From 99d3fd441abd7837f475d8731db5d1a754b6a52b Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Wed, 3 Jul 2024 15:07:54 -0700 Subject: [PATCH] Add common workflows and files --- .github/dependabot.yml | 6 +++ .github/workflows/dependabot-auto-merge.yml | 23 ++++++++++++ .github/workflows/dependency-review.yml | 27 ++++++++++++++ .github/workflows/sync.yml | 2 +- .gitignore | 10 +++++ .markdownlint-cli2.yaml | 18 +++++++++ .pre-commit-config.yaml | 41 +++++++++++++++++++++ .yamllint.yaml | 22 +++++++++++ files/nap-waf-v5-debian-11.repo | 2 +- files/nap-waf-v5-debian-12.repo | 2 +- files/nap-waf-v5-ubi-8.repo | 2 +- files/nap-waf-v5-ubi-9.repo | 2 +- files/patch-os.sh | 2 +- 13 files changed, 153 insertions(+), 6 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependabot-auto-merge.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .gitignore create mode 100644 .markdownlint-cli2.yaml create mode 100644 .pre-commit-config.yaml create mode 100644 .yamllint.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ca79ca5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..00cf5b0
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,23 @@
+name: Dependabot auto-merge
+on: pull_request_target
+
+permissions:
+ contents: read
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-22.04
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ permissions:
+ pull-requests: write
+ contents: write
+ steps:
+ - name: Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
+
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..835c052
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+name: "Dependency Review"
+on:
+ pull_request:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.ref_name }}-deps-review
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for actions/checkout
+ pull-requests: write # for actions/dependency-review-action to post comments
+ steps:
+ - name: "Checkout Repository"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: "Dependency Review"
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+ with:
+ config-file: "./dependency-review-config.yml"
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index 457b664..440c504 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -6,7 +6,7 @@ on: - labels.yml schedule: - cron: "8 0 * * 1" # run every Monday at 00:08 UTC - workflow_dispatch: + workflow_dispatch: # yamllint disable-line rule:empty-values concurrency: group: ${{ github.ref_name }}-sync
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..68ceaef
--- /dev/null
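Review bot: The `Dependabot metadata` step's outputs are never read, so `gh pr merge --auto --squash` in the following step is applied to every Dependabot PR, including major version bumps of the pinned actions. Gate the merge step on the metadata the first step already fetches, e.g. `if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}`, so majors still get a human review. The PAT in `secrets.NGINX_PAT` is handed to a `pull_request_target` job; that is defensible here only because the job never checks out or executes anything from the PR head, so a comment such as `# pull_request_target: never check out PR code in this job, NGINX_PAT is in scope` above `steps:` would keep a later edit from introducing that.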
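Review bot: `config-file: "./dependency-review-config.yml"` points at a file this commit does not add (it is absent from the diffstat), so unless it already exists at the repository root the `Dependency Review` step will fail to load its configuration on the first pull request. Either add the file in this commit or drop the `with:` block to run with the action's defaults until one exists. `pull-requests: write` is granted with the comment `for actions/dependency-review-action to post comments`, but no input enabling PR comments is set here; if the summary comment is not wanted, `contents: read` alone is the least-privilege grant for this job.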
+++ b/.gitignore
@@ -0,0 +1,10 @@
+# Vim
+*.swp
+*.swo
+
+# GoLand IDE and VSCode
+.idea
+.vscode
+
+# MacOS Finder
+.DS_Store
diff --git a/.markdownlint-cli2.yaml b/.markdownlint-cli2.yaml
new file mode 100644
index 0000000..1932609
--- /dev/null
+++ b/.markdownlint-cli2.yaml
@@ -0,0 +1,18 @@
+# Rule configuration.
+# For rule descriptions and how to fix: https://github.com/DavidAnson/markdownlint/tree/main#rules--aliases
+config:
+ ul-style:
+ style: dash
+ no-duplicate-heading:
+ siblings_only: true
+ line-length:
+ line_length: 120
+ code_blocks: false
+ tables: false
+
+# Define glob expressions to ignore
+ignores:
+ - ".github/"
+
+# Fix any fixable errors
+fix: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..edf1c53
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,41 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.6.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ args: [--allow-multiple-documents]
+ - id: check-ast
+ - id: check-added-large-files
+ - id: check-merge-conflict
+ - id: check-shebang-scripts-are-executable
+ - id: check-executables-have-shebangs
+ - id: check-symlinks
+ - id: check-case-conflict
+ - id: check-vcs-permalinks
+ - id: check-json
+ - id: pretty-format-json
+ args: [--autofix, --no-ensure-ascii]
+ - id: mixed-line-ending
+ args: [--fix=lf]
+ - id: no-commit-to-branch
+ - id: requirements-txt-fixer
+ - id: fix-byte-order-marker
+
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.18.3
+ hooks:
+ - id: gitleaks
+
+ - repo: https://github.com/DavidAnson/markdownlint-cli2
+ rev: v0.13.0
+ hooks:
+ - id: markdownlint-cli2
+
+ - repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.35.1
+ hooks:
+ - id: yamllint
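Review bot: Every `rev:` in this file (`v4.6.0`, `v8.18.3`, `v0.13.0`, `v1.35.1`) is a mutable git tag, while the workflow files added in the same commit pin their actions by full commit SHA with a `# vX.Y.Z` comment. A moved tag silently changes what `gitleaks`, `check-yaml` and the other hooks execute on every contributor's machine, so the same discipline is worth applying here: `rev: <full-commit-sha-of-the-tag>  # v4.6.0`, with the version kept in the comment. Note that `pre-commit autoupdate` rewrites `rev:` back to tags unless it is run with `--freeze`.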
diff --git a/.yamllint.yaml b/.yamllint.yaml
new file mode 100644
index 0000000..7d0320c
--- /dev/null
+++ b/.yamllint.yaml
@@ -0,0 +1,22 @@
+---
+yaml-files:
+ - "*.yaml"
+ - "*.yml"
+
+ignore-from-file: .gitignore
+
+extends: default
+
+rules:
+ comments:
+ min-spaces-from-content: 1
+ comments-indentation: enable
+ document-start: disable
+ empty-values: enable
+ line-length:
+ max: 120
+ ignore: |
+ .goreleaser.yml
+ .github/
+ truthy:
+ check-keys: false
diff --git a/files/nap-waf-v5-debian-11.repo b/files/nap-waf-v5-debian-11.repo
index e066b2f..f833864 100644
--- a/files/nap-waf-v5-debian-11.repo
+++ b/files/nap-waf-v5-debian-11.repo
@@ -5,4 +5,4 @@ Types: deb URIs: https://pkgs.nginx.com/app-protect-x-plus/debian Suites: bullseye Components: nginx-plus -Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg \ No newline at end of file +Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg
diff --git a/files/nap-waf-v5-debian-12.repo b/files/nap-waf-v5-debian-12.repo
index 0d5a7cc..1a97820 100644
--- a/files/nap-waf-v5-debian-12.repo
+++ b/files/nap-waf-v5-debian-12.repo
@@ -5,4 +5,4 @@ Types: deb URIs: https://pkgs.nginx.com/app-protect-x-plus/debian Suites: bookworm Components: nginx-plus -Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg \ No newline at end of file +Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg
diff --git a/files/nap-waf-v5-ubi-8.repo b/files/nap-waf-v5-ubi-8.repo
index cf6c80e..10369dc 100644
--- a/files/nap-waf-v5-ubi-8.repo
+++ b/files/nap-waf-v5-ubi-8.repo
@@ -4,4 +4,4 @@ baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/ sslclientcert=/etc/ssl/nginx/nginx-repo.crt sslclientkey=/etc/ssl/nginx/nginx-repo.key gpgcheck=0 -enabled=1 \ No newline at end of file +enabled=1
diff --git a/files/nap-waf-v5-ubi-9.repo b/files/nap-waf-v5-ubi-9.repo
index 4fc2ecf..d07ec25 100644
--- a/files/nap-waf-v5-ubi-9.repo
+++ b/files/nap-waf-v5-ubi-9.repo
@@ -4,4 +4,4 @@ baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/9/$basearch/ sslclientcert=/etc/ssl/nginx/nginx-repo.crt sslclientkey=/etc/ssl/nginx/nginx-repo.key gpgcheck=0 -enabled=1 \ No newline at end of file +enabled=1
diff --git a/files/patch-os.sh b/files/patch-os.sh
index 205ca16..0556ccd 100755
--- a/files/patch-os.sh
+++ b/files/patch-os.sh
@@ -3,7 +3,7 @@ patch_debian() { echo "Patching Debian" apt-get update - apt-get upgrade -y + apt-get upgrade -y rm -rf /var/lib/apt/lists/* }