From a33d34a036aaddad8bb03d7cf59155647038cac2 Mon Sep 17 00:00:00 2001 From: Nikola Jokic Date: Thu, 17 Apr 2025 12:19:15 +0200 Subject: [PATCH] Pin third party actions (#3981) --- .github/actions/setup-arc-e2e/action.yaml | 28 +- .../setup-docker-environment/action.yaml | 12 +- .github/workflows/arc-publish-chart.yaml | 286 +++++++++--------- .github/workflows/arc-publish.yaml | 11 +- .github/workflows/arc-release-runners.yaml | 7 +- .github/workflows/arc-validate-chart.yaml | 50 ++- .github/workflows/arc-validate-runners.yaml | 38 +-- .github/workflows/gha-publish-chart.yaml | 29 +- .github/workflows/gha-validate-chart.yaml | 41 +-- .github/workflows/global-publish-canary.yaml | 61 ++-- .github/workflows/go.yaml | 29 +- .golangci.yaml | 4 +- Makefile | 4 +- .../pipelines/eks-integration-tests.yaml | 16 +- .../pipelines/runner-integration-tests.yaml | 23 +- charts/.ci/ct-config-gha.yaml | 6 +- charts/.ci/ct-config.yaml | 4 +- charts/.ci/scripts/local-kube-score.sh | 3 +- test/e2e/e2e_test.go | 6 +- 19 files changed, 331 insertions(+), 327 deletions(-) diff --git a/.github/actions/setup-arc-e2e/action.yaml b/.github/actions/setup-arc-e2e/action.yaml index 0cccd465..ec5b55af 100644 --- a/.github/actions/setup-arc-e2e/action.yaml +++ b/.github/actions/setup-arc-e2e/action.yaml @@ -1,9 +1,9 @@ -name: 'Setup ARC E2E Test Action' -description: 'Build controller image, create kind cluster, load the image, and exchange ARC configure token.' +name: "Setup ARC E2E Test Action" +description: "Build controller image, create kind cluster, load the image, and exchange ARC configure token." inputs: app-id: - description: 'GitHub App Id for exchange access token' + description: "GitHub App Id for exchange access token" required: true app-pk: description: "GitHub App private key for exchange access token" 
@@ -20,30 +20,31 @@ inputs: outputs: token: - description: 'Token to use for configure ARC' + description: "Token to use for configure ARC" value: ${{steps.config-token.outputs.token}} runs: using: "composite" steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 with: - # Pinning v0.9.1 for Buildx and BuildKit v0.10.6 - # BuildKit v0.11 which has a bug causing intermittent - # failures pushing images to GHCR - version: v0.9.1 - driver-opts: image=moby/buildkit:v0.10.6 + # Pinning v0.9.1 for Buildx and BuildKit v0.10.6 + # BuildKit v0.11 which has a bug causing intermittent + # failures pushing images to GHCR + version: v0.9.1 + driver-opts: image=moby/buildkit:v0.10.6 - name: Build controller image - uses: docker/build-push-action@v5 + # https://github.com/docker/build-push-action/releases/tag/v6.15.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 with: file: Dockerfile platforms: linux/amd64 load: true build-args: | DOCKER_IMAGE_NAME=${{inputs.image-name}} - VERSION=${{inputs.image-tag}} + VERSION=${{inputs.image-tag}} tags: | ${{inputs.image-name}}:${{inputs.image-tag}} no-cache: true @@ -56,8 +57,9 @@ runs: - name: Get configure token id: config-token + # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0 uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 with: application_id: ${{ inputs.app-id }} application_private_key: ${{ inputs.app-pk }} - organization: ${{ inputs.target-org}} \ No newline at end of file + organization: ${{ inputs.target-org}} diff --git a/.github/actions/setup-docker-environment/action.yaml b/.github/actions/setup-docker-environment/action.yaml index f083ff07..6053125e 100644 --- a/.github/actions/setup-docker-environment/action.yaml +++ b/.github/actions/setup-docker-environment/action.yaml 
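Review bot: The `docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2` pin in the "Set up Docker Buildx" step has no comment naming the release it corresponds to, unlike the build-push and token-action pins beside it. A bare SHA is hard to audit or bump; this commit labels the same SHA elsewhere, so add `# https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0` above the `uses:` line. The same unlabelled pin appears in gha-publish-chart.yaml and gha-validate-chart.yaml. Separately, `driver-opts: image=moby/buildkit:v0.10.6` still resolves a mutable image tag at run time, so pinning that image by digest would match the pinned actions.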
@@ -24,23 +24,27 @@ runs: shell: bash - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 with: version: latest - name: Login to DockerHub if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.password != '' }} - uses: docker/login-action@v3 + # https://github.com/docker/login-action/releases/tag/v3.4.0 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: username: ${{ inputs.username }} password: ${{ inputs.password }} - name: Login to GitHub Container Registry if: ${{ github.event_name == 'release' || github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.ghcr_password != '' }} - uses: docker/login-action@v3 + # https://github.com/docker/login-action/releases/tag/v3.4.0 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: registry: ghcr.io username: ${{ inputs.ghcr_username }} diff --git a/.github/workflows/arc-publish-chart.yaml b/.github/workflows/arc-publish-chart.yaml index 96f03f22..5cada00e 100644 --- a/.github/workflows/arc-publish-chart.yaml +++ b/.github/workflows/arc-publish-chart.yaml 
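Review bot: `version: latest` under the pinned `docker/setup-buildx-action` step still makes every run fetch whichever Buildx release is newest, so the SHA pin fixes the installer but not the binary it installs. The later steps of this composite action log in to DockerHub and GHCR, so that binary runs in a job that handles registry credentials. Consider an explicit release, as setup-arc-e2e/action.yaml does with `version: v0.9.1`. The same `version: latest` remains in gha-validate-chart.yaml and global-publish-canary.yaml.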
@@ -5,18 +5,18 @@ name: Publish ARC Helm Charts on: push: branches: - - master + - master paths: - - 'charts/**' - - '.github/workflows/arc-publish-chart.yaml' - - '!charts/actions-runner-controller/docs/**' - - '!charts/gha-runner-scale-set-controller/**' - - '!charts/gha-runner-scale-set/**' - - '!**.md' + - "charts/**" + - ".github/workflows/arc-publish-chart.yaml" + - "!charts/actions-runner-controller/docs/**" + - "!charts/gha-runner-scale-set-controller/**" + - "!charts/gha-runner-scale-set/**" + - "!**.md" workflow_dispatch: inputs: force: - description: 'Force publish even if the chart version is not bumped' + description: "Force publish even if the chart version is not bumped" type: boolean required: true default: false 
@@ -39,86 +39,89 @@ jobs: outputs: publish-chart: ${{ steps.publish-chart-step.outputs.publish }} steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Set up Helm - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 - with: - version: ${{ env.HELM_VERSION }} + - name: Set up Helm + # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 + with: + version: ${{ env.HELM_VERSION }} - - name: Set up kube-score - run: | - wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score - chmod 755 kube-score + - name: Set up kube-score + run: | + wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score + chmod 755 kube-score - - name: Kube-score generated manifests - run: helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test container-security-context-readonlyrootfilesystem + - name: Kube-score generated manifests + run: helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - --ignore-test pod-networkpolicy --ignore-test deployment-has-poddisruptionbudget --ignore-test deployment-has-host-podantiaffinity --ignore-test container-security-context --ignore-test pod-probes --ignore-test container-image-tag --enable-optional-test container-security-context-privileged --enable-optional-test 
container-security-context-readonlyrootfilesystem - # python is a requirement for the chart-testing action below (supports yamllint among other tests) - - uses: actions/setup-python@v5 - with: - python-version: '3.11' + # python is a requirement for the chart-testing action below (supports yamllint among other tests) + - uses: actions/setup-python@v5 + with: + python-version: "3.11" - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.0 + - name: Set up chart-testing + # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b - - name: Run chart-testing (list-changed) - id: list-changed - run: | - changed=$(ct list-changed --config charts/.ci/ct-config.yaml) - if [[ -n "$changed" ]]; then - echo "changed=true" >> $GITHUB_OUTPUT - fi + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config charts/.ci/ct-config.yaml) + if [[ -n "$changed" ]]; then + echo "changed=true" >> $GITHUB_OUTPUT + fi - - name: Run chart-testing (lint) - run: | - ct lint --config charts/.ci/ct-config.yaml + - name: Run chart-testing (lint) + run: | + ct lint --config charts/.ci/ct-config.yaml - - name: Create kind cluster - if: steps.list-changed.outputs.changed == 'true' - uses: helm/kind-action@v1.4.0 + - name: Create kind cluster + if: steps.list-changed.outputs.changed == 'true' + # https://github.com/helm/kind-action/releases/tag/v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 - # We need cert-manager already installed in the cluster because we assume the CRDs exist - - name: Install cert-manager - if: steps.list-changed.outputs.changed == 'true' - run: | - helm repo add jetstack https://charts.jetstack.io --force-update - helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait + # We need cert-manager already installed in the cluster because we assume the CRDs exist + - name: Install 
cert-manager + if: steps.list-changed.outputs.changed == 'true' + run: | + helm repo add jetstack https://charts.jetstack.io --force-update + helm install cert-manager jetstack/cert-manager --set installCRDs=true --wait - - name: Run chart-testing (install) - if: steps.list-changed.outputs.changed == 'true' - run: ct install --config charts/.ci/ct-config.yaml + - name: Run chart-testing (install) + if: steps.list-changed.outputs.changed == 'true' + run: ct install --config charts/.ci/ct-config.yaml - # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml - - name: Check if Chart Publish is Needed - id: publish-chart-step - run: | - CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml) - NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2) - RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4) - LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1) + # WARNING: This relies on the latest release being at the top of the JSON from GitHub and a clean chart.yaml + - name: Check if Chart Publish is Needed + id: publish-chart-step + run: | + CHART_TEXT=$(curl -fs https://raw.githubusercontent.com/${{ github.repository }}/master/charts/actions-runner-controller/Chart.yaml) + NEW_CHART_VERSION=$(echo "$CHART_TEXT" | grep version: | cut -d ' ' -f 2) + RELEASE_LIST=$(curl -fs https://api.github.com/repos/${{ github.repository }}/releases | jq .[].tag_name | grep actions-runner-controller | cut -d '"' -f 2 | cut -d '-' -f 4) + LATEST_RELEASED_CHART_VERSION=$(echo $RELEASE_LIST | cut -d ' ' -f 1) - echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> $GITHUB_ENV - echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV + echo "CHART_VERSION_IN_MASTER=$NEW_CHART_VERSION" >> 
$GITHUB_ENV + echo "LATEST_CHART_VERSION=$LATEST_RELEASED_CHART_VERSION" >> $GITHUB_ENV - # Always publish if force is true - if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then - echo "publish=true" >> $GITHUB_OUTPUT - else - echo "publish=false" >> $GITHUB_OUTPUT - fi + # Always publish if force is true + if [[ $NEW_CHART_VERSION != $LATEST_RELEASED_CHART_VERSION || "${{ inputs.force }}" == "true" ]]; then + echo "publish=true" >> $GITHUB_OUTPUT + else + echo "publish=false" >> $GITHUB_OUTPUT + fi - - name: Job summary - run: | - echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "**Status:**" >> $GITHUB_STEP_SUMMARY - echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY - echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY - echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY + - name: Job summary + run: | + echo "Chart linting has been completed." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Status:**" >> $GITHUB_STEP_SUMMARY + echo "- chart version in master: ${{ env.CHART_VERSION_IN_MASTER }}" >> $GITHUB_STEP_SUMMARY + echo "- latest chart version: ${{ env.LATEST_CHART_VERSION }}" >> $GITHUB_STEP_SUMMARY + echo "- publish new chart: ${{ steps.publish-chart-step.outputs.publish }}" >> $GITHUB_STEP_SUMMARY publish-chart: if: needs.lint-chart.outputs.publish-chart == 'true' 
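Review bot: The "Set up kube-score" step downloads a release binary with `wget` and marks it executable without any integrity check, which is the same unpinned-dependency risk this commit closes for actions. Record the expected digest next to `KUBE_SCORE_VERSION` and verify it before the `chmod`, for example `echo "${KUBE_SCORE_SHA256}  kube-score" | sha256sum -c -`, where `KUBE_SCORE_SHA256` is a placeholder name for a new env value taken from the release's published checksums. The `helm install cert-manager jetstack/cert-manager` line further down likewise has no `--version`, so the install test runs against whichever cert-manager chart is current.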
@@ -133,80 +136,81 @@ jobs: CHART_TARGET_BRANCH: master steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Get Token - id: get_workflow_token - uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 - with: - application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }} - application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }} - organization: ${{ env.CHART_TARGET_ORG }} + - name: Get Token + id: get_workflow_token + # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0 + uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 + with: + application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }} + application_private_key: ${{ secrets.ACTIONS_ACCESS_PK }} + organization: ${{ env.CHART_TARGET_ORG }} - - name: Install chart-releaser - uses: helm/chart-releaser-action@v1.4.1 - with: - install_only: true - install_dir: ${{ github.workspace }}/bin + - name: Install chart-releaser + uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f + with: + install_only: true + install_dir: ${{ github.workspace }}/bin - - name: Package and upload release assets - run: | - cr package \ - ${{ github.workspace }}/charts/actions-runner-controller/ \ - --package-path .cr-release-packages + - name: Package and upload release assets + run: | + cr package \ + ${{ github.workspace }}/charts/actions-runner-controller/ \ + --package-path .cr-release-packages - cr upload \ - --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \ - --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \ - 
--package-path .cr-release-packages \ - --token ${{ secrets.GITHUB_TOKEN }} + cr upload \ + --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \ + --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \ + --package-path .cr-release-packages \ + --token ${{ secrets.GITHUB_TOKEN }} - - name: Generate updated index.yaml - run: | - cr index \ - --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \ - --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \ - --index-path ${{ github.workspace }}/index.yaml \ - --token ${{ secrets.GITHUB_TOKEN }} \ - --push \ - --pages-branch 'gh-pages' \ - --pages-index-path 'index.yaml' + - name: Generate updated index.yaml + run: | + cr index \ + --owner "$(echo ${{ github.repository }} | cut -d '/' -f 1)" \ + --git-repo "$(echo ${{ github.repository }} | cut -d '/' -f 2)" \ + --index-path ${{ github.workspace }}/index.yaml \ + --token ${{ secrets.GITHUB_TOKEN }} \ + --push \ + --pages-branch 'gh-pages' \ + --pages-index-path 'index.yaml' - # Chart Release was never intended to publish to a different repo - # this workaround is intended to move the index.yaml to the target repo - # where the github pages are hosted - - name: Checkout target repository - uses: actions/checkout@v4 - with: - repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }} - path: ${{ env.CHART_TARGET_REPO }} - ref: ${{ env.CHART_TARGET_BRANCH }} - token: ${{ steps.get_workflow_token.outputs.token }} + # Chart Release was never intended to publish to a different repo + # this workaround is intended to move the index.yaml to the target repo + # where the github pages are hosted + - name: Checkout target repository + uses: actions/checkout@v4 + with: + repository: ${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }} + path: ${{ env.CHART_TARGET_REPO }} + ref: ${{ env.CHART_TARGET_BRANCH }} + token: ${{ steps.get_workflow_token.outputs.token }} - - name: Copy index.yaml - run: | - cp ${{ github.workspace 
}}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml + - name: Copy index.yaml + run: | + cp ${{ github.workspace }}/index.yaml ${{ env.CHART_TARGET_REPO }}/actions-runner-controller/index.yaml - - name: Commit and push to target repository - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - git add . - git commit -m "Update index.yaml" - git push - working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }} + - name: Commit and push to target repository + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + git add . + git commit -m "Update index.yaml" + git push + working-directory: ${{ github.workspace }}/${{ env.CHART_TARGET_REPO }} - - name: Job summary - run: | - echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "**Status:**" >> $GITHUB_STEP_SUMMARY - echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY + - name: Job summary + run: | + echo "New helm chart has been published" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Status:**" >> $GITHUB_STEP_SUMMARY + echo "- New [index.yaml](https://github.com/${{ env.CHART_TARGET_ORG }}/${{ env.CHART_TARGET_REPO }}/tree/master/actions-runner-controller) pushed" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/arc-publish.yaml b/.github/workflows/arc-publish.yaml index 37d67e9f..1a9328ca 100644 --- a/.github/workflows/arc-publish.yaml +++ b/.github/workflows/arc-publish.yaml 
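Review bot: `helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f` replaces `v1.4.1` with a SHA but, unlike the token-action pin above it, has no comment saying which release that commit is. Add a line such as `# https://github.com/helm/chart-releaser-action/releases/tag/<release>` (placeholder; fill in the tag the SHA was taken from) so the pin can be audited and any upgrade from v1.4.1 is visible. In the `cr upload` and `cr index` steps the token is expanded into the command line with `--token ${{ secrets.GITHUB_TOKEN }}`. chart-releaser also reads `CR_`-prefixed environment variables, so setting `CR_TOKEN` in the step's `env:` would keep the token out of the process arguments.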
@@ -9,17 +9,17 @@ on: workflow_dispatch: inputs: release_tag_name: - description: 'Tag name of the release to publish' + description: "Tag name of the release to publish" required: true push_to_registries: - description: 'Push images to registries' + description: "Push images to registries" required: true type: boolean default: false permissions: - contents: write - packages: write + contents: write + packages: write env: TARGET_ORG: actions-runner-controller @@ -43,7 +43,7 @@ jobs: - uses: actions/setup-go@v5 with: - go-version-file: 'go.mod' + go-version-file: "go.mod" - name: Install tools run: | @@ -73,6 +73,7 @@ jobs: - name: Get Token id: get_workflow_token + # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0 uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 with: application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }} diff --git a/.github/workflows/arc-release-runners.yaml b/.github/workflows/arc-release-runners.yaml index 55ced306..da1fbf54 100644 --- a/.github/workflows/arc-release-runners.yaml +++ b/.github/workflows/arc-release-runners.yaml @@ -7,10 +7,10 @@ on: # are available to the workflow run push: branches: - - 'master' + - "master" paths: - - 'runner/VERSION' - - '.github/workflows/arc-release-runners.yaml' + - "runner/VERSION" + - ".github/workflows/arc-release-runners.yaml" env: # Safeguard to prevent pushing images to registeries after build @@ -39,6 +39,7 @@ jobs: - name: Get Token id: get_workflow_token + # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0 uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 with: application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }} diff --git a/.github/workflows/arc-validate-chart.yaml b/.github/workflows/arc-validate-chart.yaml index f38a3fc3..d93fa27f 100644 --- a/.github/workflows/arc-validate-chart.yaml +++ b/.github/workflows/arc-validate-chart.yaml 
@@ -5,20 +5,20 @@ on: branches: - master paths: - - 'charts/**' - - '.github/workflows/arc-validate-chart.yaml' - - '!charts/actions-runner-controller/docs/**' - - '!**.md' - - '!charts/gha-runner-scale-set-controller/**' - - '!charts/gha-runner-scale-set/**' + - "charts/**" + - ".github/workflows/arc-validate-chart.yaml" + - "!charts/actions-runner-controller/docs/**" + - "!**.md" + - "!charts/gha-runner-scale-set-controller/**" + - "!charts/gha-runner-scale-set/**" push: paths: - - 'charts/**' - - '.github/workflows/arc-validate-chart.yaml' - - '!charts/actions-runner-controller/docs/**' - - '!**.md' - - '!charts/gha-runner-scale-set-controller/**' - - '!charts/gha-runner-scale-set/**' + - "charts/**" + - ".github/workflows/arc-validate-chart.yaml" + - "!charts/actions-runner-controller/docs/**" + - "!**.md" + - "!charts/gha-runner-scale-set-controller/**" + - "!charts/gha-runner-scale-set/**" workflow_dispatch: env: KUBE_SCORE_VERSION: 1.10.0 
@@ -45,34 +45,19 @@ jobs: fetch-depth: 0 - name: Set up Helm - # Using https://github.com/Azure/setup-helm/releases/tag/v4.2 + # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 with: version: ${{ env.HELM_VERSION }} - - name: Set up kube-score - run: | - wget https://github.com/zegl/kube-score/releases/download/v${{ env.KUBE_SCORE_VERSION }}/kube-score_${{ env.KUBE_SCORE_VERSION }}_linux_amd64 -O kube-score - chmod 755 kube-score - - - name: Kube-score generated manifests - run: helm template --values charts/.ci/values-kube-score.yaml charts/* | ./kube-score score - - --ignore-test pod-networkpolicy - --ignore-test deployment-has-poddisruptionbudget - --ignore-test deployment-has-host-podantiaffinity - --ignore-test container-security-context - --ignore-test pod-probes - --ignore-test container-image-tag - --enable-optional-test container-security-context-privileged - --enable-optional-test container-security-context-readonlyrootfilesystem - # python is a requirement for the chart-testing action below (supports yamllint among other tests) - uses: actions/setup-python@v5 with: - python-version: '3.11' + python-version: "3.11" - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.0 + # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b - name: Run chart-testing (list-changed) id: list-changed @@ -87,7 +72,8 @@ jobs: ct lint --config charts/.ci/ct-config.yaml - name: Create kind cluster - uses: helm/kind-action@v1.4.0 + # https://github.com/helm/kind-action/releases/tag/v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 if: steps.list-changed.outputs.changed == 'true' # We need cert-manager already installed in the cluster because we assume the CRDs exist 
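Review bot: The first hunk deletes the "Set up kube-score" and "Kube-score generated manifests" steps from the validation workflow, a behaviour change that a commit titled as pinning actions does not mention. From what is visible, kube-score now runs only in arc-publish-chart.yaml on pushes to master, so the privileged-container and read-only-root-filesystem checks would no longer gate pull requests. If the check moved elsewhere (charts/.ci/scripts/local-kube-score.sh is also touched by this commit), the description should say so. `KUBE_SCORE_VERSION: 1.10.0` in this file's `env:` looks unused after the removal and can probably be dropped.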
diff --git a/.github/workflows/arc-validate-runners.yaml b/.github/workflows/arc-validate-runners.yaml index 9d559c37..5b7da04f 100644 --- a/.github/workflows/arc-validate-runners.yaml +++ b/.github/workflows/arc-validate-runners.yaml @@ -3,17 +3,17 @@ name: Validate ARC Runners on: pull_request: branches: - - '**' + - "**" paths: - - 'runner/**' - - 'test/startup/**' - - '!**.md' + - "runner/**" + - "test/startup/**" + - "!**.md" permissions: contents: read concurrency: - # This will make sure we only apply the concurrency limits on pull requests + # This will make sure we only apply the concurrency limits on pull requests # but not pushes to master branch by making the concurrency group name unique # for pushes group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} @@ -25,28 +25,16 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: shellcheck - uses: reviewdog/action-shellcheck@v1 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - path: "./runner" - pattern: | - *.sh - *.bash - update-status - # Make this consistent with `make shellsheck` - shellcheck_flags: "--shell bash --source-path runner" - exclude: "./.git/*" - check_all_files_with_shebangs: "false" - # Set this to "true" once we addressed all the shellcheck findings - fail_on_error: "false" + - name: "Run shellcheck" + run: make shellcheck + test-runner-entrypoint: name: Test entrypoint runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Run tests - run: | - make acceptance/runner/startup + - name: Run tests + run: | + make acceptance/runner/startup diff --git a/.github/workflows/gha-publish-chart.yaml b/.github/workflows/gha-publish-chart.yaml index 251af8e8..572f5da3 100644 --- a/.github/workflows/gha-publish-chart.yaml +++ b/.github/workflows/gha-publish-chart.yaml 
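Review bot: Replacing `reviewdog/action-shellcheck` with `run: make shellcheck` turns a deliberately non-blocking check into a blocking one, assuming the make target exits non-zero on findings. The removed step set `fail_on_error: "false"` with a comment saying to enable it once the existing findings were addressed, so confirm the runner scripts are clean or this job will start failing pull requests. The Makefile change is outside this hunk. If its target downloads shellcheck rather than using the runner image's copy, that download should be version-pinned and checksum-verified to match the rest of this commit.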
@@ -4,27 +4,27 @@ on: workflow_dispatch: inputs: ref: - description: 'The branch, tag or SHA to cut a release from' + description: "The branch, tag or SHA to cut a release from" required: false type: string - default: '' + default: "" release_tag_name: - description: 'The name to tag the controller image with' + description: "The name to tag the controller image with" required: true type: string - default: 'canary' + default: "canary" push_to_registries: - description: 'Push images to registries' + description: "Push images to registries" required: true type: boolean default: false publish_gha_runner_scale_set_controller_chart: - description: 'Publish new helm chart for gha-runner-scale-set-controller' + description: "Publish new helm chart for gha-runner-scale-set-controller" required: true type: boolean default: false publish_gha_runner_scale_set_chart: - description: 'Publish new helm chart for gha-runner-scale-set' + description: "Publish new helm chart for gha-runner-scale-set" required: true type: boolean default: false @@ -72,10 +72,11 @@ jobs: echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 with: # Pinning v0.9.1 for Buildx and BuildKit v0.10.6 # BuildKit v0.11 which has a bug causing intermittent 
@@ -84,14 +85,16 @@ jobs: driver-opts: image=moby/buildkit:v0.10.6 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + # https://github.com/docker/login-action/releases/tag/v3.4.0 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build & push controller image - uses: docker/build-push-action@v5 + # https://github.com/docker/build-push-action/releases/tag/v6.15.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 with: file: Dockerfile platforms: linux/amd64,linux/arm64 @@ -140,7 +143,7 @@ jobs: echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Set up Helm - # Using https://github.com/Azure/setup-helm/releases/tag/v4.2 + # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 with: version: ${{ env.HELM_VERSION }} @@ -188,7 +191,7 @@ jobs: echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Set up Helm - # Using https://github.com/Azure/setup-helm/releases/tag/v4.2 + # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 with: version: ${{ env.HELM_VERSION }} diff --git a/.github/workflows/gha-validate-chart.yaml b/.github/workflows/gha-validate-chart.yaml index a33fd74e..4ff1e023 100644 --- a/.github/workflows/gha-validate-chart.yaml +++ b/.github/workflows/gha-validate-chart.yaml 
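Review bot: The `docker/build-push-action` pin in "Build & push controller image" is also a major-version upgrade, from `v5` to v6.15.0, in a job that logs in to GHCR with `secrets.GITHUB_TOKEN`. As far as I know, v6 adds a job summary and uploads a build record artifact by default. Confirm that is wanted for release builds, or set `DOCKER_BUILD_RECORD_UPLOAD: false` in the step's `env:`. The same v5 to v6.15.0 move is made in setup-arc-e2e/action.yaml, gha-validate-chart.yaml and global-publish-canary.yaml, and would be easier to review if the commit description listed the upgrades separately from the pins.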
@@ -5,16 +5,16 @@ on: branches: - master paths: - - 'charts/**' - - '.github/workflows/gha-validate-chart.yaml' - - '!charts/actions-runner-controller/**' - - '!**.md' + - "charts/**" + - ".github/workflows/gha-validate-chart.yaml" + - "!charts/actions-runner-controller/**" + - "!**.md" push: paths: - - 'charts/**' - - '.github/workflows/gha-validate-chart.yaml' - - '!charts/actions-runner-controller/**' - - '!**.md' + - "charts/**" + - ".github/workflows/gha-validate-chart.yaml" + - "!charts/actions-runner-controller/**" + - "!**.md" workflow_dispatch: env: KUBE_SCORE_VERSION: 1.16.1 @@ -41,7 +41,7 @@ jobs: fetch-depth: 0 - name: Set up Helm - # Using https://github.com/Azure/setup-helm/releases/tag/v4.2 + # Using https://github.com/Azure/setup-helm/releases/tag/v4.2.0 uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 with: version: ${{ env.HELM_VERSION }} @@ -49,10 +49,11 @@ jobs: # python is a requirement for the chart-testing action below (supports yamllint among other tests) - uses: actions/setup-python@v5 with: - python-version: '3.11' + python-version: "3.11" - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.0 + # https://github.com/helm/chart-testing-action/releases/tag/v2.7.0 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b - name: Run chart-testing (list-changed) id: list-changed @@ -68,13 +69,14 @@ jobs: ct lint --config charts/.ci/ct-config-gha.yaml - name: Set up docker buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 if: steps.list-changed.outputs.changed == 'true' with: version: latest - name: Build controller image - uses: docker/build-push-action@v5 + # https://github.com/docker/build-push-action/releases/tag/v6.15.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 if: steps.list-changed.outputs.changed == 'true' with: file: Dockerfile 
@@ -89,7 +91,8 @@ jobs: cache-to: type=gha,mode=max - name: Create kind cluster - uses: helm/kind-action@v1.4.0 + # https://github.com/helm/kind-action/releases/tag/v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 if: steps.list-changed.outputs.changed == 'true' with: cluster_name: chart-testing @@ -97,11 +100,11 @@ jobs: - name: Load image into cluster if: steps.list-changed.outputs.changed == 'true' run: | - export DOCKER_IMAGE_NAME=test-arc - export VERSION=dev - export IMG_RESULT=load - make docker-buildx - kind load docker-image test-arc:dev --name chart-testing + export DOCKER_IMAGE_NAME=test-arc + export VERSION=dev + export IMG_RESULT=load + make docker-buildx + kind load docker-image test-arc:dev --name chart-testing - name: Run chart-testing (install) if: steps.list-changed.outputs.changed == 'true' diff --git a/.github/workflows/global-publish-canary.yaml b/.github/workflows/global-publish-canary.yaml index ba4796a9..9d84a10e 100644 --- a/.github/workflows/global-publish-canary.yaml +++ b/.github/workflows/global-publish-canary.yaml 
@@ -7,30 +7,30 @@ on: branches: - master paths-ignore: - - '**.md' - - '.github/actions/**' - - '.github/ISSUE_TEMPLATE/**' - - '.github/workflows/e2e-test-dispatch-workflow.yaml' - - '.github/workflows/gha-e2e-tests.yaml' - - '.github/workflows/arc-publish.yaml' - - '.github/workflows/arc-publish-chart.yaml' - - '.github/workflows/gha-publish-chart.yaml' - - '.github/workflows/arc-release-runners.yaml' - - '.github/workflows/global-run-codeql.yaml' - - '.github/workflows/global-run-first-interaction.yaml' - - '.github/workflows/global-run-stale.yaml' - - '.github/workflows/arc-update-runners-scheduled.yaml' - - '.github/workflows/validate-arc.yaml' - - '.github/workflows/arc-validate-chart.yaml' - - '.github/workflows/gha-validate-chart.yaml' - - '.github/workflows/arc-validate-runners.yaml' - - '.github/dependabot.yml' - - '.github/RELEASE_NOTE_TEMPLATE.md' - - 'runner/**' - - '.gitignore' - - 'PROJECT' - - 'LICENSE' - - 'Makefile' + - "**.md" + - ".github/actions/**" + - ".github/ISSUE_TEMPLATE/**" + - ".github/workflows/e2e-test-dispatch-workflow.yaml" + - ".github/workflows/gha-e2e-tests.yaml" + - ".github/workflows/arc-publish.yaml" + - ".github/workflows/arc-publish-chart.yaml" + - ".github/workflows/gha-publish-chart.yaml" + - ".github/workflows/arc-release-runners.yaml" + - ".github/workflows/global-run-codeql.yaml" + - ".github/workflows/global-run-first-interaction.yaml" + - ".github/workflows/global-run-stale.yaml" + - ".github/workflows/arc-update-runners-scheduled.yaml" + - ".github/workflows/validate-arc.yaml" + - ".github/workflows/arc-validate-chart.yaml" + - ".github/workflows/gha-validate-chart.yaml" + - ".github/workflows/arc-validate-runners.yaml" + - ".github/dependabot.yml" + - ".github/RELEASE_NOTE_TEMPLATE.md" + - "runner/**" + - ".gitignore" + - "PROJECT" + - "LICENSE" + - "Makefile" # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps permissions: 
@@ -59,6 +59,7 @@ jobs: - name: Get Token id: get_workflow_token + # https://github.com/peter-murray/workflow-application-token-action/releases/tag/v3.0.0 uses: peter-murray/workflow-application-token-action@dc0413987a085fa17d19df9e47d4677cf81ffef3 with: application_id: ${{ secrets.ACTIONS_ACCESS_APP_ID }} @@ -93,7 +94,8 @@ jobs: uses: actions/checkout@v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + # https://github.com/docker/login-action/releases/tag/v3.4.0 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: registry: ghcr.io username: ${{ github.actor }} @@ -110,16 +112,19 @@ jobs: echo "repository_owner=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + # https://github.com/docker/setup-qemu-action/releases/tag/v3.6.0 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + # https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 with: version: latest # Unstable builds - run at your own risk - name: Build and Push - uses: docker/build-push-action@v5 + # https://github.com/docker/build-push-action/releases/tag/v6.15.0 + uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 with: context: . file: ./Dockerfile diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index 40112c2c..10fe3eb1 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml 
@@ -4,16 +4,16 @@ on: branches: - master paths: - - '.github/workflows/go.yaml' - - '**.go' - - 'go.mod' - - 'go.sum' + - ".github/workflows/go.yaml" + - "**.go" + - "go.mod" + - "go.sum" pull_request: paths: - - '.github/workflows/go.yaml' - - '**.go' - - 'go.mod' - - 'go.sum' + - ".github/workflows/go.yaml" + - "**.go" + - "go.mod" + - "go.sum" permissions: contents: read @@ -32,7 +32,7 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version-file: 'go.mod' + go-version-file: "go.mod" cache: false - name: fmt run: go fmt ./... @@ -45,13 +45,14 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version-file: 'go.mod' + go-version-file: "go.mod" cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + # https://github.com/golangci/golangci-lint-action/releases/tag/v6.5.2 + uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 with: only-new-issues: true - version: v1.55.2 + version: v1.64.8 generate: runs-on: ubuntu-latest @@ -59,7 +60,7 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version-file: 'go.mod' + go-version-file: "go.mod" cache: false - name: Generate run: make generate @@ -72,7 +73,7 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version-file: 'go.mod' + go-version-file: "go.mod" - run: make manifests - name: Check diff run: git diff --exit-code diff --git a/.golangci.yaml b/.golangci.yaml index eca46937..19ecff43 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,8 +1,8 @@ run: - timeout: 3m + timeout: 5m output: formats: - - format: github-actions + - format: colored-line-number path: stdout linters-settings: errcheck: diff --git a/Makefile b/Makefile index 134f2927..6c87bfd2 100644 --- a/Makefile +++ b/Makefile 
@@ -20,7 +20,7 @@ KUBECONTEXT ?= kind-acceptance CLUSTER ?= acceptance CERT_MANAGER_VERSION ?= v1.1.1 KUBE_RBAC_PROXY_VERSION ?= v0.11.0 -SHELLCHECK_VERSION ?= 0.8.0 +SHELLCHECK_VERSION ?= 0.10.0 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion) CRD_OPTIONS ?= "crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true" @@ -204,7 +204,7 @@ generate: controller-gen # Run shellcheck on runner scripts shellcheck: shellcheck-install - $(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh hack/*.sh + $(TOOLS_PATH)/shellcheck --shell bash --source-path runner runner/*.sh runner/update-status hack/*.sh docker-buildx: export DOCKER_CLI_EXPERIMENTAL=enabled ;\ diff --git a/acceptance/pipelines/eks-integration-tests.yaml b/acceptance/pipelines/eks-integration-tests.yaml index a0ed5e65..0fb86e95 100644 --- a/acceptance/pipelines/eks-integration-tests.yaml +++ b/acceptance/pipelines/eks-integration-tests.yaml @@ -5,22 +5,23 @@ on: env: IRSA_ROLE_ARN: - ASSUME_ROLE_ARN: - AWS_REGION: + ASSUME_ROLE_ARN: + AWS_REGION: jobs: assume-role-in-runner-test: - runs-on: ['self-hosted', 'Linux'] + runs-on: ["self-hosted", "Linux"] steps: - name: Test aws-actions/configure-aws-credentials Action - uses: aws-actions/configure-aws-credentials@v1 + # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ env.ASSUME_ROLE_ARN }} role-duration-seconds: 900 assume-role-in-container-test: - runs-on: ['self-hosted', 'Linux'] - container: + runs-on: ["self-hosted", "Linux"] + container: image: amazon/aws-cli env: AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token 
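Review bot: The pin in `assume-role-in-runner-test` also moves `aws-actions/configure-aws-credentials` from `v1` to the v4.1.0 release, three major versions in one step, while the step passes only `aws-region`, `role-to-assume` and `role-duration-seconds`. With no key or token inputs, the role assumption depends on whatever credentials the action resolves from the self-hosted runner by default, and that resolution may differ between v1 and v4. These files sit under acceptance/pipelines and are presumably not exercised by this repository's own CI, so the bump should be run once against a real runner before it is relied on. A comment such as `# uses the runner's ambient credentials; no keys or OIDC inputs are passed` would make the dependency explicit. The second use, in `assume-role-in-container-test` (next hunk), has the same shape.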
@@ -29,7 +30,8 @@ jobs: - /var/run/secrets/eks.amazonaws.com/serviceaccount/token:/var/run/secrets/eks.amazonaws.com/serviceaccount/token steps: - name: Test aws-actions/configure-aws-credentials Action in container - uses: aws-actions/configure-aws-credentials@v1 + # https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: ${{ env.ASSUME_ROLE_ARN }} diff --git a/acceptance/pipelines/runner-integration-tests.yaml b/acceptance/pipelines/runner-integration-tests.yaml index 63b42a97..e85f2ffa 100644 --- a/acceptance/pipelines/runner-integration-tests.yaml +++ b/acceptance/pipelines/runner-integration-tests.yaml @@ -8,8 +8,8 @@ env: jobs: run-step-in-container-test: - runs-on: ['self-hosted', 'Linux'] - container: + runs-on: ["self-hosted", "Linux"] + container: image: alpine steps: - name: Test we are working in the container @@ -21,7 +21,7 @@ jobs: exit 1 fi setup-python-test: - runs-on: ['self-hosted', 'Linux'] + runs-on: ["self-hosted", "Linux"] steps: - name: Print native Python environment run: | @@ -41,12 +41,12 @@ jobs: echo "Python version detected : $(python --version 2>&1)" fi setup-node-test: - runs-on: ['self-hosted', 'Linux'] + runs-on: ["self-hosted", "Linux"] steps: - uses: actions/setup-node@v2 with: - node-version: '12' - - name: Test actions/setup-node works + node-version: "12" + - name: Test actions/setup-node works run: | VERSION=$(node --version | cut -c 2- | cut -d '.' -f1) if [[ $VERSION != '12' ]]; then 
@@ -57,13 +57,14 @@ jobs: echo "Node version detected : $(node --version 2>&1)" fi setup-ruby-test: - runs-on: ['self-hosted', 'Linux'] + runs-on: ["self-hosted", "Linux"] steps: - - uses: ruby/setup-ruby@v1 + # https://github.com/ruby/setup-ruby/releases/tag/v1.227.0 + - uses: ruby/setup-ruby@1a615958ad9d422dd932dc1d5823942ee002799f with: ruby-version: 3.0 bundler-cache: true - - name: Test ruby/setup-ruby works + - name: Test ruby/setup-ruby works run: | VERSION=$(ruby --version | cut -d ' ' -f2 | cut -d '.' -f1-2) if [[ $VERSION != '3.0' ]]; then @@ -74,8 +75,8 @@ jobs: echo "Ruby version detected : $(ruby --version 2>&1)" fi python-shell-test: - runs-on: ['self-hosted', 'Linux'] - steps: + runs-on: ["self-hosted", "Linux"] + steps: - name: Test Python shell works run: | import os diff --git a/charts/.ci/ct-config-gha.yaml b/charts/.ci/ct-config-gha.yaml index baf8bc43..b0a15a37 100644 --- a/charts/.ci/ct-config-gha.yaml +++ b/charts/.ci/ct-config-gha.yaml @@ -1,9 +1,11 @@ # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow +remote: origin +target-branch: master lint-conf: charts/.ci/lint-config.yaml chart-repos: - jetstack=https://charts.jetstack.io check-version-increment: false # Disable checking that the chart version has been bumped charts: -- charts/gha-runner-scale-set-controller -- charts/gha-runner-scale-set + - charts/gha-runner-scale-set-controller + - charts/gha-runner-scale-set skip-clean-up: true diff --git a/charts/.ci/ct-config.yaml b/charts/.ci/ct-config.yaml index 55ebad54..45be8be9 100644 --- a/charts/.ci/ct-config.yaml +++ b/charts/.ci/ct-config.yaml 
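Review bot: `ruby-version: 3.0` in the `setup-ruby-test` job (hunk `@@ -57,13 +57,14 @@`) is left as an unquoted YAML scalar, which is read as a number and is likely to reach the action as `3` rather than `3.0`. The step that follows compares the installed version against `'3.0'`, so an action that resolves `3` to the newest 3.x release would fail that check. The commit already normalises `node-version: "12"` in the same file; write `ruby-version: "3.0"` here as well.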
@@ -1,7 +1,9 @@ # This file defines the config for "ct" (chart tester) used by the helm linting GitHub workflow +remote: origin +target-branch: master lint-conf: charts/.ci/lint-config.yaml chart-repos: - jetstack=https://charts.jetstack.io check-version-increment: false # Disable checking that the chart version has been bumped charts: -- charts/actions-runner-controller + - charts/actions-runner-controller diff --git a/charts/.ci/scripts/local-kube-score.sh b/charts/.ci/scripts/local-kube-score.sh index 3982b388..a8592dfd 100755 --- a/charts/.ci/scripts/local-kube-score.sh +++ b/charts/.ci/scripts/local-kube-score.sh @@ -1,6 +1,5 @@ #!/bin/bash - for chart in `ls charts`; do helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-score score - \ @@ -12,4 +11,4 @@ helm template --values charts/$chart/ci/ci-values.yaml charts/$chart | kube-scor --enable-optional-test container-security-context-privileged \ --enable-optional-test container-security-context-readonlyrootfilesystem \ --ignore-test container-security-context -done \ No newline at end of file +done diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 207cc84a..e1a0f4a5 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -1181,7 +1181,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam steps = append(steps, testing.Step{ Name: "Set up Docker Buildx", - Uses: "docker/setup-buildx-action@v1", + Uses: "docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2", With: setupBuildXActionWith, }, testing.Step{ @@ -1193,7 +1193,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam Run: "docker run --rm test1", }, testing.Step{ - Uses: "addnab/docker-run-action@v3", + Uses: "addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185", With: &testing.With{ Image: "test1", Run: "hello", 
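Review bot: The three `Uses:` strings changed in installActionsWorkflow (hunks `@@ -1181,7`, `@@ -1193,7` and `@@ -1234,7`) now carry bare commit SHAs with nothing to say which release they correspond to, unlike the YAML workflows where most pins have a release URL above them. Add a line comment above each: `// https://github.com/docker/setup-buildx-action/releases/tag/v3.10.0` for the buildx pin (the SHA matches the one annotated in global-publish-canary.yaml), `// https://github.com/addnab/docker-run-action/releases/tag/<RELEASE_TAG>` for the second, and the equivalent for `azure/setup-kubectl`. Because these references live in Go string literals, update tooling that scans workflow YAML will probably not see them, so the comment is the only record a reviewer has for checking the SHA against a release. The function body starts and ends outside these hunks.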
@@ -1234,7 +1234,7 @@ func installActionsWorkflow(t *testing.T, testName, runnerLabel, testResultCMNam steps = append(steps, testing.Step{ - Uses: "azure/setup-kubectl@v1", + Uses: "azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f", With: &testing.With{ Version: "v1.24.0", },