Merge branch 'main' into k0s-1-29

Author: emosbaugh

.github/actions/e2e/action.yml

@@ -7,24 +7,6 @@ inputs:
   is-large-runner:
     description: 'Whether the test is running on a large runner'
     required: true
-  airgap-license-id:
-    description: 'airgap-enabled license id to use for e2e tests'
-    required: true
-  snapshot-license-id:
-    description: 'snapshot-enabled license id to use for e2e tests'
-    required: true
-  snapshot-license:
-    description: 'snapshot-enabled license (b64) to use for e2e tests'
-    required: true
-  license-id:
-    description: 'license id to use for e2e tests'
-    required: true
-  airgap-snapshot-license-id:
-    description: 'airgap-snapshot-enabled license id to use for e2e tests'
-    required: true
-  license:
-    description: 'license (b64) to use for e2e tests'
-    required: true
   dr-aws-access-key-id:
     description: 'Disaster Recovery AWS Access Key ID'
     required: true
@@ -96,12 +78,6 @@ runs:
     run: |
       export SHORT_SHA=${{ inputs.version-specifier }}
       echo "${SHORT_SHA}"
-      export LICENSE_ID=${{ inputs.license-id }}
-      export AIRGAP_LICENSE_ID=${{ inputs.airgap-license-id }}
-      export SNAPSHOT_LICENSE_ID=${{ inputs.snapshot-license-id }}
-      export AIRGAP_SNAPSHOT_LICENSE_ID=${{ inputs.airgap-snapshot-license-id }}
-      echo "${{ inputs.license }}" | base64 --decode > e2e/license.yaml
-      echo "${{ inputs.snapshot-license }}" | base64 --decode > e2e/snapshot-license.yaml
       export DR_AWS_S3_ENDPOINT=https://s3.amazonaws.com
       export DR_AWS_S3_REGION=us-east-1
       export DR_AWS_S3_BUCKET=kots-testim-snapshots

.github/actions/scan-image/action.yml

@@ -1,4 +1,4 @@
-name: Scan image
+name: Scan Container Image Grype SARIF
 description: 'Scan a container image for vulnerabilities and optionally upload the results for GitHub code scanning'
 inputs:
   image-ref:
@@ -7,7 +7,35 @@ inputs:
   upload-sarif:
     description: 'Whether to upload the scan results as a SARIF file'
     required: false
-    default: 'false'
+    default: 'true'
+  severity-cutoff:
+    description: 'Minimum severity to report (critical, high, medium, low, negligible)'
+    required: false
+    default: 'medium'
+  fail-build:
+    description: 'Fail the workflow if vulnerabilities are found'
+    required: false
+    default: 'true'
+  output-file:
+    description: 'Output file name for SARIF results'
+    required: false
+    default: 'results.sarif'
+  timeout-minutes:
+    description: 'Maximum time in minutes to wait for the scan to complete'
+    required: false
+    default: '30'
+  retention-days:
+    description: 'Number of days to retain the scan results artifact'
+    required: false
+    default: '90'
+  category-prefix:
+    description: 'Prefix to use for the SARIF category name'
+    required: false
+    default: 'image-scan-'
+  only-fixed:
+    description: 'Only report vulnerabilities that have a fix available'
+    required: false
+    default: 'true'
 
 runs:
   using: composite
@@ -18,29 +46,92 @@ runs:
       run: |
         image_id=$(${{github.action_path}}/image_id.sh '${{ inputs.image-ref }}')
         echo "image_id=$image_id" >> $GITHUB_OUTPUT
+    
+    - name: Extract image details
+      id: image_details
+      shell: bash
+      run: |
+        IMAGE_NAME=$(echo "${{ inputs.image-ref }}" | cut -d':' -f1)
+        IMAGE_TAG=$(echo "${{ inputs.image-ref }}" | cut -d':' -f2 | cut -d'@' -f1)
+        [[ "$IMAGE_TAG" == "$IMAGE_NAME" ]] && IMAGE_TAG="latest"
+        SAFE_NAME=$(echo "${IMAGE_NAME}-${IMAGE_TAG}" | sed 's/[\/:]/-/g')
+        SAFE_IMAGE_NAME=$(echo "${IMAGE_NAME}" | sed 's/[\/:]/-/g')
+        {
+          echo "image_name=${IMAGE_NAME}"
+          echo "image_tag=${IMAGE_TAG}"
+          echo "safe_name=${SAFE_NAME}"
+          echo "safe_image_name=${SAFE_IMAGE_NAME}"
 
-    - name: Scan image
-      uses: aquasecurity/[email protected]
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Scan image with Grype
+      uses: anchore/scan-action@v6
+      id: scan
+      continue-on-error: ${{ inputs.fail-build != 'true' }}
       with:
-        image-ref: '${{ inputs.image-ref }}'
-        ignore-unfixed: true
-        severity: CRITICAL,HIGH,MEDIUM
-        exit-code: 1
-        trivyignores: .trivyignore
-
-    - name: Output sarif
-      uses: aquasecurity/[email protected]
+        image: "${{ inputs.image-ref }}"
+        fail-build: "${{ inputs.fail-build }}"
+        severity-cutoff: "${{ inputs.severity-cutoff }}"
+        output-format: sarif
+        output-file: "${{ inputs.output-file }}"
+        by-cve: true
+        only-fixed: "${{ inputs.only-fixed }}"
+
+    - name: Check scan status
+      if: steps.scan.outcome == 'failure' && inputs.fail-build == 'true'
+      shell: bash
+      run: |
+        echo "::error::Scan failed for image ${{ inputs.image-ref }}"
+        echo "Please check the scan logs above for details"
+        exit 1
+
+    - name: Enrich or generate SARIF
       if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
-      with:
-        image-ref: '${{ matrix.image }}'
-        format: sarif
-        output: trivy-results.sarif
-        ignore-unfixed: true
-        severity: CRITICAL,HIGH,MEDIUM
+      shell: bash
+      run: |
+        if [ ! -f ${{ inputs.output-file }} ]; then
+          echo "No SARIF file found — creating minimal empty SARIF"
+          echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"Anchore Grype","informationUri":"https://github.com/anchore/grype","rules":[]}},"results":[],"properties":{"isFallbackSarif":true}}]}' > ${{ inputs.output-file }}
+        fi
+
+        jq --arg imageRef "${{ inputs.image-ref }}" \
+           --arg repo "replicatedhq/embedded-cluster" \
+           --arg name "${{ steps.image_details.outputs.image_name }}" \
+           --arg tag "${{ steps.image_details.outputs.image_tag }}" \
+           --arg scanTime "$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
+           --arg digest "$(echo "${{ inputs.image-ref }}" | grep -o 'sha256:[a-f0-9]*' || true)" \
+           '.runs[0].properties = {
+              "imageRef": (if ($name | startswith("replicatedhq/embedded-cluster/")) then $name else ($name | sub("proxy\\.replicated\\.com/anonymous/(?:ttl\\.sh/runner/|registry\\.k8s\\.io/|kotsadm/|ttl\\.sh/replicated/|replicated/)"; "replicatedhq/embedded-cluster/")) end + ":" + $tag + (if $digest != "" then "@" + $digest else "" end)),
+              "repository": $repo,
+              "scanTime": $scanTime,
+              "imageMetadata": {
+                "name": (if ($name | startswith("replicatedhq/embedded-cluster/")) then $name else ($name | sub("proxy\\.replicated\\.com/anonymous/(?:ttl\\.sh/runner/|registry\\.k8s\\.io/|kotsadm/|ttl\\.sh/replicated/|replicated/)"; "replicatedhq/embedded-cluster/")) end),
+                "tag": $tag,
+                "digest": ($digest | if . == "" then null else . end),
+                "repoDigest": (if ($name | startswith("replicatedhq/embedded-cluster/")) then $name else ($name | sub("proxy\\.replicated\\.com/anonymous/(?:ttl\\.sh/runner/|registry\\.k8s\\.io/|kotsadm/|ttl\\.sh/replicated/|replicated/)"; "replicatedhq/embedded-cluster/")) end + "@" + ($digest | if . == "" then null else . end)),
+                "labels": {},
+                "annotations": {
+                  "scanTime": $scanTime,
+                  "tool": "grype",
+                  "toolVersion": "latest"
+                }
+              }
+            }' ${{ inputs.output-file }} > enriched-results.sarif
 
-    - name: Upload sarif
+        mv enriched-results.sarif ${{ inputs.output-file }}
+
+    - name: Upload SARIF file
       if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
       uses: github/codeql-action/upload-sarif@v3
       with:
-        sarif_file: trivy-results.sarif
-        category: 'image-scan:${{ steps.image-id.outputs.image_id }}'
+        sarif_file: ${{ inputs.output-file }}
+        category: '${{ inputs.category-prefix }}${{ steps.image_details.outputs.safe_image_name }}'
+
+
+    - name: Archive scan results
+      if: ${{ !cancelled() && inputs.upload-sarif == 'true' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: "sarif-${{ steps.image_details.outputs.safe_name }}"
+        path: ${{ inputs.output-file }}
+        retention-days: ${{ inputs.retention-days }}

.github/workflows/ci.yaml

@@ -176,6 +176,8 @@ jobs:
 
       - uses: oras-project/setup-oras@v1
 
+      - uses: imjasonh/[email protected]
+
       - name: Install dagger
         run: |
           curl -fsSL https://dl.dagger.io/dagger/install.sh | sh
@@ -248,6 +250,8 @@ jobs:
 
       - uses: oras-project/setup-oras@v1
 
+      - uses: imjasonh/[email protected]
+
       - name: Install dagger
         run: |
           curl -fsSL https://dl.dagger.io/dagger/install.sh | sh
@@ -355,6 +359,8 @@ jobs:
 
       - uses: oras-project/setup-oras@v1
 
+      - uses: imjasonh/[email protected]
+
       - name: Install dagger
         run: |
           curl -fsSL https://dl.dagger.io/dagger/install.sh | sh
@@ -682,17 +688,9 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
       - name: Free up runner disk space
         uses: ./.github/actions/free-disk-space
-      - name: Write license files
-        run: |
-          echo "${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}" | base64 --decode > e2e/license.yaml
-          echo "${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}" | base64 --decode > e2e/snapshot-license.yaml
       - name: Run test
         env:
           SHORT_SHA: dev-${{ needs.git-sha.outputs.git_sha }}
-          LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
-          AIRGAP_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
-          SNAPSHOT_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
-          AIRGAP_SNAPSHOT_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
           DR_AWS_S3_ENDPOINT: https://s3.amazonaws.com
           DR_AWS_S3_REGION: us-east-1
           DR_AWS_S3_BUCKET: kots-testim-snapshots
@@ -764,12 +762,6 @@ jobs:
         with:
           test-name: '${{ matrix.test }}'
           is-large-runner: ${{ matrix.runner == 'embedded-cluster-2' }}
-          airgap-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
-          snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
-          snapshot-license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}
-          airgap-snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
-          license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
-          license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}
           dr-aws-access-key-id: ${{ secrets.TESTIM_AWS_ACCESS_KEY_ID }}
           dr-aws-secret-access-key: ${{ secrets.TESTIM_AWS_SECRET_ACCESS_KEY }}
           k0s-version: ${{ needs.build-current.outputs.k0s_version }}
@@ -807,12 +799,6 @@ jobs:
         with:
           test-name: '${{ matrix.test }}'
           is-large-runner: ${{ matrix.runner == 'embedded-cluster-2' }}
-          airgap-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
-          snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
-          snapshot-license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}
-          airgap-snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
-          license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
-          license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}
           dr-aws-access-key-id: ${{ secrets.TESTIM_AWS_ACCESS_KEY_ID }}
           dr-aws-secret-access-key: ${{ secrets.TESTIM_AWS_SECRET_ACCESS_KEY }}
           k0s-version: ${{ needs.build-current.outputs.k0s_version }}
@@ -824,7 +810,7 @@ jobs:
   # it is used for the github branch protection rule
   validate-success:
     name: Validate success # this name is used by .github/workflows/automated-prs-manager.yaml
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs:
       - e2e
       - e2e-main

.github/workflows/image-deps-updater.yaml

@@ -26,7 +26,7 @@ on:
 
 jobs:
   compile-buildtools:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -48,7 +48,7 @@ jobs:
         path: output/bin/buildtools
 
   update-addon-images:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [compile-buildtools]
     strategy:
       fail-fast: false

.github/workflows/image-scan.yaml

@@ -135,3 +135,9 @@ jobs:
         with:
           image-ref: '${{ matrix.image }}'
           upload-sarif: ${{ github.ref == 'refs/heads/main' }}
+          fail-build: 'true'
+          severity-cutoff: 'medium'
+          output-file: 'results.sarif'
+          retention-days: '90'
+          category-prefix: 'image-scan-'
+          only-fixed: 'true'

.github/workflows/release-prod.yaml

@@ -150,6 +150,8 @@ jobs:
 
       - uses: oras-project/setup-oras@v1
 
+      - uses: imjasonh/[email protected]
+
       - name: Download buildtools artifact
         uses: actions/download-artifact@v4
         with:
@@ -427,7 +429,8 @@ jobs:
           path: output/bin
       - name: Download current binary
         env:
-          LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
+          # staging ci license id
+          LICENSE_ID: 2cQCFfBxG7gXDmq1yAgPSM4OViF
         run: |
           export APP_VERSION="appver-${{ github.ref_name }}"
           curl --retry 5 --retry-all-errors -fL -o embedded-cluster-smoke-test-staging-app-ci.tgz "https://ec-e2e-replicated-app.testcluster.net/embedded/embedded-cluster-smoke-test-staging-app/ci/${APP_VERSION}" -H "Authorization: $LICENSE_ID"
@@ -514,17 +517,9 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
       - name: Free up runner disk space
         uses: ./.github/actions/free-disk-space
-      - name: Write license files
-        run: |
-          echo "${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}" | base64 --decode > e2e/license.yaml
-          echo "${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}" | base64 --decode > e2e/snapshot-license.yaml
       - name: Run test
         env:
           SHORT_SHA: ${{ github.ref_name }}
-          LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
-          AIRGAP_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
-          SNAPSHOT_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
-          AIRGAP_SNAPSHOT_LICENSE_ID: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
           DR_AWS_S3_ENDPOINT: https://s3.amazonaws.com
           DR_AWS_S3_REGION: us-east-1
           DR_AWS_S3_BUCKET: kots-testim-snapshots
@@ -598,12 +593,6 @@ jobs:
         with:
           test-name: '${{ matrix.test }}'
           is-large-runner: ${{ matrix.runner == 'embedded-cluster-2' }}
-          airgap-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_LICENSE_ID }}
-          snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE_ID }}
-          snapshot-license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_SNAPSHOT_LICENSE }}
-          airgap-snapshot-license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_AIRGAP_SNAPSHOT_LICENSE_ID }}
-          license-id: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE_ID }}
-          license: ${{ secrets.STAGING_EMBEDDED_CLUSTER_LICENSE }}
           dr-aws-access-key-id: ${{ secrets.TESTIM_AWS_ACCESS_KEY_ID }}
           dr-aws-secret-access-key: ${{ secrets.TESTIM_AWS_SECRET_ACCESS_KEY }}
           version-specifier: ${{ github.ref_name }}
@@ -616,7 +605,7 @@ jobs:
   # this job will validate that all the tests passed
   validate-release-success:
     name: Validate success
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs:
       - e2e
       - e2e-docker