From ed27afdc012c2b698a051649d9cf90ca2b68b4e2 Mon Sep 17 00:00:00 2001 From: Petr Ruzicka Date: Sat, 3 Feb 2024 14:07:38 +0100 Subject: [PATCH] feat(gha): unify GHA - renovate, megalinter, markdown, and others --- .github/CODEOWNERS | 6 ++ .github/ISSUE_TEMPLATE/bug_report.md | 23 +++++ .github/ISSUE_TEMPLATE/config.yml | 8 ++ .github/ISSUE_TEMPLATE/proposal.md | 21 +++++ .github/renovate.json5 | 89 +++++++++---------- .github/workflows/commitlint.yml | 14 --- .github/workflows/lint-pr-title.yml | 44 --------- .github/workflows/mega-linter.yml | 38 ++++---- .github/workflows/packer-templates.yml | 17 ++-- .github/workflows/renovate.yml | 48 +++++----- .github/workflows/semantic-pull-request.yml | 20 +++++ .github/workflows/stale.yml | 16 ++-- .jscpd.json | 3 + .lycheeignore | 3 + .mega-linter.yml | 49 ++++++++++ .yamllint.yml | 10 --- PSScriptAnalyzerSettings.psd1 | 3 + README.md | 63 +++++++------ build.sh | 2 +- docs/.gitlab-ci.yml | 1 - lychee.toml | 42 +++++++++ my_centos-7.json | 36 ++------ my_ubuntu-server.json | 33 ++----- my_windows.json | 55 +++--------- .../ConfigureRemotingForAnsible.ps1 | 2 +- .../build_remote_ssh_ubuntu.yml | 7 ++ ubuntu-desktop.json | 36 ++------ ubuntu-server.json | 29 ++---- upload_box_to_vagrantcloud.sh | 2 +- windows.json | 55 +++--------- 30 files changed, 364 insertions(+), 411 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/proposal.md delete mode 100644 .github/workflows/commitlint.yml delete mode 100644 .github/workflows/lint-pr-title.yml create mode 100644 .github/workflows/semantic-pull-request.yml create mode 100644 .jscpd.json create mode 100644 .lycheeignore create mode 100644 .mega-linter.yml delete mode 100644 .yamllint.yml create mode 100644 PSScriptAnalyzerSettings.psd1 create mode 100644 lychee.toml 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 000000000..dd260f1b7 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,6 @@ +# Users referenced in this file will automatically be requested as reviewers for +# PRs that modify the given paths +# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# All code +* @ruzickap diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000..51505e79b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,23 @@ +--- +name: Bug report +about: Create a report to help us improve +title: 'Bug: This is a sample issue title' +labels: bug +assignees: ruzickap + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behaviour. + +**Expected behaviour** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..ed5ca68b1 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: GitHub Actions Community Forum + url: https://github.com/orgs/community/discussions/ + about: Please ask questions about GitHub Actions here. + - name: GitHub Pages help + url: https://help.github.com/en/github/working-with-github-pages + about: GitHub Pages documentation here. diff --git a/.github/ISSUE_TEMPLATE/proposal.md b/.github/ISSUE_TEMPLATE/proposal.md new file mode 100644 index 000000000..ff78390b3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/proposal.md 
@@ -0,0 +1,21 @@ +--- +name: Proposal +about: Suggest an idea for this project +title: 'Proposal: This is a sample title' +labels: proposal +assignees: ruzickap + +--- + +**Is your feature request related to a problem? Please describe** +A clear and concise description of what the problem is. Ex. I'm always +frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/renovate.json5 b/.github/renovate.json5 index 289bb8b8c..936ee501d 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -1,59 +1,56 @@ { - "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "branchPrefix": "renovate/", - "labels": ["renovate", "renovate/{{replace '.*/' '' depName}}", "renovate/{{updateType}}"], - "packageRules": [ - { - "matchUpdateTypes": ["patch"], - "automergeType": "branch", - // Do not wait for tests - this will speed up the whole process - updating many branches + running many tests - "ignoreTests": true, - "automerge": true, - }, - { - "description": "Ignore frequent renovate updates", - "matchPackageNames": ["renovatebot/github-action"], - "matchUpdateTypes": ["patch"], - "enabled": false - }, + $schema: "https://docs.renovatebot.com/renovate-schema.json", + extends: [ + ":disableDependencyDashboard", + ":docker", + ":disableRateLimiting", + ":enableVulnerabilityAlertsWithLabel(security)", + "config:recommended", + "docker:pinDigests", + "helpers:pinGitHubActionDigestsToSemver", + "security:openssf-scorecard", + ], + "git-submodules": { + enabled: true, + }, + labels: [ + "renovate", + "renovate/{{replace '.*/' '' depName}}", + "renovate/{{updateType}}", + ], + lockFileMaintenance: { + enabled: true, + schedule: ["before 6am on Sunday"], + }, + packageRules: [ { - "matchPackageNames": ["renovatebot/github-action"], - "matchUpdateTypes": ["minor"], - "automergeType": "branch", - "automerge": true, - "ignoreTests": true, - "schedule": ["* 0,2,4 1-7 * 0"], + matchUpdateTypes: ["major"], + automerge: false, }, { - "description": "Update all github-actions by default", - "matchManagers": ["github-actions"], - "automergeType": "branch", - "automerge": true, + description: "Ignore frequent renovate updates", + enabled: false, + matchPackageNames: ["renovatebot/github-action"], + matchUpdateTypes: ["patch"], }, { - "matchManagers": ["git-submodules"], - "matchUpdateTypes": ["digest"], - "automerge": true, - "automergeType": "branch", + description: "Update renovatebot/github-action minor updates on Sundays", + matchPackageNames: 
["renovatebot/github-action"], + matchUpdateTypes: ["minor"], + schedule: ["* * * * 0"], }, ], - "prBodyTemplate": "{{{table}}}{{{notes}}}{{{changelogs}}}", - "rebaseWhen": "behind-base-branch", - "regexManagers": [ + prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}", + rebaseWhen: "behind-base-branch", + regexManagers: [ { - "fileMatch": [ - "^\\.github/workflows/.*\\.ya?ml$", - "^ansible/win-simple\\.yml$", + extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.+)${{/if}}", + fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"], + matchStrings: [ + '# renovate: datasource=(?.+?) depName=(?.+?)( versioning=(?.+?))?( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s.*[=:]\\s*"?(?.+?)"?\\s', ], - "matchStrings": [ - "# renovate: datasource=(?.+?) depName=(?.+?)( versioning=(?.+?))?( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s.*[=:]\\s*\"?(?.+?)\"?\\s", - ], - "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", - "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.+)${{/if}}", + versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", }, ], - "git-submodules": { - "enabled": true - }, - "separateMinorPatch": true, + separateMinorPatch: true, } diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml deleted file mode 100644 index 24f92a60e..000000000 --- a/.github/workflows/commitlint.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: Lint Commit Messages -on: - - pull_request - -permissions: read-all - -jobs: - commitlint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: wagoid/commitlint-github-action@v5 diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml deleted file mode 100644 index 64de150ab..000000000 --- a/.github/workflows/lint-pr-title.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: "Lint PR" - -on: - pull_request_target: - types: - - opened - - edited - - synchronize - -permissions: read-all - -jobs: - main: - name: Validate PR title - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@v5 - id: lint_pr_title - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - uses: marocchino/sticky-pull-request-comment@v2 - # When the previous steps fails, the workflow would stop. By adding this - # condition you can continue the execution with the populated error message. - if: always() && (steps.lint_pr_title.outputs.error_message != null) - with: - header: pr-title-lint-error - message: | - Hey there and thank you for opening this pull request! 👋🏼 - - We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. - - Details: - - ``` - ${{ steps.lint_pr_title.outputs.error_message }} - ``` - - # Delete a previous comment when the issue has been resolved - - if: ${{ steps.lint_pr_title.outputs.error_message == null }} - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: pr-title-lint-error - delete: true diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 55a186c35..afb3fc6ea 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -1,3 +1,4 @@ +--- name: MegaLinter on: 
@@ -12,40 +13,33 @@ jobs: build: name: MegaLinter runs-on: ubuntu-latest - permissions: - contents: write - statuses: write steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Restore lychee cache + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: .lycheecache + key: cache-lychee-${{ github.sha }} + restore-keys: cache-lychee- - name: Extract commands from markdown files run: | set -euxo pipefail echo '#!/usr/bin/env bash' > README.sh find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do - sed -n "/^\`\`\`\(bash\|shell\).*/,/^\`\`\`$/p" "${FILE}" \ - | \ - sed \ - -e 's/^```\(bash\|shell\).*//' \ - -e '/^```$/d' \ - >> README.sh + # Extract: ```bash ... ``` + sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh + # Extract: ```bash ... ``` + sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh done chmod a+x README.sh - - name: MegaLinter - uses: megalinter/megalinter@v7.1.0 + - name: 💡 MegaLinter + uses: oxsecurity/megalinter@688bc7466d7ab4faa83d614c2e6f9acf42b674dc # v7.8.0 env: - ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS: >- - [{"command": "ansible-galaxy collection install -v -r ansible/requirements.yml"}] - BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects - DISABLE_LINTERS: COPYPASTE_JSCPD,JSON_PRETTIER,MARKDOWN_MARKDOWN_LINK_CHECK,REPOSITORY_DEVSKIM,REPOSITORY_SEMGREP,SPELL_CSPELL,SPELL_PROSELINT,YAML_V8R - FILTER_REGEX_EXCLUDE: '(.*\.ps1|CHANGELOG.md)' - FORMATTERS_DISABLE_ERRORS: false GITHUB_COMMENT_REPORTER: false GITHUB_STATUS_REPORTER: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PRINT_ALPACA: false - REPOSITORY_KICS_ARGUMENTS: --exclude-paths .github/workflows/renovate.yml - # Needed for scanning generated README.sh file - VALIDATE_ALL_CODEBASE: true + LOG_LEVEL: DEBUG 
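Review bot: The job-level `permissions:` block (`contents: write`, `statuses: write`) is removed while `GITHUB_STATUS_REPORTER: true` is kept, so posting commit statuses now depends on whatever the workflow's top-level `permissions:` grants, which is outside this hunk; if that is `read-all`, as in the sibling workflows touched by this commit, the status reporter will most likely be refused and the lint result silently loses its status check. Dropping `contents: write` is the right direction (it is only needed when fixes are applied), so keep the narrowed grant explicit instead of implicit: `permissions:` / `  statuses: write`. `LOG_LEVEL: DEBUG` also puts every linter's full output, including the generated README.sh command lines, into the job log; consider returning to the default once the migration settles. The two `# Extract:` comments are identical although the second `sed` handles indented fences; say so, e.g. `# Extract indented (list-item) fenced blocks`.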
diff --git a/.github/workflows/packer-templates.yml b/.github/workflows/packer-templates.yml index f45343781..5fbeaf99b 100644 --- a/.github/workflows/packer-templates.yml +++ b/.github/workflows/packer-templates.yml @@ -1,12 +1,13 @@ name: packer-templates on: - push: - branches-ignore: - - main - paths: - - "*.json" - - .github/workflows/packer-templates.yml + workflow_dispatch: + # push: + # branches-ignore: + # - main + # paths: + # - "*.json" + # - .github/workflows/packer-templates.yml permissions: read-all @@ -20,9 +21,13 @@ jobs: - name: Download Packer run: | + set -euxo pipefail + PACKER_LATEST_VERSION=$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packer | jq -r -M '.current_version') curl -s "https://releases.hashicorp.com/packer/${PACKER_LATEST_VERSION}/packer_${PACKER_LATEST_VERSION}_linux_amd64.zip" --output /tmp/packer_linux_amd64.zip sudo unzip -o /tmp/packer_linux_amd64.zip -d /usr/local/bin/ + packer plugins install github.com/hashicorp/qemu + packer plugins install github.com/hashicorp/ansible - name: Validate Packer templates run: | diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 86b24a08a..cc55c4690 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -1,3 +1,4 @@ +--- name: Renovate on: @@ -6,12 +7,10 @@ on: dryRun: type: boolean description: "Dry-Run" - required: false - default: false logLevel: type: choice description: "Log-Level" - default: "debug" + default: debug options: - info - debug 
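Review bot: The two new `packer plugins install github.com/hashicorp/qemu` / `github.com/hashicorp/ansible` lines install whatever version the plugin registry currently serves, and the step around them still unzips a Packer binary fetched from the checkpoint-API version into `/usr/local/bin/` without any checksum or signature check, which `set -euxo pipefail` cannot catch. Pin the plugins with an explicit version constraint, e.g. `packer plugins install github.com/hashicorp/qemu <PINNED_VERSION>` (placeholder), and verify the download against the `packer_${PACKER_LATEST_VERSION}_SHA256SUMS` file published next to the zip (`sha256sum --check --ignore-missing`) before unzipping. Commenting out the `push:` trigger leaves only `workflow_dispatch`, so changes to `*.json` templates are no longer validated automatically on branches; a one-line comment stating why would help the next reader.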
@@ -19,18 +18,25 @@ on: push: branches: - main - paths: - - ".github/renovate.json5" + - "!renovate/*" schedule: - cron: "0 0,2,4 * * *" env: - LOG_LEVEL: debug - RENOVATE_CONFIG_FILE: .github/renovate.json5 - RENOVATE_DRY_RUN: false + # https://docs.renovatebot.com/troubleshooting/#log-debug-levels + LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" + # https://docs.renovatebot.com/self-hosted-configuration/#repositories RENOVATE_REPOSITORIES: ${{ github.repository }} + # https://docs.renovatebot.com/self-hosted-configuration/#username RENOVATE_USERNAME: ${{ github.repository_owner }} - RENOVATE_GIT_AUTHOR: "Renovate Bot " + # https://docs.renovatebot.com/configuration-options/#platformcommit + RENOVATE_PLATFORM_COMMIT: "true" + # https://docs.renovatebot.com/self-hosted-configuration/#dryrun + # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated + RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}" + # Renovate Automerge + RENOVATE_AUTOMERGE_TYPE: "branch" + RENOVATE_AUTOMERGE: "true" permissions: read-all 
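Review bot: `RENOVATE_AUTOMERGE: "true"` with `RENOVATE_AUTOMERGE_TYPE: "branch"` in the workflow env turns automerge on for every manager and update type that renovate.json5 does not override, whereas the removed per-rule config only automerged patches and selected action updates; the new renovate.json5 in this commit opts out only `major`, so minor updates of every pinned action, submodule digest and regex-managed version will be pushed straight to main once branch checks pass, with no PR to review. Branch automerge is only as safe as the checks that run on `renovate/*` branches, and this same commit narrows packer-templates.yml to `workflow_dispatch`, so fewer of them run. Consider scoping this in renovate.json5 rather than the env, e.g. a rule `{ matchUpdateTypes: ["patch", "pin", "digest"], automerge: true, automergeType: "branch" }`, leaving minor updates as PRs. The `push.branches` pair `- main` / `- "!renovate/*"` is redundant since only `main` is included anyway; a comment saying the exclusion is intentional would stop someone "fixing" it.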
@@ -41,23 +47,15 @@ jobs: group: renovate steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Generate Token - uses: tibdex/github-app-token@v2 - id: generate-token + - uses: actions/create-github-app-token@86576b355dd19da0519e0bdb63d8edb5bcf76a25 # v1.7.0 + id: app-token with: - app_id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} - private_key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" - - name: Override default config from dispatch variables - run: | - echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" | tee -a "${GITHUB_ENV}" - echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" | tee -a "${GITHUB_ENV}" - echo "RENOVATE_BASE_BRANCHES=${GITHUB_REF##*/}" | tee -a "${GITHUB_ENV}" - - - name: Self-hosted Renovate - uses: renovatebot/github-action@v40.0.2 + - name: 💡 Self-hosted Renovate + uses: renovatebot/github-action@42c1d3cb1d1ca891765626ba71cdff5e757258de # v40.0.2 with: - configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}" - token: "x-access-token:${{ steps.generate-token.outputs.token }}" + token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml new file mode 100644 index 000000000..90d4309c8 --- /dev/null +++ b/.github/workflows/semantic-pull-request.yml @@ -0,0 +1,20 @@ +name: Semantic Pull Request + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +permissions: + pull-requests: read + +jobs: + main: + name: Semantic Pull Request + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 53f6d9b64..e872faa8a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,7 @@ jobs: mark-stale-issues-and-prs: runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: close-issue-message: | This issue has not seen any activity since it was marked stale. @@ -20,17 +20,13 @@ jobs: close-pr-message: | This pull request has not seen any activity since it was marked stale. Closing. - days-before-close: 14 - days-before-stale: 30 exempt-issue-labels: good-first-issue,need-help,no-stale,pinned,security - exempt-pr-labels: good-first-issue,need-help,no-stale,pinned,security - labels-to-remove-when-unstale: stale + exempt-pr-labels: "autorelease: pending,good-first-issue,need-help,no-stale,pinned,security" stale-issue-label: stale stale-issue-message: | - This issue has been automatically marked as stale because it has not - had recent activity. It will be closed if no further activity occurs. + This issue is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days stale-pr-label: stale stale-pr-message: | - This pull request has been automatically marked as stale because it - has not had recent activity. It will be closed if no further activity - occurs. Thank you for your contributions. + This PR is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days. diff --git a/.jscpd.json b/.jscpd.json new file mode 100644 index 000000000..59b76a1ba --- /dev/null +++ b/.jscpd.json @@ -0,0 +1,3 @@ +{ + "ignore": ["**"] +} diff --git a/.lycheeignore b/.lycheeignore new file mode 100644 index 000000000..479ae013a --- /dev/null +++ b/.lycheeignore 
@@ -0,0 +1,3 @@ +https://download.bleachbit.org/BleachBit- +https://github.com/actions/runner/releases/download/v +https://github.com/PowerShell/Win32-OpenSSH/releases/download/v diff --git a/.mega-linter.yml b/.mega-linter.yml new file mode 100644 index 000000000..0630a86bf --- /dev/null +++ b/.mega-linter.yml 
@@ -0,0 +1,49 @@ +# Configuration file for MegaLinter +# See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation + +ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS: + - command: ansible-galaxy install -r ansible/requirements.yml + cwd: "workspace" +ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: ansible/.ansible-lint + +BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects + +DISABLE_LINTERS: + - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead + - SPELL_CSPELL + +# Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL +EMAIL_REPORTER: false + +FAIL_IF_MISSING_LINTER_IN_FLAVOR: true + +FILTER_REGEX_EXCLUDE: CHANGELOG.md + +FORMATTERS_DISABLE_ERRORS: false + +MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml +MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md + +# Remove initial MegaLinter graphic +PRINT_ALPACA: false + +# Disable creating report directory +REPORT_OUTPUT_FOLDER: none + +# Issue: https://github.com/bridgecrewio/checkov/issues/3839 +# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty +REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7 + +# Do not leave debug code in production, Insecure URL +REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138 + +REPOSITORY_KICS_ARGUMENTS: --fail-on high + +REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yml --severity HIGH,CRITICAL + +TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: + - GITHUB_TOKEN + +TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore + +VALIDATE_ALL_CODEBASE: true diff --git a/.yamllint.yml b/.yamllint.yml deleted file mode 100644 index 7b6077b44..000000000 --- a/.yamllint.yml +++ /dev/null 
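Review bot: `REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138` disables the rule the comment above it labels "Insecure URL" for the whole repository, so any future `http://` fetch added to a script (this commit itself keeps one in upload_box_to_vagrantcloud.sh) passes DevSkim unnoticed; the inline `# DevSkim: ignore <rule>` suppressions this commit adds in build.sh and ConfigureRemotingForAnsible.ps1 are the better model, since each one is reviewable next to the line it excuses. Suggest `REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092` plus per-line suppressions for the URLs judged acceptable. `REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yml` references a file that is not in this commit's file list; confirm it exists in the tree, otherwise Trivy may error or scan without it depending on version. `ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS` runs `ansible-galaxy install -r ansible/requirements.yml` inside the linter container on every run, so the entries in that requirements file should be version-pinned, which cannot be verified from here.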
@@ -1,10 +0,0 @@ ---- -# https://yamllint.readthedocs.io/en/stable/configuration.html -extends: default - -# https://yamllint.readthedocs.io/en/stable/rules.html -rules: - # 80 chars should be enough, but don't fail if a line is longer - line-length: - max: 80 - level: warning diff --git a/PSScriptAnalyzerSettings.psd1 b/PSScriptAnalyzerSettings.psd1 new file mode 100644 index 000000000..a6c915a8a --- /dev/null +++ b/PSScriptAnalyzerSettings.psd1 @@ -0,0 +1,3 @@ +@{ + Severity=@('Error') +} diff --git a/README.md b/README.md index ef328266b..3190ead26 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,9 @@ with Packer. sudo apt install --no-install-recommends -y /tmp/vagrant_x86_64.deb rm /tmp/vagrant_x86_64.deb - sudo gpasswd -a ${USER} kvm ; sudo gpasswd -a ${USER} libvirt ; sudo gpasswd -a ${USER} vboxusers + sudo gpasswd -a "${USER}" kvm + sudo gpasswd -a "${USER}" libvirt + sudo gpasswd -a "${USER}" vboxusers vagrant plugin install vagrant-libvirt ``` @@ -160,8 +162,8 @@ with Packer. ```bash echo 'deb http://deb.debian.org/debian bullseye main contrib non-free' | sudo tee /etc/apt/sources.list.d/bullseye.list - sudo sed --regexp-extended 's/^([^#].+\s+main)$/\1 contrib non-free/;' --in-place /etc/apt/sources.list ## Ensure required apt components are enabled. - cat <&1 | tee "${LOGDIR}/${BUILD}-packer.log" - ln -rfs "${PACKER_CACHE_DIR}/$(echo -n "${ISO_CHECKSUM}" | sha1sum | awk '{ print $1 }').iso" "${PACKER_CACHE_DIR}/${NAME}.iso" + ln -rfs "${PACKER_CACHE_DIR}/$(echo -n "${ISO_CHECKSUM}" | sha1sum | awk '{ print $1 }').iso" "${PACKER_CACHE_DIR}/${NAME}.iso" # DevSkim: ignore DS126858 else echo -e "\n* File ${PACKER_IMAGES_OUTPUT_DIR}/${BUILD}.box already exists. Skipping....\n" fi diff --git a/docs/.gitlab-ci.yml b/docs/.gitlab-ci.yml index 8bfd1d6db..05b1fa7b0 100644 --- a/docs/.gitlab-ci.yml +++ b/docs/.gitlab-ci.yml 
@@ -1,5 +1,4 @@ # This file is a template, and might need editing before it works on your project. -# see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options variables: GIT_SUBMODULE_STRATEGY: recursive diff --git a/lychee.toml b/lychee.toml new file mode 100644 index 000000000..7fd4af587 --- /dev/null +++ b/lychee.toml @@ -0,0 +1,42 @@ +# https://lychee.cli.rs/#/usage/config + +############################# Cache ############################### + +# Enable link caching. This can be helpful to avoid checking the same links on +# multiple runs +cache = true + +# Discard all cached requests older than this duration +max_cache_age = "1d" + +############################# Runtime ############################# + +# Maximum number of concurrent link checks +max_concurrency = 128 + +############################# Requests ############################ + +# Comma-separated list of accepted status codes for valid links. +accept = [999] + +############################# Exclusions ########################## + +# Exclude URLs and mail addresses from checking (supports regex) +exclude = [ + # Ignore all URLs with '$' - BASH variable in URL + '\$', + # Ignore all URLs with '{ ... }' - BASH / Ansible variable in URL + '%7B.*%7D', + # Ignore all URLs which starts with 'file://' + 'file://' +] + +# Exclude these filesystem paths from getting checked +exclude_path = [ + "CHANGELOG.md", +] + +# Exclude all private IPs from checking. +# Equivalent to setting `exclude_private`, `exclude_link_local`, and +# `exclude_loopback` to true +exclude_all_private = true diff --git a/my_centos-7.json b/my_centos-7.json index b8b162147..1f4b3945f 100644 --- a/my_centos-7.json +++ b/my_centos-7.json 
@@ -48,36 +48,16 @@ "ssh_timeout": "1h", "type": "virtualbox-iso", "vboxmanage": [ - [ - "modifyvm", - "{{ .Name }}", - "--graphicscontroller", - "vmsvga" - ], - [ - "modifyvm", - "{{ .Name }}", - "--audiocontroller", - "ac97" - ], + ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"], + ["modifyvm", "{{ .Name }}", "--audiocontroller", "ac97"], [ "modifyvm", "{{ .Name }}", "--recordingfile", "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm" ], - [ - "modifyvm", - "{{ .Name }}", - "--recordingscreens", - "0" - ], - [ - "modifyvm", - "{{ .Name }}", - "--recording", - "on" - ] + ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"], + ["modifyvm", "{{ .Name }}", "--recording", "on"] ], "vm_name": "{{ user `name` }}" } @@ -95,15 +75,11 @@ "provisioners": [ { "execute_command": "echo 'vagrant' | sudo -S -E bash '{{ .Path }}'", - "scripts": [ - "scripts/linux-common/vagrant.sh" - ], + "scripts": ["scripts/linux-common/vagrant.sh"], "type": "shell" }, { - "ansible_env_vars": [ - "ANSIBLE_CONFIG=ansible/ansible.cfg" - ], + "ansible_env_vars": ["ANSIBLE_CONFIG=ansible/ansible.cfg"], "extra_arguments": [ "--become", "--extra-vars", diff --git a/my_ubuntu-server.json b/my_ubuntu-server.json index 8b0cadd67..f1779e716 100644 --- a/my_ubuntu-server.json +++ b/my_ubuntu-server.json @@ -19,9 +19,7 @@ "headless": "{{ user `headless` }}", "http_directory": "http", "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS", - "iso_urls": [ - "{{ user `ubuntu_images_url` }}/netboot/mini.iso" - ], + "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-qemu", "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now", 
@@ -49,9 +47,7 @@ "headless": "{{ user `headless` }}", "http_directory": "http", "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS", - "iso_urls": [ - "{{ user `ubuntu_images_url` }}/netboot/mini.iso" - ], + "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-virtualbox-iso", "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now", @@ -60,30 +56,15 @@ "ssh_timeout": "1h", "type": "virtualbox-iso", "vboxmanage": [ - [ - "modifyvm", - "{{ .Name }}", - "--graphicscontroller", - "vmsvga" - ], + ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"], [ "modifyvm", "{{ .Name }}", "--recordingfile", "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm" ], - [ - "modifyvm", - "{{ .Name }}", - "--recordingscreens", - "0" - ], - [ - "modifyvm", - "{{ .Name }}", - "--recording", - "on" - ] + ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"], + ["modifyvm", "{{ .Name }}", "--recording", "on"] ], "vm_name": "{{ user `name` }}" } @@ -111,9 +92,7 @@ "type": "shell" }, { - "ansible_env_vars": [ - "ANSIBLE_CONFIG=ansible/ansible.cfg" - ], + "ansible_env_vars": ["ANSIBLE_CONFIG=ansible/ansible.cfg"], "extra_arguments": [ "--become", "--extra-vars", diff --git a/my_windows.json b/my_windows.json index 7b62a3a4b..f1a0d3d36 100644 --- a/my_windows.json +++ b/my_windows.json @@ -15,12 +15,8 @@ ], "headless": "{{ user `headless` }}", "iso_checksum": "file:{{ user `iso_checksum` }}", - "iso_urls": [ - "{{ user `iso_url` }}" - ], - "cd_files": [ - "{{ user `virtio_win_iso_dir` }}" - ], + "iso_urls": ["{{ user `iso_url` }}"], + "cd_files": ["{{ user `virtio_win_iso_dir` }}"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-qemu", "shutdown_command": "A:\\sysprep.bat", 
@@ -50,51 +46,24 @@ "hard_drive_interface": "sata", "headless": "{{ user `headless` }}", "iso_checksum": "file:{{ user `iso_checksum` }}", - "iso_urls": [ - "{{ user `iso_url` }}" - ], + "iso_urls": ["{{ user `iso_url` }}"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-virtualbox-iso", "shutdown_command": "A:\\sysprep.bat", "shutdown_timeout": "15m", "type": "virtualbox-iso", "vboxmanage": [ - [ - "modifyvm", - "{{ .Name }}", - "--graphicscontroller", - "vboxsvga" - ], - [ - "modifyvm", - "{{ .Name }}", - "--audiocontroller", - "ac97" - ], + ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vboxsvga"], + ["modifyvm", "{{ .Name }}", "--audiocontroller", "ac97"], [ "modifyvm", "{{ .Name }}", "--recordingfile", "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm" ], - [ - "modifyvm", - "{{ .Name }}", - "--recordingvideofps", - "1" - ], - [ - "modifyvm", - "{{ .Name }}", - "--recordingscreens", - "0" - ], - [ - "modifyvm", - "{{ .Name }}", - "--recording", - "on" - ] + ["modifyvm", "{{ .Name }}", "--recordingvideofps", "1"], + ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"], + ["modifyvm", "{{ .Name }}", "--recording", "on"] ], "vm_name": "{{ user `name` }}", "winrm_insecure": "true", @@ -126,9 +95,7 @@ "E:\\VBoxWindowsAdditions.exe /S", "del C:\\vbox.cer" ], - "only": [ - "virtualbox-iso" - ], + "only": ["virtualbox-iso"], "type": "powershell" }, { @@ -144,9 +111,7 @@ "ansible_winrm_connection_timeout=2000" ], "user": "{{ user `winrm_username` }}", - "ansible_env_vars": [ - "ANSIBLE_CONFIG=ansible/ansible.cfg" - ], + "ansible_env_vars": ["ANSIBLE_CONFIG=ansible/ansible.cfg"], "use_proxy": false, "playbook_file": "ansible/site.yml" }, diff --git a/scripts/win-common/ConfigureRemotingForAnsible.ps1 b/scripts/win-common/ConfigureRemotingForAnsible.ps1 index 7e039bb41..a90dcb544 100644 --- a/scripts/win-common/ConfigureRemotingForAnsible.ps1 +++ b/scripts/win-common/ConfigureRemotingForAnsible.ps1 
@@ -428,7 +428,7 @@ Else } # Test a remoting connection to localhost, which should work. -$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue +$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue # DevSkim: ignore DS104456 $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue diff --git a/tools/create_remote_build_server/build_remote_ssh_ubuntu.yml b/tools/create_remote_build_server/build_remote_ssh_ubuntu.yml index fd4dc2a2e..6cf8ab9d7 100644 --- a/tools/create_remote_build_server/build_remote_ssh_ubuntu.yml +++ b/tools/create_remote_build_server/build_remote_ssh_ubuntu.yml @@ -18,6 +18,7 @@ - virtualbox - wget + # checkov:skip=CKV_SECRET_6:Base64 High Entropy String grafana_admin_passwd: grafana_admin_password builder_username: builder public_ssh_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}" @@ -181,12 +182,14 @@ ansible.builtin.command: cmd: vagrant plugin list register: vagrant_plugin_list + become: true become_user: "{{ my_ansible_user }}" changed_when: false - name: Install Vagrant Plugins ansible.builtin.command: cmd: vagrant plugin install {{ item }} + become: true become_user: "{{ my_ansible_user }}" changed_when: false loop: "{{ vagrant_plugins }}" @@ -195,6 +198,7 @@ - name: List installed Vagrant Plugins ansible.builtin.command: cmd: vagrant plugin list + become: true become_user: "{{ builder_username }}" register: vagrant_plugin_list changed_when: false @@ -202,6 +206,7 @@ - name: Install Vagrant Plugins ansible.builtin.command: cmd: vagrant plugin install {{ item }} + become: true become_user: "{{ builder_username }}" changed_when: false loop: "{{ vagrant_plugins }}" 
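Review bot: The `# checkov:skip=CKV_SECRET_6:Base64 High Entropy String` added above `grafana_admin_passwd: grafana_admin_password` suppresses the finding instead of addressing it: the value is a plaintext default admin password committed to the repo, and the justification text does not describe it (it is not a base64 string). The next line already uses an env lookup for the SSH key, so the same pattern fits here, e.g. `grafana_admin_passwd: "{{ lookup('env', 'GRAFANA_ADMIN_PASSWD') }}"` (constructed variable name), with the play failing early when it is empty. The added `become: true` lines are a genuine fix, since `become_user` alone does not switch users without `become`; that is worth a sentence in the commit message. The enclosing play starts and ends outside these hunks.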
@@ -227,6 +232,7 @@ src: https://github.com/actions/runner/releases/download/v{{ github_api_action_runner.json.tag_name[1:] }}/actions-runner-linux-x64-{{ github_api_action_runner.json.tag_name[1:] }}.tar.gz dest: /home/{{ builder_username }}/actions-runner-{{ item }} remote_src: yes + become: true become_user: "{{ builder_username }}" loop: "{{ range(1, action_runner_count + 1) | list }}" @@ -236,6 +242,7 @@ args: chdir: /home/{{ builder_username }}/actions-runner-{{ item }} creates: /home/{{ builder_username }}/actions-runner-{{ item }}/.runner + become: true become_user: "{{ builder_username }}" loop: "{{ range(1, action_runner_count + 1) | list }}" tags: actions-runner_registration diff --git a/ubuntu-desktop.json b/ubuntu-desktop.json index 769ad8667..cba892091 100644 --- a/ubuntu-desktop.json +++ b/ubuntu-desktop.json @@ -19,9 +19,7 @@ "headless": "{{ user `headless` }}", "http_directory": "http", "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS", - "iso_urls": [ - "{{ user `ubuntu_images_url` }}/netboot/mini.iso" - ], + "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-qemu", "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now", @@ -49,9 +47,7 @@ "headless": "{{ user `headless` }}", "http_directory": "http", "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS", - "iso_urls": [ - "{{ user `ubuntu_images_url` }}/netboot/mini.iso" - ], + "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"], "memory": "{{ user `memory` }}", "output_directory": "{{ user `name` }}-virtualbox-iso", "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now", 
@@ -60,36 +56,16 @@
  "ssh_timeout": "1h",
  "type": "virtualbox-iso",
  "vboxmanage": [
- [
- "modifyvm",
- "{{ .Name }}",
- "--graphicscontroller",
- "vmsvga"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--audiocontroller",
- "ac97"
- ],
+ ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"],
+ ["modifyvm", "{{ .Name }}", "--audiocontroller", "ac97"],
  [
  "modifyvm",
  "{{ .Name }}",
  "--recordingfile",
  "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm"
  ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recordingscreens",
- "0"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recording",
- "on"
- ]
+ ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"],
+ ["modifyvm", "{{ .Name }}", "--recording", "on"]
  ],
  "vm_name": "{{ user `name` }}"
 }
diff --git a/ubuntu-server.json b/ubuntu-server.json
index bdbcabbda..a6fd34368 100644
--- a/ubuntu-server.json
+++ b/ubuntu-server.json
@@ -19,9 +19,7 @@
  "headless": "{{ user `headless` }}",
  "http_directory": "http",
  "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS",
- "iso_urls": [
- "{{ user `ubuntu_images_url` }}/netboot/mini.iso"
- ],
+ "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"],
  "memory": "{{ user `memory` }}",
  "output_directory": "{{ user `name` }}-qemu",
  "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now",
@@ -49,9 +47,7 @@
  "headless": "{{ user `headless` }}",
  "http_directory": "http",
  "iso_checksum": "file:{{ user `ubuntu_images_url` }}/SHA256SUMS",
- "iso_urls": [
- "{{ user `ubuntu_images_url` }}/netboot/mini.iso"
- ],
+ "iso_urls": ["{{ user `ubuntu_images_url` }}/netboot/mini.iso"],
  "memory": "{{ user `memory` }}",
  "output_directory": "{{ user `name` }}-virtualbox-iso",
  "shutdown_command": "echo 'vagrant' | sudo -S shutdown -P now",
@@ -60,30 +56,15 @@
  "ssh_timeout": "1h",
  "type": "virtualbox-iso",
  "vboxmanage": [
- [
- "modifyvm",
- "{{ .Name }}",
- "--graphicscontroller",
- "vmsvga"
- ],
+ ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vmsvga"],
  [
  "modifyvm",
  "{{ .Name }}",
  "--recordingfile",
  "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm"
  ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recordingscreens",
- "0"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recording",
- "on"
- ]
+ ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"],
+ ["modifyvm", "{{ .Name }}", "--recording", "on"]
  ],
  "vm_name": "{{ user `name` }}"
 }
diff --git a/upload_box_to_vagrantcloud.sh b/upload_box_to_vagrantcloud.sh
index f28469ac7..49a21ba60 100755
--- a/upload_box_to_vagrantcloud.sh
+++ b/upload_box_to_vagrantcloud.sh
@@ -90,7 +90,7 @@ cmdline() {
  export UBUNTU_MAJOR_VERSION
  UBUNTU_ARCH=$(echo "${VAGRANT_CLOUD_BOX_NAME}" | awk -F '-' '{ print $4 }')
  export UBUNTU_ARCH
- UBUNTU_VERSION=$(curl -s "http://releases.ubuntu.com/${UBUNTU_MAJOR_VERSION}/SHA1SUMS" | sed -n "s/.*ubuntu-\([^-]*\)-.*-${UBUNTU_ARCH}.iso/\1/p" | head -1)
+ UBUNTU_VERSION=$(curl -s "http://releases.ubuntu.com/${UBUNTU_MAJOR_VERSION}/SHA1SUMS" | sed -n "s/.*ubuntu-\([^-]*\)-.*-${UBUNTU_ARCH}.iso/\1/p" | head -1) # DevSkim: ignore DS126858
  export UBUNTU_VERSION
  export NAME="${MY_NAME}-${UBUNTU_MAJOR_VERSION}-${UBUNTU_TYPE}-${UBUNTU_ARCH}"
  export SHORT_DESCRIPTION="Ubuntu ${UBUNTU_MAJOR_VERSION} ${UBUNTU_TYPE} (${UBUNTU_ARCH}) for libvirt and virtualbox"
diff --git a/windows.json b/windows.json
index f161bbf02..96312492b 100644
--- a/windows.json
+++ b/windows.json
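Review bot: The `# DevSkim: ignore DS126858` appended to the `UBUNTU_VERSION=` line suppresses the plain-`http://` finding instead of fixing it, and `curl -s` without `-f` means a server error page is piped straight into `sed`, so UBUNTU_VERSION can end up empty or wrong with no error reported. releases.ubuntu.com is served over TLS, so `curl -fsSL "https://releases.ubuntu.com/${UBUNTU_MAJOR_VERSION}/SHA1SUMS"` removes both the finding and the need for the exception. The derived value is only a version string used in the box name, so the exposure is limited, but the fix is cheaper than maintaining the suppression. The enclosing `cmdline()` function starts and ends outside the hunk.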
@@ -18,12 +18,8 @@
  ],
  "headless": "{{ user `headless` }}",
  "iso_checksum": "file:{{ user `iso_checksum` }}",
- "iso_urls": [
- "{{ user `iso_url` }}"
- ],
- "cd_files": [
- "{{ user `virtio_win_iso_dir` }}"
- ],
+ "iso_urls": ["{{ user `iso_url` }}"],
+ "cd_files": ["{{ user `virtio_win_iso_dir` }}"],
  "memory": "{{ user `memory` }}",
  "output_directory": "{{ user `name` }}-qemu",
  "shutdown_command": "A:\\sysprep.bat",
@@ -53,51 +49,24 @@
  "hard_drive_interface": "sata",
  "headless": "{{ user `headless` }}",
  "iso_checksum": "file:{{ user `iso_checksum` }}",
- "iso_urls": [
- "{{ user `iso_url` }}"
- ],
+ "iso_urls": ["{{ user `iso_url` }}"],
  "memory": "{{ user `memory` }}",
  "output_directory": "{{ user `name` }}-virtualbox-iso",
  "shutdown_command": "A:\\sysprep.bat",
  "shutdown_timeout": "15m",
  "type": "virtualbox-iso",
  "vboxmanage": [
- [
- "modifyvm",
- "{{ .Name }}",
- "--graphicscontroller",
- "vboxsvga"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--audiocontroller",
- "ac97"
- ],
+ ["modifyvm", "{{ .Name }}", "--graphicscontroller", "vboxsvga"],
+ ["modifyvm", "{{ .Name }}", "--audiocontroller", "ac97"],
  [
  "modifyvm",
  "{{ .Name }}",
  "--recordingfile",
  "{{ user `packer_templates_logs` }}/{{ user `name` }}-virtualbox.webm"
  ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recordingvideofps",
- "1"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recordingscreens",
- "0"
- ],
- [
- "modifyvm",
- "{{ .Name }}",
- "--recording",
- "on"
- ]
+ ["modifyvm", "{{ .Name }}", "--recordingvideofps", "1"],
+ ["modifyvm", "{{ .Name }}", "--recordingscreens", "0"],
+ ["modifyvm", "{{ .Name }}", "--recording", "on"]
  ],
  "vm_name": "{{ user `name` }}",
  "winrm_insecure": "true",
@@ -129,9 +98,7 @@
  "E:\\VBoxWindowsAdditions.exe /S",
  "del C:\\vbox.cer"
  ],
- "only": [
- "virtualbox-iso"
- ],
+ "only": ["virtualbox-iso"],
  "type": "powershell"
  },
  {
@@ -147,9 +114,7 @@
  "ansible_winrm_connection_timeout=2000"
  ],
  "user": "{{ user `winrm_username` }}",
- "ansible_env_vars": [
- "ANSIBLE_CONFIG=ansible/ansible.cfg"
- ],
+ "ansible_env_vars": ["ANSIBLE_CONFIG=ansible/ansible.cfg"],
  "use_proxy": false,
  "playbook_file": "ansible/win-simple.yml"
  },