diff --git a/pipelines/cleanup-aws/pipeline.yml b/pipelines/cleanup-aws/pipeline.yml index 68c52e72e..3f93ab3c6 100644 --- a/pipelines/cleanup-aws/pipeline.yml +++ b/pipelines/cleanup-aws/pipeline.yml @@ -1,4 +1,4 @@ -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 display: @@ -11,9 +11,9 @@ resources: type: git icon: github source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) jobs: diff --git a/pipelines/dockerfile-builders/pipeline.yml b/pipelines/dockerfile-builders/pipeline.yml index fa7f841af..0016ef22a 100644 --- a/pipelines/dockerfile-builders/pipeline.yml +++ b/pipelines/dockerfile-builders/pipeline.yml @@ -55,9 +55,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/k8s-app-deployer/Dockerfile ] - name: k8s-app-deployer-image @@ -75,9 +75,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/deployment-yaml-formatter/Dockerfile ] - name: deployment-yaml-formatter-image 
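Review bot: In the cleanup-aws `@@ -11,9` hunk (and the two dockerfile-builders hunks on this line) the git resource is given `username: ((ci-bot-access-token-with-read-only-public-repos))` with no `password`; as far as I recall the Concourse git resource only writes credentials when both fields are set, so the token would not actually be sent — harmless for an anonymous clone of a public repo, but worth confirming against the resource version in use, because the same shape is reused for the write-capable `pinniped-write` and `homebrew-pinniped` resources in the main pipeline, where a silently missing credential becomes a failed push. If the token is meant to be presented, GitHub accepts it as the password with a fixed username: `username: x-access-token` / `password: ((ci-bot-access-token-with-read-only-public-repos))`. The same pattern repeats in the remaining dockerfile-builders hunks and in the kind-node-builder, main and security-scan hunks below; it is one decision applied per resource, not a per-hunk fix.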
@@ -95,9 +95,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/integration-test-runner/Dockerfile ] - name: integration-test-runner-beta-dockerfile @@ -105,9 +105,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/integration-test-runner-beta/Dockerfile ] - name: integration-test-runner-image @@ -135,9 +135,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/code-coverage-uploader/Dockerfile ] - name: code-coverage-uploader-image @@ -155,9 +155,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: - dockerfiles/pool-trigger-resource/Dockerfile - "dockerfiles/pool-trigger-resource/assets/*" @@ -257,9 +257,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/k8s-code-generator/* ] - name: test-forward-proxy-image-ghcr 
@@ -277,9 +277,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/test-forward-proxy/* ] - name: test-bitnami-ldap-image-ghcr @@ -297,9 +297,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/test-bitnami-ldap/Dockerfile ] - name: test-dex-image @@ -317,9 +317,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/test-dex/Dockerfile ] - name: test-cfssl-image @@ -337,9 +337,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/test-cfssl/Dockerfile ] - name: test-kubectl-image @@ -357,9 +357,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/test-kubectl/Dockerfile ] - name: gh-cli-image 
@@ -377,9 +377,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/gh-cli/Dockerfile ] - name: crane-image @@ -397,9 +397,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/crane/Dockerfile ] - name: eks-deployer-dockerfile @@ -407,9 +407,9 @@ resources: icon: github <<: *check-every-for-dockerfile source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) paths: [ dockerfiles/eks-deployer/Dockerfile ] - name: eks-deployer-image diff --git a/pipelines/kind-node-builder/pipeline.yml b/pipelines/kind-node-builder/pipeline.yml index cdfac3955..48a9778bc 100644 --- a/pipelines/kind-node-builder/pipeline.yml +++ b/pipelines/kind-node-builder/pipeline.yml @@ -50,9 +50,9 @@ resources: type: git icon: github source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) - name: daily type: time diff --git a/pipelines/main/pipeline.yml b/pipelines/main/pipeline.yml index 818de7f7c..8f0afc714 100644 --- a/pipelines/main/pipeline.yml +++ b/pipelines/main/pipeline.yml 
@@ -118,7 +118,7 @@ meta: image: integration-test-runner-image timeout: 15m params: - GCS_BUCKET: pinniped-ci-archive + GCS_BUCKET: pinniped-ci-logs GCP_PROJECT: ((gcp-project-name)) GCP_USERNAME: ((gcp-cluster-diagnostic-uploader-username)) GCP_JSON_KEY: ((gcp-cluster-diagnostic-uploaded-json-key)) @@ -299,26 +299,35 @@ resources: icon: github check_every: 1m source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: main - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) + + - name: pinniped-write + type: git + icon: github + check_every: 10m + source: + uri: https://github.com/vmware/pinniped.git + branch: main + username: ((ci-bot-access-token-with-public-repo-write-permission)) - name: pinniped-ci type: git icon: github source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) - name: homebrew-pinniped type: git icon: github check_every: 5m source: - uri: git@github.com:vmware-tanzu/homebrew-pinniped.git + uri: https://github.com/vmware/homebrew-pinniped.git branch: main - private_key: ((homebrew-repo-read-write-deploy-key)) + username: ((ci-bot-access-token-with-public-repo-write-permission)) - name: ci-build-image type: registry-image 
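Review bot: The new `pinniped-write` resource in the `@@ -299,26` hunk carries a write-capable token but nothing says why it exists next to the read-only `pinniped` resource, so a later edit could easily use one where the other was intended. A short comment above it would pin the least-privilege split, e.g. `# Write-capable checkout of main: use only in put steps that push (version/docs bumps); every get should use pinniped.` The `homebrew-pinniped` resource in the same hunk also moves to the write token and would benefit from the same one-liner.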
@@ -1818,10 +1827,12 @@ jobs: # The following Jumpcloud params will cause the integration tests to use Jumpcloud instead of OpenLDAP. # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run # them on one version to get some coverage. - <<: *jumpcloud_integration_env_vars + # TODO: replace this with some other LDAP and open firewall for outgoing LDAP and LDAPs +# <<: *jumpcloud_integration_env_vars # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage. - <<: *active_directory_integration_env_vars + # TODO: bring this back with a new AD server +# <<: *active_directory_integration_env_vars # The following params enable the GitHub integration tests. We don't need to run these on every # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage. <<: *github_integration_env_vars @@ -2684,7 +2695,7 @@ jobs: timeout: 30m file: pinniped-ci/pipelines/shared-tasks/update-version-and-cli-docs/task.yml input_mapping: { pinniped-in: pinniped } - - put: pinniped + - put: pinniped-write params: repository: pinniped-out diff --git a/pipelines/pull-requests/pipeline.yml b/pipelines/pull-requests/pipeline.yml index 1245d887d..28b888e44 100644 --- a/pipelines/pull-requests/pipeline.yml +++ b/pipelines/pull-requests/pipeline.yml @@ -91,7 +91,7 @@ meta: image: integration-test-runner-image timeout: 15m params: - GCS_BUCKET: pinniped-ci-archive + GCS_BUCKET: pinniped-ci-logs GCP_PROJECT: ((gcp-project-name)) GCP_USERNAME: ((gcp-cluster-diagnostic-uploader-username)) GCP_JSON_KEY: ((gcp-cluster-diagnostic-uploaded-json-key)) 
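Review bot: In the `@@ -1818,10` hunk the `<<: *jumpcloud_integration_env_vars` and `<<: *active_directory_integration_env_vars` merges are commented out with the `#` at column 0 inside an indented mapping; it parses, but it reads as a stray top-level comment and yamllint's comment-indentation check is likely to flag it. Indenting the `#` to the surrounding key level and pointing the TODO at a tracking reference would keep the lost LDAP/AD integration coverage visible, e.g. `# TODO(<issue-id>): Jumpcloud LDAP tests disabled pending a replacement server and outbound LDAP/LDAPS firewall rules`. If the `jumpcloud_integration_env_vars` and `active_directory_integration_env_vars` anchors are still defined earlier in the file (not visible here), they are now unreferenced and may trip a linter too. The same change appears in the pull-requests `@@ -1219,10` hunk.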
@@ -923,7 +923,8 @@ jobs: version: every passed: # First we list everything that should be triggered by the first ready-for-int. - - scan-image + # TODO: bring back scan-image after upgrading Golang to resolve CVEs in a PR +# - scan-image - integration-test-oldest - integration-test-latest - integration-test-latest-arm64 @@ -1219,10 +1220,12 @@ jobs: # The following Jumpcloud params will cause the integration tests to use Jumpcloud instead of OpenLDAP. # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run # them on one version to get some coverage. - <<: *jumpcloud_integration_env_vars + # TODO: replace this with some other LDAP and open firewall for outgoing LDAP and LDAPs +# <<: *jumpcloud_integration_env_vars # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage. - <<: *active_directory_integration_env_vars + # TODO: bring this back with a new AD server +# <<: *active_directory_integration_env_vars # The following params enable the GitHub integration tests. We don't need to run these on every # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage. <<: *github_integration_env_vars diff --git a/pipelines/security-scan/pipeline.yml b/pipelines/security-scan/pipeline.yml index 14ec4500e..353c66b63 100644 --- a/pipelines/security-scan/pipeline.yml +++ b/pipelines/security-scan/pipeline.yml @@ -1,4 +1,4 @@ -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 display: 
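Review bot: In the `@@ -923,7` hunk, `scan-image` drops out of the `passed:` list for the downstream job, so PR builds no longer gate on the container-image scan at all, rather than only tolerating the findings the TODO attributes to the current Go version. A less blunt interim is to keep `scan-image` triggered so new findings stay visible in the pipeline while it is not a gate — left out of `passed:` but still running — and to give the TODO a tracking reference, e.g. `# TODO(<issue-id>): re-add scan-image to passed once the Go upgrade clears the current CVE findings`. Whether the scan job itself is still triggered by `ready-for-int` is outside this hunk.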
@@ -63,9 +63,9 @@ resources: type: git icon: github source: - uri: git@github.com:vmware-tanzu/pinniped.git + uri: https://github.com/vmware/pinniped.git branch: ci - private_key: ((source-repo-deploy-key)) + username: ((ci-bot-access-token-with-read-only-public-repos)) - name: pinniped-latest-release-image type: registry-image @@ -263,7 +263,6 @@ jobs: image: gh-cli-image file: pinniped-ci/pipelines/shared-tasks/create-or-update-pr/task.yml params: - DEPLOY_KEY: ((source-repo-deploy-key)) GH_TOKEN: ((ci-bot-access-token-with-public-repo-write-permission)) input_mapping: pinniped: pinniped-out diff --git a/pipelines/shared-tasks/create-or-update-pr/task.sh b/pipelines/shared-tasks/create-or-update-pr/task.sh index c0484631c..77a97e600 100755 --- a/pipelines/shared-tasks/create-or-update-pr/task.sh +++ b/pipelines/shared-tasks/create-or-update-pr/task.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail 
@@ -12,22 +12,10 @@ cd pinniped # Print the current status to the log. git status -# Copied from https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints -github_hosts=' -github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl -github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= -github.com ssh-rsa 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 -' - # Prepare to be able to do commits and pushes. -ssh_dir="$HOME"/.ssh/ -mkdir "$ssh_dir" -echo "$github_hosts" >"$ssh_dir"/known_hosts -echo "${DEPLOY_KEY}" >"$ssh_dir"/id_rsa -chmod 600 "$ssh_dir"/id_rsa git config user.email "pinniped-ci-bot@users.noreply.github.com" git config user.name "Pinny" -git remote add ssh_origin "git@github.com:vmware-tanzu/pinniped.git" +git remote add https_origin "${GH_TOKEN}@https://github.com/vmware/pinniped.git" # Add all the changed files. git add . @@ -45,7 +33,7 @@ fi # Check if the branch already exists on the remote. new_branch="no" -if [[ -z "$(git ls-remote ssh_origin "$branch")" ]]; then +if [[ -z "$(git ls-remote https_origin "$branch")" ]]; then echo "The branch does not already exist, so create it." git checkout -b "$branch" git status @@ -56,7 +44,7 @@ else git status git stash # Fetch all the remote branches so we can use one of them. - git fetch ssh_origin + git fetch https_origin # The branch already exists, so reuse it. git checkout "$branch" # Pull to sync up commits with the remote branch. @@ -83,7 +71,7 @@ git commit -m "Bump dependencies" if [[ "$new_branch" == "yes" ]]; then # Push the new branch to the remote. echo "Pushing the new branch." - git push --set-upstream ssh_origin "$branch" + git push --set-upstream https_origin "$branch" else # Force push the existing branch to the remote. echo "Force pushing the existing branch."
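Review bot: In the `@@ -12,22` hunk the new remote URL `"${GH_TOKEN}@https://github.com/vmware/pinniped.git"` puts the credential before the scheme, which is not a valid HTTPS URL (git would most likely read it as scp-style `user@host:path` with host `https`), so the `ls-remote`, `fetch` and `push` calls in the later hunks should all fail. Embedding the token in the remote URL is also a leak path: it lands in `.git/config` and can be echoed by git error output for a failed fetch or push, straight into the build log. Since this task runs on the gh-cli image with `GH_TOKEN` already set, the cleaner fix is a plain URL plus a credential helper: `git remote add https_origin "https://github.com/vmware/pinniped.git"` followed by `gh auth setup-git` (if the image's gh is recent enough to have it), or a one-line helper that emits `username=x-access-token` / `password=${GH_TOKEN}`. If the URL form is kept, the minimal correct form is `https://x-access-token:${GH_TOKEN}@github.com/vmware/pinniped.git`.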