Merge branch 'main' into belay_main

Relu808 · Relu808 · commit d23db0e9c66e · 2025-03-27T20:50:01.000-10:00
* main:
  Enabled portage code scan
  Switch to just recording the default (origin) remote URL, isntead of 'owner'
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -0,0 +1,23 @@
+name: Scan gatecheck
+run-name: "Scan the gatecheck codebase"
+permissions:
+  contents: read
+  checks: write
+  packages: write
+on:
+  workflow_dispatch:
+  push:
+    branches: [ '*' ]
+    tags: [ '*' ]
+jobs:
+  code_scan:
+    runs-on: ubuntu-latest
+    name: Portage Code Scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Portage CD Scans
+        uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@main
+        with:
+          image_build_enabled: 'false'
+          image_scan_enabled: 'false'
diff --git a/.portage.yml b/.portage.yml
@@ -1,39 +1,42 @@
 # Base Configuration
 version: "1"
-imageTag: "ghcr.io/easy-up/gatecheck:latest"  # The full image tag for the target container image (e.g. my-org/my-app:latest)
+# gatecheck doesn't have an official Dockerfile
+# imageTag: "ghcr.io/easy-up/gatecheck:latest"  # The full image tag for the target container image (e.g. my-org/my-app:latest)
 artifactDir: "artifacts"   # Directory for generated artifacts (e.g. ./artifacts)
 gatecheckBundleFilename: "gatecheck-bundle.tar.gz"  # Filename for the gatecheck bundle (e.g. gatecheck-bundle.tar.gz)
 
-# Image Build Configuration
+# Image Build Configuration (gatecheck doesn't have an official Dockerfile)
 imageBuild:
   enabled: false           # Enable/Disable the image build pipeline (true/false)
-  buildDir: "."          # Build directory for image (e.g. ./cmd/portage)
+  buildDir: "."            # Build directory for image (e.g. ./cmd/portage)
   dockerfile: "Dockerfile" # Dockerfile to use (e.g. ./cmd/portage/Dockerfile)
-  platform: ""           # Target platform (e.g. linux/amd64, linux/arm64)
-  target: ""            # Target stage for multi-stage builds (e.g. build, test, publish)
-  cacheTo: ""           # Cache export location (e.g. type=local,dest=path)
-  cacheFrom: ""         # Cache import location (e.g. type=local,src=path)
-  squashLayers: false   # Whether to squash layers (true/false)
-  args: {}              # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
+  platform: ""             # Target platform (e.g. linux/amd64, linux/arm64)
+  target: ""               # Target stage for multi-stage builds (e.g. build, test, publish)
+  cacheTo: ""              # Cache export location (e.g. type=local,dest=path)
+  cacheFrom: ""            # Cache import location (e.g. type=local,src=path)
+  squashLayers: false      # Whether to squash layers (true/false)
+  args: {}                 # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
 
-# Image Scan Configuration
+# Image Scan Configuration (gatecheck doesn't have an official Dockerfile)
 imageScan:
-  enabled: false           # Enable/Disable the image scan pipeline (true/false)
-  syftFilename: "syft-sbom-report.json" # Filename for the syft sbom report (e.g. syft-sbom-report.json)
-  grypeConfigFilename: "" # Filename for the grype config (e.g. grype-config.json)
+  enabled: false                                        # Enable/Disable the image scan pipeline (true/false)
+  syftFilename: "syft-sbom-report.json"                 # Filename for the syft sbom report (e.g. syft-sbom-report.json)
+  grypeConfigFilename: ""                               # Filename for the grype config (e.g. grype-config.json)
   grypeFilename: "grype-vulnerability-report-full.json" # Filename for the grype vulnerability report (e.g. grype-vulnerability-report-full.json)
-  clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
+  clamavFilename: "clamav-virus-report.txt"             # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
 
 # Code Scan Configuration
 codeScan:
-  enabled: true           # Enable/Disable the code scan pipeline (true/false)
+  enabled: true                               # Enable/Disable the code scan pipeline (true/false)
   gitleaksFilename: "gitleaks-secrets-report.json"
   gitleaksSrcDir: "."
   semgrepFilename: "semgrep-sast-report.json" # Filename for the semgrep sast report (e.g. semgrep-sast-report.json)
-  semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
-  semgrepExperimental: false # Whether to use experimental semgrep rules (true/false)
-  coverageFile: "" #"coverage/cobertura-coverage.xml"      # Externally generated code coverage file
-  semgrepSrcDir: "."    # Target directory for semgrep scan (e.g. ./cmd/portage)
+  semgrepRules: "p/default"                   # Semgrep rules to use (e.g. p/default)
+  # This is overridden in the portage Dockerfile, but is set to false here for runs on local systems
+  # where the standard Python semgrep is installed
+  semgrepExperimental: false                  # Whether to use the experimental semgrep CLI (true/false)
+  coverageFile: ""                            # "coverage/cobertura-coverage.xml" # Externally generated code coverage file
+  semgrepSrcDir: "."                          # Target directory for semgrep scan (e.g. ./cmd/portage)
 
 # Image Publish Configuration
 imagePublish:
@@ -42,9 +45,8 @@ imagePublish:
 
 # Deploy Configuration
 deploy:
-  enabled: true           # Enable/Disable the deploy pipeline (true/false).  When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
-  gatecheckConfigFilename: ".custom-gatecheck.yml"  # Filename for gatecheck config (e.g. gatecheck-config.json)
-  submit: false            # Whether to submit the artifacts to the configured API endpoint (true/false)
+  enabled: false                                   # Enable/Disable the deploy pipeline (true/false).  When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
+  gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
   successWebhooks:
-    - url: "http://localhost:5168/Build/SubmitArtifacts"  # Using the same endpoint from .custom-gatecheck.yml for consistency
-      authorizationVar: "DEPLOY_WEBHOOK_AUTH_HEADER"  # Environment variable containing the auth token
+    - url: "https://belay-api.dev.holomuatech.online/Build/SubmitArtifacts"  # Using the same endpoint from .custom-gatecheck.yml for consistency
+      authorizationVar: "DEPLOY_WEBHOOK_AUTH_TOKEN"  # Environment variable containing the auth token
diff --git a/pkg/archive/bundle.go b/pkg/archive/bundle.go
@@ -50,7 +50,7 @@ type GitContext struct {
 	CommitMessage string          `json:"commitMessage"`
 	Status        []GitFileStatus `json:"status"`
 	Branch        string          `json:"branch"`
-	Owner         string          `json:"owner"`
+	Remote        string          `json:"remote"`
 }
 
 type GitFileStatus struct {
@@ -113,14 +113,13 @@ func GetContext() (*GitContext, error) {
 	slog.Debug("got git commit hash", "hash", strings.TrimSpace(string(commitHash)))
 
 	// Get repository owner from remote URL
+	// TODO: make the name of the default remote configurable, use "origin" as the default
 	gitCmd = exec.Command("git", "remote", "get-url", "origin")
 	remoteURL, err := gitCmd.Output()
 	if err != nil {
 		slog.Error("failed to get remote URL", "error", err)
 		return nil, fmt.Errorf("failed to get remote URL: %w", err)
 	}
-	owner := extractOwnerFromURL(string(remoteURL))
-	slog.Debug("got repository owner", "owner", owner)
 
 	gitCmd = exec.Command("git", "show", "-s", "--format=%cI%n%B", "HEAD")
 	commitDateAndMessageBytes, err := gitCmd.Output()
@@ -183,7 +182,7 @@ func GetContext() (*GitContext, error) {
 		CommitMessage: strings.TrimSpace(commitMessage),
 		Status:        gitFileStatuses,
 		Branch:        strings.TrimSpace(string(branchName)),
-		Owner:         owner,
+		Remote:        string(remoteURL),
 	}, nil
 }
 
@@ -493,29 +492,3 @@ func UntarGzipBundle(src io.Reader, bundle *Bundle) error {
 
 	return nil
 }
-
-// extractOwnerFromURL extracts the owner (user or org) from a git remote URL
-func extractOwnerFromURL(url string) string {
-	url = strings.TrimSpace(url)
-
-	// Handle SSH URLs like git@github.com:owner/repo.git
-	if strings.HasPrefix(url, "git@") {
-		parts := strings.Split(url, ":")
-		if len(parts) > 1 {
-			ownerRepo := strings.Split(parts[1], "/")
-			if len(ownerRepo) > 0 {
-				return strings.TrimSpace(ownerRepo[0])
-			}
-		}
-	}
-
-	// Handle HTTPS URLs like https://github.com/owner/repo.git
-	parts := strings.Split(url, "/")
-	for i, part := range parts {
-		if strings.Contains(part, "github.com") && i+1 < len(parts) {
-			return strings.TrimSpace(parts[i+1])
-		}
-	}
-
-	return ""
-}
