diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml index 54bd0682..e0eead2c 100644 --- a/.github/workflows/backport.yaml +++ b/.github/workflows/backport.yaml @@ -17,7 +17,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - name: Create backport PRs - uses: korthout/backport-action@addffea45a2f0b5682f1d5ba0506f45bc18bf174 # v2.3.0 + uses: korthout/backport-action@e8161d6a0dbfa2651b7daa76cbb75bc7c925bbf3 # v2.4.1 # xref: https://github.com/korthout/backport-action#inputs with: # Use token to allow workflows to be triggered for the created PR diff --git a/.github/workflows/e2e-arm64.yaml b/.github/workflows/e2e-arm64.yaml index e6aa8d2b..34a18134 100644 --- a/.github/workflows/e2e-arm64.yaml +++ b/.github/workflows/e2e-arm64.yaml @@ -63,33 +63,6 @@ jobs: kubectl -n flux-system wait kustomization/tenants --for=condition=ready --timeout=5m kubectl -n apps wait kustomization/dev-team --for=condition=ready --timeout=1m kubectl -n apps wait helmrelease/podinfo --for=condition=ready --timeout=1m - - name: Run monitoring tests - # Keep this test in sync with https://fluxcd.io/flux/guides/monitoring/ - env: - KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }} - run: | - ./bin/flux create source git flux-monitoring \ - --interval=30m \ - --url=https://github.com/fluxcd/flux2 \ - --branch=${GITHUB_REF#refs/heads/} - ./bin/flux create kustomization kube-prometheus-stack \ - --interval=1h \ - --prune \ - --source=flux-monitoring \ - --path="./manifests/monitoring/kube-prometheus-stack" \ - --health-check-timeout=5m \ - --wait - ./bin/flux create kustomization monitoring-config \ - --depends-on=kube-prometheus-stack \ - --interval=1h \ - --prune=true \ - --source=flux-monitoring \ - --path="./manifests/monitoring/monitoring-config" \ - --health-check-timeout=1m \ - --wait - kubectl -n flux-system wait kustomization/kube-prometheus-stack --for=condition=ready --timeout=5m - kubectl -n flux-system wait kustomization/monitoring-config --for=condition=ready --timeout=5m - kubectl -n monitoring wait helmrelease/kube-prometheus-stack --for=condition=ready --timeout=1m - name: Debug failure if: failure() env: diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml index 67743f3f..3f45f046 100644 --- a/.github/workflows/e2e-azure.yaml +++ b/.github/workflows/e2e-azure.yaml @@ -92,7 +92,7 @@ jobs: env: SOPS_VER: 3.7.1 - name: Authenticate to Azure - uses: Azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.4.6 + uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.4.6 with: creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}' - name: Set dynamic variables in .env @@ -123,3 +123,14 @@ jobs: echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub export GITREPO_SSH_PUB_PATH=build/ssh/key.pub make test-azure + - name: Ensure resource cleanup + if: ${{ always() }} + env: + ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }} + TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }} + TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }} + TF_VAR_location: ${{ vars.TF_VAR_azure_location }} + run: source .env && make destroy-azure diff --git a/.github/workflows/e2e-gcp.yaml b/.github/workflows/e2e-gcp.yaml index 1e85a4cc..902a24c2 100644 --- a/.github/workflows/e2e-gcp.yaml +++ b/.github/workflows/e2e-gcp.yaml @@ -46,13 +46,13 @@ jobs: env: SOPS_VER: 3.7.1 - name: Authenticate to Google Cloud - uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 id: 'auth' with: credentials_json: '${{ secrets.FLUX2_E2E_GOOGLE_CREDENTIALS }}' token_format: 'access_token' - name: Setup gcloud - uses: google-github-actions/setup-gcloud@5a5f7b85fca43e76e53463acaa9d408a03c98d3a # v2.0.1 + uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - name: Setup QEMU uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Setup Docker Buildx @@ -90,3 +90,13 @@ jobs: echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub export GITREPO_SSH_PUB_PATH=build/ssh/key.pub make test-gcp + - name: Ensure resource cleanup + if: ${{ always() }} + env: + TF_VAR_gcp_project_id: ${{ vars.TF_VAR_gcp_project_id }} + TF_VAR_gcp_region: ${{ vars.TF_VAR_gcp_region }} + TF_VAR_gcp_zone: ${{ vars.TF_VAR_gcp_zone }} + TF_VAR_gcp_email: ${{ secrets.TF_VAR_gcp_email }} + TF_VAR_gcp_keyring: ${{ secrets.TF_VAR_gcp_keyring }} + TF_VAR_gcp_crypto_key: ${{ secrets.TF_VAR_gcp_crypto_key }} + run: source .env && make destroy-gcp diff --git a/.github/workflows/ossf.yaml b/.github/workflows/ossf.yaml index d1b80c1a..d5dee948 100644 --- a/.github/workflows/ossf.yaml +++ b/.github/workflows/ossf.yaml @@ -28,7 +28,7 @@ jobs: repo_token: ${{ secrets.GITHUB_TOKEN }} publish_results: true - name: Upload artifact - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6dc904d7..3b79d224 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -34,7 +34,7 @@ jobs: id: buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Setup Syft - uses: anchore/sbom-action/download-syft@719133684c7d294116626d1344fe64f0d2ff3e9e # v0.15.2 + uses: anchore/sbom-action/download-syft@24b0d5238516480139aa8bc6f92eeb7b54a9eb0a # v0.15.5 - name: Setup Cosign uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 - name: Setup Kustomize