Dev

.github/dependabot.yml

@@ -12,32 +12,8 @@ updates:
       pip-packages:
         patterns:
           - "*"
-  - package-ecosystem: "pip"
-    directory: "/docs"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: "update"
-    insecure-external-code-execution: "deny"
-    target-branch: "dev"
-    groups:
-      pip-packages:
-        patterns:
-          - "*"
-  - package-ecosystem: "pip"
-    directory: "/tests"
-    schedule:
-      interval: "monthly"
-    commit-message:
-      prefix: "update"
-    insecure-external-code-execution: "deny"
-    target-branch: "dev"
-    groups:
-      pip-packages:
-        patterns:
-          - "*"
   - package-ecosystem: "docker"
-    directory: "/docker"
+    directory: "/build"
     schedule:
       interval: "daily"
     commit-message:

.github/workflows/.reusable-cleanup-registry.yml

@@ -9,10 +9,10 @@ jobs:
   cleanup-registry:
     runs-on: ubuntu-latest
     steps:
-      - name: Cleanup test images in 'connaisseur-test'
+      - name: Cleanup test images
         uses: snok/container-retention-policy@3d27e6a0361deed0b7dc5099a82eadd07924b177 # v2.1.3
         with:
-          image-names: connaisseur-test
+          image-names: semgr8s-test
           cut-off: three weeks ago UTC+1
           timestamp-to-use: updated_at
           account-type: org
@@ -21,17 +21,17 @@ jobs:
       - name: Cleanup dangling images without tag
         uses: snok/container-retention-policy@3d27e6a0361deed0b7dc5099a82eadd07924b177 # v2.1.3
         with:
-          image-names: connaisseur*
+          image-names: semgr8s*
           untagged-only: true
           cut-off: four hours ago UTC+1
           timestamp-to-use: updated_at
           account-type: org
           org-name: sse-secure-systems
           token: ${{ secrets.GHCR_PAT }}
-      - name: Cleanup all connaisseur images
+      - name: Cleanup all images
         uses: snok/container-retention-policy@3d27e6a0361deed0b7dc5099a82eadd07924b177 # v2.1.3
         with:
-          image-names: connaisseur
+          image-names: semgr8s
           skip-tags: master, develop, v*, sha256-*
           cut-off: four days ago UTC+1
           timestamp-to-use: updated_at

.github/workflows/.reusable-docs.yml

@@ -11,9 +11,11 @@ on:
         default: "none"
 
 jobs:
-  deploy:
+  docs:
     runs-on: ubuntu-latest
-    if: inputs.skip != 'all'
+    if: |
+      (github.actor != 'dependabot[bot]') &&
+      inputs.skip != 'all'
     permissions:
       contents: write
     steps:

.github/workflows/.reusable-integration-test.yml

@@ -29,13 +29,210 @@ env:
   IMAGEPULLSECRET: dockerconfigjson-ghcr
 
 jobs:
-  do-nothing:
+  integration-test:
     name: functional
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
     #    permissions:  #TODO: reactivate for non-private
     #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        integration-test-arg:
+          [
+            "basic",
+          ]
     steps:
-      - name: Do nothing
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
         run: |
-          sleep 1
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: v1.25
+      - name: Run test
+        run: |
+          bash tests/integration/main.sh "${{ matrix.integration-test-arg }}"
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+      - name: Display k8s state if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+      - name: Display logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+
+  optional-integration-test:
+    name: optional
+    runs-on: ubuntu-latest
+    if: |
+      inputs.skip != 'non-required' &&
+      inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        integration-test-arg:
+          [
+            "rules",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: v1.25
+      - name: Run test
+        run: |
+          bash tests/integration/main.sh "${{ matrix.integration-test-arg }}"
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+      - name: Display k8s state if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+      - name: Display logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+
+  k8s-versions:
+    name: k8s versions
+    runs-on: ubuntu-latest
+    if: inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.25",
+            "v1.26",
+            "v1.27",
+            "v1.28",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/main.sh "basic"
+      - name: Display k8s state and logs if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+
+  optional-k8s-versions:
+    name: optional k8s versions
+    runs-on: ubuntu-latest
+    if: |
+      inputs.skip != 'non-required' &&
+      inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.20",
+            "v1.21",
+            "v1.22",
+            "v1.23",
+            "v1.24",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/main.sh "basic"
+      - name: Display k8s state and logs if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+

.github/workflows/nightly-build.yml

@@ -0,0 +1,27 @@
+name: nightly-build
+
+#permissions: {}  #TODO: reactivate for non-private
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  ci:
+    uses: ./.github/workflows/.reusable-ci.yml
+    #    permissions:  #TODO: adjust for non-private
+    secrets: inherit
+    with:
+      #TODO: adjust for non private
+      skip_build: 'none'
+      skip_compliance_checks: 'all'
+      skip_unit_tests: 'all'
+      skip_sast: 'all'
+      skip_sca: 'none'
+      skip_docs: 'all'
+      skip_integration_tests: 'none'
+      output_type: 'sarif'

.github/workflows/nightly.yaml

@@ -0,0 +1,59 @@
+name: nightly
+
+#permissions: {}  #TODO: reactivate for non-private
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    uses: ./.github/workflows/.reusable-build.yml
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: write
+    secrets: inherit
+    with:
+      skip: "non-required"
+
+  compliance:
+    uses: ./.github/workflows/.reusable-compliance.yml
+    #    permissions:  #TODO: reactivate for non-private
+    #      contents: write
+    #      id-token: write
+    #      security-events: write
+    #      actions: read
+    #      checks: read
+    #      deployments: read
+    #      issues: read
+    #      discussions: read
+    #      packages: read
+    #      pages: read
+    #      pull-requests: read
+    #      repository-projects: read
+    #      statuses: read
+    secrets: inherit
+    with:
+      skip: "none"
+
+  sca-released:
+    name: sca (released)
+    uses: ./.github/workflows/.reusable-sca.yml
+    needs: [build]
+    #    permissions:  #TODO: reactivate for non-private
+    #      contents: write
+    #      security-events: write
+    #      packages: read
+    secrets: inherit
+    with:
+      image: ${{ needs.build.outputs.original_image }}
+      skip: "none"
+      output: "table"
+
+  cleanup-registry:
+    uses: ./.github/workflows/.reusable-cleanup-registry.yml
+    needs: [build]
+    secrets: inherit