Merge pull request #1 from theopenlane/init
Init
golanglemonade authored Aug 26, 2024
2 parents 9988fe3 + d802047 commit ff48f36
Showing 36 changed files with 1,209 additions and 1 deletion.
69 changes: 69 additions & 0 deletions .buildkite/pipeline.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
env:
APP_NAME: ${BUILDKITE_PIPELINE_SLUG}
IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME}
SONAR_HOST: "https://sonarcloud.io"
steps:
- group: ":test_tube: tests"
key: "tests"
steps:
- label: ":golangci-lint: lint :lint-roller:"
cancel_on_build_failing: true
key: "lint"
plugins:
- docker#v5.11.0:
image: "registry.hub.docker.com/golangci/golangci-lint:latest-alpine"
command: ["golangci-lint", "run", "-v"]
always-pull: true
environment:
- "GOTOOLCHAIN=auto"
- label: ":golang: go test"
key: "go_test"
plugins:
- docker#v5.11.0:
image: golang:1.23.0
command: ["go", "test", "-coverprofile=coverage.out", "./..."]
artifact_paths: ["coverage.out"]
- group: ":closed_lock_with_key: Security Checks"
depends_on: "tests"
key: "security"
steps:
- label: ":closed_lock_with_key: gosec"
key: "gosec"
plugins:
- docker#v5.11.0:
image: "registry.hub.docker.com/securego/gosec:2.20.0"
command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."]
environment:
- "GOTOOLCHAIN=auto"
artifact_paths: ["results.txt"]
- label: ":github: upload PR reports"
key: "scan-upload-pr"
if: build.pull_request.id != null
depends_on: ["gosec", "go_test"]
plugins:
- artifacts#v1.9.4:
download: "results.txt"
- artifacts#v1.9.4:
download: "coverage.out"
step: "go_test"
- docker#v5.11.0:
image: "sonarsource/sonar-scanner-cli:5"
environment:
- "SONAR_TOKEN"
- "SONAR_HOST_URL=$SONAR_HOST"
- "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST"
- label: ":github: upload reports"
key: "scan-upload"
if: build.branch == "main"
depends_on: ["gosec", "go_test"]
plugins:
- artifacts#v1.9.4:
download: results.txt
- artifacts#v1.9.4:
download: coverage.out
step: "go_test"
- docker#v5.11.0:
image: "sonarsource/sonar-scanner-cli:5"
environment:
- "SONAR_TOKEN"
- "SONAR_HOST_URL=$SONAR_HOST"
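Review bot: the gosec step's command array passes `-fmt sonarqube` as one argument, so gosec's flag parser sees a flag named `fmt sonarqube` instead of `-fmt` with the value `sonarqube`; split it into `"-fmt", "sonarqube"` the way `-out` and `results.txt` are already split on the same line. Two smaller points in this hunk: `-no-fail` means gosec findings never fail the build, which is reasonable for an initial import but deserves a comment so it is revisited once the code base settles, and the lint step pulls `golangci-lint:latest-alpine` with `always-pull: true`, so lint results will drift as that image changes while the `gosec` and `golang` images are pinned; pin the lint image too.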
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -0,0 +1 @@
* @theopenlane/blacksmiths
24 changes: 24 additions & 0 deletions .github/CONTRIBUTING.md
@@ -0,0 +1,24 @@
# Contributing

Given external users will not have write to the branches in this repository, you'll need to follow the forking process to open a PR - [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) is a guide from github on how to do so.

Please also read our main [contributing guide](https://github.com/theopenlane/.github/blob/main/CONTRIBUTING.md) in addition to this one; the main guide mostly says that we'd like for you to open an issue first but it's not hard-required, and that we accept all forms of proposed changes given the state of this code base (in it's infancy, still!)

## Pre-requisites to a PR

This repository contains a number of code generating functions / utilities which take schema modifications and scaffold out resolvers, graphql API schemas, openAPI specifications, among other things. To ensure you've generated all the necessary dependencies run `task pr`; this will run the entirety of the commands required to safely generate a PR. If for some reason one of the commands fails / encounters an error, you will need to debug the individual steps. It should be decently easy to follow the `Taskfile` in the root of this repository.

### Pre-Commit Hooks

We have several `pre-commit` hooks that should be run before pushing a commit. Make sure this is installed:

```bash
brew install pre-commit
pre-commit install
```

You can optionally run against all files:

```bash
pre-commit run --all-files
```
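Review bot: wording fixes in the contributing text: `will not have write to the branches` is missing `access`, `in it's infancy` should be `in its infancy`, and `hard-required` reads better as `strictly required`. The `task pr` instruction relies on a root `Taskfile` that is not visible in this diff view; confirm it is among the 36 files in this PR so the pre-PR step actually works for a fresh clone.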
16 changes: 16 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,16 @@
---
name: Bug report
about: Create a report to help us improve
title: "[Bug]"
labels: bug
assignees: ''

---

**Describe the bug or issue you're encountering**


**What are the relevant steps to reproduce, including the version(s) of the relevant software?**


**What is the expected behavior?**
14 changes: 14 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,14 @@
---
name: Feature request
about: Suggest an idea for this project
title: "[Feature Request]"
labels: enhancement
assignees: matoszz

---

**Describe how the feature might make your life easier or solve a problem**

**Describe the solution you'd like to see with any relevant context**

**Describe any alternatives you've considered or if there are short-tern vs. long-term options**
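Review bot: `short-tern` in the last prompt should be `short-term`. Hard-coding `assignees: matoszz` auto-assigns every feature request to a single person; leaving it empty as in `bug_report.md` and routing by label or team keeps triage from depending on one account.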
9 changes: 9 additions & 0 deletions .github/labeler.yml
@@ -0,0 +1,9 @@
# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name
bug:
- head-branch: ["^bug", "bug"]
# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name
enhancement:
- head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"]
# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name
breaking-change:
- head-branch: ["^breaking-change", "breaking-change"]
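Review bot: each `head-branch` list pairs an anchored regex with an unanchored one (`^bug` with `bug`), and the unanchored pattern already matches everything the anchored one does, so the `^` entries are redundant; more importantly, `bug` also matches branches such as `debug-logging`, and `enhance` subsumes `enhancement`, so labels will be applied more broadly than the comments describe. Matching on a delimited segment, for example `(^|[-/_])bug([-/_]|$)`, captures the "section in the name" intent without those false positives.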
24 changes: 24 additions & 0 deletions .github/release.yml
@@ -0,0 +1,24 @@
changelog:
exclude:
labels:
- ignore-for-release
authors: []
categories:
- title: Breaking Changes 🛠
labels:
- Semver-Major
- breaking-change
- title: New Features 🎉
labels:
- Semver-Minor
- enhancement
- feature
- title: Bug Fixes 🐛
labels:
- bug
- title: 👒 Dependencies
labels:
- dependencies
- title: Other Changes
labels:
- "*"
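Review bot: the `Semver-Major`, `Semver-Minor` and `feature` labels used in the Breaking Changes and New Features categories are not produced by `.github/labeler.yml` in this PR, which only applies `bug`, `enhancement` and `breaking-change`, so those changelog sections depend on labels being added by hand; either teach the labeler those labels or drop them here so the changelog mapping matches what is actually automated.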
13 changes: 13 additions & 0 deletions .github/workflows/labeler.yaml
@@ -0,0 +1,13 @@
name: "Pull Request Labeler"
on:
- pull_request_target
jobs:
triage:
permissions:
contents: read
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
with:
sync-labels: true
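Review bot: `pull_request_target` runs with the base repository's token, which is appropriate here because the job only invokes `actions/labeler@v5` and never checks out or executes code from the pull request; keep that property if steps are added later. For consistency with `releaser.yml`, which pins Syft to a commit SHA, consider pinning `actions/labeler` to a SHA as well, since the mutable `v5` tag is the one external input to a job that holds `pull-requests: write`.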
127 changes: 127 additions & 0 deletions .github/workflows/releaser.yml
@@ -0,0 +1,127 @@
name: Release
on:
workflow_dispatch:
release:
types: [created]
permissions:
contents: write
jobs:
ldflags_args:
runs-on: ubuntu-latest
outputs:
commit-date: ${{ steps.ldflags.outputs.commit-date }}
commit: ${{ steps.ldflags.outputs.commit }}
version: ${{ steps.ldflags.outputs.version }}
tree-state: ${{ steps.ldflags.outputs.tree-state }}
steps:
- id: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "commit=$GITHUB_SHA" >> $GITHUB_OUTPUT
echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> $GITHUB_OUTPUT
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> $GITHUB_OUTPUT
echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> $GITHUB_OUTPUT
release:
name: Build and release
needs:
- ldflags_args
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: write # To add assets to a release.
id-token: write # To do keyless signing with cosign
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- name: Install Syft
uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
- name: Install Cosign
uses: sigstore/[email protected]
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
VERSION: ${{ needs.ldflags_args.outputs.version }}
COMMIT: ${{ needs.ldflags_args.outputs.commit }}
COMMIT_DATE: ${{ needs.ldflags_args.outputs.commit-date }}
TREE_STATE: ${{ needs.ldflags_args.outputs.tree-state }}
- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
provenance:
name: Generate provenance (SLSA3)
needs:
- release
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"
upload-assets: true # upload to a new release
verification:
name: Verify provenance of assets (SLSA3)
needs:
- release
- provenance
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the SLSA verifier
uses: slsa-framework/slsa-verifier/actions/[email protected]
- name: Download assets
env:
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CHECKSUMS: "${{ needs.release.outputs.hashes }}"
ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Downloading $fn"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
done <<<"$checksums"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
CHECKSUMS: "${{ needs.release.outputs.hashes }}"
PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
run: |-
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying SLSA provenance for $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
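Review bot: in the `Generate subject` step, `echo $ARTIFACTS` on the `hashes=` line is unquoted, so the JSON is word-split and glob-expanded before it reaches `jq` (an artifact name containing `*` or `?` could be altered), while the fallback two lines below correctly writes `echo "$ARTIFACTS"`; quote it on the first line as well. Smaller points in the same hunk: `git log --date=iso8601-strict -1 --pretty=%ct` ignores `--date` because `%ct` is always a Unix timestamp, so either drop the flag or switch to `%cI`; and the action references mix a SHA pin (`anchore/sbom-action/download-syft`) with mutable tags (`actions/checkout@v4`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`), so for a workflow that holds `id-token: write` and signs release assets, pinning every third-party action to a SHA would be consistent with the SLSA goal of the workflow.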
42 changes: 42 additions & 0 deletions .gitignore
@@ -0,0 +1,42 @@
# If you prefer the allow list template instead of the deny list, see community template:
# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
#
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Go workspace file
go.work

# Packages
*.7z
*.dmg
*.gz
*.iso
*.jar
*.rar
*.tar

# Logs
*.log

# Editor files
.vscode

# OS Generated Files
.DS_Store*
.AppleDouble
.LSOverride
ehthumbs.db
Icon?
Thumbs.db

41 changes: 41 additions & 0 deletions .golangci.yaml
@@ -0,0 +1,41 @@
run:
timeout: 10m
allow-serial-runners: true
linters-settings:
goimports:
local-prefixes: github.com/theopenlane/gqlgen-plugins
gofumpt:
extra-rules: true
gosec:
exclude-generated: true
revive:
ignore-generated-header: true
linters:
enable:
- bodyclose
- errcheck
- gocritic
- gocyclo
- err113
- gofmt
- goimports
- mnd
- gosimple
- govet
- gosec
- ineffassign
- misspell
- noctx
- revive
- staticcheck
- stylecheck
- typecheck
- unused
- whitespace
- wsl
issues:
fix: true
exclude-use-default: true
exclude-dirs:
- totp/testing/*
exclude-files:
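Review bot: `goimports.local-prefixes` is set to `github.com/theopenlane/gqlgen-plugins` and `exclude-dirs` references `totp/testing/*`, both of which look carried over from another repository; if this module's path differs, `goimports` will group the project's own imports as third-party, and the exclude entry is dead configuration. Also, `issues.fix: true` makes CI lint runs rewrite files inside the container, where the edits are discarded, and auto-fixable issues are then not reported, so the committed code keeps them; that setting is better reserved for local runs.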