diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..27dac58
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# Please do not attempt to edit this file without the direct consent from the DevOps team. This file is managed centrally.
+# Contact @scott45
+
+* @scott45
\ No newline at end of file
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
deleted file mode 100644
index 1ae15e5..0000000
--- a/.github/workflows/bench.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-name: Benchmark CI
-env:
- GITHUB_TOKEN: ${{ secrets.GH_WRITE_TOKEN }}
- REPO_NAME: 'performance-benchmark'
- PROCCESSOR_REPO_NAME: ${{ github.event.repository.name }}
-on:
- push:
- branches:
- - 'main'
-jobs:
- bench:
- runs-on: ubuntu-latest
- steps:
- - name: Clone repo
- run: |
- git clone https://user:$GITHUB_TOKEN@github.com/${{ github.repository_owner }}/${{ env.REPO_NAME }}
- cd ${{ env.REPO_NAME }}
- git config --local user.email "action@github.com"
- git config --local user.name "GitHub Action"
- - name: Switch to temp branch
- run: |
- cd ${{ env.REPO_NAME }}
- git checkout temp-holder
- git pull
- cat "${{ env.PROCCESSOR_REPO_NAME }}".csv >> "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git add "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git stash
- git checkout main
- git stash apply
- - name: Write data
- run: |
- cd ${{ env.REPO_NAME }}
- echo -n $'\n' >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
- cat "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
- git reset "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git add "${{ env.PROCCESSOR_REPO_NAME }}".csv
- git commit -m "#${{ github.event.number }} Pushed update of ${{ env.PROCCESSOR_REPO_NAME }}"
- - name: push data
- run: |
- cd ${{ env.REPO_NAME }}
- git push origin main
\ No newline at end of file
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 500f7d3..273f607 100644
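Review bot: `* @scott45` makes a single personal account the owner of every path, and the comment above it presents that as a central-management control; CODEOWNERS only gates merges where branch protection requires code-owner review, so without that setting the file is review routing, not enforcement. A team handle (e.g. `@<org>/devops`, constructed) would keep routing intact when that one account is unavailable and would match the "DevOps team" wording in the comment. The file is also written without a trailing newline, which some linters flag.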
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -13,6 +13,8 @@
 # For more information on Codacy Analysis CLI in general, see
 # https://github.com/codacy/codacy-analysis-cli.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Codacy Security Scan
 on:
@@ -29,6 +31,7 @@ permissions:
 jobs:
 codacy-security-scan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 88abae3..6212b29 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,6 +11,9 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: "CodeQL"
 on:
@@ -24,6 +27,7 @@ on:
 jobs:
 analyze:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 name: Analyze
 runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
 permissions:
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 68efbd2..6aee786 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -7,6 +7,8 @@
 # This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: PR Conventional Commit Validation
 on:
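Review bot: The added `if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'` on codacy-security-scan switches the security scan off for exactly the runs that bring new third-party code into the tree; the same guard is added to analyze in codeql.yml, njsscan, the build/lint/test jobs in node.js.yml, Anchore-Build-Scan in sbom.yml, release in release.yml, and the validate-pr-title, dco, gpg-verify, close_milestone and sync jobs. `github.actor` is the account that initiated the run, so on the push and schedule triggers these workflows also carry (per the workflow docs added in this commit) the condition is evaluated against whoever initiated the run rather than a PR author — worth confirming that scope is intended. If the goal is only to avoid failures in jobs that need secrets a Dependabot run cannot read, keep the guard on those jobs and restrict it to pull requests, e.g. `if: github.event_name != 'pull_request' || github.actor != 'dependabot[bot]'`, and leave the scanners running on Dependabot PRs. `dependabot-preview[bot]` is the retired predecessor app and can be dropped once that is settled.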
@@ -16,6 +18,7 @@ on:
 jobs:
 validate-pr-title:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - name: Checkout code
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
index af42602..861c0ea 100644
--- a/.github/workflows/dco-check.yml
+++ b/.github/workflows/dco-check.yml
@@ -2,6 +2,8 @@
 # This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: DCO
 # Trigger the workflow on pull request events
@@ -9,6 +11,7 @@ on: [pull_request]
 jobs:
 dco:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 # Define the runner environment
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index b8a269e..577adb6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -6,6 +6,10 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: 'Dependency Review'
 on: [pull_request]
diff --git a/.github/workflows/dockerfile-linter.yml b/.github/workflows/dockerfile-linter.yml
deleted file mode 100644
index 89f8cb4..0000000
--- a/.github/workflows/dockerfile-linter.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# hadoint is a Dockerfile linter written in Haskell
-# that helps you build best practice Docker images.
-# More details at https://github.com/hadolint/hadolint
-
-name: Hadolint
-
-on:
- push:
- branches: [ "dev", "main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "dev" ]
- schedule:
- - cron: '17 13 * * 0'
-
-permissions:
- contents: read
-
-jobs:
- hadolint:
- name: Run hadolint scanning
- runs-on: ubuntu-latest
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Run hadolint
- uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
- with:
- dockerfile: ./Dockerfile
- format: sarif
- output-file: hadolint-results.sarif
- no-fail: true
-
- - name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: hadolint-results.sarif
- wait-for-processing: true
\ No newline at end of file
diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml
deleted file mode 100644
index dbf7b8f..0000000
--- a/.github/workflows/dockerhub-image-build.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# GitHub recommends pinning actions to a commit SHA.
-# To get a newer version, you will need to update the SHA.
-# You can also reference a tag or branch, but the action may change without warning.
-
-name: Publish Docker image
-
-on:
- release:
- types: [published]
-
-jobs:
- push_to_registry:
- name: Push Docker image to Docker Hub
- runs-on: ubuntu-latest
- permissions:
- packages: write
- contents: read
- attestations: write
- id-token: write
- steps:
- - name: Check out the repo
- uses: actions/checkout@v4
-
- - name: Log in to Docker Hub
- uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
- with:
- images: my-docker-hub-namespace/my-docker-hub-repository
-
- - name: Build and push Docker image
- id: push
- uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
- with:
- context: .
- file: ./Dockerfile
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
-
-
- * name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
-
diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml
index 9c0ab8f..56b6f3c 100644
--- a/.github/workflows/gpg-verify.yml
+++ b/.github/workflows/gpg-verify.yml
@@ -2,12 +2,15 @@
 # This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: GPG Verify
 on: [pull_request] # Trigger this workflow on pull request events
 jobs:
 gpg-verify:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml
index 7173e0f..8b5bb6a 100644
--- a/.github/workflows/milestone.yml
+++ b/.github/workflows/milestone.yml
@@ -2,6 +2,8 @@
 # This GitHub Actions workflow is designed to close a milestone and trigger a release workflow.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Milestone Workflow
 # This workflow can be manually triggered with a specified milestone ID.
@@ -15,6 +17,7 @@ on:
 jobs:
 close_milestone:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml
index 255c0f7..d1bddf2 100644
--- a/.github/workflows/njsscan.yml
+++ b/.github/workflows/njsscan.yml
@@ -8,6 +8,8 @@
 # This workflow integrates njsscan with GitHub's Code Scanning feature
 # nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: njsscan sarif
 on:
@@ -24,6 +26,7 @@ permissions:
 jobs:
 njsscan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 5922eb5..373ddd2 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -3,6 +3,8 @@
 # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Node.js CI
 env:
@@ -19,6 +21,7 @@ on:
 branches: [ "dev", "main" ]
 jobs:
 build:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: run build
 strategy:
@@ -39,6 +42,7 @@ jobs:
 run: npm run build
 lint:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: check style
 strategy:
@@ -60,6 +64,7 @@ jobs:
 run: npm run lint
 test:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: check tests
 strategy:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..b62fa6c
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,161 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish dev npm package to GitHub
+
+on:
+ push:
+ branches:
+ - 'dev'
+ paths-ignore:
+ - package.json
+ - package-lock.json
+ workflow_dispatch:
+
+jobs:
+ build-and-publish:
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN_LIB }}
+ permissions:
+ packages: write
+ contents: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Node.js (.npmrc)
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16.x
+ registry-url: https://npm.pkg.github.com/
+ # Defaults to the user or organization that owns the workflow file
+ scope: '@frmscoe'
+
+ - name: Set up NPM authentication
+ run: |
+ echo "//npm.pkg.github.com/:_authToken=${{ secrets.GH_TOKEN_LIB }}" > ~/.npmrc
+ cat .npmrc
+
+ - name: Configure Git
+ run: |
+ git config user.email ${{ secrets.GH_EMAIL }}
+ git config user.name ${{ secrets.GH_USERNAME }}
+
+ - name: Version bumping
+ env:
+ GH_TOKEN: '${{ secrets.GH_TOKEN }}'
+ run: |
+ commit_message=$(git log -1 --pretty=%B)
+ echo "Commit message: $commit_message"
+ if [[ "$commit_message" == *'feat!:'* ]]; then
+ npm version major
+ elif [[ "$commit_message" == *"feat:"* ]]; then
+ npm version minor
+ else
+ npm version prerelease --preid=rc
+ fi
+
+ - name: Install dependencies
+ run: npm ci
+ env:
+ GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+
+ - name: Build library
+ run: npm run build
+
+ - name: Publish package
+ run: npm publish
+ env:
+ GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ NODE_AUTH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+
+ - name: Capture Version
+ id: capture_version
+ run: |
+ export version=$(jq -r '.version' package.json)
+ echo "VERSION=$version" >> $GITHUB_ENV
+
+ - name: Push Changes in package.json and make PRs
+ run: |
+ export GH_USERNAME=${{ secrets.GH_USERNAME }}
+ export GH_TOKEN=${{ secrets.GH_TOKEN_LIB }}
+ git config --global user.name ${{ secrets.GH_USERNAME }}
+
+ # Clear the GITHUB_TOKEN environment variable and use a temporary file for gh authentication
+ echo "${{ secrets.GH_TOKEN_LIB }}" > /tmp/gh_token
+ unset GITHUB_TOKEN
+ unset GH_TOKEN
+ gh auth login --with-token < /tmp/gh_token
+
+ git clone https://${{ secrets.GH_USERNAME }}:${{ secrets.GH_TOKEN_LIB }}@github.com/${{ github.repository }}.git
+ REPO_NAME=$(basename -s .git https://github.com/${{ github.repository }}.git)
+ cd $REPO_NAME
+ echo "Currently in repository directory: $(pwd)"
+
+ if git ls-remote --heads origin version-bump | grep version-bump; then
+ # Branch exists, pull the latest changes
+ git checkout version-bump
+ git pull origin version-bump
+ else
+ # Branch does not exist, create it
+ git checkout -b version-bump
+ fi
+
+ git config --global user.email ${{ secrets.GH_EMAIL }}
+ git config --global user.name ${{ secrets.GH_USERNAME }}
+
+ # print current version
+ sed -i 's/"version": "[^"]*"/"version": "'"${{ env.VERSION }}"'"/' package.json
+ cat package.json
+ git add .
+ git commit -m "chore: Bump version after publishing to Github NPM" || echo "No changes to commit"
+ git push origin version-bump || git push origin version-bump --force
+
+ gh pr create --title "build: Automated PR; Bump version after publishing to Github NPM" --body "This pull request updates the version in the `package.json` and `package-lock.json` after the package was published." --base dev --head version-bump --assignee ${{ secrets.GH_USERNAME }} --label build || echo "PR already exists, updating existing PR"
+ PR_ID=$(gh pr view --json number -q ".number")
+ echo "PR_ID=$pr_id" >> $GITHUB_ENV
+
+ # Cleanup
+ rm /tmp/gh_token
+
+ # Send Slack Notification
+ - name: Send Slack Notification
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ # Fetch the PR ID from the environment
+ PR_ID=${{ env.PR_ID }}
+
+ curl -X POST -H 'Content-type: application/json' --data '{
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": "New NPM GitHub package published :white_check_mark:",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}"
+ },
+ {
+ "type": "mrkdwn",
+ "text": "*Pull Requests:*\n"
+ }
+ ]
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "Please head over to the github repository and merge the PR linked above to update the `package.json` with the newly published npm package."
+ }
+ }
+ ]
+ }' $SLACK_WEBHOOK_URL
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f5d0a21..3058564 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Release Workflow
 on:
@@ -11,6 +13,7 @@ on:
 jobs:
 release:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 steps:
 # Checkout the main branch with all history
@@ -210,7 +213,7 @@ jobs:
 # Attach changelog as an artifact
 - name: Attach Changelog to Release
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Changelog
 path: /home/runner/work/changelog.txt
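Review bot: In the "Push Changes in package.json and make PRs" step, `echo "PR_ID=$pr_id" >> $GITHUB_ENV` reads the lowercase `$pr_id`, which is never set, so `PR_ID` is exported empty and the Slack step's `PR_ID=${{ env.PR_ID }}` and its `*Pull Requests:*\n` field carry nothing; it should be `echo "PR_ID=$PR_ID" >> "$GITHUB_ENV"` and the Slack text should interpolate it, e.g. `"*Pull Requests:*\nhttps://github.com/${{ github.repository }}/pull/${{ env.PR_ID }}"`. In the same step the `gh pr create --body "... `package.json` and `package-lock.json` ..."` argument is double-quoted, so bash treats the backticks as command substitution (`package.json: command not found`) and the body loses those words; escape them or single-quote the body. `git clone https://${{ secrets.GH_USERNAME }}:${{ secrets.GH_TOKEN_LIB }}@github.com/...` writes the PAT into the clone's `.git/config` remote URL even though the repository is already checked out by actions/checkout and `gh auth login` has just been given the same token; pushing from the existing checkout with the token supplied through `GH_TOKEN` or a credential helper keeps it out of on-disk config. The job-level `env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN_LIB }}` shadows the built-in token while Install/Publish then set `GH_TOKEN`/`NODE_AUTH_TOKEN` from `secrets.GITHUB_TOKEN`, and `~/.npmrc` was already overwritten with the `GH_TOKEN_LIB` token, so which credential actually publishes is ambiguous — settling on one and documenting it would help. `actions/checkout@v3`, `actions/setup-node@v3` and `node-version: 16.x` are also behind the `@v4` used by the other workflows in this commit.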
@@ -228,30 +231,37 @@ jobs:
 draft: false
 prerelease: false
- # Update the CHANGELOG.md file in the repository
- - name: Update CHANGELOG.md
+ - name: Get Latest Release
 run: |
- NEW_VERSION=${{ steps.bump_version.outputs.new_version }}
- CHANGELOG_CONTENTS=$(cat /home/runner/work/changelog.txt)
- # Prepend the new changelog content to the existing CHANGELOG.md below SPDX-License-Identifier section
- echo -e "$(head -n 2 CHANGELOG.md)\n\n## $NEW_VERSION\n\n$CHANGELOG_CONTENTS\n\n$(tail -n +3 CHANGELOG.md)" > CHANGELOG.md
- git config --global user.name "github-actions[bot]"
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git add CHANGELOG.md
- git commit -m "chore: Update CHANGELOG.md for $NEW_VERSION"
- git push origin HEAD:main
+ echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV
+ echo "The latest release tag is $LATEST_RELEASE"
+
+ - name: Send Slack Notification
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # Update the VERSION file
- - name: Update VERSION file
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 run: |
- NEW_VERSION=${{ steps.bump_version.outputs.new_version }}
- echo -e "# SPDX-License-Identifier: Apache-2.0\n\n$NEW_VERSION" > VERSION
- git config --global user.name "github-actions[bot]"
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git add VERSION
- git commit -m "chore: Update VERSION to $NEW_VERSION"
- git push origin HEAD:main
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ curl -X POST -H 'Content-type: application/json' --data '{
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": "New Release Alert :tazama:",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}"
+ },
+ {
+ "type": "mrkdwn",
+ "text": "*Release:*\n"
+ }
+ ]
+ }
+ ]
+ }' ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000..1abab3f
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: Anchore Syft SBOM scan
+
+on:
+ push:
+ branches: [ "main" ]
+
+permissions:
+ contents: write
+
+jobs:
+ Anchore-Build-Scan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ permissions:
+ contents: write # required to upload to the Dependency submission API
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v4
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Scan the image and upload dependency results
+ uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+ with:
+ image: "localbuild/testimage:latest"
+ artifact-name: image.spdx.json
+ dependency-snapshot: true
diff --git a/.github/workflows/sync-workflows.yml b/.github/workflows/sync-workflows.yml
index 22d4f22..82e9faf 100644
--- a/.github/workflows/sync-workflows.yml
+++ b/.github/workflows/sync-workflows.yml
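Review bot: In the new Get Latest Release step, `echo "The latest release tag is $LATEST_RELEASE"` runs in the same step that appended `LATEST_RELEASE` to `$GITHUB_ENV`, and values written there only become visible to later steps, so the line prints an empty string; assign a shell variable first, e.g. `LATEST_RELEASE=$(gh release list --limit 1 --json tagName -q '.[0].tagName')`, `echo "LATEST_RELEASE=$LATEST_RELEASE" >> "$GITHUB_ENV"`, then echo it. `awk '{print $1}'` on `gh release list` takes the first column, which is the release title and only equals the tag when titles are bare tags — and the removed lines show the tag was already available as `steps.bump_version.outputs.new_version`, so if that step still exists outside the hunk it is the more reliable source. The step shows no `env:` of its own in this hunk (the `env:` that follows belongs to Send Slack Notification), so `gh` has no token unless one is set at job or workflow level outside the hunk. The Slack payload's `*Release:*\n` field never interpolates the tag, and the webhook is both exported as `SLACK_WEBHOOK_URL` and expanded inline as `${{ secrets.SLACK_WEBHOOK_URL }}` in the command; `"$SLACK_WEBHOOK_URL"` keeps the secret out of the rendered script. The release job continues outside the hunk.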
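Review bot: `permissions: contents: write` is granted at the workflow level and again on Anchore-Build-Scan; a job-level permissions block replaces the workflow-level one, so the top-level grant can be `contents: read` (or omitted) and only the job that calls the Dependency submission API keeps write. `anchore/sbom-action` is pinned to a commit while `actions/checkout@v4` in the same job is tag-pinned; pinning both by SHA keeps the supply-chain posture the header comment describes uniform. The `if: github.actor != 'dependabot[bot]'` guard on a push-to-main workflow only matters if Dependabot itself pushes to main, which seems unlikely here — confirm it is intended rather than copied from the pull-request workflows.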
@@ -2,16 +2,19 @@
 # This GitHub Actions workflow syncs workflows from a central repository to other repositories when a pull request is merged.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Sync Workflows
 on:
- pull_request:
- types: [closed] # Trigger this workflow when a pull request is closed
- branches: [ "dev" ] # The branches below must be a subset of the branches above
+ push:
+ branches:
+ - dev # The branches below must be a subset of the branches above
+ workflow_dispatch:
 jobs:
- sync:
- if: github.event.pull_request.merged == true # Run this job only if the pull request was merged
+ Sync_All_Repos_Common_Workflows:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - name: Checkout Central Workflows Repo # Step to checkout the repository containing the central workflows
@@ -47,7 +50,40 @@ jobs:
 - name: Sync Workflows to Other Repos # Step to sync workflows to other repositories
 env:
- REPOS: ${{ vars.TARGET_REPOS }} # List of repositories to sync workflows to
+ REPOS: | # List of repositories to sync workflows to
+ rule-001
+ rule-002
+ rule-003
+ rule-004
+ rule-006
+ rule-007
+ rule-008
+ rule-010
+ rule-011
+ rule-016
+ rule-017
+ rule-018
+ rule-020
+ rule-021
+ rule-024
+ rule-025
+ rule-026
+ rule-027
+ rule-028
+ rule-030
+ rule-044
+ rule-045
+ rule-048
+ rule-054
+ rule-063
+ rule-074
+ rule-075
+ rule-076
+ rule-078
+ rule-083
+ rule-084
+ rule-090
+ rule-091
 SPECIFIC_FILES: ${{ vars.SPECIFIC_FILES }} # List of specific files not to copy to certain repositories
 SPECIFIC_REPOS: ${{ vars.SPECIFIC_REPOS }} # List of specific repositories needing specific files not included
 PR_REVIEWERS: ${{ vars.PR_REVIEWERS }} # List of reviewers
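Review bot: Switching the trigger from `pull_request: types: [closed]` to `push: branches: [dev]` also drops the `github.event.pull_request.merged == true` guard, so any push to dev — including a direct push that skipped review — now fans the workflow changes out to every target repository; whether that is acceptable depends on branch protection on dev, which is not visible here. The comment kept on `- dev`, `# The branches below must be a subset of the branches above`, referred to the pull_request branch filter that no longer exists and should be dropped, and the file's first context line still says the sync happens "when a pull request is merged", which is no longer accurate. Renaming the job from `sync` to `Sync_All_Repos_Common_Workflows` changes the job id, so any required-status-check or environment rule that referenced `sync` needs updating.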
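Review bot: `REPOS: |` now hard-codes 33 `rule-NNN` targets while `SPECIFIC_FILES`, `SPECIFIC_REPOS` and `PR_REVIEWERS` on the following lines still come from `vars.*`, so adding or retiring a target repository now requires editing this centrally managed file and re-syncing rather than changing a repository variable. If that is deliberate, say so next to the key, e.g. `# Hard-coded so the target set is versioned with the workflow; SPECIFIC_* and PR_REVIEWERS remain repository variables`. The consumer of `REPOS` is outside the hunk, so whether it splits the block scalar on newlines the way it split the previous `vars.TARGET_REPOS` value cannot be checked here — confirm the format matches.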
diff --git a/.github/workflows/terraform-security.yml b/.github/workflows/terraform-security.yml
deleted file mode 100644
index ea0b88e..0000000
--- a/.github/workflows/terraform-security.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: tfsec
-
-on:
- push:
- branches: [ "dev", "main" ]
- pull_request:
- branches: [ "dev" ]
- schedule:
- - cron: '31 11 * * 1'
-
-jobs:
- tfsec:
- name: Run tfsec sarif report
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- steps:
- - name: Clone repo
- uses: actions/checkout@v4
-
- - name: Run tfsec
- uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
- with:
- sarif_file: tfsec.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif
diff --git a/workflow-docs/bench.md b/workflow-docs/bench.md
new file mode 100644
index 0000000..732be5e
--- /dev/null
+++ b/workflow-docs/bench.md
@@ -0,0 +1,29 @@
+## Workflow Name: Benchmark CI
+
+#### Purpose:
+
+- This workflow automates the process of updating and pushing benchmark data to the main branch of a repository.
+
+#### Environment Variables:
+
+`GITHUB_TOKEN`: GitHub token for authentication.
+
+`REPO_NAME`: The repository name where benchmark data is stored.
+
+`PROCCESSOR_REPO_NAME`: The name of the repository triggering the workflow.
+
+#### Trigger Events:
+
+`On`: push to the main branch.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Clone repo: Clone the benchmark repository using the GitHub token.
+
+- Switch to temp branch: Switch to a temporary branch, stash changes, and prepare the data file for update.
+
+- Write data: Append new benchmark data from the triggering repository to the CSV file and commit the changes.
+
+- Push data: Push the updated data back to the main branch of the benchmark repository.
diff --git a/workflow-docs/codacy.md b/workflow-docs/codacy.md
new file mode 100644
index 0000000..c27ee37
--- /dev/null
+++ b/workflow-docs/codacy.md
@@ -0,0 +1,33 @@
+## Workflow Name: Codacy Security Scan
+
+#### Purpose:
+
+- This workflow performs security scans on the codebase using Codacy and uploads the results in SARIF format to GitHub.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Requests`: Runs on pull requests targeting dev and main.
+
+`Scheduled`: Runs every Thursday at 00:17 UTC.
+
+#### Permissions:
+
+`contents: read`: Allows reading repository contents.
+
+`security-events`: write: Allows uploading SARIF results.
+
+`actions: read`: Required for private repositories to retrieve Action run status.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Code: Uses actions/checkout@v4 to clone the repository.
+
+- Run Codacy Analysis CLI: Executes Codacy's CLI to scan the codebase, generating a SARIF file.
+
+- Upload SARIF Results: Uploads the SARIF file to GitHub using github/codeql-action/upload-sarif@v3.
+
+- This workflow ensures that security issues in the codebase are identified and reported efficiently.
diff --git a/workflow-docs/codeql.md b/workflow-docs/codeql.md
new file mode 100644
index 0000000..b1e2f7b
--- /dev/null
+++ b/workflow-docs/codeql.md
@@ -0,0 +1,36 @@
+## Workflow Name: CodeQL
+
+#### Purpose:
+
+- This workflow automates the process of scanning code for vulnerabilities using GitHub's CodeQL analysis.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Requests`: Runs on pull requests targeting dev and main.
+
+`Scheduled`: Runs every Thursday at 00:34 UTC.
+
+#### Permissions:
+
+`actions: read`
+
+`contents: read`
+
+`security-events: write`
+
+#### Workflow Steps:
+
+- Checkout Repository: Uses actions/checkout@v4 to clone the repository.
+
+- Initialize CodeQL: Prepares the CodeQL environment for the specified languages.
+
+- Autobuild: Automatically builds the codebase (useful for compiled languages).
+
+- Perform CodeQL Analysis: Executes the CodeQL scan and uploads results.
+
+#### Language Support:
+The workflow is configured to scan JavaScript code but can be extended to support other languages like Java, Python, Go, etc.
+
+This setup ensures that your code is continuously analyzed for security vulnerabilities and quality issues.
diff --git a/workflow-docs/conventional-commits.md b/workflow-docs/conventional-commits.md
new file mode 100644
index 0000000..1042800
--- /dev/null
+++ b/workflow-docs/conventional-commits.md
@@ -0,0 +1,25 @@
+## Workflow Name: PR Conventional Commit Validation
+
+#### Purpose:
+
+- This workflow automatically validates the title of a pull request (PR) to ensure it follows conventional commit guidelines. It also applies corresponding GitHub labels based on the commit type.
+
+- Uses the ytanikin/PRConventionalCommits@1.1.0 action.
+
+- Validates the PR title against a set of predefined conventional commit types (e.g., feat, fix, docs).
+
+- Maps these types to corresponding GitHub labels and applies them to the PR.
+
+- Utilizes a GitHub token for authentication and label management.
+
+- This workflow helps enforce commit message conventions and improve PR management by automatically labeling PRs based on their titles.
+
+#### Trigger Events:
+
+`Pull Request Events`: The workflow is triggered when a pull request is opened, synchronized, reopened, or edited.
+
+#### Workflow Steps:
+
+- Checkout Code: Uses actions/checkout@v4 to check out the repository.
+
+- PR Conventional Commit Validation:
diff --git a/workflow-docs/dco-check.md b/workflow-docs/dco-check.md
new file mode 100644
index 0000000..313b334
--- /dev/null
+++ b/workflow-docs/dco-check.md
@@ -0,0 +1,25 @@
+## Workflow Name: DCO (Developer Certificate of Origin)
+
+#### Purpose:
+
+- This workflow automatically checks whether each commit in a pull request (PR) has a "Signed-off-by" line, ensuring compliance with the Developer Certificate of Origin (DCO).
+
+- Retrieves commits between the head and base branches.
+
+- Verifies that each commit contains a "Signed-off-by" line.
+
+- Lists any non-compliant commits and fails the job if any are found.
+
+- This workflow enforces DCO compliance, ensuring that all contributions are properly signed off, indicating that the contributor agrees to the terms of the DCO.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow triggers whenever a pull request event occurs (e.g., opened, updated).
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Set Up Environment Variables:
+
+- Check for DCO Sign-off:
diff --git a/workflow-docs/dependency-review.md b/workflow-docs/dependency-review.md
new file mode 100644
index 0000000..dd211c7
--- /dev/null
+++ b/workflow-docs/dependency-review.md
@@ -0,0 +1,25 @@
+## Workflow Name: Dependency Review
+
+#### Purpose:
+
+- This workflow automatically reviews the dependencies of a project whenever a pull request (PR) is opened or updated, ensuring that new dependencies are checked for security vulnerabilities and other issues.
+
+- This workflow helps maintain the security and stability of your project by automatically reviewing new or updated dependencies in pull requests.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow runs whenever a pull request is created or updated.
+
+#### Permissions:
+
+`Contents`: read: Grants the action read-only access to the repository contents.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Dependency Review:
+
+Uses actions/dependency-review-action@v4 to analyze the dependencies of the project and identify any potential issues.
diff --git a/workflow-docs/dockerfile-linter.md b/workflow-docs/dockerfile-linter.md
new file mode 100644
index 0000000..b4b33bb
--- /dev/null
+++ b/workflow-docs/dockerfile-linter.md
@@ -0,0 +1,37 @@
+## Workflow Name: Hadolint
+
+#### Purpose:
+
+- This workflow automates the linting of Dockerfiles using Hadolint and uploads the results to GitHub in SARIF format for further analysis.
+
+- This workflow ensures that Dockerfiles are automatically checked for best practices and potential issues, with results easily accessible within GitHub.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Request`: Runs on pull requests targeting the dev branch.
+
+`Scheduled`: Runs every Sunday at 13:17 UTC.
+
+#### Permissions:
+
+`Contents: read:` Grants read-only access to the repository contents.
+
+`Security-events: write:` Allows uploading SARIF results.
+
+`Actions: read:` Required for private repositories to retrieve Action run status.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Code
+
+- Run Hadolint
+
+Generates a SARIF file with the results.
+
+- Upload Analysis Results:
+
+Uses github/codeql-action/upload-sarif@v2 to upload the SARIF file to GitHub for security analysis and code scanning.
diff --git a/workflow-docs/dockerhub-image-build.md b/workflow-docs/dockerhub-image-build.md
new file mode 100644
index 0000000..2b79609
--- /dev/null
+++ b/workflow-docs/dockerhub-image-build.md
@@ -0,0 +1,42 @@
+## Workflow Name: Publish Docker Image
+
+Purpose:
+
+- This workflow automates the process of building, tagging, and pushing Docker images to Docker Hub whenever a new release is published.
+
+#### Trigger Events:
+
+`Release`: The workflow is triggered when a release is published.
+
+#### Jobs:
+
+- push_to_registry:
+
+- Runs on: ubuntu-latest
+
+#### Permissions:
+
+`Packages: write:` Allows pushing packages to the Docker registry.
+
+`Contents: read:` Grants read access to the repository contents.
+
+`Attestations: write:` Allows writing attestations.
+
+`ID-Token: write:` Required for generating artifact attestations.
+
+#### Workflow Steps:
+
+- Check Out the Repo:
+
+- Log in to Docker Hub:
+
+Uses docker/login-action to authenticate with Docker Hub using credentials stored in GitHub Secrets.
+
+- Extract Metadata:
+
+Uses docker/metadata-action to generate Docker image tags and labels.
+
+- Build and Push Docker Image:
+
+Uses docker/build-push-action to build the Docker image and push it to Docker Hub with the generated tags and labels.
+Generate Artifact Attestation:
diff --git a/workflow-docs/gpg-verify.md b/workflow-docs/gpg-verify.md
new file mode 100644
index 0000000..c25a42f
--- /dev/null
+++ b/workflow-docs/gpg-verify.md
@@ -0,0 +1,27 @@
+## Workflow Name: GPG Verify
+
+#### Purpose:
+
+- This workflow automatically verifies the GPG signatures of commits in a pull request, ensuring that all commits are signed and verified as part of the code review process.
+
+- This workflow helps enforce the use of GPG-signed commits, adding an extra layer of security to the contribution process.
+
+- If any commit fails the GPG verification, the workflow fails, ensuring only verified commits are merged.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow triggers whenever a pull request is opened or updated.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Set Up Environment Variables:
+
+Captures the head and base references of the pull request and sets up necessary environment variables.
+
+- Check GPG Verification Status:
+
+Retrieves the list of commits in the pull request. For each commit, it checks the GPG verification status using GitHub's API.
diff --git a/workflow-docs/milestone.md b/workflow-docs/milestone.md
new file mode 100644
index 0000000..bfaf74e
--- /dev/null
+++ b/workflow-docs/milestone.md
@@ -0,0 +1,31 @@
+## Workflow Name: Milestone Workflow
+
+#### Purpose:
+
+- This workflow is designed to close a specific milestone on GitHub and trigger a release workflow. It is manually triggered with a specified milestone ID.
+
+- This workflow streamlines the process of managing milestones and automates the transition to the release process.
+
+#### Trigger Events:
+
+`Workflow Dispatch`: This workflow is triggered manually with a milestoneId input.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+Uses actions/checkout@v2 to clone the repository.
+
+- Set Up Environment Variables:
+
+Sets up necessary environment variables, including the GitHub token, milestone number, and GitHub API URL.
+
+- Close Milestone:
+
+Uses the GitHub API to close the specified milestone.
+
+- Trigger Release Workflow:
+
+Triggers another workflow for releasing, passing the milestone number as a payload using the peter-evans/repository-dispatch@v1 action.
diff --git a/workflow-docs/njsscan.md b/workflow-docs/njsscan.md
new file mode 100644
index 0000000..aa60450
--- /dev/null
+++ b/workflow-docs/njsscan.md
@@ -0,0 +1,32 @@
+## Workflow Name: njsscan sarif
+
+#### Purpose:
+
+- This GitHub workflow is designed to run the njsscan code scanning tool and upload the results as a SARIF (Static Analysis Results Interchange Format) report to GitHub. Here's a detailed breakdown of the workflow:
+
+- This workflow ensures that every push and pull request to the dev and main branches, as well as a weekly scheduled run, triggers a security scan using njsscan. The results are then uploaded to GitHub in SARIF format, allowing the repository maintainers to review and address potential security issues.
+
+#### Trigger Events
+
+`push`:
+
+`branches: [ "dev", "main" ]`: The workflow will trigger whenever there is a push to the dev or main branches.
+
+`pull_request`:
+
+`branches: [ "dev", "main" ]`: The workflow will also trigger when a pull request is made targeting the dev or main branches.
+
+`schedule`:
+
+`cron: '17 17 * * 1'`: The workflow is scheduled to run automatically every Monday at 17:17 UTC.
+
+
+#### permissions:
+
+`contents`: read: Grants read access to the repository contents for the entire workflow.
+
+#### Workflow Steps
+
+- Checkout the code
+
+- njsscan
diff --git a/workflow-docs/nodejs.md b/workflow-docs/nodejs.md
new file mode 100644
index 0000000..6fe802d
--- /dev/null
+++ b/workflow-docs/nodejs.md
@@ -0,0 +1,83 @@
+## Workflow Name: Node.js CI
+
+#### Purpose:
+
+- This GitHub workflow is designed for Continuous Integration (CI) of a Node.js project. It includes three jobs: building the project, checking the code style, and running tests. Here's a detailed breakdown of the workflow:
+
+#### Environment Variables
+
+`env`:
+
+`GH_TOKEN`: ${{ secrets.GITHUB_TOKEN }}: A secret token used to authenticate with GitHub, stored securely in GitHub secrets.
+NPM_SCOPE`: "@frmscoe": The scope for the npm packages, typically used for scoped packages.
+
+``NPM_REGISTRY`: "https://npm.pkg.github.com/": The npm registry URL where the scoped packages are hosted.
+
+`NODE_ENV`: 'test': The environment variable used to specify the environment as 'test'.
+
+`STARTUP_TYPE`: 'nats': A custom environment variable indicating the type of startup, possibly related to the messaging system used in the project.
+
+#### Triggers Events
+
+`push`:
+
+`branches: [ "dev", "main" ]`: The workflow triggers on a push to the dev or main branches.
+
+`pull_request`:
+
+`branches: [ "dev", "main" ]`: The workflow also triggers when a pull request is opened targeting the dev or main branches.
+Jobs
+
+- The workflow is divided into three jobs: `build`, `lint`, and `test`.
+
+1. Build Job
+
+#### build:
+
+- runs-on: ubuntu-latest: This job runs on the latest available version of Ubuntu.
+
+- steps:
+
+Checkout the code:
+
+Install dependencies:
+
+run: npm ci: Installs the project dependencies using npm in a clean environment.
+
+Run build:
+
+run: npm run build: Executes the build script to compile the project.
+
+2. Lint Job
+
+#### lint:
+
+- runs-on: ubuntu-latest: The job runs on the latest Ubuntu version.
+
+- steps:
+
+Checkout code:
+
+Install dependencies:
+
+Check linting:
+
+3. Test Job
+
+#### test:
+
+- runs-on: ubuntu-latest: The job runs on Ubuntu.
+
+steps:
+
+Checkout code:
+
+Install dependencies:
+
+Run tests:
+
+#### Summary
+
+- This workflow is a complete CI pipeline for a Node.js project. It tests the code on multiple Node.js versions, checks the code style, and runs the build process.
+
+- The environment variables and registry settings are configured to work with a specific npm scope hosted on GitHub. The workflow runs on pushes and pull requests to the dev and main branches, ensuring continuous integration of the project code.
diff --git a/workflow-docs/release.md b/workflow-docs/release.md
new file mode 100644
index 0000000..8506c1a
--- /dev/null
+++ b/workflow-docs/release.md
@@ -0,0 +1,45 @@
+## GitHub Action Workflow Documentation: Release
+
+#### Purpose
+
+- This GitHub Action workflow, named Release Workflow, automates the process of creating a new release based on merged pull requests, generating a changelog, and updating relevant files like CHANGELOG.md and VERSION.
+
+- The workflow is triggered by a repository_dispatch event, specifically of type release, which can be used to trigger the workflow programmatically.
+
+- This workflow is an automated process that handles the entire release lifecycle, including version bumping, changelog generation, and updating repository files. It's triggered by an external event, making it suitable for use with external tools or scripts that manage release processes.
+
+- The workflow is robust, ensuring that all necessary release tasks are completed consistently and accurately.
+
+#### Workflow Breakdown
+
+##### Trigger
+
+`on: repository_dispatch`: The workflow is triggered by a repository_dispatch event.
+
+`types: [release`]: The workflow listens for the release event type.
+
+`properties: milestone_number`: The workflow accepts a milestone_number property, which is a string representing the milestone ID associated with the release.
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Get the Latest Tag in the Repository:
+
+- Determine Release Type:
+
+- Bump Version:
+
+- Get Milestone Details:
+
+- Generate Changelog
+
+- Display Changelog:
+
+- Attach Changelog to Release:
+
+- Create Release:
+
+- Update CHANGELOG.md File:
+
+- Update VERSION File:
diff --git a/workflow-docs/sync-workflows.md b/workflow-docs/sync-workflows.md
new file mode 100644
index 0000000..8b1e2f5
--- /dev/null
+++ b/workflow-docs/sync-workflows.md
@@ -0,0 +1,40 @@
+## GitHub Action Workflow Documentation: Sync Workflows
+
+#### Purpose
+
+- This GitHub Action workflow automates the process of synchronizing workflow files across multiple repositories whenever a pull request (PR) is merged into the dev branch.
+
+- This workflow ensures that all specified repositories maintain consistent CI/CD workflows by automatically syncing changes from a central repository when updates are made.
+
+#### Trigger Event
+
+`pull_request`
+
+`types: [closed]` - This workflow triggers when a pull request is closed.
+
+`branches: [ "dev" ]` - It specifically listens to pull requests merged into the dev branch.
+
+
+#### Jobs
+
+- Job: sync
+
+`Condition`:
+
+if: github.event.pull_request.merged == true - This job only runs if the pull request was successfully merged.
+
+- Runs on: ubuntu-latest - The job uses the latest Ubuntu runner.
+
+#### Workflow Steps
+
+- Checkout Central Workflows Repo
+
+- Set up Git
+
+- Install GitHub CLI
+
+- Get PR author details
+
+- Sync Workflows to Other Repos
+
+- Cleanup: Temporary files used for GitHub CLI authentication are removed after the operation.
diff --git a/workflow-docs/terraform-security.md b/workflow-docs/terraform-security.md
new file mode 100644
index 0000000..321ffae
--- /dev/null
+++ b/workflow-docs/terraform-security.md
@@ -0,0 +1,43 @@
+## GitHub Action Workflow Documentation: tfsec
+
+#### Purpose
+
+- This GitHub Action workflow is designed to run tfsec, a security scanner for Terraform code, on specified branches, pull requests, and a scheduled basis. It generates a SARIF report (a standard format for security issues) and uploads it to GitHub.
+
+- This workflow automates security scanning of Terraform code using tfsec. It runs on pushes to the dev and main branches, on pull requests targeting dev, and on a scheduled basis.
+
+- The SARIF report generated by tfsec is uploaded to GitHub, enabling security issues to be tracked and managed directly within the GitHub repository.
+
+#### Trigger Events
+
+`push`:
+
+`branches`: [ "dev", "main" ] - The workflow triggers when code is pushed to the dev or main branches.
+
+`pull_request`:
+
+`branches`: [ "dev" ] - The workflow triggers when a pull request is opened or updated against the dev branch.
+
+`schedule`:
+
+`cron`: '31 11 * * 1' - The workflow runs every Monday at 11:31 AM UTC, ensuring regular scans even if no code changes occur.
+
+- runs-on: ubuntu-latest - The job runs on the latest Ubuntu runner.
+
+#### permissions:
+
+`actions: read` - Grants read access to the actions in the repository.
+
+`contents: read` - Grants read access to the repository contents.
+
+`security-events: write` - Grants write access to security events, which is necessary to upload the SARIF report.
+
+#### Workflow Steps
+
+- Clone Repository
+
+- Run tfsec
+
+- Upload SARIF file
+
+sarif_file: tfsec.sarif - This specifies the path to the SARIF file that will be uploaded to GitHub's security tab for analysis.