[internal] Fixes in CI, module structure and build (#92)

Signed-off-by: v.oleynikov <[email protected]>

Author: duckhawk

.github/workflows/build_prod.yml

@@ -233,4 +233,4 @@ jobs:
           module_tag: ${{ github.ref_name }}
           secondary_repo: "${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}"
           source_repo: ${{ secrets.SOURCE_REPO }}
-          source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
+          source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}

.github/workflows/deploy_dev.yml

@@ -70,5 +70,4 @@ jobs:
           module_tag: ${{ github.event.inputs.tag }}
           source_repo: ${{ secrets.SOURCE_REPO }}
           source_repo_ssh_key: ${{ secrets.SOURCE_REPO_SSH_KEY }}
-          
       - uses: deckhouse/modules-actions/deploy@v2

.github/workflows/go_checks.yaml

@@ -18,34 +18,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/[email protected]
-
       - name: Run Go lint
-        run: |
-          basedir=$(pwd)
-          failed='false'
-          for i in $(find images -type f -name go.mod);do
-            dir=$(echo $i | sed 's/go.mod$//')
-            cd $basedir/$dir
-            # check all editions
-            for edition in $GO_BUILD_TAGS ;do
-              echo "Running linter in $dir (edition: $edition)"
-              golangci-lint run --build-tags $edition
-              if [ $? -ne 0 ]; then
-                echo "Linter failed in $dir (edition: $edition)"
-                failed='true'
-              fi
-            done
-          done
-          if [ $failed == 'true' ]; then
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_linter@v2
 
   go_tests:
     name: Go tests for images
@@ -55,31 +29,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go tests
-        run: |
-          basedir=$(pwd)
-          failed='false'
-          for i in $(find images -type f -name '*_test.go');do
-            dir=$(echo $i | sed 's/[a-z_A-Z0-9-]*_test.go$//')
-            cd $basedir/$dir
-            # check all editions
-            for edition in $GO_BUILD_TAGS ;do
-              echo "Running tests in $dir (edition: $edition)"
-              go test -v -tags $edition
-              if [ $? -ne 0 ]; then
-                echo "Tests failed in $dir (edition: $edition)"
-                failed='true'
-              fi
-            done
-          done
-          if [ $failed == 'true' ]; then
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_tests@v2
 
   go_test_coverage:
     name: Go test coverage for images
@@ -89,35 +40,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go test coverage count
-        run: |
-          if [ ! -d "images" ]; then
-              echo "No images/ directory found. Please run this script from the root of the repository."
-              exit 1
-          fi
-
-          find images/ -type f -name "go.mod" | while read -r gomod; do
-              dir=$(dirname "$gomod")
-              
-              echo "Test coverage in $dir"
-              
-              cd "$dir" || continue
-              
-              for tag in $GO_BUILD_TAGS; do
-                  echo "  Build tag: $tag"
-                  
-                  go test ./... -cover -tags "$tag" 
-              done
-              
-              cd - > /dev/null
-              
-              echo "----------------------------------------"
-          done
+        uses: deckhouse/modules-actions/go_test_coverage@v2
 
   go_modules_check:
     name: Go modules version
@@ -127,83 +51,5 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Setup Go environment
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24"
-
       - name: Run Go modules version check
-        run: |
-          search_dir=$(pwd)"/images"
-
-          if [ ! -d "$search_dir" ]; then
-            echo "Directory $search_dir does not exist."
-            exit 1
-          fi
-
-          temp_dir=$(mktemp -d)
-          touch "$temp_dir/incorrect_alert"
-
-          trap 'rm -rf "$temp_dir"' EXIT
-
-          find images/ -type f -name "go.mod" | while read -r gomod; do
-              dir=$(dirname "$gomod")
-              
-              echo "Checking $dir"
-              
-              cd "$dir" || continue
-              
-              go list -m all | grep deckhouse | grep -v '=>' | while IFS= read -r line; do
-                module_name=$(echo "$line" | awk '{print $1}')
-                module_version=$(echo "$line" | awk '{print $2}')
-
-                if [ -z "$module_version" ]; then
-                  echo "  Checking module name $module_name"
-                  correct_module_name="github.com"/"$GITHUB_REPOSITORY"/"$dir"
-                  if [ "$module_name" != "$correct_module_name" ]; then
-                    echo "  Incorrect module name: $module_name, expected: $correct_module_name"
-                    echo "  Incorrect module name: $module_name, expected: $correct_module_name" >> "$temp_dir/incorrect_alert"
-                  else
-                    echo "  Correct module name: $module_name"
-                  fi
-                else
-                  echo "  Checking module tag $module_name"
-                  repository=$(echo "$line" | awk '{print $1}' | awk -F'/' '{ print "https://"$1"/"$2"/"$3".git" }')
-                  pseudo_tag=$(echo "$line" | awk '{print $2}')
-
-                  echo "  Cloning repo $repository into $temp_dir"
-                  if [ ! -d "$temp_dir/$repository" ]; then
-                    git clone "$repository" "$temp_dir/$repository" >/dev/null 2>&1
-                  fi
-
-                  cd "$temp_dir/$repository" || continue
-                  
-                  commit_info=$(git log -1 --pretty=format:"%H %cd" --date=iso-strict -- api/*)
-                  short_hash=$(echo "$commit_info" | awk '{print substr($1,1,12)}')
-                  commit_date=$(echo "$commit_info" | awk '{print $2}')
-                  commit_date=$(date -u -d "$commit_date" +"%Y%m%d%H%M%S")
-                  actual_pseudo_tag="v0.0.0-"$commit_date"-"$short_hash
-                  pseudo_tag_date=$(echo $pseudo_tag | awk -F'-' '{ print $2 }')
-                  echo "  Latest pseudo tag for $repository: $pseudo_tag"
-                  echo "  Actual pseudo tag for $repository: $actual_pseudo_tag"
-
-                  if [[ "$pseudo_tag" != "$actual_pseudo_tag" ]]; then
-                    echo "  Incorrect pseudo tag for repo $repository in file "$go_mod_file" (current: "$pseudo_tag", actual:"$actual_pseudo_tag")"
-                    echo "  Incorrect pseudo tag for repo $repository in file "$go_mod_file" (current: "$pseudo_tag", actual:"$actual_pseudo_tag")" >> $temp_dir"/incorrect_alert"
-                  fi
-                  
-                  cd - >/dev/null 2>&1
-                fi
-              done   
-              
-              cd - > /dev/null
-              
-              echo "----------------------------------------"
-          done
-
-          alert_lines_count=$(cat $temp_dir"/incorrect_alert" | wc -l)
-
-          if [ $alert_lines_count != 0 ]; then
-            echo "We have non-actual pseudo-tags or modules names in repository's go.mod files"
-            exit 1
-          fi
+        uses: deckhouse/modules-actions/go_modules_check@v2

.github/workflows/trivy_image_check.yaml

@@ -1,6 +1,8 @@
 name: Build and checks
 
 on:
+  schedule:
+    - cron: "0 01 * * 0,3"
   pull_request:
     types: [opened, reopened, labeled, synchronize]
   push:
@@ -9,7 +11,16 @@ on:
   workflow_dispatch:
     inputs:
       release_branch:
-        description: "release branch name, example: release-1.68"
+        description: "Optional. Set minor version of release you want to scan. e.g.: 1.23"
+        required: false
+      scan_several_lastest_releases:
+        description: "Optional. Whether to scan last several releases or not. true/false. For scheduled pipelines it is always true. Default is: false."
+        required: false
+      latest_releases_amount:
+        description: "Optional. Number of latest releases to scan. Default is: 3"
+        required: false
+      severity:
+        description: "Optional. Vulnerabilities severity to scan. Default is: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
         required: false
 
 jobs:
@@ -19,40 +30,44 @@ jobs:
     secrets: inherit
   cve_scan_on_pr:
     if: github.event_name == 'pull_request'
-    name: Trivy images check
+    name: CVE scan for PR
     runs-on: [self-hosted, regular]
     needs: [build_dev]
     steps:
       - uses: actions/checkout@v4
-      - uses: deckhouse/modules-actions/cve_scan@v2
+      - uses: deckhouse/modules-actions/cve_scan@v4
         with:
-          image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}
           tag: pr${{ github.event.number }}
           module_name: ${{ vars.MODULE_NAME }}
-          dd_url: ${{secrets.DEFECTDOJO_HOST}}
-          dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
-          trivy_registry: ${{ vars.PROD_REGISTRY }}
-          trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
-          trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
-          deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}}
+          dd_url: ${{ secrets.DEFECTDOJO_HOST }}
+          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+          prod_registry: "registry.deckhouse.io"
+          prod_registry_user: "license-token"
+          prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
+          dev_registry: ${{ vars.DEV_REGISTRY }}
+          dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+          deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+          severity: "HIGH,CRITICAL"
   cve_scan:
     if: github.event_name != 'pull_request'
-    name: Trivy images check
+    name: Regular CVE scan
     runs-on: [self-hosted, regular]
     steps:
       - uses: actions/checkout@v4
-      - name: Sets env vars for manual run
-        run: |
-          echo "MODULE_IMAGE_TAG=${{ github.event.inputs.release_branch || 'main' }}" >> $GITHUB_ENV
-        if: github.event_name != 'workflow_dispatch'
-      - uses: deckhouse/modules-actions/cve_scan@v2
+      - uses: deckhouse/modules-actions/cve_scan@v4
         with:
-          image: ${{ vars.DEV_MODULE_SOURCE }}/${{ vars.MODULE_NAME }}
-          tag: ${{ env.MODULE_IMAGE_TAG || 'main' }}
+          tag: ${{ github.event.inputs.release_branch || github.event.repository.default_branch }}
           module_name: ${{ vars.MODULE_NAME }}
-          dd_url: ${{secrets.DEFECTDOJO_HOST}}
-          dd_token: ${{secrets.DEFECTDOJO_API_TOKEN}}
-          trivy_registry: ${{ vars.PROD_REGISTRY }}
-          trivy_registry_user: ${{ vars.PROD_MODULES_REGISTRY_LOGIN }}
-          trivy_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
-          deckhouse_private_repo: ${{secrets.DECKHOUSE_PRIVATE_REPO}}
+          dd_url: ${{ secrets.DEFECTDOJO_HOST }}
+          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
+          prod_registry: "registry.deckhouse.io"
+          prod_registry_user: "license-token"
+          prod_registry_password: ${{ secrets.PROD_MODULES_READ_REGISTRY_PASSWORD }}
+          dev_registry: ${{ vars.DEV_REGISTRY }}
+          dev_registry_user: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
+          dev_registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
+          deckhouse_private_repo: ${{ secrets.DECKHOUSE_PRIVATE_REPO }}
+          scan_several_lastest_releases: ${{ github.event.inputs.scan_several_lastest_releases }}
+          latest_releases_amount: ${{ github.event.inputs.latest_releases_amount || '3' }}
+          severity: ${{ github.event.inputs.severity }}

.werf/bundle.yaml

@@ -3,39 +3,39 @@
 image: bundle
 fromImage: builder/scratch
 import:
-# Rendering .werf/images-digests.yaml is required!
-- image: images-digests
-  add: /images_digests.json
-  to: /images_digests.json
-  after: setup
-# Rendering .werf/python-deps.yaml is required!
-- image: python-dependencies
-  add: /lib/python/dist
-  to: /lib/python/dist
-  after: setup
-# Rendering .werf/go-hooks.yaml is required!
-- image: go-hooks-artifact
-  add: /usr/local/bin/go-hooks
-  to: /hooks/go-hooks
-  after: setup    
-# Rendering .werf/choice-edition.yaml is required!
-- image: choice-edition
-  add: /openapi
-  to: /openapi
-  after: setup
+  # Rendering .werf/images-digests.yaml is required!
+  - image: images-digests
+    add: /images_digests.json
+    to: /images_digests.json
+    after: setup
+  # Rendering .werf/python-deps.yaml is required!
+  - image: python-dependencies
+    add: /lib/python/dist
+    to: /lib/python/dist
+    after: setup
+  # Rendering .werf/go-hooks.yaml is required!
+  - image: go-hooks-artifact
+    add: /usr/local/bin/go-hooks
+    to: /hooks/go-hooks
+    after: setup
+  # Rendering .werf/choose-edition.yaml is required!
+  - image: choose-edition
+    add: /openapi
+    to: /openapi
+    after: setup
 git:
-- add: /
-  to: /
-  excludePaths:
-    - hooks/go  
-  includePaths:
-  - .helmignore
-  - charts
-  - crds
-  - docs
-  - enabled
-  - hooks
-  - monitoring
-  - module.yaml
-  - templates
-  - Chart.yaml
+  - add: /
+    to: /
+    excludePaths:
+      - hooks/go
+    includePaths:
+      - .helmignore
+      - charts
+      - crds
+      - docs
+      - enabled
+      - hooks
+      - monitoring
+      - module.yaml
+      - templates
+      - Chart.yaml

.werf/choice-edition.yaml renamed to .werf/choose-edition.yaml

@@ -1,6 +1,6 @@
 # TODO comment here
 ---
-image: choice-edition
+image: choose-edition
 fromImage: builder/alt
 
 git:

module.yaml

@@ -4,4 +4,5 @@ descriptions:
   en: "CSI NFS module"
 requirements:
   bootstrapped: true
+  deckhouse: ">= 1.67"
 namespace: "d8-csi-nfs"