diff --git a/.github/workflows/alauda-auto-tag.yaml b/.github/workflows/alauda-auto-tag.yaml new file mode 100644 index 0000000000..f3b08279a7 --- /dev/null +++ b/.github/workflows/alauda-auto-tag.yaml @@ -0,0 +1,87 @@ +name: Auto Tag for Alauda + +on: + push: + branches: + - 'alauda-v*' + +permissions: + contents: write # create tags and releases + packages: write # upload packages + +jobs: + tag: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch all tags + + - name: Set up Git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Extract version and tag prefix + id: extract + run: | + BRANCH_NAME="${GITHUB_REF#refs/heads/}" + echo "Branch: $BRANCH_NAME" + + PREFIX="${BRANCH_NAME%%-*}" # alauda + BASE_VERSION="${BRANCH_NAME#${PREFIX}-}" # v0.62.1 + + VERSION_NO_V="${BASE_VERSION#v}" # 0.62.1 + MAJOR=$(echo "$VERSION_NO_V" | cut -d. -f1) + MINOR=$(echo "$VERSION_NO_V" | cut -d. -f2) + PATCH=$(echo "$VERSION_NO_V" | cut -d. -f3) + + echo "MAJOR: $MAJOR, MINOR: $MINOR, PATCH: $PATCH" + + # PATCH + 1 + NEXT_PATCH=$((PATCH + 1)) + echo "NEXT_PATCH=$NEXT_PATCH" + + NEXT_VERSION="v${MAJOR}.${MINOR}.${NEXT_PATCH}" # v0.62.2 + echo "NEXT_VERSION=$NEXT_VERSION" + + TAG_PREFIX="${NEXT_VERSION}-${PREFIX}" # v0.62.2-alauda + echo "TAG_PREFIX=$TAG_PREFIX" + + echo "prefix=$PREFIX" >> $GITHUB_OUTPUT + echo "base_version=$BASE_VERSION" >> $GITHUB_OUTPUT + echo "tag_prefix=$TAG_PREFIX" >> $GITHUB_OUTPUT + + - name: Find latest tag with this prefix + id: latest + run: | + TAG_PREFIX="${{ steps.extract.outputs.tag_prefix }}" + echo "Looking for tags with prefix: $TAG_PREFIX" + + EXISTING_TAGS=$(git tag --list "${TAG_PREFIX}-*" | sort -V) + echo "Existing tags: $EXISTING_TAGS" + + MAX_INDEX=-1 + for tag in $EXISTING_TAGS; do + NUM=${tag##*-} + if [[ "$NUM" =~ ^[0-9]+$ && "$NUM" -gt "$MAX_INDEX" ]]; then + MAX_INDEX=$NUM + fi + done + + NEW_INDEX=$((MAX_INDEX + 1)) + NEW_TAG="${TAG_PREFIX}-${NEW_INDEX}" + + echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT + + - name: Create and push new tag + run: | + NEW_TAG="${{ steps.latest.outputs.new_tag }}" + git tag "$NEW_TAG" + git push origin "$NEW_TAG" + + release-alauda: + name: Release Alauda + needs: [tag] + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 973cecb9b2..268653363b 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -10,15 +10,15 @@ jobs: runs-on: ubuntu-latest steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v4 + - name: Set up Go uses: actions/setup-go@v5 with: - go-version: '^1.20' + go-version-file: go.mod id: go - - name: Check out code into the Go module directory - uses: actions/checkout@v4 - - name: Get dependencies run: | go get -v -t -d ./... diff --git a/.github/workflows/release-alauda.yaml b/.github/workflows/release-alauda.yaml new file mode 100644 index 0000000000..8898f8d740 --- /dev/null +++ b/.github/workflows/release-alauda.yaml @@ -0,0 +1,16 @@ +name: Release Alauda + +on: + push: + tags: + - "v*-alauda-*" + workflow_dispatch: + +permissions: + contents: write # create releases + packages: write # upload packages + +jobs: + release-alauda: + name: Release Alauda + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/reusable-release-alauda.yaml b/.github/workflows/reusable-release-alauda.yaml new file mode 100644 index 0000000000..5749df851d --- /dev/null +++ b/.github/workflows/reusable-release-alauda.yaml @@ -0,0 +1,33 @@ +name: Release Alauda + +on: + workflow_call: + +permissions: + contents: write + packages: write + +jobs: + release: + name: alauda-release + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release -f=.goreleaser-alauda.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scan-alauda.yaml b/.github/workflows/scan-alauda.yaml new file mode 100644 index 0000000000..c8bc631033 --- /dev/null +++ b/.github/workflows/scan-alauda.yaml @@ -0,0 +1,34 @@ +name: Scan vulnerabilities for Alauda +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + build: + name: Scan Go vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: "go.mod" + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release --snapshot -f=.goreleaser-alauda.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'rootfs' + scan-ref: 'dist/yq_linux_amd64_v1/alauda-yq' + exit-code: 1 diff --git a/.github/workflows/sync-to-nexus.yml b/.github/workflows/sync-to-nexus.yml new file mode 100644 index 0000000000..b538433538 --- /dev/null +++ b/.github/workflows/sync-to-nexus.yml @@ -0,0 +1,100 @@ +name: Sync Release To Nexus + +# Triggers a Tekton PipelineRun on the in-cluster ARC runner whenever an +# alauda-suffixed tag is pushed. The pipeline waits for the corresponding +# GitHub Release to be ready, then mirrors its assets to the internal +# Nexus under both a versioned path and a `latest/` channel. + +on: + push: + tags: + - 'v*-alauda-*' + +jobs: + trigger-sync: + # Base ARC runner image already bundles tkn / kubectl / curl / jq / yq; + # no `container:` override needed. + runs-on: alauda-devops-runner + steps: + - name: create PipelineRun and follow logs + env: + TEKTON_NS: devops + # Pipeline source: catalog "extras" via Tekton Hub resolver. + # Bump PIPELINE_VERSION together with catalog releases. + PIPELINE_CATALOG: extras + PIPELINE_NAME: sync-github-release-to-nexus + PIPELINE_VERSION: "0.1" + # Component-aware PipelineRun name so the run is identifiable + # at a glance in `kubectl get pipelinerun` listings: + # `sync---`. `github.event.repository.name` + # is just the repo without the owner (e.g. `yq`, `yq-private`, + # `trivy`, `cosign`, `chains`). `run_id` is globally unique; + # `run_attempt` disambiguates retries of the same run. + PR_NAME: sync-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} + REPO: ${{ github.repository }} + # On `push: tags:` events, github.ref_name is the tag itself. + TAG: ${{ github.ref_name }} + RELEASE_URL: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ github.ref_name }} + run: | + set -euo pipefail + + # Source-repo label uses dots instead of slashes to satisfy + # Kubernetes label value charset (no '/'). + SOURCE_REPO_LABEL="${REPO//\//.}" + + # Create PipelineRun with metadata.name (not generateName) so the + # PR name is known up front for `tkn pr logs -f` below. + # github-token workspace intentionally omitted: forks are public, + # pipeline declares it `optional: true` and falls back to anonymous. + cat <- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + format_overrides: + - goos: windows + format: zip + +changelog: + sort: asc + filters: + exclude: + - "^docs:" + - "^test:" + +release: + footer: >- + + --- + + This release is intended for use only as part of the Alauda product suite. + It is not recommended for use by individuals or teams outside of Alauda. + Any consequences arising from its use are the sole responsibility of the user. diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 0000000000..7cce5a4457 --- /dev/null +++ b/DEVELOPMENT.md @@ -0,0 +1,64 @@ +# YQ alauda Branch Development Guide + +## Background + +Previously, yq was used as a general-purpose CLI across multiple plugins, each needing to fix vulnerabilities in yq independently. + +To avoid duplicated efforts, we forked the [yq](https://github.com/mikefarah/yq) repository and maintain it through branches named `alauda-vx.xx.xx`. + +We use [renovate](https://gitlab-ce.alauda.cn/devops/tech-research/renovate/-/blob/main/docs/quick-start/0002-quick-start.md) to automatically fix vulnerabilities in corresponding versions. + +## Repository Structure + +Based on the original code, the following content has been added: + +- [alauda-auto-tag.yaml](./.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser when a PR is merged into the `alauda-vx.xx.xx` branch +- [release-alauda.yaml](./.github/workflows/release-alauda.yaml): Supports triggering goreleaser manually or upon tag updates (this pipeline isn't triggered when tags are created by actions due to GitHub Actions design limitations) +- [reusable-release-alauda.yaml](./.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create a release +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Runs trivy vulnerability scans (`rootfs` scans for Go binaries) +- [.goreleaser-alauda.yml](.goreleaser-alauda.yml): Configuration file for releasing alauda versions + +## Special Modifications + +None at present + +## Pipelines + +### Triggered on PR Submission + +- [tests.yaml](.github/workflows/tests.yaml): Official testing pipeline including unit tests, integration tests, etc. + +### Triggered on Merge to alauda-vx.xx.xx Branch + +- [alauda-auto-tag.yaml](.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser +- [reusable-release-alauda.yaml](.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create a release (triggered by `alauda-auto-tag.yaml`) + +### Scheduled or Manual Triggering + +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Runs trivy vulnerability scans (`rootfs` scans for Go binaries) + +### Others + +Other officially maintained pipelines remain unchanged; some irrelevant pipelines have been disabled on the Actions page. + +## Renovate Vulnerability Fix Mechanism + +The renovate configuration file is [renovate.json](https://github.com/AlaudaDevops/trivy/blob/main/renovate.json) + +1. renovate detects vulnerabilities in the branch and submits a PR for fixes +2. Tests run automatically on the PR +3. After all tests pass, renovate automatically merges the PR +4. After the branch updates, an action automatically tags the commit (e.g., v0.62.1-alauda-0, with patch version and last digit incremented) +5. goreleaser automatically publishes a release based on the tag + +## Maintenance Plan + +When upgrading to a new version, follow these steps: + +1. Create an alauda branch from the corresponding tag, e.g., tag `v0.62.1` corresponds to branch `alauda-v0.62.1` +2. Cherry-pick previous alauda branch changes onto the new branch and push + +Renovate automatic fix mechanism: +1. After renovate submits a PR, pipelines run automatically; if all tests pass, the PR will be merged automatically +2. After merging into the `alauda-v0.62.1` branch, goreleaser will automatically create a `v0.62.2-alauda-0` release (note: not `v0.62.1-alauda-0`, because upgrading the version allows renovate to recognize it) +3. renovate configured in other plugins will automatically fetch artifacts from the release according to its configuration diff --git a/Dockerfile b/Dockerfile index ba15203631..a598c449ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.5 AS builder +FROM golang:1.26.2 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index d1dddc9182..51209dc664 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.5 +FROM golang:1.26.2 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/cmd/utils_test.go b/cmd/utils_test.go index 67d45110da..f782bfccce 100644 --- a/cmd/utils_test.go +++ b/cmd/utils_test.go @@ -3,6 +3,7 @@ package cmd import ( "fmt" "os" + "slices" "strings" "testing" @@ -907,15 +908,8 @@ func (f *mockBoolFlag) Type() string { // Helper function to compare string slices func stringsEqual(a, b []string) bool { - if len(a) != len(b) { - return false - } - for i := range a { - if a[i] != b[i] { - return false - } - } - return true + // Use the standard library comparator to avoid manual index handling. + return slices.Equal(a, b) } func TestSetupColors(t *testing.T) { diff --git a/go.mod b/go.mod index 4d2625e6c2..f0a1cc4c1f 100644 --- a/go.mod +++ b/go.mod @@ -30,6 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.24 - -toolchain go1.24.1 +go 1.26.2 diff --git a/scripts/devtools.sh b/scripts/devtools.sh index 7dac5be4af..2f501825de 100755 --- a/scripts/devtools.sh +++ b/scripts/devtools.sh @@ -1,5 +1,11 @@ #!/bin/sh set -ex + +# Keep tooling installation deterministic and aligned with the active Go toolchain. +# This avoids prebuilt golangci-lint binaries being built by an older Go version. +GOLANGCI_LINT_VERSION=v2.11.2 +GOSEC_VERSION=v2.22.5 + go mod download golang.org/x/tools@latest -curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.1.5 -curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s v2.22.5 \ No newline at end of file +go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION} +curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s ${GOSEC_VERSION}