diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 0000000..28f3379 --- /dev/null +++ b/.github/renovate.json5 @@ -0,0 +1,5 @@ +{ + "extends": [ + "github>newrelic/coreint-automation:renovate-base.json5" + ] +} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/on_prerelease.yml similarity index 93% rename from .github/workflows/prerelease.yml rename to .github/workflows/on_prerelease.yml index 9b6b5ba..3244ab2 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/on_prerelease.yml @@ -1,4 +1,4 @@ -name: Prerelease pipeline +name: Create prerelease artifacts on: release: @@ -82,13 +82,6 @@ jobs: GPG_MAIL: 'infrastructure-eng@newrelic.com' GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded - - name: Notify failure via Slack - if: ${{ failure() }} - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed." - name: Test package installability uses: newrelic/integrations-pkg-test-action/linux@v1 with: @@ -138,13 +131,6 @@ jobs: if: startsWith(matrix.test-upgrade, 'false') shell: bash run: build/windows/upload_msi.sh ${INTEGRATION} ${{ matrix.goarch }} ${TAG} - - name: Notify failure via Slack - if: ${{ failure() }} - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed." publish-to-s3: name: Send release assets to S3 
@@ -189,3 +175,15 @@ jobs: packageLocation: repo stagingRepo: true upgrade: false + + notify-failure: + if: ${{ always() && failure() }} + needs: [test-nix, test-windows, test-integration-nix, prerelease, package-win, publish-to-s3] + runs-on: ubuntu-latest + steps: + - name: Notify failure via Slack + uses: archive/github-actions-slack@master + with: + slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} + slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." diff --git a/.github/workflows/release.yml b/.github/workflows/on_release.yml similarity index 77% rename from .github/workflows/release.yml rename to .github/workflows/on_release.yml index bb0cdab..7825448 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/on_release.yml @@ -1,4 +1,4 @@ -name: Release pipeline +name: Create release artifacts on: release: @@ -53,3 +53,15 @@ jobs: integration: 'nri-${{ env.INTEGRATION }}' # Required, with nri- prefix packageLocation: repo upgrade: false + + notify-failure: + if: ${{ always() && failure() }} + needs: [publish-to-s3] + runs-on: ubuntu-latest + steps: + - name: Notify failure via Slack + uses: archive/github-actions-slack@master + with: + slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} + slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [release pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml index 87c6582..2a37958 100644 --- a/.github/workflows/push_pr.yml +++ b/.github/workflows/push_pr.yml @@ -5,6 +5,7 @@ on: branches: - main - master + - renovate/** pull_request: env: 
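Review bot: The new `notify-failure` job keeps `uses: archive/github-actions-slack@master`, a third-party action pinned to a mutable branch that is handed `secrets.COREINT_SLACK_TOKEN`; whoever can push to that branch changes what runs with the token on every failed release. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: archive/github-actions-slack@<commit-sha> # vX.Y.Z`, and let the Renovate config added in this commit bump the digest. The identical step is re-added in `on_release.yml` in this same commit and should be pinned the same way. The message now reads `env.ORIGINAL_REPO_NAME` where the removed steps used `env.REPO_FULL_NAME`; that variable is not set in this hunk, so if it is not defined at workflow level the link renders as `https://github.com//actions/runs/...` — worth confirming.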
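Review bot: Adding `renovate/**` to the `push` trigger in `push_pr.yml` makes every Renovate branch run this workflow on the push event in addition to the `pull_request` run it already gets when Renovate opens the PR, so each dependency bump runs twice, and the push run carries the repository's secrets. If the goal is only early status, consider gating secret-using jobs with `if: github.event_name == 'pull_request'` or dropping the push trigger for these branches, since Renovate always opens a PR. Both runs originate from branches in this repository, so this is not a fork-secret exposure; the cost is duplicate runs and a wider window in which a bumped dependency executes alongside the secrets the job references (which jobs do so is not visible in this hunk).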
@@ -29,6 +30,8 @@ jobs: continue-on-error: ${{ github.event_name != 'pull_request' }} with: only-new-issues: true + - name: Check if CHANGELOG is valid + uses: newrelic/release-toolkit/validate-markdown@v1 snyk: name: Run security checks via snyk diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..646cc5c --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,47 @@ +name: Security Scan + +on: + push: + branches: + - master + - main + - renovate/** + pull_request: + schedule: + - cron: "0 3 * * *" + +jobs: + trivy: + name: Trivy security scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.7.1 + if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically + with: + scan-type: fs + ignore-unfixed: true + exit-code: 1 + severity: 'HIGH,CRITICAL' + skip-dirs: 'build' + + - name: Run Trivy vulnerability scanner sarif output + uses: aquasecurity/trivy-action@0.7.1 + if: ${{ github.event.schedule }} # Generate sarif when running periodically + with: + scan-type: fs + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + skip-dirs: 'build' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: ${{ github.event.schedule }} # Upload sarif when running periodically + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/trigger_prerelease.yml b/.github/workflows/trigger_prerelease.yml new file mode 100644 index 0000000..0ce13b4 --- /dev/null +++ b/.github/workflows/trigger_prerelease.yml 
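Review bot: `security.yml` declares no `permissions:` block, so the `trivy` job runs with whatever the repository's default `GITHUB_TOKEN` scope is (write-all on older repositories) even though the only write it needs is `security-events` for the `upload-sarif` step. Add at workflow level `permissions:` / `  contents: read` / `  security-events: write` so a compromised scanner step cannot push to the repo or tamper with other workflows. The scanner `aquasecurity/trivy-action@0.7.1` and the helpers `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` are pinned to mutable tags rather than commit SHAs; for a workflow whose purpose is supply-chain assurance, SHA pins with a version comment make the scan itself tamper-evident and give Renovate a digest to bump. `ignore-unfixed: true` on both runs silently drops findings with no upstream fix, which is a reasonable default but deserves a one-line comment such as `# unfixed CVEs are excluded; re-check when upstream ships a fix` so readers of the Security tab know the scan is not exhaustive.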
@@ -0,0 +1,20 @@ +name: Trigger prerelease creation + +# This workflow triggers a prerelease creation with changelog and the release notes created by the release toolkit. +# This workflow should be triggered merely from the default branch. +# If you wish to be 100% free creating a prerelease, just create it manually. + +on: + workflow_dispatch: + schedule: + - cron: "30 9 * * 2" + +jobs: + prerelease: + uses: newrelic/coreint-automation/.github/workflows/trigger_prerelease.yaml@v1 + secrets: + bot_token: ${{ secrets.COREINT_BOT_TOKEN }} + slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack_token: ${{ secrets.COREINT_SLACK_TOKEN }} + with: + rt-included-files: go.mod,go.sum,build/Dockerfile diff --git a/.gitignore b/.gitignore index 11f76f9..9d4c3d6 100644 --- a/.gitignore +++ b/.gitignore @@ -58,4 +58,7 @@ dist/ src/versioninfo.json src/resource.syso -vendor/ \ No newline at end of file +vendor/ + +# Release toolkit +CHANGELOG.partial.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d2836b..0515f92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,12 +1,18 @@ -# Change Log +# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +Unreleased section should follow [Release Toolkit](https://github.com/newrelic/release-toolkit#render-markdown-and-update-markdown) + +## Unreleased +### enhancement + - bumped golang version pinning 1.20.6 + ## 2.9.0 (2023-06-06) -# Changed +### Changed - Update Go version to 1.20 ## 2.8.7 (2022-12-31) diff --git a/Makefile b/Makefile index e153e92..7284948 100644 --- a/Makefile +++ b/Makefile 
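Review bot: The header comment says this workflow "should be triggered merely from the default branch", but only the `schedule` trigger is implicitly bound to the default branch; `workflow_dispatch` can be run against any branch and nothing in the `prerelease` job enforces the restriction. Add a job-level guard such as `if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)` (or compare against the literal default branch name) so a dispatch from a feature branch cannot cut a prerelease with `COREINT_BOT_TOKEN`. The reusable workflow `newrelic/coreint-automation/.github/workflows/trigger_prerelease.yaml@v1` is pulled from a mutable tag while receiving the bot and Slack tokens; a commit-SHA pin is preferable even within the same organisation. The comment wording is also unclear — `This workflow must only be run from the default branch.` and `To create a prerelease outside this schedule, create it manually.` say the same thing plainly.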
@@ -26,8 +26,15 @@ compile: @echo "=== $(INTEGRATION) === [ compile ]: Building $(BINARY_NAME)..." @go build -o bin/$(BINARY_NAME) $(GO_FILES) +# rt-update-changelog runs the release-toolkit run.sh script by piping it into bash to update the CHANGELOG.md. +# It also passes down to the script all the flags added to the make target. To check all the accepted flags, +# see: https://github.com/newrelic/release-toolkit/blob/main/contrib/ohi-release-notes/run.sh +# e.g. `make rt-update-changelog -- -v` +rt-update-changelog: + curl "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS)) + # Include thematic Makefiles include $(CURDIR)/build/ci.mk include $(CURDIR)/build/release.mk -.PHONY: all build clean compile test +.PHONY: all build clean compile test rt-update-changelog diff --git a/build/Dockerfile b/build/Dockerfile index 1af00c7..196017e 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-buster +FROM golang:1.20.6-bookworm ARG GH_VERSION='1.9.2'
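Review bot: The new `rt-update-changelog` recipe pipes `curl ... | bash` without `-f`, so an HTTP error body (raw.githubusercontent.com answers a missing path with plain-text `404: Not Found`) is fed to bash as a command instead of failing the target, and the script is fetched from the mutable `v1` ref with no integrity check, so anyone who can move that ref runs arbitrary code on every contributor's machine that invokes the target. At minimum change the recipe to `curl -fsSL "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS))`; better, pin the URL to a commit SHA or vendor the script under `build/` and verify a checksum before executing it. The recipe line must be tab-indented in the real file, which this collapsed diff cannot show. The documented `make rt-update-changelog -- -v` form also only works if the Makefile has a catch-all rule that swallows the extra goals, which is not visible in this hunk.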