diff --git a/.github/workflows/on_prerelease.yml b/.github/workflows/on_prerelease.yml
new file mode 100644
index 0000000..8e4c29c
--- /dev/null
+++ b/.github/workflows/on_prerelease.yml
@@ -0,0 +1,16 @@
+name: Prerelease pipeline
+
+on:
+ release:
+ types:
+ - prereleased
+ tags:
+ - 'v*'
+
+jobs:
+ pre-release:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@v2
+ with:
+ tag: ${{ github.event.release.tag_name }}
+ integration: "mongodb"
+ secrets: inherit
diff --git a/.github/workflows/on_push_pr.yml b/.github/workflows/on_push_pr.yml
new file mode 100644
index 0000000..c93694c
--- /dev/null
+++ b/.github/workflows/on_push_pr.yml
@@ -0,0 +1,16 @@
+name: Push/PR pipeline
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ - renovate/**
+ pull_request:
+
+jobs:
+ push-pr:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_push_pr.yaml@v2
+ with:
+ integration: mongodb
+ secrets: inherit
diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml
new file mode 100644
index 0000000..f974d7a
--- /dev/null
+++ b/.github/workflows/on_release.yml
@@ -0,0 +1,16 @@
+name: Create release artifacts
+
+on:
+ release:
+ types:
+ - released
+ tags:
+ - 'v*'
+
+jobs:
+ release:
+ uses: newrelic/coreint-automation/.github/workflows/reusable_on_release.yaml@v2
+ with:
+ integration: mongodb
+ tag: ${{ github.event.release.tag_name }}
+ secrets: inherit
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
deleted file mode 100644
index 6136746..0000000
--- a/.github/workflows/prerelease.yml
+++ /dev/null
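Review bot: Each of the three new workflows in this hunk group (on_prerelease.yml, on_push_pr.yml, on_release.yml) calls a reusable workflow through the mutable ref `@v2` and hands it `secrets: inherit`, so whatever `newrelic/coreint-automation` resolves that ref to at run time receives every secret the deleted workflows used (the GPG signing key, the PFX code-signing certificate, the staging and production AWS credentials, the Docker Hub and Slack tokens), and nothing in the caller constrains that. Pin the `uses:` references here (and the ones in repolinter.yml and security.yml in this same commit) to a full commit SHA with the tag kept as a comment, e.g. `uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@<commit-sha> # v2`, or add a comment stating why a floating ref inside the org is an accepted trust boundary. Separately, the `tags:` list under `release:` in on_prerelease.yml and on_release.yml is not a filter the `release` event supports (branch and tag filters belong to `push`/`pull_request`), so the `'v*'` restriction carried over from the old files is not enforced; if only `v*` releases should build, gate the job with an `if:` on `github.event.release.tag_name` or drop the misleading keys.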
@@ -1,216 +0,0 @@ -name: Prerelease pipeline - -on: - release: - types: - - prereleased - tags: - - 'v*' - -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - INTEGRATION: "mongodb" - ORIGINAL_REPO_NAME: 'newrelic/nri-mongodb' - REPO_FULL_NAME: ${{ github.event.repository.full_name }} - TAG: ${{ github.event.release.tag_name }} - -jobs: - snyk: - name: Run security checks via snyk - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Scan code for vulnerabilities - env: - SNYK_TOKEN: ${{ secrets.COREINT_SNYK_TOKEN }} - run: make ci/snyk-test - - test-nix: - name: Run unit tests on *Nix - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Unit tests - run: make ci/test - - test-windows: - name: Run unit tests on Windows - runs-on: windows-2022 - env: - GOPATH: ${{ github.workspace }} - defaults: - run: - working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}} - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: src/github.com/${{env.ORIGINAL_REPO_NAME}} - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod" - - name: Running unit tests - shell: pwsh - run: | - .\build\windows\unit_tests.ps1 - - test-integration-nix: - name: Run integration tests on *Nix - runs-on: ubuntu-22.04 - defaults: - run: - working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}} - steps: - - name: Check out code - uses: actions/checkout@v2 - with: - fetch-depth: 1 - path: src/github.com/${{env.ORIGINAL_REPO_NAME}} - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version-file: "src/github.com/${{ 
env.ORIGINAL_REPO_NAME }}/go.mod" - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Integration test - env: - GOPATH: ${{ github.workspace }} - run: make integration-test - - prerelease: - name: Build binary for *Nix/Win, create archives for *Nix/Win, create packages for *Nix, upload all artifacts into GH Release assets - runs-on: ubuntu-22.04 - needs: [test-nix, test-windows, test-integration-nix, snyk] - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Pre release - run: make ci/prerelease - env: - GPG_MAIL: 'infrastructure-eng@newrelic.com' - GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }} - GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded - - name: Test package installability - uses: newrelic/integrations-pkg-test-action/linux@v1 - with: - tag: ${{ env.TAG }} - integration: nri-${{ env.INTEGRATION }} - - package-win: - name: Create MSI & Upload into GH Release assets - runs-on: windows-2022 - needs: [prerelease] - env: - GOPATH: ${{ github.workspace }} - PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded - PFX_CERTIFICATE_DESCRIPTION: 'New Relic' - PFX_PASSPHRASE: ${{ secrets.OHAI_PFX_PASSPHRASE }} - defaults: - run: - working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}} - strategy: - matrix: - goarch: [amd64,386] - test-upgrade: [true,false] - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: src/github.com/${{env.ORIGINAL_REPO_NAME}} - - name: Get PFX certificate from GH secrets - shell: bash - run: printf "%s" "$PFX_CERTIFICATE_BASE64" | base64 -d - > wincert.pfx - - name: Download zip from GH Release assets and extract .exe - shell: pwsh - run: | - 
build\windows\download_zip_extract_exe.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG" "$env:REPO_FULL_NAME" - - name: Create MSI - shell: pwsh - run: | - build\windows\package_msi.ps1 -integration "$env:INTEGRATION" -arch ${{ matrix.goarch }} -tag "$env:TAG" -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION" - - name: Test win packages installation - uses: newrelic/integrations-pkg-test-action/windows@v1 - with: - tag: ${{ env.TAG }} - integration: nri-${{ env.INTEGRATION }} - arch: ${{ matrix.goarch }} - upgrade: ${{ matrix.test-upgrade }} - - name: Upload MSI to GH - if: startsWith(matrix.test-upgrade, 'false') - shell: bash - run: | - build/windows/upload_msi.sh ${INTEGRATION} ${{ matrix.goarch }} ${TAG} - - publish-to-s3: - name: Send release assets to S3 - runs-on: ubuntu-22.04 - needs: [package-win] - steps: - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Publish to S3 action - uses: newrelic/infrastructure-publish-action@v1 - env: - AWS_S3_BUCKET_NAME: "nr-downloads-ohai-staging" - AWS_S3_LOCK_BUCKET_NAME: "onhost-ci-lock-staging" - with: - disable_lock: false - run_id: ${{ github.run_id }} - tag: ${{env.TAG}} - app_name: "nri-${{env.INTEGRATION}}" - repo_name: ${{ env.ORIGINAL_REPO_NAME }} - access_point_host: "staging" - # 'ohi' is for integrations - schema: "ohi" - aws_region: "us-east-1" - aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_STAGING }} - aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_STAGING }} - aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_STAGING }} - aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_STAGING }} - aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }} - # used for locking in case of concurrent releases - aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }} - # used for signing package stuff - gpg_passphrase: 
${{ secrets.OHAI_GPG_PASSPHRASE }} - gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} - - name: Test uploaded package installability - uses: newrelic/integrations-pkg-test-action/linux@v1 - with: - tag: ${{ env.TAG }} - integration: nri-${{ env.INTEGRATION }} - packageLocation: repo - stagingRepo: true - upgrade: false - - notify-failure: - if: ${{ always() && failure() }} - needs: [ test-nix, test-windows, prerelease, package-win, publish-to-s3 ] - runs-on: ubuntu-latest - steps: - - name: Notify failure via Slack - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [prerelease pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml deleted file mode 100644 index a64ba61..0000000 --- a/.github/workflows/push_pr.yml +++ /dev/null 
@@ -1,123 +0,0 @@ -name: Push/PR - -on: - push: - branches: - - main - - master - - renovate/** - pull_request: - -env: - TAG: "v0.0.0" # needed for goreleaser windows builds - REPO_FULL_NAME: ${{ github.event.repository.full_name }} - ORIGINAL_REPO_NAME: "newrelic/nri-mongodb" - DOCKER_LOGIN_AVAILABLE: ${{ secrets.OHAI_DOCKER_HUB_ID }} -jobs: - static-analysis: - name: Run all static analysis checks - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - uses: newrelic/newrelic-infra-checkers@v1 - - name: golangci-lint - uses: golangci/golangci-lint-action@v3 - continue-on-error: ${{ github.event_name != 'pull_request' }} - with: - only-new-issues: true - - name: Check if CHANGELOG is valid - uses: newrelic/release-toolkit/validate-markdown@v1 - - snyk: - name: Run security checks via snyk - runs-on: ubuntu-22.04 - env: - SNYK_TOKEN: ${{ secrets.COREINT_SNYK_TOKEN }} - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - if: ${{env.DOCKER_LOGIN_AVAILABLE}} - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Scan code for vulnerabilities - if: ${{env.SNYK_TOKEN}} - run: make ci/snyk-test - - test-nix: - name: Run unit tests on *Nix - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - if: ${{env.DOCKER_LOGIN_AVAILABLE}} - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Unit tests - run: make ci/test - - test-windows: - name: Run unit tests on Windows - runs-on: windows-2022 - env: - GOPATH: ${{ github.workspace }} - defaults: - run: - working-directory: src/github.com/${{ env.ORIGINAL_REPO_NAME }} - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - path: src/github.com/${{env.ORIGINAL_REPO_NAME}} - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version-file: "src/github.com/${{ 
env.ORIGINAL_REPO_NAME }}/go.mod" - - name: Running unit tests - shell: pwsh - run: | - .\build\windows\unit_tests.ps1 - - test-integration-nix: - name: Run integration tests on *Nix - runs-on: ubuntu-22.04 - defaults: - run: - working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}} - steps: - - name: Check out code - uses: actions/checkout@v2 - with: - fetch-depth: 1 - path: src/github.com/${{env.ORIGINAL_REPO_NAME}} - - name: Install Go - uses: actions/setup-go@v3 - with: - go-version-file: "src/github.com/${{ env.ORIGINAL_REPO_NAME }}/go.mod" - - name: Login to DockerHub - if: ${{env.DOCKER_LOGIN_AVAILABLE}} - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Integration test - env: - GOPATH: ${{ github.workspace }} - run: make integration-test - - test-build: - name: Test binary compilation for all platforms:arch - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v2 - - name: Login to DockerHub - if: ${{env.DOCKER_LOGIN_AVAILABLE}} - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Build all platforms:arch - run: make ci/build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 09ab32f..0000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -name: Create release artifacts - -on: - release: - types: - - released - tags: - - 'v*' - -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - INTEGRATION: "mongodb" - ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }} - TAG: ${{ github.event.release.tag_name }} - -jobs: - - publish-to-s3: - name: Send release assets to S3 - runs-on: ubuntu-22.04 - steps: - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.OHAI_DOCKER_HUB_ID }} - password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }} - - name: Publish to S3 action - uses: newrelic/infrastructure-publish-action@v1 - env: - AWS_S3_BUCKET_NAME: "nr-downloads-main" - AWS_S3_LOCK_BUCKET_NAME: "onhost-ci-lock" - AWS_REGION: "us-east-1" - with: - # lock enabled - disable_lock: false - run_id: ${{ github.run_id }} - tag: ${{env.TAG}} - app_name: "nri-${{env.INTEGRATION}}" - repo_name: ${{ env.ORIGINAL_REPO_NAME }} - access_point_host: "production" - # 'ohi' is for integrations - schema: "ohi" - aws_region: ${{ env.AWS_REGION }} - aws_role_arn: ${{ secrets.OHAI_AWS_ROLE_ARN_PRODUCTION }} - aws_role_session_name: ${{ secrets.OHAI_AWS_ROLE_SESSION_NAME_PRODUCTION }} - aws_access_key_id: ${{ secrets.OHAI_AWS_ACCESS_KEY_ID_PRODUCTION }} - aws_secret_access_key: ${{ secrets.OHAI_AWS_SECRET_ACCESS_KEY_PRODUCTION }} - aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }} - # used for locking in case of concurrent releases - aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }} - # used for signing package stuff - gpg_passphrase: ${{ secrets.OHAI_GPG_PASSPHRASE }} - gpg_private_key_base64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} - - name: Test package from prod repo - uses: newrelic/integrations-pkg-test-action/linux@v1 - with: - tag: ${{ env.TAG }} - integration: 'nri-${{ env.INTEGRATION }}' # Required, with nri- prefix - packageLocation: repo - upgrade: false - - notify-failure: - if: ${{ always() && failure() }} - needs: [ publish-to-s3 ] - runs-on: ubuntu-latest 
- steps: - - name: Notify failure via Slack - uses: archive/github-actions-slack@master - with: - slack-bot-user-oauth-access-token: ${{ secrets.COREINT_SLACK_TOKEN }} - slack-channel: ${{ secrets.COREINT_SLACK_CHANNEL }} - slack-text: "❌ `${{ env.ORIGINAL_REPO_NAME }}`: [release pipeline failed](${{ github.server_url }}/${{ env.ORIGINAL_REPO_NAME }}/actions/runs/${{ github.run_id }})." diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml index acb921f..a239f6a 100644 --- a/.github/workflows/repolinter.yml +++ b/.github/workflows/repolinter.yml @@ -1,31 +1,10 @@ -# NOTE: This file should always be named `repolinter.yml` to allow # workflow_dispatch to work properly name: Repolinter Action -# NOTE: This workflow will ONLY check the default branch! -# Currently there is no elegant way to specify the default -# branch in the event filtering, so branches are instead -# filtered in the "Test Default Branch" step. -on: [push, workflow_dispatch] +on: + push: + workflow_dispatch: jobs: - repolint: - name: Run Repolinter - runs-on: ubuntu-latest - steps: - - name: Test Default Branch - id: default-branch - uses: actions/github-script@v2 - with: - script: | - const data = await github.repos.get(context.repo) - return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0] - - name: Checkout Self - if: ${{ steps.default-branch.outputs.result == 'true' }} - uses: actions/checkout@v2 - - name: Run Repolinter - if: ${{ steps.default-branch.outputs.result == 'true' }} - uses: newrelic/repolinter-action@v1 - with: - config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-plus.yml - output_type: issue + repolinter: + uses: newrelic/coreint-automation/.github/workflows/reusable_repolinter.yaml@v2 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index fad9a8d..185f20e 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
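Review bot: Removing only the first `# NOTE:` line leaves `# workflow_dispatch to work properly` at the top of the new repolinter.yml as an orphaned comment fragment that no longer reads as a sentence; either restore the full note (the reusable workflow presumably still relies on this file being named `repolinter.yml` for `workflow_dispatch` — confirm against the callee) or delete the fragment. The old `repolint` job only acted on the default branch via the `default-branch` script step, while the new `on: push:` has no branch filter and the job passes nothing to `reusable_repolinter.yaml@v2`, so whether pushes to other branches now open issues depends entirely on the callee, which is not visible here. If that check is expected to live in the caller, restore it with `branches: [main, master]` under `push:` or `if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)` on the job.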
@@ -11,41 +11,7 @@ on: - cron: "0 3 * * *" jobs: - trivy: - name: Trivy security scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.12.0 - if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically - with: - scan-type: fs - ignore-unfixed: true - exit-code: 1 - severity: 'HIGH,CRITICAL' - skip-dirs: 'build' - # test private key - skip-files: 'tests/integration/tls_cert/redis.key' - - - name: Run Trivy vulnerability scanner sarif output - uses: aquasecurity/trivy-action@0.12.0 - if: ${{ github.event.schedule }} # Generate sarif when running periodically - with: - scan-type: fs - ignore-unfixed: true - severity: 'HIGH,CRITICAL' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - skip-dirs: 'build' - # test private key - skip-files: 'tests/integration/tls_cert/redis.key' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: ${{ github.event.schedule }} # Upload sarif when running periodically - with: - sarif_file: 'trivy-results.sarif' + security: + uses: newrelic/coreint-automation/.github/workflows/reusable_security.yaml@v2 + with: + skip-dirs: "build"
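Review bot: The new `with:` block forwards only `skip-dirs: "build"`; the `skip-files: 'tests/integration/tls_cert/redis.key'` exclusion for the test private key, the `exit-code: 1` / `severity: 'HIGH,CRITICAL'` gating on push/PR runs, and the scheduled SARIF upload to the Security tab are all dropped from the caller, so each of those is now whatever `reusable_security.yaml@v2` implements, which this diff does not show. If that key file exists in this repository and the callee accepts an equivalent input, pass it here, e.g. `skip-files: "tests/integration/tls_cert/redis.key"`; if it does not (the path looks copied from a redis integration's workflow), a one-line comment saying the exclusion was intentionally dropped would save the next reader a search. The `on:` block that holds the `cron` trigger begins before this hunk.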