From 2bb2bd8560fe4b3fd24891606599ecf0a803c4c6 Mon Sep 17 00:00:00 2001
From: Curt Bushko
Date: Tue, 12 Apr 2022 12:00:22 -0400
Subject: [PATCH] [CRT] Enable Orchestrator (#1159)
- This PR needs to be merged before I can start testing the orchestrator
- Note: This will not break anything as it is the orchestrator that needs these files
- Turning on builds, slack notifications, signing/notarizing, security scanning of artifacts we create
---
.release/ci.hcl | 271 +++++++++++++++++++++++++++++++++++++
.release/security-scan.hcl | 14 ++
2 files changed, 285 insertions(+)
create mode 100644 .release/ci.hcl
create mode 100644 .release/security-scan.hcl
diff --git a/.release/ci.hcl b/.release/ci.hcl
new file mode 100644
index 0000000000..64e5a97034
--- /dev/null
+++ b/.release/ci.hcl
@@ -0,0 +1,271 @@
+schema = "1"
+
+project "consul-k8s" {
+ team = "consul-k8s"
+ slack {
+ notification_channel = "CBXF3CGAF" # team-consul-kubernetes
+ }
+ github {
+ organization = "hashicorp"
+ repository = "consul-k8s"
+ release_branches = [
+ # The CRT tool does not support * as a branch name
+ "main",
+ "cb/crt-testing"
+ ]
+ }
+}
+
+event "merge" {
+ // "entrypoint" to use if build is not run automatically
+ // i.e. send "merge" complete signal to orchestrator to trigger build
+}
+
+event "build" {
+ depends = ["merge"]
+ action "build" {
+ organization = "hashicorp"
+ repository = "consul-k8s"
+ workflow = "build"
+ }
+}
+
+event "upload-dev" {
+ depends = ["build"]
+ action "upload-dev" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "upload-dev"
+ depends = ["build"]
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "security-scan-binaries" {
+ depends = ["upload-dev"]
+ action "security-scan-binaries" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-binaries"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "security-scan-containers" {
+ depends = ["security-scan-binaries"]
+ action "security-scan-containers" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "security-scan-containers"
+ config = "security-scan.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-darwin-amd64" {
+ depends = ["security-scan-containers"]
+ action "notarize-darwin-amd64" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-darwin-amd64"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-darwin-arm64" {
+ depends = ["notarize-darwin-amd64"]
+ action "notarize-darwin-arm64" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-darwin-arm64"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-windows-386" {
+ depends = ["notarize-darwin-arm64"]
+ action "notarize-windows-386" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-windows-386"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "notarize-windows-amd64" {
+ depends = ["notarize-windows-386"]
+ action "notarize-windows-amd64" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "notarize-windows-amd64"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "sign" {
+ depends = ["notarize-windows-amd64"]
+ action "sign" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "sign"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "sign-linux-rpms" {
+ depends = ["sign"]
+ action "sign-linux-rpms" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "sign-linux-rpms"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "verify" {
+ depends = ["sign-linux-rpms"]
+ action "verify" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "verify"
+ }
+
+ notification {
+ on = "always"
+ }
+}
+
+event "promote-dev-docker" {
+ depends = ["verify"]
+ action "promote-dev-docker" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-dev-docker"
+ depends = ["verify"]
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+
+## These are promotion and post-publish events
+## they should be added to the end of the file after the verify event stanza.
+
+event "trigger-staging" {
+// This event is dispatched by the bob trigger-promotion command
+// and is required - do not delete.
+}
+
+event "promote-staging" {
+ depends = ["trigger-staging"]
+ action "promote-staging" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-staging"
+ }
+
+ notification {
+ on = "always"
+ }
+}
+
+event "promote-staging-new-hc-releases" {
+ depends = ["promote-staging"]
+ action "promote-staging-new-hc-releases" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-staging-new-hc-releases"
+ config = "release-metadata.hcl"
+ }
+
+ notification {
+ on = "fail"
+ }
+}
+
+event "promote-staging-docker" {
+ depends = ["promote-staging-new-hc-releases"]
+ action "promote-staging-docker" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-staging-docker"
+ }
+
+ notification {
+ on = "always"
+ }
+}
+
+event "trigger-production" {
+// This event is dispatched by the bob trigger-promotion command
+// and is required - do not delete.
+}
+
+event "promote-production" {
+ depends = ["trigger-production"]
+ action "promote-production" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-production"
+ }
+
+ notification {
+ on = "always"
+ }
+}
+
+event "promote-production-docker" {
+ depends = ["promote-production"]
+ action "promote-production-docker" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-production-docker"
+ }
+
+ notification {
+ on = "always"
+ }
+}
+
+event "promote-production-packaging" {
+ depends = ["promote-production-docker"]
+ action "promote-production-packaging" {
+ organization = "hashicorp"
+ repository = "crt-workflows-common"
+ workflow = "promote-production-packaging"
+ }
+
+ notification {
+ on = "always"
+ }
+}
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
new file mode 100644
index 0000000000..6a571ed06f
--- /dev/null
+++ b/.release/security-scan.hcl
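Review bot: `release_branches` in the `project` block lists `"cb/crt-testing"`, which reads as a personal test branch, next to `"main"`; everything downstream of `build` in this file (upload-dev, the signing and notarization events, and the staging/production promotions) is keyed off that list, so merges to that branch would be eligible for the same signing and promotion path as main. If it has to stay for orchestrator testing, mark it with `# TODO: remove after CRT testing - only "main" should feed the signing/promotion path` and drop it before any promotion is triggered. Separately, `promote-staging-new-hc-releases` points at `config = "release-metadata.hcl"`, which this commit does not add (the diffstat lists only `ci.hcl` and `security-scan.hcl`), so unless that file already exists elsewhere the event will presumably fail only when staging promotion is first run rather than at merge. The nested `depends = ["build"]` inside the `upload-dev` action and `depends = ["verify"]` inside `promote-dev-docker` are the only actions carrying their own `depends`, which looks like a leftover rather than intent; the event-level `depends` already expresses the ordering.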
@@ -0,0 +1,14 @@
+container {
+ dependencies = true
+ alpine_secdb = true
+ secrets = true
+}
+
+binary {
+ secrets = true
+ go_modules = true
+ osv = true
+ oss_index = true
+ nvd = true
+}
+
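Review bot: Nothing in this file says who consumes it or what a finding does; the only related signal is the `on = "fail"` notification on the two scan events in ci.hcl, which documents alerting but not whether a finding blocks the notarize/sign events that depend on the scan. A header comment would help, e.g. `# Consumed by the security-scan-binaries / security-scan-containers workflows in crt-workflows-common (see ci.hcl); a failed scan blocks notarize/sign - confirm against the workflow definitions`, with the gating behaviour stated only once it has been verified. Per stanza, `# container: release images - OS packages via alpine_secdb, bundled dependencies, embedded secrets` and `# binary: release binaries - Go module advisories (osv / oss_index / nvd), embedded secrets` would let a reader map each flag to a scanner without opening the shared workflow. `alpine_secdb = true` also presumably assumes the image base is Alpine; if so, a one-line comment to that effect stops someone switching base images without realising OS-package coverage depends on it.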