Merge branch 'main' into update-sonar-docs

kosli-dev · Sep 26, 2024 · 82f4853 · 82f4853
2 parents 84616ab + a43fc6f
commit 82f4853
Show file tree

Hide file tree

Showing 43 changed files with 910 additions and 261 deletions.
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
diff --git a/.github/workflows/init_kosli.yml b/.github/workflows/init_kosli.yml
@@ -77,7 +77,7 @@ jobs:
                 --org ${{inputs.kosli_org}}
 
 
-        - name: Attest never alone data to Kosli Trail
+        - name: Report never-alone attestation to Kosli
           if: ${{ github.ref == 'refs/heads/main' }}
           env:
             KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
@@ -88,15 +88,16 @@ jobs:
             ./bin/never_alone/get_commit_and_pr_info.sh -c ${GITHUB_SHA} -o ${USER_DATA_FILENAME} 
             
             PR_URL=$(cat ${USER_DATA_FILENAME} | jq -r '.pullRequest.url // empty')
-            PR_ANNOTATE_ARG=""
             if [ -n "$PR_URL" ]; then
                 PR_ANNOTATE_ARG="--annotate pull_request=$PR_URL"
+            else
+                PR_ANNOTATE_ARG=""
             fi
 
             kosli attest generic \
-              --org ${{inputs.kosli_org}} \
-              --flow ${{inputs.flow_name}} \
-              --trail ${{inputs.trail_name}} \
+              --org=${{inputs.kosli_org}} \
+              --flow=${{inputs.flow_name}} \
+              --trail=${{inputs.trail_name}} \
               --name=never-alone-data \
               --compliant=true \
               --user-data="${USER_DATA_FILENAME}" \

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -49,12 +49,12 @@ jobs:
       FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
       KOSLI_ORG: kosli-public
     secrets:
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
       pr_github_token: ${{ secrets.GITHUB_TOKEN }}
 
 
   test:
-    needs: [pre-build]
+    needs: [pre-build, init-kosli]
     uses: ./.github/workflows/test.yml
     with:
       AWS_ACCOUNT_ID: 772819027869
@@ -71,9 +71,9 @@ jobs:
       bitbucket_password: ${{ secrets.KOSLI_BITBUCKET_PASSWORD }}
       jira_api_token: ${{ secrets.KOSLI_JIRA_API_TOKEN }}
       slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
-      slack_channel: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }}
+      slack_channel: ci-failures
       snyk_token: ${{ secrets.SNYK_TOKEN }}
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
 
   docker:
     needs: [pre-build, test, init-kosli]
@@ -86,8 +86,8 @@ jobs:
       kosli_org: kosli-public
     secrets:
       slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
-      slack_channel: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }} 
+      slack_channel: ci-failures
       ghcr_user: ${{ secrets.GHCR_USER }}
       ghcr_token: ${{ secrets.GHCR_TOKEN }}
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
       snyk_token: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/never_alone_trail.yml b/.github/workflows/never_alone_trail.yml
@@ -15,6 +15,12 @@ on:
           attestation_name:
             required: true
             type: string
+          parent_flow_name:
+            required: false
+            type: string
+          parent_trail_name:
+            required: false
+            type: string
           kosli_org:
             required: true
             type: string
@@ -41,8 +47,7 @@ jobs:
         - name: setup-kosli-cli
           uses: kosli-dev/setup-cli-action@v2
           with:
-            version:
-                ${{ vars.KOSLI_CLI_VERSION }}
+            version: ${{ vars.KOSLI_CLI_VERSION }}
 
         - name: Update never-alone flow
           env:
@@ -58,12 +63,14 @@ jobs:
             KOSLI_ORG: ${{ inputs.kosli_org }}
             GH_TOKEN: ${{ github.token }}
           run: |
-            BASE_COMMIT=$(./bin/never_alone/get_commit_of_latest_release.sh)
+            START_COMMIT_SHA=$(./bin/never_alone/get_commit_of_latest_release.sh)
             
             ./bin/never_alone/create_never_alone_trail.sh \
               -f ${{inputs.flow_name}} \
               -t ${{inputs.trail_name}} \
-              -b ${BASE_COMMIT} \
-              -p ${GITHUB_SHA} \
+              -b ${START_COMMIT_SHA} \
+              -c ${GITHUB_SHA} \
               -s ${{inputs.source_flow_name}} \
-              -n ${{inputs.attestation_name}}
+              -n ${{inputs.attestation_name}} \
+              -p ${{inputs.parent_flow_name}} \
+              -q ${{inputs.parent_trail_name}}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -44,7 +44,7 @@ jobs:
         FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
         KOSLI_ORG: kosli-public
       secrets:
-        kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+        kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
         pr_github_token: ${{ secrets.GITHUB_TOKEN }}
 
   never-alone-trail:
@@ -55,13 +55,15 @@ jobs:
         TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
         SOURCE_FLOW_NAME: cli
         ATTESTATION_NAME: never-alone-data
+        PARENT_FLOW_NAME: cli-release
+        PARENT_TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
         KOSLI_ORG: kosli-public
       secrets:
-        kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+        kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
         pr_github_token: ${{ secrets.GITHUB_TOKEN }}        
 
   test:
-    needs: [pre-build]
+    needs: [pre-build, init-kosli]
     uses: ./.github/workflows/test.yml
     with:
       AWS_ACCOUNT_ID: 772819027869
@@ -77,13 +79,13 @@ jobs:
       azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       bitbucket_password: ${{ secrets.KOSLI_BITBUCKET_PASSWORD }}
       slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
-      slack_channel: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }}
+      slack_channel: ci-failures
       jira_api_token: ${{ secrets.KOSLI_JIRA_API_TOKEN }}
       snyk_token: ${{ secrets.SNYK_TOKEN }}
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
 
   docker:
-    needs: [test, pre-build, init-kosli, never-alone-trail]
+    needs: [pre-build, init-kosli, test, never-alone-trail]
     uses: ./.github/workflows/docker.yml
     with:
       tag: ${{ needs.pre-build.outputs.tag }}
@@ -93,10 +95,10 @@ jobs:
       kosli_org: kosli-public
     secrets:
       slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
-      slack_channel: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }} 
+      slack_channel: ci-failures
       ghcr_user: ${{ secrets.GHCR_USER }}
       ghcr_token: ${{ secrets.GHCR_TOKEN }}
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
       snyk_token: ${{ secrets.SNYK_TOKEN }}
 
   goreleaser:
@@ -166,7 +168,7 @@ jobs:
       trail_name: ${{ needs.pre-build.outputs.trail_name }}
       kosli_org: kosli-public
     secrets:
-      kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
+      kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
 
   homebrew-pr:
     needs: [goreleaser, pre-build]

diff --git a/.github/workflows/secret-expire-check.yml b/.github/workflows/secret-expire-check.yml
@@ -0,0 +1,38 @@
+name: Daily Check to see if any secrets will expire soon
+
+on:
+  workflow_dispatch:
+  schedule: # At 04:00 every morning
+    - cron: '0 04 * * *'
+
+
+jobs:
+  secret-expire-check:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run check if any secrets will expire within next month
+        id: secrete-expire-check-month
+        run: |
+          ./bin/check_secret_expire.sh $(date -d "+1 month" +"%Y-%m-%d")
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: secret-expire
+          SLACK_WEBHOOK: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
+          SLACK_USERNAME: GithubActions
+          SLACK_COLOR: ${{ job.status }}
+          SLACKIFY_MARKDOWN: true
+          SLACK_TITLE: Secret has expired
+          SLACK_MESSAGE: "Some secrets in `cli` is about to or has expired. Please check the \
+              [log](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}) \
+              for more details."
+          SLACK_FOOTER:
diff --git a/bin/check_secret_expire.sh b/bin/check_secret_expire.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeu
+
+SCRIPT_NAME=check_secret_expire.sh
+ROOT_DIR=$(dirname $(readlink -f $0))/..
+NOW_DATE=$(date +%Y-%m-%d)
+
+print_help()
+{
+    cat <<EOF
+Usage: $SCRIPT_NAME <options> [yyyy-mm-dd]
+
+Will search all txt-files in secrets directory to see if any of them
+has a secret that has expired. You can specify a date if you want to
+know if something expires in the future
+
+Options are:
+  -h          Print this help menu
+EOF
+}
+
+check_arguments()
+{
+    while getopts "h" opt; do
+        case $opt in
+            h)
+                print_help
+                exit 1
+                ;;
+            \?)
+                echo "Invalid option: -$OPTARG" >&2
+                exit 1
+                ;;
+        esac
+    done
+
+    # Remove options from command line
+    shift $((OPTIND-1))
+
+    if [ $# -eq 1 ]; then
+        NOW_DATE=$1; shift
+    fi
+}
+
+echo_if_secret_expired()
+{
+    local file=$1; shift
+    local now_date=$1; shift
+    local expire_date now_sec expire_sec
+    expire_date=$(grep "secret-expire:" ${file} | sed "s/secret-expire: *//")
+
+    if [[ ! "${now_date}" < "${expire_date}" ]]; then
+        grep "secret-name:" ${file} | sed "s/secret-name: */  /" | tr '\n' ' '
+        grep "secret-expire:" ${file}
+        return 1
+    fi
+    return 0
+}
+
+main()
+{
+    check_arguments "$@"
+    local file
+    local result=0
+    echo "The following is a list of secrets in 'secrets/*txt' which will have expired on ${NOW_DATE}"
+    for file in ${ROOT_DIR}/secrets/*txt; do
+        echo_if_secret_expired ${file} ${NOW_DATE} || result=1
+    done
+    return $result
+}
+
+main "$@"