From e66ffc03c5f04f17b83dbb2531067697c174c784 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 23 Nov 2025 16:02:15 +0000
Subject: [PATCH 1/2] chore(deps): Bump github/codeql-action from 4.31.2 to 4.31.4

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.2 to 4.31.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0499de31b99561a6d14a36a5f662c2a54f91beee...e12f0178983d466f2f6028f5cc7a6d786fd97f4b)

---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.31.4
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
.github/workflows/artifacts.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 435e10d..f481913 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -188,7 +188,7 @@ jobs:
retention-days: 5
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
+ uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v3.29.5
with:
sarif_file: trivy-results.sarif
@@ -323,6 +323,6 @@ jobs:
retention-days: 5
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v3.29.5
+ uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v3.29.5
with:
sarif_file: trivy-results.sarif

From a2066eac7b163f71dbd46f286ba59ce99c69f8f8 Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Wed, 26 Nov 2025 11:01:28 +0100
Subject: [PATCH 2/2] remove nix
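Review bot: The version comment on the new `uses:` line is stale: the commit bumps github/codeql-action to 4.31.4, yet the line still reads `# v3.29.5`, so the SHA-plus-comment convention this workflow relies on to keep pins auditable no longer describes the pinned commit; the `@@ -323` hunk has the identical line. Suggested: `uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4`. The comment already disagreed with the previous 4.31.2 pin, which is presumably why the bot did not rewrite it, so it will keep drifting on every bump until corrected by hand.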
Signed-off-by: Bence Csati
---
.dockerignore | 2 -
.envrc | 4 -
.github/renovate.json | 16 ---
.github/workflows/ci.yaml | 102 ++++++--------
.gitignore | 3 -
.go-version | 1 +
.licensei.toml | 2 +-
Makefile | 4 +
README.md | 7 +-
flake.lock | 276 --------------------------------------
flake.nix | 132 ------------------
11 files changed, 49 insertions(+), 500 deletions(-)
delete mode 100644 .envrc
delete mode 100644 .github/renovate.json
create mode 100644 .go-version
delete mode 100644 flake.lock
delete mode 100644 flake.nix

diff --git a/.dockerignore b/.dockerignore
index 1435231..7405c77 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,3 @@
-/.devenv/
-/.direnv/
/.github/
/bin/
/build/
diff --git a/.envrc b/.envrc
deleted file mode 100644
index 3ce7171..0000000
--- a/.envrc
+++ /dev/null
@@ -1,4 +0,0 @@
-if ! has nix_direnv_version || ! nix_direnv_version 2.3.0; then
- source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.3.0/direnvrc" "sha256-Dmd+j63L84wuzgyjITIfSxSD57Tx7v51DMxVZOsiUD8="
-fi
-use flake . --impure
diff --git a/.github/renovate.json b/.github/renovate.json
deleted file mode 100644
index 6edfd4f..0000000
--- a/.github/renovate.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "$schema": "https://docs.renovatebot.com/renovate-schema.json",
- "extends": [
- "schedule:earlyMondays",
- ":disableDependencyDashboard"
- ],
- "enabledManagers": [
- "nix"
- ],
- "nix": {
- "enabled": true
- },
- "lockFileMaintenance": {
- "enabled": true
- }
-}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c3176de..345e475 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,13 +19,12 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+ - name: Set up Go
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+ go-version-file: '.go-version'
- name: Set up Go cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -37,11 +36,8 @@ jobs:
restore-keys: |
${{ github.job }}-${{ runner.os }}-go-
- - name: Prepare Nix shell
- run: nix develop --impure .#ci
-
- name: Build
- run: nix develop --impure .#ci -c make build
+ run: make build
test:
name: Test
@@ -51,11 +47,10 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+ - name: Set up Go
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+ go-version-file: '.go-version'
- name: Set up Go cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -67,11 +62,8 @@ jobs:
restore-keys: |
${{ github.job }}-${{ runner.os }}-go-
- - name: Prepare Nix shell
- run: nix develop --impure .#ci
-
- name: Test
- run: nix develop --impure .#ci -c make test
+ run: make test
lint:
name: Lint
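Review bot: This hunk moves only the build job to `actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0`, while the context lines of the test (`@@ -51`), lint (`@@ -81`), license-check (`@@ -111`) and e2e (`@@ -207`) hunks keep `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`, so the workflow now runs two checkout majors side by side. Either apply the same SHA to every job in this commit or keep build on v5.0.0 so one dependency update moves them together; with `.github/renovate.json` deleted here, future pin updates rest on Dependabot alone (patch 1/2 shows it does cover github-actions). Separately, recent majors of `actions/setup-go` enable their own Go module and build cache by default, so the `Set up Go cache` step that follows may now duplicate the `actions/cache` work — worth confirming against the setup-go v6.1.0 docs and either passing `cache: false` to setup-go or dropping the manual cache step.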
@@ -81,11 +73,10 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+ - name: Set up Go
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+ go-version-file: '.go-version'
- name: Set up Go cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -97,11 +88,25 @@ jobs:
restore-keys: |
${{ github.job }}-${{ runner.os }}-go-
- - name: Prepare Nix shell
- run: nix develop --impure .#ci
+ - name: Make deps
+ run: make deps
- - name: Lint
- run: nix develop --impure .#ci -c make lint -j
+ - name: Lint Go code
+ run: make lint-go
+
+ - name: Lint Helm charts
+ run: make lint-helm
+
+ - name: Run Hadolint
+ uses: hadolint/hadolint-action@v3.3.0
+ with:
+ dockerfile: Dockerfile
+ config: .hadolint.yaml
+
+ - name: Run Yamllint
+ run: |
+ pip install --user yamllint
+ yamllint .
license-check:
name: License check
@@ -111,11 +116,10 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+ - name: Set up Go
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+ go-version-file: '.go-version'
- name: Set up Go cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
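Review bot: `uses: hadolint/hadolint-action@v3.3.0` in the new `Run Hadolint` step (hunk `@@ -97`) is pinned to a mutable tag, whereas every other action in this workflow is pinned to a full commit SHA with a version comment; if the tag is moved, the job silently runs different code with the repository checkout available to it. Pin it the same way: `uses: hadolint/hadolint-action@<commit-sha-of-v3.3.0> # v3.3.0`. The `Run Yamllint` step has the same reproducibility gap: `pip install --user yamllint` takes whatever PyPI serves at run time, and the Makefile hunk in this commit (`@@ -123,6 +123,10 @@ lint-yaml:`) indicates a `lint-yaml` target already exists, so `run: make lint-yaml` would match the `make lint-go` / `make lint-helm` steps and keep the tool version under the repository's control (failing that, `pip install --user 'yamllint==<pinned-version>'`).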
@@ -137,39 +141,19 @@ jobs:
licensei-v1-main
licensei-v1
- - name: Prepare Nix shell
- run: nix develop --impure .#ci
+ - name: Make deps
+ run: make deps
- name: Populate license cache
- run: nix develop --impure .#ci -c licensei cache
+ run: make license-cache
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check licenses
- run: nix develop --impure .#ci -c make license-check
+ run: make license-check
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- dev:
- name: Developer environment
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
- with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-
- - name: Check
- run: nix flake check --impure
-
- - name: Dev shell
- run: nix develop --impure
-
artifacts:
name: Artifacts
uses: ./.github/workflows/artifacts.yaml
@@ -207,14 +191,10 @@ jobs:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Nix
- uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+ - name: Set up Go
+ uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
-
- - name: Prepare Nix shell
- run: nix develop --impure .#ci
+ go-version-file: '.go-version'
- name: Download docker image
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
@@ -227,7 +207,7 @@ jobs:
name: "[helm-chart] package"
- name: Test
- run: nix develop --impure .#ci -c make test-e2e
+ run: make test-e2e
env:
KIND_K8S_VERSION: ${{ matrix.k8s_version }}
LOAD_IMAGE_ARCHIVE: ${{ github.workspace }}/docker.tar
diff --git a/.gitignore b/.gitignore
index 5a3cd4b..03358bf 100644
--- a/.gitignore
+++ b/.gitignore
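Review bot: In the e2e hunk (`@@ -207`) the Nix `ci` shell is replaced by `Set up Go` alone, with no `Make deps` step like the lint and license-check jobs receive in this same commit, so nothing in the job installs kind, kubectl, kustomize or helm any more — tools the deleted flake.nix listed in that shell's packages — before `make test-e2e` runs. Unless the `test-e2e` Makefile target fetches them itself (outside this diff), add `- name: Make deps` / `run: make deps` after the Go setup, or an explicit install step for the cluster tooling. The enclosing e2e job definition starts outside this hunk.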
@@ -1,6 +1,3 @@
-/.devenv/
-/.direnv/
-/.pre-commit-config.yaml
/bin/
/build/
/tmp/
diff --git a/.go-version b/.go-version
new file mode 100644
index 0000000..f9e8384
--- /dev/null
+++ b/.go-version
@@ -0,0 +1 @@
+1.24.1
diff --git a/.licensei.toml b/.licensei.toml
index a0e0f89..beef02e 100644
--- a/.licensei.toml
+++ b/.licensei.toml
@@ -25,7 +25,7 @@ ignored = [
[header]
authors = ["Cisco", "Bank-Vaults Maintainers"]
-ignorePaths = [".direnv", ".devenv", "vendor"]
+ignorePaths = ["vendor"]
ignoreFiles = ["zz_generated.*.go"]
template = """// Copyright © :YEAR: :AUTHOR:
//
diff --git a/Makefile b/Makefile
index c4099ba..4c068a4 100644
--- a/Makefile
+++ b/Makefile
@@ -123,6 +123,10 @@ lint-yaml:
fmt: ## Run go fmt against code
$(GOLANGCI_LINT_BIN) run --fix
+.PHONY: license-cache
+license-cache: ## Populate license cache
+ $(LICENSEI_BIN) cache
+
.PHONY: license-check
license-check: ## Run license check
$(LICENSEI_BIN) check
diff --git a/README.md b/README.md
index cf9d476..60b3193 100644
--- a/README.md
+++ b/README.md
@@ -62,11 +62,8 @@ file](https://github.com/bank-vaults/vault-secrets-reloader/blob/main/e2e/deploy
## Development
-**For an optimal developer experience, it is recommended to install [Nix](https://nixos.org/download.html) and
-[direnv](https://direnv.net/docs/installation.html).**
-
-_Alternatively, install [Go](https://go.dev/dl/) on your computer then run `make deps` to install the rest of the
-dependencies._
+Install [Go](https://go.dev/dl/) on your computer then run `make deps` to install the rest of the
+dependencies.
Make sure Docker is installed with Compose and Buildx.
diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index a012471..0000000
--- a/flake.lock
+++ /dev/null
@@ -1,276 +0,0 @@ -{ - "nodes": { - "cachix": { - "inputs": { - "devenv": [ - "devenv" - ], - "flake-compat": [ - "devenv", - "flake-compat" - ], - "git-hooks": [ - "devenv", - "git-hooks" - ], - "nixpkgs": [ - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760971495, - "narHash": "sha256-IwnNtbNVrlZIHh7h4Wz6VP0Furxg9Hh0ycighvL5cZc=", - "owner": "cachix", - "repo": "cachix", - "rev": "c5bfd933d1033672f51a863c47303fc0e093c2d2", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "latest", - "repo": "cachix", - "type": "github" - } - }, - "devenv": { - "inputs": { - "cachix": "cachix", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "git-hooks": "git-hooks", - "nix": "nix", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1762706931, - "narHash": "sha256-rsegLsEHnUsfUDN4e/Z534yJIi4Yi6qMA3LI5LK0YwA=", - "owner": "cachix", - "repo": "devenv", - "rev": "9a8147b9345ecbb1321890ce7603df1507b1125d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1762440070, - "narHash": 
"sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "devenv", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "devenv", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760663237, - "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "devenv", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "nix": { - "inputs": { - "flake-compat": [ - "devenv", - "flake-compat" - ], - "flake-parts": [ - "devenv", - "flake-parts" - ], - "git-hooks-nix": [ - "devenv", - "git-hooks" - ], - "nixpkgs": [ - "devenv", - "nixpkgs" - ], - "nixpkgs-23-11": [ - "devenv" - ], - "nixpkgs-regression": [ - "devenv" - ] - }, - "locked": { - "lastModified": 1761648602, - "narHash": "sha256-H97KSB/luq/aGobKRuHahOvT1r7C03BgB6D5HBZsbN8=", - "owner": "cachix", - "repo": "nix", - "rev": "3e5644da6830ef65f0a2f7ec22830c46285bfff6", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "devenv-2.30.6", - "repo": "nix", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1761313199, - "narHash": "sha256-wCIACXbNtXAlwvQUo1Ed++loFALPjYUA3dpcUJiXO44=", - "owner": "cachix", - 
"repo": "devenv-nixpkgs", - "rev": "d1c30452ebecfc55185ae6d1c983c09da0c274ff", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "rolling", - "repo": "devenv-nixpkgs", - "type": "github" - } - }, - "nixpkgs-23-05": { - "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1761765539, - "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1762482733, - "narHash": "sha256-g/da4FzvckvbiZT075Sb1/YDNDr+tGQgh4N8i5ceYMg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e1ebeec86b771e9d387dd02d82ffdc77ac753abc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "devenv": "devenv", - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_2", - "nixpkgs-23-05": "nixpkgs-23-05" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index 81daf4b..0000000 --- a/flake.nix +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - description = "A Kubernetes Controller that reloads workloads on a referenced secret change in HashiCorp Vault"; - - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; - nixpkgs-23-05.url = "github:NixOS/nixpkgs/release-23.05"; # TODO: remove once helm is fixed - flake-parts.url = "github:hercules-ci/flake-parts"; - devenv.url = "github:cachix/devenv"; - }; - - outputs = inputs@{ flake-parts, ... }: - flake-parts.lib.mkFlake { inherit inputs; } { - imports = [ - inputs.devenv.flakeModule - ]; - - systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-darwin" ]; - - perSystem = { config, self', inputs', pkgs, system, ... }: rec { - devenv.shells = { - default = { - languages = { - go.enable = true; - go.package = pkgs.go_1_24; - }; - - services = { - vault = { - enable = true; - package = self'.packages.vault; - }; - }; - - pre-commit.hooks = { - nixpkgs-fmt.enable = true; - yamllint.enable = true; - hadolint.enable = true; - }; - - packages = with pkgs; [ - gnumake - - kind - kubectl - kustomize - # kubernetes-helm - helm-docs - - k3d - - crc - - golangci-lint - yamllint - hadolint - ] ++ [ - inputs'.nixpkgs-23-05.legacyPackages.kubernetes-helm - self'.packages.licensei - ]; - - env = { - KUBECONFIG = "${config.devenv.shells.default.env.DEVENV_STATE}/kube/config"; - KIND_CLUSTER_NAME = "vault-secrets-reloader"; - - HELM_CACHE_HOME = "${config.devenv.shells.default.env.DEVENV_STATE}/helm/cache"; - HELM_CONFIG_HOME = "${config.devenv.shells.default.env.DEVENV_STATE}/helm/config"; - HELM_DATA_HOME = "${config.devenv.shells.default.env.DEVENV_STATE}/helm/data"; - - VAULT_TOKEN = "227e1cce-6bf7-30bb-2d2a-acc854318caf"; - }; - - # https://github.com/cachix/devenv/issues/528#issuecomment-1556108767 - containers = pkgs.lib.mkForce { }; - }; - - ci = devenv.shells.default; - }; - - packages = { - # TODO: create flake in source repo - licensei = pkgs.buildGoModule rec { - pname = "licensei"; - version = "0.8.0"; - - src = 
pkgs.fetchFromGitHub { - owner = "goph"; - repo = "licensei"; - rev = "v${version}"; - sha256 = "sha256-Pvjmvfk0zkY2uSyLwAtzWNn5hqKImztkf8S6OhX8XoM="; - }; - - vendorHash = "sha256-ZIpZ2tPLHwfWiBywN00lPI1R7u7lseENIiybL3+9xG8="; - - subPackages = [ "cmd/licensei" ]; - - ldflags = [ - "-w" - "-s" - "-X main.version=v${version}" - ]; - }; - - vault = pkgs.buildGoModule rec { - pname = "vault"; - version = "1.14.8"; - - src = pkgs.fetchFromGitHub { - owner = "hashicorp"; - repo = "vault"; - rev = "v${version}"; - sha256 = "sha256-sGCODCBgsxyr96zu9ntPmMM/gHVBBO+oo5+XsdbCK4E="; - }; - - vendorHash = "sha256-zpHjZjgCgf4b2FAJQ22eVgq0YGoVvxGYJ3h/3ZRiyrQ="; - - proxyVendor = true; - - subPackages = [ "." ]; - - tags = [ "vault" ]; - ldflags = [ - "-s" - "-w" - "-X github.com/hashicorp/vault/sdk/version.GitCommit=${src.rev}" - "-X github.com/hashicorp/vault/sdk/version.Version=${version}" - "-X github.com/hashicorp/vault/sdk/version.VersionPrerelease=" - ]; - }; - }; - }; - }; -}