Merge pull request #1 from theopenlane/init
Init
Showing 36 changed files with 1,209 additions and 1 deletion.
@@ -0,0 +1,69 @@ | ||
env: | ||
APP_NAME: ${BUILDKITE_PIPELINE_SLUG} | ||
IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME} | ||
SONAR_HOST: "https://sonarcloud.io" | ||
steps: | ||
- group: ":test_tube: tests" | ||
key: "tests" | ||
steps: | ||
- label: ":golangci-lint: lint :lint-roller:" | ||
cancel_on_build_failing: true | ||
key: "lint" | ||
plugins: | ||
- docker#v5.11.0: | ||
image: "registry.hub.docker.com/golangci/golangci-lint:latest-alpine" | ||
command: ["golangci-lint", "run", "-v"] | ||
always-pull: true | ||
environment: | ||
- "GOTOOLCHAIN=auto" | ||
- label: ":golang: go test" | ||
key: "go_test" | ||
plugins: | ||
- docker#v5.11.0: | ||
image: golang:1.23.0 | ||
command: ["go", "test", "-coverprofile=coverage.out", "./..."] | ||
artifact_paths: ["coverage.out"] | ||
- group: ":closed_lock_with_key: Security Checks" | ||
depends_on: "tests" | ||
key: "security" | ||
steps: | ||
- label: ":closed_lock_with_key: gosec" | ||
key: "gosec" | ||
plugins: | ||
- docker#v5.11.0: | ||
image: "registry.hub.docker.com/securego/gosec:2.20.0" | ||
command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."] | ||
environment: | ||
- "GOTOOLCHAIN=auto" | ||
artifact_paths: ["results.txt"] | ||
- label: ":github: upload PR reports" | ||
key: "scan-upload-pr" | ||
if: build.pull_request.id != null | ||
depends_on: ["gosec", "go_test"] | ||
plugins: | ||
- artifacts#v1.9.4: | ||
download: "results.txt" | ||
- artifacts#v1.9.4: | ||
download: "coverage.out" | ||
step: "go_test" | ||
- docker#v5.11.0: | ||
image: "sonarsource/sonar-scanner-cli:5" | ||
environment: | ||
- "SONAR_TOKEN" | ||
- "SONAR_HOST_URL=$SONAR_HOST" | ||
- "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST" | ||
- label: ":github: upload reports" | ||
key: "scan-upload" | ||
if: build.branch == "main" | ||
depends_on: ["gosec", "go_test"] | ||
plugins: | ||
- artifacts#v1.9.4: | ||
download: results.txt | ||
- artifacts#v1.9.4: | ||
download: coverage.out | ||
step: "go_test" | ||
- docker#v5.11.0: | ||
image: "sonarsource/sonar-scanner-cli:5" | ||
environment: | ||
- "SONAR_TOKEN" | ||
- "SONAR_HOST_URL=$SONAR_HOST" |
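Review bot: the gosec step's `command` passes `"-fmt sonarqube"` as a single argv element, so the Go flag parser sees one flag named `fmt sonarqube` instead of `-fmt` with the value `sonarqube`; split it into `"-fmt", "sonarqube"` the way `"-out", "results.txt"` already is, otherwise the step errors out before scanning anything and no `results.txt` reaches the SonarCloud upload. Two smaller points: the lint step runs `golangci/golangci-lint:latest-alpine` with `always-pull: true` and the upload steps use `sonarsource/sonar-scanner-cli:5`, both mutable tags, so results can change with no change to this repository; pin them to a version or digest as `gosec:2.20.0` and `golang:1.23.0` already are. Also, `-no-fail` means gosec findings never fail the security group, so if this is meant to block merges the gate has to be enforced by the SonarCloud quality gate instead.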
@@ -0,0 +1 @@ | ||
* @theopenlane/blacksmiths |
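Review bot: a single catch-all rule gives `@theopenlane/blacksmiths` ownership of every path, which only gates merges if the branch protection rule for `main` requires review from code owners and the team has write access to this repository; worth confirming both. Consider a separate, narrower owner line for `.buildkite/` and `.github/workflows/`, since changes to those files decide what runs with CI credentials.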
@@ -0,0 +1,24 @@ | ||
# Contributing | ||
|
||
Given external users will not have write to the branches in this repository, you'll need to follow the forking process to open a PR - [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) is a guide from github on how to do so. | ||
|
||
Please also read our main [contributing guide](https://github.com/theopenlane/.github/blob/main/CONTRIBUTING.md) in addition to this one; the main guide mostly says that we'd like for you to open an issue first but it's not hard-required, and that we accept all forms of proposed changes given the state of this code base (in it's infancy, still!) | ||
|
||
## Pre-requisites to a PR | ||
|
||
This repository contains a number of code generating functions / utilities which take schema modifications and scaffold out resolvers, graphql API schemas, openAPI specifications, among other things. To ensure you've generated all the necessary dependencies run `task pr`; this will run the entirety of the commands required to safely generate a PR. If for some reason one of the commands fails / encounters an error, you will need to debug the individual steps. It should be decently easy to follow the `Taskfile` in the root of this repository. | ||
|
||
### Pre-Commit Hooks | ||
|
||
We have several `pre-commit` hooks that should be run before pushing a commit. Make sure this is installed: | ||
|
||
```bash | ||
brew install pre-commit | ||
pre-commit install | ||
``` | ||
|
||
You can optionally run against all files: | ||
|
||
```bash | ||
pre-commit run --all-files | ||
``` |
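Review bot: two wording fixes in the contributing text: `will not have write to the branches` should read `write access to the branches`, and `in it's infancy` should be `in its infancy`. The install snippet only covers Homebrew; since `pre-commit` is also published on PyPI (`pip install pre-commit`), a one-line alternative would keep Linux contributors from hitting a dead end.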
@@ -0,0 +1,16 @@ | ||
--- | ||
name: Bug report | ||
about: Create a report to help us improve | ||
title: "[Bug]" | ||
labels: bug | ||
assignees: '' | ||
|
||
--- | ||
|
||
**Describe the bug or issue you're encountering** | ||
|
||
|
||
**What are the relevant steps to reproduce, including the version(s) of the relevant software?** | ||
|
||
|
||
**What is the expected behavior?** |
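Review bot: the template gives no guidance for security-sensitive reports, so a vulnerability would be filed as a public issue; consider a short line above the reproduction prompts pointing such reports to a private channel (GitHub's private vulnerability reporting or a SECURITY.md).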
@@ -0,0 +1,14 @@ | ||
--- | ||
name: Feature request | ||
about: Suggest an idea for this project | ||
title: "[Feature Request]" | ||
labels: enhancement | ||
assignees: matoszz | ||
|
||
--- | ||
|
||
**Describe how the feature might make your life easier or solve a problem** | ||
|
||
**Describe the solution you'd like to see with any relevant context** | ||
|
||
**Describe any alternatives you've considered or if there are short-tern vs. long-term options** |
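Review bot: typo in the last prompt: `short-tern` should be `short-term`. Unlike the bug template, which leaves `assignees` empty, this one hard-assigns `matoszz` to every request; fine if intended, but it should be a deliberate choice rather than a copy-over.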
@@ -0,0 +1,9 @@ | ||
# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name | ||
bug: | ||
- head-branch: ["^bug", "bug"] | ||
# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name | ||
enhancement: | ||
- head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"] | ||
# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name | ||
breaking-change: | ||
- head-branch: ["^breaking-change", "breaking-change"] |
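Review bot: the anchored patterns are redundant: `head-branch` entries are regular expressions, so the unanchored `"bug"` already matches everything `"^bug"` matches, and likewise `"enhance"` subsumes `"enhancement"` and `"feat"` subsumes `"feature"`. The unanchored short forms also match substrings, so a branch such as `defeat-flaky-test` would be labelled `enhancement`; anchoring to a path segment (for example `(^|/)feat(ure)?(-|/|$)`) keeps the intent stated in the comments without that side effect.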
@@ -0,0 +1,24 @@ | ||
changelog: | ||
exclude: | ||
labels: | ||
- ignore-for-release | ||
authors: [] | ||
categories: | ||
- title: Breaking Changes 🛠 | ||
labels: | ||
- Semver-Major | ||
- breaking-change | ||
- title: New Features 🎉 | ||
labels: | ||
- Semver-Minor | ||
- enhancement | ||
- feature | ||
- title: Bug Fixes 🐛 | ||
labels: | ||
- bug | ||
- title: 👒 Dependencies | ||
labels: | ||
- dependencies | ||
- title: Other Changes | ||
labels: | ||
- "*" |
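Review bot: the `Semver-Major`, `Semver-Minor` and `dependencies` labels listed here are not produced by the labeler configuration in this PR, which only assigns `bug`, `enhancement` and `breaking-change`; either add them there or document that they are applied by hand (Dependabot adds `dependencies` to its own PRs). The `ignore-for-release` exclusion likewise assumes that label exists in the repository.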
@@ -0,0 +1,13 @@ | ||
name: "Pull Request Labeler" | ||
on: | ||
- pull_request_target | ||
jobs: | ||
triage: | ||
permissions: | ||
contents: read | ||
pull-requests: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/labeler@v5 | ||
with: | ||
sync-labels: true |
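Review bot: `pull_request_target` runs this job in the base repository with access to its secrets, which is the right trigger for labeling fork PRs but is only safe because the job never checks out or executes anything from the PR head; state that constraint in a comment so a later edit does not add an `actions/checkout` of the PR head here. The `permissions` block is correctly minimal (`contents: read`, `pull-requests: write`). For consistency with the SHA-pinned Syft install in the release workflow, pin `actions/labeler@v5` to a commit SHA as well.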
@@ -0,0 +1,127 @@ | ||
name: Release | ||
on: | ||
workflow_dispatch: | ||
release: | ||
types: [created] | ||
permissions: | ||
contents: write | ||
jobs: | ||
ldflags_args: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
commit-date: ${{ steps.ldflags.outputs.commit-date }} | ||
commit: ${{ steps.ldflags.outputs.commit }} | ||
version: ${{ steps.ldflags.outputs.version }} | ||
tree-state: ${{ steps.ldflags.outputs.tree-state }} | ||
steps: | ||
- id: checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- id: ldflags | ||
run: | | ||
echo "commit=$GITHUB_SHA" >> $GITHUB_OUTPUT | ||
echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> $GITHUB_OUTPUT | ||
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> $GITHUB_OUTPUT | ||
echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> $GITHUB_OUTPUT | ||
release: | ||
name: Build and release | ||
needs: | ||
- ldflags_args | ||
outputs: | ||
hashes: ${{ steps.hash.outputs.hashes }} | ||
permissions: | ||
contents: write # To add assets to a release. | ||
id-token: write # To do keyless signing with cosign | ||
runs-on: macos-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
- name: Setup Go | ||
uses: actions/setup-go@v5 | ||
with: | ||
go-version-file: 'go.mod' | ||
cache: true | ||
- name: Install Syft | ||
uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 | ||
- name: Install Cosign | ||
uses: sigstore/[email protected] | ||
- name: Run GoReleaser | ||
id: run-goreleaser | ||
uses: goreleaser/goreleaser-action@v6 | ||
with: | ||
distribution: goreleaser | ||
version: latest | ||
args: release --clean | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} | ||
VERSION: ${{ needs.ldflags_args.outputs.version }} | ||
COMMIT: ${{ needs.ldflags_args.outputs.commit }} | ||
COMMIT_DATE: ${{ needs.ldflags_args.outputs.commit-date }} | ||
TREE_STATE: ${{ needs.ldflags_args.outputs.tree-state }} | ||
- name: Generate subject | ||
id: hash | ||
env: | ||
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | ||
run: | | ||
set -euo pipefail | ||
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64) | ||
if test "$hashes" = ""; then # goreleaser < v1.13.0 | ||
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | ||
hashes=$(cat $checksum_file | base64) | ||
fi | ||
echo "hashes=$hashes" >> $GITHUB_OUTPUT | ||
provenance: | ||
name: Generate provenance (SLSA3) | ||
needs: | ||
- release | ||
permissions: | ||
actions: read # To read the workflow path. | ||
id-token: write # To sign the provenance. | ||
contents: write # To add assets to a release. | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
base64-subjects: "${{ needs.release.outputs.hashes }}" | ||
upload-assets: true # upload to a new release | ||
verification: | ||
name: Verify provenance of assets (SLSA3) | ||
needs: | ||
- release | ||
- provenance | ||
runs-on: ubuntu-latest | ||
permissions: read-all | ||
steps: | ||
- name: Install the SLSA verifier | ||
uses: slsa-framework/slsa-verifier/actions/[email protected] | ||
- name: Download assets | ||
env: | ||
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
CHECKSUMS: "${{ needs.release.outputs.hashes }}" | ||
ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}" | ||
run: | | ||
set -euo pipefail | ||
checksums=$(echo "$CHECKSUMS" | base64 -d) | ||
while read -r line; do | ||
fn=$(echo $line | cut -d ' ' -f2) | ||
echo "Downloading $fn" | ||
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn" | ||
done <<<"$checksums" | ||
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME" | ||
- name: Verify assets | ||
env: | ||
CHECKSUMS: "${{ needs.release.outputs.hashes }}" | ||
PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" | ||
run: |- | ||
set -euo pipefail | ||
checksums=$(echo "$CHECKSUMS" | base64 -d) | ||
while read -r line; do | ||
fn=$(echo $line | cut -d ' ' -f2) | ||
echo "Verifying SLSA provenance for $fn" | ||
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ | ||
--source-uri "github.com/$GITHUB_REPOSITORY" \ | ||
--source-tag "$GITHUB_REF_NAME" \ | ||
"$fn" | ||
done <<<"$checksums" |
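Review bot: action pinning is inconsistent: `anchore/sbom-action/download-syft` is pinned to a commit SHA, but `actions/checkout@v4`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`, the cosign installer and the SLSA generator and verifier are pinned to mutable tags, and this is the workflow that holds `id-token: write`, `contents: write` and `HOMEBREW_TAP_GITHUB_TOKEN`; pin all of them by SHA with the version in a trailing comment, as the Syft line already does. In the `Generate subject` step, `echo $ARTIFACTS` is unquoted, so goreleaser's JSON is subject to word splitting and glob expansion before it reaches `jq` (the fallback two lines later quotes it correctly); write `echo "$ARTIFACTS"`, and quote `$checksum_file` in the `cat` on the same branch. In `ldflags`, `--date=iso8601-strict` has no effect on `--pretty=%ct`, which always prints a Unix timestamp; use `%cI` if an ISO date is wanted, or drop the `--date` flag. Lastly, the download and verify steps pass `GITHUB_REF_NAME` as both the release to download from and the `--source-tag` to verify against, so a `workflow_dispatch` run only makes sense when dispatched from a tag ref, not a branch.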
@@ -0,0 +1,42 @@ | ||
# If you prefer the allow list template instead of the deny list, see community template: | ||
# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore | ||
# | ||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
|
||
# Test binary, built with `go test -c` | ||
*.test | ||
|
||
# Output of the go coverage tool, specifically when used with LiteIDE | ||
*.out | ||
|
||
# Go workspace file | ||
go.work | ||
|
||
# Packages | ||
*.7z | ||
*.dmg | ||
*.gz | ||
*.iso | ||
*.jar | ||
*.rar | ||
*.tar | ||
|
||
# Logs | ||
*.log | ||
|
||
# Editor files | ||
.vscode | ||
|
||
# OS Generated Files | ||
.DS_Store* | ||
.AppleDouble | ||
.LSOverride | ||
ehthumbs.db | ||
Icon? | ||
Thumbs.db | ||
|
@@ -0,0 +1,41 @@ | ||
run: | ||
timeout: 10m | ||
allow-serial-runners: true | ||
linters-settings: | ||
goimports: | ||
local-prefixes: github.com/theopenlane/gqlgen-plugins | ||
gofumpt: | ||
extra-rules: true | ||
gosec: | ||
exclude-generated: true | ||
revive: | ||
ignore-generated-header: true | ||
linters: | ||
enable: | ||
- bodyclose | ||
- errcheck | ||
- gocritic | ||
- gocyclo | ||
- err113 | ||
- gofmt | ||
- goimports | ||
- mnd | ||
- gosimple | ||
- govet | ||
- gosec | ||
- ineffassign | ||
- misspell | ||
- noctx | ||
- revive | ||
- staticcheck | ||
- stylecheck | ||
- typecheck | ||
- unused | ||
- whitespace | ||
- wsl | ||
issues: | ||
fix: true | ||
exclude-use-default: true | ||
exclude-dirs: | ||
- totp/testing/* | ||
exclude-files: |
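Review bot: `issues.fix: true` in a config that CI also reads is a problem: golangci-lint drops the issues it auto-fixes from its report, so in the Buildkite lint step fixable violations are rewritten inside the container, discarded, and the step exits 0 while the PR itself is never corrected; leave `fix` unset in the file and pass `--fix` on the command line for local runs. `exclude-dirs` entries are regular expressions, not globs, so `totp/testing/*` only matches by accident (the `*` quantifies the trailing slash); `totp/testing` is what is meant. `local-prefixes: github.com/theopenlane/gqlgen-plugins` must match this repository's `go.mod` module path, or `goimports` grouping will be wrong. The hunk is cut off after `exclude-files:` in this view, so that list has not been reviewed.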