diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5ea4e0b0..b2a6c5b0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -64,9 +64,11 @@ jobs: - name: Check if only release file in PR working-directory: ./chart-verifier id: check_version_in_PR + env: + API_URL: ${{ github.event.pull_request._links.self.href }} run: | # check if release file only is included in PR - ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} + ve1/bin/release-checker --api-url="${API_URL}" - name: Get Date id: get-date @@ -96,10 +98,10 @@ jobs: run: | # build a podman image image_tag="test" - echo "Building container image using podman for the tests, tagging as $image_tag" - make build-image IMAGE_TAG=$image_tag - podman build -t quay.io/redhat-certification/chart-verifier:$image_tag . - echo "podman_image_tag=$image_tag" | tee -a $GITHUB_OUTPUT + echo "Building container image using podman for the tests, tagging as ${image_tag}" + make build-image "IMAGE_TAG=${image_tag}" + podman build -t "quay.io/redhat-certification/chart-verifier:${image_tag}" . + echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT - name: Create tarfile id: create-tarfile @@ -112,6 +114,7 @@ jobs: working-directory: ./chart-verifier env: KUBECONFIG: /tmp/ci-kubeconfig + EVENT_NUMBER: ${{ github.event.number }} run: | # oc login API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) 
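Review bot: `$GITHUB_OUTPUT` is the one expansion this hunk leaves bare in `echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT`, while every other expansion in the step is now quoted; for consistency write `tee -a "$GITHUB_OUTPUT"`. The runner-provided path has no whitespace in practice, so this is a point of style rather than a defect. `image_tag` is the literal `test` here, so the braces and quotes added around it are defensive only; the injection protection in this commit comes from the `env:` indirection used in the neighbouring hunks, not from this one.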
@@ -120,11 +123,11 @@ jobs: if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place. - oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} + oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}" else - oc login --insecure-skip-tls-verify --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} + oc login --insecure-skip-tls-verify --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}" fi - ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER} + ve1/bin/sa-for-chart-testing --create "charts-${EVENT_NUMBER}" --token token.txt --server "${API_SERVER}" - name: Run the tests working-directory: ./chart-verifier @@ -142,11 +145,12 @@ jobs: working-directory: ./chart-verifier env: KUBECONFIG: /tmp/ci-kubeconfig + EVENT_NUMBER: ${{ github.event.number }} run: | # delete the namespace API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d) - oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} - ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }} + oc login --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}" + ve1/bin/sa-for-chart-testing --delete "charts-${EVENT_NUMBER}" - name: Set up Python scripts on main branch run: | 
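Review bot: Both `oc login` lines in this hunk still expand `${{ secrets.CLUSTER_TOKEN }}` directly into the script, which is the pattern the rest of the commit removes; a secret is not attacker-controlled, but the same `env:` indirection the commit applies to `EVENT_NUMBER` one line below would leave the script free of template expansions. Suggested: add `CLUSTER_TOKEN: ${{ secrets.CLUSTER_TOKEN }}` to the step's `env:` and use `--token="${CLUSTER_TOKEN}"` in both branches. The two branches of the `if` are now byte-identical, so the guard exists only as the documented reminder; since `--insecure-skip-tls-verify` sends the bearer token over an unauthenticated TLS channel, passing the cluster's CA bundle with `--certificate-authority` would be a safer interim than disabling verification, if that bundle can be obtained. The `run:` script this hunk edits begins outside the hunk.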
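Review bot: The cleanup `oc login --token="${{ secrets.CLUSTER_TOKEN }}" --server="${API_SERVER}"` logs in to the same `API_SERVER` without the `--insecure-skip-tls-verify` that the setup step's TODO says is required; if the cluster really presents a certificate the runner does not trust, this login fails and `sa-for-chart-testing --delete "charts-${EVENT_NUMBER}"` never runs, leaving the per-PR namespace behind. Either both logins should carry the same TLS handling or the TODO in the setup step is stale; please confirm which. The token is also still expanded inline rather than via the step's `env:` as `EVENT_NUMBER` now is; `CLUSTER_TOKEN: ${{ secrets.CLUSTER_TOKEN }}` under `env:` and `--token="${CLUSTER_TOKEN}"` would match the rest of the commit.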
@@ -158,16 +162,21 @@ jobs: - name: Check for restricted files and user permissiom id: check_authorization + env: + API_URL: ${{ github.event.pull_request._links.self.href }} + API_USER: ${{ github.event.pull_request.user.login }} run: | # check for a restricted file and, if found, check user has permissiom - ve1/bin/check-user --api-url=${{ github.event.pull_request._links.self.href }} --user=${{ github.event.pull_request.user.login }} + ve1/bin/check-user --api-url="${API_URL}" --user="${API_USER}" - name: Check if version updated id: check_version_updated if: ${{ steps.check_version_in_PR.outputs.PR_includes_release == 'true' }} + env: + PR_VERSION: ${{ steps.check_version_in_PR.outputs.PR_version }} run: | # check if version file was changed - ve1/bin/release-checker --version=${{ steps.check_version_in_PR.outputs.PR_version }} + ve1/bin/release-checker --version="${PR_VERSION}" - name: Approve PR id: approve_pr diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 8bf8a3f7..e0bce860 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -78,7 +78,9 @@ jobs: - name: Result from "Send Message to helm_dev slack channel" if: ${{ always() && github.event_name == 'schedule' && steps.codeql_analysis.conclusion != 'success' }} - run: echo "The result was ${{ steps.notify_dev.outputs.slack-result }}" + env: + SLACK_RESULT: ${{ steps.notify_dev.outputs.slack-result }} + run: echo "The result was ${SLACK_RESULT}" - name: Send message to helm_notify slack channel id: notify @@ -91,4 +93,6 @@ jobs: - name: Result from "Send Message to helm_notify slack channel" if: ${{ always() && github.event_name == 'schedule' && steps.codeql_analysis.conclusion == 'success' }} - run: echo "The result was ${{ steps.notify.outputs.slack-result }}" + env: + SLACK_RESULT: ${{ steps.notify.outputs.slack-result }} + run: echo "The result was ${SLACK_RESULT}" 
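Review bot: `release-checker --version="${PR_VERSION}"` now receives a value that appears to originate from the PR's own contents (the `PR_version` output of `check_version_in_PR`), and the `env:` indirection only stops it from being parsed by the shell; it does not validate it. Because this step gates the `Approve PR` step that follows, release-checker should reject anything that is not a plain version string (for example `^[0-9]+\.[0-9]+\.[0-9]+$`) before using it in paths or URLs; if that check already lives in release-checker, a comment here would save the next reader the trip, e.g. `# PR_version is PR-supplied; release-checker validates it as semver`. The same reasoning applies to `API_USER`, although `pull_request.user.login` is constrained by GitHub to a login name.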
diff --git a/.github/workflows/dev_release.yaml b/.github/workflows/dev_release.yaml index f51c4e03..10a1b555 100644 --- a/.github/workflows/dev_release.yaml +++ b/.github/workflows/dev_release.yaml @@ -45,7 +45,7 @@ jobs: id: create-tarfile run: | # check if release file only is included in PR - ve1/bin/tar-file --release=${DEV_RELEASE} + ve1/bin/tar-file --release="${DEV_RELEASE}" - name: Delete previous release and tag id: delete-previous diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index a46946b5..16f7cb5b 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -28,12 +28,14 @@ jobs: - name: Build container images id: build_container_images + env: + COMMIT_ID: ${{ steps.get_commit_id.outputs.commit_id }} run: | podman version # Build podman images locally - make build-image IMAGE_TAG=${{ steps.get_commit_id.outputs.commit_id }} QUAY_EXPIRE_AFTER=1w + make build-image "IMAGE_TAG=${COMMIT_ID}" QUAY_EXPIRE_AFTER=1w make build-image IMAGE_TAG=main - podman tag ${{ env.CONTAINER_REGISTRY }}/chart-verifier:main ${{ env.CONTAINER_REGISTRY }}/chart-verifier:${{ env.DEV_RELEASE }} + podman tag "${CONTAINER_REGISTRY}/chart-verifier:main" "${CONTAINER_REGISTRY}/chart-verifier:${DEV_RELEASE}" - name: Push to quay.io id: push_to_quay diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5bd9dde7..f9e5a55f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
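Review bot: `podman tag "${CONTAINER_REGISTRY}/chart-verifier:main" "${CONTAINER_REGISTRY}/chart-verifier:${DEV_RELEASE}"` switches from the `${{ env.* }}` context to shell variables, which is equivalent only if `CONTAINER_REGISTRY` and `DEV_RELEASE` are declared in a workflow- or job-level `env:` (those are exported to the process environment); a step-level `env:` on another step would not be, and an unset variable here yields the reference `/chart-verifier:main`, which fails only when `podman tag` runs. The declarations are outside this hunk, so please confirm, or add `: "${CONTAINER_REGISTRY:?}" "${DEV_RELEASE:?}"` at the top of the script so the step fails with a clear message instead. `make build-image IMAGE_TAG=main` is a literal and needs no quoting.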
@@ -60,25 +60,31 @@ jobs: - name: Build binary and make tarball id: build_bin + env: + RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }} run: | make bin - TARBALL_NAME="chart-verifier-${{ steps.get_tag.outputs.release_version }}.tgz" - tar -zcvf $TARBALL_NAME -C out/ chart-verifier - export TARBALL_PATH=$(realpath $TARBALL_NAME) + TARBALL_NAME="chart-verifier-${RELEASE_VERSION}.tgz" + tar -zcvf "$TARBALL_NAME" -C out/ chart-verifier + export TARBALL_PATH=$(realpath "$TARBALL_NAME") echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT - name: Check that the tag matches the current version id: check_tag_and_version + env: + RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }} run: | - release_version=${{ steps.get_tag.outputs.release_version }} bin_version=$(out/chart-verifier version --as-data | jq -r .version) - if [[ "$release_version" != "$bin_version" ]]; then - echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1 + if [[ "${RELEASE_VERSION}" != "$bin_version" ]]; then + echo "Binary version ($bin_version) doesn't match tag (${RELEASE_VERSION})" && exit 1 fi - name: Generate SBOM filename id: generate_sbom_filename - run: echo sbom_filename="${{ github.event.repository.name }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT + env: + REPOSITORY_NAME: ${{ github.event.repository.name }} + RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }} + run: echo sbom_filename="${REPOSITORY_NAME}-${RELEASE_VERSION}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT - name: Generate SBOM continue-on-error: true 
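Review bot: `export TARBALL_PATH=$(realpath "$TARBALL_NAME")` hides realpath's exit status behind the `export` builtin's, so under the runner's `bash -e` a failed realpath would not stop the step and `tarball_path=` would be appended empty to `$GITHUB_OUTPUT`; since the value is consumed only through the step output on the next line, `export` is also unnecessary. Suggested: `TARBALL_PATH=$(realpath "$TARBALL_NAME")` on its own line, plus `tee -a "$GITHUB_OUTPUT"` for consistency with the quoting added elsewhere in this hunk. Moving `release_version` into `env:` is the right fix for a tag-derived value, since git ref names may legally contain `$`, `;` and parentheses. The version check in `check_tag_and_version` runs after the tarball is built, which is fine as long as a failure there still fails the job before anything is published.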
@@ -122,12 +128,14 @@ jobs: - name: Build container images id: build_container_images + env: + RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }} run: | # Build podman images locally - make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }} + make build-image "IMAGE_TAG=${RELEASE_VERSION}" "IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}" podman tag \ - ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} \ - ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest + "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:${RELEASE_VERSION}" \ + "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:latest" - name: Push to quay.io id: push_to_quay @@ -143,16 +151,20 @@ jobs: - name: Sign published image id: sign-image + env: + DIGEST: ${{ steps.push_to_quay.outputs.digest }} run: | cosign sign \ --yes \ - --registry-username ${{ secrets.QUAY_BOT_USERNAME }} \ - --registry-password ${{ secrets.QUAY_BOT_TOKEN }} \ - ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }} + --registry-username "${{ secrets.QUAY_BOT_USERNAME }}" \ + --registry-password "${{ secrets.QUAY_BOT_TOKEN }}" \ + "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}@${DIGEST}" - name: Verify the image signature + env: + RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }} run: | cosign verify \ - --certificate-identity https://github.com/${{ github.repository }}/.github/workflows/release.yaml@refs/tags/${{ steps.get_tag.outputs.release_version }} \ + --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yaml@refs/tags/${RELEASE_VERSION}" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - ${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} + "${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}:${RELEASE_VERSION}"
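Review bot: `"IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}"` and the two `podman tag` arguments still expand a secret directly into the script, while `RELEASE_VERSION` and `IMAGE_NAME` on the same lines now come from the environment; applying the same pattern (`IMAGE_REGISTRY: ${{ secrets.IMAGE_REGISTRY }}` under the step's `env:` and `${IMAGE_REGISTRY}` in the script) would leave no template expansions in this `run:` block, which appears to be the commit's goal. Note that GitHub masks the secret's value in logs, so any `podman` output containing the registry host is redacted and failures here become harder to read; if the registry location is not actually sensitive, a plain workflow `env:` entry may be the better home for it.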
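Review bot: `cosign verify` in this hunk checks the mutable tag `${IMAGE_NAME}:${RELEASE_VERSION}`, whereas the preceding `cosign sign` signed the immutable `@${DIGEST}` from `push_to_quay`; verifying the tag proves only that whatever the tag points to at that moment carries a valid signature, not that it is the image this run just signed. Verifying the same digest closes that gap: add `DIGEST: ${{ steps.push_to_quay.outputs.digest }}` to the verify step's `env:` and use `"${{ secrets.IMAGE_REGISTRY }}/${IMAGE_NAME}@${DIGEST}"` as the reference. The registry credentials are still passed as `${{ secrets.* }}` on cosign's command line; moving them to the step `env:` matches the rest of the commit, and since the image was just pushed by `push_to_quay`, cosign can usually reuse that login from the container auth config rather than taking the password as an argument, which is visible in the runner's process list and matters on self-hosted runners. The `--certificate-identity` pinned to `release.yaml@refs/tags/${RELEASE_VERSION}` is the right level of strictness.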