Merge pull request #5 from bcgov/update/confluence-content

Updated content from confluence.

patterns/docs/Source Code Repositories/GitHub Repository Best Practices/GitHub Repository Best Practices.md

@@ -0,0 +1,77 @@
+---
+sidebar_position: 1
+---
+<table class="wrapped"><colgroup></colgroup><tbody><tr><th>Status</th><td><div class="content-wrapper"><p>Document</p></div></td></tr><tr><th>Stakeholders</th><td>NRIDS Architecture, Development &amp; Digital Services, NRM Product Teams</td></tr><tr><th>Description</th><td>The purpose of this page is to outline practices when using GitHub as your source code repository</td></tr><tr><th>Outcome</th><td>Consistent point of reference for onboarding new product teams into the NRM's.</td></tr><tr><th>Owner</th><td>NRIDS (DDS, Architecture)</td></tr></tbody></table>
+
+Repository Setup
+----------------
+
+The below options are found under settings
+
+### **Branch Protection**
+
+Create at least 1 branch protection rule for your "main" branch that;
+
+*   Forces an approval before merging to your "main" branch
+    *   An approver should be someone able to understand the code changes and has the authority to approve code changes and pipeline activities associated with a PR Merge (Eg. Data Custodian and Test/Prod deployments)
+
+Note: Admins can bypass this
+
+*   Enforces status checks to be passed before merging, this should include;
+    *   SonarCloud (vulnerability, code coverage)
+    *   Code scanning (Trivy, Snyk, CodeQL)
+    *   Builds
+    *   Deployments
+    *   Route verification (up/down, penetration testing)
+*   Note: checks need to have been run once to populate the drop-down
+
+(Ensure you select your options below when enabling the rule)
+
+*   Ensures branches are up to date before merging
+
+### **Manage Your Administrators**
+
+*   Have at least 1 backup administrator
+*   Have as few admins as possible, most developers will not need to be an admin
+
+### **Manage Your Team**
+
+*   Create a Team in GitHub and Manage the permission in the team. ([https://github.com/orgs/bcgov/teams](https://github.com/orgs/bcgov/teams))
+*   This way if the single team is working on multiple products, authorization will be easier to manage and tracking will be easier.
+
+### **Setup Your Pull Request Repository Settings (Very Useful to Help Ensure Guidelines are Followed)**
+
+*   Use squash merging to keep histories clean
+    *   We recommend using pull request titles
+*   Suggest updating pull requests
+    *   Being up to date is required (see above)
+    *   Selecting this will add an easy update button to PRs
+*   Automatically delete head branches, which are merged feature branches
+    *   Excessive numbers of branches can degrade performance and increase clone times
+    *   Long lived-branches are strongly discouraged
+
+For additional PR, Pipeline, and Deployment practices: See
+
+### **Create Repository Documentation**
+
+*   Create a meaningful Readme.md, see [https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Gov-Org-HowTo/SAMPLE-README.md](https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Gov-Org-HowTo/SAMPLE-README.md)
+*   Add a license and other required documentation, see [https://docs.developer.gov.bc.ca/required-pages-for-github-repository/](https://docs.developer.gov.bc.ca/required-pages-for-github-repository/)
+*   Make use of the GitHub Wiki
+    *   The GitHub Wiki provides version controlled documentation that multiple people can edit and does not require technical expertise
+    *   If you're going to use the Wiki make sure you add a reference to it in your Readme.md
+*   Create a reference in confluence to your repository and documentation
+
+### **GitHub Wiki - Suggestions of What to Add**
+
+*   Points of Contact
+*   How-To's:
+    *   Running Locally
+    *   Developer Practices
+    *   Coding Practices
+    *   Ticket management
+    *   Backup and restore 
+*   Application process flows
+
+### **Handle Your Secrets and Environment Variables**
+
+See

patterns/docs/Source Code Repositories/GitHub Repository Best Practices/data.json

@@ -0,0 +1 @@
+{"id":"163422029","type":"page","status":"current","title":"GitHub Repository Best Practices","body":{"storage":{"value":"<table class=\"wrapped\"><colgroup><col /><col /></colgroup><tbody><tr><th>Status</th><td><div class=\"content-wrapper\"><p>Document</p></div></td></tr><tr><th>Stakeholders</th><td>NRIDS Architecture, Development &amp; Digital Services, NRM Product Teams</td></tr><tr><th>Description</th><td>The purpose of this page is to outline practices when using GitHub as your source code repository</td></tr><tr><th>Outcome</th><td>Consistent point of reference for onboarding new product teams into the NRM's.</td></tr><tr><th>Owner</th><td>NRIDS (DDS, Architecture)</td></tr></tbody></table><h2>Repository Setup</h2><p>The below options are found under settings</p><h3><strong>Branch Protection</strong></h3><p>Create at least 1 branch protection rule for your &quot;main&quot; branch that;</p><ul><li>Forces an approval before merging to your &quot;main&quot; branch<ul><li>An approver should be someone able to understand the code changes and has the authority to approve code changes and pipeline activities associated with a PR Merge (Eg. Data Custodian and Test/Prod deployments)</li></ul></li></ul><p>Note: Admins can bypass this</p><p><ac:image ac:height=\"250\"><ri:attachment ri:filename=\"image2023-8-8_9-12-55.png\" /></ac:image></p><ul><li>Enforces status checks to be passed before merging, this should include;<br /><ul><li>SonarCloud (vulnerability, code coverage)</li><li>Code scanning (Trivy, Snyk, CodeQL)</li><li>Builds</li><li>Deployments</li><li>Route verification (up/down, penetration testing)</li></ul></li><li>Note: checks need to have been run once to populate the drop-down</li></ul><p>(Ensure you select your options below when enabling the rule)</p><p><ac:image ac:height=\"97\"><ri:attachment ri:filename=\"image2023-8-8_9-18-27.png\" /></ac:image></p><ul><li>Ensures branches are up to date before merging</li></ul><p><ac:image ac:height=\"72\"><ri:attachment ri:filename=\"image2023-8-8_9-18-42.png\" /></ac:image></p><h3><strong>Manage Your Administrators</strong></h3><ul><li>Have at least 1 backup administrator</li><li>Have as few admins as possible, most developers will not need to be an admin</li></ul><h3><strong>Manage Your Team</strong></h3><ul><li>Create a Team in GitHub and Manage the permission in the team. (<a href=\"https://github.com/orgs/bcgov/teams\">https://github.com/orgs/bcgov/teams</a>)</li><li>This way if the single team is working on multiple products, authorization will be easier to manage and tracking will be easier.</li></ul><h3><strong>Setup Your Pull Request Repository Settings (Very Useful to Help Ensure Guidelines are Followed)</strong></h3><ul><li>Use squash merging to keep histories clean<ul><li>We recommend using pull request titles</li></ul></li><li>Suggest updating pull requests<ul><li>Being up to date is required (see above)</li><li>Selecting this will add an easy update button to PRs</li></ul></li><li>Automatically delete head branches, which are merged feature branches<ul><li>Excessive numbers of branches can degrade performance and increase clone times</li><li>Long lived-branches are strongly discouraged</li></ul></li></ul><p><ac:image><ri:attachment ri:filename=\"prdeets.png\" /></ac:image></p><p>For additional PR, Pipeline, and Deployment practices: See <ac:link><ri:page ri:content-title=\"Coding Patterns &amp; Practices\" /></ac:link></p><h3><strong>Create Repository Documentation</strong></h3><ul><li>Create a meaningful Readme.md, see <a href=\"https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Gov-Org-HowTo/SAMPLE-README.md\" style=\"text-align: left;\" rel=\"nofollow\">https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Gov-Org-HowTo/SAMPLE-README.md</a></li><li>Add a license and other required documentation, see <a href=\"https://docs.developer.gov.bc.ca/required-pages-for-github-repository/\" style=\"text-align: left;\" rel=\"nofollow\">https://docs.developer.gov.bc.ca/required-pages-for-github-repository/</a></li><li>Make use of the GitHub Wiki<ul><li>The GitHub Wiki provides version controlled documentation that multiple people can edit and does not require technical expertise</li><li>If you're going to use the Wiki make sure you add a reference to it in your Readme.md</li></ul></li><li>Create a reference in confluence to your repository and documentation</li></ul><h3><strong>GitHub Wiki - Suggestions of What to Add</strong></h3><ul><li>Points of Contact</li><li>How-To's:<ul><li>Running Locally</li><li>Developer Practices</li><li>Coding Practices</li><li>Ticket management</li><li>Backup and restore </li></ul></li><li>Application process flows</li></ul><h3><strong>Handle Your Secrets and Environment Variables</strong></h3><p>See <ac:link><ri:page ri:content-title=\"Coding Patterns &amp; Practices\" /></ac:link></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p>","representation":"storage","_expandable":{"content":"/rest/api/content/163422029"}},"_expandable":{"editor":"","view":"","export_view":"","styled_view":"","anonymous_export_view":""}},"extensions":{"position":"none"},"_links":{"webui":"/display/AR/GitHub+Repository+Best+Practices","edit":"/pages/resumedraft.action?draftId=163422029","tinyui":"/x/TZ_9CQ","self":"https://apps.nrs.gov.bc.ca/int/confluence/rest/api/content/163422029"},"_expandable":{"container":"/rest/api/space/AR","metadata":"","operations":"","children":"/rest/api/content/163422029/child","restrictions":"/rest/api/content/163422029/restriction/byOperation","history":"/rest/api/content/163422029/history","ancestors":"","version":"","descendants":"/rest/api/content/163422029/descendant","space":"/rest/api/space/AR"}}

patterns/docs/Source Code Repositories/Migrating Existing Source Code Repositories/Migrating Existing Source Code Repositories.md

@@ -0,0 +1,33 @@
+---
+sidebar_position: 1
+---
+<table class="wrapped"><colgroup></colgroup><tbody><tr><th>Status</th><td><div class="content-wrapper"><p><ac:structured-macro ac:name="status" ac:schema-version="1" ac:macro-id="ddabb8ed-6687-4038-9868-5cdb89b54afd"><ac:parameter ac:name="colour">Green</ac:parameter><ac:parameter ac:name="title">Document</ac:parameter></ac:structured-macro></p></div></td></tr><tr><th>Stakeholders</th><td><div class="content-wrapper"><p><ac:link></ac:link><ac:link></ac:link><ac:link></ac:link>&nbsp;<ac:link></ac:link> &nbsp;</p></div></td></tr><tr><th>Description</th><td>Checklist to guide teams in the process of migrating SVN repos to Github</td></tr><tr><th>Outcome</th><td></td></tr><tr><th>Owner</th><td>NRIDS Architecture</td></tr></tbody></table>
+
+### Advantages to having code in the open:
+
+*   Lower cost
+*   Community visibility and collaboration
+*   Encourages good development practices
+*   Github has a suite of extra tools (such as GitHub actions)
+*   Aligns with the [Digital Code of Practice](https://digital.gov.bc.ca/policies-standards/dcop/)
+*   Aligns with the [BCGov Digital Principles](https://github.com/bcgov/digital-principles) - Working in the Open, Take an Ecosystem Approach
+*   An extensive number of tests and tools are only free for open source projects
+
+### General Principles:
+
+*   Code (like data) should take an "Open by Default" position and closed by exception
+*   The de-facto standard public code repository platform is Github
+*   On exception, the private code repository platform is Github Enterprise
+
+### Under what circumstances should a code repository be Private?
+
+*   There are algorithms in the code that would bring harm to individuals, industry or the Province
+*   Information is hidden with intent, like state data from ArgoCD deployments
+*   The presense of secrets, passwords, personal information or other sensitive data
+    *   Please be aware that we provide resources and assistance in preventing this situation
+
+<table class="relative-table wrapped"><colgroup></colgroup><tbody><tr><th>What do I need to do?</th><th>How do I do that?</th><th>What tools can help?</th></tr><tr><td>Obtain consent from the application/product owner to bring the code in the open; share this content to help inform the conversation</td><td>Identify the business owner of the codebase, obtain and document consent</td><td><a class="" href="https://a100.gov.bc.ca/int/irs/viewAllApps.do">https://a100.gov.bc.ca/int/irs/viewAllApps.do</a></td></tr><tr><td>Ensure there is no application data in the code repository (aside from test data)</td><td></td><td></td></tr><tr><td>Scan the code for secrets, passwords or sensitive data</td><td></td><td><p><a href="https://github.com/aquasecurity/trivy-action">Trivy</a> can perform secret scanning before and after a repo is provided publicly&nbsp;</p><p>GitHub has built-in tools to detect accidentally adding this information</p></td></tr><tr><td>Enable built in features of Github such as Dependabot to scan code and recommend remediation</td><td>Explore the "Security" tab in Github</td><td><p>Dependabot&nbsp;<a class="" href="https://docs.github.com/en/code-security/dependabot">https://docs.github.com/en/code-security/dependabot</a></p><p>Renovate <a class="" href="https://docs.renovatebot.com/">https://docs.renovatebot.com/</a> ie - <a class="" href="https://github.com/bcgov/nr-forests-access-management/blob/main/renovate.json">https://github.com/bcgov/nr-forests-access-management/blob/main/renovate.json</a></p><p>Sonarcloud - ie <a class="" href="https://sonarcloud.io/project/overview?id=forest-client-frontend">https://sonarcloud.io/project/overview?id=forest-client-frontend</a></p></td></tr><tr><td>Ensure the underlying codebase, dependent libraries and software versions contain no significant and exploitable vulnerabilities</td><td>Contact the security team about using FETT to scan the existing code repository</td><td><ac:link></ac:link></td></tr><tr><td>Ensure that the Province of BC owns the code</td><td></td><td><a href="https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/COI-Priv-IP.md">https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/COI-Priv-IP.md</a></td></tr><tr><td>Apply an open source license</td><td></td><td><a href="https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/Licenses.md">https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/Licenses.md</a></td></tr><tr><td>Choose an appropriate name for your repository</td><td>prefix each repository with "nr-"<ul><li>e.g. nr-&lt;app-name&gt;</li><li>e.g. nr-fom-api</li></ul></td><td></td></tr><tr><td>Identify at least two owners for the repository</td><td>Identify a product owner and a technical specialist</td><td></td></tr><tr><td></td><td></td><td></td></tr></tbody></table>
+
+### References:
+
+[https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/Content-Approval-Checklist.md](https://github.com/bcgov/BC-Policy-Framework-For-GitHub/blob/master/BC-Open-Source-Development-Employee-Guide/Content-Approval-Checklist.md)