Regolibrary v2 - new relelase workflow

[YiscahLevySilas1]

User description

Overview

This PR (together with the fixes in PRs #606 , #607 #608 ) addresses the issue #577.
The create-release workflow will now create a new release with the major tag that will be used in kubescape from now on, maintaining the latest release as it is to support backward compatibility.

---

Type

enhancement, documentation

---

Description

• Introduced a new GitHub Actions workflow for creating and publishing tags, which includes comprehensive testing and artifact handling.
• Removed the old workflow for creating releases without system tests to streamline the release process.
• Updated the release workflow trigger configuration to remove the tag push trigger.
• Removed an outdated attack track related to external workloads with cluster takeover roles to keep the attack tracks relevant and updated.

---

Changes walkthrough

	Relevant files
Enhancement	create-release-v2.yaml Introduce New Release Workflow with Enhanced Testing and Artifact Handling .github/workflows/create-release-v2.yaml Introduced a new GitHub Actions workflow for creating and publishing tags with testing and artifact handling. Includes steps for testing PR checks, building and testing Rego artifacts, running end-to-end tests with Kubescape, and creating a new tag and release. Artifacts are generated, metadata files are stripped of their extensions, and a new release is created with the generated artifacts. Documentation is updated with the latest controls and rules as part of the release process. +183/-0  create-release-without-st.yaml Remove Old Release Workflow Without System Tests                  .github/workflows/create-release-without-st.yaml Removed the workflow for creating releases without system tests. +0/-128
Configuration changes	create-release.yaml Update Release Workflow Trigger Configuration                        .github/workflows/create-release.yaml Removed the trigger for tag pushes from the release workflow. +1/-5
Documentation	external-wl-with-cluster-takeover-roles.json Remove Attack Track for External Workload with Cluster Takeover Roles attack-tracks/external-wl-with-cluster-takeover-roles.json Removed an attack track related to external workloads with cluster takeover roles. +0/-20

---

✨ PR-Agent usage:
Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

[github-actions]

Summary:

• License scan: failure
• Credentials scan: failure
• Vulnerabilities scan: failure
• Unit test: success
• Go linting: success

[codiumai-pr-agent-free]

PR Description updated to latest commit (9c52252)

[codiumai-pr-agent-free]

PR Review

⏱️ Estimated effort to review [1-5]	4, because the PR introduces a significant overhaul of the release workflow, including the addition of new testing and artifact handling steps. The complexity and size of the changes, spanning multiple files and workflows, necessitate a thorough review to ensure correctness, compatibility, and adherence to best practices.
🧪 Relevant tests	Yes
🔍 Possible issues	Missing Failure Handling: The new workflow lacks explicit steps for handling failures in intermediate steps, which could lead to incomplete or erroneous releases.
	Hardcoded Values: The use of hardcoded values (e.g., Go version, Python version) may limit flexibility and future compatibility. Consider using environment variables or parameters for these values.
	Dependency on External Actions: The workflow relies heavily on external GitHub Actions. While this is not inherently problematic, it introduces a dependency on these actions' availability and stability. Ensure that these actions are maintained and consider pinning them to specific versions for reliability.
🔒 Security concerns	No

---

✨ Review tool usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.
When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

Utilizing extra instructions The review tool can be configured with extra instructions, which can be used to guide the model to a feedback tailored to the needs of your project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify the relevant sub-tool, and the relevant aspects of the PR that you want to emphasize. Examples for extra instructions: [pr_reviewer] # /review # extra_instructions=""" In the 'possible issues' section, emphasize the following: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

How to enable\disable automation When you first install PR-Agent app, the default mode for the review tool is: pr_commands = ["/review", ...] meaning the review tool will run automatically on every PR, with the default configuration. Edit this field to enable/disable the tool, or to change the used configurations

Auto-labels The review tool can auto-generate two specific types of labels for a PR: a possible security issue label, that detects possible security issues (enable_review_labels_security flag) a Review effort [1-5]: x label, where x is the estimated effort to review the PR (enable_review_labels_effort flag)

Extra sub-tools The review tool provides a collection of possible feedbacks about a PR. It is recommended to review the possible options, and choose the ones relevant for your use case. Some of the feature that are disabled by default are quite useful, and should be considered for enabling. For example: require_score_review, require_soc2_ticket, require_can_be_split_review, and more.

Auto-approve PRs By invoking: /review auto_approve The tool will automatically approve the PR, and add a comment with the approval. To ensure safety, the auto-approval feature is disabled by default. To enable auto-approval, you need to actively set in a pre-defined configuration file the following: [pr_reviewer] enable_auto_approval = true (this specific flag cannot be set with a command line argument, only in the configuration file, committed to the repository) You can also enable auto-approval only if the PR meets certain requirements, such as that the estimated_review_effort is equal or below a certain threshold, by adjusting the flag: [pr_reviewer] maximal_review_effort = 5

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the review usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-free]

PR Code Suggestions

Category	Suggestions
Best practice	Use specific versions of GitHub Actions to ensure workflow stability. Consider using a more specific version of the actions/checkout and actions/setup-go actions to ensure stability and predictability in your workflow. Using a specific version helps to avoid unexpected changes when new versions of the actions are released. .github/workflows/create-release-v2.yaml [27-33] -- uses: actions/checkout@v2 -- uses: actions/setup-go@v2 +- uses: actions/[email protected] # Use the latest stable version +- uses: actions/[email protected] # Use the latest stable version
	Pin actions to a full length commit SHA for increased workflow reliability. To ensure the reliability of your workflow, consider pinning the actions to a full length commit SHA instead of using tags like @v2 or @main. This prevents potential issues from unexpected changes in actions. .github/workflows/create-release-v2.yaml [17-33] -uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@main -uses: actions/checkout@v2 -uses: actions/setup-go@v2 +uses: kubescape/workflows/.github/workflows/go-basic-tests.yaml@abcdef1234567890abcdef1234567890abcdef12 # Example SHA +uses: actions/checkout@abcdef1234567890abcdef1234567890abcdef12 # Example SHA +uses: actions/setup-go@abcdef1234567890abcdef1234567890abcdef12 # Example SHA
Security	Avoid using sudo in GitHub Actions workflows for better security. It's recommended to avoid using sudo in GitHub Actions workflows when possible, as it can introduce security risks by elevating privileges unnecessarily. Instead, consider using containerized actions or setup actions that do not require sudo. .github/workflows/create-release-v2.yaml [38] -sudo apt update && sudo apt install -y cmake +# Consider using a Docker container or a setup action that installs cmake without needing sudo
Maintainability	Use environment variables for repeated version numbers to simplify updates. To enhance the maintainability of the workflow, consider using environment variables for repeated values such as Go and Python versions. This approach makes it easier to update the versions in one place. .github/workflows/create-release-v2.yaml [19-44] -GO_VERSION: '1.21' -go-version: 1.21 -python-version: 3.10.6 +env: + GO_VERSION: '1.21' + PYTHON_VERSION: '3.10.6' +with: + go-version: ${{ env.GO_VERSION }} + python-version: ${{ env.PYTHON_VERSION }}
Enhancement	Use warn instead of error for if-no-files-found to prevent unnecessary workflow failures. For the if-no-files-found option in the actions/upload-artifact action, consider using warn instead of error to prevent the workflow from failing if no files are found. This can be useful in scenarios where the presence of artifacts is not guaranteed. .github/workflows/create-release-v2.yaml [78] -if-no-files-found: error +if-no-files-found: warn # This will log a warning instead of failing the workflow

---

✨ Improve tool usage guide:

---

Overview:
The improve tool scans the PR code changes, and automatically generates suggestions for improving the PR code. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.
When commenting, to edit configurations related to the improve tool (pr_code_suggestions section), use the following template:

/improve --pr_code_suggestions.some_config1=... --pr_code_suggestions.some_config2=...

With a configuration file, use the following template:

[pr_code_suggestions]
some_config1=...
some_config2=...

Enabling\disabling automation When you first install the app, the default mode for the improve tool is: pr_commands = ["/improve --pr_code_suggestions.summarize=true", ...] meaning the improve tool will run automatically on every PR, with summarization enabled. Delete this line to disable the tool from running automatically.

Utilizing extra instructions Extra instructions are very important for the improve tool, since they enable to guide the model to suggestions that are more relevant to the specific needs of the project. Be specific, clear, and concise in the instructions. With extra instructions, you are the prompter. Specify relevant aspects that you want the model to focus on. Examples for extra instructions: [pr_code_suggestions] # /improve # extra_instructions=""" Emphasize the following aspects: - Does the code logic cover relevant edge cases? - Is the code logic clear and easy to understand? - Is the code logic efficient? ... """ Use triple quotes to write multi-line instructions. Use bullet points to make the instructions more readable.

A note on code suggestions quality While the current AI for code is getting better and better (GPT-4), it's not flawless. Not all the suggestions will be perfect, and a user should not accept all of them automatically. Suggestions are not meant to be simplistic. Instead, they aim to give deep feedback and raise questions, ideas and thoughts to the user, who can then use his judgment, experience, and understanding of the code base. Recommended to use the 'extra_instructions' field to guide the model to suggestions that are more relevant to the specific needs of the project, or use the custom suggestions 💎 tool With large PRs, best quality will be obtained by using 'improve --extended' mode.

More PR-Agent commands To invoke the PR-Agent, add a comment using one of the following commands: /review: Request a review of your Pull Request. /describe: Update the PR title and description based on the contents of the PR. /improve [--extended]: Suggest code improvements. Extended mode provides a higher quality feedback. /ask <QUESTION>: Ask a question about the PR. /update_changelog: Update the changelog based on the PR's contents. /add_docs 💎: Generate docstring for new components introduced in the PR. /generate_labels 💎: Generate labels for the PR based on the PR's contents. /analyze 💎: Automatically analyzes the PR, and presents changes walkthrough for each component. See the tools guide for more details. To list the possible configuration parameters, add a /config comment.

See the improve usage page for a more comprehensive guide on using this tool.

[github-actions]

Summary:

• License scan: failure
• Credentials scan: failure
• Vulnerabilities scan: failure
• Unit test: success
• Go linting: success

[dwertent]

Please confirm this was tested on a different repo :)

[YiscahLevySilas1]

Please confirm this was tested on a different repo :)

yes, excluding some test steps, but the release flow was tested

[github-actions]

Summary:

• License scan: failure
• Credentials scan: failure
• Vulnerabilities scan: failure
• Unit test: success
• Go linting: success

[github-actions]

Summary:

• License scan: failure
• Credentials scan: failure
• Vulnerabilities scan: failure
• Unit test: success
• Go linting: success