f9b0fd3
Adding Keeper-Chef Integration
yash-metron Jul 15, 2025
c08e3e7
Updated README file
yash-metron Jul 15, 2025
d959323
Updated Readme.md file.
yash-metron Jul 16, 2025
4d07b59
Address review comments
yash-metron Jul 18, 2025
c1b2b2f
Update metadata
yash-metron Jul 18, 2025
e3b3d51
Merge pull request #9 from metron-labs/chef_integration_dev
yash-metron Jul 18, 2025
0f3df50
Upated license in metadata
yash-metron Jul 18, 2025
cfc3ed6
Added sensitive true to hide output logs
yash-metron Jul 28, 2025
de592ff
Added github action to publish chef integration.
yash-metron Sep 2, 2025
ec8ebd3
Updated spec files.
yash-metron Sep 4, 2025
4277c42
Updated Chef resources as per the new Chef version.
yash-metron Sep 4, 2025
6b00fc4
Updated Chef commands in publish-chef-supermarket.yml
ysolanki-ks Sep 4, 2025
a4e2e61
Addressed the review comments given by the Keeper team.
ysolanki-ks Sep 10, 2025
e16bf43
Added ruby to resuable sbom, updated secrets, updated knife commands …
stas-schaller Sep 23, 2025
83158e3
Merge pull request #15 from stas-schaller/workflow-and-readme-additions
yash-metron Sep 29, 2025
ddcf5e1
Resolved merge conflict in reusable sbom
stas-schaller Oct 23, 2025
f18e952
Fix: Resolve bugs in Chef integration
yash-metron Nov 3, 2025
57b4205
Merge branch 'master' into release/integration/chef/v1.0.0
stas-schaller Dec 2, 2025
ea0df27
Merge Chef integration v1.0.0 from metron-labs
stas-schaller Dec 2, 2025
4b04f13
refactor: replace reusable SBOM workflow with inline scanning in Chef…
stas-schaller Dec 2, 2025
83d96af
fix: add proper knife authentication for Chef Supermarket publishing
stas-schaller Dec 2, 2025
3a32d69
fix: add explicit permissions to workflow jobs (CodeQL alerts 113, 15…
stas-schaller Dec 2, 2025
5600696
revert: remove Ruby support from reusable SBOM workflow
stas-schaller Dec 2, 2025
1be1b4d
chore: update Chef cookbook version to 1.0.0 and add repository URLs
stas-schaller Dec 2, 2025
39b18e0
addressed cookbook execution issues on windows
amuley-ks Dec 11, 2025
a239ccd
updated recipies and resources
adityam-metron Dec 13, 2025
e7ac754
updated logic to install python automatically on windows
adityam-metron Dec 15, 2025
5e4a41a
fixed the python installation on windows, fixed linting issue
adityam-metron Dec 16, 2025
685f61e
Merge branch 'Keeper-Security:master' into fix-chef-cookbook-executio…
adityam-metron Dec 17, 2025
3132ee1
Merge pull request #882 from metron-labs/fix-chef-cookbook-execution-…
stas-schaller Dec 18, 2025
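--- /dev/null
+++ b/.github/workflows/publish.chefsupermaket.yml
@@ -0,0 +1,239 @@
+name: Publish to Chef Supermarket
+on:
+workflow_dispatch:
+inputs:
+publish:
+description: 'Publish to Chef Supermarket (uncheck to build only)'
+required: false
+default: 'true'
+type: boolean
+
+jobs:
+get-version:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+outputs:
+version: ${{ steps.extract-version.outputs.version }}
+steps:
+- uses: actions/checkout@v4
+- name: Extract version from metadata.rb
+id: extract-version
+working-directory: ./integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager
+run: |
+echo "Detecting Chef cookbook version..."
+if [ -f "metadata.rb" ]; then
+VERSION=$(grep "version" "metadata.rb" | awk '{print $2}' | tr -d "'\"")
+echo "Detected version: ${VERSION}"
+else
+VERSION="1.0.0"
+echo "Could not detect version, using default: ${VERSION}"
+fi
+echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+
+generate-sbom:
+name: Generate SBOM
+needs: get-version
+runs-on: ubuntu-latest
+permissions:
+contents: read
+timeout-minutes: 10
+
+defaults:
+run:
+working-directory: ./integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager
+
+steps:
+- name: Get the source code
+uses: actions/checkout@v4
+
+- name: Setup Ruby
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: '3.2.4'
+working-directory: ./integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager
+
+- name: Install Syft and Manifest CLI
+run: |
+echo "Installing Syft v1.18.1..."
+curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp/bin v1.18.1
+export PATH="/tmp/bin:$PATH"
+
+echo "Installing Manifest CLI v0.18.3..."
+curl -sSfL https://raw.githubusercontent.com/manifest-cyber/cli/main/install.sh | sh -s -- -b /tmp/bin v0.18.3
+
+- name: Generate and publish SBOM
+env:
+MANIFEST_TOKEN: ${{ secrets.MANIFEST_TOKEN }}
+PROJECT_VERSION: ${{ needs.get-version.outputs.version }}
+run: |
+export PATH="/tmp/bin:$PATH"
+
+echo "Creating Syft configuration for Ruby scanning..."
+cat > syft-config.yaml << 'EOF'
+package:
+search:
+scope: all-layers
+cataloger:
+enabled: true
+java:
+enabled: false
+python:
+enabled: false
+nodejs:
+enabled: false
+ruby:
+enabled: true
+search-unindexed-archives: true
+search-indexed-archives: true
+EOF
+
+echo "Generating SBOM with Manifest CLI..."
+/tmp/bin/manifest sbom . \
+--generator=syft \
+--name=keeper-secrets-manager-chef \
+--version=${PROJECT_VERSION} \
+--output=spdx-json \
+--file=chef-sbom.json \
+--api-key=${MANIFEST_TOKEN} \
+--publish=true \
+--asset-label=application,sbom-generated,ruby,chef \
+--generator-config=syft-config.yaml
+
+echo "SBOM generated and uploaded successfully: chef-sbom.json"
+
+- name: Archive SBOM
+uses: actions/upload-artifact@v4
+with:
+name: sbom-chef-${{ needs.get-version.outputs.version }}
+path: ./integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager/chef-sbom.json
+retention-days: 90
+
+
+publish-chef-supermarket:
+needs: [get-version, generate-sbom]
+if: ${{ github.event.inputs.publish == 'true' }}
+runs-on: ubuntu-latest
+environment: prod
+permissions:
+contents: read
+timeout-minutes: 20
+
+defaults:
+run:
+working-directory: ./integration/keeper_secrets_manager_chef/cookbooks/keeper_secrets_manager
+
+steps:
+- name: Get the source code
+uses: actions/checkout@v4
+
+- name: Setup Ruby
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: '3.2.4'
+
+- name: Retrieve secrets from KSM
+id: ksmsecrets
+uses: Keeper-Security/ksm-action@master
+with:
+keeper-secret-config: ${{ secrets.KSM_CHEF_SUPERMARKET_CONFIG }}
+secrets: |
+b9vSxs5Dn-yJTPYr7Yvfmg/field/login > CHEF_USER
+b9vSxs5Dn-yJTPYr7Yvfmg/file/keepersecurity.pem > file:keepersecurity.pem
+b9vSxs5Dn-yJTPYr7Yvfmg/custom_field/server_url > CHEF_SERVER_URL
+
+- name: Configure knife authentication
+run: |
+mkdir -p ~/.chef
+
+# Move the client key from workspace to ~/.chef
+mv "${{ github.workspace }}/keepersecurity.pem" ~/.chef/client.pem
+chmod 600 ~/.chef/client.pem
+
+# Verify key file exists and has correct permissions
+ls -la ~/.chef/client.pem
+echo "Client key file created with permissions: $(stat -f '%A' ~/.chef/client.pem)"
+
+# Create knife config
+cat > ~/.chef/config.rb << EOF
+node_name '${{ steps.ksmsecrets.outputs.CHEF_USER }}'
+client_key File.expand_path('~/.chef/client.pem')
+chef_server_url '${{ steps.ksmsecrets.outputs.CHEF_SERVER_URL }}'
+cookbook_path [File.expand_path('.')]
+EOF
+
+echo "Knife configuration created:"
+cat ~/.chef/config.rb
+
+- name: Get current version and validate
+id: version
+run: |
+if [[ -f "metadata.rb" ]]; then
+VERSION=$(grep "version" metadata.rb | awk '{print $2}' | tr -d "'\"")
+echo "current_version=$VERSION" >> $GITHUB_OUTPUT
+echo "Current version: $VERSION"
+else
+echo "Error: metadata.rb not found"
+exit 1
+fi
+
+- name: Check if version already exists on Chef Supermarket
+env:
+VERSION: ${{ steps.version.outputs.current_version }}
+run: |
+echo "Checking if version $VERSION exists on Supermarket..."
+RESULT=$(curl -s "https://supermarket.chef.io/api/v1/cookbooks/keeper_secrets_manager/versions/${VERSION}")
+if echo "$RESULT" | grep -q '"version"'; then
+echo "Error: Version $VERSION already exists on Chef Supermarket!"
+exit 1
+fi
+echo "Version $VERSION is available for publishing"
+
+- name: Install Chef Workstation
+run: |
+echo "Installing Chef Workstation..."
+curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef-workstation
+chef --version
+
+- name: Run linting (Cookstyle)
+run: |
+echo "Running cookstyle..."
+cookstyle || exit 1
+
+- name: Run ChefSpec tests
+run: |
+echo "Running ChefSpec tests..."
+rspec || exit 1
+
+- name: Publish to Chef Supermarket
+env:
+VERSION: ${{ steps.version.outputs.current_version }}
+run: |
+echo "Publishing to Chef Supermarket..."
+echo "Using knife configuration from ~/.chef/config.rb"
+
+# Verify knife configuration
+knife ssl check || echo "Warning: SSL check failed, but continuing..."
+
+# Share cookbook to Supermarket
+knife supermarket share keeper_secrets_manager "Utilities" \
+--supermarket-site https://supermarket.chef.io \
+--cookbook-path .
+
+echo "Successfully published version $VERSION to Chef Supermarket!"
+
+- name: Create release summary
+env:
+VERSION: ${{ steps.version.outputs.current_version }}
+run: |
+echo "## Chef Cookbook Published Successfully!" >> $GITHUB_STEP_SUMMARY
+echo "**Version:** $VERSION" >> $GITHUB_STEP_SUMMARY
+echo "**Cookbook:** keeper_secrets_manager" >> $GITHUB_STEP_SUMMARY
+echo "**Supermarket URL:** https://supermarket.chef.io/cookbooks/keeper_secrets_manager" >> $GITHUB_STEP_SUMMARY
+echo "" >> $GITHUB_STEP_SUMMARY
+echo "### Validation Results" >> $GITHUB_STEP_SUMMARY
+echo "- Cookstyle: Passed" >> $GITHUB_STEP_SUMMARY
+echo "- ChefSpec Tests: Passed" >> $GITHUB_STEP_SUMMARY
+echo "- Cookbook Build: Successful" >> $GITHUB_STEP_SUMMARY
+echo "- Supermarket Publish: Successful" >> $GITHUB_STEP_SUMMARY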
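Review bot: The step `uses: Keeper-Security/ksm-action@master` in the publish job is the only action in this workflow pinned to a mutable branch, and it is the one that receives `secrets.KSM_CHEF_SUPERMARKET_CONFIG` and writes the Chef client key to the workspace; pin it to an immutable ref, `uses: Keeper-Security/ksm-action@<release-tag-or-commit-sha>`, as the other actions are pinned to tags, and the same concern applies to the unpinned installer scripts piped to `sh` and `sudo bash` in the Syft/Manifest and Chef Workstation steps. In the knife configuration step, `stat -f '%A'` is the BSD form; on ubuntu-latest GNU `stat -f` reports filesystem status, so the echoed permissions line will not show the file mode — use `stat -c '%a' ~/.chef/client.pem`. The `grep "version" metadata.rb | awk '{print $2}'` used in both the get-version job and the publish job's version step matches any line containing "version" (a `chef_version` line in metadata.rb, if present, would make VERSION multi-line), so anchor it, e.g. `grep -E '^version ' metadata.rb`, and consider having the publish job consume `needs.get-version.outputs.version` instead of recomputing it. The `${{ steps.ksmsecrets.outputs.CHEF_USER }}` and `CHEF_SERVER_URL` expressions are expanded directly inside the `run:` heredoc; passing them through `env:` and referencing `$CHEF_USER` / `$CHEF_SERVER_URL` in the script avoids expression interpolation into shell, and `cat ~/.chef/config.rb` should be dropped or reduced since it prints the node name and server URL to the job log if those outputs are not masked.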