From 89d186e5db306887ff61bffdc87dab8dc00c7c29 Mon Sep 17 00:00:00 2001
From: Luca Comellini
Date: Tue, 23 Jul 2024 09:25:53 -0700
Subject: [PATCH] Add common workflows and files (#69)
---
 .editorconfig | 13 +++++
 .github/labeler.yml | 16 +++---
 .github/workflows/dependabot-auto-merge.yml | 23 ++++++++
 .github/workflows/dependency-review.yml | 27 +++++++++
 .github/workflows/fossa.yml | 30 ++++++++++
 .github/workflows/lint.yml | 54 ++++++++++++++++++
 .github/workflows/scorecards.yml | 61 +++++++++++++++++++++
 .gitignore | 6 ++
 .markdownlint-cli2.yaml | 18 ++++++
 .pre-commit-config.yaml | 41 ++++++++++++++
 .yamllint.yaml | 21 +++++++
 CODE_OF_CONDUCT.md | 22 ++++----
 README.md | 9 ++-
 SECURITY.md | 15 ++++-
 14 files changed, 333 insertions(+), 23 deletions(-)
 create mode 100644 .editorconfig
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/fossa.yml
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 .github/workflows/scorecards.yml
 create mode 100644 .gitignore
 create mode 100644 .markdownlint-cli2.yaml
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .yamllint.yaml
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..302cfc4
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,13 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_size = 4
+indent_style = tab
+
+[*.{md,yml,yaml}]
+indent_size = 2
+indent_style = space
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 71855cd..2fb913e 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
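Review bot: `trim_trailing_whitespace = true` in the `[*]` section also applies to Markdown, where two trailing spaces are a hard line break, so editors honouring this file will silently strip those breaks from the `.md` files this commit touches. Either add a `[*.md]` section with `trim_trailing_whitespace = false`, or add a comment under `[*.{md,yml,yaml}]` stating that trailing-space line breaks are not used in this repository so the behaviour is deliberate rather than accidental.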
@@ -1,21 +1,21 @@ change: - - head-branch: ['^change/'] + - head-branch: ["^change/"] enhancement: - - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/'] + - head-branch: ["^feature/", "^feat/", "^enhancement/", "^enh/"] bug: - - head-branch: ['^fix/', '^bug/'] + - head-branch: ["^fix/", "^bug/"] chore: - - head-branch: ['^chore/'] + - head-branch: ["^chore/"] documentation: - - head-branch: ['^docs/', '^doc/'] + - head-branch: ["^docs/", "^doc/"] - changed-files: - - any-glob-to-any-file: '**/*.md' + - any-glob-to-any-file: "**/*.md" dependencies: - - head-branch: ['^deps/', '^dep/', '^dependabot/'] + - head-branch: ["^deps/", "^dep/", "^dependabot/"] - changed-files: - - any-glob-to-any-file: ['go.mod', 'go.sum'] + - any-glob-to-any-file: ["go.mod", "go.sum"] diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..00cf5b0 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,23 @@ +name: Dependabot auto-merge +on: pull_request_target + +permissions: + contents: read + +jobs: + dependabot: + runs-on: ubuntu-22.04 + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + permissions: + pull-requests: write + contents: write + steps: + - name: Dependabot metadata + id: dependabot-metadata + uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 + + - name: Enable auto-merge for Dependabot PRs + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..2c962f4 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
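Review bot: The `Dependabot metadata` step (`id: dependabot-metadata`) in `dependabot-auto-merge.yml` is never read, so the merge step enables auto-merge for every Dependabot PR including major version bumps; either drop the step or use it as a gate on the merge step, e.g. `if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}`. Because `gh` authenticates with `secrets.NGINX_PAT`, the job-level `contents: write` and `pull-requests: write` grants to the default token appear unused and could be reduced, and a comment should state why a PAT is used (presumably so the resulting merge triggers other workflows). The `pull_request_target` trigger is acceptable only because this job checks out nothing and runs no PR-controlled code; a comment recording that invariant, e.g. `# Do not add a checkout or run PR code here: this runs on pull_request_target with repository secrets`, would help keep it true.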
@@ -0,0 +1,27 @@
+name: Dependency Review
+on:
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.ref_name }}-deps-review
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for actions/checkout
+ pull-requests: write # for actions/dependency-review-action to post comments
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Dependency Review
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+ with:
+ config-file: "nginxinc/k8s-common/dependency-review-config.yml@main"
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 0000000..5d919de
--- /dev/null
+++ b/.github/workflows/fossa.yml
@@ -0,0 +1,30 @@
+name: Fossa
+
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - "**.md"
+ - "LICENSE"
+
+concurrency:
+ group: ${{ github.ref_name }}-fossa
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ scan:
+ name: Fossa
+ runs-on: ubuntu-22.04
+ if: ${{ github.event.repository.fork == false }}
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Scan
+ uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3
+ with:
+ api-key: ${{ secrets.FOSSA_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..cfa31a6
--- /dev/null
+++ b/.github/workflows/lint.yml
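Review bot: `config-file` on the last line of the `dependency-review.yml` hunk points at `nginxinc/k8s-common/dependency-review-config.yml@main`, a mutable branch, while every action in the same workflow is pinned to a commit SHA; the license and vulnerability policy that decides whether a PR fails can therefore change without any change in this repository. Pin the reference to a tag or SHA (`config-file: "nginxinc/k8s-common/dependency-review-config.yml@<tag-or-sha>"`) and let Dependabot bump it, or add a comment stating that tracking `main` is intended so the policy is managed centrally.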
@@ -0,0 +1,54 @@
+name: Lint
+
+on:
+ pull_request:
+ branches:
+ - main
+
+defaults:
+ run:
+ shell: bash
+
+concurrency:
+ group: ${{ github.ref_name }}-lint
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ actionlint:
+ name: Actionlint
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Lint Actions
+ uses: reviewdog/action-actionlint@afad3b6ab835e5611bda8c8193377e2d5c21413d # v1.51.0
+ with:
+ actionlint_flags: -shellcheck ""
+
+ markdown-lint:
+ name: Markdown Lint
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Lint Markdown
+ uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16.0.0
+ with:
+ config: .markdownlint-cli2.yaml
+ globs: "**/*.md"
+ fix: false
+
+ yaml-lint:
+ name: YAML lint
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Lint YAML
+ uses: reviewdog/action-yamllint@508148c0d959b166798f9792d1b29dddcac37348 # v1.16.0
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..dc5c04f
--- /dev/null
+++ b/.github/workflows/scorecards.yml
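Review bot: `actionlint_flags: -shellcheck ""` switches off actionlint's shellcheck integration, so the `run:` scripts in the other workflows of this commit (for example the `gh pr merge` line in `dependabot-auto-merge.yml`) are not shell-checked at all. If the reviewdog image provides shellcheck, dropping the flag gives that check for free; if it does not, a comment such as `# shellcheck disabled: not available in the reviewdog image` would explain the choice to the next reader. Separately, `fix: false` in the Markdown step contradicts `fix: true` in the committed `.markdownlint-cli2.yaml`; if the action honours the config key as well as its input, note in a comment which one wins so CI and pre-commit behaviour are clearly the same.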
@@ -0,0 +1,61 @@
+name: OpenSSF Scorecards
+on:
+ branch_protection_rule: # yamllint disable-line rule:empty-values
+ schedule:
+ - cron: "18 4 * * 0" # Run every Sunday at 4:18 UTC
+ push:
+ branches:
+ - main
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-22.04
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
+ with:
+ sarif_file: results.sarif
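Review bot: `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` is the only input in the `Run analysis` step without a comment saying what the secret is for or how it must be scoped; as far as I recall the upstream scorecard template marks it optional and uses it only for the Branch-Protection check, so a note such as `# Optional read-only PAT; only needed for the Branch-Protection check, leave unset in forks` would keep it from being treated as a required secret. The `persist-credentials: false` on checkout and the job-scoped `security-events`/`id-token` writes otherwise follow the upstream template and look right.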
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fe42eba
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# NGINX Plus license files
+*.crt
+*.key
+
+# Visual Studio Code settings
+.vscode
diff --git a/.markdownlint-cli2.yaml b/.markdownlint-cli2.yaml
new file mode 100644
index 0000000..1932609
--- /dev/null
+++ b/.markdownlint-cli2.yaml
@@ -0,0 +1,18 @@
+# Rule configuration.
+# For rule descriptions and how to fix: https://github.com/DavidAnson/markdownlint/tree/main#rules--aliases
+config:
+ ul-style:
+ style: dash
+ no-duplicate-heading:
+ siblings_only: true
+ line-length:
+ line_length: 120
+ code_blocks: false
+ tables: false
+
+# Define glob expressions to ignore
+ignores:
+ - ".github/"
+
+# Fix any fixable errors
+fix: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..518db12
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,41 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ args: [--allow-multiple-documents]
+ - id: check-ast
+ - id: check-added-large-files
+ - id: check-merge-conflict
+ - id: check-shebang-scripts-are-executable
+ - id: check-executables-have-shebangs
+ - id: check-symlinks
+ - id: check-case-conflict
+ - id: check-vcs-permalinks
+ - id: check-json
+ - id: pretty-format-json
+ args: [--autofix, --no-ensure-ascii]
+ - id: mixed-line-ending
+ args: [--fix=lf]
+ - id: no-commit-to-branch
+ - id: requirements-txt-fixer
+ - id: fix-byte-order-marker
+
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.4
+ hooks:
+ - id: gitleaks
+
+ - repo: https://github.com/DavidAnson/markdownlint-cli2
+ rev: v0.13.0
+ hooks:
+ - id: markdownlint-cli2
+
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.35.1
+ hooks:
+ - id: yamllint
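Review bot: The `gitleaks` hook in `.pre-commit-config.yaml` is the only secret scan this commit introduces, and pre-commit hooks are opt-in on each developer's machine; nothing in `lint.yml` runs gitleaks, so a contributor who has not installed the hooks bypasses it entirely. Adding a gitleaks job to the lint workflow (or relying on platform secret scanning, which is not visible in this patch) would make the check enforceable rather than advisory, and is worth a comment either way. In the neighbouring `.markdownlint-cli2.yaml` hunk, `fix: true` means the `markdownlint-cli2` hook rewrites files at commit time while CI runs with `fix: false`; a one-line comment such as `# fix mode is for local/pre-commit runs; CI lints read-only` would make the split intentional.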
diff --git a/.yamllint.yaml b/.yamllint.yaml
new file mode 100644
index 0000000..6779621
--- /dev/null
+++ b/.yamllint.yaml
@@ -0,0 +1,21 @@
+---
+yaml-files:
+ - "*.yaml"
+ - "*.yml"
+
+ignore-from-file: .gitignore
+
+extends: default
+
+rules:
+ comments:
+ min-spaces-from-content: 1
+ comments-indentation: enable
+ document-start: disable
+ empty-values: enable
+ line-length:
+ max: 120
+ ignore: |
+ .github/
+ truthy:
+ check-keys: false
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index bc3c7d3..4deb7b9 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -16,21 +16,21 @@ appearance, race, religion, or sexual identity and orientation. Examples of behavior that contributes to creating a positive environment include: -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members +- Using welcoming and inclusive language +- Being respectful of differing viewpoints and experiences +- Gracefully accepting constructive criticism +- Focusing on what is best for the community +- Showing empathy towards other community members Examples of unacceptable behavior by participants include: -* The use of sexualized language or imagery and unwelcome sexual attention or +- The use of sexualized language or imagery and unwelcome sexual attention or advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic +- Trolling, insulting/derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or electronic address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a +- Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities @@ -70,6 +70,6 @@ members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html +available at [homepage]: https://www.contributor-covenant.org diff --git a/README.md b/README.md index 3dabbf6..d770dfc 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,15 @@ + +[![OpenSSFScorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/alpine-fips/badge)](https://api.securityscorecards.dev/projects/github.com/nginxinc/alpine-fips) +[![CI](https://github.com/nginxinc/alpine-fips/actions/workflows/ci.yml/badge.svg)](https://github.com/nginxinc/alpine-fips/actions/workflows/ci.yml) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Falpine-fips.svg?type=shield)](https://app.fossa.com/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Falpine-fips?ref=badge_shield) +[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) + # Alpine Linux with FIPS OpenSSL module ## Dockerfile -The Dockerfile is based on the official Alpine Linux image and adds the FIPS OpenSSL module. The FIPS module is built from source and the build process is based on the [OpenSSL FIPS support guide](https://github.com/openssl/openssl/blob/master/README-FIPS.md). +The Dockerfile is based on the official Alpine Linux image and adds the FIPS OpenSSL module. +The FIPS module is built from source and the build process is based on the [OpenSSL FIPS support guide](https://github.com/openssl/openssl/blob/master/README-FIPS.md). ## Build diff --git a/SECURITY.md b/SECURITY.md index f5a6659..5f71d72 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,9 +1,18 @@ # Security Policy +## Latest Versions + +We advise users to run or update to the most recent release of this project. +Older versions of this project may not have all enhancements and/or bug fixes applied to them. + ## Reporting a Vulnerability -The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities. +The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security +vulnerabilities. -Please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at F5SIRT@f5.com +- If you’re an F5 customer with an active support contract, please contact [F5 Technical + Support](https://www.f5.com/services/support). +- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 + product to the F5 Security Incident Response Team at -For more information visit https://www.f5.com/services/support/report-a-vulnerability +For more information visit