diff --git a/.github/workflows/alauda-auto-tag.yaml b/.github/workflows/alauda-auto-tag.yaml
new file mode 100644
index 00000000..01d35d9c
--- /dev/null
+++ b/.github/workflows/alauda-auto-tag.yaml
@@ -0,0 +1,87 @@ +name: Auto Tag for Alauda + +on: + push: + branches: + - 'alauda-v*' + +permissions: + contents: write # create tags and releases + packages: write # upload packages + +jobs: + tag: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch all tags + + - name: Set up Git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Extract version and tag prefix + id: extract + run: | + BRANCH_NAME="${GITHUB_REF#refs/heads/}" + echo "Branch: $BRANCH_NAME" + + PREFIX="${BRANCH_NAME%%-*}" # alauda + BASE_VERSION="${BRANCH_NAME#${PREFIX}-}" # v0.62.1 + + VERSION_NO_V="${BASE_VERSION#v}" # 0.62.1 + MAJOR=$(echo "$VERSION_NO_V" | cut -d. -f1) + MINOR=$(echo "$VERSION_NO_V" | cut -d. -f2) + PATCH=$(echo "$VERSION_NO_V" | cut -d. -f3) + + echo "MAJOR: $MAJOR, MINOR: $MINOR, PATCH: $PATCH" + + # PATCH + 1 + NEXT_PATCH=$((PATCH + 1)) + echo "NEXT_PATCH=$NEXT_PATCH" + + NEXT_VERSION="v${MAJOR}.${MINOR}.${NEXT_PATCH}" # v0.62.2 + echo "NEXT_VERSION=$NEXT_VERSION" + + TAG_PREFIX="${NEXT_VERSION}-${PREFIX}" # v0.62.2-alauda + echo "TAG_PREFIX=$TAG_PREFIX" + + echo "prefix=$PREFIX" >> $GITHUB_OUTPUT + echo "base_version=$BASE_VERSION" >> $GITHUB_OUTPUT + echo "tag_prefix=$TAG_PREFIX" >> $GITHUB_OUTPUT + + - name: Find latest tag with this prefix + id: latest + run: | + TAG_PREFIX="${{ steps.extract.outputs.tag_prefix }}" + echo "Looking for tags with prefix: $TAG_PREFIX" + + EXISTING_TAGS=$(git tag --list "${TAG_PREFIX}-*" | sort -V) + echo "Existing tags: $EXISTING_TAGS" + + MAX_INDEX=-1 + for tag in $EXISTING_TAGS; do + NUM=${tag##*-} + if [[ "$NUM" =~ ^[0-9]+$ && "$NUM" -gt "$MAX_INDEX" ]]; then + MAX_INDEX=$NUM + fi + done + + NEW_INDEX=$((MAX_INDEX + 1)) + NEW_TAG="${TAG_PREFIX}-${NEW_INDEX}" + + echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT + + - name: Create and push new tag + run: | + NEW_TAG="${{ 
steps.latest.outputs.new_tag }}" + git tag "$NEW_TAG" + git push origin "$NEW_TAG" + + release-alauda: + name: Release Alauda + needs: [tag] + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 56a260fb..5c4081ba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -2,9 +2,9 @@ name: Build on: pull_request: - branches: ['main'] + branches: ['main', 'alauda-v*'] push: - branches: [ main ] + branches: ['main', 'alauda-v*'] schedule: - cron: '0 0 * * *' diff --git a/.github/workflows/release-alauda.yaml b/.github/workflows/release-alauda.yaml new file mode 100644 index 00000000..8898f8d7 --- /dev/null +++ b/.github/workflows/release-alauda.yaml @@ -0,0 +1,16 @@ +name: Release Alauda + +on: + push: + tags: + - "v*-alauda-*" + workflow_dispatch: + +permissions: + contents: write # create releases + packages: write # upload packages + +jobs: + release-alauda: + name: Release Alauda + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/reusable-release-alauda.yaml b/.github/workflows/reusable-release-alauda.yaml new file mode 100644 index 00000000..5749df85 --- /dev/null +++ b/.github/workflows/reusable-release-alauda.yaml @@ -0,0 +1,33 @@ +name: Release Alauda + +on: + workflow_call: + +permissions: + contents: write + packages: write + +jobs: + release: + name: alauda-release + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release -f=.goreleaser-alauda.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scan-alauda.yaml b/.github/workflows/scan-alauda.yaml new file mode 100644 index 00000000..54637346 --- /dev/null 
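Review bot: In the `Find latest tag with this prefix` and `Create and push new tag` steps, `${{ steps.extract.outputs.tag_prefix }}` and `${{ steps.latest.outputs.new_tag }}` are expanded into the `run:` script before the shell parses it, and both values derive from the pushed branch name, which git permits to contain `"`, `;`, `$` and backticks. Only someone who can already push an `alauda-v*` branch can exercise that, so the exposure is limited, but the documented hardening is to hand the value over as data: `env:` / `  TAG_PREFIX: ${{ steps.extract.outputs.tag_prefix }}` on the step and then read `"$TAG_PREFIX"` inside the script (likewise for `NEW_TAG`). The workflow-level `permissions` also grant `packages: write`, although neither the `tag` job nor the goreleaser config introduced in this commit publishes a package, so `permissions` is better declared per job with `contents: write` only where it is needed; the same applies to `release-alauda.yaml` and `reusable-release-alauda.yaml` in this commit. The `>> $GITHUB_OUTPUT` redirections are the only unquoted expansions in an otherwise carefully quoted script; `>> "$GITHUB_OUTPUT"` keeps it consistent.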
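Review bot: The three `uses:` references in the `release` job (`actions/checkout@v4.1.6`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`) resolve mutable tags at run time, in a job that holds `contents: write` and a `GITHUB_TOKEN` able to publish releases; pinning each to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha> # v4.1.6`, placeholder) makes the release toolchain reproducible and removes the tag-retarget risk, and the same applies to `alauda-auto-tag.yaml` and `scan-alauda.yaml` in this commit. Also, `args: release -f=.goreleaser-alauda.yml` names the config relative to the job's working directory with no `workdir:` input, while the file is added at `image/git-init/.goreleaser-alauda.yml` and that config's `main: ./image/git-init` reads as a repo-root-relative path; I can't tell from the diff which directory is intended, but the two cannot both be right, so setting `workdir:` explicitly (or `-f=image/git-init/.goreleaser-alauda.yml`) would remove the ambiguity. `go-version-file: go.mod` here versus `image/git-init/go.mod` in `scan-alauda.yaml` is the same question.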
+++ b/.github/workflows/scan-alauda.yaml
@@ -0,0 +1,34 @@
+name: Scan vulnerabilities for Alauda
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Scan Go vulnerabilities
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4.1.6
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: "image/git-init/go.mod"
+ cache: false
+
+ - name: Set up GoReleaser
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ version: v2.1.0
+ args: release --snapshot -f=.goreleaser-alauda.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'rootfs'
+ scan-ref: 'dist/git-init_linux_amd64_v1/alauda-git-init'
+ exit-code: 1
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
new file mode 100644
index 00000000..7a16179e
--- /dev/null
+++ b/DEVELOPMENT.md
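Review bot: The `build` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permission set even though the job only checks out, builds a snapshot and runs Trivy locally; `permissions:` / `  contents: read` at the top of the workflow is the least-privilege equivalent. The `GITHUB_TOKEN` passed to the GoReleaser step looks unnecessary for a `--snapshot` build, which publishes nothing, so dropping that `env:` keeps the token out of a step that does not need it — if goreleaser does read it for changelog lookups, `contents: read` suffices. Trivy runs with `exit-code: 1` and no `severity` filter, which is a defensible nightly policy, but a one-line comment above the step (`# any finding, at any severity, fails the scheduled scan`) would make that choice explicit to the next maintainer.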
@@ -0,0 +1,65 @@ +# Git alauda Branch Development Guide + +## Background + +Previously, git was used as a general-purpose CLI in multiple plugins, each needing to fix git's own vulnerabilities independently. + +To avoid duplicate work, we forked the current repository from [git](https://github.com/tektoncd-catalog/git-clone.git) and maintain it through the `alauda-vx.xx.xx` branch. + +We use [renovate](https://gitlab-ce.alauda.cn/devops/tech-research/renovate/-/blob/main/docs/quick-start/0002-quick-start.md) to automatically fix vulnerabilities in corresponding versions. + +## Repository Structure + +Based on the original code, the following content has been added: + +- [alauda-auto-tag.yaml](./.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser when a PR is merged into the `alauda-vx.xx.xx` branch +- [release-alauda.yaml](./.github/workflows/release-alauda.yaml): Supports tag updates or manual triggering of goreleaser (this pipeline is not triggered when tags are automatically created in actions, as actions are designed not to recursively trigger multiple actions) +- [reusable-release-alauda.yaml](./.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create releases +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Performs trivy vulnerability scans (`rootfs` scans go binary) +- [.goreleaser-alauda.yml](image/git-init/.goreleaser-alauda.yml): Configuration file for releasing alauda versions + +## Special Modifications + +1. [.goreleaser-alauda.yml](image/git-init/.goreleaser-alauda.yml) is located in the build directory `image/git-init` +2. The trigger condition for [build.yaml](.github/workflows/build.yaml) has been added with the `alauda-v*` branch + +## Pipelines + +### Triggered When Submitting a PR + +- [build.yaml](.github/workflows/build.yaml): Official testing pipeline, including unit tests, integration tests, etc. 
+ +### Triggered When Merging into the alauda-vx.xx.xx Branch + +- [alauda-auto-tag.yaml](.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser +- [reusable-release-alauda.yaml](.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create releases (triggered by `alauda-auto-tag.yaml`) + +### Scheduled or Manual Triggering + +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Performs trivy vulnerability scans (`rootfs` scans go binary) + +### Others + +Other officially maintained pipelines have not been modified, and some irrelevant pipelines have been disabled on the Action page. + +## Renovate Vulnerability Fixing Mechanism + +The renovate configuration file is [renovate.json](https://github.com/AlaudaDevops/trivy/blob/main/renovate.json) + +1. renovate detects vulnerabilities in branches and submits PRs for fixes +2. PRs automatically run tests +3. After all tests pass, renovate automatically merges the PR +4. After the branch is updated, an action automatically tags (e.g., v0.62.1-alauda-0, both patch version and the last digit will increment) +5. goreleaser automatically publishes releases based on tags + +## Maintenance Plan + +When upgrading to a new version, follow these steps: + +1. Create an alauda branch from the corresponding tag, for example, the `v0.62.1` tag corresponds to the `alauda-v0.62.1` branch +2. Cherry-pick previous alauda branch changes to the new branch and push + +Renovate automatic fixing mechanism: +1. After renovate submits a PR, pipelines will automatically run; if all tests pass, the PR will be automatically merged +2. After merging into the `alauda-v0.62.1` branch, goreleaser will automatically create a `v0.62.2-alauda-0` release (note: not `v0.62.1-alauda-0`, because upgrading the version allows renovate to recognize it) +3. renovate configured in other plugins will automatically fetch artifacts from releases based on configuration 
diff --git a/image/git-init/.goreleaser-alauda.yml b/image/git-init/.goreleaser-alauda.yml
new file mode 100644
index 00000000..99fc8ad9
--- /dev/null
+++ b/image/git-init/.goreleaser-alauda.yml
@@ -0,0 +1,64 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+ hooks:
+ # You may remove this if you don't use go modules.
+ - go mod tidy
+
+builds:
+ - id: git-init
+ env:
+ - CGO_ENABLED=0
+ - GODEBUG="http2server=0"
+ - GOFLAGS=-buildvcs=false
+ goos:
+ - linux
+ goarch:
+ - amd64
+ - arm64
+ ldflags:
+ - -w -s -X knative.dev/pkg/changeset.rev={{.Version}}
+ flags:
+ - -trimpath
+ tags:
+ - disable_gcp
+ main: ./image/git-init
+ binary: alauda-git-init
+
+archives:
+ - id: archive
+ format: tar.gz
+ name_template: >-
+ {{ .ProjectName }}_
+ {{- title .Os }}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "386" }}i386
+ {{- else }}{{ .Arch }}{{ end }}
+ {{- if .Arm }}v{{ .Arm }}{{ end }}
+ format_overrides:
+ - goos: windows
+ format: zip
+
+changelog:
+ sort: asc
+ filters:
+ exclude:
+ - "^docs:"
+ - "^test:"
+
+release:
+ footer: >-
+
+ ---
+
+ This release is intended for use only as part of the Alauda product suite.
+ It is not recommended for use by individuals or teams outside of Alauda.
+ Any consequences arising from its use are the sole responsibility of the user.
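Review bot: The `GODEBUG="http2server=0"` entry in `builds[].env` probably does not do what it reads as: the double quotes are part of the plain YAML scalar and reach the build environment literally, and a `GODEBUG` variable present while `go build` runs configures the toolchain process, not the defaults compiled into the produced binary. If the intent is to ship `alauda-git-init` with the HTTP/2 server disabled, that belongs in source as a `//go:debug http2server=0` directive in the main package (or a `godebug` line in go.mod), and the resulting default can be checked with `go version -m` on the artifact. Separately, the `before.hooks` entry `go mod tidy` allows a release build to rewrite `go.mod`/`go.sum` at release time; a verification step such as `go mod verify` asserts the reviewed dependency set instead of letting it drift. The `format_overrides` for `windows` is dead configuration given that only `linux` is listed under `goos`.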