stolostron · yiraeChristineKim · Jan 24, 2023 · Jan 25, 2023 · Jan 26, 2023 · Jan 26, 2023
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,16 +4,20 @@ updates:
   - package-ecosystem: "npm"
     directory: "/website"
     schedule:
-      interval: "daily"
+      interval: "weekly"
     commit-message:
       prefix: "chore"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
     commit-message:
       prefix: "chore"
+    groups:
+      all:
+        patterns:
+        - "*"
 
   - package-ecosystem: "gomod"
     directory: "/"
@@ -26,3 +30,36 @@ updates:
         update-types:
         - "version-update:semver-major"
         - "version-update:semver-minor"
+    groups:
+      k8s:
+        patterns:
+        - "k8s.io/*"
+        - "sigs.k8s.io/*"
+
+  - package-ecosystem: "docker"
+    directory: /
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/build/tooling"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/test/externaldata/dummy-provider"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "docker"
+    directory: "/test/image"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
@@ -3,47 +3,47 @@ on:
   issue_comment:
     types: [created]
 
-jobs:  
+permissions:
+  contents: read
+
+jobs:
   benchmark:
     name: "Benchmark"
     if: github.event.issue.pull_request && github.event.comment.body == '/benchmark'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 60
     permissions:
       contents: write
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - uses: izhangzhihao/delete-comment@98aa1ea5c6304048edf951c20b3114e03c785c79
-        with: 
+        with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           delete_user_name: github-actions[bot]
           issue_number: ${{ github.event.issue.number }}
 
-      - name: install kubebuilder
-        run: |
-          curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz" &&\
-            tar -zxvf kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz &&\
-            sudo mv kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64 /usr/local/kubebuilder
-        env:
-          KUBEBUILDER_VERSION: 2.3.1
-
       - name: Update status
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         with:
           issue-number: ${{ github.event.issue.number }}
           body: |
             [Running benchmark here...](${{ github.server.url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
 
       - name: Check out base code into the Go module directory
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2
         with:
           ref: ${{ github.base_ref }}
 
       - name: Run benchmarks on base ref
         run: make benchmark-test BENCHMARK_FILE_NAME="../base_benchmarks.txt"
-      
+
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2
 
       - name: Run benchmark with incoming changes
         run: make benchmark-test BENCHMARK_FILE_NAME="pr_benchmarks.txt"
@@ -61,11 +61,11 @@ jobs:
           echo '$delimiter' >> $GITHUB_OUTPUT
 
       - name: Create commit comment
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@c6c9a1a66007646a28c153e2a8580a5bad27bcfa # v3.0.2
         with:
           issue-number: ${{ github.event.issue.number }}
           body: |
             This PR compares its performance to the latest released version. If it performs significantly lower, consider optimizing your changes to improve the performance.
-            ```  
+            ```
             ${{ steps.get-comment-body.outputs.msg }}
             ```
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -11,21 +11,26 @@ permissions: read-all
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       security-events: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02
+        uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85
         with:
           languages: go
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02
+        uses: github/codeql-action/autobuild@fdcae64e1484d349b3366718cdfef3d404390e85
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02
+        uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85
diff --git a/.github/workflows/dapr-pubsub.yaml b/.github/workflows/dapr-pubsub.yaml
@@ -0,0 +1,64 @@
+name: dapr-pubsub
+on:
+  push:
+    paths:
+      - "pkg/pubsub/dapr"
+      - "test/pubsub/**"
+  pull_request:
+    paths:
+      - "pkg/pubsub/dapr"
+      - "test/pubsub/**"
+permissions: read-all
+
+jobs:
+  dapr_test:
+    name: "Dapr pubsub test"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        DAPR_VERSION: ["1.10"]
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+    - name: Bootstrap e2e
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/bin
+        mkdir .tmp
+        echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+        make e2e-bootstrap
+        make e2e-helm-install
+        helm repo add dapr https://dapr.github.io/helm-charts/
+        helm repo add bitnami https://charts.bitnami.com/bitnami
+        helm repo update
+        helm upgrade --install dapr dapr/dapr --version=${{ matrix.DAPR_VERSION }} --namespace dapr-system --create-namespace --wait --debug
+        helm upgrade --install redis bitnami/redis --namespace default --set image.tag=7.0-debian-11 --wait --debug
+        make e2e-subscriber-build-load-image
+        make e2e-subscriber-deploy
+
+    - name: Run e2e
+      run: |
+        make docker-buildx IMG=gatekeeper-e2e:latest
+        make e2e-build-load-externaldata-image
+        make docker-buildx-crds CRD_IMG=gatekeeper-crds:latest
+        kind load docker-image --name kind gatekeeper-e2e:latest gatekeeper-crds:latest
+        kubectl create ns gatekeeper-system
+        make e2e-publisher-deploy
+        make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_PUBSUB=true
+        make test-e2e ENABLE_PUBSUB_TESTS=1
+
+    - name: Save logs
+      if: ${{ always() }}
+      run: |
+        kubectl logs -n fake-subscriber -l app=sub --tail=-1 > logs-audit-subscribe.json
+        kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit-publish.json
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v3
+      if: ${{ always() }}
+      with:
+        name: pubsub-logs
+        path: |
+          logs-*.json
+
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
diff --git a/.github/workflows/license-lint.yaml b/.github/workflows/license-lint.yaml
@@ -0,0 +1,42 @@
+name: license-lint
+on:
+  push:
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "vendor/**"
+  pull_request:
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "vendor/**"
+
+permissions:
+  contents: read
+
+jobs:
+  license-lint:
+    name: "license-lint"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Set up Go
+        uses: actions/setup-go@v4 # v4.0.1
+        with:
+          go-version: "1.21"
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v3.5.2
+
+      - name: license-lint
+        run: |
+          export GOPATH="$HOME/go"
+          PATH="$GOPATH/bin:$PATH"
+          ./third_party/k8s.io/kubernetes/hack/verify-licenses.sh
diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml
@@ -0,0 +1,73 @@
+name: pre-release
+on:
+  push:
+    branches:
+      - master
+
+permissions: read-all
+
+env:
+  IMAGE_REPO: openpolicyagent/gatekeeper
+  CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
+  GATOR_IMAGE_REPO: openpolicyagent/gator
+
+jobs:
+  pre-release:
+    name: "Pre Release"
+    runs-on: "ubuntu-22.04"
+    if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
+
+      - name: Publish development
+        run: |
+          make docker-login
+
+          tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull"
+          bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')"
+          listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list"
+          authz="Authorization: Bearer $bearerToken"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-dev \
+              DEV_TAG=${GITHUB_SHA::7} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-crds-dev \
+              DEV_TAG=${GITHUB_SHA::7} \
+              PLATFORM="linux/amd64,linux/arm64" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+
+          listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
+          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
+          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
+          if [[ $exists == null ]]
+          then
+            make docker-buildx-gator-dev \
+              DEV_TAG=${GITHUB_SHA::7} \
+              PLATFORM="linux/amd64,linux/arm64,linux/arm/v7" \
+              OUTPUT_TYPE=type=registry \
+              GENERATE_ATTESTATIONS=true
+          fi
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}