Skip to content

fix: resolved security vulnerabilities in starboard #3054

fix: resolved security vulnerabilities in starboard

fix: resolved security vulnerabilities in starboard #3054

Workflow file for this run

---
# This workflow is triggered on push or pull request for the main branch.
# It runs tests and various checks to validate that the proposed changes
# will not introduce any regression after merging the code to the main branch.
name: Build
on:
push:
branches:
- main
paths-ignore:
- '.github/ISSUE_TEMPLATE/*.md'
- '*.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- 'NOTICE'
pull_request:
branches:
- main
paths-ignore:
- '.github/ISSUE_TEMPLATE/*.md'
- '*.md'
- 'docs/**'
- 'mkdocs.yml'
- 'LICENSE'
- 'NOTICE'
env:
GO_VERSION: "1.21.6"
KIND_VERSION: "v0.17.0"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
# Disable permissions granted to the GITHUB_TOKEN for all the available scopes.
permissions: {}
# Cancel any in-flight jobs for the same PR branch so there's only one active at a time.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
verify-code:
name: Verify code
runs-on: ubuntu-20.04
steps:
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
- name: Verify Go code
uses: golangci/[email protected]
with:
args: --verbose
version: latest
skip-pkg-cache: true
skip-build-cache: true
- name: Verify YAML code
uses: ibiqlik/action-yamllint@v3
- name: Vendor Go modules
run: go mod vendor
- name: Verify generated Go code
run: GOPATH="$(go env GOPATH)" ./hack/verify-codegen.sh
unit-tests:
name: Run unit tests
runs-on: ubuntu-20.04
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
- name: Run unit tests
run: make unit-tests
- name: Upload code coverage
uses: codecov/codecov-action@v3
with:
files: ./coverage.txt
itest-starboard-cli:
name: Run integration tests / Starboard CLI
needs:
- unit-tests
- verify-code
runs-on: ubuntu-20.04
timeout-minutes: 15
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/[email protected]
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Test connection to Kubernetes cluster
run: |
kubectl cluster-info
kubectl wait --for=condition=Ready nodes --all --timeout=300s
kubectl describe node
- name: Run integration tests
run: |
make itests-starboard
env:
KUBECONFIG: /home/runner/.kube/config
STARBOARD_TEST_CLI_LOG_LEVEL: "0"
- name: Upload code coverage
uses: codecov/codecov-action@v3
with:
files: ./itest/starboard/coverage.txt
itest-starboard-operator:
name: Run integration tests / Starboard Operator
needs:
- unit-tests
- verify-code
runs-on: ubuntu-20.04
timeout-minutes: 15
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/[email protected]
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Test connection to Kubernetes cluster
run: |
kubectl cluster-info
kubectl wait --for=condition=Ready nodes --all --timeout=300s
kubectl describe node
- name: Run integration tests
run: |
kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-f deploy/crd/configauditreports.crd.yaml \
-f deploy/crd/clusterconfigauditreports.crd.yaml \
-f deploy/crd/clustercompliancereports.crd.yaml \
-f deploy/crd/clustercompliancedetailreports.crd.yaml \
-f deploy/crd/ciskubebenchreports.crd.yaml
kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-f deploy/static/02-starboard-operator.rbac.yaml
kubectl apply -f deploy/static/03-starboard-operator.config.yaml \
-f deploy/static/04-starboard-operator.policies.yaml
make itests-starboard-operator
env:
KUBECONFIG: /home/runner/.kube/config
OPERATOR_NAMESPACE: starboard-system
OPERATOR_TARGET_NAMESPACES: default
- name: Upload code coverage
uses: codecov/codecov-action@v3
with:
files: ./itest/starboard-operator/coverage.txt
integration-operator-conftest:
name: Integration / Operator / Conftest
needs:
- unit-tests
- verify-code
runs-on: ubuntu-20.04
timeout-minutes: 15
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Kubernetes cluster (KIND)
uses: engineerd/[email protected]
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Test connection to Kubernetes cluster
run: |
kubectl cluster-info
kubectl wait --for=condition=Ready nodes --all --timeout=300s
kubectl describe node
- name: Run integration tests
run: |
kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-f deploy/crd/configauditreports.crd.yaml \
-f deploy/crd/clusterconfigauditreports.crd.yaml \
-f deploy/crd/clustercompliancereports.crd.yaml \
-f deploy/crd/clustercompliancedetailreports.crd.yaml \
-f deploy/crd/ciskubebenchreports.crd.yaml
kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-f deploy/static/02-starboard-operator.rbac.yaml
kubectl apply -f deploy/static/03-starboard-operator.config.yaml
make integration-operator-conftest
env:
KUBECONFIG: /home/runner/.kube/config
- name: Upload code coverage
uses: codecov/codecov-action@v3
with:
files: ./itest/starboard-operator/configauditreport/conftest/coverage.txt
test-helm-chart:
if: "false" # TODO It's broken on a release candidate PRs because it's using container image that has not been released yet.
name: Test Helm Chart
needs:
- itest-starboard-cli
- itest-starboard-operator
- integration-operator-conftest
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab # v1.1
with:
version: v3.5.0
- name: Set up python
uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 # v2.3.0
with:
python-version: 3.7
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # v2.1.0
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 # v1.2.0
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
- name: Run chart-testing
run: ct lint-and-install --validate-maintainers=false --charts deploy/helm