DAConsortium · k-hal · Oct 14, 2021
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,4 @@
+version: 2.1
+
+workflows:
+  version: 2
diff --git a/.circleci/policy/circleci.rego b/.circleci/policy/circleci.rego
@@ -0,0 +1,21 @@
+package main
+
+deny[msg] {
+    input.version < 2
+    msg = "Use version 2 or higher"
+}
+
+deny[msg] {
+    input.jobs[_].machine.docker_layer_caching == true
+    msg = "Don't use DLC"
+}
+
+deny[msg] {
+    input.jobs[_].steps[_].setup_remote_docker.docker_layer_caching == true
+    msg = "Don't use DLC"
+}
+
+deny[msg] {
+    not input.workflows
+    msg = "Use workflows"
+}
diff --git a/.circleci/policy/circleci_test.rego b/.circleci/policy/circleci_test.rego
@@ -0,0 +1,113 @@
+package main
+
+test_deny_under_20 {
+    deny["Use version 2 or higher"] with input as {"version": 1}
+}
+
+test_allow_version_21 {
+    not deny["Use version 2 or higher"] with input as {"version": 2.1}
+}
+
+test_deny_dlc_docker {
+    deny["Don't use DLC"] with input as 
+    {
+        "version": 2.1,
+        "jobs": {
+            "build": {
+                "steps": [
+                    "checkout",
+                    {
+                        "setup_remote_docker": {
+                            "docker_layer_caching": true,
+                        },
+                    },
+                    {
+                        "run": {
+                            "docker build .",
+                        }
+                    }
+                ],
+            }
+        }
+    }
+}
+
+test_allow_dlc_docker_not_in_use {
+    not deny["Don't use DLC"] with input as 
+    {
+        "version": 2.1,
+        "jobs": {
+            "build": {
+                "steps": [
+                    "checkout",
+                    {
+                        "run": {
+                            "foo bar",
+                        }
+                    }
+                ],
+            }
+        }
+    }
+}
+
+
+test_allow_dlc_docker_not_in_use {
+    not deny["Don't use DLC"] with input as 
+    {
+        "version": 2.1,
+        "jobs": {
+            "hogefuga": {
+                "steps": [
+                    "checkout",
+                    {
+                        "setup_remote_docker": {
+                            "docker_layer_caching": false,
+                        },
+                    },
+                    {
+                        "run": {
+                            "foo bar",
+                        }
+                    }
+                ],
+            }
+        }
+    }
+}
+
+
+test_deny_dlc_machine {
+    deny["Don't use DLC"] with input as 
+    {
+        "version": 2,
+        "jobs": {
+            "make": {
+                "machine": {
+                    "docker_layer_caching": true
+                }
+            }
+        }
+    }
+}
+
+test_allow_using_workflows {
+    not deny["Use workflows"] with input as 
+    {
+        "version": 2.1,
+        "workflows": {
+            "version": 2
+        }
+    }
+}
+
+
+test_deny_not_in_use_workflows {
+    deny["Use workflows"] with input as 
+    {
+        "version": 2.1,
+        "workflow": {
+            "version": 2
+        }
+    }
+}
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# CI/CD Police
+.github/workflows/conftest.yaml         @DAConsortium/sre-admins
+.github/workflows/secretlint.yaml       @DAConsortium/sre-admins
+.github/workflows/.secretlintrc.json    @DAConsortium/sre-admins
+.circleci/policy/*                      @DAConsortium/sre-admins
diff --git a/.github/workflows/.secretlintignore b/.github/workflows/.secretlintignore
@@ -0,0 +1,161 @@
+### https://raw.github.com/github/gitignore/d2c1bb2b9c72ead618c9f6a48280ebc7a8e0dff6/Node.gitignore
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+.env.test
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# next.js build output
+.next
+
+# nuxt.js build output
+.nuxt
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+
+### https://raw.github.com/github/gitignore/d2c1bb2b9c72ead618c9f6a48280ebc7a8e0dff6/Global/JetBrains.gitignore
+
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+# Customize
+
+**/packages/**/lib/**
+**/examples/**
+**/packages/**/test/**
+.secretlintignore
+.secretlintrc.json
+.idea/
diff --git a/.github/workflows/.secretlintrc.json b/.github/workflows/.secretlintrc.json
@@ -0,0 +1,7 @@
+{
+  "rules": [
+    {
+      "id": "@secretlint/secretlint-rule-preset-recommend"
+    }
+  ]
+}
diff --git a/.github/workflows/.yamllint b/.github/workflows/.yamllint
@@ -0,0 +1,5 @@
+extends: default
+
+rules:
+  truthy: disable
+  document-start: disable
diff --git a/.github/workflows/conftest.yaml b/.github/workflows/conftest.yaml
@@ -0,0 +1,19 @@
+name: Validate CircleCI config
+on: push
+jobs:
+  conftest:
+    name: Validate CircleCI config
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PULL_ACCESS_TOKEN }}
+      - name: checkout
+        uses: actions/checkout@master
+      - name: validate
+        uses: instrumenta/conftest-action@master
+        with:
+          files: .circleci/config.yml
+          policy: .circleci/policy/circleci.rego
diff --git a/.github/workflows/opa.yaml b/.github/workflows/opa.yaml
@@ -0,0 +1,21 @@
+name: Test opa policy
+on: push
+jobs:
+  opa:
+    name: Test opa policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PULL_ACCESS_TOKEN }}
+      - uses: actions/checkout@master
+        name: checkout
+      - name: test open policy agent for circleci
+        run: |
+          docker run -v `pwd`:`pwd` \
+            -w `pwd` \
+            --rm \
+            openpolicyagent/opa test \
+            -v .circleci/policy/
diff --git a/.github/workflows/secretlint.yaml b/.github/workflows/secretlint.yaml
@@ -0,0 +1,25 @@
+name: Secretlint
+on: [push, pull_request]
+env:
+  CI: true
+jobs:
+  secretlint:
+    name: "Secretlint"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PULL_ACCESS_TOKEN }}
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: lint with secretlint on docker
+        run: |
+           docker run -v `pwd`:`pwd` \
+             -w `pwd` \
+             --rm \
+             secretlint/secretlint secretlint \
+             --secretlintrc .github/workflows/.secretlintrc.json \
+             --secretlintignore .github/workflows/.secretlintignore \
+             "**/*"