From f9bc625d0435383e46614053babbb9b47bde355f Mon Sep 17 00:00:00 2001 From: CI Bot Date: Mon, 24 Jun 2024 20:19:26 +0000 Subject: [PATCH] ci(shared): bump vendored ci files --- .github/dependabot.yml | 4 -- .github/workflows/audit.yml | 22 +++++++++ .github/workflows/check-code.yml | 22 +++++++++ .github/workflows/spelling.yml | 2 +- ci/vendir.lock.yml | 10 ++-- ci/vendir.yml | 4 +- ci/vendor/pipeline-fragments.lib.yml | 54 +++++++++++++++++---- ci/vendor/tasks/chart-open-charts-pr.sh | 7 ++- ci/vendor/tasks/check-code.sh | 10 ++++ ci/vendor/tasks/docker-bump-image-digest.sh | 4 +- 10 files changed, 114 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/audit.yml create mode 100644 .github/workflows/check-code.yml create mode 100644 ci/vendor/tasks/check-code.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ea826799b9..d863f1b63d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,7 +12,3 @@ updates: directory: "/" # Location of package manifests schedule: interval: "daily" -- package-ecosystem: "cargo" - directory: "/" - schedule: - interval: "daily" diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 0000000000..adf381d89a --- /dev/null +++ b/.github/workflows/audit.yml @@ -0,0 +1,22 @@ +#! Auto synced from Shared CI Resources repository +#! Don't change this file, instead change it in github.com/GaloyMoney/concourse-shared + +name: Audit + +on: + pull_request: + branches: [main] + +jobs: + audit: + name: Audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 20 + cache: "yarn" + - run: yarn install --frozen-lockfile + - name: Run audit + run: make audit diff --git a/.github/workflows/check-code.yml b/.github/workflows/check-code.yml new file mode 100644 index 0000000000..4efe9f4070 --- /dev/null +++ b/.github/workflows/check-code.yml 
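Review bot: The new `audit` job in `.github/workflows/audit.yml` declares no `permissions:` block, so its `GITHUB_TOKEN` takes whatever default the repository or organisation is configured with while `yarn install` and `make audit` execute code from the pull-request branch. Adding a top-level `permissions:` with `contents: read`, next to `on:`, would hold the job to least privilege; the same applies to `check-code.yml` added in this commit. Both workflows also reference `actions/checkout@v3` and `actions/setup-node@v3` by movable tag rather than by commit SHA. Since the file header says it is synced from concourse-shared, the change would need to land there.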
@@ -0,0 +1,22 @@ +#! Auto synced from Shared CI Resources repository +#! Don't change this file, instead change it in github.com/GaloyMoney/concourse-shared + +name: Check Code + +on: + pull_request: + branches: [main] + +jobs: + check-code: + name: Check Code + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 20 + cache: "yarn" + - run: yarn install --frozen-lockfile + - name: Run check code + run: make check-code diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index d29d402d34..b680269998 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Actions Repository - uses: actions/checkout@v4 + uses: actions/checkout@v3 - name: Spell Check Repo uses: crate-ci/typos@master with: diff --git a/ci/vendir.lock.yml b/ci/vendir.lock.yml index 2e5acc07a0..eb13aac1ff 100644 --- a/ci/vendir.lock.yml +++ b/ci/vendir.lock.yml @@ -2,14 +2,14 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - git: - commitTitle: 'feat: allow public or private repo selection (#34)' - sha: 53fc9dd805d3574d200e8e6e99f856c0912b52a8 + commitTitle: 'chore: using nix to check-code' + sha: 655c61f11b911126f7af393a2d7b84aff0dd9886 path: . path: ../.github/workflows/vendor - contents: - git: - commitTitle: 'feat: allow public or private repo selection (#34)' - sha: 53fc9dd805d3574d200e8e6e99f856c0912b52a8 + commitTitle: 'chore: using nix to check-code' + sha: 655c61f11b911126f7af393a2d7b84aff0dd9886 path: . - path: ./vendor + path: vendor kind: LockConfig diff --git a/ci/vendir.yml b/ci/vendir.yml index 910167653c..aaf8d1c672 100644 --- a/ci/vendir.yml +++ b/ci/vendir.yml 
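Review bot: The `Checkout Actions Repository` step in `spelling.yml` goes backwards from `actions/checkout@v4` to `@v3`, which looks like a side effect of the vendored copy lagging behind this repository rather than an intended change. v3 runs on the Node 16 action runtime that GitHub has deprecated, so I would keep `uses: actions/checkout@v4` (ideally pinned to a commit SHA) and update the shared source to match. The neighbouring `crate-ci/typos@master` step follows a branch, so whatever is pushed there runs in this job without review.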
@@ -8,7 +8,7 @@ directories: - path: . # Copy this folder out to .. git: url: https://github.com/GaloyMoney/concourse-shared.git - ref: 53fc9dd805d3574d200e8e6e99f856c0912b52a8 + ref: 655c61f11b911126f7af393a2d7b84aff0dd9886 includePaths: - shared/actions/* excludePaths: @@ -20,7 +20,7 @@ directories: - path: . git: url: https://github.com/GaloyMoney/concourse-shared.git - ref: 53fc9dd805d3574d200e8e6e99f856c0912b52a8 + ref: 655c61f11b911126f7af393a2d7b84aff0dd9886 includePaths: - shared/ci/**/* excludePaths: diff --git a/ci/vendor/pipeline-fragments.lib.yml b/ci/vendor/pipeline-fragments.lib.yml index 8d03d6a924..d1ad0306c8 100644 --- a/ci/vendor/pipeline-fragments.lib.yml +++ b/ci/vendor/pipeline-fragments.lib.yml @@ -44,6 +44,12 @@ source: repository: #@ release_concourse_image() #@ end +#@ def nix_task_image_config(): +type: registry-image +source: + repository: nixpkgs/nix-flakes +#@ end + #@ def slack_failure_notification(): #@ fail_url = "<$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME| :face_with_symbols_on_mouth: $BUILD_JOB_NAME> failed!" put: slack @@ -54,6 +60,27 @@ params: text: #@ fail_url #@ end +#@ def check_code(): +name: check-code +serial: true +plan: +- in_parallel: + - { get: repo, trigger: true } + - { get: pipeline-tasks } + - { get: bundled-deps, trigger: true} +- task: check-code + config: + platform: linux + image_resource: #@ nix_task_image_config() + inputs: + - name: bundled-deps + - name: pipeline-tasks + - name: repo + run: + path: pipeline-tasks/ci/vendor/tasks/check-code.sh +on_failure: #@ slack_failure_notification() +#@ end + #@ def nodejs_check_code(): name: check-code serial: true 
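Review bot: `nix_task_image_config()` sets `repository: nixpkgs/nix-flakes` with no `tag` or digest, so each `check-code` build pulls whatever the registry currently serves under the default tag. The build-task hunk further down has the same issue with `gcr.io/kaniko-project/executor` and `tag: debug`, and that image builds the `edge-image` that is subsequently pushed. I would set an explicit release tag on both and, where possible, pin the digest via `version: {digest: "sha256:<pinned-digest>"}` on the `image_resource`, so that a changed upstream image shows up as a reviewable diff.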
@@ -265,21 +292,27 @@ plan: run: path: pipeline-tasks/ci/vendor/tasks/docker-prep-docker-build-env.sh - task: build - privileged: true config: platform: linux image_resource: type: registry-image source: - repository: vito/oci-build-task + repository: gcr.io/kaniko-project/executor + tag: debug inputs: - name: repo outputs: - name: image - params: - CONTEXT: repo run: - path: build + path: /kaniko/executor + args: + - --dockerfile=Dockerfile + - --context=repo + - --use-new-run + - --single-snapshot + - --cache=false + - --no-push + - --tar-path=image/image.tar - put: edge-image params: image: image/image.tar @@ -370,6 +403,7 @@ plan: platform: linux image_resource: #@ nodejs_task_image_config() inputs: + - name: repo - name: pipeline-tasks - name: edge-image - name: charts-repo @@ -400,7 +434,7 @@ webhook_token: ((webhook.secret)) name: pipeline-tasks type: git source: - paths: [ci/vendor/*, ci/tasks/*, ci/config/*, ci/apps/tasks/*, Makefile] + paths: [ci/vendor/*, ci/tasks/*, ci/config/*, Makefile] uri: #@ data.values.git_uri branch: #@ data.values.git_branch private_key: #@ data.values.github_private_key @@ -413,14 +447,14 @@ source: tag: edge username: #@ data.values.docker_registry_user password: #@ data.values.docker_registry_password - repository: #@ public_docker_registry() if publicRepo else private_docker_registry() + "/" + data.values.gh_repository + repository: #@ public_docker_registry() + "/" + data.values.gh_repository if publicRepo else private_docker_registry() + "/" + data.values.gh_repository #@ end #@ def nodejs_deps_resource(webhook = False): name: deps type: git source: - paths: [core/api/yarn.lock] + paths: [yarn.lock] uri: #@ data.values.git_uri branch: #@ data.values.git_branch private_key: #@ data.values.github_private_key 
@@ -477,13 +511,13 @@ source: private_key: #@ data.values.github_private_key #@ end -#@ def versioned_image_resource(): +#@ def versioned_image_resource(publicRepo = True): name: versioned-image type: registry-image source: username: #@ data.values.docker_registry_user password: #@ data.values.docker_registry_password - repository: #@ public_docker_registry() + "/" + data.values.gh_repository + repository: #@ public_docker_registry() + "/" + data.values.gh_repository if publicRepo else private_docker_registry() + "/" + data.values.gh_repository #@ end #@ def gh_release_resource(): diff --git a/ci/vendor/tasks/chart-open-charts-pr.sh b/ci/vendor/tasks/chart-open-charts-pr.sh index 6acf1e03f9..4803ce427f 100755 --- a/ci/vendor/tasks/chart-open-charts-pr.sh +++ b/ci/vendor/tasks/chart-open-charts-pr.sh @@ -6,12 +6,15 @@ set -eu export digest=$(cat ./edge-image/digest) +export ref=$(cat ./repo/.git/short_ref) pushd charts-repo -ref=$(yq e '.image.git_ref' charts/${CHARTS_SUBDIR}/values.yaml) git checkout ${BRANCH} -old_ref=$(yq e '.image.git_ref' charts/${CHARTS_SUBDIR}/values.yaml) + +old_digest=$(yq e '.image.digest' "./charts/${CHARTS_SUBDIR}/values.yaml") +old_ref=$(grep "digest: \"${old_digest}\"" "./charts/${CHARTS_SUBDIR}/values.yaml" \ + | sed -n 's/.*commit_ref=\([^;]*\);.*/\1/p' | tr -d ' \n') cat <> ../body.md # Bump ${CHARTS_SUBDIR} image diff --git a/ci/vendor/tasks/check-code.sh b/ci/vendor/tasks/check-code.sh new file mode 100644 index 0000000000..2dcd1948c4 --- /dev/null +++ b/ci/vendor/tasks/check-code.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +#! Auto synced from Shared CI Resources repository +#! Don't change this file, instead change it in github.com/GaloyMoney/concourse-shared + +set -eu + +pushd repo + +nix develop -c make check-code diff --git a/ci/vendor/tasks/docker-bump-image-digest.sh b/ci/vendor/tasks/docker-bump-image-digest.sh index f47ad5229e..2616b7bc99 100755 --- a/ci/vendor/tasks/docker-bump-image-digest.sh 
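Review bot: In `chart-open-charts-pr.sh`, `old_ref` can end up empty without the script noticing: the new `grep … | sed … | tr` pipeline reports only the exit status of `tr`, and the `set -eu` shown for this script does not include `pipefail`, so a `values.yaml` whose digest line carries no `commit_ref=` comment (for example a chart last bumped before this change) yields an empty string. A guard such as `[ -n "${old_ref}" ] || { echo "no commit_ref metadata for ${old_digest}" >&2; exit 1; }`, or an explicit fallback, would make that visible. `export ref=$(cat ./repo/.git/short_ref)` likewise hides a failing `cat` behind `export`'s exit status; assigning first and exporting afterwards lets `set -e` catch it. How `ref` and `old_ref` are used lies outside the hunk.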
+++ b/ci/vendor/tasks/docker-bump-image-digest.sh @@ -12,7 +12,9 @@ export app_version=$(cat version/version) pushd charts-repo yq -i e '.image.digest = strenv(digest)' ./charts/${CHARTS_SUBDIR}/values.yaml -yq -i e '.image.git_ref = strenv(ref)' ./charts/${CHARTS_SUBDIR}/values.yaml + +sed -i "s|\(digest: \"${digest}\"\).*$|\1 # METADATA:: repository=https://github.com/GaloyMoney/${CHARTS_SUBDIR};commit_ref=${ref};app=${CHARTS_SUBDIR};|g" "./charts/${CHARTS_SUBDIR}/values.yaml" + yq -i e '.appVersion = strenv(app_version)' ./charts/${CHARTS_SUBDIR}/Chart.yaml if [[ -z $(git config --global user.email) ]]; then
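Review bot: The added `sed -i` only rewrites a line that matches `digest: "<digest>"` with double quotes, and it exits 0 when nothing matches, so if `yq` emits the digest unquoted or single-quoted the `commit_ref` metadata is silently not written and the lookup in `chart-open-charts-pr.sh` later finds nothing. I would follow it with a check such as `grep -q "commit_ref=${ref};" "./charts/${CHARTS_SUBDIR}/values.yaml"` so the task fails when the annotation is missing. `${digest}`, `${ref}` and `${CHARTS_SUBDIR}` are also spliced into the sed program unescaped, so a value containing `|`, `&` or `\` would change the expression; validating them against the expected character set first would close that. Where `ref` is set lies outside the hunk.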