chore(repo): rework makefile and add renovate mangers for pre-commit …

…and makefile binaries

Signed-off-by: Oliver Bähler <[email protected]>

.github/configs/lintconf.yaml

@@ -1,6 +1,8 @@
-
 ---
 rules:
+  truthy:
+    level: warning
+    check-keys: false
   braces:
     min-spaces-inside: 0
     max-spaces-inside: 0
@@ -39,5 +41,3 @@ rules:
   new-lines:
     type: unix
   trailing-spaces: enable
-  truthy:
-    level: warning

.github/workflows/check-commit.yml

@@ -3,14 +3,15 @@ permissions: {}
 
 on:
   push:
-    branches: [ "*" ]
+    branches:
+      - "*"
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
-
 jobs:
   commit_lint:
     runs-on: ubuntu-24.04
@@ -19,5 +20,3 @@ jobs:
         with:
           fetch-depth: 0
       - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
-        with:
-          firstParent: true

.github/workflows/docker-build.yml

@@ -0,0 +1,45 @@
+name: Build images
+permissions: {}
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - '.github/workflows/docker-*.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - '.ko.yaml'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+
+jobs:
+  build-images:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: ko build
+        run: VERSION=${{ github.ref_name }} make ko-build-all
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+        env:
+          # Trivy is returning TOOMANYREQUESTS
+          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/helm-test.yml

@@ -3,13 +3,25 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - "main"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  linter-artifacthub:
+    runs-on: ubuntu-latest
+    container:
+      image: artifacthub/ah
+      options: --user root
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Run ah lint
+        working-directory: ./charts/
+        run: ah lint
   lint:
     runs-on: ubuntu-24.04
     steps:
@@ -31,7 +43,7 @@ jobs:
           fi
       - name: Run chart-testing (lint)
         run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
-        
+
       - name: Run docs-testing (helm-docs)
         id: helm-docs
         run: |
@@ -43,7 +55,17 @@ jobs:
           else
             echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
           fi
-
+      - name: Run schema-testing (helm-schema)
+        id: helm-schema
+        run: |
+          make helm-schema
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mSchema outdated! (Run make helm-schema locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mSchema up to date\033[0m ✔'
+          fi
       - name: Run chart-testing (install)
         run: HELM_KIND_CONFIG="./hack/kind-cluster.yml" make helm-test
-        if: steps.list-changed.outputs.changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'

.github/workflows/lint.yml

@@ -3,15 +3,25 @@ permissions: {}
 
 on:
   push:
-    branches: [ "*" ]
+    branches:
+      - "*"
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install yamllint
+        run: pip install yamllint
+      - name: Lint YAML files
+        run: yamllint --strict -c=.github/configs/lintconf.yaml
   golangci:
     name: lint
     runs-on: ubuntu-24.04

.github/workflows/seccomp.yaml

@@ -3,14 +3,16 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
     paths:
       - '.github/workflows/e2e.yml'
       - 'api/**'
       - 'controllers/**'
       - 'pkg/**'
       - 'e2e/*'
-      - 'Dockerfile'
+      - '.ko.yaml'
+      - 'Dockerfile.tracing'
       - 'go.*'
       - 'main.go'
       - 'Makefile'
@@ -25,10 +27,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        # differently from the e2e workflow
-        # we don't need all the versions of kubernetes
-        # to generate the seccomp profile.
-        k8s-version: [ 'v1.30.0' ]
+        k8s-version:
+          - "v1.30.0"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -51,4 +51,3 @@ jobs:
         with:
           name: capsule-seccomp
           path: capsule-seccomp.json
-

.pre-commit-config.yaml

@@ -2,9 +2,9 @@ repos:
 - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
   rev: v9.20.0
   hooks:
-      - id: commitlint
-        stages: [commit-msg]
-        additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
+  - id: commitlint
+    stages: [commit-msg]
+    additional_dependencies: ['@commitlint/config-conventional', 'commitlint-plugin-function-rules']
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v3.2.0
   hooks:
@@ -13,28 +13,33 @@ repos:
   - id: double-quote-string-fixer
   - id: end-of-file-fixer
   - id: trailing-whitespace
+- repo: https://github.com/adrienverge/yamllint
+  rev: v1.29.0
+  hooks:
+  - id: yamllint
+    args: [--strict, -c=.github/configs/lintconf.yaml]
 - repo: local
   hooks:
-    - id: run-helm-docs
-      name: Execute helm-docs
-      entry: make helm-docs
-      language: system
-      files: ^charts/
-    - id: run-helm-schema
-      name: Execute helm-schema
-      entry: make helm-schema
-      language: system
-      files: ^charts/
-    - id: run-helm-lint
-      name: Execute helm-lint
-      entry: make helm-lint
-      language: system
-      files: ^charts/
-    - id: golangci-lint
-      name: Execute golangci-lint
-      entry: make golint
-      language: system
-      files: \.go$
+  - id: run-helm-docs
+    name: Execute helm-docs
+    entry: make helm-docs
+    language: system
+    files: ^charts/
+  - id: run-helm-schema
+    name: Execute helm-schema
+    entry: make helm-schema
+    language: system
+    files: ^charts/
+  - id: run-helm-lint
+    name: Execute helm-lint
+    entry: make helm-lint
+    language: system
+    files: ^charts/
+  - id: golangci-lint
+    name: Execute golangci-lint
+    entry: make golint
+    language: system
+    files: \.go$
 - repo: https://github.com/tekwizely/pre-commit-golang
   rev: v1.0.0-rc.1
   hooks: