-
Notifications
You must be signed in to change notification settings - Fork 153
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into restore-snapshot-parallelism
- Loading branch information
Showing
71 changed files
with
962 additions
and
497 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
name: Example images scanning | ||
permissions: | ||
contents: read | ||
on: | ||
workflow_dispatch: | ||
workflow_run: | ||
workflows: ["Build and test"] | ||
types: | ||
- completed | ||
branches: | ||
- master | ||
|
||
jobs: | ||
scan-images: | ||
uses: ./.github/workflows/images-vulnerability-scanning.yaml | ||
with: | ||
images_file: "build/example_images.json" |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
name: Images vulnerability scanning | ||
permissions: | ||
contents: read | ||
on: | ||
workflow_call: | ||
inputs: | ||
images_file: | ||
required: true | ||
type: string | ||
|
||
jobs: | ||
discover-images: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
- name: Read JSON file | ||
id: images-json | ||
## Select images file and print it to the output var | ||
run: | | ||
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | ||
echo "images_json<<$EOF" >> $GITHUB_OUTPUT | ||
cat ${{ inputs.images_file }} >> $GITHUB_OUTPUT | ||
echo "$EOF" >> $GITHUB_OUTPUT | ||
- name: Showing output variable | ||
run: echo ${{fromJson(steps.images-json.outputs.images_json)}} | ||
outputs: | ||
images-json: ${{steps.images-json.outputs.images_json}} | ||
report-analysis: | ||
runs-on: ubuntu-latest | ||
needs: | ||
- discover-images | ||
strategy: | ||
max-parallel: 3 | ||
fail-fast: false | ||
matrix: | ||
images: ${{fromJson(needs.discover-images.outputs.images-json).images}} | ||
name: ${{ matrix.images }} | ||
steps: | ||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
- name: Printing Image Registry | ||
id: image-registry | ||
run: echo "image_registry=${{fromJson(needs.discover-images.outputs.images-json).image_registry}}" >> "$GITHUB_ENV" | ||
- name: Printing Image Tag | ||
id: image-tag | ||
run: echo "image_tag=${{fromJson(needs.discover-images.outputs.images-json).tag}}" >> "$GITHUB_ENV" | ||
- name: Printing Image Path | ||
run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV" | ||
- name: Running vulnerability scanner | ||
uses: anchore/scan-action@v3 | ||
id: vulnerability-scanning | ||
with: | ||
image: ${{env.image_path}} | ||
fail-build: false | ||
output-format: json | ||
only-fixed: true | ||
severity-cutoff: medium | ||
- name: Parsing vulnerability scanner report | ||
run: go run pkg/tools/grype_report_parser_tool.go -s "Medium,High,Critical" -p results.json --github | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
name: Pre release | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
release_tag: | ||
description: 'Image tag in the format x.x.x' | ||
required: true | ||
type: string | ||
|
||
env: | ||
RELEASE_TAG: ${{ inputs.release_tag }} | ||
PRERELEASE_DOCS_BRANCH: 'dg8d45z' | ||
|
||
jobs: | ||
## TODO we can add a condition like github.actor.role == 'Maintainer' to limit trigger to maintainers only | ||
create_pr: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
pull-requests: write | ||
contents: write | ||
steps: | ||
- name: checkout_repo | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-tags: true | ||
fetch-depth: 0 # necessary for CURRENT_TAG tracing | ||
- name: fetch_tags | ||
run: git fetch --tags origin | ||
- name: bump_version | ||
run: | | ||
export CURRENT_TAG=$(git describe --abbrev=0 --tags) | ||
echo ./build/bump_version.sh "${CURRENT_TAG}" "${RELEASE_TAG}" | ||
./build/bump_version.sh "${CURRENT_TAG}" "${RELEASE_TAG}" | ||
make reno-report VERSION="${RELEASE_TAG}" | ||
- name: commit_changes | ||
run: | | ||
git config --global user.name 'Kasten Production' | ||
git config --global user.email '[email protected]' | ||
git checkout -B "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}" | ||
git add -A | ||
git commit -s -m "pre-release: Update version to ${RELEASE_TAG}" | ||
- name: push_changes | ||
run: git push origin "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}" | ||
- name: create_pr_body | ||
run: | | ||
echo "Update version to ${RELEASE_TAG}" > PR_BODY_FILE | ||
echo "" >> PR_BODY_FILE | ||
echo "Please check the changelog for the following merges:" >> PR_BODY_FILE | ||
export CURRENT_TAG=$(git describe --abbrev=0 --tags) | ||
git log ${CURRENT_TAG}..kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG} --pretty="- %h: %s" | grep -v ': test' | grep -v ': doc' | grep -v ': build' | grep -v ': deps' >> PR_BODY_FILE | ||
- name: create_pr | ||
run: | | ||
gh pr create --title "pre-release: Update version to ${RELEASE_TAG}" -F PR_BODY_FILE --head "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}" --base master --reviewer pavannd1,viveksinghggits,hairyhum --label kueue | ||
env: | ||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
name: Published images scanning | ||
permissions: | ||
contents: read | ||
on: | ||
workflow_dispatch: | ||
workflow_run: | ||
workflows: ["Build and test"] | ||
types: | ||
- completed | ||
branches: | ||
- master | ||
|
||
jobs: | ||
scan-images: | ||
uses: ./.github/workflows/images-vulnerability-scanning.yaml | ||
with: | ||
images_file: "build/published_images.json" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,3 +8,6 @@ | |
/dist | ||
**/*.swp | ||
/.idea | ||
/releasenotes/config.yaml | ||
CHANGELOG.rst | ||
CHANGELOG_CURRENT.rst |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -153,5 +153,6 @@ changelog: | |
exclude: | ||
- '^docs:' | ||
- '^test:' | ||
- '^pre-release:' | ||
archives: | ||
- allow_different_binary_count: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
# Code review requiements | ||
|
||
This document describes responsibilities of code reviewers when reviewing PRs. | ||
|
||
Pull request process is described in [contributing guide](./CONTRIBUTING.md#submitting-pull-requests) | ||
|
||
## Base checklist | ||
|
||
- All automated test steps pass (e.g. tests, lints, build) | ||
- PR title follows [commit conventions](CONTRIBUTING.md#commit-conventions) | ||
- If PR format is different, reviewer should change it to follow the conventions | ||
- PR has a description with reasoning and change overview | ||
- If description is missing but clear for reviewer, reviewer may request the author to add the description or edit description by themselves | ||
- New feature or fix has tests proving it works | ||
- Reviewer should request changes from contributor to add tests | ||
- If change in the PR needs documentation | ||
- Reviewer should request new docs or update to existing docs | ||
- `/docs` and `/docs_new` need to be kept in sync until we deprecate `/docs` | ||
- If PR introduces breaking changes, fixes a bug or adds a new feature, there should be a [release note](#release-notes) | ||
- Reviewer may request changes from the contributor to add a release note | ||
- Reviewer may add a release note by themself in order to unblock the merge process | ||
|
||
## Requesting changes | ||
|
||
It's recommended to request changes by submitting `comment` type reviews. | ||
`Request changes` type review would block merging until requester approves the | ||
changes, this can slow down the process if there are multiple reviewers. | ||
|
||
## Approving and merging | ||
|
||
We use `kueue` bot to merge approved PRs. | ||
|
||
If PR is approved, all checks are passing and it has the `kueue` label, it will | ||
be automatically squashed and merged. | ||
|
||
For PRs from Kanister developers, the author should add the `kueue` label after | ||
PR was approved. | ||
|
||
For PRs from community members, the reviewer should add the `kueue` label. | ||
|
||
## Release notes | ||
|
||
Kanister is using the [reno](https://docs.openstack.org/reno/latest/) tool to generate changelogs from release note files. | ||
|
||
To add release note one could run: | ||
|
||
``` | ||
make reno-new note=<note_name> | ||
``` | ||
|
||
Note name should be a short description of a change. | ||
|
||
File format is described in [reno docs](https://docs.openstack.org/reno/latest/user/usage.html#editing-a-release-note) | ||
|
||
Typical examples would be: | ||
|
||
``` | ||
--- | ||
features: | ||
- Added new functionality doing X | ||
``` | ||
|
||
Or: | ||
|
||
``` | ||
--- | ||
fixes: | ||
- Fixed bug with pod output format | ||
upgrade: | ||
- Make sure custom blueprints follow pod output format spec | ||
``` | ||
|
||
See [release notes](./releasenotes/README.md) for more info. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.