From 462a1eef43ffddefc787bda0a3790946712c9fe0 Mon Sep 17 00:00:00 2001 From: Benjamin FERNANDEZ Date: Fri, 21 Jul 2023 12:33:05 +0200 Subject: [PATCH] Change github actions --- .github/workflows/artifacts.yaml | 157 ----------------------- .github/workflows/checks-release.yaml | 18 +++ .github/workflows/checks.yaml | 51 ++++++-- .github/workflows/ci.yaml | 173 -------------------------- ADOPTERS.md | 16 --- MAINTAINERS | 6 - 6 files changed, 60 insertions(+), 361 deletions(-) delete mode 100644 .github/workflows/artifacts.yaml create mode 100644 .github/workflows/checks-release.yaml delete mode 100644 .github/workflows/ci.yaml delete mode 100644 ADOPTERS.md delete mode 100644 MAINTAINERS diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml deleted file mode 100644 index 88239c6e78..0000000000 --- a/.github/workflows/artifacts.yaml +++ /dev/null @@ -1,157 +0,0 @@ -name: Artifacts - -on: - workflow_call: - inputs: - publish: - description: Publish artifacts to the artifact store - default: false - required: false - type: boolean - outputs: - container-image-name: - description: Container image name - value: ${{ jobs.container-image.outputs.name }} - container-image-digest: - description: Container image digest - value: ${{ jobs.container-image.outputs.digest }} - container-image-ref: - description: Container image ref - value: ${{ jobs.container-image.outputs.ref }} - -permissions: - contents: read - -jobs: - container-image: - name: Container image - runs-on: ubuntu-latest - - strategy: - matrix: - variant: - - alpine - - distroless - - permissions: - contents: read - packages: write - id-token: write - security-events: write - - outputs: - name: ${{ steps.image-name.outputs.value }} - digest: ${{ steps.build.outputs.digest }} - ref: ${{ steps.image-ref.outputs.value }} - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0 - - - name: Set up Syft - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - - - name: Set image name - id: image-name - run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" - - - name: Gather build metadata - id: meta - uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 - with: - images: | - ${{ steps.image-name.outputs.value }} - dexidp/dex - flavor: | - latest = false - tags: | - type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} - type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} - type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} - type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} - type=ref,event=branch,suffix=-${{ matrix.variant }} - type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} - type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} - type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} - labels: | - org.opencontainers.image.documentation=https://dexidp.io/docs/ - - # Multiple exporters are not supported yet - # See https://github.com/moby/buildkit/pull/2760 - - name: Determine build output - uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 - id: build-output - with: - cond: ${{ inputs.publish }} - if_true: type=image,push=true - if_false: type=oci,dest=image.tar - - - name: Login to GitHub Container Registry - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ github.token }} - if: inputs.publish - - - name: Set image ref - id: image-ref - run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" - - - name: Fetch image - run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar - if: inputs.publish - - # Uncomment the following lines for debugging: - # - name: Upload image as artifact - # uses: actions/upload-artifact@v3 - # with: - # name: "[${{ github.job }}] OCI tarball" - # path: image.tar - - - name: Extract OCI tarball - run: | - mkdir -p image - tar -xf image.tar -C image - - # - name: List tags - # run: skopeo --insecure-policy list-tags oci:image - # - # # See https://github.com/anchore/syft/issues/1545 - # - name: Extract image from multi-arch image - # run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar - # - # - name: Generate SBOM - # run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar - # - # - name: Upload SBOM as artifact - # uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - # with: - # name: "[${{ github.job }}] SBOM" - # path: sbom-spdx.json - # retention-days: 5 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 - with: - input: image - format: sarif - output: trivy-results.sarif - - - name: Upload Trivy scan results as artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: "[${{ github.job }}] Trivy scan results" - path: trivy-results.sarif - retention-days: 5 - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 - with: - sarif_file: trivy-results.sarif diff --git a/.github/workflows/checks-release.yaml b/.github/workflows/checks-release.yaml new file mode 100644 index 0000000000..2d093d503e --- /dev/null +++ b/.github/workflows/checks-release.yaml @@ -0,0 +1,18 @@ +name: Check release + +on: + pull_request: + branches: ['release-orange'] + +jobs: + release-label: + name: Release note label + runs-on: ubuntu-latest + + steps: + - name: Check minimum labels + uses: mheap/github-action-required-labels@v5 + with: + mode: minimum + count: 1 + labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update" diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 5a1cd80f17..62d61b249b 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -1,18 +1,51 @@ -name: PR Checks +name: Checks on: + push: + branches: ['release-orange'] pull_request: - types: [opened, labeled, unlabeled, synchronize] + branches: ['release-orange'] jobs: - release-label: - name: Release note label + lint: + name: Lint runs-on: ubuntu-latest steps: - - name: Check minimum labels - uses: mheap/github-action-required-labels@v5 + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Set up Go + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + with: + go-version: "1.20" + + - name: Download golangci-lint + run: make bin/golangci-lint + + - name: Lint + run: make lint + + security-scan: + name: Trivy vulnerability scanner + runs-on: ubuntu-latest + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 + with: + #input: image + scan-type: 'fs' + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results as artifact + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: "[${{ github.job }}] Trivy scan results" + path: trivy-results.sarif + retention-days: 5 + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: - mode: minimum - count: 1 - labels: "release-note/ignore, kind/feature, release-note/new-feature, kind/enhancement, release-note/enhancement, kind/bug, release-note/bug-fix, release-note/breaking-change, release-note/deprecation, area/dependencies, release-note/dependency-update" + sarif_file: trivy-results.sarif diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index 0b9713773b..0000000000 --- a/.github/workflows/ci.yaml +++ /dev/null @@ -1,173 +0,0 @@ -name: CI - -on: - push: - branches: [ master ] - pull_request: - -permissions: - contents: read - -jobs: - test: - name: Test - runs-on: ubuntu-latest - - services: - postgres: - image: postgres:10.8 - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - postgres-ent: - image: postgres:10.8 - ports: - - 5432 - options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - mysql-ent: - image: mysql:5.7 - env: - MYSQL_ROOT_PASSWORD: root - MYSQL_DATABASE: dex - ports: - - 3306 - options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5 - - etcd: - image: gcr.io/etcd-development/etcd:v3.5.0 - ports: - - 2379 - env: - ETCD_LISTEN_CLIENT_URLS: http://0.0.0.0:2379 - ETCD_ADVERTISE_CLIENT_URLS: http://0.0.0.0:2379 - options: --health-cmd "ETCDCTL_API=3 etcdctl --endpoints http://localhost:2379 endpoint health" --health-interval 10s --health-timeout 5s --health-retries 5 - - keystone: - image: openio/openstack-keystone:rocky - ports: - - 5000 - - 35357 - options: --health-cmd "curl --fail http://localhost:5000/v3" --health-interval 10s --health-timeout 5s --health-retries 5 - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: "1.20" - - - name: Download tool dependencies - run: make deps - - # Ensure that generated files were committed. - # It can help us determine, that the code is in the intermediate state, which should not be tested. - # Thus, heavy jobs like creating a kind cluster and testing / linting will be skipped. - - name: Verify - run: make verify - - - name: Start services - run: docker-compose -f docker-compose.test.yaml up -d - - - name: Create kind cluster - uses: helm/kind-action@v1.8.0 - with: - version: "v0.17.0" - node_image: "kindest/node:v1.25.3@sha256:cd248d1438192f7814fbca8fede13cfe5b9918746dfa12583976158a834fd5c5" - - - name: Test - run: make testall - env: - DEX_MYSQL_DATABASE: dex - DEX_MYSQL_USER: root - DEX_MYSQL_PASSWORD: root - DEX_MYSQL_HOST: 127.0.0.1 - DEX_MYSQL_PORT: ${{ job.services.mysql.ports[3306] }} - - DEX_MYSQL_ENT_DATABASE: dex - DEX_MYSQL_ENT_USER: root - DEX_MYSQL_ENT_PASSWORD: root - DEX_MYSQL_ENT_HOST: 127.0.0.1 - DEX_MYSQL_ENT_PORT: ${{ job.services.mysql-ent.ports[3306] }} - - DEX_POSTGRES_DATABASE: postgres - DEX_POSTGRES_USER: postgres - DEX_POSTGRES_PASSWORD: postgres - DEX_POSTGRES_HOST: localhost - DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }} - - DEX_POSTGRES_ENT_DATABASE: postgres - DEX_POSTGRES_ENT_USER: postgres - DEX_POSTGRES_ENT_PASSWORD: postgres - DEX_POSTGRES_ENT_HOST: localhost - DEX_POSTGRES_ENT_PORT: ${{ job.services.postgres-ent.ports[5432] }} - - DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }} - - DEX_LDAP_HOST: localhost - DEX_LDAP_PORT: 389 - DEX_LDAP_TLS_PORT: 636 - - DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }} - DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }} - DEX_KEYSTONE_ADMIN_USER: demo - DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS - - DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config - - lint: - name: Lint - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: "1.20" - - - name: Download golangci-lint - run: make bin/golangci-lint - - - name: Lint - run: make lint - - artifacts: - name: Artifacts - uses: ./.github/workflows/artifacts.yaml - with: - publish: ${{ github.event_name == 'push' }} - secrets: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - permissions: - contents: read - packages: write - id-token: write - security-events: write - - dependency-review: - name: Dependency review - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - - steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Dependency Review - uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 diff --git a/ADOPTERS.md b/ADOPTERS.md deleted file mode 100644 index fddaa38f20..0000000000 --- a/ADOPTERS.md +++ /dev/null @@ -1,16 +0,0 @@ -# Adopters - -This is a list of production adopters of Dex (in alphabetical order): - -- [Argo CD](https://argoproj.github.io/cd) integrates Dex to provide convenient Single Sign On capabilities to its web UI and CLI -- [Aspect](https://www.aspect.com/) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support). -- [Banzai Cloud](https://banzaicloud.com) is using Dex for authenticating to its Pipeline control plane and also to authenticate users against provisioned Kubernetes clusters (via Kubernetes OIDC support). -- [Chef](https://chef.io) uses Dex for authenticating users in [Chef Automate](https://automate.chef.io/). The code is Open Source, available at [`github.com/chef/automate`](https://github.com/chef/automate). -- [Elastisys](https://elastisys.com) uses Dex for authentication in their [Compliant Kubernetes](https://compliantkubernetes.io) distribution, including SSO to the custom dashboard, Grafana, Kibana, and Harbor. -- [Flant](https://flant.com) uses Dex for providing access to core components of [Managed Kubernetes as a Service](https://flant.com/services/managed-kubernetes-as-a-service), integration with various authentication providers, plugging custom applications. -- [JuliaBox](https://juliabox.com/) is leveraging federated OIDC provided by Dex for authenticating users to their compute infrastructure based on Kubernetes. -- [Kasten](https://www.kasten.io) is using Dex for authenticating access to the dashboard of [K10](https://www.kasten.io/product/), a Kubernetes-native platform for backup, disaster recovery and mobility of Kubernetes applications. K10 is widely used by a variety of customers including large enterprises, financial services, design firms, and IT companies. -- [Kyma](https://kyma-project.io) is using Dex to authenticate access to Kubernetes API server (even for managed Kubernetes like Google Kubernetes Engine or Azure Kubernetes Service) and for protecting web UI of [Kyma Console](https://github.com/kyma-project/console) and other UIs integrated in Kyma ([Grafana](https://github.com/grafana/grafana), [Loki](https://github.com/grafana/loki), and [Jaeger](https://github.com/jaegertracing/jaeger)). Kyma is an open-source project ([`github.com/kyma-project`](https://github.com/kyma-project/kyma)) designed natively on Kubernetes, that allows you to extend and customize your applications in a quick and modern way, using serverless computing or microservice architecture. -- [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) in conjunction with the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) for protecting web UIs. -- [Pydio](https://pydio.com/) Pydio Cells is an open source sync & share platform written in Go. Cells is using Dex as an OIDC service for authentication and authorizations. Check out [Pydio Cells repository](https://github.com/pydio/cells) for more information and/or to contribute. -- [sigstore](https://sigstore.dev) uses Dex for authentication in their public Fulcio instance, which is a certificate authority for code signing certificates bound to OIDC-based identities. diff --git a/MAINTAINERS b/MAINTAINERS deleted file mode 100644 index b95c2499de..0000000000 --- a/MAINTAINERS +++ /dev/null @@ -1,6 +0,0 @@ -Joel Speed (@JoelSpeed) -Maksim Nabokikh (@nabokihms) -Mark Sagi-Kazar (@sagikazarmark) -Nandor Kracser (@bonifaido) -Rithu John (@rithujohn191) -Stephen Augustus (@justaugustus)