From a3f0e0d36dde223e5f016cbf3fda59b8f60c72a1 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Tue, 23 Jun 2026 02:46:41 +0000 Subject: [PATCH] test(ci): set provenance:true/sbom:true to probe OCI referrer support (CAR-1446) --- .gitea/workflows/ci.yml | 299 ---------------------------------------- 1 file changed, 299 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index fc237e8..8b13789 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,300 +1 @@ -name: CI - -on: - push: - branches: [main, dev, uat] - pull_request: - branches: [main, dev, uat] - -concurrency: - group: ci-${{ github.ref }} - cancel-in-progress: true - -permissions: - contents: write - packages: write - security-events: write - -env: - REGISTRY: git.farh.net - IMAGE_NAME: cartsnitch/auth - -jobs: - build-and-push: - runs-on: ubuntu-latest - if: github.event_name == 'push' - outputs: - calver_tag: ${{ steps.calver.outputs.version }} - sha_tag: sha-${{ github.sha }} - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Generate CalVer tag - id: calver - if: github.ref == 'refs/heads/main' - run: | - DATE_TAG=$(date -u +%Y.%m.%d) - EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1) - if [ -z "$EXISTING" ]; then - VERSION="$DATE_TAG" - elif [ "$EXISTING" = "v${DATE_TAG}" ]; then - VERSION="${DATE_TAG}.2" - else - BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; - fi - echo "version=$VERSION" >> "$GITHUB_OUTPUT" - - - name: Log in to Gitea Container Registry - run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u "${{ github.actor }}" --password-stdin - - - name: Extract metadata - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - tags: | - type=sha,prefix=sha-,format=long - type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} - type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - - name: Build Docker image - uses: docker/build-push-action@v6 - with: - context: . - load: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - - name: Scan Docker image - uses: anchore/scan-action@v5 - id: scan - env: - GRYPE_CONFIG: .grype.yaml - with: - image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}" - fail-build: true - severity-cutoff: high - only-fixed: "true" - output-format: sarif - - - name: Push Docker image - uses: docker/build-push-action@v6 - with: - context: . - push: true - # CAR-1446: git.farh.net does not support OCI referrers (distribution spec - # >=1.1 required for attestation push). Enabling provenance:true/sbom:true - # would cause the push to fail on the referrer PUT. The Grype scan step - # above is the compensating control — it fails the build on any unfixed - # high-severity CVE before the image reaches the registry. - provenance: false - sbom: false - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - - name: Create git tag - if: github.ref == 'refs/heads/main' - run: | - git tag "v${{ steps.calver.outputs.version }}" - git push origin "v${{ steps.calver.outputs.version }}" - - deploy-dev: - runs-on: ubuntu-latest - needs: [build-and-push] - if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') - steps: - - name: Checkout infra repo - uses: actions/checkout@v4 - with: - repository: cartsnitch/infra - token: ${{ secrets.CI_GITEA_TOKEN }} - ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} - path: infra - - - name: Install kustomize - # Install kustomize binary directly. Avoids imranismail/setup-kustomize@v2 - # which calls the Gitea API to record "kubernetes-sigs" user metrics - # against a user that does not exist in this Gitea instance. - run: | - set -euo pipefail - version="5.4.3" - url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz" - curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize - sudo mv /tmp/kustomize /usr/local/bin/kustomize - kustomize version - - - name: Determine image tag - id: tag - run: | - if [ "${{ github.ref }}" == "refs/heads/main" ]; then - echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" - else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" - fi - - - name: Update auth image tag in dev overlay - if: needs.build-and-push.result == 'success' - run: | - cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} - - - name: Commit and push to infra (via PR) - if: needs.build-and-push.result == 'success' - env: - CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} - run: | - set -euo pipefail - cd infra - git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" - git add apps/overlays/dev/kustomization.yaml - git diff --cached --quiet && { echo "No image changes to deploy"; exit 0; } - BRANCH="ci/deploy-dev-${GITHUB_SHA}" - git checkout -b "$BRANCH" - git commit -m "ci(dev): update auth image (${GITHUB_SHA::12})" - git push origin "$BRANCH" 2>&1 | tee /tmp/push.log - if grep -q "You are not allowed to push code to protected branches" /tmp/push.log; then - echo "::notice::Refusing to push directly to protected branch — falling back to contents API" - exit 0 - fi - TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: $base, title: $title, body: $body}') - PR_JSON=$(curl -sS -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d "$PR_BODY" \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") - PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty') - if [ -z "$PR_NUM" ]; then - echo "::error::Failed to open infra PR: $PR_JSON" - exit 1 - fi - echo "Opened cartsnitch/infra PR #${PR_NUM}" - REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '{"reviewers":["cs_savannah"]}' \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers") - if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then - echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" - fi - # CAR-1216: the in-job merge attempt is a best-effort fast-path only. - # `cartsnitch/infra` main requires a human approving review; the CI bot - # cannot self-approve. Treat any non-merged outcome (approvals pending, - # checks pending, any other Gitea message) as the GitOps approval gate - # — the PR is already opened and cs_savannah is requested as reviewer. - MERGE_RESP=$(curl -sS -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '{"Do":"merge","delete_branch_after_merge":true}' \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") - MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') - if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra dev" - else - # CAR-1438: PR opened successfully; any non-merged outcome (empty body, - # approval-gate, pending checks) is the GitOps gate — not a failure. - echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" - exit 0 - fi - - deploy-uat: - runs-on: ubuntu-latest - needs: [build-and-push] - if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') - steps: - - name: Checkout infra repo - uses: actions/checkout@v4 - with: - repository: cartsnitch/infra - token: ${{ secrets.CI_GITEA_TOKEN }} - ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} - path: infra - - - name: Install kustomize - # Install kustomize binary directly. Avoids imranismail/setup-kustomize@v2 - # which calls the Gitea API to record "kubernetes-sigs" user metrics - # against a user that does not exist in this Gitea instance. - run: | - set -euo pipefail - version="5.4.3" - url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz" - curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize - sudo mv /tmp/kustomize /usr/local/bin/kustomize - kustomize version - - - name: Determine image tag - id: tag - run: | - if [ "${{ github.ref }}" == "refs/heads/main" ]; then - echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" - else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" - fi - - - name: Update auth image tag in uat overlay - if: needs.build-and-push.result == 'success' - run: | - cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} - - - name: Commit and push to infra (via PR) - if: needs.build-and-push.result == 'success' - env: - CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} - run: | - set -euo pipefail - cd infra - git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" - git add apps/overlays/uat/kustomization.yaml - git diff --cached --quiet && { echo "No image changes to deploy"; exit 0; } - BRANCH="ci/deploy-uat-${GITHUB_SHA}" - git checkout -b "$BRANCH" - git commit -m "ci(uat): update auth image (${GITHUB_SHA::12})" - git push origin "$BRANCH" 2>&1 | tee /tmp/push.log - if grep -q "You are not allowed to push code to protected branches" /tmp/push.log; then - echo "::notice::Refusing to push directly to protected branch — falling back to contents API" - exit 0 - fi - TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: $base, title: $title, body: $body}') - PR_JSON=$(curl -sS -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d "$PR_BODY" \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") - PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty') - if [ -z "$PR_NUM" ]; then - echo "::error::Failed to open infra PR: $PR_JSON" - exit 1 - fi - echo "Opened cartsnitch/infra PR #${PR_NUM}" - REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '{"reviewers":["cs_savannah"]}' \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers") - if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then - echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" - fi - # CAR-1216: see deploy-dev — same never-fail on merge outcome. - MERGE_RESP=$(curl -sS -X POST \ - -H "Authorization: token ${CI_GITEA_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '{"Do":"merge","delete_branch_after_merge":true}' \ - "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") - MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') - if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra uat" - else - # CAR-1438: PR opened successfully; any non-merged outcome (empty body, - # approval-gate, pending checks) is the GitOps gate — not a failure. - echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" - exit 0 - fi