Merge pull request #1048 from marquiz/release-0.8

[release-0.8]: backports from master

.github/workflows/common-build-docs.yaml

@@ -0,0 +1,36 @@
+name: Build documentation
+on:
+  workflow_call:
+    inputs:
+      publish:
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  update-gh-pages:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Fetch gh-pages
+      run: git fetch --no-tags --prune --depth=1 origin refs/heads/gh-pages:refs/heads/gh-pages
+
+    - name: Install build dependencies
+      run: |
+        pip3 install --user -r docs/requirements.txt
+        echo "`python3 -m site --user-base`/bin" >> $GITHUB_PATH
+
+    - name: Add docs from this revision to gh-pages
+      run: |
+        git config user.name "Github"
+        git config user.email "[email protected]"
+        ./scripts/build/update-gh-pages.sh
+
+    - name: Publish gh-pages
+      if: ${{ inputs.publish }}
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        git push https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git gh-pages

.github/workflows/common-build-images.yaml

@@ -0,0 +1,44 @@
+name: Build container images
+
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        default: ${{ github.ref_name }}
+        required: false
+        type: string
+      publish:
+        default: false
+        required: false
+        type: boolean
+      github-environment:
+        default: null
+        required: false
+        type: string
+
+jobs:
+  build-images:
+    name: Build and publish container images
+    runs-on: ubuntu-22.04
+    environment: ${{ inputs.github-environment }}
+    env:
+      IMAGE_REPO: intel
+      IMAGE_VERSION: ${{ inputs.image-tag }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Build images
+      run: "make images IMAGE_VERSION=${IMAGE_VERSION}  Q="
+
+    - name: Login to Docker Hub
+      if: ${{ inputs.publish }}
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Push images
+      if: ${{ inputs.publish }}
+      run: "make images-push IMAGE_VERSION=${IMAGE_VERSION} Q="
+

.github/workflows/common-codeql.yaml

@@ -0,0 +1,19 @@
+name: CodeQL scanning
+on:
+  workflow_call:
+
+jobs:
+  codeql-scan:
+    runs-on: ubuntu-22.04
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: go
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/common-trivy.yaml

@@ -0,0 +1,90 @@
+name: Trivy scanning
+on:
+  workflow_call:
+    inputs:
+      upload-to-github-security-tab:
+        default: false
+        required: false
+        type: boolean
+      export-csv:
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  trivy-scan-licenses:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Run Trivy in fs mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: fs
+        scan-ref: .
+        exit-code: 1
+        scanners: license
+        severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
+
+  trivy-scan-vulns:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Run Trivy in fs mode
+      continue-on-error: true
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: fs
+        scan-ref: .
+        exit-code: 1
+        list-all-pkgs: true
+        format: json
+        output: trivy-report.json
+
+    - name: Show report in human-readable format
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: convert
+        vuln-type: ''
+        severity: ''
+        image-ref: trivy-report.json
+        format: table
+
+    - name: Convert report to sarif
+      if: ${{ inputs.upload-to-github-security-tab }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: convert
+        vuln-type: ''
+        severity: ''
+        image-ref: trivy-report.json
+        format: sarif
+        output: trivy-report.sarif
+
+    - name: Upload sarif report to GitHub Security tab
+      if: ${{ inputs.upload-to-github-security-tab }}
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+       sarif_file: trivy-report.sarif
+
+    - name: Convert report to csv
+      if: ${{ inputs.export-csv }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: convert
+        vuln-type: ''
+        severity: ''
+        image-ref: trivy-report.json
+        format: template
+        template: "@.github/workflows/trivy-csv.tpl"
+        output: trivy-report.csv
+
+    - name: Upload CSV report as an artifact
+      if: ${{ inputs.export-csv }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: trivy-report
+        path: trivy-report.csv

.github/workflows/common-verify-code.yaml

@@ -0,0 +1,45 @@
+name: Verify code
+
+on:
+  - workflow_call
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+      id: go
+
+    - name: Install golangci-lint
+      run: curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.51.2
+
+    - name: Gofmt
+      run: make format
+
+    - name: Build
+      run: make
+
+    - name: Test
+      run: make test
+
+    - name: Golangci-lint
+      run: |
+        export PATH=$PATH:$(go env GOPATH)/bin
+        make golangci-lint
+
+    - name: Codecov report
+      run: bash <(curl -s https://codecov.io/bash)
+
+  trivy-scan:
+    uses: "./.github/workflows/common-trivy.yaml"
+    with:
+      upload-to-github-security-tab: true
+
+  codeql-scan:
+    uses: "./.github/workflows/common-codeql.yaml"

.github/workflows/publish-devel-images.yaml

@@ -0,0 +1,23 @@
+name: Build and publish devel container images
+
+on:
+  push:
+    branches: ["master"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-scan:
+    uses: "./.github/workflows/common-trivy.yaml"
+
+  publish-images:
+    uses: "./.github/workflows/common-build-images.yaml"
+    needs: [trivy-scan]
+    secrets: inherit
+    with:
+      publish: true
+      image-tag: "devel"
+      github-environment: "staging"
+

.github/workflows/publish-docs.yml

@@ -1,44 +1,22 @@
-name: Publish
+name: Publish documentation
 
 on:
   push:
     branches:
         - master
         - release-*
+    # Path filters are ignored for tags
+    paths:
+      - "docs/**"
+      - "Makefile"
     tags:
         - v*
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
 
 jobs:
   update-gh-pages:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v1
-
-    - name: Turnstyle
-      uses: softprops/turnstyle@v1
-      with:
-        abort-after-seconds: 600
-        same-branch-only: false
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Fetch gh-pages
-      run: git fetch --no-tags --prune --depth=1 origin refs/heads/gh-pages:refs/heads/gh-pages
-
-    - name: Install build dependencies
-      run: |
-        pip3 install --user -r docs/requirements.txt
-        echo "`python3 -m site --user-base`/bin" >> $GITHUB_PATH
-
-    - name: Add docs from this revision to gh-pages
-      run: |
-        git config user.name "Github"
-        git config user.email "[email protected]"
-        ./scripts/build/update-gh-pages.sh
-
-    - name: Publish/push to gh-pages
-      shell: bash
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        git push https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git gh-pages
+    uses: "./.github/workflows/common-build-docs.yaml"
+    with:
+      publish: true

.github/workflows/release.yaml

@@ -0,0 +1,47 @@
+name: Build and publish release artifacts
+
+on:
+  push:
+    tags: [ 'v*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-scan:
+    uses: "./.github/workflows/common-trivy.yaml"
+    with:
+      export-csv: true
+
+  publish-images:
+    uses: "./.github/workflows/common-build-images.yaml"
+    needs: [trivy-scan]
+    secrets: inherit
+    with:
+      publish: true
+      image-tag: ${{ github.ref_name }}
+      github-environment: "release"
+
+  build-packages:
+    needs: [trivy-scan]
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Build packages
+      run: "make cross-packages  Q="
+
+    - name: Build vendored dist tarball
+      run: "make vendored-dist  Q="
+
+    - name: Upload release assets
+      uses: softprops/action-gh-release@v1
+      with:
+        name: ${{ github.ref_name }}
+        draft: true
+        append_body: true
+        files: |
+          packages/release-assets/*
+          vendored-cri-resource-manager-*.tar.gz

.github/workflows/trivy-csv.tpl

@@ -0,0 +1,29 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{- .Target -}})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}
+    {{- .VulnerabilityID }},
+    {{- .Severity }},
+    {{- range $key, $value := .CVSS }}
+        {{- if (eq $key "nvd") }}
+            {{- .V3Score -}}
+        {{- end }}
+    {{- end }},
+    {{- quote .Title }},
+    {{- quote .PkgName }},
+    {{- quote .InstalledVersion }},
+    {{- quote .FixedVersion }},
+    {{- .PrimaryURL }}
+{{ else -}}
+    No vulnerabilities found at this time.
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages -}}
+    {{- quote .ID }},
+    {{- quote .Name }},
+    {{- quote .Version }}
+{{ else -}}
+    No dependencies found at this time.
+{{ end }}
+{{ end }}