Scaffolding

.github/workflows/release.yml.template

@@ -0,0 +1,111 @@
+on:
+  push:
+    branches:
+    - main
+    - master
+    tags:
+    - 'v*'
+
+name: Publish Wasm module
+
+jobs:
+  test:
+    name: Test Suite
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: test
+
+  build:
+    name: Build and publish policy
+    runs-on: ubuntu-latest
+    needs: test
+    env:
+      WASM_BINARY_NAME: readonly_root_filesystem_psp_policy
+      OCI_TARGET: ghcr.io/kubewarden/policies/readonly-root-filesystem-psp-policy
+      METADATA_FILE: metadata.yml
+      KWCTL_VERSION: v0.1.9
+    steps:
+      -
+        name: Checkout code
+        uses: actions/checkout@v2
+      -
+        name: Prepare Rust environment
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          target: wasm32-unknown-unknown
+      -
+        name: Download kwctl
+        run: |
+          curl -L https://github.com/kubewarden/kwctl/releases/download/${{env.KWCTL_VERSION}}/kwctl-linux-amd64.zip -o kwctl.zip
+          unzip kwctl.zip
+          chmod 755 kwctl
+      -
+        name: Build Wasm module
+        uses: actions-rs/cargo@v1
+        with:
+          command: build
+          args: --target=wasm32-unknown-unknown --release
+      -
+        name: Annotate Wasm module
+        run: |
+          ./kwctl annotate -m ${{ env.METADATA_FILE }} -o policy-annotated.wasm target/wasm32-unknown-unknown/release/${WASM_BINARY_NAME}.wasm
+
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Publish Wasm policy artifact to OCI registry with the 'latest' tag
+        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        run: |
+          ./kwctl push policy-annotated.wasm ${{ env.OCI_TARGET }}:latest
+      -
+        name: Publish Wasm policy artifact to OCI registry with the version tag and 'latest'
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          export OCI_TAG=$(echo $GITHUB_REF | sed -e "s|refs/tags/||")
+          ./kwctl push policy-annotated.wasm ${{ env.OCI_TARGET }}:${OCI_TAG}
+      -
+        name: Create Release
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: false
+      -
+        name: Upload Release Asset
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: policy-annotated.wasm
+          asset_name: policy.wasm
+          asset_content_type: application/wasm
+      -
+        name: Notify policy-hub
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: kubewarden/notify-policy-hub@main
+        with:
+          USERNAME: chimera-kube-bot
+          PAT: ${{ secrets.WORKFLOW_PAT }}

.github/workflows/test.yml

@@ -0,0 +1,59 @@
+on: [push, pull_request]
+name: Continuous integration
+jobs:
+  check:
+    name: Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: check
+  test:
+    name: Test Suite
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - uses: actions-rs/cargo@v1
+        with:
+          command: test
+  fmt:
+    name: Rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - run: rustup component add rustfmt
+      - uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --all -- --check
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+      - run: rustup component add clippy
+      - uses: actions-rs/cargo@v1
+        with:
+          command: clippy
+          args: -- -D warnings

.gitignore

@@ -0,0 +1,8 @@
+/target
+
+
+# Added by cargo
+#
+# already existing elements were commented out
+
+#/target

Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "readonly-root-filesystem-psp-policy"
+version = "0.1.0"
+authors = ["Flavio Castelli <[email protected]>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+k8s-openapi = { version = "0.11.0", features = ["v1_20"] }
+kubewarden-policy-sdk = "0.2.3"
+lazy_static = "1.4"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+slog = "2.7"
+wapc-guest = "0.4.0"