build(deps): Bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 (#1523) (#1527)

Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.29.0 to 0.30.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@0.29.0...0.30.0)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: marcofranssen

.github/workflows/main.yaml

@@ -8,6 +8,7 @@ on:
     tags:
       - 'v*'
     paths:
+      - ".github/workflows/main.yaml"
       - ".github/workflows/build-op-image.yaml"
       - "apis/**"
       - "cmd/**"
@@ -16,6 +17,7 @@ on:
       - "manifests/setup/setup.yaml"
       - "tests/**"
       - "pkg/**"
+      - "**/*.sh"
       - "Makefile"
       - "go.mod"
       - "go.sum"
@@ -24,6 +26,7 @@ on:
       - 'master'
       - 'release-*'
     paths:
+      - ".github/workflows/main.yaml"
       - ".github/workflows/build-op-image.yaml"
       - "apis/**"
       - "cmd/**"
@@ -32,6 +35,7 @@ on:
       - "manifests/setup/setup.yaml"
       - "tests/**"
       - "pkg/**"
+      - "**/*.sh"
       - "Makefile"
       - "go.mod"
       - "go.sum"
@@ -54,6 +58,9 @@ jobs:
           go-version-file: go.mod
           cache-dependency-path: go.sum
 
+      - name: Check shell scripts
+        run: make shellcheck
+
       - name: Go mod
         run: |
           export PATH=$PATH:$(go env GOPATH)/bin

Makefile

@@ -47,6 +47,9 @@ help: ## Display this help.
 
 ##@ Development
 
+shellcheck:
+	@find . -type f -name *.sh -exec docker run --rm -v $(shell pwd):/mnt koalaman/shellcheck:stable {} +
+
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./apis/fluentbit/..." output:crd:artifacts:config=config/crd/bases
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./apis/fluentd/..." output:crd:artifacts:config=config/crd/bases
@@ -69,7 +72,7 @@ ENVTEST_ASSETS_DIR=$(shell pwd)/testbin
 
 install-setup-envtest: ## Install the setup-envtest tool if it is not already installed
 	if ! command -v setup-envtest &> /dev/null; then \
-	    go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest; \
+		go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest; \
 	fi
 
 setup-envtest: install-setup-envtest ## Download and set up the envtest binary

cmd/fluent-watcher/hooks/post-hook.sh

@@ -9,7 +9,7 @@ set -e
 
 HOST_ARCH=$(uname -m)
 
-if [ x"${HOST_ARCH}" == x"aarch64" ]; then
+if [ "${HOST_ARCH}" == "aarch64" ]; then
     echo "Building arm64 image natively"
     exit
 fi

cmd/upgrade/upgrade.sh

@@ -8,52 +8,53 @@ function error_exit {
 }
 
 function migrate(){
-## Converting an existing configuration to a new one
-local oldKind=$1
-local newKind=$2
-local list=$(kubectl get  $oldKind.logging.kubesphere.io -A -o json) || error_exit "Cannot get resource $oldKind"
-local name=($(echo $list | jq -r '.items[].metadata.name | @json'))
-local labels=($(echo $list | jq -r '.items[].metadata.labels | @json'))
-local spec=($(echo $list | jq -r '.items[].spec | @json'))
-local ns=($(echo $list | jq -r '.items[].metadata.namespace | @json'))
-local size=${#spec[*]}
-echo "Number of original $oldKind configuration files:$size"
-for((i=0;i<${size};i++));do
-if [[ "${kind}" = "fluentbits" ]]; then
-cluster_resource_list[i]="{
-\"apiVersion\": \"fluentbit.fluent.io/v1alpha2\",
-\"kind\": \"${newKind}\",
-\"metadata\": {
-\"name\": ${name[i]},
-\"labels\": ${labels[i]},
-\"namespace\": \"${ns}\"
-},
-\"spec\": ${spec[i]}
-}"
-else
-cluster_resource_list[i]="{
-\"apiVersion\": \"fluentbit.fluent.io/v1alpha2\",
-\"kind\": \"${kind}\",
-\"metadata\": {
-\"name\": ${name[i]},
-\"labels\": ${labels[i]}
-},
-\"spec\": ${spec[i]}
-}"
-fi
-done
+  ## Converting an existing configuration to a new one
+  local list name labels spec ns size
+  local oldKind=$1
+  local newKind=$2
+  list=$(kubectl get "$oldKind.logging.kubesphere.io" -A -o json) || error_exit "Cannot get resource $oldKind"
+  mapfile -t name < <(echo "$list" | jq -r '.items[].metadata.name | @json')
+  mapfile -t labels < <(echo "$list" | jq -r '.items[].metadata.labels | @json')
+  mapfile -t spec < <(echo "$list" | jq -r '.items[].spec | @json')
+  mapfile -t ns < <(echo "$list" | jq -r '.items[].metadata.namespace | @json')
+  size=${#spec[*]}
+  echo "Number of original $oldKind configuration files:$size"
+  for ((i=0; i < size; i++)); do
+  if [[ "$newKind" = "fluentbits" ]]; then
+    cluster_resource_list[i]="{
+    \"apiVersion\": \"fluentbit.fluent.io/v1alpha2\",
+    \"kind\": \"${newKind}\",
+    \"metadata\": {
+    \"name\": ${name[i]},
+    \"labels\": ${labels[i]},
+    \"namespace\": \"${ns[i]}\"
+    },
+    \"spec\": ${spec[i]}
+    }"
+  else
+    cluster_resource_list[i]="{
+    \"apiVersion\": \"fluentbit.fluent.io/v1alpha2\",
+    \"kind\": \"${oldKind}\",
+    \"metadata\": {
+    \"name\": ${name[i]},
+    \"labels\": ${labels[i]}
+    },
+    \"spec\": ${spec[i]}
+    }"
+  fi
+  done
 
-## Uninstall the fluentbit-operator and the original configuration
-for((i=0;i<${size};i++));do
-echo "${name[i]}"
-  temp=$(echo ${name[i]} | sed 's/"//g')
-  echo "$temp"
-   kubectl delete  $oldKind.logging.kubesphere.io $temp -n ${namespace}
-done
+  ## Uninstall the fluentbit-operator and the original configuration
+  for ((i=0; i < size; i++)); do
+  echo "${name[i]}"
+    temp="${name[i]//\"/}"
+    echo "$temp"
+    kubectl delete "$oldKind.logging.kubesphere.io" "$temp" -n ${namespace}
+  done
 
-for((i=0;i<${size};i++));do
-echo ${cluster_resource_list[i]} | kubectl apply -f - || error_exit "Cannot apply resource $oldKind"
-done
+  for ((i=0; i<size; i++)); do
+    kubectl apply -f "${cluster_resource_list[i]}" || error_exit "Cannot apply resource $oldKind"
+  done
 }
 
 migrate "Input" "ClusterInput"
@@ -65,15 +66,15 @@ migrate "FluentBit" "FluentBit"
 
 # Determine if Deployment exists
 if kubectl get deployment -n $namespace $FluentbitOperator >/dev/null 2>&1; then
-    # Delete Deployment if it exists
-    kubectl delete deployment -n $namespace $FluentbitOperator
-    kubectl delete clusterrolebinding kubesphere:operator:fluentbit-operator
-    kubectl delete clusterrole kubesphere:operator:fluentbit-operator
-    kubectl delete serviceaccount fluentbit-operator -n $namespace
-    echo "Deployment $FluentbitOperator deleted"
+  # Delete Deployment if it exists
+  kubectl delete deployment -n $namespace $FluentbitOperator
+  kubectl delete clusterrolebinding kubesphere:operator:fluentbit-operator
+  kubectl delete clusterrole kubesphere:operator:fluentbit-operator
+  kubectl delete serviceaccount fluentbit-operator -n $namespace
+  echo "Deployment $FluentbitOperator deleted"
 else
-    # If it does not exist, output the message
-    echo "Deployment $FluentbitOperator does not exist"
+  # If it does not exist, output the message
+  echo "Deployment $FluentbitOperator does not exist"
 fi
 
 ## Delete the old crd

hack/update-codegen.sh

@@ -10,38 +10,39 @@ SCRIPT_ROOT=$(git rev-parse --show-toplevel)
 
 # Grab code-generator version from go.sum.
 CODEGEN_VERSION=$(grep 'k8s.io/code-generator' go.sum | awk '{print $2}' | head -1 |cut -b 1-7)
-CODEGEN_PKG=$(echo `go env GOPATH`"/pkg/mod/k8s.io/code-generator@${CODEGEN_VERSION}")
+CODEGEN_PKG="$(go env GOPATH)/pkg/mod/k8s.io/code-generator@${CODEGEN_VERSION}"
 
 # code-generator does work with go.mod but makes assumptions about
 # the project living in `$GOPATH/src`. To work around this and support
 # any location; create a temporary directory, use this as an output
 # base, and copy everything back once generated.
 TEMP_DIR=$(mktemp -d)
 cleanup() {
-    echo ">> Removing ${TEMP_DIR}"
-    rm -rf ${TEMP_DIR}
+  echo ">> Removing ${TEMP_DIR}"
+  rm -rf "$TEMP_DIR"
 }
 trap "cleanup" EXIT SIGINT
 
 echo ">> Temporary output directory ${TEMP_DIR}"
 
 # Ensure we can execute.
-chmod +x ${CODEGEN_PKG}/kube_codegen.sh 
+chmod +x "${CODEGEN_PKG}/kube_codegen.sh"
 
 PACKAGE_PATH_BASE="github.com/fluent/fluent-operator/v3"
 
 mkdir -p "${TEMP_DIR}/${PACKAGE_PATH_BASE}/apis/fluentbit" \
          "${TEMP_DIR}/${PACKAGE_PATH_BASE}/apis/fluentd" \
          "${TEMP_DIR}/${PACKAGE_PATH_BASE}/apis/generated"
 
-source ${CODEGEN_PKG}/kube_codegen.sh kube::codegen::gen_client \
-    --output-dir "${TEMP_DIR}" \
+# shellcheck source=/dev/null
+source "${CODEGEN_PKG}/kube_codegen.sh" kube::codegen::gen_client \
+    --output-dir "$TEMP_DIR" \
     --with-watch \
     --output-pkg "${PACKAGE_PATH_BASE}/apis/generated" \
     --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
     ./apis
 
-ls -lha $TEMP_DIR
+ls -lha "$TEMP_DIR"
 
 # Copy everything back.
-cp -r "${TEMP_DIR}/${PACKAGE_PATH_BASE}/." "${SCRIPT_ROOT}" 
+cp -r "${TEMP_DIR}/${PACKAGE_PATH_BASE}/." "$SCRIPT_ROOT"

hack/update-helm-package.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -6,4 +8,8 @@ FLUENT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd -P)"
 FLUENT_HELM_DIR=${FLUENT_ROOT}/charts/fluent-operator
 _tmpdir=/tmp/fluent-operator
 
-cd $FLUENT_HELM_DIR && helm package . -d ${_tmpdir} > /dev/null && mv ${_tmpdir}/*.tgz $FLUENT_HELM_DIR/../fluent-operator.tgz && rm -rf "${_tmpdir}"
+pushd "$FLUENT_HELM_DIR" >/dev/null
+helm package . -d ${_tmpdir} > /dev/null
+mv ${_tmpdir}/*.tgz "$FLUENT_HELM_DIR/../fluent-operator.tgz"
+rm -rf "${_tmpdir}"
+popd >/dev/null

hack/verify-codegen.sh

@@ -8,15 +8,14 @@ set -o pipefail
 
 SCRIPT_ROOT=$(git rev-parse --show-toplevel)
 
-
 DIFFROOT="${SCRIPT_ROOT}/apis"
 TMP_DIFFROOT="${SCRIPT_ROOT}/_tmp/apis"
 
 _tmp="${SCRIPT_ROOT}/_tmp"
 
 cleanup() {
     echo ">> Removing ${_tmp}"
-    rm -rf ${_tmp}
+    rm -rf "${_tmp}"
 }
 trap "cleanup" EXIT SIGINT
 
@@ -36,4 +35,4 @@ then
 else
   echo "${DIFFROOT} is out of date. Please rerun make generate"
   exit 1
-fi
+fi

hack/verify-crds.sh

@@ -4,7 +4,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-SCRIPT_ROOT=$(dirname "${BASH_SOURCE}")/..
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 CRD_OPTIONS="crd:generateEmbeddedObjectMeta=true,allowDangerousTypes=true"
 
 DIFFROOT="${SCRIPT_ROOT}/config/crd/bases/"
@@ -21,8 +21,8 @@ cleanup
 mkdir -p "${TMP_DIFFROOT}"
 cp -a "${DIFFROOT}"/* "${TMP_DIFFROOT}"
 
-./bin/controller-gen $CRD_OPTIONS rbac:roleName=manager-role webhook paths="./apis/fluentbit/..." output:crd:artifacts:config=config/crd/bases/
-./bin/controller-gen $CRD_OPTIONS rbac:roleName=manager-role webhook paths="./apis/fluentd/..." output:crd:artifacts:config=config/crd/bases/
+./bin/controller-gen "$CRD_OPTIONS" rbac:roleName=manager-role webhook paths="./apis/fluentbit/..." output:crd:artifacts:config=config/crd/bases/
+./bin/controller-gen "$CRD_OPTIONS" rbac:roleName=manager-role webhook paths="./apis/fluentd/..." output:crd:artifacts:config=config/crd/bases/
 echo "diffing ${DIFFROOT} against freshly generated crds"
 ret=0
 diff -Naupr "${DIFFROOT}" "${TMP_DIFFROOT}" || ret=$?

hack/verify-helm-package.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/env bash
+
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -8,9 +10,14 @@ _tmpdir=/tmp/fluent-operator
 
 function verify:package:helm:files {
     mkdir -p ${_tmpdir}
-    cd $FLUENT_HELM_DIR && helm package . -d ${_tmpdir} > /dev/null && mv ${_tmpdir}/*.tgz ${_tmpdir}/fluent-operator.tgz
-    helm_checksum=$(tar -xOzf ${FLUENT_HELM_DIR}/../fluent-operator.tgz | sort | sha1sum | awk '{ print $1 }')
-    temp_helm_checksum=$(tar -xOzf ${_tmpdir}/fluent-operator.tgz | sort | sha1sum | awk '{ print $1 }')
+
+    pushd "$FLUENT_HELM_DIR" >/dev/null
+    helm package . -d ${_tmpdir} > /dev/null
+    mv ${_tmpdir}/*.tgz "${_tmpdir}/fluent-operator.tgz"
+    helm_checksum=$(tar -xOzf "${FLUENT_HELM_DIR}/../fluent-operator.tgz" | sort | sha1sum | awk '{ print $1 }')
+    temp_helm_checksum=$(tar -xOzf "${_tmpdir}/fluent-operator.tgz" | sort | sha1sum | awk '{ print $1 }')
+    popd >/dev/null
+
     if [ "$helm_checksum" != "$temp_helm_checksum" ]; then
       echo "Helm package fluent-operator.tgz not updated or the helm chart is not expected."
       echo "Please run:  make update-helm-package"
@@ -23,7 +30,6 @@ function cleanup {
   rm -rf "${_tmpdir}"
 }
 
-trap "cleanup" EXIT SIGINT
+trap cleanup EXIT SIGINT
 
 verify:package:helm:files
-cleanup