Docs auto update

.github/workflows/cache-trivy-db.yml

@@ -0,0 +1,22 @@
+name: Mirror Trivy DB
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # daily
+  workflow_dispatch:
+
+jobs:
+  mirror:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
+      - name: Log in to GHCR
+        run: crane auth login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Mirror Trivy DB
+        run: |
+            crane copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/carvel-dev/release-scripts/trivy-db:2

.github/workflows/published_release.yml

@@ -17,7 +17,7 @@ jobs:
     outputs:
       yttValuesFile: ${{ steps.get-checksums-from-release.outputs.result }}
     steps:
-      - uses: actions/github-script@v5
+      - uses: actions/github-script@v9
         id: check-if-latest-release
         with:
           result-encoding: string
@@ -46,7 +46,7 @@ jobs:
             }
             return 0
 
-      - uses: actions/github-script@v5
+      - uses: actions/github-script@v9
         id: get-checksums-from-release
         if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}
         with:
@@ -127,7 +127,7 @@ jobs:
           ${{ steps.get-checksums-from-release.outputs.result }}
           EOF
       - name: Upload Release information file
-        uses: actions/upload-artifact@v4.4.3
+        uses: actions/upload-artifact@v7
         with:
           name: ytt-data-values-for-release
           path: ./release.yml
@@ -136,16 +136,16 @@ jobs:
     needs: process-release-information
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Download ytt data values file with release information
-        uses: actions/download-artifact@v4.1.7
+        uses: actions/download-artifact@v8
         with:
           name: ytt-data-values-for-release
           path: ./tmp/release.yml
       - name: Install ytt
-        uses: carvel-dev/setup-action@v1
+        uses: carvel-dev/setup-action@v2
         with:
           only: ytt
       - name: Generate Homebrew File
@@ -157,7 +157,7 @@ jobs:
 
           cat $filename
       - name: Upload Homebrew File
-        uses: actions/upload-artifact@v4.4.3
+        uses: actions/upload-artifact@v7
         with:
           name: homebrew-formula
           path: ./${{ github.event.client_payload.toolName }}.rb
@@ -172,22 +172,75 @@ jobs:
       artifactName: homebrew-formula
       artifactPath: .
 
+  prepare-documentation-update:
+    runs-on: ubuntu-latest
+    needs: [process-release-information,update-releases-yaml]
+    if: endsWith(github.event.client_payload.tagName, '.0')
+    steps:
+      - name: Install ytt
+        uses: carvel-dev/setup-action@v2
+        with:
+          only: ytt
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout website
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          repository: 'carvel-dev/carvel'
+          ref: develop
+          path: website
+      - name: Run documentation update
+        env:
+          TAG_NAME: ${{ github.event.client_payload.tagName }}
+          TOOL_NAME: ${{ github.event.client_payload.toolName }}
+          DEPLOY_PRIVATE_KEY: ${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}
+        run: |
+          set -e -x
+          pushd website/site
+          docVersion=$(echo "${TAG_NAME}" | awk -F. '{print $1"."$2".x"}')
+          ./hack/release-doc.sh "${TOOL_NAME}" "${docVersion}"
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+          AUTHOR_EMAIL='carvel-bot@users.noreply.github.com'
+          AUTHOR_NAME='carvel-bot'
+          MESSAGE="chore: auto-update documentation for ${TOOL_NAME} ${docVersion} ${timestamp}"
+
+          remote_repo="git@github.com:carvel-dev/carvel"
+
+          TMP_DEPLOY_PRIV_KEY=$(mktemp /tmp/deploy-key.XXXXXX) || exit 1
+          trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT
+          set +x
+          echo "${DEPLOY_PRIVATE_KEY}" > "${TMP_DEPLOY_PRIV_KEY}"
+          chmod 600 "${TMP_DEPLOY_PRIV_KEY}"
+          eval $(ssh-agent -s)
+          ssh-add "${TMP_DEPLOY_PRIV_KEY}"
+          set -x
+
+          git config http.sslVerify true
+          git config --local user.email "${AUTHOR_EMAIL}"
+          git config --local user.name "${AUTHOR_NAME}"
+
+          git add .
+
+          git commit -m "${MESSAGE}" || exit 0
 
+          git push "${remote_repo}" HEAD:develop --follow-tags
+          popd
   prepare-releases-file-for-install-sh:
     runs-on: ubuntu-latest
     needs: process-release-information
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Download ytt data values file with release information
-        uses: actions/download-artifact@v4.1.7
+        uses: actions/download-artifact@v8
         with:
           name: ytt-data-values-for-release
           path: ./tmp/release.yml
       - name: Install ytt
-        uses: carvel-dev/setup-action@v1
+        uses: carvel-dev/setup-action@v2
         with:
           only: ytt
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -197,7 +250,7 @@ jobs:
           ./scripts/generate_releases_yaml.sh ./tmp/release.yml > ./tmp/releases.yaml
           mv ./tmp/releases.yaml ./releases.yaml
       - name: Upload releases.yaml File
-        uses: actions/upload-artifact@v4.4.3
+        uses: actions/upload-artifact@v7
         with:
           name: releases-yaml
           path: releases.yaml

.github/workflows/trivy-scan.yml

@@ -64,11 +64,6 @@ jobs:
           # Build Binary File
           ./hack/build.sh
 
-      - name: Trivy Cache
-        uses: yogeshlonkar/trivy-cache-action@v0
-        with:
-          gh-token: ${{ secrets.githubToken }}
-
       - name: Read dismissed CVEs from Github
         run: |
           set -o pipefail
@@ -92,7 +87,7 @@ jobs:
           output: 'trivy-results.sarif'
           exit-code: 1
           ignore-unfixed: true
-          cache-dir: .trivy
+          db-repository: ghcr.io/carvel-dev/release-scripts/trivy-db:2
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()

scripts/install_sh/install.sh.txt

@@ -9,6 +9,22 @@ if test -z "$BASH_VERSION"; then
   exit 1
 fi
 
+# Function to check for required commands
+check_command() {
+    command -v "$1" >/dev/null 2>&1 || { echo >&2 "Error: $1 is required but not installed."; exit 1; }
+}
+
+# Determine SHA-256 checksum command based on platform availability.
+# shasum -a 256 is the macOS/BSD equivalent of sha256sum.
+if command -v sha256sum >/dev/null 2>&1; then
+    CHECKSUM_CMD="sha256sum"
+elif command -v shasum >/dev/null 2>&1; then
+    CHECKSUM_CMD="shasum -a 256"
+else
+    echo >&2 "Error: no SHA-256 checksum tool found; install sha256sum (Linux) or shasum (macOS/BSD)"
+    exit 1
+fi
+
 install() {
   set -euo pipefail
 
@@ -17,11 +33,10 @@ install() {
   if [ -x "$(command -v wget)" ]; then
     dl_bin="wget -nv -O-"
   else
+    check_command curl
     dl_bin="curl -s -L"
   fi
 
-  shasum -v 1>/dev/null 2>&1 || (echo "Missing shasum binary" && exit 1)
-
   if [[ `uname` == Darwin ]]; then
     binary_type=darwin-amd64
     (@ for val in data.values.products: @)(@ for asset in val.assets: @)(@ if asset.os == "darwin" and asset.arch=="amd64": @)
@@ -37,7 +52,7 @@ install() {
   (@ for val in data.values.products: @)
   echo "Installing (@= val.product @)..."
   $dl_bin (@= addProtocol(val.github.url) @)/releases/download/(@= val.version @)/(@= val.product @)-${binary_type} > /tmp/(@= val.product @)
-  echo "${(@= val.product @)_checksum}  /tmp/(@= val.product @)" | shasum -c -
+  echo "${(@= val.product @)_checksum}  /tmp/(@= val.product @)" | $CHECKSUM_CMD -c -
   mv /tmp/(@= val.product @) ${dst_dir}/(@= val.product @)
   chmod +x ${dst_dir}/(@= val.product @)
   echo "Installed ${dst_dir}/(@= val.product @) (@= val.version @)"