Merge pull request #1 from SUSE/set-up-policies

PLAT-1431 Set up policies

Author: tmuntaner

.github/actions/get-policy-metadata/action.yaml

@@ -0,0 +1,125 @@
+name: "kubewarden-policy-gh-action-dependencies"
+description: "Install all the binaries needed inside of GH action"
+branding:
+  icon: "package"
+  color: "blue"
+inputs:
+  KWCTL_VERSION:
+    description: "kwctl release to be installed"
+    required: false
+    default: v1.31.0
+  SYFT_VERSION:
+    description: "syft release to be installed"
+    required: false
+    default: "1.28.0"
+  arch:
+    description: "syft arch to be installed"
+    required: false
+    default: "linux_amd64" # windows_amd64, darwin_amd64
+  BINARYEN_VERSION:
+    description: "binaryen release to be installed"
+    required: false
+    default: "116"
+runs:
+  using: "composite"
+  steps:
+    - name: Install cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+    - name: Install kwctl
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        # Build name of gihub release asset
+        OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]' | sed 's/macos/darwin/')
+        ARCH=$(echo "${{ runner.arch }}" | sed -E 's/X64/x86_64/; s/ARM64/aarch64/')
+        ASSET="kwctl-${OS}-${ARCH}"
+
+        INSTALL_DIR=$HOME/.kwctl
+        RELEASE_URL="download/${{ inputs.KWCTL_VERSION }}"
+        [ "${{ inputs.KWCTL_VERSION }}" == "latest" ] && RELEASE_URL="latest/download"
+
+        mkdir -p $INSTALL_DIR
+        curl -sL https://github.com/kubewarden/kwctl/releases/$RELEASE_URL/$ASSET.zip -o $INSTALL_DIR/$ASSET.zip
+        unzip -o $INSTALL_DIR/$ASSET.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/$ASSET.zip
+
+        mv $INSTALL_DIR/$ASSET $INSTALL_DIR/kwctl
+        chmod 755 $INSTALL_DIR/kwctl
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+        $INSTALL_DIR/kwctl -V
+    - name: Install bats
+      shell: bash
+      run: sudo apt install -y bats
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch != 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION }}/syft_${{ inputs.SYFT_VERSION }}_${{ inputs.arch }}.tar.gz -o $INSTALL_DIR/syft.tar.gz
+        tar xvf $INSTALL_DIR/syft.tar.gz -C $INSTALL_DIR
+        rm $INSTALL_DIR/syft.tar.gz
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch == 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION  }}/syft_${{ inputs.SYFT_VERSION }}_windows_amd64.zip -o $INSTALL_DIR/syft.zip
+        unzip -n $INSTALL_DIR/syft.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/syft.zip
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Install binaryen tool
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.binaryen
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/WebAssembly/binaryen/releases/download/version_${{ inputs.BINARYEN_VERSION }}/binaryen-version_${{ inputs.BINARYEN_VERSION }}-x86_64-linux.tar.gz -o $INSTALL_DIR/binaryen.tar.gz
+        tar xvf $INSTALL_DIR/binaryen.tar.gz -C $INSTALL_DIR
+        mv $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}/bin/* $INSTALL_DIR
+        rm $INSTALL_DIR/binaryen.tar.gz
+        rm -rf $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Setup rust toolchain
+      run: |
+        rustup toolchain install stable  --profile minimal --target wasm32-wasip1
+        rustup override set stable
+      shell: bash
+    - name: Install tinygo
+      shell: bash
+      run: |
+        wget https://github.com/tinygo-org/tinygo/releases/download/v0.39.0/tinygo_0.39.0_amd64.deb
+        sudo dpkg -i tinygo_0.39.0_amd64.deb
+    - name: Install semver tool
+      shell: bash
+      run: |
+        INSTALL_DIR="$HOME"/.semver
+        mkdir -p "$INSTALL_DIR"
+        wget -O "$INSTALL_DIR"/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver
+        chmod +x "$INSTALL_DIR"/semver
+        echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+    - name: Install updatecli
+      uses: updatecli/updatecli-action@719e3592d124cbf826da704cbe557e1221dd4bba # v2.94.0

.github/actions/install-dependencies/action.yaml

@@ -0,0 +1,125 @@
+name: "kubewarden-policy-gh-action-dependencies"
+description: "Install all the binaries needed inside of GH action"
+branding:
+  icon: "package"
+  color: "blue"
+inputs:
+  KWCTL_VERSION:
+    description: "kwctl release to be installed"
+    required: false
+    default: v1.29.1
+  SYFT_VERSION:
+    description: "syft release to be installed"
+    required: false
+    default: "1.28.0"
+  arch:
+    description: "syft arch to be installed"
+    required: false
+    default: "linux_amd64" # windows_amd64, darwin_amd64
+  BINARYEN_VERSION:
+    description: "binaryen release to be installed"
+    required: false
+    default: "116"
+runs:
+  using: "composite"
+  steps:
+    - name: Install cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+    - name: Install kwctl
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        # Build name of gihub release asset
+        OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]' | sed 's/macos/darwin/')
+        ARCH=$(echo "${{ runner.arch }}" | sed -E 's/X64/x86_64/; s/ARM64/aarch64/')
+        ASSET="kwctl-${OS}-${ARCH}"
+
+        INSTALL_DIR=$HOME/.kwctl
+        RELEASE_URL="download/${{ inputs.KWCTL_VERSION }}"
+        [ "${{ inputs.KWCTL_VERSION }}" == "latest" ] && RELEASE_URL="latest/download"
+
+        mkdir -p $INSTALL_DIR
+        curl -sL https://github.com/kubewarden/kwctl/releases/$RELEASE_URL/$ASSET.zip -o $INSTALL_DIR/$ASSET.zip
+        unzip -o $INSTALL_DIR/$ASSET.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/$ASSET.zip
+
+        mv $INSTALL_DIR/$ASSET $INSTALL_DIR/kwctl
+        chmod 755 $INSTALL_DIR/kwctl
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+        $INSTALL_DIR/kwctl -V
+    - name: Install bats
+      shell: bash
+      run: sudo apt install -y bats
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch != 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION }}/syft_${{ inputs.SYFT_VERSION }}_${{ inputs.arch }}.tar.gz -o $INSTALL_DIR/syft.tar.gz
+        tar xvf $INSTALL_DIR/syft.tar.gz -C $INSTALL_DIR
+        rm $INSTALL_DIR/syft.tar.gz
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+
+    - name: Install SBOM generator tool
+      shell: bash
+      if: ${{ inputs.arch == 'windows_amd64' }}
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.syft
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/anchore/syft/releases/download/v${{ inputs.SYFT_VERSION  }}/syft_${{ inputs.SYFT_VERSION }}_windows_amd64.zip -o $INSTALL_DIR/syft.zip
+        unzip -n $INSTALL_DIR/syft.zip -d $INSTALL_DIR
+        rm $INSTALL_DIR/syft.zip
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Install binaryen tool
+      shell: bash
+      run: |
+        #!/bin/bash
+        set -e
+
+        INSTALL_DIR=$HOME/.binaryen
+
+        mkdir -p $INSTALL_DIR
+
+        curl -sL https://github.com/WebAssembly/binaryen/releases/download/version_${{ inputs.BINARYEN_VERSION }}/binaryen-version_${{ inputs.BINARYEN_VERSION }}-x86_64-linux.tar.gz -o $INSTALL_DIR/binaryen.tar.gz
+        tar xvf $INSTALL_DIR/binaryen.tar.gz -C $INSTALL_DIR
+        mv $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}/bin/* $INSTALL_DIR
+        rm $INSTALL_DIR/binaryen.tar.gz
+        rm -rf $INSTALL_DIR/binaryen-version_${{ inputs.BINARYEN_VERSION }}
+
+        echo $INSTALL_DIR >> $GITHUB_PATH
+    - name: Setup rust toolchain
+      run: |
+        rustup toolchain install stable  --profile minimal --target wasm32-wasip1
+        rustup override set stable
+      shell: bash
+    - name: Install tinygo
+      shell: bash
+      run: |
+        wget https://github.com/tinygo-org/tinygo/releases/download/v0.39.0/tinygo_0.39.0_amd64.deb
+        sudo dpkg -i tinygo_0.39.0_amd64.deb
+    - name: Install semver tool
+      shell: bash
+      run: |
+        INSTALL_DIR="$HOME"/.semver
+        mkdir -p "$INSTALL_DIR"
+        wget -O "$INSTALL_DIR"/semver https://github.com/fsaintjacques/semver-tool/raw/3.4.0/src/semver
+        chmod +x "$INSTALL_DIR"/semver
+        echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+    - name: Install updatecli
+      uses: updatecli/updatecli-action@719e3592d124cbf826da704cbe557e1221dd4bba # v2.94.0

.github/workflows/ci.yaml

@@ -0,0 +1,50 @@
+name: Continuous integration
+on:
+  workflow_dispatch:
+  pull_request:
+  schedule:
+    - cron: "0 21 * * *"
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  calculate-policy-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      policy_working_dirs: ${{ steps.calculate-policy-dirs.outputs.policy_working_dirs }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0 # checkout all history to do git diff
+      - name: calculate which policies need a CI job
+        id: calculate-policy-dirs
+        shell: bash
+        run: |
+          git remote -v
+
+          policies_working_dirs=($(find policies -maxdepth 2 -name Makefile -exec dirname '{}' \;))
+          if [ "${{github.event_name}}" == "pull_request" ]; then
+            # list only changes of files in `policies/`:
+            git_files="$(git diff --no-color --find-renames --find-copies --name-only origin/${{ github.base_ref }} ${{ github.sha }} -- policies)"
+
+            # build policy_working_dirs:
+            policies_working_dirs=($(echo "$git_files" | cut -d/ -f1,2 ))
+          fi
+
+          declare -p policies_working_dirs # for debug
+          policy_working_dirs=$(jq --compact-output --null-input '$ARGS.positional | map(select(. != "policies/Cargo.lock" and . != "policies/Cargo.toml" and . != "policies/go.mod" and . != "policies/go.sum")) | unique' --args -- "${policies_working_dirs[@]}")
+          echo "policy_working_dirs=$policy_working_dirs"
+          echo "policy_working_dirs=$policy_working_dirs" >> $GITHUB_OUTPUT
+
+  continuos-integration:
+    uses: ./.github/workflows/reusable-ci.yaml
+    needs: calculate-policy-matrix
+    if: ${{ needs.calculate-policy-matrix.outputs.policy_working_dirs != '[]' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        policy-working-dir: ${{ fromJSON(needs.calculate-policy-matrix.outputs.policy_working_dirs) }}
+    with:
+      policy-working-dir: ${{ matrix.policy-working-dir }}

.github/workflows/reusable-ci.yaml

@@ -0,0 +1,78 @@
+on:
+  workflow_call:
+    inputs:
+      policy-working-dir:
+        description: "Working directory of the policy. Useful for repos with policies in folders"
+        required: false
+        type: string
+        default: "."
+
+jobs:
+  linter:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy linter
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} lint
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Build policy
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} policy.wasm
+  unit-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy unit tests
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} test
+  e2e-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: "1.25"
+      - uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
+        with:
+          version: "latest"
+          install-only: true
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Install dependencies
+        uses: ./.github/actions/install-dependencies
+      - name: Policy integration test
+        shell: bash
+        run: |
+          make -C ${{ inputs.policy-working-dir}} e2e-tests

.gitignore

@@ -1,4 +1,6 @@
 qodana.yaml
+.github/workflows/qodana_code_quality.yml
+bin
 
 ### VisualStudioCode template
 .vscode/*