Merge pull request #2 from DFE-Digital/composite-deploy-action

Composite deploy action

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @dfe-digital/security-engineering

.github/CONTRIBUTING.md

@@ -0,0 +1,13 @@
+# Contribution guidelines
+
+If you’ve got an idea or suggestion you can [create a GitHub issue](https://github.com/DFE-Digital/splunk-app-packager/issues), or feel free to [raise a pull request](https://github.com/DFE-Digital/splunk-app-packager/compare).
+
+## Raising bugs
+
+When raising bugs please explain the issue in good detail and provide a guide to how to replicate it.
+
+When describing the bug it's useful to follow the format:
+
+- what you did
+- what you expected to happen
+- what actually happened

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,11 @@
+## Checklist
+Please tick off where applicable. Have you:
+- [ ] updated the version number in [pyproject.toml](pyproject.toml)?
+- [ ] updated the version number in [action.yml](https://github.com/DFE-Digital/splunk-app-packager/blob/composite-deploy-action/action.yml#L41)?
+- [ ] explained the change?
+- [ ] confirmed the PR checks have passed?
+
+## Explanation of change
+
+
+## Link to bug report or github issue

.github/codeql-config.yaml

@@ -0,0 +1,13 @@
+--
+paths-ignore:
+  - .github
+query-filters:
+  - exclude:
+      problems.severity:
+        - Note  # ignore notes when there's too much noise
+queries:
+  - uses: security-experimental
+  - uses: security-extended
+  - uses: security-and-quality
+  - uses: advanced-security/codeql-queries/python/suites/codeql-python.qls@main
+  - uses: advanced-security/codeql-queries/javascript/suites/codeql-javascript.qls@main

.github/dependabot.yml

@@ -0,0 +1,32 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message: 
+      prefix: "Dependabot (python): "
+    groups: 
+      pip:
+        applies-to: version-updates
+        patterns:
+          - "*"
+      pip-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message: 
+      prefix: "Dependabot (github actions): "
+    groups: 
+      gh-actions:
+        applies-to: version-updates
+        patterns:
+          - "*"
+      gh-actions-security:
+        applies-to: security-updates
+        patterns:
+          - "*"

.github/workflows/codeql.yml

@@ -0,0 +1,29 @@
+---
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - '*.py'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    types: [opened, reopened]
+    paths:
+        - '**.py'
+  schedule:
+    - cron: '0 8 * * *'
+  workflow_dispatch:
+
+jobs:
+
+  run-codeql:
+    uses: DFE-Digital/github-actions/.github/workflows/reusable-workflow-sast.yml@master
+    with:
+        language: 'python'
+        policy_action: 'break'
+        queries: 'security-extended'
+        config_file: '.github/codeql-config.yaml'
+    secrets:
+        CODEQL_APP_ID: ${{ secrets.CODEQL_APP_ID }}
+        CODEQL_AUTHENTICATION_PRIVATE_KEY: ${{ secrets.CODEQL_AUTHENTICATION_PRIVATE_KEY }}

.github/workflows/flake8.yml

@@ -0,0 +1,33 @@
+name: Flake8 
+
+on:
+  push:
+    branches: 
+      - 'main'
+    paths: 
+      - '*.py'
+  workflow_call:
+
+jobs:
+
+  run-flake8:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: flake8 Lint
+        uses: py-actions/flake8@v2
+        with:
+          path: "src/splunk_app_packager"
+          ignore: "E501,W503"
+          plugins: "flake8-black"

.github/workflows/release.yml

@@ -0,0 +1,115 @@
+name: Publish Python 🐍 distribution 📦 to PyPI and TestPyPI
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'pyproject.toml'
+      - 'action.yml'
+
+jobs:
+  tag-release-on-push:
+    runs-on: ubuntu-latest
+    permissions: 
+      contents: write
+    outputs:
+      new_tag: ${{ steps.bump-version.outputs.new_tag }}
+
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+
+      - name: Bump version and push tag
+        id: bump-version
+        uses: anothrNick/github-tag-action@1.70.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: false
+          DEFAULT_BUMP: patch
+
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12.3'
+          architecture: 'x64'
+          cache: 'pip'
+
+      - name: Install pypa/build
+        run: python3 -m pip install build --user
+
+      - name: Build binary wheel and source tarball
+        run: python3 -m build
+
+      - name: Store the packages
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+  publish-to-pypi:
+    needs: [build]
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/splunk-app-packager
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Download dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Publish distribution 📦 to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    needs: [tag-release-on-push, publish-to-pypi]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+
+    steps:
+
+      - name: Download all the dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-package-distributions
+          path: dist/
+
+      - name: Sign the dists with Sigstore
+        uses: sigstore/gh-action-sigstore-python@v2.1.1
+        with:
+          inputs: >-
+            ./dist/*.tar.gz
+            ./dist/*.whl
+
+      - name: Create GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: gh release create '${{ needs.tag-release-on-push.outputs.new_tag }}' --repo '${{ github.repository }}' --notes ""
+
+      - name: Upload artifact signatures to GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        # Upload to GitHub Release using the `gh` CLI.
+        # `dist/` contains the built packages, and the
+        # sigstore-produced signatures and certificates.
+        run: gh release upload '${{ github.ref_name }}' dist/** --repo '${{ github.repository }}'
+

.github/workflows/verify_tags.yml

@@ -0,0 +1,57 @@
+name: Verify tags are the same
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'pyproject.toml'
+      - 'action.yml'
+
+jobs:
+  verify-tags:
+    runs-on: ubuntu-latest
+    permissions: 
+      contents: read
+
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+
+      - name: Check next git tag
+        id: git-tag
+        uses: anothrNick/github-tag-action@1.70.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: false
+          DEFAULT_BUMP: patch
+          DRY_RUN: true
+
+      - name: Check pyproject tag
+        id: pyproject-tag
+        run: |
+          echo py_version=$(grep version pyproject.toml | cut -d'"' -f2) >> $GITHUB_OUTPUT
+    
+      - name: Check action.yml tag
+        id: action-tag
+        run: |
+          echo action_version=$(grep '==' action.yml | cut -d'=' -f3) >> $GITHUB_OUTPUT
+    
+      - name: Verify tags
+        run: |
+          if [ ${{ steps.git-tag.outputs.new_tag }} == ${{ steps.pyproject-tag.outputs.py_version }} ] && [ ${{ steps.pyproject-tag.outputs.py_version }} == ${{ steps.action-tag.outputs.action_version }} ]
+          then
+            echo "All tags are equal. Good to release."
+            echo "Git Tag: ${{ steps.git-tag.outputs.new_tag }}"
+            echo "pyproject.toml tag: ${{ steps.pyproject-tag.outputs.py_version }}"
+            echo "action.yml tag: ${{ steps.action-tag.outputs.action_version }}"
+          else
+            echo "Tags aren't equal."
+            echo "Git Tag: ${{ steps.git-tag.outputs.new_tag }}"
+            echo "pyproject.toml tag: ${{ steps.pyproject-tag.outputs.py_version }}"
+            echo "action.yml tag: ${{ steps.action-tag.outputs.action_version }}"
+            exit 1
+          fi

.gitignore

@@ -3,3 +3,4 @@ DCAP_*.json
 target/
 venv/
 __pycache__/
+dist/

LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Crown Copyright (Department for Education)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.