diff --git a/.github/workflows/auto-update.yaml b/.github/workflows/auto-update.yaml
index f53bd21..959d9bd 100644
--- a/.github/workflows/auto-update.yaml
+++ b/.github/workflows/auto-update.yaml
@@ -20,5 +20,5 @@ concurrency:
jobs:
auto-update:
- uses: defenseunicorns/uds-common/.github/workflows/callable-auto-update.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-auto-update.yaml@chainguard-creds # testing
secrets: inherit # Inherits all secrets from the parent workflow.
diff --git a/.github/workflows/chainguard.yaml b/.github/workflows/chainguard.yaml
new file mode 100644
index 0000000..c550c88
--- /dev/null
+++ b/.github/workflows/chainguard.yaml
@@ -0,0 +1,25 @@
+# Copyright 2024-2026 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+name: Test Chainguard Login
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ chainguard-login:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Login to Chainguard
+ uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 # v0.5.1
+ with:
+ identity: ${{ secrets.CHAINGUARD_IDENTITY }}
+
+ # - name: Pull a cgr.dev image to verify auth
+ # run: docker pull cgr.dev/chainguard/static:latest
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index a491bcd..6b0caf7 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -15,4 +15,4 @@ permissions:
jobs:
validate:
- uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@chainguard-creds # testing
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 9e7274c..266bd8b 100644
--- a/.github/workflows/lint.yaml
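Review bot: The `+` line replaces the commit-SHA pin `@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7` with the mutable branch ref `@chainguard-creds # testing`, and the `secrets: inherit` context line under it hands every repository secret to whatever that branch contains at the moment the workflow runs. The same swap is made in commitlint.yaml, lint.yaml, release.yaml, scan.yaml, scorecard.yaml (commented out), both `uses:` lines in test.yaml, and the nine tasks.yaml includes, which fetch task definitions from raw.githubusercontent.com at that branch and execute them both locally and in CI. The `# testing` markers suggest this is temporary, so treat the PR as a draft until the uds-common change lands and every reference is re-pinned, e.g. `uses: defenseunicorns/uds-common/.github/workflows/callable-auto-update.yaml@<uds-common-commit-sha> # <tag>` and `https://raw.githubusercontent.com/defenseunicorns/uds-common/<tag>/tasks/create.yaml`. Scorecard's Pinned-Dependencies check is what would flag each of these lines, and that workflow is disabled in this same commit.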
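Review bot: The new workflow triggers on `pull_request` while the login step needs `secrets.CHAINGUARD_IDENTITY` and an OIDC token via `id-token: write`; GitHub withholds repository secrets and issues the token with a pull_request subject for runs from forks, so on external PRs the step will fail or be rejected by the identity's trust policy unless that subject is allowed — confirm this against the identity configuration or restrict the trigger. The only step that would prove the credentials actually work, the `docker pull cgr.dev/chainguard/static:latest` at the end of the file, is commented out, so a green run shows only that the token exchange succeeded. If this file is meant to outlive the test phase, enable a pull of an image this identity is expected to reach (the `cgr.dev/defenseunicorns.com` images referenced in zarf.yaml) and add a header comment such as `# Smoke test: exchange the GitHub OIDC token for Chainguard credentials using the identity in CHAINGUARD_IDENTITY.`; otherwise drop the file before merge.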
+++ b/.github/workflows/lint.yaml
@@ -15,5 +15,5 @@ permissions:
jobs:
validate:
- uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-lint.yaml@chainguard-creds # testing
secrets: inherit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2435d8c..b3ea8dc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -27,7 +27,7 @@ jobs:
exclude:
- flavor: registry1
architecture: arm64
- uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-publish.yaml@chainguard-creds # testing
with:
flavor: ${{ matrix.flavor }}
options: --set BASE_REPO="ghcr.io/uds-packages"
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 708103e..1ded191 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -18,5 +18,5 @@ jobs:
packages: read # Allows reading the content of the repository's packages.
id-token: write # Allows authentication to Chainguard via OIDC.
pull-requests: write # Allows writing the scan results comment to the pull request.
- uses: defenseunicorns/uds-common/.github/workflows/callable-scan.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-scan.yaml@chainguard-creds # testing
secrets: inherit # Inherits all secrets from the parent workflow.
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 128e5e5..073bec1 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -1,36 +1,36 @@
-# Copyright 2024 Defense Unicorns
-# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+# # Copyright 2024 Defense Unicorns
+# # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
-name: Scorecards supply-chain security
-on:
- # Only the default branch is supported.
- branch_protection_rule:
- schedule:
- - cron: '30 1 * * 6'
- push:
- branches: ["main"]
+# name: Scorecards supply-chain security
+# on:
+# # Only the default branch is supported.
+# branch_protection_rule:
+# schedule:
+# - cron: '30 1 * * 6'
+# push:
+# branches: ["main"]
-# Declare default permissions as read only.
-permissions: read-all
+# # Declare default permissions as read only.
+# permissions: read-all
-jobs:
- validate:
- permissions:
- actions: read
- attestations: read
- checks: read
- contents: read
- deployments: read
- discussions: read
- issues: read
- packages: read
- pages: read
- pull-requests: read
- repository-projects: read
- statuses: read
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Used to receive a badge.
- id-token: write
- uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
- secrets: inherit
+# jobs:
+# validate:
+# permissions:
+# actions: read
+# attestations: read
+# checks: read
+# contents: read
+# deployments: read
+# discussions: read
+# issues: read
+# packages: read
+# pages: read
+# pull-requests: read
+# repository-projects: read
+# statuses: read
+# # Needed to upload the results to code-scanning dashboard.
+# security-events: write
+# # Used to receive a badge.
+# id-token: write
+# uses: defenseunicorns/uds-common/.github/workflows/callable-scorecard.yaml@chainguard-creds # testing
+# secrets: inherit
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index fb90937..0c82818 100644
--- a/.github/workflows/test.yaml
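Review bot: Every line of the Scorecard workflow is commented out, which disables the supply-chain check in the same commit that replaces SHA-pinned workflow references with a mutable branch everywhere else, so the Pinned-Dependencies regression this check exists to surface will go unreported for as long as the branch refs are in use. A workflow file that contains only comments is also likely to appear as an invalid workflow in the Actions tab rather than being ignored, so if the weekly run really has to stop during testing, deleting the file or narrowing `on:` is the cleaner, reversible change. Either way, leave a one-line reason at the top, e.g. `# Temporarily disabled while uds-common@chainguard-creds is under test; restore before merge.`, and restore the workflow before this merges.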
+++ b/.github/workflows/test.yaml
@@ -29,7 +29,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: test-flavor
- uses: defenseunicorns/uds-common/.github/actions/test-flavor@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/actions/test-flavor@chainguard-creds # testing
id: test-flavor
outputs:
upgrade-flavors: ${{ steps.test-flavor.outputs.upgrade-flavors }}
@@ -41,7 +41,7 @@ jobs:
matrix:
type: [install, upgrade]
flavor: [upstream, registry1, unicorn]
- uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@ca1b4cfb1cee43c7b3d15461e53fd873660de821 # v1.24.7
+ uses: defenseunicorns/uds-common/.github/workflows/callable-test.yaml@chainguard-creds # testing
with:
options: --set BASE_REPO="ghcr.io/uds-packages"
upgrade-flavors: ${{ needs.check-flavor.outputs.upgrade-flavors }}
diff --git a/tasks.yaml b/tasks.yaml
index 7d702ad..713d5bf 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -3,15 +3,15 @@ includes:
- test: ./tasks/test.yaml
- - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/create.yaml
- - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/publish.yaml
- - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/lint.yaml
- - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/pull.yaml
- - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/deploy.yaml
- - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/setup.yaml
- - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/actions.yaml
- - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/badge.yaml
- - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.24.7/tasks/upgrade.yaml
+ - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/create.yaml
+ - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/publish.yaml
+ - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/lint.yaml
+ - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/pull.yaml
+ - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/deploy.yaml
+ - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/setup.yaml
+ - actions: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/actions.yaml
+ - badge: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/badge.yaml
+ - upgrade: https://raw.githubusercontent.com/defenseunicorns/uds-common/chainguard-creds/tasks/upgrade.yaml
tasks:
- name: default
@@ -20,7 +20,7 @@ tasks:
- task: create-dev-package
- task: setup:k3d-test-cluster
- task: create-deploy-test-bundle
-
+#
- name: create-dev-package
description: Create the Postgres Operator package
actions:
@@ -42,7 +42,7 @@ tasks:
- task: create:test-bundle
- task: deploy:test-bundle
-# CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names
+ # CI will execute the following (via uds-common/.github/workflows/callable-[test|publish].yaml) so they need to be here with these names
- name: test-install
description: Test the health of a Postgres Operator deployment
diff --git a/zarf.yaml b/zarf.yaml
index b874dc9..9836943 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -86,10 +86,10 @@ components:
valuesFiles:
- ./values/unicorn-config-values.yaml
images:
- - quay.io/rfcurated/zalando/postgres-operator:1.15-jammy-scratch-fips-rfcurated
+ - cgr.dev/defenseunicorns.com/postgres-operator:1.15.1
- quay.io/rfcurated/zalando/postgres-operator/logical-backup:1.15-jammy-scratch-fips-rfcurated
- - quay.io/rfcurated/zalando/pgbouncer:32-jammy-rfcurated
+ - cgr.dev/defenseunicorns.com/pgbouncer:1.25.1
# Docker image that provides PostgreSQL and Patroni bundled together for PostgreSQL HA
- - quay.io/rfcurated/zalando/spilo-17:4.0-p3-jammy-fips-rfcurated
+ - cgr.dev/defenseunicorns.com/spilo-17:4.1.2
# Container image that provides the postgres-exporter sidecar to create a metrics endpoint
- - quay.io/rfcurated/prometheuscommunity/postgres-exporter:0.19.1-jammy-scratch-bnt-fips-rfcurated
+ - cgr.dev/defenseunicorns.com/prometheus-postgres-exporter:0.19.1
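Review bot: The `+#` line appears to replace the blank line that separated the `default` task's action list from `- name: create-dev-package` with a bare `#`, which reads as a stray keystroke rather than a comment. Restore the blank line, or if a divider was intended write a real one, e.g. `# --- package build tasks ---`. The enclosing `tasks:` list starts before this hunk and continues after it.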
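Review bot: After this hunk the component's `images:` list mixes registries: postgres-operator, pgbouncer, spilo-17 and the exporter move to `cgr.dev/defenseunicorns.com/...`, while the unchanged context line still pulls `quay.io/rfcurated/zalando/postgres-operator/logical-backup:1.15-jammy-scratch-fips-rfcurated`, so one component now depends on two registries with separate authentication and provenance. Three of the four replaced rfcurated tags carried a `fips` marker and this component uses `./values/unicorn-config-values.yaml`, while the new cgr.dev tags carry no such marker, so confirm the replacement images meet the same requirement and check whether logical-backup was left behind deliberately or simply has no cgr.dev equivalent yet. Since pulling from `cgr.dev/defenseunicorns.com` presumably needs the Chainguard login this PR wires into CI, a comment above the first cgr.dev entry such as `# cgr.dev/defenseunicorns.com images require Chainguard auth (see setup-chainctl in the workflows)` would explain the new credential dependency to anyone running `create` locally.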