NVIDIA · ArangoGutierrez · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -0,0 +1,39 @@
+# Copyright 2025 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: CI Pipeline
+
+on:
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+      - main
+      - release-*
+
+jobs:
+    code-scanning:
+      uses: ./.github/workflows/code_scanning.yaml
+
+    golang:
+      uses: ./.github/workflows/golang.yaml
+
+    image:
+      uses: ./.github/workflows/image.yaml
+      needs: [golang, code-scanning]
+      secrets: inherit
+
+    e2e-test:
+      needs: golang
+      secrets: inherit
+      uses: ./.github/workflows/e2e.yaml
@@ -15,17 +15,14 @@
 name: "CodeQL"
 
 on:
+  workflow_call: {}
   pull_request:
     types:
       - opened
       - synchronize
     branches:
       - main
       - release-*
-  push:
-    branches:
-      - main
-      - release-*
   schedule:
     - cron: '31 11 * * 4'
 

@@ -15,14 +15,20 @@
 name: End-to-end Tests
 
 on:
-  workflow_run:
-    workflows: [Go]
-    types:
-      - completed
-    branches:
-      - "pull-request/[0-9]+"
-      - main
-      - release-*
+  workflow_call:
+    secrets:
+      AWS_ACCESS_KEY_ID:
+        required: true
+      AWS_SECRET_ACCESS_KEY:
+        required: true
+      AWS_SSH_KEY:
+        required: true
+      E2E_SSH_USER:
+        required: true
+      SLACK_BOT_TOKEN:
+        required: true
+      SLACK_CHANNEL_ID:
+        required: true
 
 jobs:
   e2e-test:

@@ -0,0 +1,78 @@
+## Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.## 
+## Licensed under the Apache License, Version 2.0 (the "License");
+## you may not use this file except in compliance with the License.
+## You may obtain a copy of the License at
+##
+##     http://www.apache.org/licenses/LICENSE-2.0 
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## 
+
+name: Go
+
+on:
+  workflow_call: {}
+  pull_request:
+    types:
+      - opened
+      - synchronize
+    branches:
+      - main
+      - release-*
+
+jobs:
+  variables:
+    runs-on: ubuntu-latest
+    outputs: 
+      GOLANG_VERSION: ${{ steps.go_version.outputs.GOLANG_VERSION }}
+    steps:
+    - uses: actions/checkout@v4
+      name: Checkout code
+
+    - name: Get Golang version
+      id: go_version
+      run: |
+        GOLANG_VERSION=$(./hack/golang-version.sh)
+        echo "GOLANG_VERSION=${GOLANG_VERSION##GOLANG_VERSION := }" >> $GITHUB_OUTPUT
+
+  check:
+    runs-on: ubuntu-latest
+    needs: variables
+    steps:
+    - uses: actions/checkout@v4
+      name: Checkout code
+
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ needs.variables.outputs.GOLANG_VERSION }}
+
+    - name: Lint
+      uses: golangci/golangci-lint-action@v6
+      with:
+        version: latest
+        args: -v --timeout 5m
+        skip-cache: true
+
+    - name: Check golang modules
+      run: | 
+        make check-modules
+
+  build:
+    name: Build
+    needs: variables
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ needs.variables.outputs.GOLANG_VERSION }}
+
+      - run: make build-cli
@@ -15,16 +15,7 @@
 name: Image
 
 on:
-  pull_request:
-    branches:
-      - 'main'
-      - 'release-*'
-  push:
-    tags:
-      - 'v*.*.*'  
-    branches:
-      - 'main'
-      - 'release-*'
+  workflow_call:
 
 jobs:
   docker:

@@ -1,4 +1,4 @@
-name: AWS Periodic Cleanup
+name: Periodic actions
 
 on:
   schedule:

@@ -0,0 +1,22 @@
+run:
+  timeout: 10m
+
+linters:
+  enable:
+    - contextcheck
+    - errcheck
+    - gocritic
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - staticcheck
+    - unconvert
+  disable: []
+
+linters-settings:
+  goimports:
+    local-prefixes: github.com/NVIDIA/holodeck
@@ -8,7 +8,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-.PHONY: build fmt verify release
+.PHONY: build fmt verify release lint vendor mod-tidy mod-vendor mod-verify check-vendor
 
 GO_CMD ?= go
 GO_FMT ?= gofmt
@@ -27,6 +27,44 @@ IMAGE_TAG := $(IMAGE_REPO):$(IMAGE_TAG_NAME)
 
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 
+# Apply go fmt to the codebase
+fmt:
+	go list -f '{{.Dir}}' $(MODULE)/... \
+		| xargs gofmt -s -l -w
+
+goimports:
+	go list -f {{.Dir}} $(MODULE)/... \
+		| xargs goimports -local $(MODULE) -w
+
+lint:
+	golangci-lint run ./...
+
+mod-tidy:
+	@for mod in $$(find . -name go.mod); do \
+	    echo "Tidying $$mod..."; ( \
+	        cd $$(dirname $$mod) && go mod tidy \
+            ) || exit 1; \
+	done
+
+mod-verify:
+	@for mod in $$(find . -name go.mod); do \
+	    echo "Verifying $$mod..."; ( \
+	        cd $$(dirname $$mod) && go mod verify | sed 's/^/  /g' \
+	    ) || exit 1; \
+	done
+
+mod-vendor: mod-tidy
+	@for mod in $$(find . -name go.mod -not -path "./deployments/*"); do \
+	    echo "Vendoring $$mod..."; ( \
+	        cd $$(dirname $$mod) && go mod vendor \
+	    ) || exit 1; \
+	done
+
+vendor: mod-vendor
+
+check-modules: | mod-tidy mod-verify mod-vendor
+	git diff --quiet HEAD -- $$(find . -name go.mod -o -name go.sum -o -name vendor)
+
 build-action:
 	@rm -rf bin
 	GOOS=linux $(GO_CMD) build -o /go/bin/$(BINARY_NAME) cmd/action/main.go

@@ -17,8 +17,9 @@
 package ci
 
 import (
+	"crypto/rand"
 	"fmt"
-	"math/rand"
+	"log"
 	"os"
 
 	"github.com/NVIDIA/holodeck/api/holodeck/v1alpha1"
@@ -57,7 +58,7 @@ func Run(log *logger.FunLogger) error {
 		log.Info("Environment condition is Terminated no need to run Holodeck")
 		return nil
 	} else if err != nil {
-		log.Warning(err.Error())
+		log.Warning("%s", err.Error())
 	}
 	if err := cleanup(log); err != nil {
 		return err
@@ -138,10 +139,15 @@ func setCfgName(cfg *v1alpha1.Environment) {
 
 func generateUID() string {
 	const charset = "abcdefghijklmnopqrstuvwxyz0123456789"
-
 	b := make([]byte, 8)
+
+	_, err := rand.Read(b)
+	if err != nil {
+		log.Fatalf("failed to generate secure random UID: %v", err)
+	}
+
 	for i := range b {
-		b[i] = charset[rand.Intn(len(charset))]
+		b[i] = charset[int(b[i])%len(charset)]
 	}
 
 	return string(b)

@@ -26,9 +26,9 @@
 	"github.com/NVIDIA/holodeck/pkg/jyaml"
 	"github.com/NVIDIA/holodeck/pkg/provider/aws"
 	"github.com/NVIDIA/holodeck/pkg/provisioner"
-	"golang.org/x/crypto/ssh"
 
 	cli "github.com/urfave/cli/v2"
+	"golang.org/x/crypto/ssh"
 )
 
 type options struct {
@@ -143,7 +143,7 @@
 		Auth: []ssh.AuthMethod{
 			ssh.PublicKeys(signer),
 		},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(), // nolint:gosec
 	}
 
 	connectionFailed := false

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Copyright 2024 NVIDIA CORPORATION
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SCRIPTS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )"/../hack && pwd )"
+
+DOCKERFILE_ROOT=${SCRIPTS_DIR}/../deployments/devel
+
+GOLANG_VERSION=$(grep -E "^FROM golang:.*$" ${DOCKERFILE_ROOT}/Dockerfile | grep -oE "[0-9\.]+")
+
+echo $GOLANG_VERSION