From ec32a8ec51a32751b355225c7943a4c9e89a8d01 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Tue, 28 Jan 2025 16:06:17 -0500 Subject: [PATCH 1/8] chore: restore early exit on build no-embed (#1731) ## Description When running a build using `--no-embed` the build should _not_ generate the Pepr module as a secret as used during typical builds. As we were working towards reducing statements in the build file a function was created to handle the embed option and stop execution. Because a `return` inside that helper only left the helper, not the command, the build continued past the `--no-embed` check and wrote an error to `stderr`; this PR moves the early exit back into the command itself. While implementing this fix I encountered errors and needed to satisfy eslint configs ```bash src/cli/build.ts 131:13 warning Async arrow function has too many statements (21). Maximum allowed is 20 max-statements 131:13 warning Async arrow function has a complexity of 11. Maximum allowed is 10 complexity ``` ## Related Issue Fixes #1659 Relates to # ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --------- Signed-off-by: Case Wylie Co-authored-by: Barrett <81570928+btlghrants@users.noreply.github.com> Co-authored-by: Sam Mayer --- integration/cli/build.noembed.test.ts | 4 +- src/cli/build.helpers.ts | 41 ++++++--- src/cli/build.test.ts | 75 +++++++++------ src/cli/build.ts | 126 +++++++++++++------------- 4 files changed, 141 insertions(+), 105 deletions(-)
diff --git a/integration/cli/build.noembed.test.ts b/integration/cli/build.noembed.test.ts index b99ba8ddb..9a7a5aa67 100644 --- a/integration/cli/build.noembed.test.ts +++ b/integration/cli/build.noembed.test.ts @@ -48,8 +48,8 @@ describe("build", () => { const argz = [`--no-embed`].join(" "); const build = await pepr.cli(testModule, { cmd: `pepr build ${argz}` }); expect(build.exitcode).toBe(0); - expect(build.stderr.join("").trim()).toContain("Error: Cannot find module"); - expect(build.stdout.join("").trim()).toContain(""); + expect(build.stderr.join("").trim()).toContain(""); + expect(build.stdout.join("").trim()).toContain("Module built successfully at"); packageJson = await resource.fromFile(`${testModule}/package.json`); uuid = packageJson.pepr.uuid; diff --git a/src/cli/build.helpers.ts b/src/cli/build.helpers.ts index 4690e045d..19bbfa632 100644 --- a/src/cli/build.helpers.ts +++ b/src/cli/build.helpers.ts @@ -12,6 +12,34 @@ import { generateAllYaml } from "../lib/assets/yaml/generateAllYaml"; import { webhookConfigGenerator } from "../lib/assets/webhooks"; import { generateZarfYamlGeneric } from "../lib/assets/yaml/generateZarfYaml"; +interface ImageOptions { + customImage?: string; + registryInfo?: string; + peprVersion?: string; + registry?: string; +} +/** + * Assign image string + * @param imageOptions CLI options for image + * @returns image string + */ +export function assignImage(imageOptions: ImageOptions): string { + const { customImage, registryInfo, peprVersion, registry } = imageOptions; + if (customImage) { + return customImage; + } + + if (registryInfo) { + return `${registryInfo}/custom-pepr-controller:${peprVersion}`; + } + + if (registry) { + return checkIronBankImage(registry, "", peprVersion!); + } + + return ""; +} + export type Reloader = (opts: BuildResult) => void | Promise; /** * Determine the RBAC mode based on the CLI options and the module's config 
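Review bot: The new stderr assertion `toContain("")` can never fail, since every string contains the empty string, so the test no longer proves that a `--no-embed` build is clean — which is exactly the regression this PR is fixing. Use an exact match instead: `expect(build.stderr.join("").trim()).toBe("");`. The removed stdout line carried the same no-op `toContain("")`, so the pattern looks habitual and is worth a grep across the integration tests. The enclosing `it` callback starts and ends outside this hunk.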
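Review bot: `checkIronBankImage(registry, "", peprVersion!)` in `assignImage` asserts non-null on a field that the same hunk's `ImageOptions` declares optional, so a call with `registry` set and no `peprVersion` silently forwards `undefined` as the image tag instead of failing early. Guard it rather than asserting: `if (registry) { if (!peprVersion) throw new Error("peprVersion is required to resolve the Iron Bank image"); return checkIronBankImage(registry, "", peprVersion); }`. The helper also fixes a precedence of `customImage` over `registryInfo` over `registry`, whereas the inline code it replaces in build.ts applied `checkIronBankImage` last, after both; if that function overrides a non-empty image when the registry is Iron Bank (its body is not in this diff), this is a behavior change that the JSDoc should state, e.g. `* Precedence: customImage > registryInfo > registry (Iron Bank); returns "" when none are set.`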
@@ -114,19 +142,6 @@ export async function handleCustomImageBuild( } } -/** - * Disables embedding of deployment files into output module - * @param embed - * @param path - * @returns - */ -export function handleEmbedding(embed: boolean, path: string): void { - if (!embed) { - console.info(`✅ Module built successfully at ${path}`); - return; - } -} - /** * Check if the capability names are valid * @param capabilities The capabilities to check diff --git a/src/cli/build.test.ts b/src/cli/build.test.ts index bc45128b6..bbe33dd7e 100644 --- a/src/cli/build.test.ts +++ b/src/cli/build.test.ts @@ -4,12 +4,13 @@ import { determineRbacMode, handleCustomOutputDir, - handleEmbedding, handleValidCapabilityNames, handleCustomImageBuild, checkIronBankImage, validImagePullSecret, + assignImage, } from "./build.helpers"; + import { createDirectoryIfNotExists } from "../lib/filesystemService"; import { expect, describe, it, jest, beforeEach } from "@jest/globals"; import { createDockerfile } from "../lib/included-files"; 
@@ -29,6 +30,52 @@ jest.mock("../lib/filesystemService", () => ({ createDirectoryIfNotExists: jest.fn(), })); +describe("assignImage", () => { + const mockPeprVersion = "1.0.0"; + + it("should return the customImage if provided", () => { + const result = assignImage({ + customImage: "pepr:dev", + registryInfo: "docker.io/defenseunicorns", + peprVersion: mockPeprVersion, + registry: "my-registry", + }); + expect(result).toBe("pepr:dev"); + }); + + it("should return registryInfo with custom-pepr-controller and peprVersion if customImage is not provided", () => { + const result = assignImage({ + customImage: "", + registryInfo: "docker.io/defenseunicorns", + peprVersion: mockPeprVersion, + registry: "my-registry", + }); + expect(result).toBe(`docker.io/defenseunicorns/custom-pepr-controller:1.0.0`); + }); + + it("should return IronBank image if registry is provided and others are not", () => { + const result = assignImage({ + customImage: "", + registryInfo: "", + peprVersion: mockPeprVersion, + registry: "Iron Bank", + }); + expect(result).toBe( + `registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v${mockPeprVersion}`, + ); + }); + + it("should return an empty string if none of the conditions are met", () => { + const result = assignImage({ + customImage: "", + registryInfo: "", + peprVersion: "", + registry: "", + }); + expect(result).toBe(""); + }); +}); + describe("determineRbacMode", () => { it("should allow CLI options to overwrite module config", () => { const opts = { rbacMode: "admin" }; 
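Review bot: The new `assignImage` tests skip the one input the implementation handles with a non-null assertion — `registry` set while `peprVersion` is undefined — and the precedence between `registry: "Iron Bank"` and a non-empty `customImage`/`registryInfo`, which is the behavior this PR moved out of build.ts. Add a case such as `expect(assignImage({ registry: "Iron Bank" })).not.toContain("undefined")` (pinning the current output instead would document the `vundefined` tag) and one asserting that `customImage` wins over `registry: "Iron Bank"`. The Iron Bank expectation hard-codes the `registry1.dso.mil/...` path, which couples this unit test to `checkIronBankImage`; that is acceptable but deserves a comment, e.g. `// expected value mirrors checkIronBankImage; update both together`.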
@@ -171,32 +218,6 @@ describe("handleCustomImageBuild", () => { expect(mockedExecSync).not.toHaveBeenCalled(); }); }); -describe("handleEmbedding", () => { - const consoleInfoSpy = jest.spyOn(console, "info").mockImplementation(() => {}); - - beforeEach(() => { - jest.clearAllMocks(); - }); - - it("should log success message if embed is false", () => { - const embed = false; - const path = "test/path"; - - handleEmbedding(embed, path); - - expect(consoleInfoSpy).toHaveBeenCalledWith(`✅ Module built successfully at ${path}`); - }); - - it("should not log success message if embed is true", () => { - const embed = true; - const path = "test/path"; - - handleEmbedding(embed, path); - - expect(consoleInfoSpy).not.toHaveBeenCalled(); - }); -}); - describe("handleValidCapabilityNames", () => { const mockExit = jest.spyOn(process, "exit").mockImplementation(() => { return undefined as never; diff --git a/src/cli/build.ts b/src/cli/build.ts index 373904864..f99676d31 100644 --- a/src/cli/build.ts +++ b/src/cli/build.ts @@ -11,23 +11,21 @@ import { RootCmd } from "./root"; import { Option } from "commander"; import { parseTimeout } from "../lib/helpers"; import { peprFormat } from "./format"; +import { ModuleConfig } from "../lib/core/module"; import { watchForChanges, determineRbacMode, - handleEmbedding, + assignImage, handleCustomOutputDir, handleValidCapabilityNames, handleCustomImageBuild, - checkIronBankImage, validImagePullSecret, generateYamlAndWriteToDisk, } from "./build.helpers"; -import { ModuleConfig } from "../lib/core/module"; const peprTS = "pepr.ts"; let outputDir: string = "dist"; export type Reloader = (opts: BuildResult) => void | Promise; - export type PeprNestedFields = Pick< ModuleConfig, | "uuid" @@ -64,7 +62,7 @@ type BuildModuleReturn = { path: string; cfg: PeprConfig; uuid: string; -} | void; +}; export default function (program: RootCmd): void { program 
@@ -134,68 +132,70 @@ export default function (program: RootCmd): void { // Build the module const buildModuleResult = await buildModule(undefined, opts.entryPoint, opts.embed); - if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) { - const { cfg, path, uuid } = buildModuleResult; - // Files to include in controller image for WASM support - const { includedFiles } = cfg.pepr; - - let image = opts.customImage || ""; - - // Check if there is a custom timeout defined - if (opts.timeout !== undefined) { - cfg.pepr.webhookTimeout = opts.timeout; - } - - if (opts.registryInfo !== undefined) { - console.info(`Including ${includedFiles.length} files in controller image.`); - - // for journey test to make sure the image is built - image = `${opts.registryInfo}/custom-pepr-controller:${cfg.pepr.peprVersion}`; - - // only actually build/push if there are files to include - await handleCustomImageBuild(includedFiles, cfg.pepr.peprVersion, cfg.description, image); - } - - // If building without embedding, exit after building - handleEmbedding(opts.embed, path); - - // set the image version if provided - opts.version ? (cfg.pepr.peprVersion = opts.version) : null; - - // Generate a secret for the module - const assets = new Assets( - { - ...cfg.pepr, - appVersion: cfg.version, - description: cfg.description, - alwaysIgnore: { - namespaces: cfg.pepr.alwaysIgnore?.namespaces, - }, - // Can override the rbacMode with the CLI option - rbacMode: determineRbacMode(opts, cfg), - }, - path, - opts.withPullSecret === "" ? 
[] : [opts.withPullSecret], - ); - // If registry is set to Iron Bank, use Iron Bank image - image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion); + const { cfg, path, uuid } = buildModuleResult!; + const image = assignImage({ + customImage: opts.customImage, + registryInfo: opts.registryInfo, + peprVersion: cfg.pepr.peprVersion, + registry: opts.registry, + }); + + // Check if there is a custom timeout defined + if (opts.timeout !== undefined) { + cfg.pepr.webhookTimeout = opts.timeout; + } - // if image is a custom image, use that instead of the default - image !== "" ? (assets.image = image) : null; + if (opts.registryInfo !== undefined) { + console.info(`Including ${cfg.pepr.includedFiles.length} files in controller image.`); + // for journey test to make sure the image is built - // Ensure imagePullSecret is valid - validImagePullSecret(opts.withPullSecret); + // only actually build/push if there are files to include + await handleCustomImageBuild( + cfg.pepr.includedFiles, + cfg.pepr.peprVersion, + cfg.description, + image, + ); + } - handleValidCapabilityNames(assets.capabilities); - await generateYamlAndWriteToDisk({ - uuid, - outputDir, - imagePullSecret: opts.withPullSecret, - zarf: opts.zarf, - assets, - }); + // If building without embedding, exit after building + if (!opts.embed) { + console.info(`✅ Module built successfully at ${path}`); + return; } + // set the image version if provided + opts.version ? (cfg.pepr.peprVersion = opts.version) : null; + + // Generate a secret for the module + const assets = new Assets( + { + ...cfg.pepr, + appVersion: cfg.version, + description: cfg.description, + alwaysIgnore: { + namespaces: cfg.pepr.alwaysIgnore?.namespaces, + }, + // Can override the rbacMode with the CLI option + rbacMode: determineRbacMode(opts, cfg), + }, + path, + opts.withPullSecret === "" ? [] : [opts.withPullSecret], + ); + + image !== "" ? 
(assets.image = image) : null; + + // Ensure imagePullSecret is valid + validImagePullSecret(opts.withPullSecret); + + handleValidCapabilityNames(assets.capabilities); + await generateYamlAndWriteToDisk({ + uuid, + outputDir, + imagePullSecret: opts.withPullSecret, + zarf: opts.zarf, + assets, + }); }); } @@ -253,7 +253,7 @@ export async function buildModule( reloader?: Reloader, entryPoint = peprTS, embed = true, -): Promise { +): Promise { try { const { cfg, modulePath, path, uuid } = await loadModule(entryPoint); From cc7fabba1abb2ed5372e49899cdcf5b97086934a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Jan 2025 22:30:20 +0000 Subject: [PATCH 2/8] chore: bump @types/node from 22.10.10 to 22.12.0 in the development-dependencies group (#1737) Bumps the development-dependencies group with 1 update: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 22.10.10 to 22.12.0
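Review bot: `const { cfg, path, uuid } = buildModuleResult!;` replaces the previous `if (buildModuleResult?.cfg && …)` guard with a non-null assertion, so if `buildModule` ever resolves to `undefined` (the `| void` removed from `BuildModuleReturn` and the `try {` opening its body, whose catch is outside this diff, suggest it can) the command dies with a TypeError on destructuring instead of a clear message and exit code. Prefer an explicit guard before the destructure: `if (!buildModuleResult) { console.error("Build failed; no module output produced."); process.exit(1); }`. Separately, `validImagePullSecret(opts.withPullSecret)` still runs after the secret name has already been passed into `new Assets(...)`; moving that call above the `Assets` constructor validates the input before it is used (the order is pre-existing, but this hunk rewrites both lines). The enclosing `program.action` callback begins before this hunk.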
Commits

Most Recent Ignore Conditions Applied to This Pull Request | Dependency Name | Ignore Conditions | | --- | --- | | @types/node | [>= 20.a, < 21] |
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/node&package-manager=npm_and_yarn&previous-version=22.10.10&new-version=22.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index d2098d42a..f4eb1fb39 100644 --- a/package-lock.json +++ b/package-lock.json @@ -2686,9 +2686,9 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "22.10.10", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.10.tgz", - "integrity": "sha512-X47y/mPNzxviAGY5TcYPtYL8JsY3kAq2n8fMmKoRCxq/c4v4pyGNCzM2R6+M5/umG4ZfHuT+sgqDYqWc9rJ6ww==", + "version": "22.12.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.12.0.tgz", + "integrity": "sha512-Fll2FZ1riMjNmlmJOdAyY5pUbkftXslB5DgEzlIuNaiWhXd00FhWxVC/r4yV/4wBb9JfImTu+jiSvXTkJ7F/gA==", "license": "MIT", "dependencies": { "undici-types": "~6.20.0" From 25db809b79398c37f869819fe8bc7a607f6aeacb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Jan 2025 22:46:24 +0000 Subject: [PATCH 3/8] chore: bump peter-murray/workflow-application-token-action from 4.0.0 to 4.0.1 (#1740) Bumps [peter-murray/workflow-application-token-action](https://github.com/peter-murray/workflow-application-token-action) from 4.0.0 to 4.0.1.
Release notes

Sourced from peter-murray/workflow-application-token-action's releases.

v4.0.1

Updating dependencies to resolve security vulnerabilities

Commits

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=peter-murray/workflow-application-token-action&package-manager=github_actions&previous-version=4.0.0&new-version=4.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 9899799e3..eccbb40f9 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Get token to trigger defenseunicorns/pepr-docs workflow id: get_workflow_trigger_token - uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0 + uses: peter-murray/workflow-application-token-action@d17e3a9a36850ea89f35db16c1067dd2b68ee343 # v4.0.1 with: application_id: ${{ secrets.DOCS_WORKFLOW_GITHUB_APP_ID }} application_private_key: ${{ secrets.DOCS_WORKFLOW_GITHUB_APP_SECRET }} From 2f52362357c948b16390e55c502e540d5e2861b5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 28 Jan 2025 22:46:30 +0000 Subject: [PATCH 4/8] chore: bump github/codeql-action from 3.28.5 to 3.28.6 (#1739) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.5 to 3.28.6.
Release notes

Sourced from github/codeql-action's releases.

v3.28.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.6 - 27 Jan 2025

  • Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #2726

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.6 - 27 Jan 2025

  • Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #2726

3.28.5 - 24 Jan 2025

  • Update default CodeQL bundle version to 2.20.3. #2717

3.28.4 - 23 Jan 2025

No user facing changes.

3.28.3 - 22 Jan 2025

  • Update default CodeQL bundle version to 2.20.2. #2707
  • Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the CodeQL Action sync tool and the Actions runner did not have Zstandard installed. #2710
  • Uploading debug artifacts for CodeQL analysis is temporarily disabled. #2712

3.28.2 - 21 Jan 2025

No user facing changes.

3.28.1 - 10 Jan 2025

  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677
  • Update default CodeQL bundle version to 2.20.1. #2678

3.28.0 - 20 Dec 2024

  • Bump the minimum CodeQL bundle version to 2.15.5. #2655
  • Don't fail in the unusual case that a file is on the search path. #2660.

3.27.9 - 12 Dec 2024

No user facing changes.

3.27.8 - 12 Dec 2024

  • Fixed an issue where streaming the download and extraction of the CodeQL bundle did not respect proxy settings. #2624

3.27.7 - 10 Dec 2024

... (truncated)

Commits
  • 17a820b Merge pull request #2735 from github/aeisenberg/fix-permissions
  • 3a4eae0 Add extra permission to mergeback workflow
  • 4e83f6b Merge pull request #2732 from github/update-v3.28.6-b49419044
  • 64ad47c Update changelog for v3.28.6
  • b494190 Merge pull request #2726 from github/aeisenberg/reenable-artifact-upload
  • a879704 Clarify test fail;ure message
  • 62c322f Add better comments around artifact upload tests
  • c6b2861 Merge pull request #2731 from github/dependabot/npm_and_yarn/npm-e1e9e6cd15
  • 297e89a Merge pull request #2723 from github/marcogario/start-proxy_tests
  • 357e0ce Update checked-in dependencies
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=3.28.5&new-version=3.28.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3f4d9c389..b04f356cd 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -44,17 +44,17 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + uses: github/codeql-action/init@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6 with: languages: ${{ matrix.language }} # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + uses: github/codeql-action/autobuild@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + uses: github/codeql-action/analyze@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 08bbbb530..cf56a5106 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -60,6 +60,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v2.2.4 + uses: github/codeql-action/upload-sarif@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v2.2.4 with: sarif_file: results.sarif From 2e03a4699df7fdb79edc2d1ac61a6fb80449a85a Mon Sep 17 00:00:00 2001 
From: Sam Mayer Date: Wed, 29 Jan 2025 09:50:04 -0600 Subject: [PATCH 5/8] fix: tolerate optional fields from external pepr module definitions (#1732) ## Description This PR relates to an issue where customLabels were not being applied to a Helm chart after running `pepr build`. ## Related Issue Relates to #1713 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --- src/cli/init/templates.ts | 11 +++++---- src/lib/assets/index.test.ts | 4 +++- src/lib/core/module.ts | 44 ++++++++++++++++++++---------------- 3 files changed, 33 insertions(+), 26 deletions(-) diff --git a/src/cli/init/templates.ts b/src/cli/init/templates.ts index abb51de5e..ca127fbb0 100644 --- a/src/cli/init/templates.ts +++ b/src/cli/init/templates.ts 
@@ -6,16 +6,17 @@ import { inspect } from "util"; import { v4 as uuidv4, v5 as uuidv5 } from "uuid"; import eslintJSON from "../../templates/.eslintrc.template.json"; +import peprSnippetsJSON from "../../templates/pepr.code-snippets.json"; import prettierJSON from "../../templates/.prettierrc.json"; import samplesJSON from "../../templates/capabilities/hello-pepr.samples.json"; -import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json"; -import peprSnippetsJSON from "../../templates/pepr.code-snippets.json"; import settingsJSON from "../../templates/settings.json"; import tsConfigJSON from "../../templates/tsconfig.module.json"; -import { sanitizeName } from "./utils"; +import { CustomLabels } from "../../lib/core/module"; import { InitOptions } from "../types"; -import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node"; import { OnError, RbacMode } from "./enums"; +import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node"; +import { gitIgnore, helloPeprTS, packageJSON, peprTS, readmeMd } from "../../templates/data.json"; +import { sanitizeName } from "./utils"; export const { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON; @@ -30,7 +31,7 @@ type peprPackageJSON = { uuid: string; onError: OnError; webhookTimeout: number; - customLabels: { namespace: Record }; + customLabels: CustomLabels; alwaysIgnore: { namespaces: string[] }; includedFiles: string[]; env: object; diff --git a/src/lib/assets/index.test.ts b/src/lib/assets/index.test.ts index 54422d0c4..524ecdda3 100644 --- a/src/lib/assets/index.test.ts +++ b/src/lib/assets/index.test.ts @@ -3,6 +3,7 @@ import { it, describe, expect } from "@jest/globals"; import { createWebhookYaml } from "./index"; import { kind } from "kubernetes-fluent-client"; +import { ModuleConfig } from "../core/module"; describe("createWebhookYaml", () => { const webhookConfiguration = new kind.MutatingWebhookConfiguration(); 
@@ -37,13 +38,14 @@ describe("createWebhookYaml", () => { }, ]; - const moduleConfig = { + const moduleConfig: ModuleConfig = { onError: "reject", webhookTimeout: 15, uuid: "some-uuid", alwaysIgnore: { namespaces: ["kube-system", "pepr-system"], }, + customLabels: { namespace: { "pepr.dev": "" } }, }; it("replaces placeholders in the YAML correctly", () => { diff --git a/src/lib/core/module.ts b/src/lib/core/module.ts index dde53af81..ad37b64a4 100644 --- a/src/lib/core/module.ts +++ b/src/lib/core/module.ts 
@@ -12,37 +12,41 @@ import { V1PolicyRule as PolicyRule } from "@kubernetes/client-node";
 import { resolveIgnoreNamespaces } from "../assets/webhooks";
 /** Custom Labels Type for package.json */
-export interface CustomLabels {
- namespace?: Record;
-}
-/** Global configuration for the Pepr runtime. */
-export type ModuleConfig = {
+
+export type CustomLabels = { namespace: Record } | Record;
+
+/** Configuration that MAY be set a Pepr module's package.json. */
+export type ModuleConfigOptions = {
 /** The Pepr version this module uses */
- peprVersion?: string;
+ peprVersion: string;
 /** The user-defined version of the module */
- appVersion?: string;
- /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
- uuid: string;
+ appVersion: string;
 /** A description of the Pepr module and what it does. */
- description?: string;
+ description: string;
 /** The webhookTimeout */
- webhookTimeout?: number;
+ webhookTimeout: number;
 /** Reject K8s resource AdmissionRequests on error. */
- onError?: string;
- /** Configure global exclusions that will never be processed by Pepr. */
- alwaysIgnore: WebhookIgnore;
+ onError: string;
 /** Define the log level for the in-cluster controllers */
- logLevel?: string;
+ logLevel: string;
 /** Propagate env variables to in-cluster controllers */
- env?: Record;
- /** Custom Labels for Kubernetes Objects */
- customLabels?: CustomLabels;
+ env: Record;
 /** Custom RBAC rules */
- rbac?: PolicyRule[];
+ rbac: PolicyRule[];
 /** The RBAC mode; if "scoped", generates scoped rules, otherwise uses wildcard rules. */
- rbacMode?: string;
+ rbacMode: string;
+ /** Custom Labels for Kubernetes Objects */
+ customLabels: CustomLabels;
 };
+/** Global configuration for the Pepr runtime. */
+export type ModuleConfig = {
+ /** A unique identifier for this Pepr module. This is automatically generated by Pepr. */
+ uuid: string;
+ /** Configure global exclusions that will never be processed by Pepr.
 */ + alwaysIgnore: WebhookIgnore; +} & Partial; + export type PackageJSON = { description: string; pepr: ModuleConfig; From 967eb05e8a1c58224ef73b9d9589f941306d7d66 Mon Sep 17 00:00:00 2001 From: Case Wylie Date: Wed, 29 Jan 2025 12:35:30 -0500 Subject: [PATCH 6/8] chore: nightly releases of pepr cli and controller image (#1738) ## Description As the next step in Pepr's automation journey this PR creates nightly releases of the CLI and controller image. As discussed, the nightly version is as follows: `<pepr_version>-nightly.[0-x]`. The first time this is run, there will be a nightly of the current release with a prerelease version of 0 that will increment as many times as the task is run until the next release comes out, then it will start over at 0. The tag is always set to nightly, so the latest pepr code can be utilized through `npx pepr@nightly [command]` ## Related Issue Fixes #1692 Relates to #1096 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --------- Signed-off-by: Case Wylie --- .github/workflows/nightlies.yml | 47 +++++++++++++++++++++++++++++++++ scripts/nightlies.sh | 38 ++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 .github/workflows/nightlies.yml create mode 100755 scripts/nightlies.sh diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml new file mode 100644 index 000000000..72a616d47 --- /dev/null 
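Review bot: `export type CustomLabels = { namespace: Record } | Record;` (the type arguments appear stripped in this rendering) gives the two arms overlapping shapes, since an object whose `namespace` key holds a string also satisfies the bare `Record` arm, so code that builds Kubernetes labels from it cannot reliably tell the namespace-scoped form from a flat label map by checking for the key; a discriminated shape, or the previous single object type with an optional `namespace`, would narrow cleanly at those call sites. The doc comment on `ModuleConfigOptions` is missing a word: `/** Configuration that MAY be set in a Pepr module's package.json. */`. Because `ModuleConfig` now intersects a `Partial` of the options type (presumably `Partial<ModuleConfigOptions>`), every field except `uuid` and `alwaysIgnore` is optional again at the point of use, which is worth stating on `ModuleConfig` itself, e.g. `/** Global configuration for the Pepr runtime; only uuid and alwaysIgnore are required, all ModuleConfigOptions fields are optional. */`, so a reader of `ModuleConfigOptions` does not take its non-optional fields as guaranteed at runtime.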
+++ b/.github/workflows/nightlies.yml @@ -0,0 +1,47 @@ +name: Nightlies + +on: + schedule: + - cron: "0 0 * * *" + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Harden Runner + uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 + + - name: Use Node.js 20 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 + with: + node-version: 20 + registry-url: "https://registry.npmjs.org" + cache: "npm" + + - name: "Pepr Controller: Login to GHCR" + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: dummy + password: ${{ github.token }} + + - name: Publish to GHCR and NPM + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: ./scripts/nightlies.sh diff --git a/scripts/nightlies.sh b/scripts/nightlies.sh new file mode 100755 index 000000000..4d44ea26b --- /dev/null +++ b/scripts/nightlies.sh 
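Review bot: The job grants `id-token: write`, but no visible step consumes an OIDC token: the GHCR login uses `${{ github.token }}` and the publish step hands `scripts/nightlies.sh` the stored `NPM_TOKEN` secret. Either drop `id-token: write` so this scheduled job runs at least privilege, or put it to use with `npm publish --provenance` so the nightly tarball carries a build attestation tied to this workflow. `egress-policy: audit` only logs outbound connections from a job that holds a publish credential; once the registries it needs are known, `egress-policy: block` with `allowed-endpoints` is the tighter setting for harden-runner. Pinning every action to a commit SHA with a version comment is good and worth keeping.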
@@ -0,0 +1,38 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# SPDX-FileCopyrightText: 2023-Present The Pepr Authors + +# Script to build and publish nightly versions of Pepr Controller and Pepr CLI. + +set -e +npm install -g npm + +LATEST_VERSION=$(npx --yes pepr@latest --version 2>/dev/null) +RAW_NIGHTLY_VERSION=$(npx --yes pepr@nightly --version 2>/dev/null || echo "none") + +if [[ "$RAW_NIGHTLY_VERSION" == "none" ]]; then + echo "No nightly version found. Setting NIGHTLY_VERSION=0." + NIGHTLY_VERSION=0 +else + NIGHTLY_VERSION_PART=$(echo "$RAW_NIGHTLY_VERSION" | grep -oE "nightly\.([0-9]+)" | cut -d. -f2) + + BASE_NIGHTLY_VERSION=${RAW_NIGHTLY_VERSION%-nightly*} + if [[ "$LATEST_VERSION" > "$BASE_NIGHTLY_VERSION" ]]; then + echo "Nightly version is less than the latest version. Resetting NIGHTLY_VERSION to 0." + NIGHTLY_VERSION=0 + else + NIGHTLY_VERSION=$((NIGHTLY_VERSION_PART + 1)) + echo "Incrementing NIGHTLY_VERSION to $NIGHTLY_VERSION." + fi +fi + +FULL_VERSION="${LATEST_VERSION}-nightly.${NIGHTLY_VERSION}" + +echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_ENV" + +npm version --no-git-tag-version "$FULL_VERSION" + +docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:"$FULL_VERSION" . + +npm publish --tag "nightly" From 52bf35d63652607b5afd1d925c3e66a51be9516a Mon Sep 17 00:00:00 2001 
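Review bot: `if [[ "$LATEST_VERSION" > "$BASE_NIGHTLY_VERSION" ]]` is a lexical string comparison, so a release such as 0.10.0 sorts below 0.9.0 and the nightly counter keeps incrementing instead of resetting after that release; compare with a version-aware sort, e.g. `HIGHEST=$(printf '%s\n' "$LATEST_VERSION" "$BASE_NIGHTLY_VERSION" | sort -V | tail -n1)` followed by `if [[ "$LATEST_VERSION" != "$BASE_NIGHTLY_VERSION" && "$HIGHEST" == "$LATEST_VERSION" ]]; then`. Both version strings come from a registry response and flow unchecked into `npm version`, the image tag and `$GITHUB_ENV`, so assert their shape first: `[[ "$LATEST_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version: $LATEST_VERSION" >&2; exit 1; }`. `npx --yes pepr@latest --version` downloads and executes the package just to read its version, inside a job that holds the npm publish token; `npm view pepr@latest version` returns the same string from registry metadata without running package code. `set -e` alone leaves unset variables and the `grep | cut` pipeline's failures unchecked; `set -euo pipefail` is the usual opener for a publishing script.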
From: Case Wylie Date: Wed, 29 Jan 2025 14:55:57 -0500 Subject: [PATCH 7/8] chore: rename npm version command for nightlies to work (#1742) ## Description We run `npm version --no-git-tag-version "$FULL_VERSION"` to update the version in package.json before a release. In Pepr Core, we accidentally had overridden that command with a custom command that we use when we publish SLSA. This fixes it and SLSA will still work ## Related Issue Fixes # Relates to # ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --------- Signed-off-by: Case Wylie --- .github/workflows/release.yml | 2 +- package.json | 2 +- scripts/nightlies.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index deaa21377..32c2d45d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ jobs: npm install -g npm - npm run version + npm run set:version # Build Controller Image docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} . diff --git a/package.json b/package.json index 4c5aaa6a7..d9d74a831 100644 --- a/package.json +++ b/package.json 
@@ -22,9 +22,9 @@ "ci": "npm ci", "gen-data-json": "node hack/build-template-data.js", "prebuild": "rm -fr dist/* && npm run gen-data-json", - "version": "node scripts/set-version.js", "build": "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", + "set:version": "node scripts/set-version.js", "test": "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:integration": "npm run test:integration:prep && npm run test:integration:run", diff --git a/scripts/nightlies.sh b/scripts/nightlies.sh index 4d44ea26b..73a372800 100755 --- a/scripts/nightlies.sh +++ b/scripts/nightlies.sh @@ -33,6 +33,6 @@ echo "FULL_VERSION=$FULL_VERSION" >> "$GITHUB_ENV" npm version --no-git-tag-version "$FULL_VERSION" -docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:"$FULL_VERSION" . +docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:v"$FULL_VERSION" . npm publish --tag "nightly" From 6b6dbfc434ab45818bc8fe375f51028c5e7ae9b6 Mon Sep 17 00:00:00 2001 
From: Case Wylie
Date: Wed, 29 Jan 2025 15:08:19 -0500
Subject: [PATCH 8/8] chore: quick fix on npm install and npm build for nightly (#1743) ## Description Needs to be installed and build before pushing to registry ## Related Issue Fixes # Relates to # ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Unit, [Journey](https://github.com/defenseunicorns/pepr/tree/main/journey), [E2E Tests](https://github.com/defenseunicorns/pepr-excellent-examples), [docs](https://github.com/defenseunicorns/pepr/tree/main/docs), [adr](https://github.com/defenseunicorns/pepr/tree/main/adr) added or updated as needed - [x] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed --------- Signed-off-by: Case Wylie
---
 scripts/nightlies.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scripts/nightlies.sh b/scripts/nightlies.sh
index 73a372800..cd2cb19f4 100755
--- a/scripts/nightlies.sh
+++ b/scripts/nightlies.sh
@@ -35,4 +35,7 @@ npm version --no-git-tag-version "$FULL_VERSION"
 docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:v"$FULL_VERSION" .
+npm install
+npm run build
+
 npm publish --tag "nightly"
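Review bot: The added `npm install` and `npm run build` run after `docker buildx build --push` has already published the controller image, so a failing build leaves a `controller:v$FULL_VERSION` image in GHCR with no matching CLI on npm. Move the two new lines above the docker step so the image is pushed only once the package is known to build. In a publishing job `npm ci` is the conventional choice over `npm install`: it installs exactly the lockfile tree and fails on drift instead of resolving fresh dependency versions into the tarball about to be published. The script's `set -e` opener and version handling are outside this hunk.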