Improve automation (#33)

* fix: ensure `make test` can be run Prior to this commit, `make test` would fail because one of the Makefile targets was invoking `./bin/controller-gen` with the wrong arguments. To fix the `controller-gen` invocation, the empty `config/crd/bases` directory had to be added. Finally, the invocation of `controller-gen` has been changed to reflect the one generated by latest version of kube-builder. Signed-off-by: Flavio Castelli <[email protected]> * test: fix integration tests Ensure all the tests are passing Signed-off-by: Flavio Castelli <[email protected]> * chore(deps): update to latest stable version of Go Upgrade to Go 1.21 Signed-off-by: Flavio Castelli <[email protected]> * test: make use of golangci Introduce golangci linter Signed-off-by: Flavio Castelli <[email protected]> * fix: address golangci warnings Address the warnings reported by golangci Signed-off-by: Flavio Castelli <[email protected]> * automation: provide multiple actions This commit brings new automation via new GitHub actions. Important: all the GitHub actions are now referenced by their shasum. This provides a better security posture. Next to the shasum, there's a comment stating the "human" tag of the action. Dependabot can keep both information (shasum, human tag) in sync. Testing ======= Unit and function tests, plus linters are now run on PR and each change done to the `main` branch. Container image building ============================ The container image will be built only from the contents of the `main` branch or with the contents referenced by a tag that follows the `v*` naming convention. Prior to this commit, images were built also for PR branches, which caused issues like #31 The following tags are going to be used: - `latest`: rolling tag pointing to `main` - `v<version>`: a tagged release of the operator Prior to this change the stable releases had a really long (and a bit strange) tag: `:kwasm-operator-<version>`. SBOM generation =============== As part of the release process, SBOM files are generated for the container images (x86_64, arm64). The SBOM files are generated using syft. Cosign integration ================== Each artifact produced by the automation pipeline (container images, SBOM files) are now signed by cosign. Signing is done using Sigstore's keyless mode. Changelog generation ==================== Release drafter is now used to automatically build a changelog of the upcoming release. The changelog is built by looking at the commits subjects. As a result of that, it would be great to have all the contributions follow git semantic commits guidelines. We should probably document that into the contribution guidelines. GitHub Release ============== A GitHub release will be created whenever a `v*` tag is pushed. The name of the GitHub Release will be `v<version>`. The GitHub release will contain the information generated by the `release-drafter` action. The release will also feature several artifacts like the SBOMs and the signatures of the container images (+ SBOMS). These can be used by end users to verify the integrity of all the assets we produce inside of our release pipeline. Prior to this commit, no GitHub Release was created for the operator itself. There was just one release for the helm chart. Helm chart release ================== When the contents of the `charts/` directory are changed, the GitHub action will create a new GitHub release called `kwasm-operator-chart-<version>`. This is done to differentiate it from the GitHub Release of the operator. The action creates also a git tag named `kwasm-operator-chart-<version>`. Before this tag was named `kwasm-operator-<version>`. Signed-off-by: Flavio Castelli <[email protected]> * automation: fix dependabot configuration dependabot configuration had an error which prevented its usage. Now we track Docker, Go and GitHub Actions updates. Signed-off-by: Flavio Castelli <[email protected]> --------- Signed-off-by: Flavio Castelli <[email protected]>
KWasm · Dec 3, 2023 · f3245d3 · f3245d3
1 parent a4a3411
commit f3245d3
Show file tree

Hide file tree

Showing 19 changed files with 713 additions and 111 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,14 @@
 version: 2
 updates:
-  - package-ecosystem: "" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gomod"
+    directory: "/"
     schedule:
       interval: "daily"
-    versioning-strategy: "lockfile-only"
-    allowed_updates:
-      - match:
-          dependency_type: "all"
-          update_type: "semver:patch"
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -0,0 +1,66 @@
+categories:
+  - title: '⚠️  Breaking changes'
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  - title: '🚀 Features'
+    labels:
+      - 'kind/enhancement'
+      - 'kind/feature'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'kind/bug'
+  - title: '🧰 Maintenance'
+    labels:
+      - 'kind/chore'
+      - 'area/dependencies'
+
+exclude-labels:
+  - duplicate
+  - invalid
+  - later
+  - wontfix
+  - kind/question
+  - release/skip-changelog
+
+change-template: '- $TITLE (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+name-template: 'v$RESOLVED_VERSION'
+template: |
+  $CHANGES
+
+autolabeler:
+    # Tag any PR with "!" in the subject as major update. In other words, breaking change
+  - label: 'kind/breaking-change'
+    title: '/.*!:.*/'
+  - label: 'area/dependencies'
+    title: 'chore(deps)'
+  - label: 'area/dependencies'
+    title: 'fix(deps)'
+  - label: 'area/dependencies'
+    title: 'build(deps)'
+  - label: 'kind/feature'
+    title: 'feat'
+  - label: 'kind/bug'
+    title: 'fix'
+  - label: 'kind/chore'
+    title: 'chore'
+
+version-resolver:
+  major:
+    labels:
+      - 'kind/major'
+      - 'kind/breaking-change'
+  minor:
+    labels:
+      - 'kind/minor'
+      - 'kind/feature'
+      - 'kind/enhancement'
+  patch:
+    labels:
+      - 'kind/patch'
+      - 'kind/fix'
+      - 'kind/bug'
+      - 'kind/chore'
+      - 'area/dependencies'
+  default: patch
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,33 @@
+name: CI
+
+on:
+  workflow_call:
+  push:
+  pull_request:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  unit_tests:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.21"
+      - run: make test
+
+  golangci:
+    name: Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.21"
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        with:
+          version: v1.54.2
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -0,0 +1,39 @@
+name: Build container image, sign it, and generate SBOMs
+
+on:
+  workflow_call:
+    outputs:
+      digest:
+        description: "Container image digest"
+        value: ${{jobs.build.outputs.digest}}
+
+  push:
+    branches:
+      - "main"
+      - "feat-**"
+
+jobs:
+  build:
+    uses: ./.github/workflows/container-image.yml
+    permissions:
+      packages: write
+    with:
+      push-image: true
+
+  sign:
+    needs: build
+    uses: ./.github/workflows/sign-image.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
+
+  sbom:
+    needs: build
+    uses: ./.github/workflows/sbom.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -0,0 +1,72 @@
+name: Build container image
+
+on:
+  workflow_call:
+    inputs:
+      push-image:
+        type: boolean
+        required: true
+    outputs:
+      repository:
+        description: "Repository used to build the container image"
+        value: ${{ jobs.build.outputs.repository }}
+      tag:
+        description: "Tag used to build the container image"
+        value: ${{ jobs.build.outputs.tag }}
+      digest:
+        description: "Image digest"
+        value: ${{ jobs.build.outputs.digest }}
+
+jobs:
+  build:
+    name: Build container image
+    permissions:
+      packages: write
+    runs-on: ubuntu-latest
+    outputs:
+      repository: ${{ steps.setoutput.outputs.repository }}
+      tag: ${{ steps.setoutput.outputs.tag }}
+      artifact: ${{ steps.setoutput.outputs.artifact }}
+      digest: ${{ steps.setoutput.outputs.digest }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Retrieve tag name (main branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
+        run: |
+          echo TAG_NAME=latest >> $GITHUB_ENV
+      - name: Retrieve tag name (feat branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
+        run: |
+          echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+      - name: Retrieve tag name (tag)
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+      - name: Build and push container image
+        if: ${{ inputs.push-image }}
+        id: build-image
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64, linux/arm64
+          push: true
+          tags: |
+            ghcr.io/${{github.repository_owner}}/kwasm-operator:${{ env.TAG_NAME }}
+      - id: setoutput
+        name: Set output parameters
+        run: |
+          echo "repository=ghcr.io/${{github.repository_owner}}/kwasm-operator" >> $GITHUB_OUTPUT
+          echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT
+          echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
@@ -0,0 +1,42 @@
+# This action releases the kwasm-operator helm chart
+# The action must run on each commit done against main, however
+# a new release will be performed **only** when a change occurs inside
+# of the `charts` directory.
+name: Release helm chart
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      packages: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.10.0
+
+      - name: Run chart-releaser
+        if: github.ref == 'refs/heads/main'
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-chart-{{ .Version }}"
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -0,0 +1,37 @@
+name: Release Drafter
+
+on:
+  workflow_dispatch:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize, edited]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  pull_request_target:
+    types: [opened, reopened, synchronize, edited]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "master"
+      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
+        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
+        # with:
+        #   config-name: my-config.yml
+        #   disable-autolabeler: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}