From 87733cab1d39b8cddd9508ebcf245fc3898bce16 Mon Sep 17 00:00:00 2001
From: Florent Morselli
Date: Sun, 17 Dec 2023 14:04:40 +0100
Subject: [PATCH] Badges, CI/CD and templates
---
 .github/CONTRIBUTING.md | 13 +-
 .github/ISSUE_TEMPLATE/1_Bug_report.md | 21 ----
 .github/ISSUE_TEMPLATE/1_Bug_report.yaml | 42 +++++++
 .github/ISSUE_TEMPLATE/2_Feature_request.md | 12 --
 .github/ISSUE_TEMPLATE/2_Feature_request.yaml | 17 +++
 .github/ISSUE_TEMPLATE/3_Documentation.yaml | 10 ++
 .../ISSUE_TEMPLATE/3_Documentation_issue.md | 5 -
 .github/ISSUE_TEMPLATE/config.yml | 5 +-
 .github/PULL_REQUEST_TEMPLATE.md | 32 +++--
 .github/dependabot.yml | 23 +++-
 .github/stale.yml | 2 +-
 .github/workflows/codeql.yml | 76 ++++++++++++
 .github/workflows/dependency-review.yml | 20 +++
 .github/workflows/lock-closed-issues.yml | 23 ++++
 .../workflows/release-on-milestone-closed.yml | 114 ++++++++++++++++++
 .github/workflows/scorecards.yml | 63 ++++++++++
 README.md | 2 +
 17 files changed, 411 insertions(+), 69 deletions(-)
 delete mode 100644 .github/ISSUE_TEMPLATE/1_Bug_report.md
 create mode 100644 .github/ISSUE_TEMPLATE/1_Bug_report.yaml
 delete mode 100644 .github/ISSUE_TEMPLATE/2_Feature_request.md
 create mode 100644 .github/ISSUE_TEMPLATE/2_Feature_request.yaml
 create mode 100644 .github/ISSUE_TEMPLATE/3_Documentation.yaml
 delete mode 100644 .github/ISSUE_TEMPLATE/3_Documentation_issue.md
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/lock-closed-issues.yml
 create mode 100644 .github/workflows/release-on-milestone-closed.yml
 create mode 100644 .github/workflows/scorecards.yml
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index 21ab573..7cc67ce 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -11,9 +11,14 @@ Few rules to ease code reviews and merges:
 - You MUST write (or update) unit tests when bugs are fixed or features are added.
 - You SHOULD write documentation.
 
-To contribute use [Pull Requests](https://help.github.com/articles/using-pull-requests), please, write commit messages that make sense, and rebase your branch before submitting your PR.
+We use [Git-Flow](http://jeffkreeftmeijer.com/2010/why-arent-you-using-git-flow/) to automate our git branching
+workflow.
 
-May be asked to squash your commits too. This is used to "clean" your Pull Request before merging it, avoiding commits such as fix tests, fix 2, fix 3, etc.
+To contribute use [Pull Requests](https://help.github.com/articles/using-pull-requests), please, write commit messages
+that make sense, and rebase your branch before submitting your PR.
+
+May be asked to squash your commits too. This is used to "clean" your Pull Request before merging it, avoiding commits
+such as fix tests, fix 2, fix 3, etc.
 
 Run test suite
 ------------
@@ -21,7 +26,3 @@ Run test suite
 * install composer: `curl -s http://getcomposer.org/installer | php`
 * install dependencies: `php composer.phar install`
 * run tests: `vendor/bin/phpunit`
-* check and fix coding standards:
- * `vendor/bin/phpstan analyse`
- * `vendor/bin/rector process`
- * `vendor/bin/ecs check --fix`
diff --git a/.github/ISSUE_TEMPLATE/1_Bug_report.md b/.github/ISSUE_TEMPLATE/1_Bug_report.md
deleted file mode 100644
index 3a3e9fd..0000000
--- a/.github/ISSUE_TEMPLATE/1_Bug_report.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: 🐛 Bug Report
-about: ⚠ī¸ See below for security reports
-labels: Bug
-
----
-
-**Version(s) affected**: x.y.z
-
-**Description**
-
-
-**How to reproduce**
-
-
-**Possible Solution**
-
-
-**Additional context**
-
diff --git a/.github/ISSUE_TEMPLATE/1_Bug_report.yaml b/.github/ISSUE_TEMPLATE/1_Bug_report.yaml
new file mode 100644
index 0000000..d3f26cf
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/1_Bug_report.yaml
@@ -0,0 +1,42 @@
+name: 🐛 Bug Report
+description: ⚠ī¸ NEVER report security issues, email security AT spomky-labs.com instead
+labels: Bug
+body:
+ - type: input
+ id: affected-versions
+ attributes:
+ label: Version(s) affected
+ placeholder: x.y.z
+ validations:
+ required: true
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ description: A clear and concise description of the problem
+ validations:
+ required: true
+ - type: textarea
+ id: how-to-reproduce
+ attributes:
+ label: How to reproduce
+ description: |
+ ⚠ī¸ This is the most important part of the report ⚠ī¸
+ Without a way to easily reproduce your issue, there is little chance we will be able to help you and work on a fix.
+ Please, take the time to show us some code and/or config that is needed for others to reproduce the problem easily.
+ Most of the time, creating a "bug reproducer" is the best way to help us and increases the chances someone
+ will have a look at it.
+ validations:
+ required: true
+ - type: textarea
+ id: possible-solution
+ attributes:
+ label: Possible Solution
+ description: |
+ Optional: only if you have suggestions on a fix/reason for the bug
+ Don't hesitate to create a pull request with your solution, it helps get faster feedback.
+ - type: textarea
+ id: additional-context
+ attributes:
+ label: Additional Context
+ description: "Optional: any other context about the problem: log messages, screenshots, etc."
diff --git a/.github/ISSUE_TEMPLATE/2_Feature_request.md b/.github/ISSUE_TEMPLATE/2_Feature_request.md
deleted file mode 100644
index 8ffd974..0000000
--- a/.github/ISSUE_TEMPLATE/2_Feature_request.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-name: 🚀 Feature Request
-about: Ideas for new features and improvements
-
----
-
-**Description**
-
-
-**Example**
-
diff --git a/.github/ISSUE_TEMPLATE/2_Feature_request.yaml b/.github/ISSUE_TEMPLATE/2_Feature_request.yaml
new file mode 100644
index 0000000..52b3de7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/2_Feature_request.yaml
@@ -0,0 +1,17 @@
+name: 🚀 Feature Request
+description: RFC and ideas for new features and improvements
+body:
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ description: A clear and concise description of the new feature
+ validations:
+ required: true
+ - type: textarea
+ id: example
+ attributes:
+ label: Example
+ description: |
+ A simple example of the new feature in action (include PHP code, YAML config, etc.)
+ If the new feature changes an existing feature, include a simple before/after comparison.
diff --git a/.github/ISSUE_TEMPLATE/3_Documentation.yaml b/.github/ISSUE_TEMPLATE/3_Documentation.yaml
new file mode 100644
index 0000000..1c5ac89
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/3_Documentation.yaml
@@ -0,0 +1,10 @@
+name: 📖 Documentation Issue
+description: To report typo or obsolete section in the documentation
+body:
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ description: A clear and concise description of the error you found in the documentation
+ validations:
+ required: true
diff --git a/.github/ISSUE_TEMPLATE/3_Documentation_issue.md b/.github/ISSUE_TEMPLATE/3_Documentation_issue.md
deleted file mode 100644
index 26cd199..0000000
--- a/.github/ISSUE_TEMPLATE/3_Documentation_issue.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-name: 📖 Documentation Issue
-about: To report typo or obsolete section in the documentation
-
----
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index dde06cf..6d11ce2 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -2,4 +2,7 @@ blank_issues_enabled: false
 contact_links:
 - name: Support Question
 url: https://spomky-labs.com/contact/
- about: We use GitHub issues only to discuss about bugs and new features. For this kind of questions about using the library, please use Stackoverflow (or similar) or send a quote request at https://spomky-labs.com/contact/
+ about:|
+ We use GitHub issues only to discuss about bugs and new features.
+ For this kind of questions about using the framework or third-party bundles,
+ please email us contact AT spomky-labs.com for quoting
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 1beb0a3..029817b 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,19 +1,17 @@
-| Q | A
-| ------------- | ---
-| Branch? |
-| Bug fix? | yes/no
-| New feature? | yes/no
-| Deprecations? | yes/no
-| Tickets | Fix #...
-| License | MIT
+Target branch:
+Resolves issue #
+
+
+- [ ] It is a Bug fix
+- [ ] It is a New feature
+- [ ] Breaks BC
+- [ ] Includes Deprecations
+
\ No newline at end of file
+Please consider the following requirement:
+* Modification of existing tests should be avoided unless deemed necessary.
+* You MUST never open a PR related to a security issue. Contact Spomky in private at https://gitter.im/Spomky/
+-->
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5a98fda..8da8957 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
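Review bot: `about:|` has no space after the colon, so YAML reads that line as the plain scalar `about:|` instead of a key with a block-scalar value and config.yml stops parsing; presumably GitHub then falls back to its defaults, which would silently undo `blank_issues_enabled: false` and drop the contact link along with it. Write `about: >-` — the space is the fix, and the folded form fits better because GitHub shows `about` as a single line. The three text lines beneath it can stay as they are.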
@@ -1,8 +1,19 @@
 version: 2
 updates:
-- package-ecosystem: composer
- directory: "/"
- schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
+ - package-ecosystem: "composer"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "friday"
+ versioning-strategy: "widen"
+ open-pull-requests-limit: 20
+ allow:
+ - dependency-type: all
+ labels: [ "dependencies" ]
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ open-pull-requests-limit: 20
+ labels: [ "dependencies" ]
diff --git a/.github/stale.yml b/.github/stale.yml
index 3c84124..19367a6 100644
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -1,4 +1,4 @@
-daysUntilStale: 60
+daysUntilStale: 30
 daysUntilClose: 7
 staleLabel: wontfix
 markComment: >
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..077b22d
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "*.*.x" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "4.6.x", "4.7.x" ]
+ schedule:
+ - cron: '37 10 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ${{ 'ubuntu-latest' }}
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Use only 'java' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..b0dedc4
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
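Review bot: `pull_request` hard-codes `branches: [ "4.6.x", "4.7.x" ]` while `push` matches every release branch with `"*.*.x"`, so a PR against any other or future release branch is not scanned until someone edits this list; using the same glob, `branches: [ "*.*.x" ]`, still satisfies the "subset of the branches above" requirement stated in the comment and removes the maintenance step. The Autobuild step is inert for a `javascript`-only matrix and can go together with its comment block, and `runs-on: ${{ 'ubuntu-latest' }}` is a plain string wrapped in an expression for no reason. The actions here are pinned to floating major tags (`actions/checkout@v3`, `github/codeql-action/init@v2`), as are those in dependency-review.yml, lock-closed-issues.yml and release-on-milestone-closed.yml in this commit, while scorecards.yml pins exact versions; the Scorecard Pinned-Dependencies check this commit also enables expects commit SHAs in every case, and the release workflow, which holds an organization-admin token and a signing key, is where a moved tag would hurt most, so one pinning policy across the new workflows is worth settling now.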
@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v3
diff --git a/.github/workflows/lock-closed-issues.yml b/.github/workflows/lock-closed-issues.yml
new file mode 100644
index 0000000..4c7990d
--- /dev/null
+++ b/.github/workflows/lock-closed-issues.yml
@@ -0,0 +1,23 @@
+name: 'Lock Issues'
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ lock:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: dessant/lock-threads@v4
+ with:
+ github-token: ${{ github.token }}
+ issue-inactive-days: '31'
+ exclude-issue-created-before: ''
+ exclude-any-issue-labels: ''
+ add-issue-labels: ''
+ issue-comment: >
+ This thread has been automatically locked since there has not been
+ any recent activity after it was closed. Please open a new issue for
+ related bugs.
+ issue-lock-reason: 'resolved'
+ process-only: 'issues'
diff --git a/.github/workflows/release-on-milestone-closed.yml b/.github/workflows/release-on-milestone-closed.yml
new file mode 100644
index 0000000..010d441
--- /dev/null
+++ b/.github/workflows/release-on-milestone-closed.yml
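Review bot: The `lock` job in lock-closed-issues.yml declares no `permissions`, yet `dessant/lock-threads` must write to issues with the `github.token` it is handed; in a repository whose default token permissions are read-only the step fails with a 403, and in one with the permissive default the job holds far more than it needs. Add `permissions:` / `issues: write` under `lock:` — `pull-requests` is not required because `process-only: 'issues'` excludes PRs. The three empty-string inputs `exclude-issue-created-before`, `exclude-any-issue-labels` and `add-issue-labels` look like the action's defaults spelled out; if that is the case they can be dropped to keep the file to what is actually configured.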
@@ -0,0 +1,114 @@
+# https://help.github.com/en/categories/automating-your-workflow-with-github-actions
+
+name: "Automatic Releases"
+
+on:
+ milestone:
+ types:
+ - "closed"
+
+jobs:
+ release:
+ name: "Release"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+
+ - name: "Release"
+ uses: "laminas/automatic-releases@1.24.0"
+ with:
+ command-name: "laminas:automatic-releases:release"
+ env:
+ "SHELL_VERBOSITY": "3"
+ "GITHUB_TOKEN": ${{ secrets.ORGANIZATION_ADMIN_TOKEN }}
+ "SIGNING_SECRET_KEY": ${{ secrets.SIGNING_SECRET_KEY }}
+ "GIT_AUTHOR_NAME": ${{ secrets.GIT_AUTHOR_NAME }}
+ "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
+
+ merge-up:
+ name: "Create Merge-Up Pull Request"
+ runs-on: ubuntu-latest
+ if: ${{ always() }}
+ needs: "release"
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+
+ - name: "Create Merge-Up Pull Request"
+ uses: "laminas/automatic-releases@1.24.0"
+ with:
+ command-name: "laminas:automatic-releases:create-merge-up-pull-request"
+ env:
+ "SHELL_VERBOSITY": "3"
+ "GITHUB_TOKEN": ${{ secrets.GITHUB_TOKEN }}
+ "SIGNING_SECRET_KEY": ${{ secrets.SIGNING_SECRET_KEY }}
+ "GIT_AUTHOR_NAME": ${{ secrets.GIT_AUTHOR_NAME }}
+ "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
+
+ switch:
+ name: "Create and/or Switch to new Release Branch"
+ runs-on: ubuntu-latest
+ if: ${{ always() }}
+ needs: "merge-up"
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+
+ - name: "Create and/or Switch to new Release Branch"
+ uses: "laminas/automatic-releases@1.24.0"
+ with:
+ command-name: "laminas:automatic-releases:switch-default-branch-to-next-minor"
+ env:
+ "SHELL_VERBOSITY": "3"
+ "GITHUB_TOKEN": ${{ secrets.ORGANIZATION_ADMIN_TOKEN }}
+ "SIGNING_SECRET_KEY": ${{ secrets.SIGNING_SECRET_KEY }}
+ "GIT_AUTHOR_NAME": ${{ secrets.GIT_AUTHOR_NAME }}
+ "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
+
+ bump:
+ name: "Bump Changelog Version On Originating Release Branch"
+ runs-on: ubuntu-latest
+ if: ${{ always() }}
+ needs: "switch"
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+ with:
+ fetch-depth: 0
+
+ - name: "Bump Changelog Version On Originating Release Branch"
+ uses: "laminas/automatic-releases@1.24.0"
+ with:
+ command-name: "laminas:automatic-releases:bump-changelog"
+ env:
+ "SHELL_VERBOSITY": "3"
+ "GITHUB_TOKEN": ${{ secrets.GITHUB_TOKEN }}
+ "SIGNING_SECRET_KEY": ${{ secrets.SIGNING_SECRET_KEY }}
+ "GIT_AUTHOR_NAME": ${{ secrets.GIT_AUTHOR_NAME }}
+ "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
+
+ milestones:
+ name: "Create new milestones"
+ runs-on: ubuntu-latest
+ if: ${{ always() }}
+ needs: "bump"
+
+ steps:
+ - name: "Checkout"
+ uses: "actions/checkout@v3"
+
+ - name: "Create new milestones"
+ uses: "laminas/automatic-releases@1.24.0"
+ with:
+ command-name: "laminas:automatic-releases:create-milestones"
+ env:
+ "SHELL_VERBOSITY": "3"
+ "GITHUB_TOKEN": ${{ secrets.GITHUB_TOKEN }}
+ "SIGNING_SECRET_KEY": ${{ secrets.SIGNING_SECRET_KEY }}
+ "GIT_AUTHOR_NAME": ${{ secrets.GIT_AUTHOR_NAME }}
+ "GIT_AUTHOR_EMAIL": ${{ secrets.GIT_AUTHOR_EMAIL }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..9fb688f
--- /dev/null
+++ b/.github/workflows/scorecards.yml
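Review bot: `merge-up`, `switch`, `bump` and `milestones` all carry `if: ${{ always() }}`, so a failed `release` job (a rejected tag, an unusable `SIGNING_SECRET_KEY`) is still followed by the default branch being switched to the next minor with `ORGANIZATION_ADMIN_TOKEN` and by new milestones being created; unless running after a failure is intended, removing the four `if:` lines restores the implicit `success()` gate that `needs` provides. The workflow also declares no `permissions:` while `merge-up`, `bump` and `milestones` rely on `secrets.GITHUB_TOKEN`; stating the write scopes those commands need (presumably contents, pull-requests and issues — confirm against the action's documentation) makes the grant explicit and keeps the jobs working when the repository's default token is read-only. Since `ORGANIZATION_ADMIN_TOKEN` is the broadest credential in this repository, a comment above the `release` job recording why the built-in token is insufficient for `release` and `switch` would help the next reviewer.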
@@ -0,0 +1,63 @@
+name: Scorecards supply-chain security
+
+on:
+ # Only the default branch is supported.
+ branch_protection_rule:
+ schedule:
+ - cron: '34 4 * * 6'
+ push:
+ branches: [ "4.6.x", "4.7.x" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecards analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Used to receive a badge. (Upcoming feature)
+ id-token: write
+ # Needs for private repositories.
+ contents: read
+ actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v3.5.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.2.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Publish the results for public repositories to enable scorecard badges. For more details, see
+ # https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories, `publish_results` will automatically be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v3.1.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v2.3.3
+ with:
+ sarif_file: results.sarif
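Review bot: The `push` trigger is restricted to `branches: [ "4.6.x", "4.7.x" ]` directly under the comment "Only the default branch is supported"; Scorecard evaluates and publishes results for the default branch only, so unless one of those two is this repository's default branch (not visible here — confirm) the push-triggered runs either never fire or are discarded, and the badge added to README.md in this commit would reflect only the weekly cron. Either put the default branch name in that list or rely on `branch_protection_rule` and `schedule` alone, and say which in the comment. `id-token: write` is what `publish_results: true` needs and `persist-credentials: false` on the checkout is the right setting for a job whose only output is a SARIF file, so those two lines are fine as they stand.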
diff --git a/README.md b/README.md
index aee5071..d721a63 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,8 @@ Progressive Web App for Symfony
 [![Latest Unstable Version](https://poser.pugx.org/spomky-labs/phpwa/v/unstable.png)](https://packagist.org/packages/spomky-labs/phpwa)
 [![License](https://poser.pugx.org/spomky-labs/phpwa/license.png)](https://packagist.org/packages/spomky-labs/phpwa)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/spomky-labs/phpwa/badge)](https://api.securityscorecards.dev/projects/github.com/spomky-labs/phpwa)
+
 
 # Scope
 
 This bundle provides the [spomky-labs/phpwa](https://github.com/spomky-labs/phpwa) bundle for Symfony.