io/${{ github.repository }} + push-to-registry: true diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml new file mode 100644 index 0000000..ed3945f --- /dev/null +++ b/.github/workflows/coverage.yaml 
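Review bot: `docker/build-push-action@v5` in the build-and-push step is left pinned to a mutable tag while every action this change adds is pinned to a commit SHA with a version comment; the digest both new attestation steps sign comes from that step's output, so `uses: docker/build-push-action@<commit SHA> # v5` would bring it in line with the Pinned-Dependencies check the new scorecard workflow introduces. The two new `subject-digest: ${{steps.build-and-push.outputs.digest}}` lines omit the spaces inside `${{ }}` that the neighbouring `${{ steps.meta.outputs.tags }}` expressions use. `subject-name: index.docker.io/${{ github.repository }}` presumes the Docker Hub repository has the same owner/name as the GitHub repository, which depends on the `meta` step outside this hunk; confirm the name matches the pushed tag, otherwise the attestation will not resolve against the image. The `docker` job's `steps:` list begins outside this hunk.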
@@ -0,0 +1,27 @@
+name: coverage
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ coverage:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+ with:
+ go-version: stable
+ - name: Calculate coverage
+ run: |
+ go test -skip TestE2E -v -covermode=atomic -coverprofile=cover.out -coverpkg=./... ./...
+ - name: Generage coverage badge
+ uses: vladopajic/go-test-coverage@937b863f06595080198d555b7ed3aa474ae5199c # v2.14.1
+ with:
+ profile: cover.out
+ local-prefix: github.com/${{ github.repository }}
+ git-token: ${{ secrets.GITHUB_TOKEN }}
+ # orphan branch for storing badges
+ git-branch: badges
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
new file mode 100644
index 0000000..4fcbd5b
--- /dev/null
+++ b/.github/workflows/dependency-review.yaml
@@ -0,0 +1,16 @@
+name: dependency review
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ dependency-review:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/dependency-review-action@ce3cf9537a52e8119d91fd484ab5b8a807627bf8 # v4.6.0
+ with:
+ config-file: .github/dependency-review-config.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..fab0671
--- /dev/null
+++ b/.github/workflows/lint.yaml
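Review bot: `git-token: ${{ secrets.GITHUB_TOKEN }}` hands the third-party go-test-coverage action a token carrying `contents: write` on the whole repository, not just the `badges` branch it pushes to; the SHA pin confines the trust to that exact commit and branch protection on `main` is the compensating control, so a comment such as `# contents: write lets the action push the badge to the badges branch; the token is repo-wide` under `permissions:` would make the trade-off visible to the next maintainer. The step name `Generage coverage badge` should read `Generate coverage badge`. The go-test-coverage commit used here also differs from the one listed in the dependency-review exception added in this same change.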
@@ -0,0 +1,28 @@
+name: lint
+on:
+ pull_request:
+ branches:
+ - main
+permissions: {}
+jobs:
+ lint-go:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+ with:
+ go-version: stable
+ - uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
+ with:
+ args: --timeout=180s --enable gocritic
+ lint-actions:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
+ with:
+ args: -color
diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml
new file mode 100644
index 0000000..1ae5976
--- /dev/null
+++ b/.github/workflows/ossf-analysis.yaml
@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+ push:
+ branches:
+ - main
+permissions: {}
+jobs:
+ ossf-scorecard-analysis:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ # Needed if using Code scanning alerts
+ security-events: write
+ # Needed for GitHub OIDC token if publish_results is true
+ id-token: write
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Run analysis
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+ - name: Upload SARIF results to code scanning
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/tag-to-release.yaml b/.github/workflows/tag-to-release.yaml
new file mode 100644
index 0000000..a268fc1
--- /dev/null
+++ b/.github/workflows/tag-to-release.yaml
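Review bot: The workflow triggers only on `push` to `main`, so the published score and the README badge are refreshed only when code lands. The scorecard-action README template, as far as I recall it, also lists a weekly `schedule:` cron so the Maintained check and badge stay current through quiet periods, and a `branch_protection_rule:` trigger so the Branch-Protection check re-evaluates when rules change; both are a few lines under `on:`. The rest of the job already matches that template (`id-token: write` for `publish_results: true`, `security-events: write` for the SARIF upload).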
@@ -0,0 +1,37 @@
+name: tag to release
+on:
+ push:
+ tags:
+ - v*
+permissions: {}
+jobs:
+ release:
+ permissions:
+ # create release
+ contents: write
+ # required by attest-build-provenance
+ id-token: write
+ attestations: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ - name: Create release
+ run: |
+ gh release create "${{ github.ref_name }}" --verify-tag --generate-notes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Attach SBOM to release in SPDX JSON format
+ # https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ /repos/${{ github.repository }}/dependency-graph/sbom > sbom.spdx.json
+ gh release upload "${{ github.ref_name }}" sbom.spdx.json
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+ with:
+ subject-path: sbom.spdx.json
diff --git a/.golangci.yaml b/.golangci.yaml
new file mode 100644
index 0000000..3506354
--- /dev/null
+++ b/.golangci.yaml
@@ -0,0 +1,5 @@
+version: "2"
+linters:
+ exclusions:
+ presets:
+ - std-error-handling
diff --git a/.golangci.yml b/.golangci.yml
deleted file mode 100644
index aed8644..0000000
--- a/.golangci.yml
+++ /dev/null
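Review bot: Both `run:` scripts interpolate `${{ github.ref_name }}` directly into the shell (`gh release create "${{ github.ref_name }}" …` and `gh release upload "${{ github.ref_name }}" …`); the expression is substituted before bash parses the line, so the double quotes do not neutralise a tag name containing shell metacharacters. Passing it through the environment is the pattern GitHub's workflow-hardening guidance recommends: add `TAG: ${{ github.ref_name }}` to each step's `env:` and use `"$TAG"` in the commands. Creating a tag already requires write access, so the exposure is limited to that role, but the change is two lines per step and removes the injection path entirely. The SBOM fetched from `/dependency-graph/sbom` is, as far as I know, a snapshot of the repository's current dependency graph (the default branch) rather than of the tagged commit, which deserves a comment so the attached attestation is not over-read.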
@@ -1,40 +0,0 @@
-run:
- deadline: 5m
- allow-parallel-runners: true
-
-issues:
- # don't skip warning about doc comments
- # don't exclude the default set of lint
- exclude-use-default: false
- # restore some of the defaults
- # (fill in the rest as needed)
- exclude-rules:
- - path: "api/*"
- linters:
- - lll
- - path: "internal/*"
- linters:
- - dupl
- - lll
-linters:
- disable-all: true
- enable:
- - dupl
- - errcheck
- - exportloopref
- - goconst
- - gocyclo
- - gofmt
- - goimports
- - gosimple
- - govet
- - ineffassign
- - lll
- - misspell
- - nakedret
- - prealloc
- - staticcheck
- - typecheck
- - unconvert
- - unparam
- - unused
diff --git a/README.md b/README.md
index 7cb7be5..1a86111 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
 # DBaaS Controller
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10670/badge)](https://www.bestpractices.dev/projects/10670)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/uselagoon/dbaas-controller/badge)](https://securityscorecards.dev/viewer/?uri=github.com/uselagoon/dbaas-controller)
+[![coverage](https://raw.githubusercontent.com/uselagoon/dbaas-controller/badges/.badges/main/coverage.svg)](https://github.com/uselagoon/dbaas-controller/actions/workflows/coverage.yaml)
+
 ## Overview
 The dbaas-controller is designed to be used by Lagoon, specifically focusing on provisioning database access for Lagoon workloads. The dbaas-controller aims to facilitate easier updates, migrations, and overall management of database resources in Lagoon environments.