diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml deleted file mode 100644 index d61aab6d5..000000000 --- a/.github/workflows/ci.yaml +++ /dev/null @@ -1,166 +0,0 @@ -name: ci - -on: - workflow_dispatch: - push: - branches: - - 'develop' - - 'release/*' - pull_request: - branches: - - 'develop' - - 'release/*' - - 'feat/*' - - 'fix/*' - - 'refactor/*' - types: - - opened - - reopened - - synchronize - - ready_for_review - -env: - DOCKER_HUB_REPO: portainerci/portainer-ce - EXTENSION_HUB_REPO: portainerci/portainer-docker-extension - GO_VERSION: 1.21.11 - NODE_VERSION: 18.x - -jobs: - build_images: - strategy: - matrix: - config: - - { platform: linux, arch: amd64, version: "" } - - { platform: linux, arch: arm64, version: "" } - - { platform: linux, arch: arm, version: "" } - - { platform: linux, arch: ppc64le, version: "" } - - { platform: windows, arch: amd64, version: 1809 } - - { platform: windows, arch: amd64, version: ltsc2022 } - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - steps: - - name: '[preparation] checkout the current branch' - uses: actions/checkout@v4.1.1 - with: - ref: ${{ github.event.inputs.branch }} - - name: '[preparation] set up golang' - uses: actions/setup-go@v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - - name: '[preparation] set up node.js' - uses: actions/setup-node@v4.0.1 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'yarn' - - name: '[preparation] set up qemu' - uses: docker/setup-qemu-action@v3.0.0 - - name: '[preparation] set up docker context for buildx' - run: docker context create builders - - name: '[preparation] set up docker buildx' - uses: docker/setup-buildx-action@v3.0.0 - with: - endpoint: builders - - name: '[preparation] docker login' - uses: docker/login-action@v3.0.0 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PASSWORD }} - - name: '[preparation] set the container image tag' - run: | - if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then - # use the release branch name as the tag for release branches - # for instance, release/2.19 becomes 2.19 - CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2) - elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then - # use pr${{ github.event.number }} as the tag for pull requests - # for instance, pr123 - CONTAINER_IMAGE_TAG="pr${{ github.event.number }}" - else - # replace / with - in the branch name - # for instance, feature/1.0.0 -> feature-1.0.0 - CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g') - fi - - echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV - - name: '[execution] build linux & windows portainer binaries' - run: | - export YARN_VERSION=$(yarn --version) - export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}') - export BUILDNUMBER=${GITHUB_RUN_NUMBER} - GIT_COMMIT_HASH_LONG=${{ github.sha }} - export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7} - - NODE_ENV="testing" - if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then - NODE_ENV="production" - fi - - make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV} - env: - CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }} - - name: '[execution] build and push docker images' - run: | - if [ "${{ matrix.config.platform }}" == "windows" ]; then - mv dist/portainer dist/portainer.exe - docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile . - else - docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile . - docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile . - - if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then - docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile . - docker buildx build --output=type=registry --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile . - fi - fi - env: - CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }} - build_manifests: - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - needs: [build_images] - steps: - - name: '[preparation] docker login' - uses: docker/login-action@v3.0.0 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PASSWORD }} - - name: '[preparation] set up docker context for buildx' - run: docker version && docker context create builders - - name: '[preparation] set up docker buildx' - uses: docker/setup-buildx-action@v3.0.0 - with: - endpoint: builders - - name: '[execution] build and push manifests' - run: | - if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then - # use the release branch name as the tag for release branches - # for instance, release/2.19 becomes 2.19 - CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2) - elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then - # use pr${{ github.event.number }} as the tag for pull requests - # for instance, pr123 - CONTAINER_IMAGE_TAG="pr${{ github.event.number }}" - else - # replace / with - in the branch name - # for instance, feature/1.0.0 -> feature-1.0.0 - CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g') - fi - docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64" - - docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine" \ - "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le-alpine" - - if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then - docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \ - "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \ - "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" - fi diff --git a/.github/workflows/label-conflcts.yaml b/.github/workflows/label-conflcts.yaml deleted file mode 100644 index 7b3f65208..000000000 --- a/.github/workflows/label-conflcts.yaml +++ /dev/null @@ -1,15 +0,0 @@ -on: - push: - branches: - - develop - - 'release/**' -jobs: - triage: - runs-on: ubuntu-latest - steps: - - uses: mschilde/auto-label-merge-conflicts@master - with: - CONFLICT_LABEL_NAME: 'has conflicts' - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - MAX_RETRIES: 10 - WAIT_MS: 60000 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index c7cf7f4d5..000000000 --- a/.github/workflows/lint.yml +++ /dev/null @@ -1,55 +0,0 @@ -name: Lint - -on: - push: - branches: - - master - - develop - - release/* - pull_request: - branches: - - master - - develop - - release/* - types: - - opened - - reopened - - synchronize - - ready_for_review - -env: - GO_VERSION: 1.21.9 - NODE_VERSION: 18.x - -jobs: - run-linters: - name: Run linters - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'yarn' - - uses: actions/setup-go@v4 - with: - go-version: ${{ env.GO_VERSION }} - - run: yarn --frozen-lockfile - - name: Run linters - uses: wearerequired/lint-action@v1 - with: - eslint: true - eslint_extensions: ts,tsx,js,jsx - prettier: true - prettier_dir: app/ - gofmt: true - gofmt_dir: api/ - - name: Typecheck - uses: icrawl/action-tsc@v1 - - name: GolangCI-Lint - uses: golangci/golangci-lint-action@v3 - with: - version: v1.55.2 - args: --timeout=10m -c .golangci.yaml diff --git a/.github/workflows/nightly-security-scan.yml b/.github/workflows/nightly-security-scan.yml deleted file mode 100644 index 236d35797..000000000 --- a/.github/workflows/nightly-security-scan.yml +++ /dev/null @@ -1,252 +0,0 @@ -name: Nightly Code Security Scan - -on: - schedule: - - cron: '0 20 * * *' - workflow_dispatch: - -env: - GO_VERSION: 1.21.9 - -jobs: - client-dependencies: - name: Client Dependency Check - runs-on: ubuntu-latest - if: >- # only run for develop branch - github.ref == 'refs/heads/develop' - outputs: - js: ${{ steps.set-matrix.outputs.js_result }} - steps: - - name: checkout repository - uses: actions/checkout@master - - - name: scan vulnerabilities by Snyk - uses: snyk/actions/node@master - continue-on-error: true # To make sure that artifact upload gets called - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - json: true - - - name: upload scan result as develop artifact - uses: actions/upload-artifact@v3 - with: - name: js-security-scan-develop-result - path: snyk.json - - - name: develop scan report export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result") - - - name: upload html file as artifact - uses: actions/upload-artifact@v3 - with: - name: html-js-result-${{github.run_id}} - path: js-result.html - - - name: analyse vulnerabilities - id: set-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) - echo "js_result=${result}" >> $GITHUB_OUTPUT - - server-dependencies: - name: Server Dependency Check - runs-on: ubuntu-latest - if: >- # only run for develop branch - github.ref == 'refs/heads/develop' - outputs: - go: ${{ steps.set-matrix.outputs.go_result }} - steps: - - name: checkout repository - uses: actions/checkout@master - - - name: install Go - uses: actions/setup-go@v3 - with: - go-version: ${{ env.GO_VERSION }} - - - name: download Go modules - run: cd ./api && go get -t -v -d ./... - - - name: scan vulnerabilities by Snyk - continue-on-error: true # To make sure that artifact upload gets called - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: | - yarn global add snyk - snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || : - - - name: upload scan result as develop artifact - uses: actions/upload-artifact@v3 - with: - name: go-security-scan-develop-result - path: snyk.json - - - name: develop scan report export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result") - - - name: upload html file as artifact - uses: actions/upload-artifact@v3 - with: - name: html-go-result-${{github.run_id}} - path: go-result.html - - - name: analyse vulnerabilities - id: set-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) - echo "go_result=${result}" >> $GITHUB_OUTPUT - - image-vulnerability: - name: Image Vulnerability Check - runs-on: ubuntu-latest - if: >- - github.ref == 'refs/heads/develop' - outputs: - image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }} - image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }} - steps: - - name: scan vulnerabilities by Trivy - uses: docker://docker.io/aquasec/trivy:latest - continue-on-error: true - with: - args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop - - - name: upload Trivy image security scan result as artifact - uses: actions/upload-artifact@v3 - with: - name: image-security-scan-develop-result - path: image-trivy.json - - - name: develop Trivy scan report export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result") - - - name: upload html file as Trivy artifact - uses: actions/upload-artifact@v3 - with: - name: html-image-result-${{github.run_id}} - path: image-trivy-result.html - - - name: analyse vulnerabilities from Trivy - id: set-trivy-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix) - echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT - - - name: scan vulnerabilities by Docker Scout - uses: docker/scout-action@v1 - continue-on-error: true - with: - command: cves - image: portainerci/portainer:develop - sarif-file: image-docker-scout.json - dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }} - dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }} - - - name: upload Docker Scout image security scan result as artifact - uses: actions/upload-artifact@v3 - with: - name: image-security-scan-develop-result - path: image-docker-scout.json - - - name: develop Docker Scout scan report export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result") - - - name: upload html file as Docker Scout artifact - uses: actions/upload-artifact@v3 - with: - name: html-image-result-${{github.run_id}} - path: image-docker-scout-result.html - - - name: analyse vulnerabilities from Docker Scout - id: set-docker-scout-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix) - echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT - - result-analysis: - name: Analyse Scan Results - needs: [client-dependencies, server-dependencies, image-vulnerability] - runs-on: ubuntu-latest - if: >- - github.ref == 'refs/heads/develop' - strategy: - matrix: - js: ${{fromJson(needs.client-dependencies.outputs.js)}} - go: ${{fromJson(needs.server-dependencies.outputs.go)}} - image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}} - image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}} - steps: - - name: display the results of js, Go, and image scan - run: | - echo "${{ matrix.js.status }}" - echo "${{ matrix.go.status }}" - echo "${{ matrix.image-trivy.status }}" - echo "${{ matrix.image-docker-scout.status }}" - echo "${{ matrix.js.summary }}" - echo "${{ matrix.go.summary }}" - echo "${{ matrix.image-trivy.summary }}" - echo "${{ matrix.image-docker-scout.summary }}" - - - name: send message to Slack - if: >- - matrix.js.status == 'failure' || - matrix.go.status == 'failure' || - matrix.image-trivy.status == 'failure' || - matrix.image-docker-scout.status == 'failure' - uses: slackapi/slack-github-action@v1.23.0 - with: - payload: | - { - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "Code Scanning Result (*${{ github.repository }}*)\n*<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*" - } - } - ], - "attachments": [ - { - "color": "#FF0000", - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n" - } - }, - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n" - } - } - ] - } - ] - } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }} - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml deleted file mode 100644 index fc84cf87e..000000000 --- a/.github/workflows/pr-security.yml +++ /dev/null @@ -1,298 +0,0 @@ -name: PR Code Security Scan - -on: - pull_request_review: - types: - - submitted - - edited - paths: - - 'package.json' - - 'go.mod' - - 'build/linux/Dockerfile' - - 'build/linux/alpine.Dockerfile' - - 'build/windows/Dockerfile' - - '.github/workflows/pr-security.yml' - -env: - GO_VERSION: 1.21.9 - NODE_VERSION: 18.x - -jobs: - client-dependencies: - name: Client Dependency Check - runs-on: ubuntu-latest - if: >- - github.event.pull_request && - github.event.review.body == '/scan' && - github.event.pull_request.draft == false - outputs: - jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }} - steps: - - name: checkout repository - uses: actions/checkout@master - - - name: scan vulnerabilities by Snyk - uses: snyk/actions/node@master - continue-on-error: true # To make sure that artifact upload gets called - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - json: true - - - name: upload scan result as pull-request artifact - uses: actions/upload-artifact@v3 - with: - name: js-security-scan-feat-result - path: snyk.json - - - name: download artifacts from develop branch built by nightly scan - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - mv ./snyk.json ./js-snyk-feature.json - (gh run download -n js-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : - if [[ -e ./snyk.json ]]; then - mv ./snyk.json ./js-snyk-develop.json - else - echo "null" > ./js-snyk-develop.json - fi - - - name: pr vs develop scan report comparison export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result") - - - name: upload html file as artifact - uses: actions/upload-artifact@v3 - with: - name: html-js-result-compare-to-develop-${{github.run_id}} - path: js-result.html - - - name: analyse different vulnerabilities against develop branch - id: set-diff-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix) - echo "js_diff_result=${result}" >> $GITHUB_OUTPUT - - server-dependencies: - name: Server Dependency Check - runs-on: ubuntu-latest - if: >- - github.event.pull_request && - github.event.review.body == '/scan' && - github.event.pull_request.draft == false - outputs: - godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }} - steps: - - name: checkout repository - uses: actions/checkout@master - - - name: install Go - uses: actions/setup-go@v3 - with: - go-version: ${{ env.GO_VERSION }} - - - name: download Go modules - run: cd ./api && go get -t -v -d ./... - - - name: scan vulnerabilities by Snyk - continue-on-error: true # To make sure that artifact upload gets called - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: | - yarn global add snyk - snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || : - - - name: upload scan result as pull-request artifact - uses: actions/upload-artifact@v3 - with: - name: go-security-scan-feature-result - path: snyk.json - - - name: download artifacts from develop branch built by nightly scan - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - mv ./snyk.json ./go-snyk-feature.json - (gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : - if [[ -e ./snyk.json ]]; then - mv ./snyk.json ./go-snyk-develop.json - else - echo "null" > ./go-snyk-develop.json - fi - - - name: pr vs develop scan report comparison export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result") - - - name: upload html file as artifact - uses: actions/upload-artifact@v3 - with: - name: html-go-result-compare-to-develop-${{github.run_id}} - path: go-result.html - - - name: analyse different vulnerabilities against develop branch - id: set-diff-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix) - echo "go_diff_result=${result}" >> $GITHUB_OUTPUT - - image-vulnerability: - name: Image Vulnerability Check - runs-on: ubuntu-latest - if: >- - github.event.pull_request && - github.event.review.body == '/scan' && - github.event.pull_request.draft == false - outputs: - imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }} - imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }} - steps: - - name: checkout code - uses: actions/checkout@master - - - name: install Go - uses: actions/setup-go@v3 - with: - go-version: ${{ env.GO_VERSION }} - - - name: install Node.js - uses: actions/setup-node@v3 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: Install packages - run: yarn --frozen-lockfile - - - name: build - run: make build-all - - - name: set up docker buildx - uses: docker/setup-buildx-action@v2 - - - name: build and compress image - uses: docker/build-push-action@v4 - with: - context: . - file: build/linux/Dockerfile - tags: local-portainer:${{ github.sha }} - outputs: type=docker,dest=/tmp/local-portainer-image.tar - - - name: load docker image - run: | - docker load --input /tmp/local-portainer-image.tar - - - name: scan vulnerabilities by Trivy - uses: docker://docker.io/aquasec/trivy:latest - continue-on-error: true - with: - args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }} - - - name: upload Trivy image security scan result as artifact - uses: actions/upload-artifact@v3 - with: - name: image-security-scan-feature-result - path: image-trivy.json - - - name: download Trivy artifacts from develop branch built by nightly scan - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - mv ./image-trivy.json ./image-trivy-feature.json - (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : - if [[ -e ./image-trivy.json ]]; then - mv ./image-trivy.json ./image-trivy-develop.json - else - echo "null" > ./image-trivy-develop.json - fi - - - name: pr vs develop Trivy scan report comparison export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result") - - - name: upload html file as Trivy artifact - uses: actions/upload-artifact@v3 - with: - name: html-image-result-compare-to-develop-${{github.run_id}} - path: image-trivy-result.html - - - name: analyse different vulnerabilities against develop branch by Trivy - id: set-diff-trivy-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix) - echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT - - - name: scan vulnerabilities by Docker Scout - uses: docker/scout-action@v1 - continue-on-error: true - with: - command: cves - image: local-portainer:${{ github.sha }} - sarif-file: image-docker-scout.json - dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }} - dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }} - - - name: upload Docker Scout image security scan result as artifact - uses: actions/upload-artifact@v3 - with: - name: image-security-scan-feature-result - path: image-docker-scout.json - - - name: download Docker Scout artifacts from develop branch built by nightly scan - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - mv ./image-docker-scout.json ./image-docker-scout-feature.json - (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : - if [[ -e ./image-docker-scout.json ]]; then - mv ./image-docker-scout.json ./image-docker-scout-develop.json - else - echo "null" > ./image-docker-scout-develop.json - fi - - - name: pr vs develop Docker Scout scan report comparison export to html - run: | - $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result") - - - name: upload html file as Docker Scout artifact - uses: actions/upload-artifact@v3 - with: - name: html-image-result-compare-to-develop-${{github.run_id}} - path: image-docker-scout-result.html - - - name: analyse different vulnerabilities against develop branch by Docker Scout - id: set-diff-docker-scout-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix) - echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT - - result-analysis: - name: Analyse Scan Result Against develop Branch - needs: [client-dependencies, server-dependencies, image-vulnerability] - runs-on: ubuntu-latest - if: >- - github.event.pull_request && - github.event.review.body == '/scan' && - github.event.pull_request.draft == false - strategy: - matrix: - jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}} - godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}} - imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}} - imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}} - steps: - - name: check job status of diff result - if: >- - matrix.jsdiff.status == 'failure' || - matrix.godiff.status == 'failure' || - matrix.imagediff-trivy.status == 'failure' || - matrix.imagediff-docker-scout.status == 'failure' - run: | - echo "${{ matrix.jsdiff.status }}" - echo "${{ matrix.godiff.status }}" - echo "${{ matrix.imagediff-trivy.status }}" - echo "${{ matrix.imagediff-docker-scout.status }}" - echo "${{ matrix.jsdiff.summary }}" - echo "${{ matrix.godiff.summary }}" - echo "${{ matrix.imagediff-trivy.summary }}" - echo "${{ matrix.imagediff-docker-scout.summary }}" - exit 1 diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml deleted file mode 100644 index db5203798..000000000 --- a/.github/workflows/rebase.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Automatic Rebase -on: - issue_comment: - types: [created] -jobs: - rebase: - name: Rebase - if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') - runs-on: ubuntu-latest - steps: - - name: Checkout the latest code - uses: actions/checkout@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 # otherwise, you will fail to push refs to dest repo - - name: Automatic Rebase - uses: cirrus-actions/rebase@1.4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index 878948206..000000000 --- a/.github/workflows/stale.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Close Stale Issues -on: - schedule: - - cron: '0 12 * * *' - workflow_dispatch: -jobs: - stale: - runs-on: ubuntu-latest - permissions: - issues: write - - steps: - - uses: actions/stale@v8 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - # Issue Config - days-before-issue-stale: 60 - days-before-issue-close: 7 - stale-issue-label: 'status/stale' - exempt-all-issue-milestones: true # Do not stale issues in a milestone - exempt-issue-labels: kind/enhancement, kind/style, kind/workaround, kind/refactor, bug/need-confirmation, bug/confirmed, status/discuss - stale-issue-message: 'This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.' - close-issue-message: 'Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning `portainer/support` and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.' - - # Pull Request Config - days-before-pr-stale: -1 # Do not stale pull request - days-before-pr-close: -1 # Do not close pull request diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml deleted file mode 100644 index e8a479bfa..000000000 --- a/.github/workflows/test.yaml +++ /dev/null @@ -1,76 +0,0 @@ -name: Test - -env: - GO_VERSION: 1.21.9 - NODE_VERSION: 18.x - -on: - workflow_dispatch: - pull_request: - branches: - - master - - develop - - release/* - types: - - opened - - reopened - - synchronize - - ready_for_review - push: - branches: - - master - - develop - - release/* - -jobs: - test-client: - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - - steps: - - name: 'checkout the current branch' - uses: actions/checkout@v4.1.1 - with: - ref: ${{ github.event.inputs.branch }} - - - name: 'set up node.js' - uses: actions/setup-node@v4.0.1 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'yarn' - - - run: yarn --frozen-lockfile - - - name: Run tests - run: make test-client ARGS="--maxWorkers=2 --minWorkers=1" - - test-server: - strategy: - matrix: - config: - - { platform: linux, arch: amd64 } - - { platform: linux, arch: arm64 } - - { platform: windows, arch: amd64, version: 1809 } - - { platform: windows, arch: amd64, version: ltsc2022 } - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - - steps: - - name: 'checkout the current branch' - uses: actions/checkout@v4.1.1 - with: - ref: ${{ github.event.inputs.branch }} - - - name: 'set up golang' - uses: actions/setup-go@v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - - - name: 'install dependencies' - run: make test-deps PLATFORM=linux ARCH=amd64 - - - name: 'update $PATH' - run: echo "$(pwd)/dist" >> $GITHUB_PATH - - - name: 'run tests' - run: make test-server diff --git a/.github/workflows/validate-openapi-spec.yaml b/.github/workflows/validate-openapi-spec.yaml deleted file mode 100644 index 820ac885c..000000000 --- a/.github/workflows/validate-openapi-spec.yaml +++ /dev/null @@ -1,39 +0,0 @@ -name: Validate OpenAPI specs - -on: - pull_request: - branches: - - master - - develop - - 'release/*' - types: - - opened - - reopened - - synchronize - - ready_for_review - -env: - GO_VERSION: 1.21.9 - NODE_VERSION: 18.x - -jobs: - openapi-spec: - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-go@v3 - with: - go-version: ${{ env.GO_VERSION }} - - - name: Download golang modules - run: cd ./api && go get -t -v -d ./... - - uses: actions/setup-node@v3 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'yarn' - - run: yarn --frozen-lockfile - - - name: Validate OpenAPI Spec - run: make docs-validate