chore: Revert "feat(kustomize): Add origin annotations to calculate b… #3887
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| versionBump: | |
| description: 'The part of the version to bump' | |
| required: true | |
| default: 'patch' | |
| type: choice | |
| options: | |
| - patch | |
| - minor | |
| - major | |
| push: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - 'docs/**' | |
| - 'INTHEWILD.md' | |
| - 'README.md' | |
| - 'CHANGELOG.md' | |
| - '.github/**' | |
| - checkov/version.py | |
| - kubernetes/requirements.txt | |
| - coverage.svg | |
| - '.swm/**' | |
| - '.pre-commit-config.yaml' | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: 'build' | |
| cancel-in-progress: true | |
| jobs: | |
| security: | |
| uses: ./.github/workflows/security-shared.yml | |
| secrets: inherit | |
| integration-tests: | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| python: ["3.7", "3.8", "3.9", "3.10", "3.11"] | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4 | |
| with: | |
| python-version: ${{ matrix.python }} | |
| - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3 | |
| - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
| if: ${{ runner.os != 'windows' }} | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install pipenv | |
| run: | | |
| python -m pip install --no-cache-dir --upgrade pipenv | |
| - name: Build & install checkov package | |
| run: | | |
| # remove venv, if exists | |
| pipenv --rm || true | |
| pipenv --python ${{ matrix.python }} | |
| pipenv run pip install pytest pytest-xdist | |
| pipenv run python setup.py sdist bdist_wheel | |
| bash -c 'pipenv run pip install dist/checkov-*.whl' | |
| - name: Clone Terragoat - vulnerable terraform | |
| run: git clone https://github.com/bridgecrewio/terragoat | |
| - name: Clone Cfngoat - vulnerable cloudformation | |
| run: git clone https://github.com/bridgecrewio/cfngoat | |
| - name: Clone Kubernetes-goat - vulnerable kubernetes | |
| run: git clone https://github.com/madhuakula/kubernetes-goat | |
| - name: Clone kustomize-goat - vulnerable kustomize | |
| run: git clone https://github.com/bridgecrewio/kustomizegoat | |
| - name: Create checkov reports | |
| run: | | |
| # Just making sure the API key tests don't run on PRs | |
| bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"' | |
| env: | |
| LOG_LEVEL: INFO | |
| BC_KEY: ${{ secrets.BC_API_KEY }} | |
| TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }} | |
| GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run integration tests | |
| run: | | |
| pipenv run pytest integration_tests | |
| prisma-tests: | |
| runs-on: [ self-hosted, public, linux, x64 ] | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4 | |
| with: | |
| python-version: 3.7 | |
| - name: Install pipenv | |
| run: | | |
| python -m pip install --no-cache-dir --upgrade pipenv | |
| - name: Clone Terragoat - vulnerable terraform | |
| run: git clone https://github.com/bridgecrewio/terragoat | |
| - name: Build & install checkov package | |
| run: | | |
| # remove venv, if exists | |
| pipenv --rm || true | |
| pipenv --python 3.7 | |
| pipenv run pip install pytest pytest-xdist | |
| pipenv run python setup.py sdist bdist_wheel | |
| pipenv run pip install dist/checkov-*.whl | |
| - name: Run checkov with Prisma creds | |
| env: | |
| PRISMA_KEY: ${{ secrets.PRISMA_KEY }} | |
| PRISMA_API_URL: ${{ secrets.PRISMA_API_URL }} | |
| run: | | |
| pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt | |
| grep "prismacloud.io" checkov_report_prisma.txt | |
| exit $? | |
| unit-tests: | |
| timeout-minutes: 30 | |
| runs-on: [self-hosted, public, linux, x64] | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| - name: Set up Python 3.7 | |
| uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4 | |
| with: | |
| python-version: 3.7 | |
| - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install pipenv | |
| run: | | |
| python -m pip install --no-cache-dir --upgrade pipenv | |
| - name: Install dependencies | |
| run: | | |
| # remove venv, if exists | |
| pipenv --rm || true | |
| pipenv --python 3.7 | |
| pipenv install --dev | |
| - name: Test with pytest | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| pipenv run python -m pytest tests | |
| bump-version: | |
| needs: [integration-tests, unit-tests, prisma-tests] | |
| runs-on: [self-hosted, public, linux, x64] | |
| environment: release | |
| permissions: | |
| contents: write | |
| # IMPORTANT: this permission is mandatory for trusted publishing to pypi | |
| id-token: write | |
| timeout-minutes: 30 | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| with: | |
| token: ${{ secrets.GH_PAT_SECRET }} | |
| - name: Import GPG key | |
| id: import_gpg | |
| uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set up Python 3.7 | |
| uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4 | |
| with: | |
| python-version: 3.7 | |
| - name: Install pipenv | |
| run: | | |
| python -m pip install --no-cache-dir --upgrade pipenv | |
| - name: Install dependencies | |
| run: | | |
| # remove venv, if exists | |
| pipenv --rm || true | |
| pipenv --python 3.7 | |
| pipenv install | |
| - name: Calculate version | |
| run: | | |
| git fetch --tags --force | |
| latest_tag="$(git describe --tags "$(git rev-list --tags --max-count=1)")" | |
| echo "latest tag: $latest_tag" | |
| if [[ -z "${{ inputs.versionBump }}" ]] | |
| then | |
| version="patch" | |
| else | |
| version="${{ inputs.versionBump }}" | |
| fi | |
| case $version in | |
| minor) | |
| new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b+1 , 0)}') | |
| ;; | |
| major) | |
| new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a+1, 0 , 0)}') | |
| ;; | |
| patch) | |
| new_tag=$(echo "$latest_tag" | awk -F. -v a="$1" -v b="$2" -v c="$3" '{printf("%d.%d.%d", $1+a, $2+b , $3+1)}') | |
| ;; | |
| esac | |
| echo "new tag: $new_tag" | |
| echo "version=$new_tag" >> "$GITHUB_OUTPUT" | |
| # grab major version for later image tag usage | |
| major_version=$(echo "${new_tag}" | head -c1) | |
| echo "major_version=$major_version" >> "$GITHUB_OUTPUT" | |
| id: calculateVersion | |
| - name: version | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} | |
| run: | | |
| ## update docs | |
| export PYTHONPATH='.' | |
| # change the doc links to proper markdown versions | |
| export CHECKOV_CREATE_MARKDOWN_HYPERLINKS='True' | |
| git pull | |
| for i in cloudformation terraform kubernetes serverless arm dockerfile secrets github_configuration gitlab_configuration bitbucket_configuration github_actions gitlab_ci bicep openapi bitbucket_pipelines argo_workflows circleci_pipelines azure_pipelines ansible all | |
| do | |
| export scansdoc="docs/5.Policy Index/$i.md" | |
| echo "---" > "$scansdoc" | |
| echo "layout: default" >> "$scansdoc" | |
| echo "title: $i resource scans" >> "$scansdoc" | |
| echo "nav_order: 1" >> "$scansdoc" | |
| echo "---" >> "$scansdoc" | |
| echo "" >> "$scansdoc" | |
| echo "# $i resource scans (auto generated)" >> "$scansdoc" | |
| echo "" >> "$scansdoc" | |
| pipenv run python checkov/main.py --list --framework "$i" >> "$scansdoc" | |
| done | |
| #add cloudformation scans to serverless | |
| export scansdoc="docs/5.Policy Index/serverless.md" | |
| pipenv run python checkov/main.py --list --framework cloudformation >> "$scansdoc" | |
| git add "docs/5.Policy Index/*" | |
| git commit --reuse-message="HEAD@{1}" || echo "No changes to commit" | |
| git config --global user.name 'GitHub Actions Bot' | |
| git config --global user.email '[email protected]' | |
| new_tag=${{ steps.calculateVersion.outputs.version }} | |
| echo "new tag: $new_tag" | |
| ## update python version | |
| echo "version = '$new_tag'" > 'checkov/version.py' | |
| echo "checkov==$new_tag" > 'kubernetes/requirements.txt' | |
| git commit --reuse-message="HEAD@{1}" checkov/version.py kubernetes/requirements.txt || echo "No changes to commit" | |
| git push origin | |
| git tag $new_tag | |
| git push --tags | |
| id: version | |
| - name: create python package | |
| run: | | |
| pipenv run python setup.py sdist bdist_wheel | |
| - name: Publish a Python distribution to PyPI | |
| uses: pypa/gh-action-pypi-publish@f5622bde02b04381239da3573277701ceca8f6a0 # v1 | |
| - name: sleep and wait for package to refresh | |
| run: | | |
| sleep 2m | |
| outputs: | |
| version: ${{ steps.calculateVersion.outputs.version }} | |
| major_version: ${{ steps.calculateVersion.outputs.major_version }} | |
| publish-checkov-dockerhub: | |
| needs: bump-version | |
| uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main | |
| permissions: | |
| contents: read | |
| id-token: write # Enable OIDC | |
| packages: write | |
| with: | |
| image_name_dockerhub: bridgecrew/checkov | |
| image_name_ghcr: ghcr.io/${{ github.repository }} | |
| image_tag_full: ${{ needs.bump-version.outputs.version }} | |
| image_tag_short: ${{ needs.bump-version.outputs.major_version }} | |
| runner: "['self-hosted', 'public', 'linux', 'x64']" | |
| secrets: | |
| BC_API_KEY: ${{ secrets.BC_API_KEY }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| publish-checkov-k8s-dockerhub: | |
| needs: bump-version | |
| uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main | |
| permissions: | |
| contents: read | |
| id-token: write # Enable OIDC | |
| packages: write | |
| with: | |
| image_name_dockerhub: bridgecrew/checkov-k8s | |
| image_name_ghcr: ghcr.io/${{ github.repository }}-k8s | |
| image_tag_full: ${{ needs.bump-version.outputs.version }} | |
| image_tag_short: ${{ needs.bump-version.outputs.major_version }} | |
| dockerfile_path: kubernetes/Dockerfile | |
| runner: "['self-hosted', 'public', 'linux', 'x64']" | |
| secrets: | |
| BC_API_KEY: ${{ secrets.BC_API_KEY }} | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| publish-checkov-pyston-dockerhub: | |
| runs-on: [self-hosted, public, linux, x64] | |
| needs: bump-version | |
| environment: release | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| - name: Get release version | |
| id: versions | |
| run: | | |
| checkov_version=${{ needs.bump-version.outputs.version }} | |
| checkov_major_version=$(echo "${checkov_version}" | head -c1) | |
| echo "version=$checkov_version" >> "$GITHUB_OUTPUT" | |
| echo "major_version=$checkov_major_version" >> "$GITHUB_OUTPUT" | |
| - name: Publish to Registry | |
| uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5 | |
| with: | |
| name: bridgecrew/checkov | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| tags: "pyston,${{ steps.versions.outputs.version }}-pyston,${{ steps.versions.outputs.major_version }}-pyston" | |
| dockerfile: Dockerfile.pyston | |
| buildoptions: "--no-cache" | |
| update-bridgecrew-projects: | |
| needs: publish-checkov-dockerhub | |
| runs-on: [self-hosted, public, linux, x64] | |
| environment: release | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 | |
| - name: update checkov release | |
| run: | | |
| curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}" | |
| # trigger checkov-action update | |
| curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/checkov-action/dispatches --data '{"event_type": "build"}' | |
| # trigger bridgecrew-py update | |
| curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/bridgecrew-py/dispatches --data '{"event_type": "build"}' | |
| # trigger whorf update | |
| curl -XPOST -u "${{ secrets.GH_PAT_USER}}:${{secrets.GH_PAT_SECRET}}" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/bridgecrewio/whorf/dispatches --data '{"event_type": "release"}' |