Align files (#992)

* Align files

* Update .nancy-ignore

---------

Co-authored-by: github-actions <action@github.com>
Co-authored-by: Laszlo Uveges <laszlo@giantswarm.io>

.circleci/config.yml

@@ -1,6 +1,6 @@
 version: 2.1
 orbs:
-  architect: giantswarm/architect@4.27.0
+  architect: giantswarm/architect@4.28.1
 
 workflows:
   build:

.github/workflows/zz_generated.check_values_schema.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 name: 'Values and schema'
 on:
@@ -9,8 +9,9 @@ on:
       - master
       - main
     paths:
-      - 'helm/**/values.yaml'
-      - 'helm/**/values.schema.json'
+      - 'helm/**/values.yaml'         # default helm chart values
+      - 'helm/**/values.schema.json'  # schema
+      - 'helm/**/ci/ci-values.yaml'   # overrides for CI (can contain required entries)
 
 jobs:
   check:
@@ -29,6 +30,15 @@ jobs:
 
       - name: 'Check if values.yaml is a valid instance of values.schema.json'
         run: |
-          HELM_DIR=$(dirname $(git diff --name-only origin/${GITHUB_BASE_REF} origin/${GITHUB_HEAD_REF} \
-           | grep 'helm/[-a-z].*\/values\.' | head -1))
-          ${HOME}/yajsv -s ${HELM_DIR}/values.schema.json ${HELM_DIR}/values.yaml
+          HELM_DIR=$(git diff --name-only origin/${GITHUB_BASE_REF} ${GITHUB_SHA} \
+           | grep 'helm/[-a-z].*\/' | head -1 | awk -F '/' '{print $1"/"$2}')
+          VALUES=${HELM_DIR}/values.yaml
+          if [ -f ${HELM_DIR}/ci/ci-values.yaml ]; then
+            # merge ci-values.yaml into values.yaml (providing required values)
+            echo -e "\nMerged values:\n=============="
+            yq '. *= load("'${HELM_DIR}'/ci/ci-values.yaml")' ${HELM_DIR}/values.yaml | tee ${HELM_DIR}/combined-values.yaml
+            echo -e "\n==============\n"
+            VALUES=${HELM_DIR}/combined-values.yaml
+          fi
+
+          ${HOME}/yajsv -s ${HELM_DIR}/values.schema.json ${VALUES}

.github/workflows/zz_generated.create_release.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 name: Create Release
 on:
@@ -90,12 +90,12 @@ jobs:
       - gather_facts
     steps:
       - name: Install architect
-        uses: giantswarm/install-binary-action@v1.0.0
+        uses: giantswarm/install-binary-action@v1.1.0
         with:
           binary: "architect"
-          version: "6.1.0"
+          version: "6.11.0"
       - name: Install semver
-        uses: giantswarm/install-binary-action@v1.0.0
+        uses: giantswarm/install-binary-action@v1.1.0
         with:
           binary: "semver"
           version: "3.2.0"
@@ -122,22 +122,22 @@ jobs:
           fi
       - name: Set up git identity
         run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
+          git config --local user.email "dev@giantswarm.io"
+          git config --local user.name "taylorbot"
       - name: Commit changes
         run: |
           file="${{ needs.gather_facts.outputs.project_go_path }}"
           git add $file
           git commit -m "Bump version to ${{ steps.update_project_go.outputs.new_version }}"
       - name: Push changes
         env:
-          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
           branch: "${{ github.ref }}-version-bump"
         run: |
           git push "${REMOTE_REPO}" HEAD:${{ env.branch }}
       - name: Create PR
         env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
           base: "${{ github.ref }}"
           branch: "${{ github.ref }}-version-bump"
           version: "${{ needs.gather_facts.outputs.version }}"
@@ -171,22 +171,22 @@ jobs:
           path: ./CHANGELOG.md
       - name: Set up git identity
         run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
+          git config --local user.email "dev@giantswarm.io"
+          git config --local user.name "taylorbot"
       - name: Create tag
         run: |
           version="${{ needs.gather_facts.outputs.version }}"
           git tag "v$version" ${{ github.sha }}
       - name: Push tag
         env:
-          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          REMOTE_REPO: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
         run: |
           git push "${REMOTE_REPO}" --tags
       - name: Create release
         id: create_gh_release
         uses: actions/create-release@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
         with:
           body: ${{ steps.changelog_reader.outputs.changes }}
           tag_name: "v${{ needs.gather_facts.outputs.version }}"
@@ -200,7 +200,7 @@ jobs:
     if: ${{ needs.gather_facts.outputs.version }}
     steps:
       - name: Install semver
-        uses: giantswarm/install-binary-action@v1.0.0
+        uses: giantswarm/install-binary-action@v1.1.0
         with:
           binary: "semver"
           version: "3.0.0"

.github/workflows/zz_generated.create_release_pr.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 name: Create Release PR
 on:
@@ -44,7 +44,7 @@ jobs:
       repo_name: ${{ steps.gather_facts.outputs.repo_name }}
       branch: ${{ steps.gather_facts.outputs.branch }}
       base: ${{ steps.gather_facts.outputs.base }}
-      is_major: ${{ steps.gather_facts.outputs.is_major }}
+      needs_major_bump: ${{ steps.gather_facts.outputs.needs_major_bump }}
       skip: ${{ steps.pr_exists.outputs.skip }}
       version: ${{ steps.gather_facts.outputs.version }}
     steps:
@@ -65,7 +65,7 @@ jobs:
 
           version="$(echo $head | awk -F# '{print $NF}')"
           if [[ $version =~ ^major|minor|patch$ ]]; then
-            gh auth login --with-token <<<$(echo -n ${{ secrets.GITHUB_TOKEN }})
+            gh auth login --with-token <<<$(echo -n ${{ secrets.TAYLORBOT_GITHUB_ACTION }})
             gh_api_get_latest_release_version()
             {
               if ! version="$(gh api "repos/$1/releases/latest" --jq '.tag_name[1:] | split(".") | .[0], .[1], .[2]')"
@@ -94,7 +94,9 @@ jobs:
                 version_major=$((version_major+1))
                 version_minor=0
                 version_patch=0
-                echo "is_major=true" >> $GITHUB_OUTPUT
+                if [[ "${version_major}" != "1" ]]; then
+                  echo "needs_major_bump=true" >> $GITHUB_OUTPUT
+                fi
                 ;;
               *)
                 echo "Unknown Semver level provided"
@@ -109,8 +111,8 @@ jobs:
             version_patch=$(echo "${version}" | cut -d "." -f 3)
             # This will help us detect versions with suffixes as majors, i.e 3.0.0-alpha1.
             # Even though it's a pre-release, it's still a major.
-            if [[ $version_minor = 0 && $version_patch =~ ^0.* ]]; then
-              echo "is_major=true" >> $GITHUB_OUTPUT
+            if [[ $version_minor = 0 && $version_patch =~ ^0.* && $version_major != 1 ]]; then
+              echo "needs_major_bump=true" >> $GITHUB_OUTPUT
             fi
           fi
           repo_name="$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')"
@@ -122,10 +124,12 @@ jobs:
       - name: Check if PR exists
         id: pr_exists
         env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
         run: |
-          if gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }} | grep -i 'state:[[:space:]]*open' >/dev/null; then
-            gh pr view --repo ${{ github.repository }} ${{ steps.gather_facts.outputs.branch }}
+          head="${{ steps.gather_facts.outputs.branch }}"
+          branch="${head#refs/heads/}" # Strip "refs/heads/" prefix.
+          if gh pr view --repo "${{ github.repository }}" "${branch}" --json state --jq .state | grep -i 'open' > /dev/null; then
+            gh pr view --repo "${{ github.repository }}" "${branch}"
             echo "skip=true" >> $GITHUB_OUTPUT
           else
             echo "skip=false" >> $GITHUB_OUTPUT
@@ -143,10 +147,10 @@ jobs:
         with:
           go-version: '=1.18.1'
       - name: Install architect
-        uses: giantswarm/install-binary-action@v1.0.0
+        uses: giantswarm/install-binary-action@v1.1.0
         with:
           binary: "architect"
-          version: "6.1.0"
+          version: "6.11.0"
       - name: Checkout code
         uses: actions/checkout@v3
         with:
@@ -198,14 +202,14 @@ jobs:
 
       - name: Bump go module defined in go.mod if needed
         run: |
-          if [ "${{ needs.gather_facts.outputs.is_major }}" = true ] && test -f "go.mod"; then
-            go install github.com/marwan-at-work/mod/cmd/mod@v0.4.2
+          if [ "${{ needs.gather_facts.outputs.needs_major_bump }}" = true ] && test -f "go.mod"; then
+            go install github.com/marwan-at-work/mod/cmd/mod@v0.5.0
             mod upgrade
           fi
       - name: Set up git identity
         run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
+          git config --local user.email "dev@giantswarm.io"
+          git config --local user.name "taylorbot"
       - name: Create release commit
         env:
           version: "${{ needs.gather_facts.outputs.version }}"
@@ -214,12 +218,12 @@ jobs:
           git commit -m "Release v${{ env.version }}"
       - name: Push changes
         env:
-          remote_repo: "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          remote_repo: "https://${{ github.actor }}:${{ secrets.TAYLORBOT_GITHUB_ACTION }}@github.com/${{ github.repository }}.git"
         run: |
           git push "${remote_repo}" HEAD:${{ needs.gather_facts.outputs.branch }}
       - name: Create PR
         env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GITHUB_TOKEN: "${{ secrets.TAYLORBOT_GITHUB_ACTION }}"
           base: "${{ needs.gather_facts.outputs.base }}"
           version: "${{ needs.gather_facts.outputs.version }}"
         run: |

.github/workflows/zz_generated.gitleaks.yaml

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 name: gitleaks
 

.nancy-ignore

@@ -35,4 +35,22 @@ CVE-2022-21221 until=2023-06-30
 # pkg:golang/k8s.io/apiserver@v0.25.2
 sonatype-2022-6522 until=2023-06-30
 
+# pkg:golang/github.com/containerd/containerd@v1.6.12
+CVE-2023-25173 until=2023-06-30
+CVE-2023-25153 until=2023-06-30
+
+# pkg:golang/github.com/denisenkom/go-mssqldb@v0.9.0
+sonatype-2023-1010 until=2023-06-30
+
+# pkg:golang/github.com/opencontainers/runc@v1.1.2
+CVE-2023-28642 until=2023-06-30
+CVE-2023-27561 until=2023-06-30
+CVE-2023-25809 until=2023-06-30
+
+# pkg:golang/golang.org/x/net@v0.5.0
+CVE-2022-41723 until=2023-06-30
+
+# pkg:golang/k8s.io/apiserver@v0.25.2
+CVE-2020-8561 until=2023-06-30
+
 CVE-2023-25165 until=2023-06-30

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2016 - 2022 Giant Swarm GmbH
+   Copyright 2016 - 2023 Giant Swarm GmbH
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Makefile

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 
 include Makefile.*.mk

Makefile.gen.app.mk

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 
 ##@ App
@@ -9,7 +9,7 @@ YQ=docker run --rm -u $$(id -u) -v $${PWD}:/workdir mikefarah/yq:4.29.2
 HELM_DOCS=docker run --rm -u $$(id -u) -v $${PWD}:/helm-docs jnorwood/helm-docs:v1.11.0
 
 ifdef APPLICATION
-DEPS := $(shell ls $(APPLICATION)/charts)
+DEPS := $(shell find $(APPLICATION)/charts -maxdepth 2 -name "Chart.yaml" -printf "%h\n")
 endif
 
 .PHONY: lint-chart check-env update-chart helm-docs update-deps $(DEPS)
@@ -24,7 +24,7 @@ lint-chart: check-env ## Runs ct against the default chart.
 	docker run -it --rm -v /tmp/$(APPLICATION)-test:/wd --workdir=/wd --name ct $(IMAGE) ct lint --validate-maintainers=false --charts="helm/$(APPLICATION)"
 	rm -rf /tmp/$(APPLICATION)-test
 
-update-chart: check-env ## Sync chat with upstream repo.
+update-chart: check-env ## Sync chart with upstream repo.
 	@echo "====> $@"
 	vendir sync
 	$(MAKE) update-deps
@@ -33,8 +33,9 @@ update-deps: check-env $(DEPS) ## Update Helm dependencies.
 	cd $(APPLICATION) && helm dependency update
 
 $(DEPS): check-env ## Update main Chart.yaml with new local dep versions.
-	new_version=`$(YQ) .version $(APPLICATION)/charts/$@/Chart.yaml` && \
-	$(YQ) -i e "with(.dependencies[]; select(.name == \"$@\") | .version = \"$$new_version\")" $(APPLICATION)/Chart.yaml
+	dep_name=$(shell basename $@) && \
+	new_version=`$(YQ) .version $(APPLICATION)/charts/$$dep_name/Chart.yaml` && \
+	$(YQ) -i e "with(.dependencies[]; select(.name == \"$$dep_name\") | .version = \"$$new_version\")" $(APPLICATION)/Chart.yaml
 
 helm-docs: check-env ## Update $(APPLICATION) README.
 	$(HELM_DOCS) -c $(APPLICATION) -g $(APPLICATION)

Makefile.gen.go.mk

@@ -1,6 +1,6 @@
 # DO NOT EDIT. Generated with:
 #
-#    devctl@5.15.0
+#    devctl@5.22.0
 #
 
 APPLICATION    := $(shell go list -m | cut -d '/' -f 3)

renovate.json

@@ -47,5 +47,13 @@
     "zricethezav/gitleaks-action",
     "actions/setup-go"
   ],
+  "regexManagers": [
+    {
+      "fileMatch": ["^helm\\/.+\\/values\\.yaml$"],
+      "matchStrings": ["repo: (?<depName>.*)\n(\\s)*version: (?<currentValue>.*?)\n"],
+      "datasourceTemplate": "github-releases",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    }
+  ],
   "schedule": [ "after 6am on thursday" ]
 }