Merge branch 'main' into go123

jetstack · Aug 19, 2024 · cbf1971 · cbf1971
2 parents 5b312eb + e0a12c4
commit cbf1971
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 16 deletions.
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -20,14 +20,26 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Golang
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804      # v4.0.0
         with:
           version: v1.54
           args: --timeout 10m --exclude SA5011 --verbose --issues-exit-code=0
           only-new-issues: true
 
+  govulncheck:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+           go-version-file: go.mod
+           go-package: ./...
+
   test:
     name: Run unit tests for Go packages
     runs-on: ubuntu-latest
@@ -36,6 +48,8 @@ jobs:
       uses: actions/checkout@v3 # v3.5.3
     - name: Setup Go
       uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
 
     - name: Download and required packages
       run: |
@@ -44,13 +58,13 @@ jobs:
     - name: Run all unit tests
       run: make test
 
-    - name: check test coverage
-      uses: vladopajic/go-test-coverage@v2
-      with:
-        config: ./.testcoverage.yml
+    - name: Check test coverage
+      run: |
+        go install github.com/vladopajic/go-test-coverage/v2@latest
+        go-test-coverage --config=./.testcoverage.yml
 
     - name: Generate code coverage artifacts
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: actions/upload-artifact@v4
       with:
         name: code-coverage
         path: coverage.out

diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
@@ -50,3 +50,14 @@ jobs:
             exit 0
           fi
           helm unittest deploy/charts/version-checker
+
+  security_policies:
+    name: Verify that the Helm chart complies with the pod security standards
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Install Kyverno CLI
+        uses: kyverno/[email protected]
+      - uses: azure/setup-helm@v3
+      - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -0,0 +1,32 @@
+name: 'Close stale issues and PRs'
+
+on:
+  schedule:
+  - cron: '21 1 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
+    runs-on: 'ubuntu-latest'
+    steps:
+    - uses: 'actions/stale@v9'
+      with:
+        stale-issue-message: |-
+          This issue has been automatically marked as stale because it has not had
+          any activity in the last 90 days. It will be closed if no further activity
+          occurs. Thank you for your contributions.
+        stale-issue-label: 'stale'
+        exempt-issue-labels: 'enhancement,security,pinned'
+
+        stale-pr-message: |-
+          This Pull Request is stale because it has been open for 60 days with
+          no activity. It will be closed in 7 days if no further activity.
+        stale-pr-label: 'stale'
+
+        days-before-stale: 90
+        days-before-close: 7
diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml
@@ -432,7 +432,14 @@ tests:
         runAsUser: 65534
       securityContext:
         allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - ALL
         readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
     asserts:
       - equal:
           path: spec.template.spec.securityContext
@@ -442,4 +449,11 @@ tests:
           path: spec.template.spec.containers[0].securityContext
           value:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            seccompProfile:
+              type: RuntimeDefault
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
@@ -127,16 +127,15 @@ resources:
 
 # -- Set container-level security context
 securityContext:
-  {}
-  # allowPrivilegeEscalation: false
-  # capabilities:
-  #   drop:
-  #     - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 65534
-  # seccompProfile:
-  #   type: RuntimeDefault
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 65534
+  seccompProfile:
+    type: RuntimeDefault
 
 # -- Set pod-level security context
 podSecurityContext: {}

diff --git a/go.mod b/go.mod
@@ -2,6 +2,7 @@ module github.com/jetstack/version-checker
 
 go 1.23.0
 
+
 // Do not remove this comment:
 // please place any replace statements here at the top for visibility and add a
 // comment to it as to when it can be removed