Added github work flows and code linters

opencredo · Jun 11, 2024 · 0f55619 · 0f55619
1 parent 38d77dc
commit 0f55619
Show file tree

Hide file tree

Showing 10 changed files with 279 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+---
+#################################
+# GitHub Dependabot Config info #
+#################################
+version: 2
+updates:
+
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 100
+
+  - package-ecosystem: github-actions
+    commit-message:
+      prefix: "deps(github-actions)"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 100
diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
@@ -0,0 +1,10 @@
+---
+quiet: true
+compact: true
+
+skip-check:
+  - CKV_DOCKER_2
+  - CKV2_GHA_1
+
+directory:
+  - test-dir
diff --git a/.github/linters/.gitleaks.toml b/.github/linters/.gitleaks.toml
@@ -0,0 +1,3 @@
+[rules]
+  [rules.generic-api-key]
+    files-exclude = ["internal/configure-pipeline/dependencies/cluster-operator.yml"]
diff --git a/.github/linters/.hadolint.yaml b/.github/linters/.hadolint.yaml
@@ -0,0 +1,12 @@
+---
+failure-threshold: error
+format: tty
+ignored:
+  - DL3045
+  - DL3018
+  - DL3026
+trustedRegistries:
+  - docker.io
+  - ghcr.io
+  - "*.gcr.io"
+  - quay.io
diff --git a/.github/linters/.yaml-lint.yml b/.github/linters/.yaml-lint.yml
@@ -0,0 +1,17 @@
+# For all rules
+ignore: |
+  *dependencies
+  /bin/
+  !/bin/*.lint-me-anyway.yaml
+
+
+rules:
+  key-duplicates:
+    ignore: |
+      generated
+      *.template.yaml
+  trailing-spaces:
+    ignore: |
+      *.ignore-trailing-spaces.yaml
+      /ascii-art/*
+  key-duplicates: disable
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,21 @@
+# Proposed changes
+
+_describe the proposed changes and remove this template text_
+
+## Readiness checklist
+
+In order to have this pull request merged, complete the following tasks.
+
+### Pull request author tasks
+
+- [ ] I included all the needed documentation for this change.
+- [ ] I provided the necessary tests.
+- [ ] I squashed all the commits into a single commit.
+- [ ] I followed the [Conventional Commit v1.0.0 spec](https://www.conventionalcommits.org/en/v1.0.0/).
+- [ ] If this pull request is about and existing issue,
+  I added the `Fix #ISSUE_NUMBER` label to the description of the pull request.
+
+### Promise Flink maintainer tasks
+
+- [ ] Label as `breaking` if this change breaks compatibility with the previous released version.
+- [ ] Label as either: `automation`, `bug`, `documentation`, `enhancement`, `infrastructure`.
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
@@ -0,0 +1,29 @@
+---
+name: Dependabot automation
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    env:
+      PR_URL: ${{github.event.pull_request.html_url}}
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      # This doesn't trigger an automated merge because we require at approvals
+      - name: Enable auto-merge
+        run: gh pr merge --auto --squash --delete-branch "${PR_URL}"
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,106 @@
+name: Docker
+
+on:
+  workflow_call:
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Bump version and push tag
+        id: tag_version
+        if: github.event_name != 'pull_request'
+        uses: mathieudutour/[email protected]
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create a GitHub release
+        if: github.event_name != 'pull_request'
+        uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: Release ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: "v2.2.3"
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          context: shell/internal/configure-pipeline
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64,linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # # Sign the resulting Docker image digest except on PRs.
+      # # This will only write to the public Rekor transparency log when the Docker
+      # # repository is public to avoid leaking data.  If you would like to publish
+      # # transparency data even for private images, pass --force to cosign below.
+      # # https://github.com/sigstore/cosign
+      # - name: Sign the published Docker image
+      #   if: ${{ github.event_name != 'pull_request' }}
+      #   env:
+      #     # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+      #     TAGS: ${{ steps.meta.outputs.tags }}
+      #     DIGEST: ${{ steps.build-and-push.outputs.digest }}
+      #   # This step uses the identity token to provision an ephemeral certificate
+      #   # against the sigstore community Fulcio instance.
+      #   run: "echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/entrypoint.yml b/.github/workflows/entrypoint.yml
@@ -0,0 +1,32 @@
+---
+name: Entrypoint
+
+on:
+  # IMPORTANT: workflow_dispatch needs to be entered before other properties
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - "main"
+
+permissions:
+  actions: read
+  checks: write
+  contents: write
+  issues: read
+  packages: write
+  pull-requests: write
+  statuses: write
+  security-events: write
+  id-token: write
+
+jobs:
+  linter:
+    name: Linter
+    uses: ./.github/workflows/linter.yml
+    secrets: inherit
+  build:
+    name: Docker
+    needs: linter
+    uses: ./.github/workflows/docker-publish.yml
+    secrets: inherit
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -0,0 +1,29 @@
+---
+name: Lint Code Base
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
+jobs:
+  lint:
+    name: Lint Codebase
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          # super-linter needs the full git history to get the
+          # list of files that changed across commits
+          fetch-depth: 0
+
+      - name: Super-linter
+        uses: super-linter/[email protected] # x-release-please-version
+        env:
+          DEFAULT_BRANCH: main
+          VALIDATE_KUBERNETES_KUBECONFORM: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}