merge main

Author: sgalsaleh

.github/actions/e2e/action.yml

@@ -89,8 +89,8 @@ runs:
   - name: E2E
     shell: bash
     run: |
-      SHA=${{ github.event.pull_request.head.sha || github.sha }}
-      export SHORT_SHA=dev-${SHA::7}
+      export SHORT_SHA=dev-${GITHUB_SHA::7}
+      echo "${SHORT_SHA}"
       export LICENSE_ID=${{ inputs.license-id }}
       export AIRGAP_LICENSE_ID=${{ inputs.airgap-license-id }}
       export SNAPSHOT_LICENSE_ID=${{ inputs.snapshot-license-id }}

.github/actions/scan-image/action.yml

@@ -0,0 +1,45 @@
+name: Scan image
+description: 'Scan a container image for vulnerabilities and optionally upload the results for GitHub code scanning'
+inputs:
+  image-ref:
+    description: 'The image to scan'
+    required: true
+  upload-sarif:
+    description: 'Whether to upload the scan results as a SARIF file'
+    required: false
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    - name: Get image id
+      id: image-id
+      shell: bash
+      run: |
+        image_id=$(${{github.action_path}}/image_id.sh '${{ inputs.image-ref }}')
+        echo "image_id=$image_id" >> $GITHUB_OUTPUT
+
+    - name: Scan image
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: '${{ inputs.image-ref }}'
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH,MEDIUM
+        exit-code: 1
+
+    - name: Output sarif
+      uses: aquasecurity/[email protected]
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      with:
+        image-ref: '${{ matrix.image }}'
+        format: sarif
+        output: trivy-results.sarif
+        ignore-unfixed: true
+        severity: CRITICAL,HIGH,MEDIUM
+
+    - name: Upload sarif
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: trivy-results.sarif
+        category: 'image-scan:${{ steps.image-id.outputs.image_id }}'

.github/actions/scan-image/image_id.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+if [ "$#" -ne 1 ] || [ "$1" == "" ] || [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+    echo "Usage: $0 <image_id>"
+    exit 1
+fi
+
+image_id="$1"
+image_id=$(echo "$image_id" | cut -d'@' -f1) # remove digest
+# make sure if there is only one colon it is not the port
+if ! echo "$image_id" | rev | cut -d':' -f1 | rev | grep -q '/' ; then
+    image_id=$(echo "$image_id" | rev | cut -d':' -f2- | rev) # remove tag
+fi
+
+echo -n "$image_id"

.github/dependabot.yml

@@ -3,13 +3,18 @@ version: 2
 updates:
   - package-ecosystem: "gomod"
     directory: "/"
+    open-pull-requests-limit: 25
+    schedule:
+      interval: "weekly"
+      day: "saturday"
     labels:
       - "dependencies"
       - "go"
       - "type::chore"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 25
+    groups:
+      security:
+        update-types:
+          - "patch"
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -19,3 +24,4 @@ updates:
       - "type::chore"
     schedule:
       interval: "weekly"
+      day: "saturday"

.github/workflows/automated-prs-manager.yaml

@@ -0,0 +1,102 @@
+name: Automated PRs Manager
+
+on:
+  schedule:
+  - cron: "0 */6 * * *" # every 6 hours
+  workflow_dispatch: {}
+
+jobs:
+  list-prs:
+    runs-on: ubuntu-latest
+    outputs:
+      prs: ${{ steps.list-prs.outputs.prs }}
+    env:
+      GH_TOKEN: ${{ secrets.REPLICATED_GH_PAT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: List PRs
+        id: list-prs
+        run: |
+          set -euo pipefail
+
+          # list prs that are less than 24h old and exclude prs from forks
+
+          dependabot_prs=$(
+            gh pr list \
+              --author 'dependabot[bot]' \
+              --json url,createdAt,headRefName,headRepository,headRepositoryOwner \
+              -q '.[] | select((.createdAt | fromdateiso8601 > now - 24*60*60) and .headRepositoryOwner.login == "replicatedhq" and .headRepository.name == "embedded-cluster")'
+          )
+
+          replicated_ci_prs=$(
+            gh pr list \
+              --author 'replicated-ci' \
+              --json url,createdAt,headRefName,headRepository,headRepositoryOwner \
+              -q '.[] | select((.createdAt | fromdateiso8601 > now - 24*60*60) and .headRepositoryOwner.login == "replicatedhq" and .headRepository.name == "embedded-cluster")'
+          )
+
+          prs=$(echo "$dependabot_prs" "$replicated_ci_prs" | jq -sc '. | unique')
+          echo "prs=$prs" >> "$GITHUB_OUTPUT"
+
+  process-prs:
+    needs: list-prs
+    runs-on: ubuntu-latest
+    if: needs.list-prs.outputs.prs != '[]'
+    strategy:
+      matrix:
+        pr: ${{ fromJson(needs.list-prs.outputs.prs) }}
+      fail-fast: false
+      max-parallel: 1
+    env:
+      GH_TOKEN: ${{ secrets.REPLICATED_GH_PAT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.pr.headRefName }}
+
+      - name: Process PR
+        run: |
+          set -euo pipefail
+
+          echo "Checking status of tests..."
+          run_id=$(gh run list --branch "${{ matrix.pr.headRefName }}" --workflow ci --limit 1 --json databaseId -q '.[0].databaseId')
+
+          # If there are still pending jobs, skip.
+
+          num_of_pending_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select(.conclusion == "") | .name' | wc -l)
+          if [ "$num_of_pending_jobs" -gt 0 ]; then
+            echo "There are still pending jobs. Skipping."
+            exit 0
+          fi
+
+          # If all tests and required checks passed, approve and merge.
+
+          if gh run view "$run_id" --json jobs -q '.jobs[] | select(.name == "validate-success") | .conclusion' | grep -q "success"; then
+            if gh pr checks "${{ matrix.pr.url }}" --required; then
+              echo "All tests and required checks passed. Approving and merging."
+              echo -e "LGTM :thumbsup: \n\nThis PR was automatically approved and merged by the [automated-prs-manager](https://github.com/replicatedhq/embedded-cluster/blob/main/.github/workflows/automated-prs-manager.yaml) GitHub action" > body.txt
+              gh pr review --approve "${{ matrix.pr.url }}" --body-file body.txt
+              sleep 10
+              gh pr merge --auto --squash "${{ matrix.pr.url }}"
+              exit 0
+            else
+              echo "All tests passed, but some required PR checks have not. Skipping."
+              exit 0
+            fi
+          fi
+
+          # If more than half of the e2e jobs are successful, re-run the failed jobs.
+
+          num_of_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select(.name | startswith("e2e")) | .name' | wc -l)
+          num_of_successful_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select((.name | startswith("e2e")) and (.conclusion == "success")) | .name' | wc -l)
+
+          if [ "$num_of_successful_jobs" -gt $((num_of_jobs / 2)) ]; then
+            echo "More than half of the e2e jobs are successful. Re-running failed jobs."
+            gh run rerun "$run_id" --failed
+            exit 0
+          fi
+
+          echo "Less than half of the e2e jobs are successful. Skipping."