diff --git a/.github/scripts/rhel_description.py b/.github/scripts/rhel_description.py new file mode 100644 index 000000000..bafc3a271 --- /dev/null +++ b/.github/scripts/rhel_description.py @@ -0,0 +1,48 @@ +import sys +import requests +import json +import markdown +import os + +repository_description = None + +if ("DESCRIPTION_FILE" not in os.environ or len(os.environ["DESCRIPTION_FILE"]) == 0): + print("::error::Description file environment variable is not specified") + sys.exit(1) +if ("PYXIS_API_TOKEN" not in os.environ or len(os.environ["PYXIS_API_TOKEN"]) == 0): + print("::error::API token environment variable is not specified") + sys.exit(1) +if ("API_URL" not in os.environ or len(os.environ["API_URL"]) == 0): + print("::error::API URL environment variable is not specified") + sys.exit(1) +if ("PROJECT_ID" not in os.environ or len(os.environ["PROJECT_ID"]) == 0): + print("RedHat project ID environment variable is not specified") + sys.exit(1) + +if (os.path.isfile(os.environ["DESCRIPTION_FILE"] + '.md')): + file = open(os.environ["DESCRIPTION_FILE"] + '.md', mode='r') + markdown_data = file.read() + file.close() + repository_description=markdown.markdown(markdown_data) +elif (os.path.isfile(os.environ["DESCRIPTION_FILE"] + '.html')): + file = open(os.environ["DESCRIPTION_FILE"] + '.html', mode='r') + repository_description = file.read() + file.close() + +if (repository_description is None or len(repository_description) == 0): + print("::error::No description file found") + sys.exit(1) + +data = dict() +data['container'] = dict() +data['container']['repository_description'] = repository_description[:32768] + +headers = {'accept' : 'application/json', 'X-API-KEY' : os.environ["PYXIS_API_TOKEN"], 'Content-Type' : 'application/json'} +result = requests.patch(os.environ["API_URL"] + os.environ["PROJECT_ID"], + headers = headers, + data = json.dumps(data)) + +print("::group::Result") +print("Response code: " + str(result.status_code)) +print("Last update date: " + json.loads(result.content)['last_update_date']) +print("::endgroup::") diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 42af9afce..d56e334aa 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -28,4 +28,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0 + uses: actions/dependency-review-action@be8bc500ee15e96754d2a6f2d34be14e945a46f3 # v4.1.2 diff --git a/.github/workflows/rhel_registry_description.yml b/.github/workflows/rhel_registry_description.yml new file mode 100644 index 000000000..dd979db32 --- /dev/null +++ b/.github/workflows/rhel_registry_description.yml @@ -0,0 +1,156 @@ +name: Red Hat Catalog Description + +on: + push: + branches: + - '[0-9]+.[0-9]+' + paths: + - 'Dockerfiles/*/*/README.html' + - 'Dockerfiles/*/*/README.md' + - '.github/workflows/rhel_registry_description.yml' + workflow_dispatch: + +env: + DOCKERFILES_DIRECTORY: "./Dockerfiles" + API_URL: "https://catalog.redhat.com/api/containers/v1/projects/certification/id/" + MATRIX_FILE: "build.json" + +defaults: + run: + shell: bash + +permissions: + contents: read + +jobs: + init: + name: Initialize workflow + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + components: ${{ steps.components.outputs.list }} + zabbix_release: ${{ steps.branch_info.outputs.zabbix_release }} + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 + sparse-checkout: ${{ env.MATRIX_FILE }} + + - name: Check ${{ env.MATRIX_FILE }} file + id: build_exists + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + if [[ ! -f "$MATRIX_FILE" ]]; then + echo "::error::File $MATRIX_FILE is missing" + exit 1 + fi + + - name: Get branch info + id: branch_info + shell: bash + env: + github_ref: ${{ github.ref }} + run: | + result=false + + github_ref=${github_ref##*/} + + echo "::group::Branch metadata" + echo "zabbix_release=${github_ref//.}" + echo "::endgroup::" + + echo "zabbix_release=${github_ref//.}" >> $GITHUB_OUTPUT + + - name: Prepare Zabbix component list + id: components + env: + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + component_list=$(jq -r '.components | map_values(select(.rhel == true)) | keys | @json' "$MATRIX_FILE") + + echo "::group::Zabbix Component List" + echo "$component_list" + echo "::endgroup::" + + echo "list=$component_list" >> $GITHUB_OUTPUT + + publish: + name: Initialize build + runs-on: ubuntu-latest + needs: init + permissions: + contents: read + strategy: + fail-fast: false + matrix: + component: ${{ fromJson(needs.init.outputs.components) }} + steps: + - name: Block egress traffic + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + catalog.redhat.com:443 + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 + + - name: Variables formating + id: var_format + env: + MATRIX_BUILD: ${{ matrix.component }} + run: | + MATRIX_BUILD=${MATRIX_BUILD^^} + MATRIX_BUILD=${MATRIX_BUILD//-/_} + + echo "::group::Result" + echo "matrix_build=${MATRIX_BUILD}" + echo "::endgroup::" + echo "matrix_build=${MATRIX_BUILD}" >> $GITHUB_OUTPUT + + - name: Setup Python 3.x + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install Python packages + run: | + python -m pip install --upgrade pip + pip install markdown requests + + - name: Update Red Hat project description + env: + DESCRIPTION_FILE: ${{ format('{0}/{1}/rhel/README', env.DOCKERFILES_DIRECTORY, matrix.component) }} + PROJECT_ID: ${{ secrets[format('RHEL_{0}_{1}_PROJECT', needs.init.outputs.zabbix_release, steps.var_format.outputs.matrix_build)] }} + PYXIS_API_TOKEN: ${{ secrets.REDHAT_API_TOKEN }} + API_URL: ${{ env.API_URL }} + run: | + python ./.github/scripts/rhel_description.py + + - name: Red Hat Gatalog URL + env: + COMPONENT: ${{ matrix.component }} + MATRIX_FILE: ${{ env.MATRIX_FILE }} + run: | + PROJECT_ID=$(jq -r ".components.\"$COMPONENT\".rhel_project" "$MATRIX_FILE") + + echo "::group::URL" + echo "https://catalog.redhat.com/software/containers/${PROJECT_ID}" + echo "::endgroup::" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3aa8ef685..273d6afeb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 + uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3 with: sarif_file: results.sarif