diff --git a/.github/workflows/daily.yaml b/.github/workflows/daily.yaml deleted file mode 100644 index 0455fe73f31..00000000000 --- a/.github/workflows/daily.yaml +++ /dev/null @@ -1,403 +0,0 @@ -name: "Chore: Daily Tasks" - -on: - schedule: - - cron: "0 0 * * *" - workflow_dispatch: - -permissions: - issues: write - pull-requests: write - -concurrency: - group: lock - -jobs: - generate-readme: - runs-on: ubuntu-latest - name: "Generate readme files" - container: - image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3 - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - with: - token: ${{ secrets.BOT_TOKEN }} - fetch-depth: 1 - - - name: Setting repo parent dir as safe safe.directory - run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - - name: generate readme.md - shell: bash - run: | - for train in stable operators SCALE incubator games enterprise develop non-free deprecated dependency core; do - for chart in charts/${train}/*; do - if [ -d "${chart}" ]; then - echo "Generating readme.md for ${train}/${chart}" - cp "templates/README.md.tpl" "${chart}/README.md" - sed -i "s/TRAINPLACEHOLDER/${train}/" "${chart}/README.md" - sed -i "s/CHARTPLACEHOLDER/${chartname}/" "${chart}/README.md" - fi - done - done - - name: generate HelmIgnore - shell: bash - run: | - for train in stable operators SCALE incubator games enterprise develop non-free deprecated dependency core; do - for chart in charts/${train}/*; do - if [ -d "${chart}" ]; then - echo "Attempting to sync HelmIgnore file for: ${chartname}" - rm -rf ${chart}/.helmignore - cp templates/chart/.helmignore ${chart}/ - fi - done - done - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - with: - repository: truecharts/website - path: website - fetch-depth: 1 - token: ${{ secrets.BOT_TOKEN }} - - - name: Bump and Sync - shell: bash - run: | - # Designed to ensure the appversion in Chart.yaml is in sync with the primary Chart tag if found - # Also makes sure that home link is pointing to the correct url - sync_tag() { - local chart="$1" - local chartname="$2" - local train="$3" - echo "Attempting to sync primary tag with appversion for: ${chartname}" - local tag="$(cat ${chart}/values.yaml | grep '^ tag: ' | awk -F" " '{ print $2 }' | head -1)" - tag="${tag%%@*}" - tag="${tag##\"}" - tag="${tag:-auto}" - tag=$(echo $tag | sed "s/release-//g") - tag=$(echo $tag | sed "s/release_//g") - tag=$(echo $tag | sed "s/version-//g") - tag=$(echo $tag | sed "s/version_//g") - tag="${tag#*V.}" - tag="${tag#*v-}" - tag="${tag#*v}" - tag="${tag%-*}" - tag="${tag:0:10}" - tag="${tag%-}" - tag="${tag%_}" - tag="${tag%.}" - echo "Updating tag of ${chartname} to ${tag}..." - sed -i -e "s|appVersion: .*|appVersion: \"${tag}\"|" "${chart}/Chart.yaml" - echo "Updating icon of ${chartname}..." - sed -i -e "s|icon: .*|icon: https:\/\/truecharts.org\/img\/hotlink-ok\/chart-icons\/${chartname}.png|" "${chart}/Chart.yaml" - echo "Updating home of ${chartname}..." - sed -i -e "s|home: .*|home: https:\/\/truecharts.org\/charts\/${train}\/${chartname}|" "${chart}/Chart.yaml" - echo "Attempting to update sources of ${chartname}..." - echo "Using go-yq verion: <$(go-yq -V)>" - # Get current sources, exluding those that may have been added automatically. - curr_sources=$( - go-yq ' - .sources[] | - select( - . != "https://github.com/truecharts*" and - . != "https://ghcr*" and - . != "docker.io*" and - . != "https://docker.io*" and - . != "https://hub.docker*" and - . != "https://fleet.*" and - . != "https://github.com/truecharts/containers/tree/master/mirror/*" and - . != "https://public.ecr.aws*" and - . != "https://ocir.io*" and - . != "https://gcr*" and - . != "https://azurecr*" and - . != "https://quay*" and - . != "https://lscr*" and - . != "https://github.com/truecharts/containers*" and - . == "http*" - ) - ' \ - "${chart}/Chart.yaml" - ) - # Empty sources list in-place - go-yq -i 'del(.sources.[])' "${chart}/Chart.yaml" - # Add truechart source - tcsource="https://github.com/truecharts/charts/tree/master/charts/$train/$chartname" go-yq -i '.sources += env(tcsource)' "${chart}/Chart.yaml" - # Get the container image name that was parsed out of the Dockerfile for the website. - container=$(cat website/docs/charts/description_list.md | grep "\[${chartname}\]" | cut -f3 -d '|' | grep -v 'Not Found' || echo "" || echo "failed-container-fetch") - # Convert the container image name to a URL. - if [ ! -z "$container" ]; then - prefix="" - case "$container" in - lscr.io/linuxserver/*) - prefix="https://fleet.linuxserver.io/image?name=" - container=${container#lscr.io/} - ;; - tccr.io/truecharts/*) - prefix="https://github.com/truecharts/containers/tree/master/mirror" - container=${container#tccr.io/truecharts/} - ;; - mcr.microsoft.com/*) - prefix="" - ;; - public.ecr.aws/*) - prefix="https://gallery.ecr.aws/" - container=${container#public.ecr.aws/} - ;; - ghcr.io/*) - prefix="https://" - ;; - quay.io/*) - prefix="https://" - ;; - gcr.io/*) - prefix="https://" - ;; - *.azurecr.io/*) - prefix="" - ;; - *.ocir.io/*) - prefix="" - ;; - # There have been a number of domains used for the Docker Hub registry over the years. - # NOTE: This is also the default case! - docker.io/*|index.docker.io/*|registry-1.docker.io/*|registry.hub.docker.com/*|*) - prefix="https://hub.docker.com/r/" - container=${container#docker.io/} - container=${container#index.docker.io/} - container=${container#registry-1.docker.io/} - container=${container#registry.hub.docker.com/} - # If the image name does not contain a slash it is a Docker Official Image. - if [ "$container" == "${container////}" ]; then - prefix="https://hub.docker.com/_/" - # If the user name is library it is a Docker Official Image. - elif [ "${container%%/*}" == "library" ]; then - prefix="https://hub.docker.com/_/" - container=${container#library/} - fi - # Avoid creating a bad link since an unsupported registry may have been used. - slashes=${container//[^\/]/} - # Bail out if the image name has more than 1 slash. - if [ ${#slashes} -gt 1 ]; then - prefix="" - echo "WARNING: Not assuming '$container' is a Docker Hub image" - fi - ;; - esac - if [ -n "${prefix}" ]; then - container="${prefix}${container}" go-yq -i '.sources += env(container) | .sources |= unique' "${chart}/Chart.yaml" - fi - fi - # Add the rest of the sources - while IFS= read -r line; do - src="$line" go-yq -i '.sources += env(src)' "${chart}/Chart.yaml" || echo "src set error" - done <<< "$curr_sources" - echo "Sources of ${chartname} updated!" - } - export -f sync_tag - - for train in enterprise stable operators incubator dependency; do - echo "Correcting Chart.yaml for Train: ${train}..." - for chart in $(ls "charts/${train}"); do - echo "Correcting Chart.yaml for Chart: ${chart}..." - sync_tag "charts/${train}/${chart}" "${chart}" "${train}" || echo "failed" - done - done - - - name: Fix Fixable Pre-Commit issues - shell: bash - if: inputs.chartChangesDetected == 'true' - run: | - echo "Running pre-commit test-and-cleanup..." - pre-commit run --all ||: - # Fix sh files to always be executable - find . -name '*.sh' | xargs chmod +x - - - name: Cleanup - run: | - rm -rf changes.json - rm -rf master - - - name: Commit changes - run: | - git config user.name "TrueCharts-Bot" - git config user.email "bot@truecharts.org" - git pull - git add --all - git commit -sm "Commit daily changes" || exit 0 - git push - - generate-security-reports: - runs-on: ubuntu-latest - name: "Generate Security Reports" - container: - image: ghcr.io/truecharts/devcontainer:3.1.10@sha256:c239addf725eb5cedf79517f8089fdafdc32b5270d1893ee87ae6e511b9bcae3 - steps: - - name: Install Kubernetes tools - uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3 - with: - setup-tools: | - helmv3 - helm: "3.8.0" - - - name: Prep Helm - run: | - helm repo add truecharts https://charts.truecharts.org - helm repo add truecharts-library https://library-charts.truecharts.org - helm repo add truecharts-deps https://deps.truecharts.org - helm repo add jetstack https://charts.jetstack.io - helm repo add vmwaretanzu https://vmware-tanzu.github.io/helm-charts - helm repo add cnpg https://cloudnative-pg.github.io/charts - helm repo add metallb https://metallb.github.io/metallb - helm repo add prometheus-community https://prometheus-community.github.io/helm-charts - helm repo update - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - with: - token: ${{ secrets.BOT_TOKEN }} - fetch-depth: 1 - - - name: Setting repo parent dir as safe safe.directory - run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - - name: Checkout website - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - with: - fetch-depth: 1 - repository: truecharts/website - token: ${{ secrets.BOT_TOKEN }} - path: website - - - name: fetch dependencies - shell: bash - run: | - .github/scripts/fetch_helm_deps.sh - - - name: generate security reports - shell: bash - run: | - #!/bin/bash - render() { - local chart="$1" - local chartname="$2" - local train="$3" - echo "Rendering helm-template for ${chartname}" - mkdir -p ${chart}/render - helm template ${chart} >> ${chart}/render/app.yaml || echo "Helm template failed..." - } - helm_sec_scan() { - local chart="$1" - local chartname="$2" - local train="$3" - echo "Scanning helm security for ${chartname}" - mkdir -p ${chart}/render - rm -rf website/docs/charts/${train}/${chartname}/helm-security.md || echo "removing old helm-security file failed..." - echo "# Helm Security" >> website/docs/charts/${train}/${chartname}/helm-security.md - echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md - echo "## Helm-Chart" >> website/docs/charts/${train}/${chartname}/helm-security.md - echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md - echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/helm-security.md - echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md - trivy config --namespaces builtin.kubernetes.* -f template --template "@./templates/trivy-config.tpl" ${chart}/render >> website/docs/charts/${train}/${chartname}/helm-security.md || echo "trivy scan failed..." - } - container_sec_scan() { - local chart="$1" - local chartname="$2" - local train="$3" - echo "Scanning container security for ${chartname}" - mkdir -p ${chart}/render - rm -rf website/docs/charts/${train}/${chartname}/container-security.md || echo "removing old container-security file failed..." - echo "# Container Security" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "##### Detected Containers" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp - cat ${chart}/render/containers.tmp >> website/docs/charts/${train}/${chartname}/container-security.md - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - for container in $(cat ${chart}/render/containers.tmp | sort | uniq); do - if [[ "$container" == *"truecharts/alpine"* || "$container" == *"truecharts/ubuntu"* || "$container" == *"truecharts/kubectl"* ]]; then - echo "Skipping ${container}, as it's a shared common container..." - else - echo "**Container: ${container}**" >> website/docs/charts/${train}/${chartname}/container-security.md - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - trivy image --security-checks vuln -f template --template "@./templates/trivy-container.tpl" ${container} >> website/docs/charts/${train}/${chartname}/container-security.md || echo "trivy container scan failed..." - echo "" >> website/docs/charts/${train}/${chartname}/container-security.md - fi - done - } - cleanfiles() { - local chart="$1" - local chartname="$2" - local train="$3" - echo "sanitising website output for ${chartname}..." - rm -rf ${chart}/render - sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/helm-security.md ||: - sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/container-security.md ||: - sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/helm-security.md ||: - sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/container-security.md ||: - } - for train in enterprise stable operators incubator dependency; do - echo "Processing Charts for Train: ${train}..." - for chart in $(ls "charts/${train}"); do - render "charts/${train}/${chart}" ${chart} ${train} || echo "rendering failed for ${chart}" - helm_sec_scan "charts/${train}/${chart}" ${chart} ${train} || echo "helm chart processing failed for ${chart}" - if [ ${train} == "enterprise" ]; then - container_sec_scan "charts/${train}/${chart}" ${chart} ${train} || echo "container processing failed for ${chart}" - fi - cleanfiles "charts/${train}/${chart}" ${chart} ${train} || echo "cleaning failed for ${chart}" - done - done - echo "finsihed security scan" - - - name: Commit Website Changes - run: | - cd website - git config user.name "TrueCharts-Bot" - git config user.email "bot@truecharts.org" - git pull - git add --all - git commit -sm "Commit released docs for TrueCharts" || exit 0 - git push - - lock-threads: - runs-on: ubuntu-latest - steps: - - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5 - with: - github-token: ${{ secrets.BOT_TOKEN }} - issue-inactive-days: "7" - exclude-any-issue-labels: "" - issue-comment: "This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on discord of the problem persists" - issue-lock-reason: "" - pr-inactive-days: "7" - pr-comment: "This PR is locked to prevent necro-posting on closed PRs. Please create a issue or contact staff on discord if you want to further discuss this" - pr-lock-reason: "resolved" - log-output: true - - check-contributors: - name: Check Contributors - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 - with: - token: ${{ secrets.BOT_TOKEN }} - fetch-depth: 1 - - - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4 - with: - node-version: 18 - - - uses: borales/actions-yarn@97ba8bebfe5b549bb7999261698a52a81fd62f1b # v4.2.0 - with: - cmd: install --frozen-lockfile - - - name: List missing and unknown contributors - env: - PRIVATE_TOKEN: ${{ secrets.BOT_TOKEN }} - run: | - awk -F', ' '{ for( i=1; i<=NF; i++ ) print $i }' <<<$(yarn all-contributors check)