chore: upgrade ci (#57)

Co-authored-by: rdash99 <[email protected]>

.github/.flake8

@@ -0,0 +1,8 @@
+[flake8]
+per-file-ignores =
+    # imported but unused
+    __init__.py: F401
+
+max-complexity = 10
+
+extend-ignore = E501,C901

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+* @JossWhittle
+.github/ @SwanseaUniversityMedical/devops-maintainers

.github/commitlint.config.mjs

@@ -0,0 +1,16 @@
+import { RuleConfigSeverity } from '@commitlint/types';
+
+export default {
+  extends: ['@commitlint/config-conventional'],
+  parserPreset: 'conventional-changelog-conventionalcommits',
+  rules: {
+    'scope-enum': [RuleConfigSeverity.Error, 'always', [
+        '',
+        'deps',
+        'canary-container',
+        'canary-chart',
+        'canary-crds-chart'
+    ]],
+    'subject-case': [RuleConfigSeverity.Error, 'never', []],
+  }
+};

.github/pull_request_template.md

@@ -0,0 +1,14 @@
+## :construction: Suggest a change
+
+A clear and concise description of what you are changing.
+
+## :memo: Pre-merge checklist
+
+Ready to merge? Do not merge until all checks are satisfied.
+- [ ] :chart: Have all `required` CI checks passed on the most recent commit?
+- [ ] :black_nib: Is the PR title a valid and meaningful conventional-commit message? ie. `type(scope): summary`
+- [ ] :boom: Are `breaking changes` declared in the PR title in conventional-commit style? ie. `type!(scope): summary`
+- [ ] :art: Does new code follow the code style of this project? 
+- [ ] :mag: Has new code been spellchecked and linted?
+- [ ] :book: Have docs been updated where necessary?
+- [ ] :poop: Have commits been checked for accidental file inclusions?

.github/renovate.js

@@ -0,0 +1,48 @@
+module.exports = {
+
+  // Uncomment dryRun to test exotic config options without spamming dozens of
+  // pull requests onto a repo that you would then need to clean up...
+  //dryRun: "full",
+
+  // Inherit default config options
+  extends: ["config:base"],
+  configMigration: true,
+
+  // Force use of Conventional Commit messages to avoid Renovate not detecting them
+  semanticCommits: "enabled",
+
+  // Disable limits on the number of pull requests that can be managed simultaneously
+  // since this can sometimes prevent security patches being suggested!
+  prHourlyLimit: 0,
+  prConcurrentLimit: 0,
+
+  // Tell Renovate to re-create or rebase old pull requests when new commits have
+  // since been merged into main...
+  rebaseWhen: "behind-base-branch",
+
+  // Set the default schedule for when pull requests will be created or updated.
+  // If Renovate is run outside of this schedule then it will skip updating pull
+  // requests for dependencies unless they override the schedule.
+  updateNotScheduled: false,
+  timezone: "Europe/London",
+  schedule: [
+    "after 10pm",
+    "before 5am"
+  ],
+
+  // This setting helps handle breaking changes to Renovate bot when its version changes.
+  ignorePrAuthor: true,
+
+  // Automatically assign reviewers to pull requests based on who "owns" the source files
+  // that need to be updated as listed in the CODEOWNERS file in the project repo.
+  reviewersFromCodeOwners: true,
+
+  // Auto discovery is dangerous, never blindly trust the scope of the token!
+  autodiscover: false,
+  // Instead, explicitly list the repos that we should manage pull requests on.
+  // This should realistically only be one repo, the project repo you are currently in.
+  // The default token "should" only have access to this repo...
+  repositories: [
+    "SwanseaUniversityMedical/Canary",
+  ],
+};

.github/workflows/build-canary-chart.yaml

@@ -0,0 +1,60 @@
+name: Build Canary Chart
+
+on:
+  pull_request:
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/build-canary-chart.yaml'
+      - 'charts/canary/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
+  push:
+    # Only release off of release and maintenance branches for this asset
+    branches:
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/build-canary-chart.yaml'
+      - 'charts/canary/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Cancel early on pull requests if new commits are added,
+  # Don't cancel on release pushes
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
+  canary-chart:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]
+    with:
+      job-name: canary-chart
+      comment-pr: "true"
+      comment-release: "true"
+      registry: ${{ vars.HARBOR_REGISTRY }}
+      registry-user: ${{ vars.HARBOR_USER }}
+      registry-project: ${{ vars.HARBOR_PROJECT }}
+      registry-repo: canary
+      release-tag-format: 'canary-chart-${version}'
+      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      chart: charts/canary
+      test-command: |
+        helm template $CHART \
+          --include-crds \
+          --name-template canary \
+          --namespace canary \
+          --create-namespace \
+          --debug
+
+    secrets:
+      cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+      registry-token: ${{ secrets.HARBOR_TOKEN }}

.github/workflows/build-canary-container.yaml

@@ -0,0 +1,56 @@
+name: Build Canary Container
+
+on:
+  pull_request:
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/lint-canary-flake8.yaml'
+      - '.github/workflows/build-canary-container.yaml'
+      - 'containers/canary/**'
+      - 'src/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
+  push:
+    # Only release off of release and maintenance branches for this asset
+    branches:
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/lint-canary-flake8.yaml'
+      - '.github/workflows/build-canary-container.yaml'
+      - 'containers/canary/**'
+      - 'src/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Cancel early on pull requests if new commits are added,
+  # Don't cancel on release pushes
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
+  canary-container:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]
+    with:
+      job-name: canary-container
+      comment-pr: "true"
+      comment-release: "true"
+      registry: ${{ vars.HARBOR_REGISTRY }}
+      registry-user: ${{ vars.HARBOR_USER }}
+      registry-repo: ${{ vars.HARBOR_PROJECT }}/canary
+      release-tag-format: 'canary-container-${version}'
+      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      build-file: containers/canary/Dockerfile
+      build-context: '.'
+    secrets:
+      cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+      registry-token: ${{ secrets.HARBOR_TOKEN }}

.github/workflows/build-canary-crds-chart.yaml

@@ -0,0 +1,60 @@
+name: Build Canary CRDs Chart
+
+on:
+  pull_request:
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/build-canary-crds-chart.yaml'
+      - 'charts/canary-crds/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
+  push:
+    # Only release off of release and maintenance branches for this asset
+    branches:
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/build-canary-crds-chart.yaml'
+      - 'charts/canary-crds/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Cancel early on pull requests if new commits are added,
+  # Don't cancel on release pushes
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
+  canary-chart:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]
+    with:
+      job-name: canary-crds-chart
+      comment-pr: "true"
+      comment-release: "true"
+      registry: ${{ vars.HARBOR_REGISTRY }}
+      registry-user: ${{ vars.HARBOR_USER }}
+      registry-project: ${{ vars.HARBOR_PROJECT }}
+      registry-repo: canary-crds
+      release-tag-format: 'canary-crds-chart-${version}'
+      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      chart: charts/canary-crds
+      test-command: |
+        helm template $CHART \
+          --include-crds \
+          --name-template canary-crds \
+          --namespace canary \
+          --create-namespace \
+          --debug
+
+    secrets:
+      cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+      registry-token: ${{ secrets.HARBOR_TOKEN }}

.github/workflows/lint-canary.yaml

@@ -0,0 +1,39 @@
+name: Lint Canary
+
+on:
+  pull_request:
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/lint-canary-flake8.yaml'
+      - '.github/workflows/build-canary-container.yaml'
+      - 'containers/canary/**'
+      - 'src/**'
+    # Make sure all workflows that are "required checks" for a given
+    # branch protection rule have the same paths: and branches-ignore:
+    # filters. Otherwise, you can end up in a deadlock waiting on a
+    # required check that will never be executed.
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # This linting can be cancelled if there is a newer commit to lint
+  cancel-in-progress: true
+
+jobs:
+  canary-flake8:
+    runs-on:
+      labels: [self-hosted, linux, x64]
+      group: light
+
+    steps:
+      - name: clone repo
+        uses: actions/checkout@v4
+
+      - name: install flake8
+        run: pip install flake8
+
+      - name: install flake8 annotations
+        uses: rbialon/flake8-annotations@v1
+
+      - name: run flake8
+        run: |
+          flake8 --config=".github/.flake8" src

.github/workflows/lint-pr-title.yaml

@@ -0,0 +1,19 @@
+name: Lint PR Title
+
+on:
+  pull_request:
+    # Run on all PRs whenever the title could have changed
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # This linting can be cancelled if there is a newer commit to lint
+  cancel-in-progress: true
+
+jobs:
+  pr-title-commitlint:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]