Merge branch 'main' into 1706-add-shellcheck

.github/workflows/codeql.yml

@@ -44,17 +44,17 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        uses: github/codeql-action/init@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
         with:
           languages: ${{ matrix.language }}
 
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        uses: github/codeql-action/autobuild@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        uses: github/codeql-action/analyze@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
         with:
           category: "/language:${{matrix.language}}"
 

.github/workflows/docs.yml

@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: Get token to trigger defenseunicorns/pepr-docs workflow
         id: get_workflow_trigger_token
-        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
+        uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343 # v4.0.1
         with:
           application_id: ${{ secrets.DOCS_WORKFLOW_GITHUB_APP_ID }}
           application_private_key: ${{ secrets.DOCS_WORKFLOW_GITHUB_APP_SECRET }}

.github/workflows/nightlies.yml

@@ -0,0 +1,47 @@
+name: Nightlies
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
+      - name: Use Node.js 20
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org"
+          cache: "npm"
+
+      - name: "Pepr Controller: Login to GHCR"
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: dummy
+          password: ${{ github.token }}
+
+      - name: Publish to GHCR and NPM
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: ./scripts/nightlies.sh

.github/workflows/release.yml

@@ -48,7 +48,7 @@ jobs:
 
           npm install -g npm
 
-          npm run version
+          npm run set:version
 
           # Build Controller Image
           docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} .

.github/workflows/scorecard.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v2.2.4
+        uses: github/codeql-action/upload-sarif@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v2.2.4
         with:
           sarif_file: results.sarif

integration/cli/build.noembed.test.ts

@@ -48,8 +48,8 @@ describe("build", () => {
           const argz = [`--no-embed`].join(" ");
           const build = await pepr.cli(testModule, { cmd: `pepr build ${argz}` });
           expect(build.exitcode).toBe(0);
-          expect(build.stderr.join("").trim()).toContain("Error: Cannot find module");
-          expect(build.stdout.join("").trim()).toContain("");
+          expect(build.stderr.join("").trim()).toContain("");
+          expect(build.stdout.join("").trim()).toContain("Module built successfully at");
 
           packageJson = await resource.fromFile(`${testModule}/package.json`);
           uuid = packageJson.pepr.uuid;

package.json

@@ -22,9 +22,9 @@
     "ci": "npm ci",
     "gen-data-json": "node hack/build-template-data.js",
     "prebuild": "rm -fr dist/* && npm run gen-data-json",
-    "version": "node scripts/set-version.js",
     "build": "tsc && node build.mjs && npm pack",
     "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .",
+    "set:version": "node scripts/set-version.js",
     "test": "npm run test:unit && npm run test:journey",
     "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'",
     "test:integration": "npm run test:integration:prep && npm run test:integration:run",

scripts/nightlies.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+# Script to build and publish nightly versions of Pepr Controller and Pepr CLI.
+
+set -e
+npm install -g npm
+
+LATEST_VERSION=$(npx --yes pepr@latest --version 2>/dev/null)
+RAW_NIGHTLY_VERSION=$(npx --yes pepr@nightly --version 2>/dev/null || echo "none")
+
+if [[ "$RAW_NIGHTLY_VERSION" == "none" ]]; then
+    echo "No nightly version found. Setting NIGHTLY_VERSION=0."
+    NIGHTLY_VERSION=0
+else
+    NIGHTLY_VERSION_PART=$(echo "$RAW_NIGHTLY_VERSION" | grep -oE "nightly\.([0-9]+)" | cut -d. -f2)
+
+    BASE_NIGHTLY_VERSION=${RAW_NIGHTLY_VERSION%-nightly*}
+    if [[ "$LATEST_VERSION" > "$BASE_NIGHTLY_VERSION" ]]; then
+        echo "Nightly version is less than the latest version. Resetting NIGHTLY_VERSION to 0."
+        NIGHTLY_VERSION=0
+    else
+        NIGHTLY_VERSION=$((NIGHTLY_VERSION_PART + 1))
+        echo "Incrementing NIGHTLY_VERSION to $NIGHTLY_VERSION."
+    fi
+fi
+
+FULL_VERSION="${LATEST_VERSION}-nightly.${NIGHTLY_VERSION}"
+
+echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_ENV"
+
+npm version --no-git-tag-version "$FULL_VERSION"
+
+docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:v"$FULL_VERSION" .
+
+npm install 
+npm run build
+
+npm publish --tag "nightly"

src/cli/build.helpers.ts

@@ -12,6 +12,34 @@ import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml";
 import { webhookConfigGenerator } from "../lib/assets/webhooks";
 import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml";
 
+interface ImageOptions {
+  customImage?: string;
+  registryInfo?: string;
+  peprVersion?: string;
+  registry?: string;
+}
+/**
+ * Assign image string
+ * @param imageOptions CLI options for image
+ * @returns image string
+ */
+export function assignImage(imageOptions: ImageOptions): string {
+  const { customImage, registryInfo, peprVersion, registry } = imageOptions;
+  if (customImage) {
+    return customImage;
+  }
+
+  if (registryInfo) {
+    return `${registryInfo}/custom-pepr-controller:${peprVersion}`;
+  }
+
+  if (registry) {
+    return checkIronBankImage(registry, "", peprVersion!);
+  }
+
+  return "";
+}
+
 export type Reloader = (opts: BuildResult<BuildOptions>) => void | Promise<void>;
 /**
  * Determine the RBAC mode based on the CLI options and the module's config
@@ -114,19 +142,6 @@ export async function handleCustomImageBuild(
   }
 }
 
-/**
- * Disables embedding of deployment files into output module
- * @param embed
- * @param path
- * @returns
- */
-export function handleEmbedding(embed: boolean, path: string): void {
-  if (!embed) {
-    console.info(`✅ Module built successfully at ${path}`);
-    return;
-  }
-}
-
 /**
  * Check if the capability names are valid
  * @param capabilities The capabilities to check

src/cli/build.test.ts

@@ -4,12 +4,13 @@
 import {
   determineRbacMode,
   handleCustomOutputDir,
-  handleEmbedding,
   handleValidCapabilityNames,
   handleCustomImageBuild,
   checkIronBankImage,
   validImagePullSecret,
+  assignImage,
 } from "./build.helpers";
+
 import { createDirectoryIfNotExists } from "../lib/filesystemService";
 import { expect, describe, it, jest, beforeEach } from "@jest/globals";
 import { createDockerfile } from "../lib/included-files";
@@ -29,6 +30,52 @@ jest.mock("../lib/filesystemService", () => ({
   createDirectoryIfNotExists: jest.fn(),
 }));
 
+describe("assignImage", () => {
+  const mockPeprVersion = "1.0.0";
+
+  it("should return the customImage if provided", () => {
+    const result = assignImage({
+      customImage: "pepr:dev",
+      registryInfo: "docker.io/defenseunicorns",
+      peprVersion: mockPeprVersion,
+      registry: "my-registry",
+    });
+    expect(result).toBe("pepr:dev");
+  });
+
+  it("should return registryInfo with custom-pepr-controller and peprVersion if customImage is not provided", () => {
+    const result = assignImage({
+      customImage: "",
+      registryInfo: "docker.io/defenseunicorns",
+      peprVersion: mockPeprVersion,
+      registry: "my-registry",
+    });
+    expect(result).toBe(`docker.io/defenseunicorns/custom-pepr-controller:1.0.0`);
+  });
+
+  it("should return IronBank image if registry is provided and others are not", () => {
+    const result = assignImage({
+      customImage: "",
+      registryInfo: "",
+      peprVersion: mockPeprVersion,
+      registry: "Iron Bank",
+    });
+    expect(result).toBe(
+      `registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v${mockPeprVersion}`,
+    );
+  });
+
+  it("should return an empty string if none of the conditions are met", () => {
+    const result = assignImage({
+      customImage: "",
+      registryInfo: "",
+      peprVersion: "",
+      registry: "",
+    });
+    expect(result).toBe("");
+  });
+});
+
 describe("determineRbacMode", () => {
   it("should allow CLI options to overwrite module config", () => {
     const opts = { rbacMode: "admin" };
@@ -171,32 +218,6 @@ describe("handleCustomImageBuild", () => {
     expect(mockedExecSync).not.toHaveBeenCalled();
   });
 });
-describe("handleEmbedding", () => {
-  const consoleInfoSpy = jest.spyOn(console, "info").mockImplementation(() => {});
-
-  beforeEach(() => {
-    jest.clearAllMocks();
-  });
-
-  it("should log success message if embed is false", () => {
-    const embed = false;
-    const path = "test/path";
-
-    handleEmbedding(embed, path);
-
-    expect(consoleInfoSpy).toHaveBeenCalledWith(`✅ Module built successfully at ${path}`);
-  });
-
-  it("should not log success message if embed is true", () => {
-    const embed = true;
-    const path = "test/path";
-
-    handleEmbedding(embed, path);
-
-    expect(consoleInfoSpy).not.toHaveBeenCalled();
-  });
-});
-
 describe("handleValidCapabilityNames", () => {
   const mockExit = jest.spyOn(process, "exit").mockImplementation(() => {
     return undefined as never;