diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 8908e21..eb3695e 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -20,7 +20,9 @@ jobs: - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.0 + uses: actions/setup-go@v4 + with: + go-version-file: go.mod - name: Run golangci-lint uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 with:
@@ -28,6 +30,16 @@ jobs: args: --timeout 10m --exclude SA5011 --verbose --issues-exit-code=0 only-new-issues: true + govulncheck: + runs-on: ubuntu-latest + name: Run govulncheck + steps: + - id: govulncheck + uses: golang/govulncheck-action@v1 + with: + go-version-file: go.mod + go-package: ./... + test: name: Run unit tests for Go packages runs-on: ubuntu-latest
@@ -36,6 +48,8 @@ jobs: uses: actions/checkout@v3 # v3.5.3 - name: Setup Go uses: actions/setup-go@v4 + with: + go-version-file: go.mod - name: Download and required packages run: |
@@ -44,13 +58,13 @@ jobs: - name: Run all unit tests run: make test - - name: check test coverage - uses: vladopajic/go-test-coverage@v2 - with: - config: ./.testcoverage.yml + - name: Check test coverage + run: | + go install github.com/vladopajic/go-test-coverage/v2@latest + go-test-coverage --config=./.testcoverage.yml - name: Generate code coverage artifacts - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@v4 with: name: code-coverage path: coverage.out
diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml
index 66b298f..3690b32 100644
--- a/.github/workflows/helm-test.yaml
+++ b/.github/workflows/helm-test.yaml
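Review bot: The replacement `uses: actions/setup-go@v4` drops the commit-SHA pin the removed line carried (`fac708d…` # v4.0.0) while `actions/checkout` two lines above keeps its SHA pin, so this job now resolves a mutable tag at run time and whoever can move or republish the `v4` tag decides what runs in CI. The same regression appears in the `@@ -44` hunk (`actions/upload-artifact@v4` replacing the `0b7f8abb…` # v3.1.2 pin), and the newly added `golang/govulncheck-action@v1` in `@@ -28`, `kyverno/action-install-cli@v0.2.0` and `azure/setup-helm@v3` in helm-test.yaml, and `actions/stale@v9` in stale.yaml are all tag references as well. Keep the file's existing convention for every one of them: `uses: actions/setup-go@<commit SHA of the intended v4 release> # v4.x.y`, with the version in the trailing comment so Dependabot/Renovate can still track updates.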
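Review bot: The new `govulncheck` job in the `@@ -28` hunk declares no `permissions:` block, so its GITHUB_TOKEN gets whatever the workflow-level default is; the top of build-test.yaml is outside this diff, so I cannot tell whether that default is already restricted. The job only needs to read the repository, so it is safest to state that explicitly on the job: `permissions:` / `  contents: read`. If the workflow already sets a read-only default at the top, this is just documentation of intent and costs nothing.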
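Review bot: `go install github.com/vladopajic/go-test-coverage/v2@latest` in the new Check test coverage step makes the coverage gate depend on whatever version is published at run time, so an upstream change in how thresholds are evaluated, or a bad release, alters CI results with no change in this repo and no reproducible way to bisect it. The step it replaces at least referenced a fixed major (`vladopajic/go-test-coverage@v2`); pin the module to an exact version, `go install github.com/vladopajic/go-test-coverage/v2@<pinned version>`, and bump it deliberately like any other dependency. The `# v3.1.2`-style trailing comment the file uses for actions would be a good place to record why a given version was chosen.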
@@ -50,3 +50,14 @@ jobs:
 exit 0
 fi
 helm unittest deploy/charts/version-checker
+
+ security_policies:
+ name: Verify that the Helm chart complies with the pod security standards
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - name: Install Kyverno CLI
+ uses: kyverno/action-install-cli@v0.2.0
+ - uses: azure/setup-helm@v3
+ - run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource <(helm template deploy/charts/version-checker/)
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
new file mode 100644
index 0000000..42634e1
--- /dev/null
+++ b/.github/workflows/stale.yaml
@@ -0,0 +1,32 @@
+name: 'Close stale issues and PRs'
+
+on:
+ schedule:
+ - cron: '21 1 * * *'
+
+permissions:
+ contents: read
+
+jobs:
+ stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
+ runs-on: 'ubuntu-latest'
+ steps:
+ - uses: 'actions/stale@v9'
+ with:
+ stale-issue-message: |-
+ This issue has been automatically marked as stale because it has not had
+ any activity in the last 90 days. It will be closed if no further activity
+ occurs. Thank you for your contributions.
+ stale-issue-label: 'stale'
+ exempt-issue-labels: 'enhancement,security,pinned'
+
+ stale-pr-message: |-
+ This Pull Request is stale because it has been open for 60 days with
+ no activity. It will be closed in 7 days if no further activity.
+ stale-pr-label: 'stale'
+
+ days-before-stale: 90
+ days-before-close: 7
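Review bot: The `kyverno apply ... --resource <(helm template deploy/charts/version-checker/)` step hides a failing `helm template`: the exit status of a process substitution is not propagated to the outer command, so if rendering fails kyverno is handed an empty or partial document and the job can go green without having evaluated the chart at all. Render to a file first so a render error fails the step on its own: `- run: helm template deploy/charts/version-checker/ > rendered.yaml` followed by `- run: kyverno apply -p https://github.com/kyverno/policies/pod-security/restricted --git-branch main --resource rendered.yaml`. Two further points on the same line: `--git-branch main` fetches the policy set from a moving branch, so what this gate enforces can change without any commit here (pin a release tag if the CLI accepts one, or vendor the policies into the repo), and it is worth confirming that the installed `kyverno apply` exits non-zero on a `fail` result, otherwise the step is informational only. The job also has no `permissions:` block; `contents: read` is all it needs.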
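Review bot: `stale-pr-message` tells contributors the pull request "has been open for 60 days with no activity", but the only threshold configured is `days-before-stale: 90`, which applies to issues and pull requests alike, so the message is wrong by a month. Either add `days-before-pr-stale: 60` under `with:` so PRs really are marked at 60 days, or change the message to say 90. Separately, `exempt-issue-labels` protects `security`-labelled issues but there is no PR-side counterpart, so a PR carrying the `security` label is still closed after 97 days of inactivity; add `exempt-pr-labels: 'security'` if that is not intended. The workflow-level `contents: read` with job-scoped `issues: write` / `pull-requests: write` is the right shape.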
@@ -432,7 +432,14 @@ tests:
 runAsUser: 65534
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
 asserts:
 - equal:
 path: spec.template.spec.securityContext
@@ -442,4 +449,11 @@ tests:
 path: spec.template.spec.containers[0].securityContext
 value:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml
index 427043b..5d6f39a 100644
--- a/deploy/charts/version-checker/values.yaml
+++ b/deploy/charts/version-checker/values.yaml
@@ -127,16 +127,15 @@ resources: # -- Set container-level security context securityContext: - {} - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 65534 - # seccompProfile: - # type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault # -- Set pod-level security context podSecurityContext: {}
diff --git a/go.mod b/go.mod
index fe1da3d..4c2a667 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,7 @@ module github.com/jetstack/version-checker go 1.23.0 + // Do not remove this comment: // please place any replace statements here at the top for visibility and add a // comment to it as to when it can be removed
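Review bot: The `# -- Set container-level security context` helm-docs comment above `securityContext:` in values.yaml no longer describes the block now that it ships hardened defaults instead of `{}`; someone overriding a single field needs to know what they are relaxing and what will catch it. Suggested replacement comment: `# -- Container-level security context. The defaults meet the "restricted" Pod Security Standard (no privilege escalation, all capabilities dropped, read-only root filesystem, non-root uid 65534, RuntimeDefault seccomp) and are verified in CI by the security_policies job in helm-test.yaml; relaxing any of them is likely to fail that check.` Since `readOnlyRootFilesystem: true` is now on by default, this deserves a chart changelog entry: any existing deployment that relies on writing to the container filesystem will break on upgrade, and that is a behaviour change rather than a bug fix. `podSecurityContext: {}` below stays empty, which is acceptable for the restricted profile because the container-level fields satisfy it; setting `seccompProfile` and `runAsNonRoot` at pod level as well would cover any sidecar added later, but that is optional.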