diff --git a/.github/workflows/cache-trivy-db.yml b/.github/workflows/cache-trivy-db.yml
new file mode 100644
index 0000000..c00f160
--- /dev/null
+++ b/.github/workflows/cache-trivy-db.yml
@@ -0,0 +1,22 @@
+name: Mirror Trivy DB
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # daily
+ workflow_dispatch:
+
+jobs:
+ mirror:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Install crane
+ uses: imjasonh/setup-crane@v0.4
+
+ - name: Log in to GHCR
+ run: crane auth login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Mirror Trivy DB
+ run: |
+ crane copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/carvel-dev/release-scripts/trivy-db:2
diff --git a/.github/workflows/published_release.yml b/.github/workflows/published_release.yml
index e3119a7..fb2f444 100644
--- a/.github/workflows/published_release.yml
+++ b/.github/workflows/published_release.yml
@@ -17,7 +17,7 @@ jobs:
 outputs:
 yttValuesFile: ${{ steps.get-checksums-from-release.outputs.result }}
 steps:
- - uses: actions/github-script@v5
+ - uses: actions/github-script@v9
 id: check-if-latest-release
 with:
 result-encoding: string
@@ -46,7 +46,7 @@ jobs: } return 0 - - uses: actions/github-script@v5 + - uses: actions/github-script@v9 id: get-checksums-from-release if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }} with:
@@ -127,7 +127,7 @@ jobs: ${{ steps.get-checksums-from-release.outputs.result }} EOF - name: Upload Release information file - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: ytt-data-values-for-release path: ./release.yml
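Review bot: The login step passes `secrets.GITHUB_TOKEN` on the command line (`-p ${{ secrets.GITHUB_TOKEN }}`), so the token is substituted into the shell command and shows up in the step's process arguments on the runner, while crane can read it from stdin instead. Move it into the step's `env:` as `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and log in with `run: echo "$GHCR_TOKEN" | crane auth login ghcr.io -u "${{ github.actor }}" --password-stdin`. `imjasonh/setup-crane@v0.4` is a third-party action referenced by a mutable tag in a job that holds `packages: write`; pinning it to a full commit SHA keeps a moved tag from changing what runs here. The copy step takes whatever `aquasecurity/trivy-db:2` resolves to on each run without checking it, which is what a mirror does, so a comment such as `# upstream image is copied as-is; no signature/digest verification` above `crane copy` would record that trust decision.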
@@ -136,16 +136,16 @@ jobs: needs: process-release-information steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Download ytt data values file with release information - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@v8 with: name: ytt-data-values-for-release path: ./tmp/release.yml - name: Install ytt - uses: carvel-dev/setup-action@v1 + uses: carvel-dev/setup-action@v2 with: only: ytt - name: Generate Homebrew File
@@ -157,7 +157,7 @@ jobs: cat $filename - name: Upload Homebrew File - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: homebrew-formula path: ./${{ github.event.client_payload.toolName }}.rb
@@ -172,22 +172,75 @@ jobs:
 artifactName: homebrew-formula
 artifactPath: .
+ prepare-documentation-update:
+ runs-on: ubuntu-latest
+ needs: [process-release-information,update-releases-yaml]
+ if: endsWith(github.event.client_payload.tagName, '.0')
+ steps:
+ - name: Install ytt
+ uses: carvel-dev/setup-action@v2
+ with:
+ only: ytt
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Checkout website
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+ repository: 'carvel-dev/carvel'
+ ref: develop
+ path: website
+ - name: Run documentation update
+ env:
+ TAG_NAME: ${{ github.event.client_payload.tagName }}
+ TOOL_NAME: ${{ github.event.client_payload.toolName }}
+ DEPLOY_PRIVATE_KEY: ${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}
+ run: |
+ set -e -x
+ pushd website/site
+ docVersion=$(echo "${TAG_NAME}" | awk -F. '{print $1"."$2".x"}')
+ ./hack/release-doc.sh "${TOOL_NAME}" "${docVersion}"
+ timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+ AUTHOR_EMAIL='carvel-bot@users.noreply.github.com'
+ AUTHOR_NAME='carvel-bot'
+ MESSAGE="chore: auto-update documentation for ${TOOL_NAME} ${docVersion} ${timestamp}"
+
+ remote_repo="git@github.com:carvel-dev/carvel"
+
+ TMP_DEPLOY_PRIV_KEY=$(mktemp /tmp/deploy-key.XXXXXX) || exit 1
+ trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT
+ set +x
+ echo "${DEPLOY_PRIVATE_KEY}" > "${TMP_DEPLOY_PRIV_KEY}"
+ chmod 600 "${TMP_DEPLOY_PRIV_KEY}"
+ eval $(ssh-agent -s)
+ ssh-add "${TMP_DEPLOY_PRIV_KEY}"
+ set -x
+
+ git config http.sslVerify true
+ git config --local user.email "${AUTHOR_EMAIL}"
+ git config --local user.name "${AUTHOR_NAME}"
+
+ git add .
+
+ git commit -m "${MESSAGE}" || exit 0
+ git push "${remote_repo}" HEAD:develop --follow-tags
+ popd
 prepare-releases-file-for-install-sh:
 runs-on: ubuntu-latest
 needs: process-release-information
 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Download ytt data values file with release information - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@v8 with: name: ytt-data-values-for-release path: ./tmp/release.yml - name: Install ytt - uses: carvel-dev/setup-action@v1 + uses: carvel-dev/setup-action@v2 with: only: ytt token: ${{ secrets.GITHUB_TOKEN }}
@@ -197,7 +250,7 @@ jobs: ./scripts/generate_releases_yaml.sh ./tmp/release.yml > ./tmp/releases.yaml mv ./tmp/releases.yaml ./releases.yaml - name: Upload releases.yaml File - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: releases-yaml path: releases.yaml
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index 41e9d31..dba79cf 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -64,11 +64,6 @@ jobs: # Build Binary File ./hack/build.sh - - name: Trivy Cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.githubToken }} - - name: Read dismissed CVEs from Github run: | set -o pipefail
@@ -92,7 +87,7 @@ jobs:
 output: 'trivy-results.sarif'
 exit-code: 1
 ignore-unfixed: true
- cache-dir: .trivy
+ db-repository: ghcr.io/carvel-dev/release-scripts/trivy-db:2 - name: Upload Trivy scan results to GitHub Security tab if: always()
diff --git a/scripts/install_sh/install.sh.txt b/scripts/install_sh/install.sh.txt
index f3415ad..14dc561 100644
--- a/scripts/install_sh/install.sh.txt
+++ b/scripts/install_sh/install.sh.txt
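Review bot: The website checkout (`actions/checkout@v6` with `repository: 'carvel-dev/carvel'`) keeps the action's default `persist-credentials: true`, which stores `GITHUB_TOKEN` in `website/.git/config`, while the push in the run step goes over SSH with the deploy key, so that stored token is never used; add `persist-credentials: false` under that step's `with:`. The `trap` removes only the temp key file; the deploy key itself stays loaded in the agent started by `eval $(ssh-agent -s)` until the job ends, so `trap 'rm -f "${TMP_DEPLOY_PRIV_KEY}"; ssh-agent -k >/dev/null 2>&1 || true' EXIT` would also stop the agent. The `set +x`/`set -x` pair brackets the key write and `ssh-add`, so the key does not reach the command trace. `git config http.sslVerify true` is git's default and has no effect on an SSH push, so it can be dropped.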
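Review bot: `db-repository:` is passed as an action input, but the hunk does not show which version of the scan action is in use; if that version does not declare a `db-repository` input, GitHub only emits a warning for the unexpected input and Trivy keeps its default DB source, so confirm the input is accepted or set it as the step's `env:` `TRIVY_DB_REPOSITORY: ghcr.io/carvel-dev/release-scripts/trivy-db:2`, which Trivy reads itself. The `:2` tag now comes from the new cache-trivy-db.yml workflow, which rewrites it once a day; if that mirror run fails, this scan keeps using a stale database with nothing in this file to show it, so a comment such as `# DB is pulled from our GHCR mirror (cache-trivy-db.yml); a stale mirror means stale findings` above the key would make the dependency visible. If the mirrored package is not public, this job also needs GHCR credentials or `packages: read`, neither of which appears in the hunk.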
@@ -9,6 +9,22 @@ if test -z "$BASH_VERSION"; then
 exit 1
 fi
+# Function to check for required commands
+check_command() {
+ command -v "$1" >/dev/null 2>&1 || { echo >&2 "Error: $1 is required but not installed."; exit 1; }
+}
+
+# Determine SHA-256 checksum command based on platform availability.
+# shasum -a 256 is the macOS/BSD equivalent of sha256sum.
+if command -v sha256sum >/dev/null 2>&1; then
+ CHECKSUM_CMD="sha256sum"
+elif command -v shasum >/dev/null 2>&1; then
+ CHECKSUM_CMD="shasum -a 256"
+else
+ echo >&2 "Error: no SHA-256 checksum tool found; install sha256sum (Linux) or shasum (macOS/BSD)"
+ exit 1
+fi
+
 install() {
 set -euo pipefail
@@ -17,11 +33,10 @@ install() { if [ -x "$(command -v wget)" ]; then dl_bin="wget -nv -O-" else + check_command curl dl_bin="curl -s -L" fi - shasum -v 1>/dev/null 2>&1 || (echo "Missing shasum binary" && exit 1) - if [[ `uname` == Darwin ]]; then binary_type=darwin-amd64 (@ for val in data.values.products: @)(@ for asset in val.assets: @)(@ if asset.os == "darwin" and asset.arch=="amd64": @)
@@ -37,7 +52,7 @@ install() {
 (@ for val in data.values.products: @)
 echo "Installing (@= val.product @)..."
 $dl_bin (@= addProtocol(val.github.url) @)/releases/download/(@= val.version @)/(@= val.product @)-${binary_type} > /tmp/(@= val.product @)
- echo "${(@= val.product @)_checksum} /tmp/(@= val.product @)" | shasum -c -
+ echo "${(@= val.product @)_checksum} /tmp/(@= val.product @)" | $CHECKSUM_CMD -c -
 mv /tmp/(@= val.product @) ${dst_dir}/(@= val.product @)
 chmod +x ${dst_dir}/(@= val.product @)
 echo "Installed ${dst_dir}/(@= val.product @) (@= val.version @)"
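Review bot: `CHECKSUM_CMD="shasum -a 256"` in the new detection block is later expanded unquoted as `$CHECKSUM_CMD -c -` (hunk `@@ -37,7 +52,7 @@`), so separating the command from its arguments depends on word splitting; that works for these two fixed values but is the pattern shellcheck flags (SC2086) and is one edit away from breaking if a value containing spaces is ever added. The script already refuses to run without bash (`$BASH_VERSION` check in this hunk's header), so an array is available: `CHECKSUM_CMD=(sha256sum)`, `CHECKSUM_CMD=(shasum -a 256)` and `"${CHECKSUM_CMD[@]}" -c -`. `check_command` has no comment saying it terminates the script rather than returning a status; `# check_command NAME: print an error to stderr and exit 1 if NAME is not on PATH` above the definition would say so. Running the detection at top level before `install()` is defined means a host with neither tool fails before any download starts, which is the right order.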