Skyscanner
diff --git a/‎.github/workflows/README.md‎
Lines changed: 1 addition & 9 deletions b/‎.github/workflows/README.md‎
Lines changed: 1 addition & 9 deletions
diff --git a/‎.github/workflows/ci-build.yaml‎
Lines changed: 100 additions & 71 deletions b/‎.github/workflows/ci-build.yaml‎
Lines changed: 100 additions & 71 deletions
diff --git a/‎.github/workflows/image-reuse.yaml‎
Lines changed: 9 additions & 8 deletions b/‎.github/workflows/image-reuse.yaml‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎.github/workflows/image.yaml‎
Lines changed: 69 additions & 53 deletions b/‎.github/workflows/image.yaml‎
Lines changed: 69 additions & 53 deletions
@@ -3,20 +3,14 @@
 | Workflow           | Description                                                    |
 |--------------------|----------------------------------------------------------------|
 | ci-build.yaml      | Build, lint, test, codegen, build-ui, analyze, e2e-test        |
-| codeql.yaml        | CodeQL analysis                                                |
 | image-reuse.yaml   | Build, push, and Sign container images                         |
 | image.yaml         | Build container image for PR's & publish for push events       |
-| init-release.yaml  | Build manifests and version then create a PR for release branch|
-| pr-title-check.yaml| Lint PR for semantic information                               |
-| release.yaml       | Build images, cli-binaries, provenances, and post actions      |
-| scorecard.yaml     | Generate scorecard for supply-chain security                   |
-| update-snyk.yaml   | Scheduled snyk reports                                         |
 
 # Reusable workflows
 
 ## image-reuse.yaml
 
-- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- The reusable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
 - A GO version `must` be specified e.g. 1.21
 - The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
 - Multiple platforms can be specified e.g. linux/amd64,linux/arm64
@@ -26,9 +20,7 @@
 | Inputs            | Description                         | Type        | Required | Defaults        |
 |-------------------|-------------------------------------|-------------|----------|-----------------|
 | go-version        | Version of Go to be used            | string      | true     | none            |
-| quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
 | ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
-| docker_image_name | Full image name and tag             | CSV, string | false    | none            |
 | platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
 | push              | Whether to push image/s to registry | boolean     | false    | false           |
 | target            | Target build stage                  | string      | false    | none            |
 
@@ -67,15 +67,16 @@ jobs:
         if: ${{ github.ref_type != 'tag'}}
 
       - name: Setup Golang
-        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ inputs.go-version }}
+          cache: false
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
 
-      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
-      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Setup tags for container image as a CSV type
         run: |
@@ -102,23 +103,23 @@ jobs:
             echo 'EOF' >> $GITHUB_ENV
 
       - name: Login to Quay.io
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: quay.io
           username: ${{ secrets.quay_username }}
           password: ${{ secrets.quay_password }}
         if: ${{ inputs.quay_image_name && inputs.push }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ secrets.ghcr_username }}
           password: ${{ secrets.ghcr_password }}
         if: ${{ inputs.ghcr_image_name && inputs.push }}
 
       - name: Login to dockerhub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ secrets.docker_username }}
           password: ${{ secrets.docker_password }}
@@ -141,7 +142,7 @@ jobs:
 
       - name: Build and push container image
         id: image
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
         with:
           context: .
           platforms: ${{ inputs.platforms }}
 
@@ -3,11 +3,19 @@ name: Image
 on:
   push:
     branches:
-      - master
+      # We use skyscanner-internal/master as the base branch for integration
+      # This branch contains our CI changes and is not meant for direct contributions.
+      # Our internal development is to be merged into here.
+      # The changes that are ready for contribution should be cherry-picked to skyscanner-contrib/master.
+      - skyscanner-internal/master
+      # Branches to be used for development and testing. They should be based on skyscanner-internal/master.
+      - skyscanner-internal/develop/**
   pull_request:
     branches:
-      - master
-    types: [ labeled, unlabeled, opened, synchronize, reopened ]
+      - skyscanner-internal/master
+      # Cleaned up, ready for contribution PRs are to be cherry-picked here
+      - skyscanner-contrib/master
+    types: [labeled, unlabeled, opened, synchronize, reopened]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -19,7 +27,7 @@ jobs:
   set-vars:
     permissions:
       contents: read
-    if: github.repository == 'argoproj/argo-cd'
+    if: github.repository == 'Skyscanner/argo-cd'
     runs-on: ubuntu-22.04
     outputs:
       image-tag: ${{ steps.image.outputs.tag}}
@@ -28,7 +36,13 @@ jobs:
       - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
 
       - name: Set image tag for ghcr
-        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+        run: |
+          # Get the branch name
+          BRANCH_NAME=${GITHUB_REF#refs/heads/}
+          # Sanitize branch name for container registry compliance
+          SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | sed -e 's/\//-/g' | tr '[:upper:]' '[:lower:]')
+          # Set the image tag with sanitized branch name
+          echo "tag=$(cat ./VERSION)-${SANITIZED_BRANCH}-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
         id: image
 
       - name: Determine image platforms to use
@@ -37,7 +51,7 @@ jobs:
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]]
           then
-            IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+            IMAGE_PLATFORMS=linux/amd64,linux/arm64
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
           echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT
@@ -46,74 +60,76 @@ jobs:
     needs: [set-vars]
     permissions:
       contents: read
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
       id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    if: ${{ github.repository == 'Skyscanner/argo-cd' && github.event_name != 'push' }}
     uses: ./.github/workflows/image-reuse.yaml
     with:
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
-      go-version: 1.23.3
+      go-version: 1.24.4
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: false
 
   build-and-publish:
     needs: [set-vars]
     permissions:
       contents: read
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
       id-token: write # for creating OIDC tokens for signing.
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    if: ${{ github.repository == 'Skyscanner/argo-cd' && github.event_name == 'push' }}
     uses: ./.github/workflows/image-reuse.yaml
     with:
-      quay_image_name: quay.io/argoproj/argocd:latest
-      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      # quay_image_name: quay.io/argoproj/argocd:latest
+      ghcr_image_name: ghcr.io/skyscanner/argocd:${{ needs.set-vars.outputs.image-tag }}
       # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
       # renovate: datasource=golang-version packageName=golang
-      go-version: 1.23.3
+      go-version: 1.24.4
       platforms: ${{ needs.set-vars.outputs.platforms }}
       push: true
     secrets:
-      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
-      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      #quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      #quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
       ghcr_username: ${{ github.actor }}
       ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
-    needs:
-      - build-and-publish
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
-    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
-    with:
-      image: ghcr.io/argoproj/argo-cd/argocd
-      digest: ${{ needs.build-and-publish.outputs.image-digest }}
-      registry-username: ${{ github.actor }}
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
-
-  Deploy:
-    needs:
-      - build-and-publish
-      - set-vars
-    permissions:
-      contents: write  # for git to push upgrade commit if not already deployed
-      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
-    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
-      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
-        env:
-          TOKEN: ${{ secrets.TOKEN }}
-      - run: |
-          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
-          git config --global user.email 'ci@argoproj.com'
-          git config --global user.name 'CI'
-          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
-        working-directory: argoproj-deployments/argocd
+  # TODO: Needs allowlisting
+  # build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
+  #   needs:
+  #     - build-and-publish
+  #   permissions:
+  #     actions: read # for detecting the Github Actions environment.
+  #     id-token: write # for creating OIDC tokens for signing.
+  #     packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+  #   if: ${{ github.repository == 'Skyscanner/argo-cd' && github.event_name == 'push' }}
+  #   # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+  #   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+  #   with:
+  #     image: ghcr.io/argoproj/argo-cd/argocd
+  #     digest: ${{ needs.build-and-publish.outputs.image-digest }}
+  #     registry-username: ${{ github.actor }}
+  #   secrets:
+  #     registry-password: ${{ secrets.GITHUB_TOKEN }}
 
+  # TODO: We would need to fork this repo as well and repoint it to our argocd-deployments repo.
+  # Do we want this?
+  # Deploy:
+  #   needs:
+  #     - build-and-publish
+  #     - set-vars
+  #   permissions:
+  #     contents: write # for git to push upgrade commit if not already deployed
+  #     packages: write # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+  #   if: ${{ github.repository == 'Skyscanner/argo-cd' && github.event_name == 'push' }}
+  #   runs-on: ubuntu-22.04
+  #   steps:
+  #     - uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
+  #     - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
+  #       env:
+  #         TOKEN: ${{ secrets.TOKEN }}
+  #     - run: |
+  #         docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+  #         git config --global user.email 'ci@argoproj.com'
+  #         git config --global user.name 'CI'
+  #         git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
+  #       working-directory: argoproj-deployments/argocd