ci: use global org workflows (#282)

* ci: use global workflows

Signed-off-by: Tyler Gillson <[email protected]>

* chore: trigger CI

Signed-off-by: Tyler Gillson <[email protected]>

* ci: add back workflow_dispatch directives

Signed-off-by: Tyler Gillson <[email protected]>

* ci: fix typos

Signed-off-by: Tyler Gillson <[email protected]>

* ci: fix test Make target

Signed-off-by: Tyler Gillson <[email protected]>

---------

Signed-off-by: Tyler Gillson <[email protected]>

Author: TylerGillson

.github/workflows/bulwark-gitleaks.yaml

@@ -0,0 +1,10 @@
+name: GitLeaks
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  call-gitleaks:
+    uses: validator-labs/workflows/.github/workflows/gitleaks.yaml@main
+    secrets: inherit

.github/workflows/bulwark-golicences.yaml

@@ -0,0 +1,10 @@
+name: GoLicenses
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  call-golicenses:
+    uses: validator-labs/workflows/.github/workflows/golicenses.yaml@main
+    secrets: inherit

.github/workflows/bulwark-gosec.yaml

@@ -0,0 +1,10 @@
+name: GoSec
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  call-gosec:
+    uses: validator-labs/workflows/.github/workflows/gosec.yaml@main
+    secrets: inherit

.github/workflows/bulwark-govulncheck.yaml

@@ -0,0 +1,10 @@
+name: GoVulnCheck
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  call-govulncheck:
+    uses: validator-labs/workflows/.github/workflows/govulncheck.yaml@main
+    secrets: inherit

.github/workflows/gitleaks.yaml

@@ -5,105 +5,8 @@ on:
     branches:
       - main
       - '[0-9]+.[0-9]+.x'
-  workflow_dispatch:
-
-env:
-  REGISTRY: quay.io
-  GITHUB_PAGES_BRANCH: gh_pages
-
-defaults:
-  run:
-    shell: bash
 
 jobs:
-  release-please:
-    permissions:
-      contents: write  # for google-github-actions/release-please-action to create release commit
-      pull-requests: write  # for google-github-actions/release-please-action to create release PR
-    runs-on: [self-hosted, Linux, X64, validator]
-    outputs:
-      releases_created: ${{ steps.release.outputs.releases_created }}
-      tag_name: ${{ steps.release.outputs.tag_name }}
-    # Release-please creates a PR that tracks all changes
-    steps:
-      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-
-      - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
-        id: release
-        with:
-          token: ${{ secrets.PAT }}
-
-  release-charts:
-    needs: release-please
-    permissions:
-      contents: write
-    runs-on: [self-hosted, Linux, X64, validator]
-    if: needs.release-please.outputs.releases_created == 'true'
-    steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-      - name: Publish Helm chart
-        uses: stefanprodan/helm-gh-pages@master
-        with:
-          token: ${{ secrets.PAT }}
-          charts_dir: chart
-          owner: validator-labs
-          branch: ${{ env.GITHUB_PAGES_BRANCH }}
-          commit_username: validator-labs-bot
-          commit_email: [email protected]
-          
-  build-container:
-    if: needs.release-please.outputs.releases_created == 'true'
-    needs:
-      - release-please
-    runs-on: [self-hosted, Linux, X64, validator]
-    permissions:
-      contents: write
-      packages: write
-      id-token: write
-    env:
-      IMAGE_TAG: quay.io/validator-labs/validator:${{ needs.release-please.outputs.tag_name }}
-      IMAGE_NAME: validator
-    steps:
-      - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-        with:
-          submodules: recursive
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
-        with:
-          registry: "quay.io"
-          username: ${{ secrets.QUAY_USER }}
-          password: ${{ secrets.QUAY_TOKEN }}
-
-      - name: Build Docker Image
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64
-          target: production
-          tags: |
-            ${{ env.IMAGE_TAG }}
-          builder: ${{ steps.buildx.outputs.name }}
-          push: true
-          cache-from: type=gha,scope=${{ github.ref_name }}-${{ env.IMAGE_TAG }}
-          cache-to: type=gha,scope=${{ github.ref_name }}-${{ env.IMAGE_TAG }}
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
-        with:
-          image: ${{ env.IMAGE_TAG }}
-          artifact-name: sbom-${{ env.IMAGE_NAME }}
-          output-file: ./sbom-${{ env.IMAGE_NAME }}.spdx.json
-
-      - name: Attach SBOM to release
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2
-        with:
-          tag_name: ${{ needs.release-please.outputs.tag_name }}
-          files: ./sbom-${{ env.IMAGE_NAME }}.spdx.json
+  call-release:
+    uses: validator-labs/workflows/.github/workflows/release.yaml@main
+    secrets: inherit

.github/workflows/golicences.yaml

@@ -7,82 +7,7 @@ on:
   pull_request:
   workflow_dispatch:
 
-concurrency:
-  group: test-${{ github.ref }}
-  cancel-in-progress: true
-
 jobs:
-  test:
-    name: Run Unit & Integration Tests
-    runs-on: [self-hosted, Linux, X64, validator]
-    steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-
-      - name: Set up Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
-        with:
-          cache: false
-          go-version-file: go.mod
-
-      - name: Set up Helm
-        run: make helm
-
-      - name: Test
-        run: make test
-
-      - name: Workaround for https://github.com/codecov/feedback/issues/263
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      - name: Codecov
-        uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4
-        with:
-          file: ./cover.out
-          fail_ci_if_error: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-
-  test-chart:
-    name: Run Helm Chart Tests
-    runs-on: [self-hosted, Linux, X64, validator]
-    if: "!(contains(github.head_ref, 'release-please') || contains(github.ref, 'release-please'))"
-    steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-        with:
-          fetch-depth: 0
-
-      - name: Set up Helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
-        with:
-          version: v3.11.2
-
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
-        with:
-          python-version: '3.9'
-          check-latest: true
-
-      - name: Set up chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
-
-      - name: Run chart-testing (list-changed)
-        id: list-changed
-        run: |
-          set -ex
-          changed=$(ct list-changed --chart-dirs chart --target-branch ${{ github.event.repository.default_branch }})
-          echo $changed
-          if [[ -n "$changed" ]]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Run chart-testing (lint)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: |
-          cd $GITHUB_WORKSPACE
-          ct lint --validate-maintainers=false --check-version-increment=false --chart-dirs chart --target-branch ${{ github.event.repository.default_branch }}
-
-      - name: Create kind cluster
-        if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
-
-      - name: Run chart-testing (install)
-        if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --chart-dirs chart  --target-branch ${{ github.event.repository.default_branch }}
+  call-test:
+    uses: validator-labs/workflows/.github/workflows/test.yaml@main
+    secrets: inherit

.github/workflows/gosec.yaml

@@ -66,7 +66,7 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 .PHONY: test
-test: manifests generate fmt vet envtest ## Run tests.
+test: manifests generate fmt vet envtest helm ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out
 
 ##@ Build