reverting all changes similar to main branch

camunda · Dec 12, 2023 · 3d0f015 · 3d0f015
1 parent cb96e34
commit 3d0f015
Show file tree

Hide file tree

Showing 8 changed files with 458 additions and 6 deletions.
diff --git a/.github/workflows/renovate-config-check.yaml b/.github/workflows/renovate-config-check.yaml
@@ -0,0 +1,18 @@
+name: Renovate - Config Check
+
+on:
+  pull_request:
+    paths:
+    - '.github/renovate.json5'
+  workflow_dispatch: { }
+
+jobs:
+  check:
+    name: Check renovate config 
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - name: Validate renovate config
+      uses: docker://renovate/renovate
+      with:
+        args: renovate-config-validator
diff --git a/.github/workflows/renovate-post-upgrade.yaml b/.github/workflows/renovate-post-upgrade.yaml
@@ -25,7 +25,7 @@ jobs:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       with:
         token: '${{ steps.generate-github-token.outputs.token }}'
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
+    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
       with:
         go-version-file: go.mod
         cache: false

diff --git a/.github/workflows/sec-scorecard.yml b/.github/workflows/sec-scorecard.yml
@@ -0,0 +1,68 @@
+name: "Security - Scorecard"
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '42 9 * * 3'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/test-integration-template.yaml b/.github/workflows/test-integration-template.yaml
@@ -0,0 +1,276 @@
+name: "Test - Integration - Template"
+
+on:
+  workflow_call:
+    inputs:
+      identifier:
+        description: The unique identifier of used in the deployment hostname.
+        required: true
+        type: string
+      git-ref:
+        required: false
+        default: main
+        type: string
+      persistent:
+        description: |
+          Keep test deployment after the workflow is done.
+          NOTE: All persistent deployments will be deleted frequently to save costs!
+        required: false
+        default: false
+        type: boolean
+      platforms:
+        default: gke
+        type: string
+      flows:
+        required: false
+        default: install
+        type: string
+      test-enabled:
+        required: false
+        default: true
+        type: boolean
+      extra-values:
+        description: Pass extra values to the Helm chart.
+        required: false
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ inputs.identifier }}
+  cancel-in-progress: true
+
+env:
+  TEST_PERSISTENT: ${{ inputs.persistent }}
+  TEST_HOSTNAME_BASE: ci.distro.ultrawombat.com
+  TEST_SCENARIOS_DIR: charts/camunda-platform/test/integration/scenarios
+  # Docker Hub auth to avoid image pull rate limit.
+  TEST_CREATE_DOCKER_LOGIN_SECRET: "TRUE"
+  TEST_DOCKER_USERNAME: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_DOCKERHUB }}
+  TEST_DOCKER_PASSWORD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_DOCKERHUB }}
+  # Camunda registry auth to access WebModeler Docker image since it's not public.
+  TEST_DOCKER_USERNAME_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_USERNAME_CAMUNDA }}
+  TEST_DOCKER_PASSWORD_CAMUNDA_CLOUD: ${{ secrets.DISTRO_CI_DOCKER_PASSWORD_CAMUNDA }}
+
+jobs:
+  test:
+    name: ${{ matrix.distro.name }} - ${{ matrix.scenario.name }}
+    if: github.event.action != 'closed'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
+    strategy:
+      fail-fast: false
+      matrix:
+        distro:
+        - name: Kubernetes 1.24
+          type: kubernetes
+          platform: gke
+          secret:
+            cluster-name: DISTRO_CI_GCP_GKE_CLUSTER_NAME
+            cluster-location: DISTRO_CI_GCP_GKE_CLUSTER_LOCATION
+            workload-identity-provider: DISTRO_CI_GCP_WORKLOAD_IDENTITY_PROVIDER
+            service-account: DISTRO_CI_GCP_SERVICE_ACCOUNT
+          if: ${{ contains(inputs.platforms, 'gke') }}
+        - name: OpenShift 4.13
+          type: openshift
+          version: 4.13
+          platform: rosa
+          if: ${{ contains(inputs.platforms, 'rosa') }}
+        scenario:
+        - name: Chart Setup
+          desc: Setup chart in production-like setup with Ingress and TLS.
+          flow: install
+          if: ${{ contains(inputs.flows, 'install') }}
+        - name: Chart Upgrade
+          desc: Upgrade chart from the latest released version to the current branch.
+          flow: upgrade
+          if: ${{ contains(inputs.flows, 'upgrade') }}
+        exclude:
+        - distro:
+            if: false
+        - scenario:
+            if: false
+    env:
+      TEST_CLUSTER_TYPE: ${{ matrix.distro.type }}
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      with:
+        # This is needed to load repo GH composite actions if the workflow triggered by workflow_call.
+        repository: camunda/camunda-platform-helm
+        ref: ${{ inputs.git-ref }}
+    # TODO: Later, find a way to abstract the auth for different platforms.
+    - name: Authenticate to GKE
+      if: matrix.distro.platform == 'gke'
+      uses: ./.github/actions/gke-login
+      with:
+        cluster-name: ${{ secrets[matrix.distro.secret.cluster-name] }}
+        cluster-location: ${{ secrets[matrix.distro.secret.cluster-location] }}
+        workload-identity-provider: ${{ secrets[matrix.distro.secret.workload-identity-provider] }}
+        service-account: ${{ secrets[matrix.distro.secret.service-account] }}
+    - name: Set OpenShift authentication vars
+      if: matrix.distro.type == 'openshift'
+      run: |
+        OPENSHIFT_CLUSTER_VERSION="$(echo ${{ matrix.distro.version }} | tr -d '.')"
+        echo "OPENSHIFT_CLUSTER_URL=OPENSHIFT_CLUSTER_URL_${OPENSHIFT_CLUSTER_VERSION}" >> $GITHUB_ENV
+        echo "OPENSHIFT_CLUSTER_USERNAME=OPENSHIFT_CLUSTER_USERNAME_${OPENSHIFT_CLUSTER_VERSION}" >> $GITHUB_ENV
+        echo "OPENSHIFT_CLUSTER_PASSWORD=OPENSHIFT_CLUSTER_PASSWORD_${OPENSHIFT_CLUSTER_VERSION}" >> $GITHUB_ENV
+    - name: Authenticate to OpenShift
+      if: matrix.distro.platform == 'rosa'
+      uses: redhat-actions/oc-login@v1
+      with:
+        openshift_server_url: ${{ secrets[env.OPENSHIFT_CLUSTER_URL] }}
+        openshift_username: ${{ secrets[env.OPENSHIFT_CLUSTER_USERNAME] }}
+        openshift_password: ${{ secrets[env.OPENSHIFT_CLUSTER_PASSWORD] }}
+    - name: Set workflow vars
+      id: vars
+      uses: ./.github/actions/workflow-vars
+      with:
+        persistent: ${{ env.TEST_PERSISTENT }}
+        setup-flow: ${{ matrix.scenario.flow }}
+        platform: ${{ matrix.distro.platform }}
+        identifier-base: ${{ inputs.identifier }}
+        ingress-hostname-base: ${{ env.TEST_HOSTNAME_BASE }}
+    - name: Install env dependencies
+      uses: asdf-vm/actions/install@v3
+    - name: Add Helm repos and dependencies
+      run: |
+        make helm.repos-add
+        make helm.dependency-update
+    - name: Create test namespace
+      run: |
+        echo $TEST_NAMESPACE
+        kubectl delete ns --ignore-not-found=true \
+          -l "github-id=${{ steps.vars.outputs.identifier }},test-flow=${{ matrix.scenario.flow }},test-persistent=true"
+        kubectl create ns $TEST_NAMESPACE
+        kubectl label ns $TEST_NAMESPACE github-run-id=$GITHUB_WORKFLOW_RUN_ID
+        kubectl label ns $TEST_NAMESPACE github-job-id=$GITHUB_WORKFLOW_JOB_ID
+        kubectl label ns $TEST_NAMESPACE github-id=${{ steps.vars.outputs.identifier }}
+        kubectl label ns $TEST_NAMESPACE test-flow=${{ matrix.scenario.flow }}
+        kubectl label ns $TEST_NAMESPACE test-persistent=${{ env.TEST_PERSISTENT }}
+    - name: Copy PRs wildcard certificate
+      run: |
+        kubectl apply -n $TEST_NAMESPACE -f .github/config/external-secret.yaml
+    - name: Start GitHub deployment
+      uses: bobheadxi/deployments@v1
+      id: deployment
+      with:
+        step: start
+        token: ${{ secrets.GITHUB_TOKEN }}
+        env: ${{ steps.vars.outputs.identifier }}
+        ref: ${{ inputs.git-ref }}
+    - name: Pre setup
+      timeout-minutes: 5
+      env:
+        TEST_CHART_FLOW: ${{ matrix.scenario.flow }}
+        TEST_INGRESS_HOST: ${{ steps.vars.outputs.ingress-host }}
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup setup.pre
+
+        echo "Extra values from workflow:"
+        echo "${{ inputs.extra-values }}" > /tmp/extra-values-file.yaml
+        cat /tmp/extra-values-file.yaml
+    - name: 🌟 Setup Camunda chart 🌟
+      env:
+        TEST_CHART_FLOW: ${{ matrix.scenario.flow }}
+        TEST_HELM_EXTRA_ARGS: >-
+          --set global.ingress.host=${{ steps.vars.outputs.ingress-host }}
+          --values /tmp/extra-values-file.yaml
+        TEST_PROMETHEUS_HELM_EXTRA_ARGS: "--set host=${{ steps.ingress.outputs.host }}"
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup setup.exec
+    - name: Post setup
+      timeout-minutes: 5
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup setup.post
+    - name: Pre Upgrade
+      if: matrix.scenario.flow == 'upgrade'
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup upgrade.pre
+    - name: 🌟 Upgrade Camunda chart 🌟
+      if: matrix.scenario.flow == 'upgrade'
+      env:
+        TEST_HELM_EXTRA_ARGS: >-
+          --set global.ingress.host=${{ steps.vars.outputs.ingress-host }}
+          --values /tmp/extra-values-file.yaml
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup upgrade.exec
+    - name: Update GitHub deployment status
+      uses: bobheadxi/deployments@v1
+      with:
+        step: finish
+        token: ${{ secrets.GITHUB_TOKEN }}
+        status: ${{ job.status }}
+        deployment_id: ${{ steps.deployment.outputs.deployment_id }}
+        env_url: https://${{ steps.vars.outputs.ingress-host }}
+        env: ${{ steps.vars.outputs.identifier }}
+        ref: ${{ inputs.git-ref }}
+    - name: ⭐️ Run Preflight TestSuite ⭐️
+      if: inputs.test-enabled
+      timeout-minutes: 10
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup test.preflight
+    - name: ⭐️ Run Core TestSuite ⭐️
+      if: inputs.test-enabled
+      timeout-minutes: 20
+      run: |
+        task -d $TEST_SCENARIOS_DIR/chart-full-setup test.core
+    - name: Get failed Pods info
+      if: failure()
+      uses: ./.github/actions/failed-pods-info
+    # TODO: Use "step: delete-env" to delete the env when the permission issue is fixed.
+    # Even using GH app token with deployment write access doesn't work.
+    # https://github.com/bobheadxi/deployments/issues/145
+    - name: Cleanup GitHub deployment
+      if: always() && (env.TEST_PERSISTENT == 'false' || matrix.distro.type != 'kubernetes')
+      uses: bobheadxi/deployments@v1
+      with:
+        step: deactivate-env
+        token: ${{ secrets.GITHUB_TOKEN }}
+        env: ${{ steps.vars.outputs.identifier }}
+        ref: ${{ inputs.git-ref }}
+    - name: Cleanup test namespace
+      if: always() && (env.TEST_PERSISTENT == 'false' || matrix.distro.type != 'kubernetes')
+      run: |
+        kubectl delete ns --ignore-not-found=true \
+          -l github-run-id=$GITHUB_WORKFLOW_RUN_ID \
+          -l github-job-id=$GITHUB_WORKFLOW_JOB_ID
+
+  clean:
+    name: Clean up persistent resources
+    if: github.event.action == 'closed'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
+    steps:
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+    - name: Set PR vars
+      id: vars
+      uses: ./.github/actions/workflow-vars
+      with:
+        persistent: ${{ env.TEST_PERSISTENT }}
+        platform: gke
+        identifier-base: ${{ inputs.identifier }}
+    # Persistent resources are deployed only on GKE.
+    - name: Authenticate to GKE
+      uses: ./.github/actions/gke-login
+      with:
+        cluster-name: ${{ secrets.DISTRO_CI_GCP_GKE_CLUSTER_NAME }}
+        cluster-location: ${{ secrets.DISTRO_CI_GCP_GKE_CLUSTER_LOCATION }}
+        workload-identity-provider: ${{ secrets.DISTRO_CI_GCP_WORKLOAD_IDENTITY_PROVIDER }}
+        service-account: ${{ secrets.DISTRO_CI_GCP_SERVICE_ACCOUNT }}
+    - name: Cleanup GitHub deployment
+      if: always()
+      uses: bobheadxi/deployments@v1
+      with:
+        step: deactivate-env
+        token: ${{ secrets.GITHUB_TOKEN }}
+        env: ${{ steps.vars.outputs.identifier }}
+        ref: ${{ inputs.git-ref }}
+    - name: Cleanup test namespace
+      if: always()
+      run: |
+        kubectl delete ns --ignore-not-found=true \
+          -l "github-id=${{ steps.vars.outputs.identifier }},test-persistent=true"