Merge branch 'master' into restore-snapshot-parallelism

kanisterio · Jun 26, 2024 · 40797bb · 40797bb
2 parents 82f3fa9 + 766794e
commit 40797bb
Show file tree

Hide file tree

Showing 71 changed files with 962 additions and 497 deletions.
diff --git a/.github/workflows/atlas-image-build.yaml b/.github/workflows/atlas-image-build.yaml
@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78 # v44.5.2
+      - uses: tj-actions/changed-files@cc733854b1f224978ef800d29e4709d5ee2883e4 # v44.5.5
         name: Get changed files
         id: changed-files
         with:
@@ -57,7 +57,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
-      uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
+      uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
       with:
         context: "{{defaultContext}}:docker/mongodb-atlas"
         push: true

diff --git a/.github/workflows/example-images-scanning.yaml b/.github/workflows/example-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Example images scanning
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and test"]
+    types:
+      - completed
+    branches:
+      - master
+
+jobs:
+  scan-images:
+    uses: ./.github/workflows/images-vulnerability-scanning.yaml
+    with:
+      images_file: "build/example_images.json"
diff --git a/.github/workflows/grype-vulnerability-scanner.yaml b/.github/workflows/grype-vulnerability-scanner.yaml
diff --git a/.github/workflows/images-vulnerability-scanning.yaml b/.github/workflows/images-vulnerability-scanning.yaml
@@ -0,0 +1,59 @@
+name: Images vulnerability scanning
+permissions:
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      images_file:
+        required: true
+        type: string
+
+jobs:
+  discover-images:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Read JSON file
+        id: images-json
+        ## Select images file and print it to the output var
+        run: |
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "images_json<<$EOF" >> $GITHUB_OUTPUT
+          cat ${{ inputs.images_file }} >> $GITHUB_OUTPUT
+          echo "$EOF" >> $GITHUB_OUTPUT
+      - name: Showing output variable
+        run: echo ${{fromJson(steps.images-json.outputs.images_json)}}
+    outputs:
+      images-json: ${{steps.images-json.outputs.images_json}}
+  report-analysis:
+    runs-on: ubuntu-latest
+    needs:
+      - discover-images
+    strategy:
+      max-parallel: 3
+      fail-fast: false
+      matrix:
+        images: ${{fromJson(needs.discover-images.outputs.images-json).images}}
+    name: ${{ matrix.images }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Printing Image Registry
+        id: image-registry
+        run: echo "image_registry=${{fromJson(needs.discover-images.outputs.images-json).image_registry}}" >>  "$GITHUB_ENV"
+      - name: Printing Image Tag
+        id: image-tag
+        run: echo "image_tag=${{fromJson(needs.discover-images.outputs.images-json).tag}}" >>  "$GITHUB_ENV"
+      - name: Printing Image Path
+        run: echo "image_path=${{env.image_registry}}/${{matrix.images}}:${{env.image_tag}}" >> "$GITHUB_ENV"
+      - name: Running vulnerability scanner
+        uses: anchore/scan-action@v3
+        id: vulnerability-scanning
+        with:
+          image: ${{env.image_path}}
+          fail-build: false
+          output-format: json
+          only-fixed: true
+          severity-cutoff: medium
+      - name: Parsing vulnerability scanner report
+        run: go run pkg/tools/grype_report_parser_tool.go -s "Medium,High,Critical" -p results.json --github
+
diff --git a/.github/workflows/kanister-image-build.yaml b/.github/workflows/kanister-image-build.yaml
@@ -71,7 +71,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build and push
-      uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
+      uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
       with:
         context: "{{defaultContext}}:docker/build"
         platforms: linux/amd64,linux/arm64

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -44,6 +44,22 @@ jobs:
     - name: restore_gosum
       run: echo "${{needs.gomod.outputs.gosum}}" > go.sum
     - run: make golint
+
+  reno_lint:
+    runs-on: ubuntu-20.04
+    needs: gomod
+    steps:
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      with:
+        fetch-depth: 0
+    - name: reset_git_extension
+      run: git config --unset-all extensions.worktreeconfig
+    - name: reno_lint
+      run: make reno-lint
+    ## Reno lint does not catch some errors which make reno report fail
+    - name: reno_report_check
+      run: make reno-report
+
   test:
     runs-on: ubuntu-20.04
     needs: gomod

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -0,0 +1,57 @@
+name: Pre release
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Image tag in the format x.x.x'
+        required: true
+        type: string
+
+env:
+  RELEASE_TAG: ${{ inputs.release_tag }}
+  PRERELEASE_DOCS_BRANCH: 'dg8d45z'
+
+jobs:
+  ## TODO we can add a condition like github.actor.role == 'Maintainer' to limit trigger to maintainers only
+  create_pr:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+    steps:
+    - name: checkout_repo
+      uses: actions/checkout@v4
+      with:
+        fetch-tags: true
+        fetch-depth: 0 # necessary for CURRENT_TAG tracing
+    - name: fetch_tags
+      run: git fetch --tags origin
+    - name: bump_version
+      run: |
+        export CURRENT_TAG=$(git describe --abbrev=0 --tags)
+        echo ./build/bump_version.sh "${CURRENT_TAG}" "${RELEASE_TAG}"
+        ./build/bump_version.sh "${CURRENT_TAG}" "${RELEASE_TAG}"
+        make reno-report VERSION="${RELEASE_TAG}"
+    - name: commit_changes
+      run: |
+        git config --global user.name 'Kasten Production'
+        git config --global user.email '[email protected]'
+        git checkout -B "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}"
+        git add -A
+        git commit -s -m "pre-release: Update version to ${RELEASE_TAG}"
+    - name: push_changes
+      run: git push origin "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}"
+    - name: create_pr_body
+      run: |
+        echo "Update version to ${RELEASE_TAG}" > PR_BODY_FILE
+        echo "" >> PR_BODY_FILE
+        echo "Please check the changelog for the following merges:" >> PR_BODY_FILE
+        export CURRENT_TAG=$(git describe --abbrev=0 --tags)
+        git log ${CURRENT_TAG}..kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG} --pretty="- %h: %s"  | grep -v ': test' | grep -v ': doc' | grep -v ': build' | grep -v ': deps'  >> PR_BODY_FILE
+    - name: create_pr
+      run: |
+        gh pr create --title "pre-release: Update version to ${RELEASE_TAG}" -F PR_BODY_FILE --head "kan-docs-${PRERELEASE_DOCS_BRANCH}-${RELEASE_TAG}" --base master --reviewer pavannd1,viveksinghggits,hairyhum --label kueue
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
diff --git a/.github/workflows/published-images-scanning.yaml b/.github/workflows/published-images-scanning.yaml
@@ -0,0 +1,17 @@
+name: Published images scanning
+permissions:
+  contents: read
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and test"]
+    types:
+      - completed
+    branches:
+      - master
+
+jobs:
+  scan-images:
+    uses: ./.github/workflows/images-vulnerability-scanning.yaml
+    with:
+      images_file: "build/published_images.json"
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,6 @@
 /dist
 **/*.swp
 /.idea
+/releasenotes/config.yaml
+CHANGELOG.rst
+CHANGELOG_CURRENT.rst
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -153,5 +153,6 @@ changelog:
     exclude:
     - '^docs:'
     - '^test:'
+    - '^pre-release:'
 archives:
   - allow_different_binary_count: true
diff --git a/CODE_REVIEW.md b/CODE_REVIEW.md
@@ -0,0 +1,74 @@
+# Code review requiements
+
+This document describes responsibilities of code reviewers when reviewing PRs.
+
+Pull request process is described in [contributing guide](./CONTRIBUTING.md#submitting-pull-requests)
+
+## Base checklist
+
+- All automated test steps pass (e.g. tests, lints, build)
+- PR title follows [commit conventions](CONTRIBUTING.md#commit-conventions)
+    - If PR format is different, reviewer should change it to follow the conventions
+- PR has a description with reasoning and change overview
+    - If description is missing but clear for reviewer, reviewer may request the author to add the description or edit description by themselves
+- New feature or fix has tests proving it works
+    - Reviewer should request changes from contributor to add tests
+- If change in the PR needs documentation
+    - Reviewer should request new docs or update to existing docs
+    - `/docs` and `/docs_new` need to be kept in sync until we deprecate `/docs`
+- If PR introduces breaking changes, fixes a bug or adds a new feature, there should be a [release note](#release-notes)
+    - Reviewer may request changes from the contributor to add a release note
+    - Reviewer may add a release note by themself in order to unblock the merge process
+
+## Requesting changes
+
+It's recommended to request changes by submitting `comment` type reviews.
+`Request changes` type review would block merging until requester approves the
+changes, this can slow down the process if there are multiple reviewers.
+
+## Approving and merging
+
+We use `kueue` bot to merge approved PRs.
+
+If PR is approved, all checks are passing and it has the `kueue` label, it will
+be automatically squashed and merged.
+
+For PRs from Kanister developers, the author should add the `kueue` label after
+PR was approved.
+
+For PRs from community members, the reviewer should add the `kueue` label.
+
+## Release notes
+
+Kanister is using the [reno](https://docs.openstack.org/reno/latest/) tool to generate changelogs from release note files.
+
+To add release note one could run:
+
+```
+make reno-new note=<note_name>
+```
+
+Note name should be a short description of a change.
+
+File format is described in [reno docs](https://docs.openstack.org/reno/latest/user/usage.html#editing-a-release-note)
+
+Typical examples would be:
+
+```
+---
+features:
+  - Added new functionality doing X
+```
+
+Or:
+
+```
+---
+fixes:
+  - Fixed bug with pod output format
+upgrade:
+  - Make sure custom blueprints follow pod output format spec
+```
+
+See [release notes](./releasenotes/README.md) for more info.
+
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -95,6 +95,16 @@ We are using squash and merge approach to PRs which means that commit descriptio
 
 It's recommended to use conventional commits when strarting a PR, but follow-up commits in the PR don't have to follow the convention.
 
+### Release notes
+
+If submitted change fixes a bug, introduces a new feature or breaking change, contributor should add a release note.
+Kanister is using the [reno](https://docs.openstack.org/reno/latest/) tool to track release notes.
+
+Release note can be added with `make reno-new note=<note_name>` command, which will create a note file.
+Contributor should edit and commit the note file.
+
+See [release notes](./releasenotes/README.md) for more info.
+
 ### Submitting Pull Requests
 
 **PR titles should be in following format:**