
update use of env vars, check dependabot (#3152)

Signed-off-by: Alex Meijer <alexander.meijer@ibm.com>
Alex Meijer 1 рік тому
b601a2ea98

+ 4 - 1
.github/actions/build-container/action.yaml

@@ -52,5 +52,8 @@ runs:
 
       - name: Build and push (multiarch) OpenCost
         shell: bash
+        env:
+          IMAGE_TAG: ${{ inputs.image_tag }}
+          RELEASE_VERSION: ${{ inputs.release_version }}
         run: |
-          just build '${{ inputs.image_tag }}' '${{ inputs.release_version }}'
+          just build '$IMAGE_TAG' '$RELEASE_VERSION'
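Review bot: The single quotes around `'$IMAGE_TAG'` and `'$RELEASE_VERSION'` on the new `just build` line stop bash from expanding them, so `just` now receives the literal strings `$IMAGE_TAG` and `$RELEASE_VERSION` instead of the tag and version. The quotes were protective when the values were substituted by the expression engine before the shell ran, but after the move to `env:` the expansion is bash's job and needs double quotes: `just build "$IMAGE_TAG" "$RELEASE_VERSION"`. The same defect is in the `Copy tags` step of .github/workflows/build-and-publish-release.yml, where `crane copy '$IMAGE_TAG' '$IMAGE_TAG_LATEST'` and the line after it would try to copy an image literally named `$IMAGE_TAG`. The enclosing `runs:` block starts outside the hunk.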

+ 2 - 0
.github/workflows/auto_label_issues.yml

@@ -4,6 +4,8 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   automate-issues-labels:
     runs-on: ubuntu-latest
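Review bot: The new top-level `permissions: {}` strips every scope from `GITHUB_TOKEN`, and this hunk does not show a job-level `permissions:` block restoring what `automate-issues-labels` needs; if that job labels issues with the default token it now requires `permissions: issues: write` on the job, which is not visible here and should be confirmed. The same check applies to the other workflows in this commit that gain `permissions: {}` at the top: label-comments.yml, stale.yml, sonar.yaml, build-test.yaml, build-test-image.yml, build-and-publish-develop.yml, build-and-publish-release.yml, promote-to-demo.yaml and integration-testing.yaml. In particular the jobs pushing to ghcr.io need `packages: write` and the stale job needs `issues: write` and `pull-requests: write` if they rely on the default token rather than a dedicated secret. Deny-by-default at workflow level is the right direction; the point is only that each job's explicit grant should be verified to exist before this merges.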

+ 12 - 4
.github/workflows/build-and-publish-develop.yml

@@ -10,6 +10,8 @@ concurrency:
   group: build-opencost-develop
   cancel-in-progress: false
 
+permissions: {}
+
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
@@ -31,8 +33,11 @@ jobs:
 
       - name: Set OpenCost Image Tags
         id: tags
+        env: 
+          REPO: ${{ github.repository_owner }}
+          SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
         run: |
-          echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:develop-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG=ghcr.io/$REPO/opencost:develop-$SHORTHASH" >> $GITHUB_OUTPUT
 
       - name: Build and publish container
         uses: ./.github/actions/build-container 
@@ -46,12 +51,15 @@ jobs:
         uses: imjasonh/setup-crane@v0.4
 
       - name: Tag and push latest image
+        env:
+          IMAGE_TAG: ${{ steps.tags.outputs.IMAGE_TAG }}
         run: |
           # Extract the repository part (everything before the last colon)
-          REPO=$(echo "${{ steps.tags.outputs.IMAGE_TAG }}" | sed 's/:.*$//')
+          REPO=$(echo "$IMAGE_TAG" | sed 's/:.*$//')
           # Create the new tag
           NEW_TAG="${REPO}:develop-latest"
-          echo "Copying ${{ steps.tags.outputs.IMAGE_TAG }} to ${NEW_TAG}"
-          crane copy "${{ steps.tags.outputs.IMAGE_TAG }}" "${NEW_TAG}"
+          echo "Copying $IMAGE_TAG to ${NEW_TAG}"
+          crane copy "$IMAGE_TAG" "${NEW_TAG}"
+
 
 
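Review bot: `env: ` on the `Set OpenCost Image Tags` step carries a trailing space after the colon, which yamllint's `trailing-spaces` rule rejects; trim it to `env:`. In the `Tag and push latest image` step the repository prefix can be derived without a subshell and `sed` via bash parameter expansion, `REPO="${IMAGE_TAG%:*}"`, which keeps the value quoted; note it strips from the last colon rather than the first, which only differs from the current `sed` when the registry host carries a port. The redirects on the new lines use an unquoted `$GITHUB_OUTPUT`; `>> "$GITHUB_OUTPUT"` is the defensive form. The hunk also adds a second trailing blank line at the end of the file, which yamllint's `empty-lines` rule would flag.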

+ 24 - 9
.github/workflows/build-and-publish-release.yml

@@ -10,6 +10,8 @@ on:
         description: "Version of the release"
         required: true
 
+permissions: {}
+
 concurrency:
   group: build-opencost
   cancel-in-progress: true
@@ -33,10 +35,12 @@ jobs:
 
       - name: Determine Version Number
         id: version_number
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
         run: |
           if [ -z "${TRIGGERED_TAG}" ];
           then
-            version=${{ inputs.release_version }}
+            version=$RELEASE_VERSION
           else
             version=$TRIGGERED_TAG
           fi
@@ -48,14 +52,17 @@ jobs:
           fi
 
       - name: Show Input Values
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
         run: |
-          echo "release version: ${{ inputs.release_version }}"
+          echo "release version: $RELEASE_VERSION"
 
       - name: Make Branch Name
         id: branch
+        env:
+          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
         run: |
-          VERSION_NUMBER=${{ steps.version_number.outputs.RELEASE_VERSION }}
-          echo "BRANCH_NAME=v${VERSION_NUMBER%.*}" >> $GITHUB_OUTPUT
+          echo "BRANCH_NAME=v${RELEASE_VERSION%.*}" >> $GITHUB_OUTPUT
 
       - name: Checkout Repo
         uses: actions/checkout@v4
@@ -69,10 +76,14 @@ jobs:
 
       - name: Set OpenCost Image Tags
         id: tags
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+          RELEASE_VERSION: ${{ steps.version_number.outputs.RELEASE_VERSION }}
+          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
         run: |
-          echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
-          echo "IMAGE_TAG_LATEST=ghcr.io/${{ github.repository_owner }}/opencost:latest" >> $GITHUB_OUTPUT
-          echo "IMAGE_TAG_VERSION=ghcr.io/${{ github.repository_owner }}/opencost:${{ steps.version_number.outputs.RELEASE_VERSION }}" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:$OC_SHORTHASH" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG_LATEST=ghcr.io/$REPO_OWNER/opencost:latest" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG_VERSION=ghcr.io/$REPO_OWNER/opencost:$RELEASE_VERSION" >> $GITHUB_OUTPUT
 
       - name: Build and publish container
         uses: ./.github/actions/build-container 
@@ -93,7 +104,11 @@ jobs:
         uses: imjasonh/setup-crane@v0.4
 
       - name: Copy tags
+        env:
+          IMAGE_TAG: ${{ steps.tags.outputs.IMAGE_TAG }}
+          IMAGE_TAG_LATEST: ${{ steps.tags.outputs.IMAGE_TAG_LATEST }}
+          IMAGE_TAG_VERSION: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
         run: |
-          crane copy '${{ steps.tags.outputs.IMAGE_TAG }}' '${{ steps.tags.outputs.IMAGE_TAG_LATEST }}'
-          crane copy '${{ steps.tags.outputs.IMAGE_TAG }}' '${{ steps.tags.outputs.IMAGE_TAG_VERSION }}'
+          crane copy '$IMAGE_TAG' '$IMAGE_TAG_LATEST'
+          crane copy '$IMAGE_TAG' '$IMAGE_TAG_VERSION'
 

+ 13 - 5
.github/workflows/build-test-image.yml

@@ -7,6 +7,7 @@ on:
     branches:
       - develop
 
+permissions: {}
 
 env:
   REGISTRY: ghcr.io
@@ -26,11 +27,15 @@ jobs:
               organization: opencost
           - name: determine if actor is a maintainer
             id: determine-maintainer
+            env:
+              TEAMS: ${{ join(steps.teamAffiliation.outputs.teams, ',') }}
+              ACTOR: ${{ github.actor }}
+              IS_MAINTAINER: ${{ contains(join(steps.teamAffiliation.outputs.teams, ','), 'OpenCost Maintainers') || github.actor == 'dependabot[bot]' }}
             run: |
-                echo "Actor: ${{ github.actor }}"
-                echo "teams: ${{ join(steps.teamAffiliation.outputs.teams, ',') }}"
-                echo "Is maintainer: ${{ contains(steps.teamAffiliation.outputs.teams, 'OpenCost Maintainers') }}"
-                echo "ismaintainer=${{ contains(steps.teamAffiliation.outputs.teams, 'OpenCost Maintainers') }}" >> $GITHUB_OUTPUT
+                echo "Actor: $ACTOR"
+                echo "teams: $TEAMS"
+                echo "Is maintainer: $IS_MAINTAINER"
+                echo "ismaintainer=$IS_MAINTAINER" >> $GITHUB_OUTPUT
       
   build-and-publish-test-image:
     runs-on: ubuntu-latest
@@ -50,8 +55,11 @@ jobs:
           echo "OC_SHORTHASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Set OpenCost Image Tags
         id: tags
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
         run: |
-          echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:test-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:test-$OC_SHORTHASH" >> $GITHUB_OUTPUT
       - name: Build and publish container
         uses: ./.github/actions/build-container
         with:
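Review bot: `IS_MAINTAINER` is computed with `contains()` over the comma-joined team list, which is a substring test: any team whose name merely includes `OpenCost Maintainers` (a hypothetical `OpenCost Maintainers Emeritus`, for instance) would also pass, and this value gates the `build-and-publish-test-image` job. If `steps.teamAffiliation.outputs.teams` is a JSON array, `contains(fromJSON(steps.teamAffiliation.outputs.teams), 'OpenCost Maintainers')` gives an exact element match; the output format is not visible in the hunk, so confirm it against the action. The `|| github.actor == 'dependabot[bot]'` branch is the "check dependabot" part of the commit; because `github.actor` is whoever triggered the event rather than the PR author, a comment above the step recording why this actor is trusted would help the next reader, e.g. `# dependabot[bot] is trusted here because its PRs come from branches in this repository — confirm`. The identical expression is added to `determine-maintainer` in integration-testing.yaml, where the hunk shows it gating a `pull_request_target` path, so the same exact-match concern applies there with higher stakes.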

+ 2 - 0
.github/workflows/build-test.yaml

@@ -12,6 +12,8 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions: {}
+
 jobs:
   validate-protobuf:
     runs-on: ubuntu-latest

+ 58 - 24
.github/workflows/integration-testing.yaml

@@ -16,6 +16,7 @@ concurrency:
     group: ${{ github.event.merge_group.head.sha || github.event.pull_request.head.sha || github.ref }}-intg-tests
     cancel-in-progress: false
 
+permissions: {}
 jobs:
     check_actor_permissions:
       runs-on: ubuntu-latest
@@ -32,10 +33,14 @@ jobs:
             organization: opencost
         - name: determine if actor is a maintainer
           id: determine-maintainer
+          env:
+            TEAMS: ${{ join(steps.teamAffiliation.outputs.teams, ',') }}
+            ACTOR: ${{ github.actor }}
+            IS_MAINTAINER: ${{ contains(join(steps.teamAffiliation.outputs.teams, ','), 'OpenCost Maintainers') || github.actor == 'dependabot[bot]' }}
           run: |
-              echo "Actor: ${{ github.actor }}"
-              echo "Is maintainer: ${{ contains(steps.teamAffiliation.outputs.teams, 'OpenCost Maintainers') }}"
-              echo "ismaintainer=${{ contains(steps.teamAffiliation.outputs.teams, 'OpenCost Maintainers') }}" >> $GITHUB_OUTPUT
+              echo "Actor: $ACTOR"
+              echo "Is maintainer: $IS_MAINTAINER"
+              echo "ismaintainer=$IS_MAINTAINER" >> $GITHUB_OUTPUT
   
     noop-tests:
         needs: check_actor_permissions
@@ -71,21 +76,26 @@ jobs:
                  echo "OC_SHORTHASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
           - name: Set image tags
             id: set_image_tags
+            env:
+              OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
+              REPO_OWNER: ${{ github.repository_owner }}
+              EVENT_NAME: ${{ github.event_name }}
+              PR_NUMBER: ${{ github.event.pull_request.number }}
             run: |
-                    echo "github.event_name: ${{ github.event_name }}"
-                    if [[ "${{ github.event_name }}" == "merge_group" ]]; then
-                      echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:test-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
-                      echo "NAMESPACE=merge-queue-oc-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+                    echo "github.event_name: $EVENT_NAME"
+                    if [[ "$EVENT_NAME" == "merge_group" ]]; then
+                      echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:test-$OC_SHORTHASH" >> $GITHUB_OUTPUT
+                      echo "NAMESPACE=merge-queue-oc-$OC_SHORTHASH" >> $GITHUB_OUTPUT
                       echo "mainbranch=false" >> $GITHUB_OUTPUT
-                    elif [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+                    elif [[ "$EVENT_NAME" == "pull_request_target" ]]; then
                       echo "building on maintainer pull request branch"
-                      echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:test-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
-                      echo "NAMESPACE=pr-${{ github.event.pull_request.number }}-oc-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+                      echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:test-$OC_SHORTHASH" >> $GITHUB_OUTPUT
+                      echo "NAMESPACE=pr-$PR_NUMBER-oc-$OC_SHORTHASH" >> $GITHUB_OUTPUT
                       echo "mainbranch=false" >> $GITHUB_OUTPUT
                     else
                       echo "building on develop branch"
-                      echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:develop-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
-                      echo "NAMESPACE=develop-oc-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+                      echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:develop-$OC_SHORTHASH" >> $GITHUB_OUTPUT
+                      echo "NAMESPACE=develop-oc-$OC_SHORTHASH" >> $GITHUB_OUTPUT
                       echo "mainbranch=true" >> $GITHUB_OUTPUT
                     fi
 
@@ -98,20 +108,22 @@ jobs:
 
           - name: wait for docker image to be ready
             id: wait_for_image_ready
+            env:
+              IMAGE_TAG: ${{ steps.set_image_tags.outputs.IMAGE_TAG }}
             run: |
                 max_attempts=100
                 # Loop until the Docker image can be pulled
-                until docker manifest inspect ${{ steps.set_image_tags.outputs.IMAGE_TAG }}; do
-                    echo "Waiting for Docker image ${{ steps.set_image_tags.outputs.IMAGE_TAG }} to be available, $max_attempts tries remain..."
+                until docker manifest inspect $IMAGE_TAG; do
+                    echo "Waiting for Docker image $IMAGE_TAG to be available, $max_attempts tries remain..."
                     sleep 6
                     max_attempts=$((max_attempts - 1))
                     if [[ $max_attempts -eq 0 ]]; then
-                        echo "Docker image ${{ steps.set_image_tags.outputs.IMAGE_TAG }} is not available after 10 minutes. Exiting..."
+                        echo "Docker image $IMAGE_TAG is not available after 10 minutes. Exiting..."
                         exit 1
                     fi
                 done
 
-                echo "Docker image ${{ steps.set_image_tags.outputs.IMAGE_TAG }} is ready!"
+                echo "Docker image $IMAGE_TAG is ready!"
                 
                 echo "passed=true" >> $GITHUB_OUTPUT
                 
@@ -131,21 +143,24 @@ jobs:
         permissions: {}
         steps:
           - name: Wait for DNS to resolve
+            id: wait-for-dns
+            env:
+              NAMESPACE: ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}
             run: |
-              echo "Waiting for ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}.infra.opencost.io to resolve in DNS..."
+              echo "Waiting for $NAMESPACE.infra.opencost.io to resolve in DNS..."
               
               max_attempts=60
-              until host ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}.infra.opencost.io; do
-                echo "DNS not yet resolved for ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}.infra.opencost.io, $max_attempts tries remain..."
+              until host $NAMESPACE.infra.opencost.io; do
+                echo "DNS not yet resolved for $NAMESPACE.infra.opencost.io, $max_attempts tries remain..."
                 sleep 10
                 max_attempts=$((max_attempts - 1))
                 if [[ $max_attempts -eq 0 ]]; then
-                  echo "DNS resolution failed for ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}.infra.opencost.io after 10 minutes. Exiting..."
+                  echo "DNS resolution failed for $NAMESPACE.infra.opencost.io after 10 minutes. Exiting..."
                   exit 1
                 fi
               done
               
-              echo "DNS resolved successfully for ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}.infra.opencost.io!"
+              echo "DNS resolved successfully for $NAMESPACE.infra.opencost.io!"
 
     run-tests:
         needs: [wait_for_image_ready, build-test-stack, wait-for-dns]
@@ -157,8 +172,23 @@ jobs:
             namespace: "${{ needs.wait_for_image_ready.outputs.NAMESPACE }}"
             target_branch: "${{ github.event.pull_request.head.ref || 'main' }}"
     
-    teardown-test-stack:
+    hold-on-failure:
         needs: [wait_for_image_ready, run-tests]
+        if: ${{ needs.run-tests.outputs.passed == 'false' }}
+        runs-on: ubuntu-latest
+        permissions: {}
+        steps:
+          - name: Hold stack for investigation
+            env:
+              NAMESPACE: ${{ needs.wait_for_image_ready.outputs.NAMESPACE }}
+            run: |
+              echo "Tests failed. Holding stack up for 1 hour for investigation..."
+              echo "Stack namespace: $NAMESPACE"
+              echo "Stack will be automatically torn down after 1 hour"
+              sleep 3600
+    
+    teardown-test-stack:
+        needs: [wait_for_image_ready, run-tests, hold-on-failure]
         if: ${{ (always() && !cancelled()) && ( github.event.event_name == 'schedule'  || github.event_name == 'push' || github.event_name == 'merge_group' || (github.event_name == 'pull_request_target'  && needs.check_actor_permissions.outputs.ismaintainer == 'true')) }}
         uses: opencost/opencost-infra/.github/workflows/destroy-stack.yaml@main
         secrets: inherit 
@@ -173,13 +203,17 @@ jobs:
         if: ${{ always() }}
         steps:
           - name: Check success
+            id: check-success
+            env:
+              IS_NOOP: ${{ needs.noop-tests.outputs.is_noop }}
+              PASSED: ${{ needs.run-tests.outputs.passed }}
             run: |
-              if [[ "${{ needs.noop-tests.outputs.is_noop }}" == "true" ]]; then
+              if [[ "$IS_NOOP" == "true" ]]; then
                 echo "No-op tests, skipping success check"
                 exit 0
               fi
               
-              if [[ "${{ needs.run-tests.outputs.passed }}" != "true" ]]; then
+              if [[ "$PASSED" != "true" ]]; then
                 echo "One or more integration tests failed"
                 exit 1
               fi
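Review bot: `docker manifest inspect $IMAGE_TAG` and `host $NAMESPACE.infra.opencost.io` leave the new variables unquoted, so an empty `IMAGE_TAG` or `NAMESPACE` output from the upstream step silently becomes `docker manifest inspect` with no argument or a lookup of `.infra.opencost.io`, and the loop then polls for the full timeout; quote them, `docker manifest inspect "$IMAGE_TAG"`, and consider failing fast with `: "${IMAGE_TAG:?missing}"` at the top of the script. The new `hold-on-failure` job runs only when `needs.run-tests.outputs.passed == 'false'` and has no `always()`, so when `run-tests` itself fails (rather than reporting `passed=false`) the job is skipped and `teardown-test-stack` proceeds immediately — confirm that distinction is intended, and that a `sleep 3600` holding a runner for an hour is acceptable. The teardown condition on the context line next to the rewritten `needs:` tests `github.event.event_name == 'schedule'`, which is not a defined context property and so never matches; it looks like it should read `github.event_name == 'schedule'`, and although pre-existing it now decides whether the held stack is ever torn down on scheduled runs.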

+ 2 - 0
.github/workflows/label-comments.yml

@@ -6,6 +6,8 @@ on:
   issues:
     types: [opened, reopened, closed]
 
+permissions: {}
+
 jobs:
   set-follow-up-label:
     runs-on: ubuntu-latest

+ 5 - 1
.github/workflows/promote-to-demo.yaml

@@ -10,6 +10,7 @@ concurrency:
   group: build-opencost-develop
   cancel-in-progress: false
 
+permissions: {}
 jobs:
   prep-image-name:
     runs-on: ubuntu-latest
@@ -26,8 +27,11 @@ jobs:
 
       - name: Set OpenCost Image Tags
         id: tags
+        env:
+          REPO_OWNER: ${{ github.repository_owner }} 
+          OC_SHORTHASH: ${{ steps.sha.outputs.OC_SHORTHASH }}
         run: |
-          echo "IMAGE_TAG=ghcr.io/${{ github.repository_owner }}/opencost:develop-${{ steps.sha.outputs.OC_SHORTHASH }}" >> $GITHUB_OUTPUT
+          echo "IMAGE_TAG=ghcr.io/$REPO_OWNER/opencost:develop-$OC_SHORTHASH" >> $GITHUB_OUTPUT
  
   install-on-demo:
     needs: [prep-image-name]
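Review bot: `REPO_OWNER: ${{ github.repository_owner }} ` has a trailing space after the closing braces, which yamllint's `trailing-spaces` rule flags; trim it to `REPO_OWNER: ${{ github.repository_owner }}`. `permissions: {}` is inserted directly above `jobs:` without the blank line the other workflows in this commit use (integration-testing.yaml has the same layout); add one for consistency.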

+ 3 - 0
.github/workflows/sonar.yaml

@@ -3,6 +3,9 @@ on:
   workflow_run:
     workflows: ["Build/Test"]
     types: [completed]
+
+permissions: {}
+
 jobs:
   sonar:
     name: Sonar

+ 2 - 0
.github/workflows/stale.yml

@@ -3,6 +3,8 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions: {}
+
 jobs:
   stale:
     runs-on: ubuntu-latest

+ 11 - 8
Dockerfile

@@ -42,14 +42,17 @@ LABEL org.opencontainers.image.title=kubecost-cost-model
 LABEL org.opencontainers.image.url=https://opencost.io
 
 RUN apk add --update --no-cache ca-certificates
+
 COPY --from=build-env /go/bin/app /go/bin/app
-ADD --chmod=644 ./THIRD_PARTY_LICENSES.txt /THIRD_PARTY_LICENSES.txt
-ADD --chmod=644 ./configs/default.json /models/default.json
-ADD --chmod=644 ./configs/azure.json /models/azure.json
-ADD --chmod=644 ./configs/aws.json /models/aws.json
-ADD --chmod=644 ./configs/gcp.json /models/gcp.json
-ADD --chmod=644 ./configs/alibaba.json /models/alibaba.json
-ADD --chmod=644 ./configs/oracle.json /models/oracle.json
-ADD --chmod=644 ./configs/otc.json /models/otc.json
+ADD --chmod=400 ./THIRD_PARTY_LICENSES.txt /THIRD_PARTY_LICENSES.txt
+ADD --chmod=500 ./configs/default.json /models/default.json
+ADD --chmod=500 ./configs/azure.json /models/azure.json
+ADD --chmod=500 ./configs/aws.json /models/aws.json
+ADD --chmod=500 ./configs/gcp.json /models/gcp.json
+ADD --chmod=500 ./configs/alibaba.json /models/alibaba.json
+ADD --chmod=500 ./configs/oracle.json /models/oracle.json
+ADD --chmod=500 ./configs/otc.json /models/otc.json
+RUN chown -R 1001:1001 /models
+
 USER 1001
 ENTRYPOINT ["/go/bin/app"]
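Review bot: The config files under `/models` are now added with `--chmod=500`, which grants the execute bit to JSON data files that are only ever read; `--chmod=400`, matching the license file, is the least-privilege mode. The following `RUN chown -R 1001:1001 /models` makes the runtime user the owner of those files, and an owner can `chmod` them writable again, so the read-only mode is advisory rather than enforced; if the app only reads them, keeping root ownership with `--chmod=444` is the stronger configuration, and if ownership is genuinely required, `ADD --chown=1001:1001 --chmod=400 ...` does it in the same instruction and avoids the extra layer that re-copies the directory. `/THIRD_PARTY_LICENSES.txt` is `--chmod=400` but stays root-owned, so after `USER 1001` the process cannot read it at all — confirm that is intended. Since these are local files, `COPY` rather than `ADD` is the conventional instruction (hadolint DL3020), and the lines are being rewritten anyway. Dockerfile.cross carries the identical block and the same comments apply there.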

+ 9 - 8
Dockerfile.cross

@@ -16,14 +16,15 @@ ARG binarypath
 
 RUN apk add --update --no-cache ca-certificates
 
-ADD --chmod=644 ./THIRD_PARTY_LICENSES.txt /THIRD_PARTY_LICENSES.txt
-ADD --chmod=644 ./configs/default.json /models/default.json
-ADD --chmod=644 ./configs/azure.json /models/azure.json
-ADD --chmod=644 ./configs/aws.json /models/aws.json
-ADD --chmod=644 ./configs/gcp.json /models/gcp.json
-ADD --chmod=644 ./configs/alibaba.json /models/alibaba.json
-ADD --chmod=644 ./configs/oracle.json /models/oracle.json
-ADD --chmod=644 ./configs/otc.json /models/otc.json
+ADD --chmod=400 ./THIRD_PARTY_LICENSES.txt /THIRD_PARTY_LICENSES.txt
+ADD --chmod=500 ./configs/default.json /models/default.json
+ADD --chmod=500 ./configs/azure.json /models/azure.json
+ADD --chmod=500 ./configs/aws.json /models/aws.json
+ADD --chmod=500 ./configs/gcp.json /models/gcp.json
+ADD --chmod=500 ./configs/alibaba.json /models/alibaba.json
+ADD --chmod=500 ./configs/oracle.json /models/oracle.json
+ADD --chmod=500 ./configs/otc.json /models/otc.json
+RUN chown -R 1001:1001 /models
 
 COPY ${binarypath} /go/bin/app
 

+ 1 - 0
core/pkg/protocol/http_test.go

@@ -184,3 +184,4 @@ func TestHTTPProtocol_WriteData_Structure(t *testing.T) {
 	assert.NotContains(t, body, "message")
 	assert.NotContains(t, body, "warning")
 }
+