Merge pull request #16 from docker/fix-gha-workflows

fix: gha workflows

.github/workflows/codeql.yml

@@ -1,78 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["main"]
-  schedule:
-    - cron: "0 0 * * 1"
-
-permissions:
-  contents: read
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["go"]
-        # CodeQL supports [ $supported-codeql-languages ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
-        with:
-          languages: ${{ matrix.language }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
-
-      # ℹ️ Command-line programs to run using the OS shell.
-      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-      #   If the Autobuild fails above, remove it and uncomment the following three lines.
-      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-      # - run: |
-      #   echo "Run, Build Application using script"
-      #   ./location_of_script_within_repo/buildscript.sh
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
-        with:
-          category: "/language:${{matrix.language}}"

.github/workflows/scorecards.yml

@@ -10,7 +10,7 @@ on:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '20 7 * * 2'
+    - cron: "20 7 * * 2"
   push:
     branches: ["main"]
 
@@ -40,6 +40,13 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+        with:
+          app-id: ${{ vars.DOCKER_READ_APP_ID }}
+          private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
+
       - name: "Run analysis"
         uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
         with:
@@ -49,7 +56,7 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecards on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ steps.app-token.outputs.token }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers

.github/workflows/workflow.yaml

@@ -28,19 +28,33 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Go 1.19
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+        with:
+          app-id: ${{ vars.DOCKER_READ_APP_ID }}
+          private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
+          repositories: "attest,attest-external-data-provider"
+
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.19
+          go-version: 1.22
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
+      - name: Download dependencies
+        run: |
+          export GOPRIVATE="github.com/docker/attest"
+          git config --global "url.https://x-access-token:${{ steps.app-token.outputs.token }}@github.com.insteadof" "https://github.com"
+          go mod download
+
       # source: https://github.com/golangci/golangci-lint-action
       - name: golangci-lint
         uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
-          version: v1.50.0
+          version: v1.59
 
   helm_build_test:
     name: "[Helm] Build and Test"
@@ -54,18 +68,26 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Go 1.19
+      - name: Set up Go 1.22
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version: 1.19
+          go-version: 1.22
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
+        with:
+          app-id: ${{ vars.DOCKER_READ_APP_ID }}
+          private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
+          repositories: "attest,attest-external-data-provider"
+
       - name: Bootstrap e2e
         env:
-          KIND_VERSION: 0.17.0
-          BATS_VERSION: 1.8.2
+          KIND_VERSION: 0.23.0
+          BATS_VERSION: 1.11.0
         run: |
           mkdir -p $GITHUB_WORKSPACE/bin
           echo "${GITHUB_WORKSPACE}/bin" >> $GITHUB_PATH
@@ -74,7 +96,7 @@ jobs:
 
       - name: Create a kind cluster and install Gatekeeper
         env:
-          GATEKEEPER_VERSION: 3.11.0
+          GATEKEEPER_VERSION: 3.16.3
           KUBERNETES_VERSION: 1.26.0
         run: |
           kind create cluster --image kindest/node:v${KUBERNETES_VERSION} --name gatekeeper
@@ -82,6 +104,7 @@ jobs:
           helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
           helm install gatekeeper/gatekeeper \
             --version ${GATEKEEPER_VERSION} \
+            --set validatingWebhookTimeoutSeconds=15 \
             --set enableExternalData=true \
             --name-template=gatekeeper \
             --namespace security \
@@ -91,6 +114,7 @@ jobs:
       - name: Build and install attest-external-data-provider
         run: |
           ./scripts/generate-tls-cert.sh
+          export GITHUB_TOKEN=${{ steps.app-token.outputs.token }}
           make docker-buildx kind-load-image
           helm install attest-provider charts/external-data-provider \
             --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
@@ -99,4 +123,5 @@ jobs:
 
       - name: Run e2e
         run: |
+          export GATEKEEPER_NAMESPACE=security
           bats -t test/bats/test.bats

main.go

@@ -16,7 +16,6 @@ import (
 )
 
 const (
-	// timeout     = 15 * time.Second
 	defaultPort = 8090
 
 	certName = "tls.crt"

test/bats/test.bats

@@ -8,7 +8,7 @@ GATEKEEPER_NAMESPACE=${GATEKEEPER_NAMESPACE:-gatekeeper-system}
 
 teardown_file() {
   kubectl delete -f validation/
-  kubectl delete -f mutation/
+  #kubectl delete -f mutation/
 }
 
 @test "gatekeeper-controller-manager is running" {
@@ -19,33 +19,35 @@ teardown_file() {
   wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller"
 }
 
-@test "external-data-provider is running" {
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=external-data-provider"
+@test "attest-provider is running" {
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=attest-provider"
+  sleep 5 # we need a readiness probe https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
 }
 
-@test "external data validation" {
-  run kubectl apply -f validation/external-data-provider-constraint-template.yaml
+@test "attest validation" {
+  run kubectl apply -f validation/attest-constraint-template.yaml
   assert_success
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sexternaldatavalidation"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sattestexternaldata"
 
-  run kubectl apply -f validation/external-data-provider-constraint.yaml
+  run kubectl apply -f validation/attest-constraint.yaml
   assert_success
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldatavalidation deny-images-with-invalid-suffix"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sattestexternaldata deny-images-that-fail-policy"
 
-  run kubectl run nginx --image=error_nginx --dry-run=server
-  # should deny pod admission if the image name has an "error_" prefix
+  run kubectl create ns test
+  run kubectl run nginx --image=nginx -n test --dry-run=server
+  # should deny pod admission if the image doesn't pass policy
   assert_failure
-  assert_match 'error_nginx' "${output}"
-  assert_match 'error_nginx_invalid' "${output}"
+  assert_match 'admit: false' "${output}"
 }
 
-@test "external data mutation" {
-  run kubectl apply -f mutation/external-data-provider-mutation.yaml
-  assert_success
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image"
-
-  run kubectl run nginx --image=nginx --dry-run=server --output json
-  assert_success
-  # should mutate the image field by appending "_valid" suffix
-  assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})"
-}
+# TODO: write mutating webhook policy
+#@test "attest mutation" {
+#  run kubectl apply -f mutation/external-data-provider-mutation.yaml
+#  assert_success
+#  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image"
+#
+#  run kubectl run nginx --image=nginx --dry-run=server --output json
+#  assert_success
+#  # should mutate the image field by appending "_valid" suffix
+#  assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})"
+#}