Merge pull request #1945 from fridex/refresh-scorecards

Run prescriptions-refresh-job for Security Scorecards

prescriptions-refresh-job/base/argo-workflows/prescriptions-refresh-scorecards.yaml

@@ -0,0 +1,78 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: WorkflowTemplate
+metadata:
+  name: prescriptions-refresh-scorecards
+spec:
+  templates:
+    - name: scorecards
+      resubmitPendingPods: true
+      container:
+        name: scorecards
+        image: prescriptions-refresh-job
+        env:
+          - name: SENTRY_DSN
+            valueFrom:
+              secretKeyRef:
+                name: thoth
+                key: sentry-dsn
+          - name: GIT_SSH_COMMAND
+            # Needed to keep weak host verification for git clone.
+            value: "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+          - name: THOTH_DEPLOYMENT_NAME
+            valueFrom:
+              configMapKeyRef:
+                name: thoth
+                key: deployment-name
+          - name: APP_SCRIPT
+            value: app.sh
+          - name: THOTH_PRESCRIPTIONS_REFRESH_RANDOMIZE
+            value: "1"
+          - name: THOTH_PRESCRIPTIONS_REFRESH_SUBCOMMAND
+            value: scorecards
+          - name: GITHUB_PRIVATE_KEY_PATH
+            value: /opt/app-root/src/.github/github-privatekey
+          - name: THOTH_LOGGING_NO_JSON
+            valueFrom:
+              configMapKeyRef:
+                name: thoth
+                key: logging-no-json
+          - name: THOTH_PRESCRIPTIONS_REFRESH_GITHUB_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: kebechet
+                key: github-oauth-token
+          - name: GITHUB_APP_ID
+            valueFrom:
+              secretKeyRef:
+                name: kebechet
+                key: GITHUB_APP_ID
+          - name: THOTH_PRESCRIPTIONS_REFRESH_GITHUB_LABELS
+            value: bot
+          - name: THOTH_PRESCRIPTIONS_REFRESH_REPO
+            value: [email protected]:thoth-station/prescriptions.git
+          - name: THOTH_PRESCRIPTIONS_REFRESH_DEBUG
+            value: "1"
+          - name: PROMETHEUS_PUSHGATEWAY_HOST
+            valueFrom:
+              configMapKeyRef:
+                key: pushgateway-host
+                name: prometheus
+          - name: PROMETHEUS_PUSHGATEWAY_PORT
+            valueFrom:
+              configMapKeyRef:
+                key: pushgateway-port
+                name: prometheus
+        resources:
+          limits:
+            cpu: 250m
+            memory: 256Mi
+          requests:
+            cpu: 250m
+            memory: 256Mi
+        volumeMounts:
+          - name: ssh-config
+            mountPath: /opt/app-root/src/.ssh
+          - name: github-app-privatekey
+            mountPath: /opt/app-root/src/.github/
+            readOnly: true

prescriptions-refresh-job/base/argo-workflows/prescriptions-refresh.yaml

@@ -83,3 +83,9 @@ spec:
                 template: gh-release-notes
               continueOn:
                 failed: true
+            - name: scorecards
+              templateRef:
+                name: prescriptions-refresh-scorecards
+                template: scorecards
+              continueOn:
+                failed: true

prescriptions-refresh-job/base/kustomization.yaml

@@ -6,5 +6,6 @@ commonLabels:
   app.kubernetes.io/managed-by: aicoe-thoth-devops
 resources:
   - argo-workflows/prescriptions-refresh-gh.yaml
+  - argo-workflows/prescriptions-refresh-scorecards.yaml
   - argo-workflows/prescriptions-refresh.yaml
   - imagestream.yaml