newrelic · sigilioso · Jul 19, 2023 · Jul 18, 2023 · Jul 18, 2023 · Jul 18, 2023
@@ -0,0 +1,5 @@
+{
+ "extends": [
+ "github>newrelic/coreint-automation:renovate-base.json5"
+ ]
+}
@@ -1,4 +1,4 @@
-name: Prerelease pipeline
+name: Create prerelease artifacts
 
 on:
  release:
@@ -82,13 +82,6 @@ jobs:
  GPG_MAIL: 'infrastructure-eng@newrelic.com'
  GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
  GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
- - name: Notify failure via Slack
- if: ${{ failure() }}
- uses: archive/github-actions-slack@master
- with:
- slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
- slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
- slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed."
  - name: Test package installability
  uses: newrelic/integrations-pkg-test-action/linux@v1
  with:
@@ -138,13 +131,6 @@ jobs:
  if: startsWith(matrix.test-upgrade, 'false')
  shell: bash
  run: build/windows/upload_msi.sh ${INTEGRATION} ${{ matrix.goarch }} ${TAG}
- - name: Notify failure via Slack
- if: ${{ failure() }}
- uses: archive/github-actions-slack@master
- with:
- slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
- slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
- slack-text: "❌ `${{ env.REPO_FULL_NAME }}`: prerelease pipeline failed."
 
  publish-to-s3:
  name: Send release assets to S3
@@ -189,3 +175,15 @@ jobs:
  packageLocation: repo
  stagingRepo: true
  upgrade: false
+
+ notify-failure:
+ if: ${{ always() && failure() }}
+ needs: [test-nix, test-windows, test-integration-nix, prerelease, package-win, publish-to-s3]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify failure via Slack
+ uses: archive/github-actions-slack@master
+ with:
+ slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }}
+ slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
+ slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})."
@@ -1,4 +1,4 @@
-name: Release pipeline
+name: Create release artifacts
 
 on:
  release:

@@ -5,6 +5,7 @@ on:
  branches:
  - main
  - master
+ - renovate/**
  pull_request:
 
 env:
@@ -29,6 +30,8 @@ jobs:
  continue-on-error: ${{ github.event_name != 'pull_request' }}
  with:
  only-new-issues: true
+ - name: Check if CHANGELOG is valid
+ uses: newrelic/release-toolkit/validate-markdown@v1
 
  snyk:
  name: Run security checks via snyk

@@ -0,0 +1,47 @@
+name: Security Scan
+
+on:
+ push:
+ branches:
+ - master
+ - main
+ - renovate/**
+ pull_request:
+ schedule:
+ - cron: "0 3 * * *"
+
+jobs:
+ trivy:
+ name: Trivy security scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.7.1
+ if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically
+ with:
+ scan-type: fs
+ ignore-unfixed: true
+ exit-code: 1
+ severity: 'HIGH,CRITICAL'
+ skip-dirs: 'build'
+
+ - name: Run Trivy vulnerability scanner sarif output
+ uses: aquasecurity/trivy-action@0.7.1
+ if: ${{ github.event.schedule }} # Generate sarif when running periodically
+ with:
+ scan-type: fs
+ ignore-unfixed: true
+ severity: 'HIGH,CRITICAL'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ skip-dirs: 'build'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: ${{ github.event.schedule }} # Upload sarif when running periodically
+ with:
+ sarif_file: 'trivy-results.sarif'
@@ -0,0 +1,20 @@
+name: Trigger prerelease creation
+
+# This workflow triggers a prerelease creation with changelog and the release notes created by the release toolkit.
+# This workflow should be triggered merely from the default branch.
+# If you wish to be 100% free creating a prerelease, just create it manually.
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "30 9 * * 2"
+
+jobs:
+ prerelease:
+ uses: newrelic/coreint-automation/.github/workflows/trigger_prerelease.yaml@v1
+ secrets:
+ bot_token: ${{ secrets.COREINT_BOT_TOKEN }}
+ slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
+ slack_token: ${{ secrets.COREINT_SLACK_TOKEN }}
+ with:
+ rt-included-files: go.mod,go.sum
@@ -58,4 +58,7 @@ dist/
 src/versioninfo.json
 src/resource.syso
 
-vendor/
+vendor/
+
+# Release toolkit
+CHANGELOG.partial.md
@@ -1,12 +1,18 @@
-# Change Log
+# Changelog
 
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+Unreleased section should follow [Release Toolkit](https://github.com/newrelic/release-toolkit#render-markdown-and-update-markdown)
+
+## Unreleased
+### enhancement
+ - bumped golang version pinning 1.20.6
+
 ## 2.9.0 (2023-06-06)
-# Changed
+### Changed
 - Update Go version to 1.20
 
 ## 2.8.7 (2022-12-31)

@@ -26,8 +26,15 @@ compile:
  @echo "=== $(INTEGRATION) === [ compile ]: Building $(BINARY_NAME)..."
  @go build -o bin/$(BINARY_NAME) $(GO_FILES)
 
+# rt-update-changelog runs the release-toolkit run.sh script by piping it into bash to update the CHANGELOG.md.
+# It also passes down to the script all the flags added to the make target. To check all the accepted flags,
+# see: https://github.com/newrelic/release-toolkit/blob/main/contrib/ohi-release-notes/run.sh
+# e.g. `make rt-update-changelog -- -v`
+rt-update-changelog:
+ curl "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS))
+
 # Include thematic Makefiles
 include $(CURDIR)/build/ci.mk
 include $(CURDIR)/build/release.mk
 
-.PHONY: all build clean compile test
+.PHONY: all build clean compile test rt-update-changelog
@@ -1,4 +1,4 @@
-FROM golang:1.20-buster
+FROM golang:1.20.6-bookworm
 
 ARG GH_VERSION='1.9.2'