From febee603d8c07ed1becb8d4a559087f93aca7bdf Mon Sep 17 00:00:00 2001 From: Ralph Hightower <32745442+RalphHightower@users.noreply.github.com> Date: Sat, 30 Nov 2024 16:59:39 -0500 Subject: [PATCH] [improve](build): base workflows --- .github/workflows/ci.yaml | 30 ++++++ .github/workflows/codeql.yml | 105 ++++++++----------- .github/workflows/dependency-review.yml | 22 ++++ .github/workflows/jekyll.yml | 66 ++++++++++++ .github/workflows/permission_advisor.yml | 27 +++++ .github/workflows/readme-checker.yml | 19 ++++ .github/workflows/release-please.yml | 25 +++++ .github/workflows/release.yml | 33 ++++++ .github/workflows/scorecard.yml | 36 +++++++ .github/workflows/semantic-release.yml | 124 +++++++++++++++++++++++ .github/workflows/test.yml | 86 ++++++++++++++++ 11 files changed, 510 insertions(+), 63 deletions(-) create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/jekyll.yml create mode 100644 .github/workflows/permission_advisor.yml create mode 100644 .github/workflows/readme-checker.yml create mode 100644 .github/workflows/release-please.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 .github/workflows/semantic-release.yml create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..5090123 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,30 @@
+name: ci.yml – Continuous Integration
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+permissions:
+ contents: read
+
+jobs:
+ build:
+ name: "Test with Jekyll ${{ matrix.jekyll }}"
+ runs-on: "ubuntu-latest"
+ strategy:
+ matrix:
+ jekyll: ["~> 3.9", "~> 4.2"]
+ env:
+ JEKYLL_VERSION: ${{ matrix.jekyll }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4.2.2
+ - name: Set Up Ruby 3.3.6
+ uses: ruby/setup-ruby@v1.202.0
+ with:
+ ruby-version: 3.3.6
+ bundler-cache: true
+ - name: Run tests
+ run: script/cibuild
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 7fc262a..031f793 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
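Review bot: Every third-party action in this hunk is pinned to a mutable tag (`uses: actions/checkout@v4.2.2`, `uses: ruby/setup-ruby@v1.202.0`), while the test.yml hunk in the same commit pins `step-security/harden-runner` to a full commit SHA with a `# v2.10.1` comment; the same tag-only pinning recurs in the codeql, dependency-review, jekyll, permission_advisor, readme-checker, release-please, release, scorecard and semantic-release hunks. A tag can be moved after review, so for consistency with the harden-runner step each `uses:` line should carry the 40-character commit SHA of the intended release plus a trailing version comment, e.g. `uses: actions/checkout@<commit-sha-of-v4.2.2> # v4.2.2`. The workflow also names itself `ci.yml – Continuous Integration` while the file is `ci.yaml`; rename the file or change the `name:` so the Actions UI matches the path.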
@@ -9,86 +9,65 @@ # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # -name: "CodeQL Advanced" +name: "CodeQL" on: push: - branches: [ "main" ] + branches: ["main"] pull_request: - branches: [ "main" ] + # The branches below must be a subset of the branches above + branches: ["main"] schedule: - - cron: '25 23 * * 4' + - cron: "0 0 * * 1" + +permissions: + contents: read jobs: analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + name: Analyze + runs-on: ubuntu-latest permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories actions: read contents: read + security-events: write strategy: fail-fast: false matrix: - include: - - language: c-cpp - build-mode: autobuild - - language: csharp - build-mode: none - # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see 
https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + language: ["ruby"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + steps: - - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/autobuild@v2.19.3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3.27.4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + # ℹī¸ Command-line programs to run using the OS shell. 
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2.19.3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..287f583 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
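Review bot: The step named `Initialize CodeQL` calls `github/codeql-action/autobuild@v2.19.3` rather than the `init` action, so nothing on the new side ever initialises the CodeQL database, and the `languages: ${{ matrix.language }}` input is handed to an action that does not expect it; the later analyze step will then fail for lack of a database. The fix is `uses: github/codeql-action/init@<pinned version>` on that line, keeping the `with:` block as written. The job also mixes codeql-action major versions across its steps (`autobuild@v3.27.4` next to `analyze@v2.19.3`), and the scorecard hunk uses the same v2 line for `upload-sarif`; all of them should reference one current release of the action. The leftover `# CodeQL supports [ $supported-codeql-languages ]` is an unexpanded template placeholder and should be removed or replaced with the actual language list.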
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'dependency – Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4.5.0
diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
new file mode 100644
index 0000000..7925cee
--- /dev/null
+++ b/.github/workflows/jekyll.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: jekyll.yml – Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main", "_staging", "next"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@v1.202.0
+ with:
+ ruby-version: '3.3.6' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 1 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5.0.0
+ - name: Build with Jekyll
+ # Outputs to the './_site' directory by default
+ run: bundle exec jekyll build --trace --incremental --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ JEKYLL_GITHUB_TOKEN: ${{secrets.JEKYLL_METADATA_TOKEN}}
+ LOG_LEVEL: debug
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@v3.0.1
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@4.0.5
diff --git a/.github/workflows/permission_advisor.yml b/.github/workflows/permission_advisor.yml
new file mode 100644
index 0000000..9c00c37
--- /dev/null
+++ b/.github/workflows/permission_advisor.yml
@@ -0,0 +1,27 @@
+# Sample workflow to run the action
+name: permission_advisor.yml — Permissions Advisor
+
+permissions:
+ actions: read
+
+on:
+ workflow_dispatch:
+ inputs:
+ name:
+ description: 'The name of the workflow file to analyze'
+ required: true
+ type: string
+ count:
+ description: 'How many last runs to analyze'
+ required: false
+ type: number
+ default: 10
+
+jobs:
+ advisor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/advisor@v1.0.2-beta4
+ with:
+ name: ${{ inputs.name }}
+ count: ${{ inputs.count }}
diff --git a/.github/workflows/readme-checker.yml b/.github/workflows/readme-checker.yml
new file mode 100644
index 0000000..9f426c8
--- /dev/null
+++ b/.github/workflows/readme-checker.yml
@@ -0,0 +1,19 @@
+name: readme-checker.yml – Checks for suggested markdown
+on: [push, pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ - name: Checking markdown
+ uses: DavidAnson/markdownlint-cli2-action@v18.0.0
+ with:
+ globs: |
+ *.md
+ **/*.md
+ !test/*.md
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..dd5295e
--- /dev/null
+++ b/.github/workflows/release-please.yml
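Review bot: `uses: actions/deploy-pages@4.0.5` is the only `uses:` reference in the commit without a `v` prefix; the action's published tags are of the form `v4.0.5`, so this line should read `uses: actions/deploy-pages@v4.0.5` (or a commit SHA) or the deploy job will fail to resolve the action. The workflow-level `permissions:` grant `pages: write` and `id-token: write` to both jobs, although only `deploy` needs them; moving those two keys under `deploy:` and leaving `contents: read` at the top level keeps the build job, which runs `bundle install` and `bundle exec jekyll build`, on a read-only token. The `push` trigger lists `"main", "_staging", "next"`, so a push to either non-default branch also publishes to the `github-pages` environment with `JEKYLL_ENV: production`; if that is not intended, shorten the branch list or gate `deploy` with an `if:` on `github.ref`.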
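Review bot: `on: [push, pull_request]` with no branch filter runs the markdown lint twice for every push to a branch that has an open pull request, once per event. Narrowing the push side to `push: {branches: [main]}` and keeping `pull_request:` gives one run per change without losing coverage.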
@@ -0,0 +1,25 @@
+name: release-please.yml – Automate releases with Conventional Commit Messages.
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ pull-requests: write
+
+name: release-please
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: googleapis/release-please-action@4.1.3
+ with:
+ contents: write
+ # this assumes that you have created a personal access token
+ # (PAT) and configured it as a GitHub action secret named
+ # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important).
+ token: ${{ secrets.GITHUB_TOKEN }}
+ # this is a built-in strategy in release-please, see "Action Inputs"
+ # for more options
+ release-type: simple
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..1de2b14
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,33 @@
+name: release.yml – Release
+on:
+ push:
+ branches:
+ - master
+ - next
+ - beta
+ - "*.x"
+permissions:
+ contents: read # for checkout
+jobs:
+ release:
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
+ name: release
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4.2.2
+ - uses: actions/setup-node@v4.1.0
+ with:
+ cache: npm
+ node-version: lts/*
+ - run: npm clean-install
+ - run: corepack npm audit signatures
+ # pinned version updated automatically by Renovate.
+ # details at https://semantic-release.gitbook.io/semantic-release/usage/installation#global-installation
+ - run: npx semantic-release@v24.2.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_NPM_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..9c84fa1
--- /dev/null
+++ b/.github/workflows/scorecard.yml
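Review bot: The top-level `name:` key appears twice in this file (`name: release-please.yml – Automate releases …` and, after `permissions:`, `name: release-please`); parsers that tolerate duplicate keys keep the last one silently, so one of the two lines should be deleted. `uses: googleapis/release-please-action@4.1.3` lacks the `v` prefix the action's tags use, so the step will not resolve, and `contents: write` sits under `with:`, where it is not an input of the action, while the workflow's `permissions:` block grants only `pull-requests: write`, so the `GITHUB_TOKEN` passed in cannot create tags or releases. Move that line out of `with:` so `permissions:` reads `contents: write` and `pull-requests: write`. The same commit adds release.yml, which runs semantic-release on push; two release automations tagging the same repository will collide, so one should be dropped or the two scoped to disjoint branches.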
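Review bot: `branches:` lists `master`, `next`, `beta` and `"*.x"`, while ci.yaml, codeql.yml, jekyll.yml and release-please.yml in the same commit trigger on `main`; if the repository's default branch is `main`, this release job never runs for it. The scorecard and test hunks carry the same `master` reference. Align the branch name across the workflows — presumably `- main` here — or the release workflow stays idle without any visible failure.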
@@ -0,0 +1,36 @@
+name: scorecard.yml — OpenSSF Scorecard
+"on":
+ schedule:
+ - cron: 31 2 * * 1
+ push:
+ branches:
+ - master
+permissions: read-all
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4.2.2
+ with:
+ persist-credentials: false
+ - name: Run analysis
+ uses: ossf/scorecard-action@v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4.4.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@v2.19.3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
new file mode 100644
index 0000000..bb5c52e
--- /dev/null
+++ b/.github/workflows/semantic-release.yml
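Review bot: `- cron: 31 2 * * 1` is an unquoted plain scalar containing `*`; it parses as a string today, but the other cron in this commit (codeql.yml) is quoted, and `- cron: "31 2 * * 1"` removes the dependence on parser behaviour. `upload-sarif@v2.19.3` uses the codeql-action v2 line while the autobuild step in codeql.yml uses v3; keep one current major across the commit. `persist-credentials: false` on the checkout here is the right choice and is the only checkout in the commit that disables credential persistence; the read-only workflows (ci, codeql, readme-checker, dependency-review) would benefit from the same `with:` block so the token is not left in `.git/config` for later steps.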
@@ -0,0 +1,124 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+name: systematic-release.yml – Pull Request
+
+on:
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - edited
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ # contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance name: Check pull request title
+
+jobs:
+ main:
+ runs-on: ubuntu-latest
+ steps:
+ name: semantic release
+ uses: amannn/action-semantic-pull-request@v5.5.3
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ # Type abbreviation comments:
+ # feat -> feature
+ # blog, info (2023-08-07 RalphHightower)
+ types: |
+ blog
+ cleanup
+ docs
+ feat
+ fix
+ improve
+ info
+ refactor
+ revert
+ # Scope abbreviation comments:
+ # biz -> business layer (2023-08-07 RalphHightower)
+ # cli -> command line interface
+ # data -> data access layer (2023-08-07 RalphHightower)
+ # fn -> Pulsar Functions
+ # grammar -> Language corrections: grammar, spelling (RalphHightower 202308-06)
+ # io -> Pulsar Connectors
+ # md -> Markdown (2023-07-30 RalphHightower)
+ # offload -> tiered storage
+ # sec -> security
+ # sql -> Pulsar Trino Plugin
+ # trans -> transaction (2023-08-07 RalphHightower)
+ # txn -> transaction
+ # ws -> websocket
+ # ml -> managed ledger
+ # zk -> zookeeper
+ # bk -> bookkeeper
+ # ui -> user interface (2023-08-07 RalphHightower)
+ scopes: |
+ admin
+ biz
+ bk
+ broker
+ build
+ ci
+ cli
+ client
+ config
+ data
+ doc
+ docs
+ fn
+ grammar
+ io
+ md
+ meta
+ misc
+ ml
+ monitor
+ offload
+ proxy
+ schema
+ sec
+ site
+ sql
+ scss
+ storage
+ test
+ trans
+ txn
+ ws
+ ui
+ yml
+ zk
+ pip
+ # The pull request's title should be fulfilled the following pattern:
+ #
+ # [][]
+ #
+ # ... where valid types and scopes can be found above; for example:
+ #
+ # [fix][test] flaky test V1_ProxyAuthenticationTest.anonymousSocketTest
+ headerPattern: '^\[(\w*?)\](?:\[(.*?)\])?(?:\s*)(.*)$'
+ headerPatternCorrespondence: type, scope, subject
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..cb0258a
--- /dev/null
+++ b/.github/workflows/test.yml
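Review bot: Under `jobs.main.steps:` the entries `name: semantic release`, `uses: …`, `env:` and `with:` are written as a plain mapping with no leading `- `, so `steps` is not a sequence and the workflow fails validation before any run; prefix the first key (`- name: semantic release`) and nest the remaining keys under that item. On the `id-token: write` line the trailing comment swallows `name: Check pull request title`, leaving that key as dead text, and the file's actual `name:` reads `systematic-release.yml – Pull Request` although the file is semantic-release.yml; pick one name and drop the stray fragment. The job only validates a pull-request title yet is granted `issues: write`, `pull-requests: write` and `id-token: write`; action-semantic-pull-request reads the PR through `GITHUB_TOKEN`, so `contents: read` plus `pull-requests: read` looks like the least-privilege set — confirm against the action's documented requirements before tightening.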
@@ -0,0 +1,86 @@
+name: test.yml — Test
+
+on:
+ push:
+ branches:
+ - master
+ # renovate/** branches are generated by https://github.com/apps/renovate
+ - renovate/**
+
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
+env:
+ FORCE_COLOR: 1
+ NPM_CONFIG_COLOR: always
+
+jobs:
+ # verify against ranges defined as supported in engines.node
+ test_matrix:
+ strategy:
+ matrix:
+ node-version:
+ - 20.8.1
+ - 20
+ - 21
+
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@v4.2.2
+ - run: git config --global user.name github-actions
+ - run: git config --global user.email github-actions@github.com
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v4.1.0
+ with:
+ node-version: ${{ matrix.node-version }}
+ cache: npm
+ - run: npm clean-install
+ - run: corepack npm audit signatures
+ - run: npm test
+
+ # verify against the node version defined for development in the .nvmrc
+ test_dev:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+
+ steps:
+ - name: Test
+ - uses: actions/checkout@v4.2.2
+ - run: git config --global user.name github-actions
+ - run: git config --global user.email github-actions@github.com
+ - name: Use Node.js from .nvmrc
+ uses: actions/setup-node@v4.1.0
+ with:
+ node-version-file: .nvmrc
+ cache: npm
+ - run: npm clean-install
+ - run: corepack npm audit signatures
+ - run: npm test
+
+ # separate job to set as required in branch protection,
+ # as the build names above change each time Node versions change
+ test:
+ runs-on: ubuntu-latest
+ needs:
+ - test_dev
+ - test_matrix
+ if: ${{ !cancelled() }}
+ steps:
+ - name: All matrix versions passed
+ if: ${{ !(contains(needs.*.result, 'failure')) }}
+ run: exit 0
+ - name: Some matrix version failed
+ if: ${{ contains(needs.*.result, 'failure') }}
+ run: exit 1
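Review bot: In `test_dev` the first step `- name: Test` has neither `uses:` nor `run:`, which is invalid step syntax and fails the workflow at parse time; delete that line or move the label up to the job as `name: Test`. `test_dev` also omits the `Harden Runner` step that `test_matrix` runs first, so the two jobs execute the same `npm clean-install` and `npm test` commands under different egress controls; adding the identical `step-security/harden-runner` step (same SHA, same `egress-policy: audit`) at the top of `test_dev` keeps them consistent and gives the audit log coverage of both jobs. The SHA-plus-comment pin used for harden-runner is the model the other `uses:` lines in this file (`actions/checkout@v4.2.2`, `actions/setup-node@v4.1.0`) should follow.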