From 491dc23cbbfe0a77e062fe3eb0c3c4c0a1f04ffa Mon Sep 17 00:00:00 2001
From: Knative Automation
Date: Wed, 8 Dec 2021 01:30:25 +0000
Subject: [PATCH] Update actions
Signed-off-by: Knative Automation
---
.github/workflows/knative-boilerplate.yaml | 96 ++++++++
.github/workflows/knative-donotsubmit.yaml | 61 +++++
.github/workflows/knative-security.yaml | 50 ++++
.github/workflows/knative-stale.yaml | 49 ++++
.github/workflows/knative-style.yaml | 259 +++++++++++++++++++++
.github/workflows/knative-verify.yaml | 76 ++++++
6 files changed, 591 insertions(+)
create mode 100644 .github/workflows/knative-boilerplate.yaml
create mode 100644 .github/workflows/knative-donotsubmit.yaml
create mode 100644 .github/workflows/knative-security.yaml
create mode 100644 .github/workflows/knative-stale.yaml
create mode 100644 .github/workflows/knative-style.yaml
create mode 100644 .github/workflows/knative-verify.yaml
diff --git a/.github/workflows/knative-boilerplate.yaml b/.github/workflows/knative-boilerplate.yaml
new file mode 100644
index 00000000..2a0b01ba
--- /dev/null
+++ b/.github/workflows/knative-boilerplate.yaml
@@ -0,0 +1,96 @@ +# Copyright 2020 The Knative Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file is automagically synced here from github.com/knative-sandbox/.github +# repo by knobots: https://github.com/knative-sandbox/knobots and will be overwritten. + +name: Boilerplate + +on: + pull_request: + branches: [ 'main', 'master', 'release-*' ] + +jobs: + + check: + name: Boilerplate Check + runs-on: ubuntu-latest + strategy: + fail-fast: false # Keep running if one leg fails. + matrix: + extension: + - go + - sh + + # Map between extension and human-readable name. + include: + - extension: go + language: Go + - extension: sh + language: Bash + + steps: + + - name: Set up Go 1.17.x + uses: actions/setup-go@v2 + with: + go-version: 1.17.x + id: go + + - name: Check out code + uses: actions/checkout@v2 + + - name: Install Tools + run: | + TEMP_PATH="$(mktemp -d)" + cd $TEMP_PATH + + echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' + curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 + echo '::endgroup::' + + echo '::group:: Installing boilerplate-check ... 
https://github.com/mattmoor/boilerplate-check' + go install github.com/mattmoor/boilerplate-check/cmd/boilerplate-check@latest + echo '::endgroup::' + + echo "${TEMP_PATH}" >> $GITHUB_PATH + + - id: boilerplate_txt + uses: andstor/file-existence-action@v1 + with: + files: ./hack/boilerplate/boilerplate.${{ matrix.extension }}.txt + - name: ${{ matrix.language }} license boilerplate + shell: bash + if: ${{ steps.boilerplate_txt.outputs.files_exists == 'true' }} + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + echo '::group:: Running github.com/mattmoor/boilerplate-check for ${{ matrix.language }} with reviewdog 🐶 ...' + # Don't fail because of boilerplate-check + set +o pipefail + boilerplate-check check \ + --boilerplate ./hack/boilerplate/boilerplate.${{ matrix.extension }}.txt \ + --file-extension ${{ matrix.extension }} \ + --exclude "(vendor|third_party)/" | + reviewdog -efm="%A%f:%l: %m" \ + -efm="%C%.%#" \ + -name="${{ matrix.language }} headers" \ + -reporter="github-pr-check" \ + -filter-mode="diff_context" \ + -fail-on-error="true" \ + -level="error" + echo '::endgroup::' diff --git a/.github/workflows/knative-donotsubmit.yaml b/.github/workflows/knative-donotsubmit.yaml new file mode 100644 index 00000000..cec5c307 --- /dev/null +++ b/.github/workflows/knative-donotsubmit.yaml 
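Review bot: The Install Tools step pipes `install.sh` from reviewdog's `master` branch straight into `sh` and installs `boilerplate-check@latest`, so the code that runs changes whenever either upstream moves, and the resulting binaries are put on `GITHUB_PATH` for the next step, which holds `REVIEWDOG_GITHUB_API_TOKEN`. Fetch the installer from a fixed commit and request a fixed release, e.g. `curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/<PINNED_COMMIT_SHA>/install.sh | sh -s -- -b "${TEMP_PATH}" "<REVIEWDOG_VERSION>"` (both values are placeholders), and replace `@latest` with a tagged version of boilerplate-check. The same unpinned `curl … | sh` appears in knative-donotsubmit.yaml and in the Install Tools step of knative-style.yaml, where only woke is given a version. Because the file header says these workflows are synced from knative-sandbox/.github and will be overwritten, the change belongs in that source repo.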
@@ -0,0 +1,61 @@ +# Copyright 2020 The Knative Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file is automagically synced here from github.com/knative-sandbox/.github +# repo by knobots: https://github.com/knative-sandbox/knobots and will be overwritten. + +name: Do Not Submit + +on: + pull_request: + branches: [ 'main', 'master', 'release-*' ] + +jobs: + + donotsubmit: + name: Do Not Submit + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@v2 + + - name: Do Not Submit + shell: bash + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + TEMP_PATH="$(mktemp -d)" + PATH="${TEMP_PATH}:$PATH" + + echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' + curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 + echo '::endgroup::' + + echo '::group:: Running DO NOT SUBMIT with reviewdog 🐶 ...' + # Don't fail because of grep + set +o pipefail + find . -type f -not -path './vendor/*' -not -path './third_party/*' -not -path './.git/*' -not -path './.github/workflows/*' | + xargs grep -n "DO NOT SUBMIT" | + reviewdog -efm="%f:%l:%m" \ + -name="DO NOT SUBMIT" \ + -reporter="github-pr-check" \ + -filter-mode="added" \ + -fail-on-error="true" \ + -level="error" + + echo '::endgroup::' 
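Review bot: The `find … | xargs grep -n "DO NOT SUBMIT"` pipeline splits paths on whitespace and gives quotes special meaning, so a file in the pull request whose name contains a space or a quote is either not scanned or makes xargs abort, and with `set +o pipefail` in effect only reviewdog's exit status decides the step result. Pass NUL-delimited names instead: add `-print0` as the last `find` argument and change the next line to `xargs -0 grep -n "DO NOT SUBMIT" |`. The `git ls-files | … | xargs` pipelines in knative-style.yaml look to have the same limitation, though they pass through `cut` first and would need a different fix.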
diff --git a/.github/workflows/knative-security.yaml b/.github/workflows/knative-security.yaml
new file mode 100644
index 00000000..fbfe531d
--- /dev/null
+++ b/.github/workflows/knative-security.yaml
@@ -0,0 +1,50 @@
+# Copyright 2020 The Knative Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is automagically synced here from github.com/knative-sandbox/.github
+# repo by knobots: https://github.com/knative-sandbox/knobots and will be overwritten.
+
+name: 'Security'
+
+on:
+ push:
+ branches: [ 'main', 'master', 'release-*' ]
+
+ pull_request:
+ branches: [ 'main', 'master', 'release-*' ]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: go
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/knative-stale.yaml b/.github/workflows/knative-stale.yaml
new file mode 100644
index 00000000..899890a3
--- /dev/null
+++ b/.github/workflows/knative-stale.yaml
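Review bot: No `permissions:` block is declared in this workflow, so the `analyze` job runs with whatever default `GITHUB_TOKEN` scope the repository or organisation has configured, which may be broader than a scan needs. Declaring it on the job makes the requirement explicit: a `permissions:` mapping with `actions: read`, `contents: read` and `security-events: write`, the last being what the CodeQL result upload uses. None of the other workflows added by this patch declares permissions either. The reviewdog jobs presumably need only `contents: read` plus `checks: write` for the `github-pr-check` reporter, and knative-stale.yaml `issues: write` and `pull-requests: write`; both sets should be confirmed against the actions' documentation before they are committed.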
@@ -0,0 +1,49 @@
+# Copyright 2020 The Knative Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is automagically synced here from github.com/knative-sandbox/.github
+# repo by knobots: https://github.com/knative-sandbox/knobots and will be overwritten.
+
+name: 'Close stale'
+
+on:
+ schedule:
+ - cron: '0 1 * * *'
+
+jobs:
+ stale:
+ runs-on: 'ubuntu-latest'
+ steps:
+ - uses: 'actions/stale@v3'
+ with:
+ repo-token: '${{ secrets.GITHUB_TOKEN }}' # No need to setup
+
+ stale-issue-message: |-
+ This issue is stale because it has been open for 90 days with no
+ activity. It will automatically close after 30 more days of
+ inactivity. Reopen the issue with `/reopen`. Mark the issue as
+ fresh by adding the comment `/remove-lifecycle stale`.
+ stale-issue-label: 'lifecycle/stale'
+ exempt-issue-labels: 'lifecycle/frozen,triage/accepted'
+
+ stale-pr-message: |-
+ This Pull Request is stale because it has been open for 90 days with
+ no activity. It will automatically close after 30 more days of
+ inactivity. Reopen with `/reopen`. Mark as fresh by adding the
+ comment `/remove-lifecycle stale`.
+ stale-pr-label: 'lifecycle/stale'
+ exempt-pr-labels: 'lifecycle/frozen'
+
+ days-before-stale: 90
+ days-before-close: 30
diff --git a/.github/workflows/knative-style.yaml b/.github/workflows/knative-style.yaml
new file mode 100644
index 00000000..bbd30678
--- /dev/null
+++ b/.github/workflows/knative-style.yaml
@@ -0,0 +1,259 @@ +# Copyright 2020 The Knative Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file is automagically synced here from github.com/knative-sandbox/.github +# repo by knobots: https://github.com/knative-sandbox/knobots and will be overwritten. + +name: Code Style + +on: + pull_request: + branches: [ 'main', 'master', 'release-*' ] + +jobs: + + autoformat: + name: Auto-format and Check + runs-on: ubuntu-latest + strategy: + fail-fast: false # Keep running if one leg fails. + matrix: + tool: + - goimports + - gofmt + + include: + - tool: gofmt + options: -s + - tool: goimports + package: golang.org/x/tools/cmd/goimports@latest + + steps: + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.17.x + id: go + + - name: Check out code + uses: actions/checkout@v2 + + - name: Install Dependencies + if: ${{ matrix.package != '' }} + run: | + cd $(mktemp -d) + go install ${{ matrix.package }} + + - name: ${{ matrix.tool }} ${{ matrix.options }} + shell: bash + run: > + ${{ matrix.tool }} ${{ matrix.options }} -w + $(find . + -path './vendor' -prune + -o -path './third_party' -prune + -o -name '*.pb.go' -prune + -o -name 'wire_gen.go' -prune + -o -type f -name '*.go' -print) + + - name: Verify ${{ matrix.tool }} + shell: bash + run: | + # 
From: https://backreference.org/2009/12/23/how-to-match-newlines-in-sed/ + # This is to leverage this workaround: + # https://github.com/actions/toolkit/issues/193#issuecomment-605394935 + function urlencode() { + sed ':begin;$!N;s/\n/%0A/;tbegin' + } + if [[ $(git diff-index --name-only HEAD --) ]]; then + for x in $(git diff-index --name-only HEAD --); do + echo "::error file=$x::Please run ${{ matrix.tool }} ${{ matrix.options }}.%0A$(git diff $x | urlencode)" + done + echo "${{ github.repository }} is out of style. Please run ${{ matrix.tool }} ${{ matrix.options }}." + exit 1 + fi + echo "${{ github.repository }} is formatted correctly." + + lint: + name: Lint + runs-on: ubuntu-latest + + steps: + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.17.x + id: go + + - name: Check out code + uses: actions/checkout@v2 + + - id: golangci_configuration + uses: andstor/file-existence-action@v1 + with: + files: .golangci.yaml + - name: Go Lint + if: steps.golangci_configuration.outputs.files_exists == 'true' + uses: golangci/golangci-lint-action@v2 + with: + version: v1.43 + + - name: Install Tools + env: + WOKE_VERSION: v0.13.0 + run: | + TEMP_PATH="$(mktemp -d)" + cd $TEMP_PATH + + echo '::group::🐶 Installing reviewdog ... https://github.com/reviewdog/reviewdog' + curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 + echo '::endgroup::' + + echo '::group:: Installing misspell ... https://github.com/client9/misspell' + curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b "${TEMP_PATH}" 2>&1 + echo '::endgroup::' + + echo '::group:: Installing woke ... 
https://github.com/get-woke/woke' + curl -sfL https://raw.githubusercontent.com/get-woke/woke/main/install.sh | sh -s -- -b "${TEMP_PATH}" "${WOKE_VERSION}" 2>&1 + echo '::endgroup::' + + echo "${TEMP_PATH}" >> $GITHUB_PATH + + - name: misspell + shell: bash + if: ${{ always() }} + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + echo '::group:: Running github.com/client9/misspell with reviewdog 🐶 ...' + # Don't fail because of misspell + set +o pipefail + # Exclude generated and vendored files, plus some legacy + # paths until we update all .gitattributes + git ls-files | + git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin ignore-lint | grep -Ev ': (set|true)$' | cut -d: -f1 | + grep -Ev '^(vendor/|third_party/|.git)' | + xargs misspell -i importas -error | + reviewdog -efm="%f:%l:%c: %m" \ + -name="github.com/client9/misspell" \ + -reporter="github-pr-check" \ + -filter-mode="added" \ + -fail-on-error="true" \ + -level="error" + + echo '::endgroup::' + + - name: trailing whitespace + shell: bash + if: ${{ always() }} + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + echo '::group:: Flagging trailing whitespace with reviewdog 🐶 ...' 
+ # Don't fail because of grep + set +o pipefail + + # Exclude generated and vendored files, plus some legacy + # paths until we update all .gitattributes + git ls-files | + git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin ignore-lint | grep -Ev ': (set|true)$' | cut -d: -f1 | + grep -Ev '^(vendor/|third_party/|.git)' | + xargs grep -nE " +$" | + reviewdog -efm="%f:%l:%m" \ + -name="trailing whitespace" \ + -reporter="github-pr-check" \ + -filter-mode="added" \ + -fail-on-error="true" \ + -level="error" + + echo '::endgroup::' + + - name: EOF newline + shell: bash + if: ${{ always() }} + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + echo '::group:: Flagging missing EOF newlines with reviewdog 🐶 ...' + # Don't fail because of misspell + set +o pipefail + # Lint exclude rule: + # - nothing in vendor/ + # - nothing in third_party + # - nothing in .git/ + # - no *.ai (Adobe Illustrator) files. + LINT_FILES=$(git ls-files | + git check-attr --stdin linguist-generated | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin linguist-vendored | grep -Ev ': (set|true)$' | cut -d: -f1 | + git check-attr --stdin ignore-lint | grep -Ev ': (set|true)$' | cut -d: -f1 | + grep -Ev '^(vendor/|third_party/|.git)' | + grep -v '\.ai$') + + for x in $LINT_FILES; do + # Based on https://stackoverflow.com/questions/34943632/linux-check-if-there-is-an-empty-line-at-the-end-of-a-file + if [[ -f $x && ! ( -s "$x" && -z "$(tail -c 1 $x)" ) ]]; then + # We add 1 to `wc -l` here because of this limitation (from the man page): + # Characters beyond the final character will not be included in the line count. 
+ echo $x:$((1 + $(wc -l $x | tr -s ' ' | cut -d' ' -f 1))): Missing newline + fi + done | + reviewdog -efm="%f:%l: %m" \ + -name="EOF Newline" \ + -reporter="github-pr-check" \ + -filter-mode="added" \ + -fail-on-error="true" \ + -level="error" + + echo '::endgroup::' + + # This is mostly copied from https://github.com/get-woke/woke-action-reviewdog/blob/main/entrypoint.sh + # since their action is not yet released under a stable version. + - name: Language + if: ${{ always() && github.event_name == 'pull_request' }} + shell: bash + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }} + run: | + set -e + cd "${GITHUB_WORKSPACE}" || exit 1 + + # Create a minimal .wokeignore if none already exist. + if [ ! -f .wokeignore ]; then + cat > .wokeignore <