From 9977c107f0c833206dcf0ff47a9803e06354e4c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Tue, 18 Jul 2023 17:09:42 +0200 Subject: [PATCH 1/6] feat(ci/cd): use release toolkit --- .github/renovate.json5 | 5 ++ .../{prerelease.yml => on_prerelease.yml} | 33 +++++-------- .../workflows/{release.yml => on_release.yml} | 2 +- .github/workflows/push_pr.yml | 3 ++ .github/workflows/security.yml | 47 +++++++++++++++++++ .github/workflows/trigger_prerelease.yml | 20 ++++++++ .gitignore | 5 +- CHANGELOG.md | 6 ++- Makefile | 9 +++- 9 files changed, 106 insertions(+), 24 deletions(-) create mode 100644 .github/renovate.json5 rename .github/workflows/{prerelease.yml => on_prerelease.yml} (90%) rename .github/workflows/{release.yml => on_release.yml} (98%) create mode 100644 .github/workflows/security.yml create mode 100644 .github/workflows/trigger_prerelease.yml diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 0000000..28f3379 --- /dev/null +++ b/.github/renovate.json5 @@ -0,0 +1,5 @@ +{ + "extends": [ + "github>newrelic/coreint-automation:renovate-base.json5" + ] +} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/on_prerelease.yml similarity index 90% rename from .github/workflows/prerelease.yml rename to .github/workflows/on_prerelease.yml index 9b6b5ba..ac91530 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/on_prerelease.yml @@ -1,4 +1,4 @@ -name: Prerelease pipeline +name: Create prerelease artifacts on: release: 
@@ -82,18 +82,6 @@ jobs: GPG_MAIL: 'infrastructure-eng@newrelic.com' GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded - - name: Notify failure via Slack - if: ${{ failure() }} - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed." - - name: Test package installability - uses: newrelic/integrations-pkg-test-action/linux@v1 - with: - tag: ${{ env.TAG }} - integration: nri-${{ env.INTEGRATION }} package-win: name: Create MSI & Upload into GH Release assets @@ -138,13 +126,6 @@ jobs: if: startsWith(matrix.test-upgrade, 'false') shell: bash run: build/windows/upload_msi.sh ${INTEGRATION} ${{ matrix.goarch }} ${TAG} - - name: Notify failure via Slack - if: ${{ failure() }} - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed." publish-to-s3: name: Send release assets to S3 @@ -189,3 +170,15 @@ jobs: packageLocation: repo stagingRepo: true upgrade: false + + notify-failure: + if: ${{ always() && failure() }} + needs: [test-nix, test-windows, test-integration-nix, prerelease, package-win, publish-to-s3] + runs-on: ubuntu-latest + steps: + - name: Notify failure via Slack + uses: archive/github-actions-slack@master + with: + slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} + slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." 
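Review bot: The new `notify-failure` job at the end of this hunk runs `archive/github-actions-slack@master` and hands it `secrets.COREINT_SLACK_TOKEN` and `COREINT_SLACK_CHANNEL`; `master` is a moving branch of a third-party repository, so any push there executes with this repository's secrets, and the same reference is re-used by the parallel `notify-failure` job added to on_release.yml in patch 5. Pin the action to an immutable commit, `uses: archive/github-actions-slack@<full-commit-sha>  # <release tag>`, and let Renovate (configured in this series) raise the bumps. The other actions added in this series are referenced by tag (`newrelic/release-toolkit/validate-markdown@v1`, `aquasecurity/trivy-action@0.7.1`, `actions/checkout@v3`, `github/codeql-action/upload-sarif@v2`, `newrelic/coreint-automation/...@v1`); tags are also mutable, so the same SHA pinning applies, with the branch pin being the one to fix first. The Slack text now reads `env.ORIGINAL_REPO_NAME` where the removed steps used `env.REPO_FULL_NAME`; assuming it is defined in the workflow-level `env:` outside this hunk, otherwise the message renders with an empty repository name.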
diff --git a/.github/workflows/release.yml b/.github/workflows/on_release.yml similarity index 98% rename from .github/workflows/release.yml rename to .github/workflows/on_release.yml index bb0cdab..b0fe8c0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/on_release.yml @@ -1,4 +1,4 @@ -name: Release pipeline +name: Create release artifacts on: release: diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml index 87c6582..2a37958 100644 --- a/.github/workflows/push_pr.yml +++ b/.github/workflows/push_pr.yml @@ -5,6 +5,7 @@ on: branches: - main - master + - renovate/** pull_request: env: @@ -29,6 +30,8 @@ jobs: continue-on-error: ${{ github.event_name != 'pull_request' }} with: only-new-issues: true + - name: Check if CHANGELOG is valid + uses: newrelic/release-toolkit/validate-markdown@v1 snyk: name: Run security checks via snyk diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..646cc5c --- /dev/null +++ b/.github/workflows/security.yml 
@@ -0,0 +1,47 @@ +name: Security Scan + +on: + push: + branches: + - master + - main + - renovate/** + pull_request: + schedule: + - cron: "0 3 * * *" + +jobs: + trivy: + name: Trivy security scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.7.1 + if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically + with: + scan-type: fs + ignore-unfixed: true + exit-code: 1 + severity: 'HIGH,CRITICAL' + skip-dirs: 'build' + + - name: Run Trivy vulnerability scanner sarif output + uses: aquasecurity/trivy-action@0.7.1 + if: ${{ github.event.schedule }} # Generate sarif when running periodically + with: + scan-type: fs + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + skip-dirs: 'build' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: ${{ github.event.schedule }} # Upload sarif when running periodically + with: + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/trigger_prerelease.yml b/.github/workflows/trigger_prerelease.yml new file mode 100644 index 0000000..4446aa2 --- /dev/null +++ b/.github/workflows/trigger_prerelease.yml 
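Review bot: The `trivy` job declares no `permissions:` block, so the `Upload Trivy scan results` step runs with whatever default token scope the repository grants; `upload-sarif` needs `security-events: write` and fails if the default is read-only, while a permissive default gives the checkout and scan steps far more than they use. Declare the minimum at job level, `permissions:` / `  contents: read` / `  security-events: write`, directly under `runs-on: ubuntu-latest`. With that in place the scheduled SARIF path no longer depends on organisation-wide token settings, and the `pull_request` path, which only runs the inline `exit-code: 1` scan, is unaffected.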
@@ -0,0 +1,20 @@ +name: Trigger prerelease creation + +# This workflow triggers a prerelease creation with changelog and the release notes created by the release toolkit. +# This workflow should be triggered merely from the default branch. +# If you wish to be 100% free creating a prerelease, just create it manually. + +on: + workflow_dispatch: + schedule: + - cron: "30 9 * * 2" + +jobs: + prerelease: + uses: newrelic/coreint-automation/.github/workflows/trigger_prerelease.yaml@v1 + secrets: + bot_token: ${{ secrets.COREINT_BOT_TOKEN }} + slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack_token: ${{ secrets.COREINT_SLACK_TOKEN }} + with: + rt-included-files: go.mod,go.sum diff --git a/.gitignore b/.gitignore index 11f76f9..9d4c3d6 100644 --- a/.gitignore +++ b/.gitignore @@ -58,4 +58,7 @@ dist/ src/versioninfo.json src/resource.syso -vendor/ \ No newline at end of file +vendor/ + +# Release toolkit +CHANGELOG.partial.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d2836b..a7d422e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,14 @@ -# Change Log +# Changelog All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +Unreleased section should follow [Release Toolkit](https://github.com/newrelic/release-toolkit#render-markdown-and-update-markdown) + +## Unreleased + ## 2.9.0 (2023-06-06) # Changed - Update Go version to 1.20 diff --git a/Makefile b/Makefile index e153e92..7284948 100644 --- a/Makefile +++ b/Makefile 
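Review bot: The header comment says this workflow should only be triggered from the default branch, but nothing in the `prerelease` job enforces it: `workflow_dispatch` can be started on any branch, and the reusable workflow then receives `COREINT_BOT_TOKEN` and the Slack secrets for that ref. A job-level guard makes the comment true, `if: github.event_name == 'schedule' || github.ref_name == github.event.repository.default_branch`, so a dispatch from a feature branch is skipped instead of producing a prerelease from it; scheduled runs always use the default branch and need no further check. The comment itself could then state the rule as enforced rather than as advice, e.g. `# Runs only from the default branch; dispatches from other branches are skipped.`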
@@ -26,8 +26,15 @@ compile: @echo "=== $(INTEGRATION) === [ compile ]: Building $(BINARY_NAME)..." @go build -o bin/$(BINARY_NAME) $(GO_FILES) +# rt-update-changelog runs the release-toolkit run.sh script by piping it into bash to update the CHANGELOG.md. +# It also passes down to the script all the flags added to the make target. To check all the accepted flags, +# see: https://github.com/newrelic/release-toolkit/blob/main/contrib/ohi-release-notes/run.sh +# e.g. `make rt-update-changelog -- -v` +rt-update-changelog: + curl "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS)) + # Include thematic Makefiles include $(CURDIR)/build/ci.mk include $(CURDIR)/build/release.mk -.PHONY: all build clean compile test +.PHONY: all build clean compile test rt-update-changelog From d4637592880e4b36c2d81efe226bcc02f3275cfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Tue, 18 Jul 2023 17:11:12 +0200 Subject: [PATCH 2/6] chore: bump golang version --- CHANGELOG.md | 2 ++ build/Dockerfile | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7d422e..9096e7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). Unreleased section should follow [Release Toolkit](https://github.com/newrelic/release-toolkit#render-markdown-and-update-markdown) ## Unreleased +### enhancement + - bumped golang version pinning 1.20.6 ## 2.9.0 (2023-06-06) # Changed diff --git a/build/Dockerfile b/build/Dockerfile index 1af00c7..196017e 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-buster +FROM golang:1.20.6-bookworm ARG GH_VERSION='1.9.2' From c4365100a8344b089f3146b6770226a71ceb4c6c Mon Sep 17 00:00:00 2001 
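Review bot: The new `rt-update-changelog` target pipes a script fetched over the network straight into `bash` with a bare `curl`, so a non-2xx response (for example the error page returned if the `v1` ref is moved or removed) is executed as shell, and `v1` is itself a mutable ref, so the executed content can change without any change in this repository. Use `curl -fsSL "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS))` so a failed fetch aborts instead of feeding its body to bash, and consider pinning the URL to a commit SHA rather than `v1` since the script runs with the invoking user's or runner's full privileges. The `$(filter-out $@,$(MAKECMDGOALS))` forwarding shown in the `-- -v` example presumably relies on a catch-all rule elsewhere in the Makefile so the extra goals do not fail with "No rule to make target"; that rule is outside this hunk and worth confirming.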
From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Tue, 18 Jul 2023 17:22:32 +0200 Subject: [PATCH 3/6] fix: typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9096e7f..0515f92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ Unreleased section should follow [Release Toolkit](https://github.com/newrelic/r - bumped golang version pinning 1.20.6 ## 2.9.0 (2023-06-06) -# Changed +### Changed - Update Go version to 1.20 ## 2.8.7 (2022-12-31) From 57dd2a515d1e9211b77af700641bfb33f05c5b99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Wed, 19 Jul 2023 09:49:22 +0200 Subject: [PATCH 4/6] fix: revert step removed by mistake --- .github/workflows/on_prerelease.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/on_prerelease.yml b/.github/workflows/on_prerelease.yml index ac91530..3244ab2 100644 --- a/.github/workflows/on_prerelease.yml +++ b/.github/workflows/on_prerelease.yml @@ -82,6 +82,11 @@ jobs: GPG_MAIL: 'infrastructure-eng@newrelic.com' GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded + - name: Test package installability + uses: newrelic/integrations-pkg-test-action/linux@v1 + with: + tag: ${{ env.TAG }} + integration: nri-${{ env.INTEGRATION }} package-win: name: Create MSI & Upload into GH Release assets From d41a6e0794d624c8dbcb2d6e3c288903b96b9b67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Wed, 19 Jul 2023 09:53:05 +0200 Subject: [PATCH 5/6] fix: add missing notification --- .github/workflows/on_release.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml index b0fe8c0..7825448 100644 --- a/.github/workflows/on_release.yml +++ b/.github/workflows/on_release.yml 
@@ -53,3 +53,15 @@ jobs: integration: 'nri-${{ env.INTEGRATION }}' # Required, with nri- prefix packageLocation: repo upgrade: false + + notify-failure: + if: ${{ always() && failure() }} + needs: [publish-to-s3] + runs-on: ubuntu-latest + steps: + - name: Notify failure via Slack + uses: archive/github-actions-slack@master + with: + slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} + slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} + slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [release pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." From c241177ba7d319ba6d225f05222a8e51535c070f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Felipe=20=C3=81lvarez?= Date: Wed, 19 Jul 2023 10:14:22 +0200 Subject: [PATCH 6/6] feat: include dockerfile to trigger pre-release --- .github/workflows/trigger_prerelease.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trigger_prerelease.yml b/.github/workflows/trigger_prerelease.yml index 4446aa2..0ce13b4 100644 --- a/.github/workflows/trigger_prerelease.yml +++ b/.github/workflows/trigger_prerelease.yml @@ -17,4 +17,4 @@ jobs: slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }} slack_token: ${{ secrets.COREINT_SLACK_TOKEN }} with: - rt-included-files: go.mod,go.sum + rt-included-files: go.mod,go.sum,build/Dockerfile