From 7cf015ec072d8e029139b9e17812ad439f4f03ab Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 13:42:00 -0700 Subject: [PATCH 1/8] bk pipeline updates Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 44 ++++++++++++++++++---------------------- sonar-project.properties | 3 +-- 2 files changed, 21 insertions(+), 26 deletions(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 26153d4..a7b01be 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -29,26 +29,14 @@ steps: environment: - "GOTOOLCHAIN=auto" artifact_paths: ["coverage.out"] - - group: ":closed_lock_with_key: Security Checks" - depends_on: "go_test" - key: "security" - steps: - - label: ":closed_lock_with_key: gosec" - key: "gosec" - plugins: - - docker#v5.12.0: - image: "securego/gosec:2.20.0" - command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."] - environment: - - "GOTOOLCHAIN=auto" - artifact_paths: ["results.txt"] - label: ":github: upload PR reports" key: "scan-upload-pr" if: build.pull_request.id != null - depends_on: ["gosec", "go_test"] + depends_on: ["go_test"] plugins: - - artifacts#v1.9.4: - download: "results.txt" + - cluster-secrets#v1.0.0: + variables: + SONAR_TOKEN: SONAR_TOKEN - artifacts#v1.9.4: download: "coverage.out" step: "go_test" @@ -61,10 +49,11 @@ steps: - label: ":github: upload reports" key: "scan-upload" if: build.branch == "main" - depends_on: ["gosec", "go_test"] + depends_on: ["go_test"] plugins: - - artifacts#v1.9.4: - download: results.txt + - cluster-secrets#v1.0.0: + variables: + SONAR_TOKEN: SONAR_TOKEN - artifacts#v1.9.4: download: coverage.out step: "go_test" 
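Review bot: The `:closed_lock_with_key: Security Checks` group with its gosec step is deleted in the first hunk and the `scan-upload-pr` step stops downloading `results.txt`, so no static-analysis findings reach SonarCloud any more, and the commit message does not say what replaces that gate. If SonarCloud's own Go rules are meant to cover it, say so in the commit body; otherwise keep the gosec step (or an equivalent) and its `depends_on` entry. The same pattern applies to the `@@ -61,10 +49,11 @@` hunk for the `scan-upload` step and, for image scanning, to the `@@ -183,8 +184,3 @@` hunk of this patch, which removes the trivy plugin from the `docker-build-and-tag` step so tagged release images are no longer scanned. Note also that `SONAR_TOKEN` is now injected via `cluster-secrets#v1.0.0` into a step gated only by `build.pull_request.id != null`; if this pipeline builds pull requests from forks, confirm that the pipeline settings withhold secrets from third-party PR builds.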
@@ -104,6 +93,13 @@ steps: #!/bin/bash ls plugins: + - cluster-secrets#v1.0.0: + variables: + SECRET_GHCR_PUBLISH_TOKEN: SECRET_GHCR_PUBLISH_TOKEN + - docker-login#v3.0.0: + username: openlane-bender + password-env: SECRET_GHCR_PUBLISH_TOKEN + server: ghcr.io - theopenlane/docker-metadata#v1.0.0: images: - "${IMAGE_REPO}" @@ -121,6 +117,7 @@ steps: ignore-unfixed: true security-checks: config,secret,vuln skip-files: "cosign.key,Dockerfile.dev" + trivy-version: "0.57.1" - label: ":docker: docker build and publish" key: "docker-build" cancel_on_build_failing: true @@ -134,6 +131,9 @@ steps: #!/bin/bash ls plugins: + - cluster-secrets#v1.0.0: + variables: + SECRET_GHCR_PUBLISH_TOKEN: SECRET_GHCR_PUBLISH_TOKEN - docker-login#v3.0.0: username: openlane-bender password-env: SECRET_GHCR_PUBLISH_TOKEN @@ -156,6 +156,7 @@ steps: ignore-unfixed: true security-checks: config,secret,vuln skip-files: "cosign.key,Dockerfile.dev" + trivy-version: "0.57.1" - label: ":docker: docker build and publish" key: "docker-build-and-tag" if: build.tag != null @@ -183,8 +184,3 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} - - equinixmetal-buildkite/trivy#v1.19.0: - severity: CRITICAL,HIGH - ignore-unfixed: true - security-checks: config,secret,vuln - skip-files: "cosign.key,Dockerfile.dev" diff --git a/sonar-project.properties b/sonar-project.properties index 6b6e3c3..a561d51 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -13,5 +13,4 @@ sonar.test.inclusions=**/*_test.go sonar.test.exclusions=**/vendor/** sonar.sourceEncoding=UTF-8 -sonar.go.coverage.reportPaths=coverage.out -sonar.externalIssuesReportPaths=results.txt \ No newline at end of file +sonar.go.coverage.reportPaths=coverage.out \ No newline at end of file From e92119953ef9adc90aa6367b9fa3c555674a7e16 Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 13:54:59 -0700 Subject: [PATCH 2/8] set buildplatform 
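Review bot: The `docker-login#v3.0.0` block added in the `@@ -104,6 +93,13 @@` hunk logs the first docker step into `ghcr.io` with `SECRET_GHCR_PUBLISH_TOKEN`, the same write-capable credential the publishing steps use; that step's label and `if:` condition lie outside the hunk, but its position ahead of the `docker-build` step suggests it is the non-publishing (pull-request/branch) build. If the login exists only to pull base images, expose a read-only pull token there instead and keep the publish credential to the `docker-build` and `docker-build-and-tag` steps, so a build that can run on unreviewed code cannot push to the registry. If the login is not needed for that build at all, drop both the `cluster-secrets` and `docker-login` entries from this step.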
Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index a7b01be..eacf17d 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -3,6 +3,7 @@ env: IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME} IMAGE_TAG: ${BUILDKITE_BUILD_NUMBER}-${BUILDKITE_COMMIT:0:8} SONAR_HOST: "https://sonarcloud.io" + BUILDPLATFORM: "linux/amd64" steps: - group: ":test_tube: Tests" From 887308865ea0c8d7b4ee42c267e09ca82ba49eef Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 13:58:25 -0700 Subject: [PATCH 3/8] set buildplatform Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index eacf17d..e17874d 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -3,7 +3,6 @@ env: IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME} IMAGE_TAG: ${BUILDKITE_BUILD_NUMBER}-${BUILDKITE_COMMIT:0:8} SONAR_HOST: "https://sonarcloud.io" - BUILDPLATFORM: "linux/amd64" steps: - group: ":test_tube: Tests" @@ -113,6 +112,7 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} + - BUILDPLATFORM="linux/amd64" - equinixmetal-buildkite/trivy#v1.19.0: severity: CRITICAL,HIGH ignore-unfixed: true @@ -152,6 +152,7 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} + - BUILDPLATFORM="linux/amd64" - equinixmetal-buildkite/trivy#v1.19.0: severity: CRITICAL,HIGH ignore-unfixed: true @@ -185,3 +186,4 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} + - BUILDPLATFORM="linux/amd64" From 7560e5ae2d88c58380fd30cde199da3fe523efcf Mon Sep 17 00:00:00 2001 
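Review bot: `- BUILDPLATFORM="linux/amd64"` in the `@@ -113,6 +112,7 @@` hunk is a plain YAML scalar, so the quote characters are part of the value and, unless the buildx plugin passes build-args through a shell, the Dockerfile receives `"linux/amd64"` quotes included; the sibling entry `- NAME=${APP_NAME}` shows the intended unquoted form, so write `- BUILDPLATFORM=linux/amd64`. The value is also fixed to amd64 while `platforms: linux/{{matrix.platform}}` fans out over amd64 and arm64, which is acceptable if BUILDPLATFORM is meant to describe the build host rather than the target, but that intent deserves a comment such as `# build host platform, not the target platform` on the line. The same lines are added in the `@@ -152,6 +152,7 @@` and `@@ -185,3 +186,4 @@` hunks (and removed again by patch 5 of this series).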
From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 17:32:21 -0700 Subject: [PATCH 4/8] Test a different image Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index e17874d..45fac35 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -1,3 +1,6 @@ +agents: + queue: "riverboat-test" + env: APP_NAME: ${BUILDKITE_PIPELINE_SLUG} IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME} From 978aa4d9b835d94cf12fea6a8fdb7b9a162a5283 Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 17:34:27 -0700 Subject: [PATCH 5/8] remove arg Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 45fac35..07f7045 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -115,7 +115,6 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} - - BUILDPLATFORM="linux/amd64" - equinixmetal-buildkite/trivy#v1.19.0: severity: CRITICAL,HIGH ignore-unfixed: true @@ -155,7 +154,6 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} - - BUILDPLATFORM="linux/amd64" - equinixmetal-buildkite/trivy#v1.19.0: severity: CRITICAL,HIGH ignore-unfixed: true @@ -189,4 +187,3 @@ steps: platforms: linux/{{matrix.platform}} build-args: - NAME=${APP_NAME} - - BUILDPLATFORM="linux/amd64" From 019b20f5fef5ad85d81f97670e5cb3786c6bba64 Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 17:40:06 -0700 Subject: [PATCH 6/8] what 
Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index 07f7045..c99cf51 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -92,9 +92,7 @@ steps: platform: - amd64 - arm64 - commands: | - #!/bin/bash - ls + commands: plugins: - cluster-secrets#v1.0.0: variables: @@ -171,6 +169,9 @@ steps: commands: | #!/bin/bash plugins: + - cluster-secrets#v1.0.0: + variables: + SECRET_GHCR_PUBLISH_TOKEN: SECRET_GHCR_PUBLISH_TOKEN - docker-login#v3.0.0: username: openlane-bender password-env: SECRET_GHCR_PUBLISH_TOKEN From 7c566c30f34749f6ad978400002456105df0bf39 Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Fri, 22 Nov 2024 17:43:54 -0700 Subject: [PATCH 7/8] put back Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index c99cf51..e4ab3ae 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml @@ -92,7 +92,9 @@ steps: platform: - amd64 - arm64 - commands: + commands: | + #!/bin/bash + ls plugins: - cluster-secrets#v1.0.0: variables: From 5fcabe33eec4371d5a236b13090e736887ecf32e Mon Sep 17 00:00:00 2001 From: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> Date: Tue, 10 Dec 2024 20:42:35 -0700 Subject: [PATCH 8/8] remove agents from top Signed-off-by: Sarah Funkhouser <147884153+golanglemonade@users.noreply.github.com> --- .buildkite/pipeline.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml index e4ab3ae..34957e8 100644 --- a/.buildkite/pipeline.yml +++ b/.buildkite/pipeline.yml 
@@ -1,6 +1,3 @@ -agents: - queue: "riverboat-test" - env: APP_NAME: ${BUILDKITE_PIPELINE_SLUG} IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME}