TykTechnologies · alephnull · Oct 27, 2023 · Oct 27, 2023
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 version: 2
 updates:

@@ -1,12 +1,11 @@
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 # Distribution channels covered by this workflow
 # - Ubuntu and Debian
 # - RHEL and AL
 # - docker hub
 # - devenv ECR
-# - AWS mktplace (not active atm)
 # - Cloudsmith
 
 name: Release
@@ -21,25 +20,29 @@ on:
       - 'v*'
 
 env:
-  SLACK_CLI_TOKEN: ${{ secrets.BENDER_TOKEN }}
   GOPRIVATE: github.com/TykTechnologies
 
 jobs:
   goreleaser:
     name: '${{ matrix.golang_cross }}'
     runs-on: ubuntu-latest
     container: 'tykio/golang-cross:${{ matrix.golang_cross }}'
+    permissions:
+      id-token: write   # AWS OIDC JWT
+      contents: read    # actions/checkout
     strategy:
       fail-fast: false
       matrix:
-        golang_cross: [ 1.19-bullseye ]
-        include:
+        golang_cross:
+          - 1.19-bullseye 
+        include: 
           - golang_cross: 1.19-bullseye
-            goreleaser: 'ci/goreleaser/goreleaser.yml' 
+            goreleaser: 'ci/goreleaser/goreleaser.yml'
+            cgo:  0  
             rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
-            debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye'
+            debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy debian/jessie debian/buster debian/bullseye debian/bookworm' 
     outputs:
-      tag: ${{ steps.targets.outputs.tag }}
+      tags: ${{ steps.metadata.outputs.tags }}
 
     steps:
       - name: Fix private module deps
@@ -74,40 +77,32 @@ jobs:
           username: ${{ secrets.CLOUDSMITH_USERNAME }}
           password: ${{ secrets.CLOUDSMITH_API_KEY }}
 
-      - name: Unlock agent and set tag
-        id: targets
-        shell: bash
+      - name: Unlock agent
         env:
           NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
           GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
           PKG_SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
-        run: |
+        run:
           ci/bin/unlock-agent.sh
-          current_tag=${GITHUB_REF##*/}
-          echo "tag=${current_tag}" >> $GITHUB_OUTPUT
 
-      - name: Delete old release assets
-        if: startsWith(github.ref, 'refs/tags')
-        uses: mknejp/delete-release-assets@v1
+
+
+      - uses: actions/cache@v3
         with:
-          token: ${{ github.token }}
-          tag: ${{ github.ref }}
-          fail-if-no-assets: false
-          fail-if-no-release: false
-          assets: |
-            *.deb
-            *.rpm
-            *.tar.gz
-            *.txt.sig
-            *.txt
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
 
       - uses: goreleaser/goreleaser-action@v4
         with:
           version: latest
           args: release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot' || '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CGO_ENABLED: 0
+          CGO_ENABLED: ${{ matrix.cgo }}
           NFPM_STD_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
           NFPM_PAYG_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
           GPG_FINGERPRINT: 12B5D62C28F57592D1575BD51ED14C59E37DAC20
@@ -116,88 +111,65 @@ jobs:
           DEBVERS: ${{ matrix.debvers }}
           RPMVERS: ${{ matrix.rpmvers }}
           PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
-      - uses: actions/upload-artifact@v3
-        with:
-          name: deb
-          retention-days: 1
-          path: |
-            dist/*.deb
-            !dist/*PAYG*.deb
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: rpm
-          retention-days: 1
-          path: |
-            dist/*.rpm
-            !dist/*PAYG*.rpm
-  ci:
-    needs:
-      - goreleaser
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write   # This is required for requesting the JWT
-      contents: read    # This is required for actions/checkout
-
-    steps:
-      - name: Shallow checkout of tyk-pump
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 1
-
       - uses: aws-actions/configure-aws-credentials@v2
         with:
           role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
           role-session-name: cipush
           aws-region: eu-central-1
+          # Don't mask to pass it across job boundaries
+          mask-aws-account-id: false
 
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
-
-      - uses: actions/download-artifact@v3
+      - uses: aws-actions/amazon-ecr-login@v1
+        id: ecr
         with:
-          name: deb
+          mask-password: 'true'
 
-      - name: Docker metadata
+      - name: Docker metadata for CI
         id: metadata
         uses: docker/metadata-action@v4
         with:
-          images: ${{ steps.login-ecr.outputs.registry }}/tyk-pump
+          images: ${{ steps.ecr.outputs.registry }}/tyk-pump
           flavor: |
             latest=false
-            prefix=v
           tags: |
-              type=semver,pattern=v{{version}}
-              type=semver,pattern=v{{major}}.{{minor}}
-              type=semver,pattern=v{{major}}
-              type=ref,event=branch
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,format=long
+            type=semver,pattern=v{{major}}.{{minor}},prefix=v
+            type=semver,pattern=v{{version}},prefix=v
 
-      - uses: docker/setup-qemu-action@v2
-
-      - uses: docker/setup-buildx-action@v2
+      - name: CI push
+        shell: bash
+        env:
+          t: ${{ steps.metadata.outputs.tags }}
+          build_tag: ${{ startswith(github.ref, 'refs/tags') && github.ref_name || 'v0.0.0' }}
+        run: |
+          set +e
+          IFS=$'\n' tags=($t)
+          for tag in "${tags[@]}"; do
+             for arch in amd64 arm64; do
+                 docker tag tykio/tyk-pump-docker-pub:${build_tag}-${arch} ${tag}-${arch} && docker push ${tag}-${arch}
+             done
+             docker manifest create ${tag} ${tag}-amd64 ${tag}-arm64 && docker manifest push ${tag}
+          done
 
-      - name: CI build
-        uses: docker/build-push-action@v4
+      - uses: actions/upload-artifact@v3
         with:
-          push: true
-          context: "."
-          file: ci/Dockerfile.std
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            ${{ steps.metadata.outputs.tags }}
-            ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ needs.goreleaser.outputs.tag }}
-            ${{ steps.login-ecr.outputs.registry }}/tyk-pump:${{ github.sha }}
+          name: deb
+          retention-days: 1
+          path: |
+            dist/*.deb
+            !dist/*PAYG*.deb
 
-  sbom:
-    needs: ci
-    uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
-    secrets:
-      TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
-      DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
-      DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
-      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: rpm
+          retention-days: 1
+          path: |
+            dist/*.rpm
+            !dist/*PAYG*.rpm 
 
+# TODO: PR comment, using just one comment and updating, not a new comment each time
 
   upgrade-deb:
     if: startsWith(github.ref, 'refs/tags')
@@ -213,10 +185,11 @@ jobs:
           - amd64
           - arm64
         distro:
-          - ubuntu:jammy
           - ubuntu:bionic
           - ubuntu:focal
+          - ubuntu:jammy
           - debian:bullseye
+          - debian:bookworm
 
     steps:
       - uses: actions/checkout@v3
@@ -260,8 +233,9 @@ jobs:
       fail-fast: false
       matrix:
         distro:
-          - ubi9/ubi
-          - ubi8/ubi
+          - amazonlinux:2023
+          - registry.access.redhat.com/ubi8/ubi
+          - registry.access.redhat.com/ubi9/ubi
 
     steps:
       - uses: actions/checkout@v3
@@ -276,7 +250,7 @@ jobs:
 
       - name: generate dockerfile
         run: |
-          echo 'FROM registry.access.redhat.com/${{ matrix.distro }}
+          echo 'FROM ${{ matrix.distro }}
           COPY tyk-pump*.x86_64.rpm /tyk-pump.rpm
           RUN yum install --allowerasing -y curl
           RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-pump/script.rpm.sh | bash && yum install -y tyk-pump-1.6.0-1
@@ -293,19 +267,20 @@ jobs:
           push: false
 
   smoke-tests:
-    if: startsWith(github.ref, 'refs/tags')
     needs:
       - goreleaser
+    permissions:
+      id-token: write   # This is required for requesting the JWT
+      contents: read    # This is required for actions/checkout
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
-
-      - name: Run tests
+      - name: Run ci/tests
         shell: bash
-        env:
+        env:        
           GITHUB_TAG: ${{ github.ref }}
         run: |
           set -eaxo pipefail
@@ -335,3 +310,11 @@ jobs:
               fi
           done
 
+
+  sbom:
+    needs: goreleaser
+    uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@main
+    secrets:
+      DEPDASH_URL: ${{ secrets.DEPDASH_URL }}
+      DEPDASH_KEY: ${{ secrets.DEPDASH_KEY }}
+      ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
@@ -1,6 +1,5 @@
-
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 FROM debian:bullseye-slim
 ARG TARGETARCH
@@ -10,9 +9,8 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update \
     && apt-get dist-upgrade -y ca-certificates
 
-
 # Remove some things to decrease CVE surface
-RUN  apt-get remove -y --allow-remove-essential --auto-remove curl libtiff5 ncurses-base \
+RUN dpkg --purge --force-remove-essential curl ncurses-base \
 	&& rm /usr/bin/passwd && rm /usr/sbin/adduser
 
 # Clean up caches, unwanted .a and .o files

@@ -1,6 +1,6 @@
 
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 packer {
   required_plugins {

@@ -1,5 +1,5 @@
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 # Check the documentation at http://goreleaser.com
 # This project needs CGO_ENABLED=1 and the cross-compiler toolchains for
@@ -14,15 +14,16 @@ builds:
     goarch:
       - amd64
       - arm64
+      - s390x
     binary: tyk-pump
 
 dockers:
   # Build tykio/tyk-pump-docker-pub, docker.tyk.io/tyk-pump/tyk-pump (amd64)
   - ids:
       - std
     image_templates:
-      - "tykio/tyk-pump-docker-pub:{{ .Tag }}-amd64"
-      - "docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-amd64"
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-amd64"
+      - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-amd64"
     build_flag_templates:
       - "--build-arg=PORTS=80"
       - "--platform=linux/amd64"
@@ -43,8 +44,8 @@ dockers:
   - ids:
       - std
     image_templates:
-      - "tykio/tyk-pump-docker-pub:{{ .Tag }}-arm64"
-      - "docker.tyk.io/tyk-pump/tyk-pump:{{ .Tag }}-arm64"
+      - "tykio/tyk-pump-docker-pub:{{.Tag}}-arm64"
+      - "docker.tyk.io/tyk-pump/tyk-pump:{{.Tag}}-arm64"
     build_flag_templates:
       - "--build-arg=PORTS=80"
       - "--platform=linux/arm64"
@@ -128,6 +129,11 @@ publishers:
     cmd: /pc.sh {{ .ArtifactPath }}
 
 
+# This disables archives
+archives:
+  - format: binary
+    allow_different_binary_count: true
+
 checksum:
   disable: true
 

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Generated by: gromit policy
-# Generated on: Wed Jul 26 08:25:03 UTC 2023
+# Generated on: Fri Oct 27 04:05:19 UTC 2023
 
 echo "Creating user and group..."
 GROUPNAME="tyk"