wip: new(prow): pigeon integration

config/clusters/ecr.tf

@@ -59,4 +59,11 @@ resource "aws_ecr_repository" "update_rules_index" {
   encryption_configuration {
     encryption_type = "KMS"
   }
+}
+
+resource "aws_ecr_repository" "sync_ghrepos_secrets_vars" {
+  name = "test-infra/sync-ghrepos-secrets-vars"
+  encryption_configuration {
+    encryption_type = "KMS"
+  }
 }

config/jobs/build-prow-images/build-images.yaml

@@ -280,3 +280,31 @@ presubmits:
           privileged: true
       nodeSelector:
         Archtype: "x86"
+  - name: build-images-sync-ghrepos-secrets-vars
+    decorate: true
+    path_alias: github.com/falcosecurity/test-infra
+    skip_report: false
+    agent: kubernetes
+    run_if_changed: '^images/sync-ghrepos-secrets-vars/'
+    branches:
+      - ^master$
+    spec:
+      containers:
+      - command:
+          - "/home/prow/go/src/github.com/falcosecurity/test-infra/images/build.sh"
+        args:
+          - "/home/prow/go/src/github.com/falcosecurity/test-infra/images/sync-ghrepos-secrets-vars"
+        env:
+        - name: AWS_REGION
+          value: eu-west-1
+        image: 292999226676.dkr.ecr.eu-west-1.amazonaws.com/test-infra/docker-dind
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: 3Gi
+            cpu: 1.5
+            ephemeral-storage: "2Gi"
+        securityContext:
+          privileged: true
+      nodeSelector:
+        Archtype: "x86"

config/jobs/build-prow-images/publish-images.yaml

@@ -281,3 +281,31 @@ postsubmits:
           privileged: true
       nodeSelector:
         Archtype: "x86"        
+  - name: publish-images-sync-ghrepos-secrets-vars
+    decorate: true
+    path_alias: github.com/falcosecurity/test-infra
+    skip_report: false
+    agent: kubernetes
+    run_if_changed: '^images/sync-ghrepos-secrets-vars/'
+    branches:
+      - ^master$
+    spec:
+      containers:
+      - command:
+          - "/home/prow/go/src/github.com/falcosecurity/test-infra/images/publish.sh"
+        args:
+          - "/home/prow/go/src/github.com/falcosecurity/test-infra/images/sync-ghrepos-secrets-vars"
+        env:
+        - name: AWS_REGION
+          value: eu-west-1
+        image: 292999226676.dkr.ecr.eu-west-1.amazonaws.com/test-infra/docker-dind
+        imagePullPolicy: Always
+        resources:
+          requests:
+            memory: 3Gi
+            cpu: 1.5
+            ephemeral-storage: "2Gi"
+        securityContext:
+          privileged: true
+      nodeSelector:
+        Archtype: "x86"

config/jobs/sync-ghrepos-secrets-vars/sync-ghrepos-secrets-vars.yaml

@@ -0,0 +1,53 @@
+presubmits:
+  falcosecurity/test-infra:
+  - name: sync-ghrepos-secrets-vars-presubmit
+    branches:
+        - ^master$
+    decorate: true
+    max_concurrency: 1
+    skip_report: false
+    run_if_changed: '^config/pigeon.yaml$|^config/jobs/pigeon/.*'
+    spec:
+      containers:
+        - image: 292999226676.dkr.ecr.eu-west-1.amazonaws.com/test-infra/pigeon:latest
+          command:
+            - pigeon
+          args:
+            - --dry-run
+            - --gh-token /etc/github-token/oauth
+            - --conf config/pigeon.yaml
+          volumeMounts:
+            - name: github
+              mountPath: /etc/github-token
+      volumes:
+        - name: github
+          secret:
+            secretName: oauth-token
+      nodeSelector:
+        Archtype: "x86"
+postsubmits:
+  falcosecurity/test-infra:
+    - name: sync-ghrepos-secrets-vars-postsubmit
+      branches:
+        - ^master$
+      decorate: true
+      max_concurrency: 1
+      skip_report: false
+      run_if_changed: '^config/pigeon.yaml$|^config/jobs/pigeon/.*'
+      spec:
+        containers:
+          - image: 292999226676.dkr.ecr.eu-west-1.amazonaws.com/test-infra/pigeon:latest
+            command:
+              - pigeon
+            args:
+              - --gh-token /etc/github-token/oauth
+              - --conf config/pigeon.yaml
+            volumeMounts:
+              - name: github
+                mountPath: /etc/github-token
+        volumes:
+          - name: github
+            secret:
+              secretName: oauth-token
+        nodeSelector:
+          Archtype: "x86"

config/pigeon.yaml

@@ -0,0 +1,23 @@
+# Example configuration
+# orgs:
+#   falcosecurity:
+#     actions:
+#       variables:
+#         orgVar1: "orgValue1"
+#       secrets:
+#         - orgSecret0
+#     repos:
+#       test-infra:
+#         actions:
+#           variables:
+#             repoVar1: "repoValue1"
+#             repoVar2: "repoValue2"
+#           secrets:
+#             - repoSecret0
+#       plugins:
+#         actions:
+#           variables:
+#             repoVar3: "repoValue3"
+#             repoVar4: "repoValue4"
+#           secrets:
+#             - repoSecret0

images/sync-ghrepos-secrets-vars/Dockerfile

@@ -0,0 +1,12 @@
+FROM golang:1.18 AS pigeon
+
+RUN curl -s "https://api.github.com/repos/falcosecurity/pigeon/releases/latest" | grep "browser_download_url.*tar.gz" \
+| cut -d : -f 2,3 \
+| tr -d \" \
+| xargs wget -qO- \
+| tar -xvz
+
+FROM ubuntu:22.04
+RUN apt-get update && apt-get install -y libsodium-dev
+
+COPY --from=pigeon /go/pigeon /bin

images/sync-ghrepos-secrets-vars/Makefile

@@ -0,0 +1,23 @@
+SHELL := /bin/bash
+
+IMG_SLUG := test-infra
+IMG_NAME := sync-ghrepos-secrets-vars
+IMG_TAG ?= latest
+
+ACCOUNT := 292999226676
+DOCKER_PUSH_REPOSITORY = dkr.ecr.eu-west-1.amazonaws.com
+
+IMAGE := "$(ACCOUNT).$(DOCKER_PUSH_REPOSITORY)/$(IMG_SLUG)/$(IMG_NAME):$(IMG_TAG)"
+
+build-push: build-image push-image
+
+build-image:
+	docker build --no-cache -t "$(IMG_SLUG)/$(IMG_NAME)" .
+
+push-image:
+	docker tag "$(IMG_SLUG)/$(IMG_NAME)" $(IMAGE)
+	docker push $(IMAGE)
+
+local-registry:
+	docker tag "$(IMG_SLUG)/$(IMG_NAME)" localhost:5000/$(IMG_NAME)
+	docker push localhost:5000/$(IMG_NAME)