sysdiglabs
diff --git a/‎.envrc‎
Lines changed: 4 additions & 0 deletions b/‎.envrc‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/git-chglog/CHANGELOG.tpl.md‎
Lines changed: 27 additions & 0 deletions b/‎.github/git-chglog/CHANGELOG.tpl.md‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎.github/git-chglog/config.yml‎
Lines changed: 32 additions & 0 deletions b/‎.github/git-chglog/config.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 52 additions & 48 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 52 additions & 48 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 110 additions & 37 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 110 additions & 37 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 31 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,4 @@
+has nix && use flake
+watch_file *.nix
+dotenv_if_exists .env # You can create a .env file with your env vars for this project. You can also use .secrets if you are using act. See the line below.
+dotenv_if_exists .secrets # Used by [act](https://nektosact.com/) to load secrets into the pipelines
@@ -0,0 +1,27 @@
+{{ range .Versions }}
+{{ range .CommitGroups -}}
+### {{ .Title }}
+
+{{ range .Commits -}}
+* {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
+{{ end }}
+{{ end -}}
+
+{{- if .RevertCommits -}}
+### Reverts
+
+{{ range .RevertCommits -}}
+* {{ .Revert.Header }}
+{{ end }}
+{{ end -}}
+
+{{- if .NoteGroups -}}
+{{ range .NoteGroups -}}
+### {{ .Title }}
+
+{{ range .Notes }}
+{{ .Body }}
+{{ end }}
+{{ end -}}
+{{ end -}}
+{{ end -}}
@@ -0,0 +1,32 @@
+style: github
+template: CHANGELOG.tpl.md
+info:
+  title: CHANGELOG
+  repository_url: https://github.com/sysdiglabs/harbor-scanner-sysdig-secure
+options:
+  commits:
+    # filters:
+    #   Type:
+    #     - feat
+    #     - fix
+    #     - perf
+    #     - refactor
+  commit_groups:
+    title_maps:
+      feat: Features
+      fix: Bug Fixes
+      perf: Performance Improvements
+      refactor: Code Refactoring
+      ci: Continuous Integration
+      docs: Documentation
+      chore: Small Modifications
+      build: Compilation & Dependencies
+  header:
+    pattern: "^(\\w*)(?:\\(([\\w\\$\\.\\-\\*\\s]*)\\))?\\:\\s(.*)$"
+    pattern_maps:
+      - Type
+      - Scope
+      - Subject
+  notes:
+    keywords:
+      - BREAKING CHANGE
@@ -1,66 +1,70 @@
-name: CI
+name: CI - Pull Request
 
 on:
   pull_request:
     branches:
       - master
-  push:
-    branches:
-    - master
 
 jobs:
-  build-and-test:
-    name: Build and Test
+  lint:
+    name: Lint
     runs-on: ubuntu-latest
-
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ^1.16
+      - name: Fetch code
+        uses: actions/checkout@v4
 
-    - name: Check out code
-      uses: actions/checkout@v2
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
 
-    - name: Cache Go modules
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-
+      - name: Configure Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
 
-    - name: Get dependencies
-      run: |
-        go get -v -t -d ./...
-        go install github.com/onsi/ginkgo/[email protected]
+      - name: Run lint
+        run: |
+          just lint
 
-    - name: Build
-      run: go build ./...
+  pre-commit:
+    name: Pre-commit
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    steps:
+      - name: Fetch code
+        uses: actions/checkout@v4
 
-    - name: Test
-      run: make test
-      env:
-        SECURE_API_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
-        SECURE_URL: ${{ vars.SECURE_URL }}
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
 
-  docker:
-    name: Build Docker Image
-    runs-on: ubuntu-latest
-    needs: build-and-test
+      - name: Configure Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
 
+      - name: Run pre-commit
+        run: |
+          pre-commit run -a
+
+  build-and-test:
+    name: Build and test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
     steps:
-    - name: Check out code
-      uses: actions/checkout@v2
+      - name: Fetch code
+        uses: actions/checkout@v4
+
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Configure Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
 
-    - name: Build and push Docker image
-      uses: docker/build-push-action@v1
-      with:
-        username: ${{ secrets.SYSDIGLABS_DOCKERHUB_USER }}
-        password: ${{ secrets.SYSDIGLABS_DOCKERHUB_TOKEN }}
-        repository: sysdiglabs/harbor-scanner-sysdig-secure
-        dockerfile: build/Dockerfile
-        add_git_labels: true
-        tags: ci
+      - name: Run tests
+        run: |
+          just test
+        env:
+          SECURE_API_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
+          SECURE_URL: ${{ vars.SECURE_URL }}
@@ -1,44 +1,117 @@
-name: Release
+name: Release new version
 
 on:
   push:
-    tags:
-      - v*
-
+    branches:
+      - master
+    paths:
+      - package.nix
 jobs:
-  release:
+  get-newer-version:
     runs-on: ubuntu-latest
+    outputs:
+      new-version: ${{ steps.check.outputs.new_version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+
+      - name: Extract version from package.nix
+        id: extract
+        run: |
+          VERSION=$(grep -m1 'version\s*=' package.nix | sed -E 's/.*version\s*=\s*"([^"]+)".*/\1/')
+          echo "Extracted version: $VERSION"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Get latest tag
+        id: latest
+        run: |
+          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "none")
+          echo "Latest tag: $LATEST_TAG"
+          echo "latest_tag=$LATEST_TAG" >> $GITHUB_OUTPUT
+
+      - name: Check if version is new
+        id: check
+        run: |
+          VERSION="${{ steps.extract.outputs.version }}"
+          LATEST="${{ steps.latest.outputs.latest_tag }}"
+          if [ "v$VERSION" = "$LATEST" ]; then
+            echo "No new version detected."
+            echo "new_version=" >> $GITHUB_OUTPUT
+          else
+            echo "New version detected: $VERSION"
+            echo "new_version=$VERSION" >> $GITHUB_OUTPUT
+          fi
 
+  build-push-dockerhub:
+    name: Build and Push to DockerHub
+    needs: [ get-newer-version ]
+    if: needs.get-newer-version.outputs.new-version != ''
+    runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-
-    - name: Extract tag name
-      id: tag
-      run: echo ::set-output name=VERSION::$(echo "${{ github.ref }}" | sed -e 's/.*\/v\(.*\)/\1/')
-
-    - name: Create release
-      id: create_release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        tag_name: ${{ github.ref }}
-        release_name: ${{ github.ref }}
-        draft: true
-        prerelease: false
-        body: |
-          This is the ${{ github.ref }} release of Harbor Scanner Adapter for Sysdig Secure
-
-          ### Major Changes
-          ### Minor Changes
-          ### Bug fixes
-
-    - name: Build and push Docker image
-      uses: docker/build-push-action@v1
-      with:
-        username: ${{ secrets.SYSDIGLABS_DOCKERHUB_USER }}
-        password: ${{ secrets.SYSDIGLABS_DOCKERHUB_TOKEN }}
-        repository: sysdiglabs/harbor-scanner-sysdig-secure
-        add_git_labels: true
-        dockerfile: build/Dockerfile
-        tags: latest, ${{ steps.tag.outputs.VERSION }}
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Configure Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Build
+        run: nix build -L .#harbor-adapter-docker
+
+      - name: Load in docker
+        run: |
+          docker load -i ./result
+          docker tag sysdiglabs/harbor-scanner-sysdig-secure:${{ needs.get-newer-version.outputs.new-version }} sysdiglabs/harbor-scanner-sysdig-secure:latest
+          docker images
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.SYSDIGLABS_DOCKERHUB_USER }}
+          password: ${{ secrets.SYSDIGLABS_DOCKERHUB_TOKEN }}
+
+      - name: Push to Docker Hub
+        run: |
+          docker push sysdiglabs/harbor-scanner-sysdig-secure:${{ needs.get-newer-version.outputs.new-version }}
+          docker push sysdiglabs/harbor-scanner-sysdig-secure:latest
+
+  release:
+    name: Create release at Github
+    needs: [ get-newer-version ]
+    if: needs.get-newer-version.outputs.new-version != ''
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required for release creation
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Configure Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Install git-chglog
+        run: nix profile install nixpkgs#git-chglog
+
+      - name: Tag with version v${{ needs.get-newer-version.outputs.new-version }}
+        run: git tag v${{ needs.get-newer-version.outputs.new-version }}
+
+      - name: Generate changelog
+        run: git-chglog -c .github/git-chglog/config.yml -o RELEASE_CHANGELOG.md $(git describe --tags $(git rev-list --tags --max-count=1))
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: v${{ needs.get-newer-version.outputs.new-version }}
+          tag_name: v${{ needs.get-newer-version.outputs.new-version }}
+          prerelease: false
+          body_path: RELEASE_CHANGELOG.md
@@ -16,3 +16,6 @@
 # vendor/
 
 .idea
+.direnv/
+.secrets
+result
@@ -0,0 +1,31 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+    - id: trailing-whitespace
+    - id: check-yaml
+      args:
+      - --allow-multiple-documents
+      - --unsafe
+    - id: no-commit-to-branch
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.33.0
+    hooks:
+    - id: check-github-workflows
+  - repo: local
+    hooks:
+    -   id: format
+        pass_filenames: false
+        name: Go fmt
+        entry: just fmt
+        language: system
+    -   id: lint
+        pass_filenames: false
+        name: Go lint
+        entry: just lint
+        language: system
+    -   id: check_vulns
+        pass_filenames: false
+        name: Check vulnerabilities
+        entry: trivy fs . --exit-code 1 --ignore-unfixed --quiet
+        language: system