├── .checkov.yaml ├── .cspell.json ├── .editorconfig ├── .envrc ├── .envrc-python ├── .gitallowed ├── .github ├── CODEOWNERS └── workflows │ ├── README.md │ ├── ansible-playbook-syntax.yaml │ ├── autoinstall-user-data.yaml │ ├── aws-codecommit-mirror.yaml │ ├── aws-eks-collect-logs.yaml │ ├── buildkite.yaml │ ├── checkov.yaml │ ├── close-stale.yaml │ ├── codeartifact_python_publish.yaml │ ├── codeartifact_secret.yaml │ ├── codeowners.yaml │ ├── datree-kustomize-all.yaml │ ├── datree.yaml │ ├── docker_build.yaml │ ├── docker_build_aws_ecr.yaml │ ├── docker_build_ghcr.yaml.disabled │ ├── dockerfiles.yaml │ ├── dockerhub_build.yaml │ ├── dump_contexts.yaml │ ├── eslint.yaml │ ├── flake8.yaml │ ├── fork-sync.yaml │ ├── fork-update-pr.yaml │ ├── gcp-source-repos-mirror.yaml │ ├── gitlab-mirror.yaml │ ├── groovyc.yaml │ ├── grype.yaml │ ├── infracost.yaml │ ├── jenkinsfile.yaml │ ├── jfrog_artifactory_auth_test.yaml │ ├── json.yaml │ ├── kickstart.yaml │ ├── kics.yaml │ ├── lock_branch.yaml │ ├── make.yaml │ ├── markdown.yaml │ ├── mega-linter.yaml │ ├── merge-branch.yaml │ ├── mobile-android-fastlane-build.yaml │ ├── mobile-ios-fastlane-build.yaml │ ├── mobile-ios-xcode-build.yaml │ ├── packer.yaml │ ├── packer_mac.yaml │ ├── pluto.yaml │ ├── polaris.yaml │ ├── preseed.yaml │ ├── pylint.yaml │ ├── reviewdog-pr.yaml │ ├── reviewdog.yaml │ ├── semgrep-cloud.yaml │ ├── semgrep.yaml │ ├── shellcheck.yaml │ ├── sonarcloud.yaml │ ├── sqlfluff.yaml │ ├── systemd-analyze.yaml │ ├── terraform-fmt-write.yaml │ ├── terraform-fmt.yaml │ ├── terraform-validate.yaml │ ├── terraform.yaml │ ├── tflint.yaml │ ├── tfsec-pr-commenter.yaml │ ├── tfsec.yaml │ ├── trivy.yaml │ ├── trivy_aws_ecr.yaml │ ├── trivy_image.yaml │ ├── unlock_branch.yaml │ ├── url_links.yaml │ ├── validate.yaml │ ├── xml.yaml │ └── yaml.yaml ├── .jscpd.json ├── .mdl.rb ├── .mdlrc ├── .mega-linter.yml ├── .pre-commit-config.yaml ├── .sonarlint └── connectedMode.json ├── .yamllint ├── LICENSE ├── Makefile ├── 
README.md ├── action.yaml ├── generate-docker-tags └── action.yaml ├── main.yaml └── sonar-project.properties /.checkov.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-21 16:53:29 +0000 (Mon, 21 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # C h e c k o v c o n f i g 18 | # ============================================================================ # 19 | 20 | # https://github.com/bridgecrewio/checkov#configuration-using-a-config-file 21 | # 22 | # This is not well documented but the fields seem to be the same as: 23 | # 24 | # checkov --help 25 | # 26 | # See master template at: 27 | # 28 | # https://github.com/HariSekhon/Templates/blob/master/.checkov.yaml 29 | 30 | --- 31 | compact: true 32 | directory: 33 | - . 
34 | download-external-modules: true # without this gets lots of annoying warning lines such as '2022-02-22 16:14:40,180 [MainThread ] [WARNI] Failed to download module x/y/z:n.n.n' 35 | framework: 36 | - all 37 | no-guide: true 38 | output: cli 39 | quiet: true 40 | repo-id: HariSekhon/GitHub-Actions # what to report to Bridgecrew Cloud - without this gets annoying duplicate repos such as 'harisekhon_cli_repo/github-actions' 41 | skip-suppressions: true 42 | soft-fail: true 43 | -------------------------------------------------------------------------------- /.cspell.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "0.1", 3 | "language": "en", 4 | "ignorePaths": [ 5 | "**/node_modules/**", 6 | "**/vscode-extension/**", 7 | "**/.git/**", 8 | ".vscode", 9 | "megalinter", 10 | "package-lock.json", 11 | "report" 12 | ], 13 | "words": [] 14 | } 15 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # vim:ts=4:sts=4:sw=4:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2015-10-31 19:04:34 +0000 (Sat, 31 Oct 2015) 5 | # 6 | # https://github.com/HariSekhon/GitHub-Actions 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 11 | # to help improve or steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # http://EditorConfig.org 17 | 18 | # stop recursing upwards for other .editorconfig files 19 | root = true 20 | 21 | # Unix-style newlines with a newline ending every file 22 | [*] 23 | indent_size = 4 24 | indent_style = space 25 | end_of_line = lf 26 | trim_trailing_whitespace = true 27 | insert_final_newline = true 28 | 29 | [*.go] 30 | indent_size = 4 31 | indent_style = tab 32 | end_of_line = lf 33 | 
trim_trailing_whitespace = true 34 | insert_final_newline = true 35 | 36 | [Makefile] 37 | indent_size = 4 38 | indent_style = tab 39 | end_of_line = lf 40 | trim_trailing_whitespace = true 41 | insert_final_newline = true 42 | 43 | [{*.md,*.hcl,*.tf,*.tfvars}] 44 | indent_size = 2 45 | indent_style = space 46 | end_of_line = lf 47 | trim_trailing_whitespace = true 48 | insert_final_newline = true 49 | 50 | [*.yml,*.yaml] 51 | indent_size = 2 52 | indent_style = space 53 | end_of_line = lf 54 | trim_trailing_whitespace = true 55 | insert_final_newline = true 56 | 57 | [.*] 58 | indent_size = 4 59 | indent_style = space 60 | end_of_line = lf 61 | trim_trailing_whitespace = true 62 | insert_final_newline = true 63 | 64 | # ============================================================================ # 65 | # Older Stuff, don't think I use this any more 66 | # ============================================================================ # 67 | 68 | # Matches multiple files with brace expansion notation 69 | # Set default charset 70 | #[*.{js,py}] 71 | #charset = utf-8 72 | 73 | # Indentation override for all JS under lib directory 74 | #[lib/**.js] 75 | #indent_style = space 76 | #indent_size = 2 77 | 78 | # Matches the exact files either package.json or .travis.yml 79 | #[{package.json,.travis.yml}] 80 | #indent_style = space 81 | #indent_size = 2 82 | 83 | #[*.xml] 84 | #indent_style = space 85 | #indent_size = 2 86 | -------------------------------------------------------------------------------- /.envrc-python: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # vim:ts=4:sts=4:sw=4:et 3 | # 4 | # Author: Hari Sekhon 5 | # Date: Mon Feb 22 17:42:01 2021 +0000 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this 
or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # P y t h o n D i r E n v 18 | # ============================================================================ # 19 | 20 | # .envrc to auto-load the virtualenv inside the 'venv' directory if present 21 | 22 | # https://direnv.net/man/direnv-stdlib.1.html 23 | 24 | set -euo pipefail 25 | [ -n "${DEBUG:-}" ] && set -x 26 | #srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" 27 | 28 | # this is necessary because newer versions of pip no longer allow you to install PyPI packages in system-packages by default 29 | for venv in "$PWD/venv" "$HOME/venv"; do 30 | if [ -f "$venv/bin/activate" ]; then 31 | echo 32 | echo "Virtualenv directory found in: $venv" 33 | echo 34 | echo "Activating Virtualenv inside the directory: $venv" 35 | 36 | # shellcheck disable=SC1091 37 | source "$venv/bin/activate" 38 | break 39 | fi 40 | done 41 | 42 | # read .env too 43 | #dotenv 44 | -------------------------------------------------------------------------------- /.gitallowed: -------------------------------------------------------------------------------- 1 | AWS_ACCOUNT_ID 2 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2021-11-09 15:14:59 +0000 (Tue, 09 Nov 2021) 4 | # 5 | # vim:ts=4:sts=4:sw=4:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # 
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners 17 | 18 | # Good in theory, to alert on PR changes to these code paths, but for public repos which may be forked and run .github/workflows/fork-update.yaml, this will result in a lot of spam 19 | 20 | # Tips: 21 | # 22 | # * includes changes under .github/ 23 | # dir/* only matches first level file changes but doesn't recurse 24 | # dir/ recurses 25 | # 26 | # - CODEOWNERS in base branch of PR determines review request 27 | # - paths are case sensitive 28 | # - last match wins, use * at top for overall owner then override with more specific teams 29 | 30 | #* @harisekhon # username or email address 31 | #* @myorg/platform-engineering # team based is the way to go - team must have Write access to the repo regardless of if individuals have access 32 | #* @myorg/devops 33 | #k8s @myorg/devops @myorg/sre-team 34 | #apps/ @myorg/developers 35 | #apps/dir2 # ignores dir2 as no owner/team specified on this line 36 | #src/ @myorg/developers 37 | #docs/ docs@example.com 38 | #.github/workflows @ci-cd-team 39 | -------------------------------------------------------------------------------- /.github/workflows/ansible-playbook-syntax.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-10-09 04:59:31 +0300 (Wed, 09 Oct 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # A n s i b l e P l a y b o o k S y n t a x C h e c k 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Ansible Playbook 
Syntax Check 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | debug: 25 | type: string 26 | required: false 27 | default: false 28 | workflow_dispatch: 29 | inputs: 30 | debug: 31 | type: boolean 32 | required: false 33 | default: false 34 | #schedule: 35 | # - cron: '0 0 * * 1' 36 | 37 | permissions: 38 | contents: read 39 | 40 | defaults: 41 | run: 42 | shell: bash -euxo pipefail {0} 43 | 44 | env: 45 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 46 | 47 | jobs: 48 | ansible_playbook_syntax_check: 49 | name: Ansible Playbook Syntax Check 50 | runs-on: ubuntu-latest 51 | steps: 52 | - name: Linux Release 53 | if: runner.os == 'Linux' 54 | run: | 55 | [ -e /.dockerenv ] && ls -l /.dockerenv 56 | echo 57 | cat /etc/*-release 58 | 59 | - name: Linux Hardware 60 | if: runner.os == 'Linux' 61 | run: | 62 | set +x 63 | echo -n "CPUs: " 64 | nproc 65 | echo 66 | free -g 67 | echo 68 | df -h 69 | 70 | - name: Environment 71 | run: env | sort 72 | 73 | - name: Git version 74 | run: git --version 75 | 76 | - uses: actions/checkout@v3 77 | with: 78 | submodules: recursive # requires Git 2.18+ to be installed first 79 | 80 | - name: Install Ansible 81 | run: pip3 install ansible 82 | 83 | - name: Ansible Playbook Syntax Check 84 | run: | 85 | find . 
-name 'playbook.y*ml' -type f | 86 | xargs -I {} sh -c 'ansible-playbook {} --syntax-check || exit 1' # NOTE(review): sh -c splices each found path into a command string, so a path containing shell metacharacters is parsed rather than passed through; `find . -name 'playbook.y*ml' -type f -print0 | xargs -0 -I {} ansible-playbook {} --syntax-check` passes each path as an argument, and xargs still returns non-zero under pipefail when any check fails 87 | -------------------------------------------------------------------------------- /.github/workflows/autoinstall-user-data.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2023-05-31 01:49:54 +0100 (Wed, 31 May 2023) 5 | # 6 | # https://github.com/HariSekhon/Templates 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # ============================================================================ # 16 | # U b u n t u A u t o I n s t a l l e r / C l o u d - I n i t 17 | # ============================================================================ # 18 | 19 | --- 20 | name: Ubuntu AutoInstaller Cloud-Init 21 | 22 | on: # yamllint disable-line rule:truthy 23 | workflow_call: 24 | inputs: 25 | files: 26 | description: The Ubuntu AutoInstaller Cloud-Init user-data file paths to validate, separate by spaces 27 | type: string 28 | required: false 29 | default: autoinstall-user-data 30 | 31 | permissions: 32 | contents: read 33 | 34 | concurrency: 35 | group: ${{ github.workflow }}-${{ github.ref }} 36 | cancel-in-progress: true 37 | 38 | defaults: 39 | run: 40 | shell: bash -euxo pipefail {0} 41 | 42 | env: 43 | DEBIAN_FRONTEND: noninteractive 44 | 45 | jobs: 46 | cloudinit: 47 | name: Cloud-Init 48 | timeout-minutes: 10 49 | runs-on: ubuntu-latest 50 | container: ubuntu 51 | steps: 52 | - name: Linux Release 53 | if: runner.os == 'Linux' 54 | run: | 55 | [ -e /.dockerenv ] && ls -l /.dockerenv 56 | echo 57 | cat /etc/*-release 58 | 59 | - name: Linux Hardware 60 | if: runner.os == 'Linux' 61 | run: | 62 | set +x 63 | echo 
-n "CPUs: " 64 | nproc 65 | echo 66 | free -g 67 | echo 68 | df -h 69 | 70 | - name: Environment 71 | run: env | sort 72 | 73 | - name: Git version 74 | run: git --version 75 | 76 | - uses: actions/checkout@v3 77 | #name: Git Checkout # better to show the action@version 78 | 79 | - name: Install Cloud-Init 80 | run: | 81 | apt-get update 82 | apt-get install cloud-init -y 83 | 84 | - name: Validate AutoInstall User Data 85 | run: | 86 | for file in ${{ inputs.files }}; do 87 | echo "Validating $file" 88 | echo 89 | cloud-init schema --config-file "$file" 90 | echo 91 | done 92 | -------------------------------------------------------------------------------- /.github/workflows/aws-codecommit-mirror.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-03-30 13:01:09 +0100 (Wed, 30 Mar 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # A W S C o d e C o m m i t M i r r o r 16 | # ============================================================================ # 17 | 18 | --- 19 | name: AWS CodeCommit Mirror 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | organization: 25 | description: The GitHub Organization that owns the repos (defaults to the user of the given GITHUB_TOKEN) 26 | type: string 27 | required: false 28 | repos: 29 | description: List of repos to mirror, space separated (otherwise iterates and mirrors all repos belonging to the GITHUB_ORGANIZATION or GITHUB_USER) 30 | type: string 31 | required: false 32 | default: "" 33 | clear_cache: 34 | type: string 35 | required: false 36 | default: false 37 | force_mirror: 38 | type: 
string 39 | required: false 40 | default: false 41 | debug: 42 | type: string 43 | required: false 44 | default: false 45 | secrets: 46 | GH_TOKEN: 47 | description: GitHub Token with permissions 'repo' and 'read:org' to list GitHub repos 48 | required: true 49 | AWS_ACCESS_KEY_ID: 50 | description: AWS access key ID with permissions to create new repos to mirror to 51 | required: true 52 | AWS_SECRET_ACCESS_KEY: 53 | description: AWS secret access key with permissions to create new repos to mirror to 54 | required: true 55 | # the reason this is a secret and not an input is because you can set this secret Organization wide on GitHub and just inherit it 56 | AWS_DEFAULT_REGION: 57 | description: AWS region where the repos should exist 58 | required: true 59 | AWS_GIT_USER: 60 | description: AWS Git username (optional), falls back to using git-remote-codecommit python module to use IAM integration otherwise 61 | required: false 62 | AWS_GIT_PASSWORD: 63 | description: AWS Git password (optional), falls back to using git-remote-codecommit python module to use IAM integration otherwise 64 | required: false 65 | 66 | permissions: 67 | contents: read 68 | 69 | defaults: 70 | run: 71 | shell: bash -euxo pipefail {0} 72 | 73 | env: 74 | REPOS: ${{ inputs.repos }} 75 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} 76 | GITHUB_ORGANIZATION: ${{ inputs.organization }} 77 | AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} 78 | AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 79 | AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} 80 | AWS_GIT_USER: ${{ secrets.AWS_GIT_USER }} 81 | AWS_GIT_PASSWORD: ${{ secrets.AWS_GIT_PASSWORD }} 82 | DEBIAN_FRONTEND: noninteractive 83 | CLEAR_CACHE: ${{ inputs.clear_cache == 'true' || github.event.inputs.clear_cache == 'true' }} 84 | FORCE_MIRROR: ${{ inputs.force_mirror == 'true' || github.event.inputs.force_mirror == 'true' }} 85 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 86 | 87 | 
concurrency: 88 | group: ${{ github.workflow }} 89 | cancel-in-progress: false # killing this part way through may leave inconsistencies 90 | 91 | jobs: 92 | codecommit_mirror: 93 | name: Mirror Repos to AWS CodeCommit 94 | # the schedule event doesn't have github.event.repository.* to compare branches so needs to just check for event_name instead 95 | #if: | 96 | # github.event.repository.fork == false && 97 | # ( 98 | # github.event_name == 'schedule' || 99 | # ( github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch ) 100 | # ) 101 | runs-on: ubuntu-latest 102 | container: harisekhon/bash-tools 103 | steps: 104 | - name: Linux Release 105 | if: runner.os == 'Linux' 106 | run: | 107 | [ -e /.dockerenv ] && ls -l /.dockerenv 108 | echo 109 | cat /etc/*-release 110 | 111 | - name: Linux Hardware 112 | if: runner.os == 'Linux' 113 | run: | 114 | set +x 115 | echo -n "CPUs: " 116 | nproc 117 | echo 118 | free -g 119 | echo 120 | df -h 121 | 122 | - name: Environment 123 | run: env | sort 124 | 125 | - name: Git version 126 | run: git --version 127 | 128 | # not needed since everything is done via the GitHub and GitLab APIs and iterated checkouts 129 | #- uses: actions/checkout@v3 130 | 131 | - uses: actions/cache@v4 132 | with: 133 | path: /tmp/github_mirror_to_aws_codecommit 134 | key: github-mirror-to-aws-codecommit 135 | restore-keys: | 136 | github-mirror-to-aws-codecommit 137 | 138 | - name: Mirror Repos 139 | run: github_mirror_repos_to_aws_codecommit.sh $REPOS 140 | -------------------------------------------------------------------------------- /.github/workflows/buildkite.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2025-03-15 01:17:46 +0800 (Sat, 15 Mar 2025) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and 
optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # B u i l d K i t e A g e n t R u n n e r 16 | # ============================================================================ # 17 | 18 | # Runs BuildKite Builds 19 | 20 | --- 21 | name: BuildKite Agent 22 | 23 | on: # yamllint disable-line rule:truthy 24 | push: 25 | paths: 26 | - .github/workflows/buildkite.yaml # this workflow 27 | workflow_call: 28 | inputs: 29 | debug: 30 | type: string 31 | required: false 32 | default: false 33 | secrets: 34 | BUILDKITE_AGENT_TOKEN: 35 | required: true 36 | workflow_dispatch: 37 | inputs: 38 | debug: 39 | type: string 40 | required: false 41 | default: false 42 | secrets: 43 | BUILDKITE_AGENT_TOKEN: 44 | required: true 45 | schedule: 46 | # - min interval is 5 mins 47 | # - scheduling may be delayed during periods of high load on GitHub Actions infra, such as at the top of every hour 48 | # - '*' is a special character in YAML so you have to quote this string 49 | #- cron: '*/5 * * * *' # NOTE(review): the active expression below has '*' in the minute field, so it matches every minute of hours 0, 4, 8, ... rather than once every 4 hours; if one run every 4 hours was intended, '0 */4 * * *' is the form — confirm, since each match starts a new agent job with the agent token 50 | - cron: '* */4 * * *' 51 | 52 | permissions: 53 | contents: read 54 | 55 | defaults: 56 | run: 57 | shell: bash -euxo pipefail {0} 58 | 59 | env: 60 | BUILDKITE_AGENT_TOKEN: ${{ secrets.BUILDKITE_AGENT_TOKEN }} # NOTE(review): job-wide env makes the token visible to every step, including the 'env | sort' step later in this job; only log redaction of registered secrets keeps it out of the output — consider scoping it to the agent step via step-level env: 61 | #BUILDKITE_AGENT_SPAWN: 1 62 | BUILDKITE_AGENT_SPAWN_PER_CPU: 2 # mutually exclusive with BUILDKITE_AGENT_SPAWN 63 | #BUILDKITE_AGENT_DISCONNECT_AFTER_JOB: 1 64 | BUILDKITE_AGENT_DISCONNECT_AFTER_IDLE_TIMEOUT: 30 # seconds 65 | BUILDKITE_CANCEL_GRACE_PERIOD: 10 66 | BUILDKITE_WRITE_JOB_LOGS_TO_STDOUT: 1 67 | #BUILDKITE_AGENT_QUEUE: 68 | #BUILDKITE_AGENT_TAGS: 69 | BUILDKITE_AGENT_TAGS_FROM_HOST: 1 70 | #BUILDKITE_NO_PTY: 1 71 | #BUILDKITE_AGENT_LOG_LEVEL: # debug, info, error, warn, fatal 72 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 73 | 74 | jobs: 75 | buildkite: 76 | name: BuildKite Agent 77 | runs-on: 
ubuntu-latest 78 | container: buildkite/agent:ubuntu 79 | steps: 80 | - name: Linux Release 81 | if: runner.os == 'Linux' 82 | run: | 83 | [ -e /.dockerenv ] && ls -l /.dockerenv 84 | echo 85 | cat /etc/*-release 86 | 87 | - name: Linux Hardware 88 | if: runner.os == 'Linux' 89 | run: | 90 | set +x 91 | echo -n "CPUs: " 92 | nproc 93 | echo 94 | free -g 95 | echo 96 | df -h 97 | 98 | - name: Environment 99 | run: env | sort 100 | 101 | - name: Git version 102 | run: git --version 103 | 104 | #- uses: actions/checkout@v3 105 | 106 | - name: Run BuildKite Agent 107 | run: buildkite-agent start 108 | -------------------------------------------------------------------------------- /.github/workflows/checkov.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Wed Jan 19 18:22:02 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # C h e c k o v G i t H u b W o r k f l o w 16 | # ============================================================================ # 17 | 18 | # Static analysis of Terraform code - publishes report to GitHub Security tab 19 | 20 | # https://github.com/bridgecrewio/checkov-action 21 | 22 | --- 23 | name: Checkov 24 | 25 | on: # yamllint disable-line rule:truthy 26 | push: 27 | branches: 28 | - master 29 | - main 30 | paths-ignore: 31 | - '**/README.md' 32 | pull_request: 33 | branches: 34 | - master 35 | - main 36 | paths-ignore: 37 | - '**/README.md' 38 | workflow_call: 39 | inputs: 40 | framework: 41 | type: string 42 | default: all 43 | required: false 44 | debug: 45 | type: string 46 | required: false 47 | default: false 48 | workflow_dispatch: 49 | 
inputs: 50 | debug: 51 | type: boolean 52 | required: false 53 | default: false 54 | schedule: 55 | - cron: '0 0 * * 1' 56 | 57 | permissions: 58 | actions: read 59 | contents: read 60 | security-events: write 61 | 62 | defaults: 63 | run: 64 | shell: bash -euxo pipefail {0} 65 | 66 | env: 67 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 68 | 69 | jobs: 70 | checkov: 71 | name: Checkov Scan 72 | runs-on: ubuntu-latest 73 | 74 | # Skip any PR created by dependabot to avoid permission issues 75 | # github.event.repository.fork isn't available in scheduled workflows 76 | # can't prevent forks of this repo, because also prevents caller workflows 77 | if: github.actor != 'dependabot[bot]' 78 | 79 | steps: 80 | - name: Linux Release 81 | if: runner.os == 'Linux' 82 | run: | 83 | [ -e /.dockerenv ] && ls -l /.dockerenv 84 | echo 85 | cat /etc/*-release 86 | 87 | - name: Linux Hardware 88 | if: runner.os == 'Linux' 89 | run: | 90 | set +x 91 | echo -n "CPUs: " 92 | nproc 93 | echo 94 | free -g 95 | echo 96 | df -h 97 | 98 | - name: Environment 99 | run: env | sort 100 | 101 | - name: Git version 102 | run: git --version 103 | 104 | - name: Generate LOG_LEVEL environment variable 105 | run: | 106 | if [ -n "$DEBUG" ]; then 107 | echo "LOG_LEVEL=DEBUG" >> "$GITHUB_ENV" 108 | else 109 | echo "LOG_LEVEL=WARNING" >> "$GITHUB_ENV" 110 | fi 111 | 112 | - name: Set up Python 3.13 113 | uses: actions/setup-python@v1 # NOTE(review): the v1 major of this action is several years older than the 3.13.2 version requested below — confirm it can still resolve that release, or move to a current major 114 | with: 115 | python-version: 3.13.2 116 | 117 | - name: Git version 118 | run: git --version 119 | 120 | - uses: actions/checkout@v3 121 | with: 122 | submodules: recursive # requires Git 2.18+ to be installed first 123 | 124 | - name: Checkov 125 | id: checkov 126 | uses: bridgecrewio/checkov-action@master # NOTE(review): 'master' is a moving branch ref, so the action code this job runs (with security-events: write granted above) can change without any change to this file; pinning to a release tag or a full commit SHA makes the dependency reviewable and reproducible 127 | with: 128 | directory: . 129 | #check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list 130 | #skip_check: CKV_AWS_2 # optional: skip a specific check_id. 
can be comma separated list 131 | quiet: true # optional: display only failed checks 132 | soft_fail: true # optional: do not return an error code if there are failed checks 133 | #framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} 134 | framework: ${{ inputs.framework }} 135 | output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif 136 | compact: true # avoids output length related errors like "An error occurred trying to start process '/home/runner/runners/2.294.0/externals/node12/bin/node' with working directory '/home/runner/work/terraform/terraform'. Argument list too long" 137 | download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry 138 | #log_level: DEBUG # optional: set log level. Default WARNING 139 | log_level: ${{ env.LOG_LEVEL }} 140 | #config_file: path/this_file # using .checkov.yaml at root of each repo by default 141 | #baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline. 
142 | #container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues 143 | 144 | - name: Upload SARIF file 145 | uses: github/codeql-action/upload-sarif@v2 146 | with: 147 | # Path to SARIF file relative to the root of the repository 148 | sarif_file: results.sarif 149 | -------------------------------------------------------------------------------- /.github/workflows/close-stale.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-16 12:36:04 +0000 (Wed, 16 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # C l o s e S t a l e I s s u e s a n d P R s 18 | # ============================================================================ # 19 | 20 | --- 21 | name: Close Stale Issues and PRs 22 | on: # yamllint disable-line rule:truthy 23 | workflow_call: 24 | inputs: 25 | debug: 26 | type: string 27 | required: false 28 | default: false 29 | 30 | permissions: 31 | issues: write 32 | pull-requests: write 33 | 34 | defaults: 35 | run: 36 | shell: bash -euxo pipefail {0} 37 | 38 | env: 39 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 40 | 41 | jobs: 42 | stale: 43 | runs-on: ubuntu-latest 44 | steps: 45 | - uses: actions/stale@v4 46 | with: 47 | exempt-issue-labels: pinned 48 | stale-pr-label: stale 49 | stale-issue-label: stale 50 | -------------------------------------------------------------------------------- /.github/workflows/codeartifact_secret.yaml: 
-------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-05-20 09:14:27 +0100 (Fri, 20 May 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # A W S C o d e A r t i f a c t S e c r e t 18 | # ============================================================================ # 19 | 20 | # Generates an AWS CodeArtifact auth token valid for 12 hours and uploads it into the given GitHub repos secrets or 21 | # if no repos are specified the calling GitHub repo's secrets for use in other workflows to minimize Docker cache misses 22 | # 23 | # This prevents constant cache invalidations in Dockerfile 'ARG CODEARTIFACT_AUTH_TOKEN' within the same 12 hour period 24 | # 25 | # The other option is to generate CODEARTIFACT_AUTH_TOKEN inside a RUN step, but this requires AWS CLI or similar and may be too heavy for light images bases 26 | 27 | --- 28 | name: CodeArtifact Secret 29 | 30 | on: # yamllint disable-line rule:truthy 31 | workflow_call: 32 | inputs: 33 | repos: 34 | description: The GitHub repos to upload CODEARTIFACT_AUTH_TOKEN secret to. 
Defaults to the local caller repo
        type: string
        required: false
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      AWS_DEFAULT_REGION:
        required: true
      AWS_CODEARTIFACT_DOMAIN:
        required: true
      # PAT token needed to be able to read public key and write a secret to the repo
      # Token permissions must be:
      #
      #   repo (full)
      #   read:org
      #
      # NOTE(review): a classic PAT with full 'repo' scope grants read/write on every repository
      # the token owner can reach, not only the repos named in the 'repos' input - a dedicated
      # CI account limits the blast radius if this secret leaks
      GH_TOKEN:
        required: true

# every 'run' step is shell-traced (-x) unless the step itself does 'set +x';
# this matters for the token-generating step below
defaults:
  run:
    shell: bash -euxo pipefail {0}

# NOTE(review): no top-level 'permissions:' block is visible in this part of the file, so the
# job's github.token keeps the repository default permissions; the steps only use the GH_TOKEN
# PAT, but an explicit 'permissions: contents: read' (as the sibling workflows set) would make
# that least-privilege intent explicit - confirm against the top of the file
jobs:
  codeartifact_token:
    name: Generate CODEARTIFACT_AUTH_TOKEN Secret
    runs-on: ubuntu-latest
    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      # prints the whole environment; secrets-context values are masked by the runner,
      # so this only relies on that masking, nothing else is protecting them here
      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      # NOTE(review): these are long-lived static IAM user keys held as GitHub secrets; the same
      # action also supports OIDC federation ('role-to-assume' plus the 'id-token: write'
      # permission), which leaves no long-lived AWS credential on the GitHub side
      - name: Configure AWS credentials
        id: configure-aws-credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}

      - name: Generate CODEARTIFACT_AUTH_TOKEN environment variable
        env:
          AWS_CODEARTIFACT_DOMAIN: ${{ secrets.AWS_CODEARTIFACT_DOMAIN }}
        run: |
          # don't shell trace this step because it will expose the token in the logs before we can mask it
          set +x
          # the account id is interpolated into the script at template time; that is acceptable
          # here because it is this job's own action output, not a user-controlled value
          CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token \
                                      --domain "$AWS_CODEARTIFACT_DOMAIN" \
                                      --domain-owner "${{ steps.configure-aws-credentials.outputs.aws-account-id }}" \
                                      --query authorizationToken \
                                      --output text \
                                      --duration-seconds 43200)"
          # duration = 12 hours - this is the max allowed by AWS
          # https://docs.aws.amazon.com/codeartifact/latest/ug/tokens-authentication.html
          echo "CODEARTIFACT_AUTH_TOKEN=$CODEARTIFACT_AUTH_TOKEN" >> "$GITHUB_ENV"
          # registering the mask here is what keeps the token out of the -x trace of the later
          # 'gh secret set ... --body "$CODEARTIFACT_AUTH_TOKEN"' step, which runs with the job
          # default shell options and does not 'set +x'
          echo "::add-mask::$CODEARTIFACT_AUTH_TOKEN"

      - name: Authenticate GitHub CLI
        env:
          TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          # token is fed on stdin rather than as a command-line argument
          gh auth login --with-token <<< "$TOKEN"
          gh auth status

      - name: Upload CODEARTIFACT_AUTH_TOKEN to GitHub Repo(s) Secret
        env:
          REPOS: ${{ inputs.repos || env.GITHUB_REPOSITORY }}
        run: |
          exitcode=0
          # REPOS is deliberately word-split so the input may be newline- or space-separated
          for repo in $(tr '\n' ' ' <<< "$REPOS"); do
            # keeps going on a failed repo and reports the failure via the exit code at the end
            if ! gh secret set -R "$repo" 'CODEARTIFACT_AUTH_TOKEN' --body "$CODEARTIFACT_AUTH_TOKEN"; then
              exitcode=1
            fi
            echo
          done
          exit "$exitcode"
--------------------------------------------------------------------------------
/.github/workflows/codeowners.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
#  Date: 2022-02-24 14:04:44 +0000 (Thu, 24 Feb 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/GitHub-Actions
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                             C o d e O w n e r s
# ============================================================================ #

# Validates .github/CODEOWNERS file syntax

---
name: Codeowners

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
      - main
    paths:
      - CODEOWNERS
      - .github/CODEOWNERS
  pull_request:
    branches:
      - master
- main 37 | paths: 38 | - CODEOWNERS 39 | - .github/CODEOWNERS 40 | workflow_call: 41 | inputs: 42 | debug: 43 | type: string 44 | required: false 45 | default: false 46 | workflow_dispatch: 47 | inputs: 48 | debug: 49 | type: boolean 50 | required: false 51 | default: false 52 | #schedule: 53 | # - cron: '0 0 * * 1' 54 | 55 | permissions: 56 | contents: read 57 | 58 | defaults: 59 | run: 60 | shell: bash -euxo pipefail {0} 61 | 62 | env: 63 | GH_TOKEN: ${{ github.token }} 64 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 65 | 66 | jobs: 67 | validate: 68 | name: Validate CODEOWNERS 69 | runs-on: ubuntu-latest 70 | container: harisekhon/bash-tools:latest 71 | steps: 72 | - name: Linux Release 73 | if: runner.os == 'Linux' 74 | run: | 75 | [ -e /.dockerenv ] && ls -l /.dockerenv 76 | echo 77 | cat /etc/*-release 78 | 79 | - name: Linux Hardware 80 | if: runner.os == 'Linux' 81 | run: | 82 | set +x 83 | echo -n "CPUs: " 84 | nproc 85 | echo 86 | free -g 87 | echo 88 | df -h 89 | 90 | - name: Environment 91 | run: env | sort 92 | 93 | - name: Git version 94 | run: git --version 95 | 96 | - name: GH CLI auth status 97 | run: | 98 | gh config set prompt disabled 99 | gh auth status 100 | 101 | - name: Check Codeowners Errors 102 | run: | 103 | check_github_codeowners.sh "$GITHUB_REPOSITORY" "$GITHUB_REF_NAME" 104 | -------------------------------------------------------------------------------- /.github/workflows/datree-kustomize-all.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-05-12 16:37:55 +0100 (Thu, 12 May 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # 
============================================================================ #
#                 D a t r e e   K u s t o m i z a t i o n   T e s t   A l l
# ============================================================================ #

# https://github.com/datreeio/action-datree

# Logs results to https://app.datree.io

---
name: Datree Kustomize All

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      path:
        type: string
        default: '.'
        required: false
      # https://hub.datree.io/setup/cli-arguments
      cliArguments:
        type: string
        default: --only-k8s-files
        required: false
    secrets:
      DATREE_TOKEN:
        required: true

permissions:
  contents: read

defaults:
  run:
    shell: bash -euxo pipefail {0}

# workflow-level env is inherited by every step, including 'env | sort' and the installed
# datree binary; the token value is masked in logs because it comes from the secrets context
env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
  DIR: ${{ inputs.path }}
  ARGS: ${{ inputs.cliArguments }}

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - name: Checkout
        uses: actions/checkout@v3

      # NOTE(review): no 'ref' is given, so this fetches the default-branch HEAD (and submodule
      # HEADs) of a separate repo and the 'Install Datree' step below executes a script from it;
      # pinning 'ref' to a tag or commit SHA bounds what code can run in this job
      - uses: actions/checkout@v3
        with:
          repository: HariSekhon/DevOps-Bash-tools
          submodules: 'true'  # requires Git 2.18+ to be installed first
          path: bash-tools

      - name: Environment
        run: env | sort

      # because recursive glob will fail on Bash < 4 as per:
      #
      #   https://github.com/datreeio/datree/issues/618
      #
      - name: Bash version
        run: bash --version

      - name: Install Datree
        run: bash-tools/install/install_datree.sh

      - name: Datree version
        run: datree version

      - name: Datree Kustomize All Policy Check
        run: |
          set -euxo pipefail
          # render every kustomization found under DIR so the resulting manifests can be checked
          find "$DIR" -type f -name 'kustomization.y*ml' |
          while read -r kustomization; do
            echo "Materializing $kustomization -> $kustomization.materialized"
            dir="$(dirname "$kustomization")"
            pushd "$dir" >/dev/null
            # NOTE(review): the rendered file ends in '.materialized', which the '**.yaml' glob
            # below does not appear to match - confirm datree actually picks these up
            kustomize build --enable-helm > kustomization.yaml.materialized
            popd >/dev/null
          done
          # XXX: doesn't support --enable-helm yet needed for my Kubernetes-configs repo
          # NOTE(review): '**' is only recursive with 'shopt -s globstar', which this step does not
          # set, so this looks like it expands as '*.yaml' (one directory level) - verify
          # ${ARGS:-} is deliberately unquoted so the caller's cliArguments input is word-split
          # into separate options; it is therefore also subject to shell globbing
          datree test "$DIR"/**.yaml ${ARGS:-}
--------------------------------------------------------------------------------
/.github/workflows/datree.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
#  Date: 2022-05-12 16:37:55 +0100 (Thu, 12 May 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/GitHub-Actions
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                                  D a t r e e
# ============================================================================ #

# https://github.com/datreeio/action-datree

# Logs results to https://app.datree.io

---
name: Datree

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      path:
        type: string
        # recursive glob doesn't work:
        #
        #   https://github.com/datreeio/action-datree/issues/3
        #   https://github.com/datreeio/datree/issues/618
        #
        # should be fixed now
        default: '**/*.y*ml'
        #default: '*.y*ml'
        required: false
      # https://hub.datree.io/setup/cli-arguments
      cliArguments:
        type: string
        default: --only-k8s-files
        required: false
      # string rather than boolean: the step below compares it against the literal 'true'
      isHelmChart:
        #type: boolean
        type: string
        required: false
      helmArguments:
        # eg. '--values values.yaml'
        type: string
        required: false
      isKustomization:
        #type: boolean
        type: string
        required: false
      kustomizeArguments:
        type: string
        required: false
    secrets:
      DATREE_TOKEN:
        required: true

permissions:
  contents: read

defaults:
  run:
    shell: bash -euxo pipefail {0}

# workflow-level env, so the token is inherited by every step including the third-party
# action below (its intended consumer) and the 'env | sort' step; the runner masks the value
# in logs because it originates from the secrets context
env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - name: Checkout
        uses: actions/checkout@v3

      # because recursive glob will fail on Bash < 4 as per:
      #
      #   https://github.com/datreeio/datree/issues/618
      #
      - name: Bash version
        run: bash --version

      # NOTE(review): '@main' tracks the action's default branch, so the code that receives
      # DATREE_TOKEN and reads the checkout can change without any change to this workflow;
      # a release tag or full commit SHA pin is the usual supply-chain control here
      - name: Datree Policy Check
        uses: datreeio/action-datree@main
        with:
          path: ${{ inputs.path }}
          cliArguments: --output simple ${{ inputs.cliArguments }}
          isHelmChart: ${{ inputs.isHelmChart == 'true' }}
          helmArguments: ${{ inputs.helmArguments }}
          isKustomization: ${{ inputs.isKustomization == 'true' }}
          kustomizeArguments: ${{ inputs.kustomizeArguments }}
--------------------------------------------------------------------------------
/.github/workflows/dockerfiles.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
| # Date: 2022-05-26 14:09:11 +0100 (Thu, 26 May 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # C h e c k D o c k e r f i l e s 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Dockerfiles 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**Dockerfile**' 28 | pull_request: 29 | branches: 30 | - master 31 | - main 32 | paths: 33 | - '**Dockerfile**' 34 | workflow_call: 35 | inputs: 36 | debug: 37 | type: string 38 | required: false 39 | default: false 40 | workflow_dispatch: 41 | inputs: 42 | debug: 43 | type: boolean 44 | required: false 45 | default: false 46 | #schedule: 47 | # - cron: '0 0 * * 1' 48 | 49 | permissions: 50 | contents: read 51 | 52 | defaults: 53 | run: 54 | shell: bash -euxo pipefail {0} 55 | 56 | env: 57 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 58 | 59 | jobs: 60 | check_dockerfiles: 61 | name: Lint Dockerfiles 62 | runs-on: ubuntu-latest 63 | container: harisekhon/bash-tools 64 | 65 | steps: 66 | - name: Linux Release 67 | if: runner.os == 'Linux' 68 | run: | 69 | [ -e /.dockerenv ] && ls -l /.dockerenv 70 | echo 71 | cat /etc/*-release 72 | 73 | - name: Linux Hardware 74 | if: runner.os == 'Linux' 75 | run: | 76 | set +x 77 | echo -n "CPUs: " 78 | nproc 79 | echo 80 | free -g 81 | echo 82 | df -h 83 | 84 | - name: Environment 85 | run: env | sort 86 | 87 | - name: Git version 88 | run: git --version 89 | 90 | - uses: actions/checkout@v3 91 | with: 92 | submodules: recursive # requires Git 2.18+ to be installed first 93 | 94 | - name: Check Dockerfiles 95 
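run: check_dockerfiles.sh
--------------------------------------------------------------------------------
/.github/workflows/dump_contexts.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
#  Date: 2022-02-18 18:29:44 +0000 (Fri, 18 Feb 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/GitHub-Actions
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                     G i t H u b   D u m p   C o n t e x t s
# ============================================================================ #

# Dumps all GitHub contexts for debugging - not recommended for public repositories in case sensitive information is dumped to public logs
#
# The 'github' context dump below includes the full event payload (PR titles and bodies,
# commit messages, actor names, inputs) verbatim; only secret values are masked by the
# runner, so treat the job log as sensitive on any repo with untrusted contributors.
#
# Fixes in this revision (review):
#   - 'runs-on' read an undeclared 'inputs.runs-on' (always empty); the declared input is 'os'
#   - the macOS step conditions used double-quoted strings, which the expression syntax
#     does not accept (string literals must be single-quoted)
#   - the steps-context step echoed '$STEP_CONTEXT' but the variable set is 'STEPS_CONTEXT'

---
name: Dump Contexts

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      os:
        type: string
        required: false
        description: OS to run on (defaults to both Ubuntu Linux and macOS)
      debug:
        type: string
        required: false
        default: false
  # in calling workflow, you may want to do
  #schedule:
  #  # 1st of every month, see if anything has changed
  #  - cron: '0 0 1 * *'

# read-only token: this job checks nothing out and only prints contexts
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }}

jobs:
  dump_contexts:
    name: Dump Contexts
    #runs-on: ubuntu-latest
    #container: ubuntu:latest
    # a caller-supplied 'os' overrides the matrix value for every matrix leg
    # (was 'inputs.runs-on', which is not a declared input and so never took effect)
    runs-on: ${{ inputs.os || github.event.inputs.os || matrix.os }}
    strategy:
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
    # run inside a Docker container when on Ubuntu Linux
    # so we can get a little more environment and context output
    container: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu:latest' || '' }}
    timeout-minutes: 10
    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      # expression string literals must be single-quoted (double quotes are a syntax error)
      - name: macOS System Version
        if: runner.os == 'macOS'
        run: sw_vers

      - name: macOS Hardware
        if: runner.os == 'macOS'
        run: |
          sysctl -n machdep.cpu.brand_string
          system_profiler SPHardwareDataType

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      # each context is serialized into an env var and echoed from there rather than being
      # interpolated into the script body, so its contents cannot alter the shell command
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"

      - name: Dump job context
        env:
          JOB_CONTEXT: ${{ toJson(job) }}
        run: echo "$JOB_CONTEXT"

      - name: Dump steps context
        env:
          STEPS_CONTEXT: ${{ toJson(steps) }}
        # was "$STEP_CONTEXT" (never set), so this step printed an empty line
        run: echo "$STEPS_CONTEXT"

      - name: Dump runner context
        env:
          RUNNER_CONTEXT: ${{ toJson(runner) }}
        run: echo "$RUNNER_CONTEXT"

      - name: Dump strategy context
        env:
          STRATEGY_CONTEXT: ${{ toJson(strategy) }}
        run: echo "$STRATEGY_CONTEXT"

      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJson(matrix) }}
        run: echo "$MATRIX_CONTEXT"
--------------------------------------------------------------------------------
/.github/workflows/eslint.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
#  Date: 2024-11-19 21:30:39 +0400 (Tue, 19 Nov 2024)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/GitHub-Actions
#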
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # E s L i n t 16 | # ============================================================================ # 17 | 18 | # Should have a eslint.config.mjs committed in the local repo working directory for customizing the checks 19 | # 20 | # Run this and follow the prompts: 21 | # 22 | # eslint --init 23 | 24 | --- 25 | name: EsLint 26 | 27 | on: # yamllint disable-line rule:truthy 28 | push: 29 | branches: 30 | - master 31 | - main 32 | paths: 33 | - '**/*.js' 34 | - package.json 35 | - package-lock.json 36 | - .github/workflows/eslint.yaml 37 | pull_request: 38 | branches: 39 | - master 40 | - main 41 | paths: 42 | - '**/*.js' 43 | - package.json 44 | - package-lock.json 45 | - .github/workflows/eslint.yaml 46 | workflow_call: 47 | inputs: 48 | node-version: 49 | type: string 50 | required: false 51 | default: '' 52 | working-directory: 53 | type: string 54 | required: false 55 | default: . 56 | submodules: 57 | type: string 58 | required: false 59 | default: recursive 60 | debug: 61 | type: string 62 | required: false 63 | default: false 64 | workflow_dispatch: 65 | inputs: 66 | node-version: 67 | type: string 68 | required: false 69 | default: '' 70 | working-directory: 71 | type: string 72 | required: false 73 | default: . 
74 | submodules: 75 | type: string 76 | required: false 77 | default: recursive 78 | debug: 79 | type: boolean 80 | required: false 81 | default: false 82 | #schedule: 83 | # - cron: '0 0 * * 1' 84 | 85 | permissions: 86 | contents: read 87 | 88 | defaults: 89 | run: 90 | shell: bash -euxo pipefail {0} 91 | 92 | env: 93 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 94 | 95 | jobs: 96 | eslint: 97 | name: eslint 98 | # github.event.repository.fork isn't available in scheduled workflows 99 | # can't prevent forks of this repo, because also prevents caller workflows 100 | #if: github.repository == 'HariSekhon/Github-Actions' 101 | runs-on: ubuntu-latest 102 | steps: 103 | - name: Linux Release 104 | if: runner.os == 'Linux' 105 | run: | 106 | [ -e /.dockerenv ] && ls -l /.dockerenv 107 | echo 108 | cat /etc/*-release 109 | 110 | - name: Linux Hardware 111 | if: runner.os == 'Linux' 112 | run: | 113 | set +x 114 | echo -n "CPUs: " 115 | nproc 116 | echo 117 | free -g 118 | echo 119 | df -h 120 | 121 | - name: Environment 122 | run: env | sort 123 | 124 | - name: Git version 125 | run: git --version 126 | 127 | - uses: actions/checkout@v3 128 | with: 129 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 130 | 131 | - uses: actions/setup-node@v4 132 | with: 133 | node-version: ${{ inputs.node-version }} 134 | 135 | - name: Install NPM dependencies 136 | run: npm install 137 | 138 | - name: Install EsLint 139 | run: npm install -g eslint 140 | 141 | - name: EsLint 142 | working-directory: ${{ inputs.working-directory }} 143 | run: eslint . 
# should have a eslint.config.mjs committed in the local repo working directory for customizing the checks 144 | -------------------------------------------------------------------------------- /.github/workflows/flake8.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-07-02 17:28:49 +0200 (Tue, 02 Jul 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # F l a k e 8 16 | # ============================================================================ # 17 | 18 | # Should have a .flake8 committed in the local repo working directory for customizing the checks 19 | # 20 | # See templates here: 21 | # 22 | # https://github.com/HariSekhon/Templates/blob/master/.flake8 23 | # 24 | # https://github.com/HariSekhon/DevOps-Python-tools/blob/master/.flake8 25 | # 26 | # https://github.com/HariSekhon/pylib/blob/master/.flake8 27 | 28 | --- 29 | name: Flake8 30 | 31 | on: # yamllint disable-line rule:truthy 32 | push: 33 | branches: 34 | - master 35 | - main 36 | paths: 37 | - '**/*.py' 38 | pull_request: 39 | branches: 40 | - master 41 | - main 42 | paths: 43 | - '**/*.py' 44 | workflow_call: 45 | inputs: 46 | python-version: 47 | type: string 48 | required: false 49 | # XXX: Python version 3.10 will need to be passed by the calling workflow as quoted '3.10' otherwise will evaluate to '3.1' and break with this error: 50 | # 51 | # Error: The version '3.1' with architecture 'x64' was not found for Ubuntu 22.04. 52 | # 53 | default: '3.10' 54 | working-directory: 55 | type: string 56 | required: false 57 | default: . 
58 | #no-pip-install: 59 | # type: string 60 | # required: false 61 | # default: false 62 | submodules: 63 | type: string 64 | required: false 65 | default: recursive 66 | debug: 67 | type: string 68 | required: false 69 | default: false 70 | workflow_dispatch: 71 | inputs: 72 | python-version: 73 | type: string 74 | required: false 75 | default: '3.10' 76 | working-directory: 77 | type: string 78 | required: false 79 | default: . 80 | submodules: 81 | type: string 82 | required: false 83 | default: recursive 84 | #no-pip-install: 85 | # type: boolean 86 | # required: false 87 | # default: false 88 | debug: 89 | type: boolean 90 | required: false 91 | default: false 92 | #schedule: 93 | # - cron: '0 0 * * 1' 94 | 95 | permissions: 96 | contents: read 97 | 98 | defaults: 99 | run: 100 | shell: bash -euxo pipefail {0} 101 | 102 | env: 103 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 104 | 105 | jobs: 106 | pylint: 107 | name: Flake8 108 | # github.event.repository.fork isn't available in scheduled workflows 109 | # can't prevent forks of this repo, because also prevents caller workflows 110 | #if: github.repository == 'HariSekhon/Github-Actions' 111 | runs-on: ubuntu-latest 112 | steps: 113 | - name: Linux Release 114 | if: runner.os == 'Linux' 115 | run: | 116 | [ -e /.dockerenv ] && ls -l /.dockerenv 117 | echo 118 | cat /etc/*-release 119 | 120 | - name: Linux Hardware 121 | if: runner.os == 'Linux' 122 | run: | 123 | set +x 124 | echo -n "CPUs: " 125 | nproc 126 | echo 127 | free -g 128 | echo 129 | df -h 130 | 131 | - name: Environment 132 | run: env | sort 133 | 134 | - name: Git version 135 | run: git --version 136 | 137 | - uses: actions/checkout@v3 138 | with: 139 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 140 | 141 | - uses: actions/setup-python@v5 142 | with: 143 | python-version: ${{ inputs.python-version }} 144 | 145 | - name: Install Flake8 146 | run: pip 
install flake8 147 | 148 | - name: Install PyPI modules 149 | working-directory: ${{ inputs.working-directory }} 150 | #if: ${{ hashFiles('${{ inputs.working-directory }}/requirements.txt') != '' }} 151 | #if: ! ${{ inputs.no-pip-install ! = 'true' }} 152 | run: pip install -r requirements.txt 153 | 154 | - name: Flake8 155 | working-directory: ${{ inputs.working-directory }} 156 | run: flake8 ./*.py # should have a .flake8 committed in the local repo working directory for customizing the checks 157 | -------------------------------------------------------------------------------- /.github/workflows/fork-sync.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Feb 4 09:53:28 2020 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # G i t H u b F o r k R e p o S y n c 16 | # ============================================================================ # 17 | 18 | # This has the advantage of not triggering GitHub Actions workflows upon updates, and is fast 19 | # 20 | # The disadvantage is that updates to the default branch happened without much auditing such as happens with PRs 21 | # 22 | # Run just before fork-update-pr.yaml if you only want environment branch updates audited via PRs 23 | 24 | --- 25 | name: Fork Sync 26 | 27 | on: # yamllint disable-line rule:truthy 28 | workflow_call: 29 | inputs: 30 | debug: 31 | type: string 32 | required: false 33 | default: false 34 | workflow_dispatch: 35 | inputs: 36 | debug: 37 | type: boolean 38 | required: false 39 | default: false 40 | schedule: 41 | - cron: '0 */3 * * *' 42 | 43 | permissions: 44 | contents: write 45 | 46 | 
defaults: 47 | run: 48 | shell: bash -euxo pipefail {0} 49 | 50 | env: 51 | GH_TOKEN: ${{ github.token }} 52 | GH_NO_UPDATE_NOTIFIER: 1 53 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 54 | 55 | concurrency: 56 | group: ${{ github.workflow }} 57 | cancel-in-progress: false # killing this part way through may leave PRs without auto-merging 58 | 59 | jobs: 60 | sync: 61 | name: Sync 62 | # github.event.repository.fork isn't available in scheduled workflows 63 | if: | 64 | github.repository_owner != 'HariSekhon' && 65 | ( 66 | github.event_name == 'schedule' || 67 | ( github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch ) 68 | ) 69 | runs-on: ubuntu-latest 70 | steps: 71 | - name: Linux Release 72 | if: runner.os == 'Linux' 73 | run: | 74 | [ -e /.dockerenv ] && ls -l /.dockerenv 75 | echo 76 | cat /etc/*-release 77 | 78 | - name: Linux Hardware 79 | if: runner.os == 'Linux' 80 | run: | 81 | set +x 82 | echo -n "CPUs: " 83 | nproc 84 | echo 85 | free -g 86 | echo 87 | df -h 88 | 89 | - name: Environment 90 | run: env | sort 91 | 92 | - name: Git version 93 | run: git --version 94 | 95 | # not needed since everything is done via the GitHub API 96 | #- uses: actions/checkout@v3 97 | 98 | - name: GH CLI auth status 99 | run: | 100 | gh config set prompt disabled 101 | gh auth status 102 | 103 | # because github.event.repository context is missing from scheduled workflows: 104 | # 105 | # https://github.com/github/feedback/discussions/12269 106 | # 107 | - name: Generate environment variable IS_FORK 108 | run: | 109 | IS_FORK="$(gh api "/repos/$GITHUB_REPOSITORY" -q '.fork')" 110 | echo "IS_FORK=$IS_FORK" >> "$GITHUB_ENV" 111 | 112 | - name: Sync Fork 113 | if: github.event.repository.fork == true || env.IS_FORK == 'true' 114 | run: | 115 | gh repo sync "$GITHUB_REPOSITORY" 116 | -------------------------------------------------------------------------------- /.github/workflows/fork-update-pr.yaml: 
-------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Feb 4 09:53:28 2020 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # G i t H u b F o r k R e p o U p d a t e v i a P R 16 | # ============================================================================ # 17 | 18 | # for improved traceability of updates 19 | 20 | --- 21 | name: Fork Update PR 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | secrets: 26 | TOKEN: 27 | description: Token with permissions 'repo' and 'read:org' to create and merge Pull Requests (uses default temporary repo token otherwise) 28 | required: false 29 | inputs: 30 | branches-to-pr: 31 | type: string 32 | required: false 33 | default: | 34 | master 35 | main 36 | develop 37 | dev 38 | staging 39 | production 40 | branches-to-automerge: 41 | type: string 42 | required: false 43 | default: | 44 | master 45 | main 46 | develop 47 | dev 48 | staging 49 | debug: 50 | type: string 51 | required: false 52 | default: false 53 | workflow_dispatch: 54 | inputs: 55 | debug: 56 | type: boolean 57 | required: false 58 | default: false 59 | schedule: 60 | - cron: '0 10 * * 1' 61 | 62 | permissions: 63 | contents: write 64 | pull-requests: write 65 | 66 | defaults: 67 | run: 68 | shell: bash -euxo pipefail {0} 69 | 70 | env: 71 | #GITHUB_TOKEN: ${{ secrets.TOKEN || github.token }} 72 | # GH_TOKEN has higher precedence than GITHUB_TOKEN 73 | GH_TOKEN: ${{ secrets.TOKEN || github.token }} 74 | GH_NO_UPDATE_NOTIFIER: 1 75 | BRANCHES_TO_PR: ${{ inputs.branches-to-pr || github.event.inputs.branches-to-pr }} 76 | BRANCHES_TO_AUTOMERGE: ${{ 
inputs.branches-to-automerge || github.event.inputs.branches-to-automerge }} 77 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 78 | 79 | concurrency: 80 | group: ${{ github.workflow }} 81 | cancel-in-progress: false # killing this part way through may leave PRs without auto-merging 82 | 83 | jobs: 84 | fork_update_pr: 85 | name: Create Fork Update PRs 86 | # github.event.repository.fork isn't available in scheduled workflows 87 | if: | 88 | github.repository_owner != 'HariSekhon' && 89 | ( 90 | github.event_name == 'schedule' || 91 | ( github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch ) 92 | ) 93 | # without 'contents: write' permission the PR merge fails with the error: 94 | # Message: Resource not accessible by integration, Locations: [{Line:1 Column:58}] 95 | runs-on: ubuntu-latest 96 | container: harisekhon/bash-tools 97 | steps: 98 | - name: Linux Release 99 | if: runner.os == 'Linux' 100 | run: | 101 | [ -e /.dockerenv ] && ls -l /.dockerenv 102 | echo 103 | cat /etc/*-release 104 | 105 | - name: Linux Hardware 106 | if: runner.os == 'Linux' 107 | run: | 108 | set +x 109 | echo -n "CPUs: " 110 | nproc 111 | echo 112 | free -g 113 | echo 114 | df -h 115 | 116 | - name: Environment 117 | run: env | sort 118 | 119 | - name: Git version 120 | run: git --version 121 | 122 | # checkout is needed for gh command, otherwise the 'gh pr create' command gets this error:: 123 | # 124 | # [git remote -v] 125 | # fatal: not a git repository (or any parent up to mount point /) 126 | # Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set). 
127 | # /usr/bin/git: exit status 128 128 | # 129 | - uses: actions/checkout@v3 130 | 131 | - name: GH CLI auth status 132 | run: | 133 | gh config set prompt disabled 134 | 135 | #gh auth login --with-token <<< "${{github.token}}" # errors out if GITHUB_TOKEN is set and refused to write local credential because it wouldn't take effect on subsequent commands with GITHUB_TOKEN overriding it 136 | 137 | # what you get by default 138 | #GH_TOKEN="${{ github.token }}" gh auth status 139 | # Logged in to github.com as github-actions[bot] (GH_TOKEN) 140 | 141 | gh auth status 142 | # if you use a PAT with the right permissions - full repo and org:read 143 | # Logged in to github.com as myorg-ci-user (GH_TOKEN) 144 | 145 | #gh api /user | jq # implicit pipe collapses format, force through jq to avoid this 146 | 147 | # default token 148 | # 149 | # gh: Resource not accessible by integration (HTTP 403) 150 | # {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/reference/users#get-the-authenticated-user"} 151 | #- name: GH API User 152 | # run: gh api /user 153 | 154 | # because github.event.repository context is missing from scheduled workflows: 155 | # 156 | # https://github.com/github/feedback/discussions/12269 157 | # 158 | - name: Generate environment variable IS_FORK 159 | run: | 160 | IS_FORK="$(gh api "/repos/$GITHUB_REPOSITORY" -q .fork)" 161 | echo "IS_FORK=$IS_FORK" >> "$GITHUB_ENV" 162 | 163 | - name: Create PRs & Automerge 164 | if: github.event.repository.fork == true || env.IS_FORK == 'true' 165 | run: | 166 | git config --global --add safe.directory "$PWD" 167 | 168 | github_repo_fork_update.sh "$GITHUB_REPOSITORY" 169 | -------------------------------------------------------------------------------- /.github/workflows/gcp-source-repos-mirror.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-03-31 16:48:18 +0100 (Thu, 31 
Mar 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # G C P S o u r c e R e p o s M i r r o r 16 | # ============================================================================ # 17 | 18 | --- 19 | name: GCP Source Repos Mirror 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | secrets: 24 | GH_TOKEN: 25 | description: GitHub Token with permissions 'repo' and 'read:org' to list GitHub repos 26 | required: true 27 | GCP_SERVICEACCOUNT_KEY: 28 | description: GCP serviceaccount JSON key credential, base64 encoded 29 | required: true 30 | # the reason this is a secret and not an input is because you can set this secret Organization wide on GitHub and just inherit it 31 | CLOUDSDK_CORE_PROJECT: 32 | description: GCP Project where the repos should exist 33 | required: true 34 | inputs: 35 | organization: 36 | description: The GitHub Organization that owns the repos (defaults to the user of the given GITHUB_TOKEN) 37 | type: string 38 | required: false 39 | repos: 40 | description: List of repos to mirror, space separated (otherwise iterates and mirrors all repos belonging to the GITHUB_ORGANIZATION or GITHUB_USER) 41 | type: string 42 | required: false 43 | default: "" 44 | clear_cache: 45 | type: string 46 | required: false 47 | default: false 48 | force_mirror: 49 | type: string 50 | required: false 51 | default: false 52 | debug: 53 | type: string 54 | required: false 55 | default: false 56 | 57 | permissions: 58 | contents: read 59 | 60 | defaults: 61 | run: 62 | shell: bash -euxo pipefail {0} 63 | 64 | env: 65 | REPOS: ${{ inputs.repos }} 66 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} 67 | GITHUB_ORGANIZATION: ${{ 
inputs.organization }} 68 | GCP_SERVICEACCOUNT_KEY: ${{ secrets.GCP_SERVICEACCOUNT_KEY }} 69 | CLOUDSDK_CORE_PROJECT: ${{ secrets.CLOUDSDK_CORE_PROJECT }} 70 | DEBIAN_FRONTEND: noninteractive 71 | CLEAR_CACHE: ${{ inputs.clear_cache == 'true' || github.event.inputs.clear_cache == 'true' }} 72 | FORCE_MIRROR: ${{ inputs.force_mirror == 'true' || github.event.inputs.force_mirror == 'true' }} 73 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 74 | 75 | concurrency: 76 | group: ${{ github.workflow }} 77 | cancel-in-progress: false # killing this part way through may leave inconsistencies 78 | 79 | jobs: 80 | gcp_source_repos_mirror: 81 | name: Mirror Repos to GCP Source Repos 82 | # the schedule event doesn't have github.event.repository.* to compare branches so needs to just check for event_name instead 83 | #if: | 84 | # github.event.repository.fork == false && 85 | # ( 86 | # github.event_name == 'schedule' || 87 | # ( github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch ) 88 | # ) 89 | runs-on: ubuntu-latest 90 | container: harisekhon/bash-tools 91 | steps: 92 | - name: Linux Release 93 | if: runner.os == 'Linux' 94 | run: | 95 | [ -e /.dockerenv ] && ls -l /.dockerenv 96 | echo 97 | cat /etc/*-release 98 | 99 | - name: Linux Hardware 100 | if: runner.os == 'Linux' 101 | run: | 102 | set +x 103 | echo -n "CPUs: " 104 | nproc 105 | echo 106 | free -g 107 | echo 108 | df -h 109 | 110 | - name: Environment 111 | run: env | sort 112 | 113 | - name: Git version 114 | run: git --version 115 | 116 | # not needed since everything is done via the GitHub and GitLab APIs and iterated checkouts 117 | #- uses: actions/checkout@v3 118 | 119 | - uses: actions/cache@v4 120 | with: 121 | path: /tmp/github_mirror_to_gcp_source_repos 122 | key: github-mirror-to-gcp-source-repos 123 | restore-keys: | 124 | github-mirror-to-gcp-source-repos 125 | 126 | - name: GCP Login 127 | run: | 128 | base64 --decode <<< 
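"$GCP_SERVICEACCOUNT_KEY" > /tmp/credentials.json
          # remove the decoded key on every exit path: under 'set -e' a failing
          # activate-service-account would otherwise abort the step before the
          # 'rm -f' below and leave the plaintext key file behind on the runner
          # (gcloud keeps its own copy under its config dir, this only covers the temp file)
          trap 'rm -f /tmp/credentials.json' EXIT
          gcloud auth activate-service-account --key-file /tmp/credentials.json
          rm -f /tmp/credentials.json
          gcloud auth list

      - name: Mirror Repos
        # $REPOS is intentionally unquoted: it is a space separated list of repo names
        run: github_mirror_repos_to_gcp_source_repos.sh $REPOS
--------------------------------------------------------------------------------
/.github/workflows/gitlab-mirror.yaml:
--------------------------------------------------------------------------------
#
#  Author: Hari Sekhon
#  Date: 2022-03-22 18:23:10 +0000 (Tue, 22 Mar 2022)
#
#  vim:ts=2:sts=2:sw=2:et
#
#  https://github.com/HariSekhon/GitHub-Actions
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                         G i t L a b   M i r r o r
# ============================================================================ #

# Mirror GitHub repos to GitLab - because repo sync was moved to GitLab Enterprise only

---
name: GitLab Mirror

on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      GH_TOKEN:
        description: GitHub Token with permissions 'repo' and 'read:org' to list GitHub repos
        required: true
      GITLAB_TOKEN:
        description: GitLab Token with permissions to create new repos to mirror to
        required: true
    inputs:
      organization:
        description: The GitHub Organization that owns the repos (defaults to the user of the given GITHUB_TOKEN)
        type: string
        required: false
      repos:
        description: List of repos to mirror, space separated (otherwise iterates and mirrors all repos belonging to the GITHUB_ORGANIZATION or GITHUB_USER)
        type: string
        required: false
        default: ""
      clear_cache:
        type: string
        required: false
        default: false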
force_mirror: 47 | type: string 48 | required: false 49 | default: false 50 | debug: 51 | type: string 52 | required: false 53 | default: false 54 | 55 | permissions: 56 | contents: read 57 | 58 | defaults: 59 | run: 60 | shell: bash -euxo pipefail {0} 61 | 62 | env: 63 | REPOS: ${{ inputs.repos }} 64 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} 65 | GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }} 66 | GITHUB_ORGANIZATION: ${{ inputs.organization }} 67 | DEBIAN_FRONTEND: noninteractive 68 | CLEAR_CACHE: ${{ inputs.clear_cache == 'true' || github.event.inputs.clear_cache == 'true' }} 69 | FORCE_MIRROR: ${{ inputs.force_mirror == 'true' || github.event.inputs.force_mirror == 'true' }} 70 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 71 | 72 | concurrency: 73 | group: ${{ github.workflow }} 74 | cancel-in-progress: false # killing this part way through may leave inconsistencies 75 | 76 | jobs: 77 | gitlab_mirror: 78 | name: Mirror Repos to GitLab 79 | # the schedule event doesn't have github.event.repository.* to compare branches so needs to just check for event_name instead 80 | #if: | 81 | # github.event.repository.fork == false && 82 | # ( 83 | # github.event_name == 'schedule' || 84 | # ( github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch ) 85 | # ) 86 | runs-on: ubuntu-latest 87 | container: harisekhon/bash-tools 88 | steps: 89 | - name: Linux Release 90 | if: runner.os == 'Linux' 91 | run: | 92 | [ -e /.dockerenv ] && ls -l /.dockerenv 93 | echo 94 | cat /etc/*-release 95 | 96 | - name: Linux Hardware 97 | if: runner.os == 'Linux' 98 | run: | 99 | set +x 100 | echo -n "CPUs: " 101 | nproc 102 | echo 103 | free -g 104 | echo 105 | df -h 106 | 107 | - name: Environment 108 | run: env | sort 109 | 110 | - name: Git version 111 | run: git --version 112 | 113 | # not needed since everything is done via the GitHub and GitLab APIs and iterated checkouts 114 | #- uses: actions/checkout@v3 115 | 116 | - uses: 
actions/cache@v4 117 | with: 118 | path: /tmp/github_mirror_to_gitlab 119 | key: github-mirror-to-gitlab 120 | restore-keys: | 121 | github-mirror-to-gitlab 122 | 123 | - name: Mirror Repos 124 | run: github_mirror_repos_to_gitlab.sh $REPOS 125 | -------------------------------------------------------------------------------- /.github/workflows/groovyc.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-21 13:34:47 +0000 (Fri, 21 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # G r o o v y C o m p i l e 16 | # ============================================================================ # 17 | 18 | # groovyc compile linting 19 | 20 | --- 21 | name: Groovy Compile 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | submodules: 27 | type: string 28 | required: false 29 | default: recursive 30 | debug: 31 | type: string 32 | required: false 33 | default: false 34 | 35 | permissions: 36 | contents: read 37 | 38 | defaults: 39 | run: 40 | shell: bash -euxo pipefail {0} 41 | 42 | env: 43 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 44 | 45 | jobs: 46 | groovyc: 47 | #name: Groovy Compile 48 | runs-on: ubuntu-latest 49 | #container: groovy # doesn't contain git and no sudo access 50 | container: harisekhon/bash-tools:ubuntu 51 | steps: 52 | - name: Linux Release 53 | if: runner.os == 'Linux' 54 | run: | 55 | [ -e /.dockerenv ] && ls -l /.dockerenv 56 | echo 57 | cat /etc/*-release 58 | 59 | - name: Linux Hardware 60 | if: runner.os == 'Linux' 61 | run: | 62 | set +x 63 | echo -n "CPUs: " 64 | 
nproc 65 | echo 66 | free -g 67 | echo 68 | df -h 69 | 70 | - name: Environment 71 | run: env | sort 72 | 73 | - name: Git version 74 | run: git --version 75 | 76 | # allows us to use check_groovyc.sh from the harisekhon/github docker image or the local HariSekhon/DevOps-Bash-tools git checkout further down 77 | - name: Setup PATH 78 | run: echo "PATH=$PWD/bash-tools:$PATH" >> "$GITHUB_ENV" 79 | 80 | - name: Install Groovy 81 | # on ubuntu latest we have to sudo, but not in bash-tools 82 | #run: sudo apt-get update && sudo apt-get install -y groovy --no-install-recommends 83 | run: | 84 | sudo= 85 | if [ "${EUID:-${UID:-$(id -u)}}" != 0 ]; then 86 | sudo=sudo 87 | fi 88 | $sudo apt-get update 89 | $sudo apt-get install -y groovy 90 | 91 | - uses: actions/checkout@v3 92 | with: 93 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 94 | 95 | # Uncomment if you need latest version from master before it is built into docker image harisekhon/bash-tools 96 | #- uses: actions/checkout@v3 97 | # with: 98 | # repository: HariSekhon/DevOps-Bash-tools 99 | # #ref: master # unset for default branch in case it changes in future 100 | # submodules: recursive 101 | # path: bash-tools 102 | 103 | - name: Groovy Compile 104 | run: check_groovyc.sh 105 | -------------------------------------------------------------------------------- /.github/workflows/grype.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-31 16:49:05 +0000 (Mon, 31 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # G r y p e 16 | # 
============================================================================ # 17 | 18 | --- 19 | name: Grype 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - .github/workflows/grype.yaml 28 | #ignore-paths: 29 | # - '**/README.md' 30 | pull_request: 31 | branches: 32 | - master 33 | - main 34 | paths: 35 | - .github/workflows/grype.yaml 36 | #ignore-paths: 37 | # - '**/README.md' 38 | workflow_call: 39 | inputs: 40 | path: 41 | description: The filesystem path for Grype to analyze 42 | type: string 43 | default: . 44 | required: false 45 | severity: 46 | description: Set a severity to trigger CI workflow failure 47 | type: string 48 | default: high 49 | required: false 50 | debug: 51 | type: string 52 | required: false 53 | default: false 54 | workflow_dispatch: 55 | inputs: 56 | path: 57 | description: The filesystem path for Grype to analyze 58 | type: string 59 | default: . 60 | required: false 61 | severity: 62 | description: Set a severity to trigger CI workflow failure 63 | type: string 64 | default: high 65 | required: false 66 | debug: 67 | type: boolean 68 | required: false 69 | default: false 70 | 71 | permissions: 72 | contents: read 73 | security-events: write 74 | 75 | defaults: 76 | run: 77 | shell: sh -eux {0} 78 | 79 | env: 80 | # ${{ inputs.* }} is set by workflow_call 81 | # ${{ github.events.inputs.* }} is set by workflow_dispatch 82 | SCAN_PATH: ${{ inputs.path || github.event.inputs.path || '.' 
}} 83 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 84 | 85 | jobs: 86 | grype: 87 | name: Filesystem Scan 88 | runs-on: ubuntu-latest 89 | steps: 90 | - name: Linux Release 91 | if: runner.os == 'Linux' 92 | run: | 93 | [ -e /.dockerenv ] && ls -l /.dockerenv 94 | echo 95 | cat /etc/*-release 96 | 97 | - name: Linux Hardware 98 | if: runner.os == 'Linux' 99 | run: | 100 | set +x 101 | echo -n "CPUs: " 102 | nproc 103 | echo 104 | free -g 105 | echo 106 | df -h 107 | 108 | - name: Environment 109 | run: env | sort 110 | 111 | - name: Git version 112 | run: git --version 113 | 114 | - uses: actions/checkout@v3 115 | 116 | - name: Grype Filsystem Scan 117 | if: ${{ inputs.severity || github.event.inputs.severity }} 118 | # https://github.com/anchore/scan-action 119 | uses: anchore/scan-action@v3 120 | with: 121 | path: ${{ env.SCAN_PATH }} 122 | fail-build: true 123 | severity-cutoff: ${{ inputs.severity || github.event.inputs.severity }} 124 | output-format: table 125 | 126 | # ============================================================================ # 127 | 128 | grype_github: 129 | name: Filesystem Scan GitHub Security tab 130 | runs-on: ubuntu-latest 131 | steps: 132 | - name: Linux Release 133 | if: runner.os == 'Linux' 134 | run: | 135 | [ -e /.dockerenv ] && ls -l /.dockerenv 136 | echo 137 | cat /etc/*-release 138 | 139 | - name: Linux Hardware 140 | if: runner.os == 'Linux' 141 | run: | 142 | set +x 143 | echo -n "CPUs: " 144 | nproc 145 | echo 146 | free -g 147 | echo 148 | df -h 149 | 150 | - name: Environment 151 | run: env | sort 152 | 153 | - name: Git version 154 | run: git --version 155 | 156 | - uses: actions/checkout@v3 157 | 158 | - name: Grype Generate Sarif 159 | #if: ${{ inputs.severity || github.event.inputs.severity }} 160 | id: scan 161 | # https://github.com/anchore/scan-action 162 | uses: anchore/scan-action@v3 163 | with: 164 | path: ${{ env.SCAN_PATH }} 165 | fail-build: false 166 | output-format: 
sarif 167 | 168 | - name: Upload Grype sarif to GitHub Security tab 169 | #if: ${{ ! ( inputs.no_sarif || github.event.inputs.sarif ) }} 170 | uses: github/codeql-action/upload-sarif@v2 171 | with: 172 | sarif_file: ${{ steps.scan.outputs.sarif }} 173 | -------------------------------------------------------------------------------- /.github/workflows/infracost.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2023-01-16 14:18:50 +0000 (Mon, 16 Jan 2023) 5 | # 6 | # https://github.com/HariSekhon/GitHub-Actions 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # ============================================================================ # 16 | # I n f r a C o s t 17 | # ============================================================================ # 18 | 19 | # Runs Infracost to show Cloud cost estimates for changes in Pull Requests 20 | 21 | # https://dashboard.infracost.io/ 22 | 23 | # https://www.infracost.io/docs/ 24 | 25 | # https://github.com/infracost/actions 26 | 27 | # If you've got the paid version of InfraCost cloud you should use this instead: 28 | # 29 | # https://www.infracost.io/docs/integrations/github_app/ 30 | 31 | --- 32 | name: Infrastructure Cost Estimation 33 | 34 | on: # yamllint disable-line rule:truthy 35 | # calling workflows should use something like this pull_request: 36 | #pull_request: 37 | # branches: 38 | # - main 39 | # paths: 40 | # - 'terraform/**' 41 | # - '**/*.tf' 42 | workflow_call: 43 | inputs: 44 | tf_root: 45 | description: Terraform root where an infracost.yml config file should be found 46 | type: string 47 | default: . 
48 | required: false 49 | # running set -x for all runs 50 | #debug: 51 | # description: Enable Debug Mode 52 | # type: boolean 53 | # required: false 54 | # default: false 55 | secrets: 56 | INFRACOST_API_KEY: 57 | required: true 58 | 59 | permissions: 60 | contents: read 61 | pull-requests: write 62 | 63 | concurrency: 64 | group: ${{ github.workflow }}-${{ github.ref }} 65 | cancel-in-progress: true 66 | 67 | defaults: 68 | run: 69 | shell: bash -euxo pipefail {0} 70 | 71 | env: 72 | CONFIG: ${{ inputs.config }} 73 | TF_ROOT: ${{ inputs.tf_root }} 74 | 75 | jobs: 76 | infracost: 77 | name: Infracost 78 | runs-on: ubuntu-latest 79 | steps: 80 | - name: Linux Release 81 | if: runner.os == 'Linux' 82 | run: | 83 | [ -e /.dockerenv ] && ls -l /.dockerenv 84 | echo 85 | cat /etc/*-release 86 | 87 | - name: Linux Hardware 88 | if: runner.os == 'Linux' 89 | run: | 90 | set +x 91 | echo -n "CPUs: " 92 | nproc 93 | echo 94 | free -g 95 | echo 96 | df -h 97 | 98 | - name: Environment 99 | run: env | sort 100 | 101 | - name: Git version 102 | run: git --version 103 | 104 | #- name: Install Infracost 105 | # run: curl -fsSL https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh -x 106 | 107 | #- name: Configure Infracost 108 | # run: infracost configure set api_key "${{ secrets.INFRACOST_API_KEY }}" 109 | 110 | - name: Setup Infracost 111 | uses: infracost/actions/setup@v2 112 | # See https://github.com/infracost/actions/tree/master/setup for other inputs 113 | # If you can't use this action, see Docker images in https://infracost.io/cicd 114 | with: 115 | api-key: ${{ secrets.INFRACOST_API_KEY }} 116 | 117 | # check out the base branch to generate a baseline to compare the pull request to 118 | - name: Checkout base branch 119 | uses: actions/checkout@v3 120 | with: 121 | ref: ${{ github.event.pull_request.base.ref }} 122 | 123 | # generate Infracost JSON file as the baseline 124 | - name: Generate Infracost cost estimate baseline 125 | run: | 
126 | infracost breakdown --path="$TF_ROOT" \ 127 | --format=json \ 128 | --out-file=/tmp/infracost-base.json 129 | 130 | # check out the current PR branch so we can create a diff 131 | - name: Checkout PR branch 132 | uses: actions/checkout@v3 133 | 134 | # generate an Infracost diff and save it to a JSON file 135 | - name: Generate Infracost diff 136 | run: | 137 | infracost diff --path="$TF_ROOT" \ 138 | --format=json \ 139 | --compare-to=/tmp/infracost-base.json \ 140 | --out-file=/tmp/infracost.json 141 | 142 | - name: Post Infracost comment to the calling GitHub Pull Request 143 | if: github.event.pull_request.number 144 | run: | 145 | infracost comment github --path=/tmp/infracost.json \ 146 | --repo="$GITHUB_REPOSITORY" \ 147 | --github-token="${{ github.token }}" \ 148 | --pull-request="${{ github.event.pull_request.number }}" \ 149 | --behavior=update 150 | # 'update' behaviour updates the comment upon any change, see https://www.infracost.io/docs/features/cli_commands/#comment-on-pull-requests 151 | -------------------------------------------------------------------------------- /.github/workflows/jenkinsfile.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Thu Jan 20 16:01:19 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # J e n k i n s f i l e V a l i d a t i o n 16 | # ============================================================================ # 17 | 18 | # Designed to validate the master Jenkinsfile in my Jenkins repo: 19 | # 20 | # https://github.com/HariSekhon/Jenkins 21 | 22 | --- 23 | name: Jenkinsfile Validation 24 | 25 | on: # yamllint 
disable-line rule:truthy 26 | workflow_call: 27 | inputs: 28 | plugins: 29 | description: List of Jenkins plugins that need to be installed to validate the Jenkinsfile 30 | type: string 31 | default: '' # kubernetes:1.31.2 32 | required: false 33 | debug: 34 | type: string 35 | required: false 36 | default: false 37 | 38 | permissions: 39 | contents: read 40 | 41 | defaults: 42 | run: 43 | shell: bash -euxo pipefail {0} 44 | 45 | env: 46 | PLUGINS_TO_INSTALL: ${{ inputs.plugins }} 47 | # doesn't get set, as GITHUB_ prefix not being allowed 48 | # GITHUB_WORKSPACE: /var/jenkins_home 49 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 50 | 51 | jobs: 52 | validate: 53 | name: Validate 54 | runs-on: ubuntu-latest 55 | #container: harisekhon/jenkins:latest 56 | container: jenkins/jenkins:lts 57 | steps: 58 | - name: Linux Release 59 | if: runner.os == 'Linux' 60 | run: | 61 | [ -e /.dockerenv ] && ls -l /.dockerenv 62 | echo 63 | cat /etc/*-release 64 | 65 | - name: Linux Hardware 66 | if: runner.os == 'Linux' 67 | run: | 68 | set +x 69 | echo -n "CPUs: " 70 | nproc 71 | echo 72 | free -g 73 | echo 74 | df -h 75 | 76 | - name: Environment 77 | run: env | sort 78 | 79 | - name: Git version 80 | run: git --version 81 | 82 | # Workaround for actions/checkout not being able to checkout outside of $GITHUB_WORKSPACE and not being able to set GITHUB_WORKSPACE 83 | # 84 | # https://github.com/actions/checkout/issues/197 85 | # 86 | # can't set GITHUB_WORKSPACE to path: /var/_jenkins_home outside of it due to actions/checkout validation 87 | # 88 | #- uses: actions/checkout@v3 89 | # with: 90 | # submodules: recursive # requires Git 2.18+ to be installed first 91 | # 92 | #- uses: actions/checkout@v3 93 | # with: 94 | # repository: HariSekhon/DevOps-Bash-tools 95 | # #ref: master # unset for default branch in case it changes in future 96 | # #submodules: recursive # don't need the submodules for just this script, save time 97 | # path: 
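bash-tools

      - name: Git Checkout
        run: |
          git --version
          cd "$JENKINS_HOME"
          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" repo
          cd repo
          git checkout -f "$GITHUB_SHA"

      # NOTE(review): clones the upstream default branch unpinned, so the check
      # scripts executed further down track whatever that branch currently
      # contains; add a 'git checkout <tag-or-commit>' here if reproducibility matters
      - name: Git Checkout Bash Tools
        run: |
          cd "$JENKINS_HOME"
          git clone "$GITHUB_SERVER_URL/HariSekhon/DevOps-Bash-tools" bash-tools

      # Whatever constructs you want to validate in Jenkinsfile must have the corresponding plugins installed
      - name: Jenkins Install Plugins
        run: |
          /bin/jenkins-plugin-cli --plugins \
            $(cat <<-EOF
              ansicolor:1.0.1
              lockable-resources:2.13
              ssh-agent:1.23
              timestamper:1.16
              workflow-aggregator:2.6
              $(tr '\n' ' ' <<< "$PLUGINS_TO_INSTALL")
          EOF
            )
          # PLUGINS_TO_INSTALL is already exported via the workflow 'env:' block -
          # reading the variable keeps the caller supplied value as shell data, whereas
          # '${{ env.PLUGINS_TO_INSTALL }}' pastes it into the script text before bash parses it
        timeout-minutes: 10

      - name: Start Jenkins
        run: /usr/local/bin/jenkins.sh &
        timeout-minutes: 1

      - name: Wait for Jenkins Initial Password
        run: while ! [ -f "$JENKINS_HOME/secrets/initialAdminPassword" ]; do sleep 1; done
        timeout-minutes: 10

      - name: Wait for Jenkins to initialize
        run: while !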
curl -sSf http://localhost:8080/login | grep -qi jenkins; do sleep 1; done 137 | timeout-minutes: 10 138 | 139 | - name: Validate Jenkinsfiles 140 | run: | 141 | cd "$JENKINS_HOME/repo" 142 | ../bash-tools/checks/check_jenkinsfiles.sh 143 | -------------------------------------------------------------------------------- /.github/workflows/jfrog_artifactory_auth_test.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2023-02-24 01:57:17 +0000 (Fri, 24 Feb 2023) 5 | # 6 | # https://github.com/HariSekhon/GitHub-Actions 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # ============================================================================ # 16 | # J F r o g C l o u d A r t i f a c t o r y A u t h T e s t 17 | # ============================================================================ # 18 | 19 | # JFrog CLI - GitHub Action 20 | # 21 | # https://github.com/marketplace/actions/setup-jfrog-cli 22 | 23 | # Generate a token on JFrog Cloud access token here: 24 | # 25 | # https://firstmode.jfrog.io/ui/admin/artifactory/user_profile 26 | 27 | --- 28 | name: JFrog Cloud Artifactory Auth Test 29 | 30 | on: # yamllint disable-line rule:truthy 31 | workflow_call: 32 | # https://github.com/marketplace/actions/setup-jfrog-cli 33 | inputs: 34 | JF_URL: 35 | description: 'JFrog platform url (for example: https://acme.jfrog.io)' 36 | type: string 37 | required: false 38 | secrets: 39 | JF_URL: 40 | required: false 41 | # 42 | # Either 43 | # 44 | JF_USER: 45 | required: false 46 | JF_PASSWORD: 47 | required: false 48 | # 49 | # or 50 | # 51 | JF_ACCESS_TOKEN: 52 | required: false 53 | 54 | permissions: 55 | contents: read 56 | 57 
| concurrency: 58 | group: ${{ github.workflow }}-${{ github.ref }} 59 | cancel-in-progress: true 60 | 61 | defaults: 62 | run: 63 | shell: bash -euxo pipefail {0} 64 | 65 | env: 66 | # https://github.com/marketplace/actions/setup-jfrog-cli 67 | JF_URL: ${{ inputs.JF_URL || secrets.JF_URL }} 68 | JF_USER: ${{ secrets.JF_USER }} 69 | JF_PASSWORD: ${{ secrets.JF_PASSWORD }} 70 | JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} 71 | 72 | jobs: 73 | jfrog_cli_test: 74 | name: JFrog CLI Authentication Test 75 | runs-on: ubuntu-latest 76 | steps: 77 | - name: Linux Release 78 | if: runner.os == 'Linux' 79 | run: | 80 | [ -e /.dockerenv ] && ls -l /.dockerenv 81 | echo 82 | cat /etc/*-release 83 | 84 | - name: Linux Hardware 85 | if: runner.os == 'Linux' 86 | run: | 87 | set +x 88 | echo -n "CPUs: " 89 | nproc 90 | echo 91 | free -g 92 | echo 93 | df -h 94 | 95 | - name: Environment 96 | run: env | sort 97 | 98 | - name: Git version 99 | run: git --version 100 | 101 | # https://github.com/marketplace/actions/setup-jfrog-cli 102 | - uses: jfrog/setup-jfrog-cli@v3 103 | 104 | - name: JFrog CLI version 105 | run: jf --version 106 | 107 | # this tests the authentication token works, otherwise you'll get this error from the CLI: 108 | # 109 | # 02:45:14 [🚨Error] server response: 401 Unauthorized 110 | # { 111 | # "errors": [ 112 | # { 113 | # "status": 401, 114 | # "message": "Props Authentication Token not found" 115 | # } 116 | # ] 117 | # } 118 | # { 119 | # "errors": [ 120 | # { 121 | # "status": 401, 122 | # "message": "Props Authentication Token not found" 123 | # } 124 | # ] 125 | # } 126 | - name: JFrog CLI artifactory ping 127 | run: jf rt ping 128 | -------------------------------------------------------------------------------- /.github/workflows/json.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # 
https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # J S O N 16 | # ============================================================================ # 17 | 18 | --- 19 | name: JSON 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**/*.json' 28 | pull_request: 29 | branches: 30 | - master 31 | - main 32 | paths: 33 | - '**/*.json' 34 | workflow_call: 35 | inputs: 36 | submodules: 37 | type: string 38 | required: false 39 | default: recursive 40 | debug: 41 | type: string 42 | required: false 43 | default: false 44 | workflow_dispatch: 45 | inputs: 46 | submodules: 47 | type: string 48 | required: false 49 | default: recursive 50 | debug: 51 | type: boolean 52 | required: false 53 | default: false 54 | #schedule: 55 | # - cron: '0 0 * * 1' 56 | 57 | permissions: 58 | contents: read 59 | 60 | defaults: 61 | run: 62 | shell: bash -euxo pipefail {0} 63 | 64 | env: 65 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 66 | 67 | jobs: 68 | check_json: 69 | name: Check JSON 70 | # github.event.repository.fork isn't available in scheduled workflows 71 | # can't prevent forks of this repo, because also prevents caller workflows 72 | #if: github.repository == 'HariSekhon/Github-Actions' 73 | runs-on: ubuntu-latest 74 | container: harisekhon/bash-tools:latest 75 | steps: 76 | - name: Linux Release 77 | if: runner.os == 'Linux' 78 | run: | 79 | [ -e /.dockerenv ] && ls -l /.dockerenv 80 | echo 81 | cat /etc/*-release 82 | 83 | - name: Linux Hardware 84 | if: runner.os == 'Linux' 85 | run: | 86 | set +x 87 | echo -n "CPUs: " 88 | nproc 89 | echo 90 | free -g 91 | echo 92 | df -h 93 | 94 | - name: Environment 95 | run: env 
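| sort

      - name: Git version
        run: git --version

      - uses: actions/checkout@v3
        with:
          # the input declared above is called 'submodules'; 'inputs.recursive' does not
          # exist, evaluated to an empty string and so submodules were never checked out
          submodules: ${{ inputs.submodules }}  # 'recursive' default requires Git 2.18+ to be installed first

      - name: Check JSON
        run: |
          check_json.sh
--------------------------------------------------------------------------------
/.github/workflows/kickstart.yaml:
--------------------------------------------------------------------------------
#  vim:ts=2:sts=2:sw=2:et
#
#  Author: Hari Sekhon
#  Date: 2023-05-31 01:49:54 +0100 (Wed, 31 May 2023)
#
#  https://github.com/HariSekhon/Templates
#
#  License: see accompanying Hari Sekhon LICENSE file
#
#  If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
#  https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                      R e d h a t   K i c k s t a r t
# ============================================================================ #

---
name: Redhat Kickstart

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      files:
        description: The Redhat Kickstart file paths to validate, separated by spaces
        type: string
        required: false
        default: anaconda-ks.cfg

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash -euxo pipefail {0}

jobs:
  kickstart:
    name: Kickstart
    timeout-minutes: 10
    runs-on: ubuntu-latest
    container: fedora
    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os ==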
'Linux' 58 | run: | 59 | set +x 60 | echo -n "CPUs: " 61 | nproc 62 | echo 63 | free -g 64 | echo 65 | df -h 66 | 67 | - name: Environment 68 | run: env | sort 69 | 70 | - name: Git version 71 | run: git --version 72 | 73 | - uses: actions/checkout@v3 74 | #name: Git Checkout # better to show the action@version 75 | 76 | - name: Install pykickstart 77 | run: dnf install pykickstart -y 78 | 79 | - name: Validate Kickstart 80 | run: | 81 | for file in ${{ inputs.files }}; do 82 | echo "Validating $file" 83 | echo 84 | ksvalidator "$file" 85 | echo 86 | done 87 | -------------------------------------------------------------------------------- /.github/workflows/kics.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-01 13:56:31 +0000 (Tue, 01 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # K i c s 16 | # ============================================================================ # 17 | 18 | # https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md 19 | 20 | --- 21 | name: Kics 22 | 23 | on: # yamllint disable-line rule:truthy 24 | push: 25 | branches: 26 | - master 27 | - main 28 | ignore-paths: 29 | - '**/README.md' 30 | pull_request: 31 | branches: 32 | - master 33 | - main 34 | ignore-paths: 35 | - '**/README.md' 36 | workflow_call: 37 | # https://github.com/Checkmarx/kics-github-action#inputs 38 | inputs: 39 | path: 40 | type: string 41 | required: false 42 | default: . 
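# https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md
      config:
        type: string
        required: false
      queries:
        type: string
        required: false
      fail_on:
        type: string
        required: false
        #default: high,medium
      ignore_on:
        type: string
        required: false
        default: results
      debug:
        type: string
        required: false
        default: false
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * 1'

permissions:
  actions: read
  contents: read
  # needed by the upload-sarif step below to publish results to code scanning
  security-events: write

defaults:
  run:
    shell: bash -euxo pipefail {0}

env:
  CONFIG: ${{ inputs.config }}
  CONFIG_FILE: ''
  DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }}

jobs:
  kics:
    name: Kics Scan
    # github.event.repository.fork isn't available in scheduled workflows
    # can't prevent forks of this repo, because also prevents caller workflows
    #if: github.repository == 'HariSekhon/Github-Actions'
    runs-on: ubuntu-latest
    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - uses: actions/checkout@v3
        with:
          submodules: recursive  # requires Git 2.18+ to be installed first

      - name: Set environment variable SCAN_PATH
        # caller input is passed via env rather than expanded into the script text,
        # so its value cannot inject shell syntax into this step
        env:
          KICS_PATH: ${{ inputs.path }}
        run: |
          if [ -n "$KICS_PATH" ]; then
            echo "SCAN_PATH=$KICS_PATH"
          else
            echo "SCAN_PATH=."
          fi >> "$GITHUB_ENV"

      - name: Make results dir
        run: mkdir -pv results

      - name: Create Config file
        if: ${{ env.CONFIG }}
        # printf writes the config verbatim: no shell expansion of its contents, and a
        # line reading EOF cannot terminate it early as it would a heredoc
        run: |
          printf '%s\n' "$CONFIG" > kics.config
          echo "CONFIG_FILE=kics.config" >> "$GITHUB_ENV"

      # https://github.com/Checkmarx/kics-github-action
      - name: Kics Scan
        # NOTE(review): '@master' is a mutable ref resolved at every run, and this job holds
        # 'security-events: write' - pin to a release tag or full commit SHA so an upstream
        # change cannot silently alter what runs here
        uses: checkmarx/kics-action@master
        with:
          path: ${{ env.SCAN_PATH }}
          fail_on: ${{ inputs.fail_on }}
          # the input declared above is 'ignore_on' (default 'results'); 'inputs.ignore_on_exit'
          # does not exist and resolved to an empty string
          ignore_on_exit: ${{ inputs.ignore_on }}
          output_path: results
          output_formats: 'json,sarif'
          # CONFIG_FILE is written above but currently not passed to the action
          #config_path: ${{ env.CONFIG_FILE }}
          queries: ${{ inputs.queries }}

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results/results.sarif

      # summary stats, available in the Scan output already, use this only for post-processing
      #- name: Display Results
      #  run: jq . < results/results.json
--------------------------------------------------------------------------------
/.github/workflows/lock_branch.yaml:
--------------------------------------------------------------------------------
#
# Author: Hari Sekhon
# Date: 2023-07-30 01:26:06 +0100 (Sun, 30 Jul 2023)
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                           L o c k   B r a n c h
# ============================================================================ #

# Useful to implement code freezes on branches - call ad-hoc or on a recurring 'schedule' in the calling workflow
#
# See adjacent counterpart workflow unlock_branch.yaml

# XXX: Requires a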
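PAT token to avoid this error:
#
#   {
#     "message": "Resource not accessible by integration",
#     "documentation_url": "https://docs.github.com/rest/branches/branch-protection#update-branch-protection"
#   }

---
name: Lock Branch

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      branch:
        type: string
        required: true
  workflow_dispatch:
    inputs:
      branch:
        type: string
        required: true

permissions:
  contents: read

defaults:
  run:
    shell: bash -euxo pipefail {0}

env:
  BRANCH: ${{ inputs.branch || github.event.inputs.branch }}
  REPO: ${{ github.repository }}

  # XXX: API requires these fields but this is bad - could wipe out existing values
  #
  #   {
  #     "message": "Invalid request.\n\n\"enforce_admins\", \"required_pull_request_reviews\", \"required_status_checks\", \"restrictions\" weren't supplied.",
  #     "documentation_url": "https://docs.github.com/rest/branches/branch-protection#update-branch-protection"
  #   }
  #
  #PAYLOAD: '{"lock_branch": true}'
  PAYLOAD: '{"required_status_checks": null, "enforce_admins": false, "required_pull_request_reviews": null, "restrictions": null, "lock_branch": true}'

jobs:
  lock_branch:
    name: Lock Branch
    runs-on: ubuntu-latest
    steps:
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - name: Lock Branch
        # XXX: Requires PAT loaded to Secrets for permission
        #
        # the token is scoped to this step (the only one that uses it) rather than the
        # workflow-level env, so it is not exported into every other step - in particular
        # the 'Environment' step's `env | sort` dump above
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          if !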
\ 100 | curl -sSL --fail \ 101 | -X PUT \ 102 | -H "Accept: application/vnd.github+json" \ 103 | -H "Authorization: Bearer $GITHUB_TOKEN" \ 104 | -d "$PAYLOAD" \ 105 | "https://api.github.com/repos/$REPO/branches/$BRANCH/protection"; then 106 | 107 | # re-run it without --fail hiding the content output containing the error message details, so we can debug it at a glance 108 | curl -sSL \ 109 | -X PUT \ 110 | -H "Accept: application/vnd.github+json" \ 111 | -H "Authorization: Bearer $GITHUB_TOKEN" \ 112 | -d "$PAYLOAD" \ 113 | "https://api.github.com/repos/$REPO/branches/$BRANCH/protection" 114 | 115 | exit 1 116 | 117 | fi 118 | -------------------------------------------------------------------------------- /.github/workflows/markdown.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2023-07-27 01:04:53 +0100 (Thu, 27 Jul 2023) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # M a r k d o w n L i n t 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Markdown Lint 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**.md' 28 | - .mdlrc 29 | - .mdl.rb 30 | - .markdownlint.rb 31 | - .github/workflows/markdown.yaml 32 | pull_request: 33 | branches: 34 | - master 35 | - main 36 | paths: 37 | - '**.md' 38 | - .mdlrc 39 | - .mdl.rb 40 | - .markdownlint.rb 41 | - .github/workflows/markdown.yaml 42 | workflow_call: 43 | workflow_dispatch: 44 | schedule: 45 | - cron: '0 0 * * 1' 46 | 47 | permissions: 48 | contents: read 49 | 50 | defaults: 51 | run: 52 | 
shell: bash -euxo pipefail {0} 53 | 54 | jobs: 55 | readme_lint: 56 | name: Readme lint 57 | runs-on: ubuntu-latest 58 | steps: 59 | - name: Linux Release 60 | if: runner.os == 'Linux' 61 | run: | 62 | [ -e /.dockerenv ] && ls -l /.dockerenv 63 | echo 64 | cat /etc/*-release 65 | 66 | - name: Linux Hardware 67 | if: runner.os == 'Linux' 68 | run: | 69 | set +x 70 | echo -n "CPUs: " 71 | nproc 72 | echo 73 | free -g 74 | echo 75 | df -h 76 | 77 | - name: Environment 78 | run: env | sort 79 | 80 | - name: Git version 81 | run: git --version 82 | 83 | - uses: actions/checkout@v3 84 | #name: Git Checkout # better to show the action@version 85 | with: 86 | submodules: 'false' # requires Git 2.18+ to be installed first 87 | 88 | # create .mdlrc at the root of your repo to ignore some things like long lines, 89 | # see https://github.com/HariSekhon/DevOps-Bash-tools/blob/master/.mdlrc 90 | - name: Run mdl 91 | uses: actionshub/markdownlint@main 92 | -------------------------------------------------------------------------------- /.github/workflows/merge-branch.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Feb 4 09:53:28 2020 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # M e r g e B r a n c h 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Merge Branch 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | head: 25 | description: Branch to merge from (defaults to triggered branch if not specified) 26 | type: string 27 | required: false 28 | base: 29 | description: Branch to 
merge into 30 | type: string 31 | required: true 32 | debug: 33 | type: string 34 | required: false 35 | default: false 36 | workflow_dispatch: 37 | inputs: 38 | head: 39 | description: Branch to merge from (defaults to triggered branch if not specified) 40 | type: string 41 | required: false 42 | base: 43 | description: Branch to merge into 44 | type: string 45 | required: true 46 | debug: 47 | type: boolean 48 | required: false 49 | default: false 50 | 51 | # without 'contents: write' permission the PR merge fails with the error: 52 | # Message: Resource not accessible by integration, Locations: [{Line:1 Column:58}] 53 | permissions: 54 | contents: write 55 | pull-requests: write 56 | 57 | defaults: 58 | run: 59 | shell: bash -euxo pipefail {0} 60 | 61 | env: 62 | GH_TOKEN: ${{ github.token }} 63 | GH_NO_UPDATE_NOTIFIER: 1 64 | HEAD: ${{ inputs.head || github.event.inputs.head }} 65 | BASE: ${{ inputs.base || github.event.inputs.base }} 66 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 67 | 68 | concurrency: 69 | group: ${{ github.workflow }} 70 | cancel-in-progress: false # killing this part way through may leave PRs without auto-merging 71 | 72 | jobs: 73 | merge_branch: 74 | name: Merge Branch 75 | runs-on: ubuntu-latest 76 | container: harisekhon/bash-tools 77 | steps: 78 | - name: Linux Release 79 | if: runner.os == 'Linux' 80 | run: | 81 | [ -e /.dockerenv ] && ls -l /.dockerenv 82 | echo 83 | cat /etc/*-release 84 | 85 | - name: Linux Hardware 86 | if: runner.os == 'Linux' 87 | run: | 88 | set +x 89 | echo -n "CPUs: " 90 | nproc 91 | echo 92 | free -g 93 | echo 94 | df -h 95 | 96 | - name: Environment 97 | run: env | sort 98 | 99 | - name: Git version 100 | run: git --version 101 | 102 | - uses: actions/checkout@v3 103 | 104 | - name: GH CLI auth status 105 | run: | 106 | gh config set prompt disabled 107 | gh auth status 108 | 109 | - name: check/generate HEAD environment variable 110 | run: | 111 | if [ -z "$HEAD" ]; 
then 112 | if [ "$GITHUB_REF_TYPE" != "branch" ]; then 113 | echo "HEAD branch not specified and cannot infer from trigger branch as triggered from '$GITHUB_REF_TYPE' instead of branch" 114 | exit 1 115 | fi 116 | echo "HEAD branch not specified, assuming trigger branch '$GITHUB_REF_NAME'" 117 | echo "HEAD=$GITHUB_REF_NAME" >> "$GITHUB_ENV" 118 | fi 119 | 120 | - name: Merge Branch ${{ env.HEAD }} into ${{ env.BASE }} 121 | run: | 122 | github_merge_branch.sh "$HEAD" "$BASE" 123 | -------------------------------------------------------------------------------- /.github/workflows/packer.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2023-05-31 01:49:54 +0100 (Wed, 31 May 2023) 5 | # 6 | # https://github.com/HariSekhon/Templates 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # ============================================================================ # 16 | # H a s h i C o r p P a c k e r 17 | # ============================================================================ # 18 | 19 | --- 20 | name: HashiCorp Packer 21 | 22 | on: # yamllint disable-line rule:truthy 23 | workflow_call: 24 | inputs: 25 | files: 26 | description: The Packer .pkr.hcl file paths to validate, separated by spaces 27 | type: string 28 | required: false 29 | default: '*.pkr.hcl' 30 | 31 | permissions: 32 | contents: read 33 | 34 | concurrency: 35 | group: ${{ github.workflow }}-${{ github.ref }} 36 | cancel-in-progress: true 37 | 38 | defaults: 39 | run: 40 | shell: bash -euxo pipefail {0} 41 | 42 | jobs: 43 | packer: 44 | name: Packer 45 | timeout-minutes: 10 46 | runs-on: ubuntu-latest 47 | container: hashicorp/packer:light 48 | steps: 49 | 
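# environment-reporting steps, repeated verbatim in every workflow in this repo
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - uses: actions/checkout@v3
        #name: Git Checkout  # better to show the action@version

      - name: Packer Version
        run: packer --version

      - name: Validate Packer HCL
        # the caller-supplied file list is passed through an environment variable rather than
        # being expanded into the script text, so its contents cannot alter the shell commands;
        # unquoted $FILES is still word-split and glob-expanded (the '*.pkr.hcl' default) exactly
        # as the inline expansion was
        env:
          FILES: ${{ inputs.files }}
        run: |
          for file in $FILES; do
            # Tart is only for Apple Silicon chips and tries to install an arm64 darwin plugin which fails on GitHub's runners which are x86_64
            #if [[ "$file" =~ \.tart\. ]]; then
            if [[ "$file" =~ arm64|aarch64 ]]; then
              # ignoring invalid remote binary packer-plugin-tart_v1.3.1_x5.0_darwin_arm64.zip: wrong system, expected linux_amd64
              continue
            fi
            echo "Validating $file"
            echo
            packer init "$file"
            packer validate "$file"
            echo
          done
--------------------------------------------------------------------------------
/.github/workflows/packer_mac.yaml:
--------------------------------------------------------------------------------
# vim:ts=2:sts=2:sw=2:et
#
# Author: Hari Sekhon
# Date: 2023-05-31 01:49:54 +0100 (Wed, 31 May 2023)
#
# https://github.com/HariSekhon/Templates
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                H a s h i C o r p   P a c k e r   o n   M a c
#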
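============================================================================ #

# There are no M1/M2 Mac runners yet, have to wait before we can use this

---
name: HashiCorp Packer Mac

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      files:
        description: The Packer .pkr.hcl file paths to validate, separated by spaces
        type: string
        required: false
        default: '*.pkr.hcl'

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

defaults:
  run:
    shell: bash -euxo pipefail {0}

jobs:
  packer:
    name: Packer
    runs-on: macos-13
    steps:
      # the two Linux-only steps below are skipped on this macOS runner by their 'if'
      - name: Linux Release
        if: runner.os == 'Linux'
        run: |
          [ -e /.dockerenv ] && ls -l /.dockerenv
          echo
          cat /etc/*-release

      - name: Linux Hardware
        if: runner.os == 'Linux'
        run: |
          set +x
          echo -n "CPUs: "
          nproc
          echo
          free -g
          echo
          df -h

      - name: Environment
        run: env | sort

      - name: Git version
        run: git --version

      - uses: actions/checkout@v3
        #name: Git Checkout  # better to show the action@version

      - name: Validate Packer HCL
        # the caller-supplied file list is passed through an environment variable rather than
        # being expanded into the script text, so its contents cannot alter the shell commands;
        # unquoted $FILES is still word-split and glob-expanded (the '*.pkr.hcl' default) exactly
        # as the inline expansion was
        env:
          FILES: ${{ inputs.files }}
        run: |
          for file in $FILES; do
            if !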
[[ "$file" =~ arm64|aarch64 ]]; then 80 | continue 81 | fi 82 | echo "Validating $file" 83 | echo 84 | packer init "$file" 85 | packer validate "$file" 86 | echo 87 | done 88 | -------------------------------------------------------------------------------- /.github/workflows/pluto.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2021-11-30 18:44:49 +0000 (Tue, 30 Nov 2021) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # P l u t o 18 | # ============================================================================ # 19 | 20 | --- 21 | name: Pluto 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | debug: 27 | type: string 28 | required: false 29 | default: false 30 | 31 | permissions: 32 | contents: read 33 | 34 | defaults: 35 | run: 36 | shell: bash -euxo pipefail {0} 37 | 38 | env: 39 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 40 | 41 | jobs: 42 | pluto: 43 | runs-on: ubuntu-latest 44 | steps: 45 | - name: Linux Release 46 | if: runner.os == 'Linux' 47 | run: | 48 | [ -e /.dockerenv ] && ls -l /.dockerenv 49 | echo 50 | cat /etc/*-release 51 | 52 | - name: Linux Hardware 53 | if: runner.os == 'Linux' 54 | run: | 55 | set +x 56 | echo -n "CPUs: " 57 | nproc 58 | echo 59 | free -g 60 | echo 61 | df -h 62 | 63 | - name: Environment 64 | run: env | sort 65 | 66 | - name: Git version 67 | run: git --version 68 | 69 | - uses: actions/checkout@v3 70 | with: 71 | submodules: recursive # requires Git 
2.18+ to be installed first 72 | 73 | - name: Download Pluto 74 | uses: FairwindsOps/pluto/github-action@master 75 | 76 | - name: Pluto version 77 | run: pluto version 78 | 79 | - name: Pluto detect-files 80 | run: pluto detect-files -d . 81 | -------------------------------------------------------------------------------- /.github/workflows/polaris.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2021-11-30 18:55:57 +0000 (Tue, 30 Nov 2021) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # P o l a r i s 18 | # ============================================================================ # 19 | 20 | # Audit may fail on repos with JSON patches such as https://github.com/HariSekhon/Kubernetes-configs: 21 | # 22 | # https://github.com/FairwindsOps/polaris/issues/667 23 | # 24 | # and can't exclude files: 25 | # 26 | # https://github.com/FairwindsOps/polaris/issues/670 27 | # 28 | # the better solution is to run Polaris inside Kubernetes, see polaris*.yaml in: 29 | # 30 | # https://github.com/HariSekhon/Kubernetes-configs 31 | 32 | --- 33 | name: Polaris 34 | 35 | on: # yamllint disable-line rule:truthy 36 | workflow_call: 37 | inputs: 38 | debug: 39 | type: string 40 | required: false 41 | default: false 42 | 43 | permissions: 44 | contents: read 45 | 46 | defaults: 47 | run: 48 | shell: bash -euxo pipefail {0} 49 | 50 | env: 51 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 52 | 53 | jobs: 54 | polaris: 55 | runs-on: ubuntu-latest 56 | 
#container: quay.io/fairwinds/polaris:4.0.7 57 | steps: 58 | - name: Linux Release 59 | if: runner.os == 'Linux' 60 | run: | 61 | [ -e /.dockerenv ] && ls -l /.dockerenv 62 | echo 63 | cat /etc/*-release 64 | 65 | - name: Linux Hardware 66 | if: runner.os == 'Linux' 67 | run: | 68 | set +x 69 | echo -n "CPUs: " 70 | nproc 71 | echo 72 | free -g 73 | echo 74 | df -h 75 | 76 | - name: Environment 77 | run: env | sort 78 | 79 | - name: Git version 80 | run: git --version 81 | 82 | - uses: actions/checkout@v3 83 | 84 | #- name: Polaris Audit 85 | # uses: fairwindsops/polaris@master 86 | # with: 87 | # #version: 4.0.7 88 | # args: polaris audit --audit-path . -f pretty --only-show-failed-tests 89 | 90 | - name: Download Polaris 91 | uses: fairwindsops/polaris/.github/actions/setup-polaris@master 92 | with: 93 | version: 5.0.0 # omitting this fails to download from latest 94 | 95 | - name: Polaris version 96 | run: polaris version 97 | 98 | - name: Polaris Audit 99 | run: polaris audit --audit-path . 
-f pretty --only-show-failed-tests 100 | -------------------------------------------------------------------------------- /.github/workflows/preseed.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2023-05-31 01:49:54 +0100 (Wed, 31 May 2023) 5 | # 6 | # https://github.com/HariSekhon/Templates 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # ============================================================================ # 16 | # D e b i a n P r e s e e d 17 | # ============================================================================ # 18 | 19 | --- 20 | name: Debian Preseed 21 | 22 | on: # yamllint disable-line rule:truthy 23 | workflow_call: 24 | inputs: 25 | files: 26 | description: The preseed.cfg file paths to validate, separated by spaces 27 | type: string 28 | required: false 29 | default: preseed.cfg 30 | 31 | permissions: 32 | contents: read 33 | 34 | concurrency: 35 | group: ${{ github.workflow }}-${{ github.ref }} 36 | cancel-in-progress: true 37 | 38 | defaults: 39 | run: 40 | shell: bash -euxo pipefail {0} 41 | 42 | env: 43 | DEBIAN_FRONTEND: noninteractive 44 | 45 | jobs: 46 | preseed: 47 | name: Preseed 48 | timeout-minutes: 10 49 | runs-on: ubuntu-latest 50 | container: debian 51 | steps: 52 | - name: Linux Release 53 | if: runner.os == 'Linux' 54 | run: | 55 | [ -e /.dockerenv ] && ls -l /.dockerenv 56 | echo 57 | cat /etc/*-release 58 | 59 | - name: Linux Hardware 60 | if: runner.os == 'Linux' 61 | run: | 62 | set +x 63 | echo -n "CPUs: " 64 | nproc 65 | echo 66 | free -g 67 | echo 68 | df -h 69 | 70 | - name: Environment 71 | run: env | sort 72 | 73 | - name: Git version 74 | run: git --version 75 
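# (preseed.yaml continued: checkout, install debconf, validate)
      - uses: actions/checkout@v3
        #name: Git Checkout  # better to show the action@version

      - name: Install Debconf
        run: |
          apt-get update
          apt-get install debconf -y

      - name: Validate Preseed
        # the caller-supplied file list is passed through an environment variable rather than
        # being expanded into the script text, so its contents cannot alter the shell commands;
        # unquoted $FILES is still word-split on spaces exactly as the inline expansion was
        env:
          FILES: ${{ inputs.files }}
        run: |
          for file in $FILES; do
            echo "Validating $file"
            echo
            debconf-set-selections -c "$file"
            echo
          done
--------------------------------------------------------------------------------
/.github/workflows/pylint.yaml:
--------------------------------------------------------------------------------
#
# Author: Hari Sekhon
# Date: 2024-07-02 17:28:49 +0200 (Tue, 02 Jul 2024)
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#

# ============================================================================ #
#                                P y L i n t
# ============================================================================ #

# Should have a .pylintrc committed in the local repo working directory for customizing the checks
#
# See templates here:
#
#   https://github.com/HariSekhon/Templates/blob/master/.pylintrc
#
#   https://github.com/HariSekhon/DevOps-Python-tools/blob/master/.pylintrc
#
#   https://github.com/HariSekhon/pylib/blob/master/.pylintrc

---
name: Pylint

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
      - main
    paths:
      - '**/*.py'
  pull_request:
    branches:
      - master
      - main
    paths:
      - '**/*.py'
  workflow_call:
    inputs:
      python-version:
        type: string
        required: false
        # XXX: Python version 3.10 will need to be passed by the calling workflow as quoted '3.10' otherwise it will evaluate to '3.1' and break with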
this error: 50 | # 51 | # Error: The version '3.1' with architecture 'x64' was not found for Ubuntu 22.04. 52 | # 53 | default: '3.10' 54 | working-directory: 55 | type: string 56 | required: false 57 | default: . 58 | #no-pip-install: 59 | # type: string 60 | # required: false 61 | # default: false 62 | submodules: 63 | type: string 64 | required: false 65 | default: recursive 66 | debug: 67 | type: string 68 | required: false 69 | default: false 70 | workflow_dispatch: 71 | inputs: 72 | python-version: 73 | type: string 74 | required: false 75 | default: '3.10' 76 | working-directory: 77 | type: string 78 | required: false 79 | default: . 80 | submodules: 81 | type: string 82 | required: false 83 | default: recursive 84 | #no-pip-install: 85 | # type: boolean 86 | # required: false 87 | # default: false 88 | debug: 89 | type: boolean 90 | required: false 91 | default: false 92 | #schedule: 93 | # - cron: '0 0 * * 1' 94 | 95 | permissions: 96 | contents: read 97 | 98 | defaults: 99 | run: 100 | shell: bash -euxo pipefail {0} 101 | 102 | env: 103 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 104 | 105 | jobs: 106 | pylint: 107 | name: Pylint 108 | # github.event.repository.fork isn't available in scheduled workflows 109 | # can't prevent forks of this repo, because also prevents caller workflows 110 | #if: github.repository == 'HariSekhon/Github-Actions' 111 | runs-on: ubuntu-latest 112 | steps: 113 | - name: Linux Release 114 | if: runner.os == 'Linux' 115 | run: | 116 | [ -e /.dockerenv ] && ls -l /.dockerenv 117 | echo 118 | cat /etc/*-release 119 | 120 | - name: Linux Hardware 121 | if: runner.os == 'Linux' 122 | run: | 123 | set +x 124 | echo -n "CPUs: " 125 | nproc 126 | echo 127 | free -g 128 | echo 129 | df -h 130 | 131 | - name: Environment 132 | run: env | sort 133 | 134 | - name: Git version 135 | run: git --version 136 | 137 | - uses: actions/checkout@v3 138 | with: 139 | submodules: ${{ inputs.submodules }} # 
'recursive' default requires Git 2.18+ to be installed first 140 | 141 | - uses: actions/setup-python@v5 142 | with: 143 | python-version: ${{ inputs.python-version }} 144 | 145 | - name: Install Pylint 146 | run: pip install pylint 147 | 148 | - name: Install PyPI modules 149 | working-directory: ${{ inputs.working-directory }} 150 | #if: ${{ hashFiles('${{ inputs.working-directory }}/requirements.txt') != '' }} 151 | #if: ! ${{ inputs.no-pip-install ! = 'true' }} 152 | run: pip install -r requirements.txt 153 | 154 | - name: Pylint 155 | working-directory: ${{ inputs.working-directory }} 156 | run: pylint ./*.py # should have a .pylintrc committed in the local repo working directory for customizing the checks 157 | -------------------------------------------------------------------------------- /.github/workflows/reviewdog-pr.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-11 10:38:01 +0000 (Tue, 11 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # R e v i e w D o g P R R e v i e w 18 | # ============================================================================ # 19 | 20 | --- 21 | name: reviewdog PR review 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | debug: 27 | type: string 28 | required: false 29 | default: false 30 | 31 | permissions: 32 | contents: read 33 | #pull-requests: write 34 | 35 | defaults: 36 | run: 37 | shell: bash -euxo pipefail {0} 38 | 39 | env: 40 | DEBUG: ${{ inputs.debug == true || 
github.event.inputs.debug == 'true' || '' }} 41 | 42 | jobs: 43 | reviewdog: 44 | name: reviewdog 45 | runs-on: ubuntu-latest 46 | steps: 47 | - name: Linux Release 48 | if: runner.os == 'Linux' 49 | run: | 50 | [ -e /.dockerenv ] && ls -l /.dockerenv 51 | echo 52 | cat /etc/*-release 53 | 54 | - name: Linux Hardware 55 | if: runner.os == 'Linux' 56 | run: | 57 | set +x 58 | echo -n "CPUs: " 59 | nproc 60 | echo 61 | free -g 62 | echo 63 | df -h 64 | 65 | - name: Environment 66 | run: env | sort 67 | 68 | - name: Git version 69 | run: git --version 70 | 71 | - uses: actions/checkout@v3 72 | with: 73 | submodules: recursive # requires Git 2.18+ to be installed first 74 | 75 | - uses: reviewdog/action-setup@v1 76 | with: 77 | reviewdog_version: latest # Optional. [latest,nightly,v.X.Y.Z] 78 | 79 | - name: Run reviewdog 80 | env: 81 | REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} 82 | run: | 83 | reviewdog -reporter=github-pr-check -runners=golint,govet 84 | # or 85 | reviewdog -reporter=github-pr-review -runners=golint,govet 86 | -------------------------------------------------------------------------------- /.github/workflows/reviewdog.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-11 10:38:17 +0000 (Tue, 11 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # R e v i e w D o g C h e c k 18 | # ============================================================================ # 19 | 20 | --- 21 | name: reviewdog check 22 | 23 | on: # yamllint 
disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | debug: 27 | type: string 28 | required: false 29 | default: false 30 | 31 | permissions: 32 | contents: read 33 | 34 | defaults: 35 | run: 36 | shell: bash -euxo pipefail {0} 37 | 38 | env: 39 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 40 | 41 | jobs: 42 | reviewdog: 43 | name: reviewdog 44 | runs-on: ubuntu-latest 45 | steps: 46 | - name: Linux Release 47 | if: runner.os == 'Linux' 48 | run: | 49 | [ -e /.dockerenv ] && ls -l /.dockerenv 50 | echo 51 | cat /etc/*-release 52 | 53 | - name: Linux Hardware 54 | if: runner.os == 'Linux' 55 | run: | 56 | set +x 57 | echo -n "CPUs: " 58 | nproc 59 | echo 60 | free -g 61 | echo 62 | df -h 63 | 64 | - name: Environment 65 | run: env | sort 66 | 67 | - name: Git version 68 | run: git --version 69 | 70 | - uses: actions/checkout@v3 71 | with: 72 | submodules: recursive # requires Git 2.18+ to be installed first 73 | 74 | - name: Run reviewdog 75 | env: 76 | REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} 77 | run: | 78 | reviewdog -reporter=github-check -runners=golint,govet 79 | -------------------------------------------------------------------------------- /.github/workflows/semgrep-cloud.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-21 18:25:55 +0000 (Fri, 21 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # S e m g r e p C l o u d W o r k f l o w 16 | # ============================================================================ # 17 | 18 | # Logs results to https://semgrep.dev/ 19 | 20 | --- 21 | 
name: Semgrep Cloud 22 | 23 | on: # yamllint disable-line rule:truthy 24 | push: 25 | branches: 26 | - master 27 | - main 28 | ignore-paths: 29 | - '**/README.md' 30 | pull_request: 31 | branches: 32 | - master 33 | - main 34 | ignore-paths: 35 | - '**/README.md' 36 | workflow_call: 37 | inputs: 38 | debug: 39 | type: string 40 | required: false 41 | default: false 42 | secrets: 43 | SEMGREP_APP_TOKEN: 44 | required: true 45 | workflow_dispatch: 46 | inputs: 47 | debug: 48 | type: boolean 49 | required: false 50 | default: false 51 | schedule: 52 | - cron: '0 0 * * 1' 53 | 54 | permissions: 55 | contents: read 56 | 57 | defaults: 58 | run: 59 | shell: bash -euxo pipefail {0} 60 | 61 | env: 62 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 63 | 64 | jobs: 65 | semgrep: 66 | name: Semgrep Scan, report -> semgrep.dev 67 | 68 | # github.event.repository.fork isn't available in scheduled workflows 69 | # can't prevent forks of this repo, because also prevents caller workflows 70 | #if: github.repository == 'HariSekhon/Github-Actions' 71 | 72 | runs-on: ubuntu-latest 73 | container: 74 | image: returntocorp/semgrep 75 | steps: 76 | - name: Linux Release 77 | if: runner.os == 'Linux' 78 | run: | 79 | [ -e /.dockerenv ] && ls -l /.dockerenv 80 | echo 81 | cat /etc/*-release 82 | 83 | - name: Linux Hardware 84 | if: runner.os == 'Linux' 85 | run: | 86 | set +x 87 | echo -n "CPUs: " 88 | nproc 89 | echo 90 | free -g 91 | echo 92 | df -h 93 | 94 | - name: Environment 95 | run: env | sort 96 | 97 | - name: Git version 98 | run: git --version 99 | 100 | - uses: actions/checkout@v3 101 | with: 102 | submodules: recursive # requires Git 2.18+ to be installed first 103 | 104 | # Removed 105 | #- uses: returntocorp/semgrep-action@v1 106 | # with: 107 | # publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} 108 | # # does not accept config key - must use semgrep.dev to configure rules to run 109 | # config: >- # more at semgrep.dev/explore 110 | # # 
Change job timeout (default is 1800 seconds; set to 0 to disable) 111 | # #env: 112 | # #SEMGREP_AGENT_DEBUG: 1 113 | # #SEMGREP_TIMEOUT: 300 114 | 115 | - run: semgrep ci 116 | env: 117 | # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN. 118 | # Generate a token from Semgrep Cloud Platform > Settings 119 | # and add it to your GitHub secrets. 120 | SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} 121 | -------------------------------------------------------------------------------- /.github/workflows/semgrep.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Wed Jan 19 19:11:31 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # S e m g r e p W o r k f l o w 16 | # ============================================================================ # 17 | 18 | # Generates code scanning alerts in GitHub's Security tab -> Code scanning alerts 19 | 20 | # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs/#github-actions 21 | 22 | --- 23 | name: Semgrep 24 | 25 | on: # yamllint disable-line rule:truthy 26 | push: 27 | branches: 28 | - master 29 | - main 30 | ignore-paths: 31 | - '**/README.md' 32 | pull_request: 33 | branches: 34 | - master 35 | - main 36 | ignore-paths: 37 | - '**/README.md' 38 | workflow_call: 39 | inputs: 40 | # # https://semgrep.dev/explore 41 | # # https://semgrep.dev/r # full rule list 42 | # config: 43 | # type: string 44 | # required: false 45 | # default: | 46 | # p/r2c-ci 47 | # p/r2c-best-practices 48 | # p/docker-compose 49 | # p/dockerfile 50 | # p/kubernetes 51 | # p/nginx 52 | # p/terraform 53 | # p/python 54 | # p/golang 55 
| # #p/kotlin 56 | # #p/insecure-transport 57 | # #p/jwt 58 | # #p/xss 59 | # #p/django 60 | # #p/scala 61 | # #p/ruby 62 | # #p/javascript 63 | # #p/flask 64 | # #p/react 65 | # #p/nodejsscan 66 | # #p/eslint-plugin-security 67 | # #p/phpcs-security-audit 68 | debug: 69 | type: string 70 | required: false 71 | default: false 72 | workflow_dispatch: 73 | inputs: 74 | #config: 75 | # type: string 76 | # required: false 77 | debug: 78 | type: boolean 79 | required: false 80 | default: false 81 | schedule: 82 | - cron: '0 0 * * 1' 83 | 84 | permissions: 85 | actions: read 86 | contents: read 87 | security-events: write 88 | 89 | defaults: 90 | run: 91 | shell: bash -euxo pipefail {0} 92 | 93 | env: 94 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 95 | 96 | jobs: 97 | semgrep: 98 | name: Semgrep Scan, GitHub security report 99 | runs-on: ubuntu-latest 100 | container: 101 | image: returntocorp/semgrep 102 | 103 | # Skip any PR created by dependabot to avoid permission issues 104 | if: github.actor != 'dependabot[bot]' 105 | # github.event.repository.fork isn't available in scheduled workflows 106 | # can't prevent forks of this repo, because also prevents caller workflows 107 | 108 | steps: 109 | - name: Linux Release 110 | if: runner.os == 'Linux' 111 | run: | 112 | [ -e /.dockerenv ] && ls -l /.dockerenv 113 | echo 114 | cat /etc/*-release 115 | 116 | - name: Linux Hardware 117 | if: runner.os == 'Linux' 118 | run: | 119 | set +x 120 | echo -n "CPUs: " 121 | nproc 122 | echo 123 | free -g 124 | echo 125 | df -h 126 | 127 | - name: Environment 128 | run: env | sort 129 | 130 | # ubuntu-latest already has this installed and a newer version 131 | #- name: Install Git 132 | # run: sudo apt-get update && sudo apt-get install -y git --no-install-recommends 133 | 134 | - name: Git version 135 | run: git --version 136 | 137 | - uses: actions/checkout@v3 138 | with: 139 | submodules: recursive # requires Git 2.18+ to be installed first 140 
| 141 | # XXX: workaround for: https://github.com/returntocorp/semgrep/issues/5316 142 | - name: configure .semgrepignore 143 | run: | 144 | if ! [ -f .semgrepignore ]; then 145 | wget -O .semgrepignore https://raw.githubusercontent.com/returntocorp/semgrep/develop/cli/src/semgrep/templates/.semgrepignore 146 | fi 147 | echo semgrep.sarif >> .semgrepignore 148 | 149 | # Removed 150 | #- uses: returntocorp/semgrep-action@v1 151 | # with: 152 | # config: >- # more at semgrep.dev/explore 153 | # ${{ inputs.config }} 154 | # ${{ github.event.inputs.config }} 155 | # 156 | # p/security-audit 157 | # p/secrets 158 | # p/semgrep-misconfigurations 159 | # p/semgrep-rule-lints 160 | # p/github-actions 161 | # p/ci 162 | # p/owasp-top-ten 163 | # p/command-injection 164 | # p/sql-injection 165 | # 166 | # # == Optional settings in the `with:` block 167 | # 168 | # # Instead of `config:`, use rules set in Semgrep App. 169 | # # Get your token from semgrep.dev/manage/settings. 170 | # # publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} 171 | # 172 | # # XXX: both of these are not obsolete cause breakage 173 | # # 174 | # # Never fail the build due to findings on pushes. 175 | # # Instead, just collect findings for semgrep.dev/manage/findings 176 | # #auditOn: push 177 | # #auditOn: push workflow_dispatch cron 178 | # generateSarif: "1" 179 | # 180 | # # Change job timeout (default is 1800 seconds; set to 0 to disable) 181 | # #env: 182 | # #SEMGREP_AGENT_DEBUG: 1 183 | # #SEMGREP_TIMEOUT: 300 184 | 185 | - run: semgrep ci --config auto --sarif > semgrep.sarif 186 | env: 187 | # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN. 188 | # Generate a token from Semgrep Cloud Platform > Settings 189 | # and add it to your GitHub secrets. 
190 | SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} 191 | 192 | # Upload findings to GitHub Advanced Security Dashboard [step 2/2] 193 | - name: Upload SARIF file for GitHub Advanced Security Dashboard 194 | uses: github/codeql-action/upload-sarif@v2 195 | with: 196 | sarif_file: semgrep.sarif 197 | if: always() 198 | -------------------------------------------------------------------------------- /.github/workflows/shellcheck.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # S h e l l c h e c k 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Shellcheck 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**/*.sh' 28 | - .github/workflows/shellcheck.yaml 29 | pull_request: 30 | branches: 31 | - master 32 | - main 33 | paths: 34 | - '**/*.sh' 35 | - .github/workflows/shellcheck.yaml 36 | workflow_call: 37 | inputs: 38 | submodules: 39 | type: string 40 | required: false 41 | default: recursive 42 | debug: 43 | type: string 44 | required: false 45 | default: false 46 | workflow_dispatch: 47 | inputs: 48 | submodules: 49 | type: string 50 | required: false 51 | default: recursive 52 | debug: 53 | type: boolean 54 | required: false 55 | default: false 56 | 57 | permissions: 58 | contents: read 59 | 60 | defaults: 61 | run: 62 | shell: bash -euxo pipefail {0} 63 | 64 | env: 65 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 66 | 67 | 
jobs: 68 | shellcheck: 69 | name: ShellCheck 70 | # github.event.repository.fork isn't available in scheduled workflows 71 | # can't prevent forks of this repo, because also prevents caller workflows 72 | #if: github.repository == 'HariSekhon/Github-Actions' 73 | runs-on: ubuntu-latest 74 | container: harisekhon/bash-tools:latest 75 | steps: 76 | - name: Linux Release 77 | if: runner.os == 'Linux' 78 | run: | 79 | [ -e /.dockerenv ] && ls -l /.dockerenv 80 | echo 81 | cat /etc/*-release 82 | 83 | - name: Linux Hardware 84 | if: runner.os == 'Linux' 85 | run: | 86 | set +x 87 | echo -n "CPUs: " 88 | nproc 89 | echo 90 | free -g 91 | echo 92 | df -h 93 | 94 | - name: Environment 95 | run: env | sort 96 | 97 | - name: Git version 98 | run: git --version 99 | 100 | - uses: actions/checkout@v3 101 | with: 102 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 103 | 104 | - name: ShellCheck 105 | run: | 106 | if [ -f .envrc.shellcheck ]; then 107 | . 
.envrc.shellcheck 108 | fi 109 | check_shellcheck.sh 110 | -------------------------------------------------------------------------------- /.github/workflows/sonarcloud.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2023-04-14 23:53:43 +0100 (Fri, 14 Apr 2023) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # S o n a r C l o u d 18 | # ============================================================================ # 19 | 20 | --- 21 | name: SonarCloud 22 | on: # yamllint disable-line rule:truthy 23 | push: 24 | branches: 25 | - master 26 | - main 27 | paths-ignore: 28 | - '**/*.md' 29 | pull_request: 30 | branches: 31 | - master 32 | - main 33 | paths-ignore: 34 | - '**/*.md' 35 | # types: 36 | # - opened 37 | # - synchronize 38 | # - reopened 39 | workflow_call: 40 | secrets: 41 | # not needed, would clash with system reserved name 42 | #GITHUB_TOKEN: 43 | # required: false 44 | SONAR_TOKEN: 45 | required: true 46 | workflow_dispatch: 47 | 48 | permissions: 49 | contents: read 50 | pull-requests: read 51 | 52 | concurrency: 53 | group: ${{ github.workflow }}-${{ github.ref }} 54 | cancel-in-progress: true 55 | 56 | jobs: 57 | SonarCloud: 58 | name: SonarCloud 59 | runs-on: ubuntu-latest 60 | steps: 61 | - name: Linux Release 62 | if: runner.os == 'Linux' 63 | run: | 64 | [ -e /.dockerenv ] && ls -l /.dockerenv 65 | echo 66 | cat /etc/*-release 67 | 68 | - name: Linux Hardware 69 | if: runner.os == 'Linux' 70 | run: | 71 | set +x 72 | echo -n "CPUs: " 73 | nproc 74 | 
echo 75 | free -g 76 | echo 77 | df -h 78 | 79 | - name: Environment 80 | run: env | sort 81 | 82 | - name: Git version 83 | run: git --version 84 | 85 | - uses: actions/checkout@v3 86 | with: 87 | fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis 88 | 89 | - name: SonarCloud Scan 90 | uses: SonarSource/sonarcloud-github-action@master 91 | env: 92 | #GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any 93 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 94 | -------------------------------------------------------------------------------- /.github/workflows/sqlfluff.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # S Q L F L u f f 16 | # ============================================================================ # 17 | 18 | --- 19 | name: SQLFluff 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**/*.sql' 28 | - .github/workflows/sqlfluff.yaml 29 | pull_request: 30 | branches: 31 | - master 32 | - main 33 | paths: 34 | - '**/*.sql' 35 | - .github/workflows/sqlfluff.yaml 36 | workflow_call: 37 | inputs: 38 | submodules: 39 | type: string 40 | required: false 41 | default: recursive 42 | debug: 43 | type: string 44 | required: false 45 | default: false 46 | workflow_dispatch: 47 | inputs: 48 | submodules: 49 | type: string 50 | required: false 51 | default: recursive 52 | debug: 53 | type: boolean 54 | required: false 55 | default: false 56 | #schedule: 57 | # - cron: '0 0 
* * 1' 58 | 59 | permissions: 60 | contents: read 61 | 62 | defaults: 63 | run: 64 | shell: bash -euxo pipefail {0} 65 | 66 | env: 67 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 68 | 69 | jobs: 70 | sqlfluff: 71 | name: SQLFluff 72 | # github.event.repository.fork isn't available in scheduled workflows 73 | # can't prevent forks of this repo, because also prevents caller workflows 74 | #if: github.repository == 'HariSekhon/Github-Actions' 75 | runs-on: ubuntu-latest 76 | container: harisekhon/bash-tools:latest 77 | steps: 78 | - name: Linux Release 79 | if: runner.os == 'Linux' 80 | run: | 81 | [ -e /.dockerenv ] && ls -l /.dockerenv 82 | echo 83 | cat /etc/*-release 84 | 85 | - name: Linux Hardware 86 | if: runner.os == 'Linux' 87 | run: | 88 | set +x 89 | echo -n "CPUs: " 90 | nproc 91 | echo 92 | free -g 93 | echo 94 | df -h 95 | 96 | - name: Environment 97 | run: env | sort 98 | 99 | - name: Git version 100 | run: git --version 101 | 102 | - uses: actions/checkout@v3 103 | with: 104 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 105 | 106 | - name: SQLFluff 107 | run: | 108 | check_sqlfluff.sh 109 | -------------------------------------------------------------------------------- /.github/workflows/systemd-analyze.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-10-09 06:32:44 +0300 (Wed, 09 Oct 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # S y s t e m d A n a l y z e 16 | # ============================================================================ # 17 | 18 | --- 
19 | name: Systemd-Analyze Verify 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | debug: 25 | type: string 26 | required: false 27 | default: false 28 | workflow_dispatch: 29 | inputs: 30 | debug: 31 | type: boolean 32 | required: false 33 | default: false 34 | #schedule: 35 | # - cron: '0 0 * * 1' 36 | 37 | permissions: 38 | contents: read 39 | 40 | defaults: 41 | run: 42 | shell: bash -euxo pipefail {0} 43 | 44 | env: 45 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 46 | 47 | jobs: 48 | systemd_analyze_verify: 49 | name: Systemd-Analyze Verify 50 | runs-on: ubuntu-latest 51 | container: fedora:latest 52 | steps: 53 | - name: Linux Release 54 | if: runner.os == 'Linux' 55 | run: | 56 | [ -e /.dockerenv ] && ls -l /.dockerenv 57 | echo 58 | cat /etc/*-release 59 | 60 | - name: Linux Hardware 61 | if: runner.os == 'Linux' 62 | run: | 63 | set +x 64 | echo -n "CPUs: " 65 | nproc 66 | echo 67 | free -g 68 | echo 69 | df -h 70 | 71 | - name: Environment 72 | run: env | sort 73 | 74 | - name: Install Git 75 | run: dnf install -y git 76 | 77 | - name: Install Systemd 78 | run: dnf install -y systemd 79 | 80 | - name: Git version 81 | run: git --version 82 | 83 | - uses: actions/checkout@v3 84 | with: 85 | submodules: recursive # requires Git 2.18+ to be installed first 86 | 87 | # to avoid this error: 88 | # 89 | # Command /usr/local/bin/prometheus is not executable: No such file or directory 90 | # 91 | - name: Replace ExecStart binaries in Systemd unit files with /bin/true to avoid executable not found errors 92 | run: | 93 | find . -name '*.service' -type f | 94 | xargs sed -i 's|ExecStart=.*|ExecStart=/bin/true|' 95 | 96 | - name: Systemd Analyze 97 | run: | 98 | find . 
-name '*.service' -type f | 99 | xargs -I {} sh -c 'systemd-analyze verify {} || exit 1' 100 | -------------------------------------------------------------------------------- /.github/workflows/terraform-fmt-write.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-11 15:50:21 +0000 (Fri, 11 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T e r r a f o r m F m t W r i t e 16 | # ============================================================================ # 17 | 18 | # Lints and fixes Terraform code formatting, git commits and pushes back into local repo to self-fix 19 | 20 | --- 21 | name: Terraform Fmt Write 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | debug: 27 | type: string 28 | required: false 29 | default: false 30 | workflow_dispatch: 31 | inputs: 32 | debug: 33 | type: boolean 34 | required: false 35 | default: false 36 | #schedule: 37 | # - cron: '0 0 * * 1' 38 | 39 | permissions: 40 | contents: write 41 | pull-requests: write 42 | 43 | defaults: 44 | run: 45 | # hashicorp/terraform doesn't have bash 46 | #shell: bash -euxo pipefail {0} 47 | shell: sh -eux {0} 48 | 49 | env: 50 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 51 | 52 | jobs: 53 | format-write: 54 | name: Terraform Fmt Write 55 | runs-on: ubuntu-latest 56 | container: hashicorp/terraform:latest 57 | steps: 58 | - name: Linux Release 59 | if: runner.os == 'Linux' 60 | run: | 61 | [ -e /.dockerenv ] && ls -l /.dockerenv 62 | echo 63 | cat /etc/*-release 64 | 65 | - name: Linux Hardware 66 | if: runner.os == 
'Linux' 67 | run: | 68 | set +x 69 | echo -n "CPUs: " 70 | nproc 71 | echo 72 | free -g 73 | echo 74 | df -h 75 | 76 | - name: Environment 77 | run: env | sort 78 | 79 | # hashicorp/terraform does have git 80 | - name: Git version 81 | run: git --version 82 | 83 | - uses: actions/checkout@v3 84 | with: 85 | submodules: recursive # requires Git 2.18+ to be installed first 86 | 87 | - name: Terraform Fmt 88 | run: terraform fmt -diff -write -recursive 89 | 90 | - name: Git Commit 91 | id: commit 92 | # must use | otherwise the semi-colon triggers a yaml parsing error even within quotes 93 | run: | 94 | git config --global --add safe.directory "$PWD" 95 | 96 | #git commit --author "$(git log -n 1 --format='%an <%ae>')" --message "Terraform Fmt fixes - GitHub Actions Workflow: $GITHUB_WORKFLOW" . 97 | # --author override doesn't work, still gets: 98 | # 99 | # Committer identity unknown 100 | # 101 | # ... 102 | # 103 | # fatal: unable to auto-detect email address (got 'root@39c481e28c3c.(none)' 104 | # Error: Process completed with exit code 128.' 105 | 106 | if git diff-index --quiet HEAD --; then 107 | echo "No changes to commit" 108 | exit 0 109 | fi 110 | 111 | git config user.name "$(git log -n 1 --format='%an')" 112 | git config user.email "$(git log -n 1 --format='%ae')" 113 | 114 | git commit --message "Terraform Fmt fixes - GitHub Actions Workflow: $GITHUB_WORKFLOW" . 
115 | 116 | echo "new_commits=true" >> $GITHUB_OUTPUT 117 | 118 | - name: Git Push 119 | if: steps.commit.outputs.new_commits == 'true' 120 | run: | 121 | git fetch 122 | 123 | ref="${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" 124 | 125 | git log origin/"$ref"..HEAD 126 | 127 | git diff origin/"$ref"..HEAD 128 | 129 | # fatal: origin/UN-xxxxx-mybranch...HEAD: no merge base 130 | #git diff origin/"$ref"...HEAD 131 | 132 | git push origin HEAD:"$ref" 133 | -------------------------------------------------------------------------------- /.github/workflows/terraform-fmt.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-11 15:50:21 +0000 (Fri, 11 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T e r r a f o r m F m t 16 | # ============================================================================ # 17 | 18 | # Lints Terraform code (see adjacent terraform-fmt-write.yaml to auto-fix the code) 19 | 20 | --- 21 | name: Terraform Fmt 22 | 23 | on: # yamllint disable-line rule:truthy 24 | workflow_call: 25 | inputs: 26 | debug: 27 | type: string 28 | required: false 29 | default: false 30 | workflow_dispatch: 31 | inputs: 32 | debug: 33 | type: boolean 34 | required: false 35 | default: false 36 | #schedule: 37 | # - cron: '0 0 * * 1' 38 | 39 | permissions: 40 | contents: read 41 | 42 | defaults: 43 | run: 44 | # hashicorp/terraform doesn't have bash 45 | #shell: bash -euxo pipefail {0} 46 | shell: sh -eux {0} 47 | 48 | env: 49 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 50 | 51 | jobs: 52 | format: 53 | name: Terraform Fmt 54 | 
runs-on: ubuntu-latest 55 | container: hashicorp/terraform:latest 56 | steps: 57 | - name: Linux Release 58 | if: runner.os == 'Linux' 59 | run: | 60 | [ -e /.dockerenv ] && ls -l /.dockerenv 61 | echo 62 | cat /etc/*-release 63 | 64 | - name: Linux Hardware 65 | if: runner.os == 'Linux' 66 | run: | 67 | set +x 68 | echo -n "CPUs: " 69 | nproc 70 | echo 71 | free -g 72 | echo 73 | df -h 74 | 75 | - name: Environment 76 | run: env | sort 77 | 78 | # hashicorp/terraform does have git 79 | - name: Git version 80 | run: git --version 81 | 82 | - uses: actions/checkout@v3 83 | with: 84 | submodules: recursive # requires Git 2.18+ to be installed first 85 | 86 | - name: Terraform Fmt 87 | run: terraform fmt -diff -check -recursive 88 | -------------------------------------------------------------------------------- /.github/workflows/terraform-validate.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-11 15:50:21 +0000 (Fri, 11 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T e r r a f o r m V a l i d a t e 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Terraform Validate 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | debug: 25 | type: string 26 | required: false 27 | default: false 28 | workflow_dispatch: 29 | inputs: 30 | debug: 31 | type: boolean 32 | required: false 33 | default: false 34 | #schedule: 35 | # - cron: '0 0 * * 1' 36 | 37 | permissions: 38 | contents: read 39 | 40 | defaults: 41 | run: 42 | # hashicorp/terraform doesn't have bash 43 | #shell: 
bash -euxo pipefail {0} 44 | shell: sh -eux {0} 45 | 46 | env: 47 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 48 | 49 | jobs: 50 | validate: 51 | name: Terraform Validate 52 | runs-on: ubuntu-latest 53 | container: hashicorp/terraform:latest 54 | steps: 55 | - name: Linux Release 56 | if: runner.os == 'Linux' 57 | run: | 58 | [ -e /.dockerenv ] && ls -l /.dockerenv 59 | echo 60 | cat /etc/*-release 61 | 62 | - name: Linux Hardware 63 | if: runner.os == 'Linux' 64 | run: | 65 | set +x 66 | echo -n "CPUs: " 67 | nproc 68 | echo 69 | free -g 70 | echo 71 | df -h 72 | 73 | - name: Environment 74 | run: env | sort 75 | 76 | # hashicorp/terraform does have git 77 | - name: Git version 78 | run: git --version 79 | 80 | - uses: actions/checkout@v3 81 | with: 82 | submodules: recursive # requires Git 2.18+ to be installed first 83 | 84 | - name: Terraform Init 85 | run: terraform init 86 | 87 | - name: Terraform Validate 88 | run: terraform validate 89 | -------------------------------------------------------------------------------- /.github/workflows/tflint.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-06-21 17:39:15 +0200 (Fri, 21 Jun 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T F l i n t G i t H u b W o r k f l o w 16 | # ============================================================================ # 17 | 18 | --- 19 | name: tfsec 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | debug: 25 | type: string 26 | required: false 27 | default: false 28 | 29 | defaults: 30 | run: 31 | shell: 
bash -euxo pipefail {0} 32 | 33 | env: 34 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 35 | 36 | jobs: 37 | tflint: 38 | name: tflint 39 | runs-on: ubuntu-latest 40 | steps: 41 | - name: Linux Release 42 | if: runner.os == 'Linux' 43 | run: | 44 | [ -e /.dockerenv ] && ls -l /.dockerenv 45 | echo 46 | cat /etc/*-release 47 | 48 | - name: Linux Hardware 49 | if: runner.os == 'Linux' 50 | run: | 51 | set +x 52 | echo -n "CPUs: " 53 | nproc 54 | echo 55 | free -g 56 | echo 57 | df -h 58 | 59 | - name: Environment 60 | run: env | sort 61 | 62 | - name: Git version 63 | run: git --version 64 | 65 | - uses: actions/checkout@v3 66 | 67 | - name: install tflint 68 | run: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash 69 | 70 | - name: tflint 71 | run: tflint 72 | -------------------------------------------------------------------------------- /.github/workflows/tfsec-pr-commenter.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Jan 11 10:39:02 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T F s e c G i t H u b W o r k f l o w 16 | # ============================================================================ # 17 | 18 | # Comments on any PR that adds transgressions 19 | 20 | # https://aquasecurity.github.io/tfsec/v0.63.1/getting-started/configuration/github-actions/pr-commenter/ 21 | 22 | --- 23 | name: tfsec-pr-commenter 24 | 25 | on: # yamllint disable-line rule:truthy 26 | workflow_call: 27 | inputs: 28 | debug: 29 | type: string 30 | required: false 31 | default: false 32 | 
33 | permissions: 34 | contents: read 35 | pull-requests: write 36 | 37 | defaults: 38 | run: 39 | shell: bash -euxo pipefail {0} 40 | 41 | env: 42 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 43 | 44 | jobs: 45 | tfsec: 46 | name: tfsec PR commenter 47 | runs-on: ubuntu-latest 48 | steps: 49 | - name: Linux Release 50 | if: runner.os == 'Linux' 51 | run: | 52 | [ -e /.dockerenv ] && ls -l /.dockerenv 53 | echo 54 | cat /etc/*-release 55 | 56 | - name: Linux Hardware 57 | if: runner.os == 'Linux' 58 | run: | 59 | set +x 60 | echo -n "CPUs: " 61 | nproc 62 | echo 63 | free -g 64 | echo 65 | df -h 66 | 67 | - name: Environment 68 | run: env | sort 69 | 70 | - name: Git version 71 | run: git --version 72 | 73 | - uses: actions/checkout@v3 74 | 75 | - name: tfsec 76 | #uses: aquasecurity/tfsec-pr-commenter-action@5e9f770638057da497182661aacbf640ca94f4e9 77 | uses: aquasecurity/tfsec-pr-commenter-action@main 78 | with: 79 | github_token: ${{ github.token }} 80 | # or 81 | #github_token: ${{ secrets.GITHUB_TOKEN }} 82 | -------------------------------------------------------------------------------- /.github/workflows/tfsec.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Jan 11 10:39:02 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T F s e c G i t H u b W o r k f l o w 16 | # ============================================================================ # 17 | 18 | # Static analysis of Terraform code - publishes report to GitHub Security tab 19 | 20 | # 
https://aquasecurity.github.io/tfsec/v0.63.1/getting-started/configuration/github-actions/github-action/ 21 | 22 | --- 23 | name: tfsec 24 | 25 | on: # yamllint disable-line rule:truthy 26 | workflow_call: 27 | inputs: 28 | debug: 29 | type: string 30 | required: false 31 | default: false 32 | 33 | permissions: 34 | actions: read 35 | contents: read 36 | security-events: write 37 | 38 | defaults: 39 | run: 40 | shell: bash -euxo pipefail {0} 41 | 42 | env: 43 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 44 | 45 | jobs: 46 | tfsec: 47 | name: tfsec scan & sarif report 48 | runs-on: ubuntu-latest 49 | steps: 50 | - name: Linux Release 51 | if: runner.os == 'Linux' 52 | run: | 53 | [ -e /.dockerenv ] && ls -l /.dockerenv 54 | echo 55 | cat /etc/*-release 56 | 57 | - name: Linux Hardware 58 | if: runner.os == 'Linux' 59 | run: | 60 | set +x 61 | echo -n "CPUs: " 62 | nproc 63 | echo 64 | free -g 65 | echo 66 | df -h 67 | 68 | - name: Environment 69 | run: env | sort 70 | 71 | - name: Git version 72 | run: git --version 73 | 74 | - uses: actions/checkout@v3 75 | 76 | - name: tfsec 77 | #uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f 78 | uses: aquasecurity/tfsec-sarif-action@master 79 | with: 80 | sarif_file: tfsec.sarif 81 | #config_file: tfsec.yaml # default: .tfsec/config.yaml 82 | #working_directory: terraform/ 83 | #github_token: ${{ secrets.GITHUB_TOKEN }} 84 | 85 | - name: Upload SARIF file 86 | uses: github/codeql-action/upload-sarif@v2 87 | with: 88 | # Path to SARIF file relative to the root of the repository 89 | sarif_file: tfsec.sarif 90 | -------------------------------------------------------------------------------- /.github/workflows/trivy_aws_ecr.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-31 16:49:05 +0000 (Mon, 31 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # 
https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # T r i v y S c a n D o c k e r I m a g e i n A W S E C R 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Trivy AWS ECR 20 | 21 | on: # yamllint disable-line rule:truthy 22 | workflow_call: 23 | inputs: 24 | repo: 25 | description: The ECR repository, without the 'xxx.dkr.ecr..amazonaws.com' prefix 26 | type: string 27 | required: true 28 | severity: 29 | description: Set a severity to trigger CI workflow failure 30 | type: string 31 | default: HIGH,CRITICAL 32 | required: false 33 | no_sarif: 34 | description: Disable GitHub Security tab integration to avoid spamming it with tonnes of OS CVEs in docker images 35 | type: boolean 36 | default: false 37 | required: false 38 | debug: 39 | type: string 40 | required: false 41 | default: false 42 | secrets: 43 | AWS_ACCESS_KEY_ID: 44 | required: true 45 | AWS_SECRET_ACCESS_KEY: 46 | required: true 47 | AWS_DEFAULT_REGION: 48 | required: true 49 | workflow_dispatch: 50 | inputs: 51 | repo: 52 | description: The ECR repository, without the 'xxx.dkr.ecr..amazonaws.com' prefix 53 | type: string 54 | required: true 55 | severity: 56 | description: Set a severity to trigger CI workflow failure 57 | type: string 58 | default: HIGH,CRITICAL 59 | required: false 60 | no_sarif: 61 | description: Disable GitHub Security tab integration to avoid spamming it with tonnes of OS CVEs in docker images 62 | type: boolean 63 | default: false 64 | required: false 65 | debug: 66 | type: boolean 67 | required: false 68 | default: false 69 | secrets: 70 | AWS_ACCESS_KEY_ID: 71 | required: true 72 | AWS_SECRET_ACCESS_KEY: 73 | required: true 74 | AWS_DEFAULT_REGION: 75 | 
required: true 76 | schedule: 77 | - cron: '0 0 * * 1' 78 | 79 | permissions: 80 | actions: read 81 | contents: read 82 | security-events: write 83 | 84 | defaults: 85 | run: 86 | shell: bash -euxo pipefail {0} 87 | 88 | env: 89 | REPO: ${{ inputs.repo || github.events.inputs.repo }} 90 | AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} 91 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 92 | 93 | jobs: 94 | trivy: 95 | name: Trivy AWS ECR 96 | runs-on: ubuntu-latest 97 | steps: 98 | - name: Linux Release 99 | if: runner.os == 'Linux' 100 | run: | 101 | [ -e /.dockerenv ] && ls -l /.dockerenv 102 | echo 103 | cat /etc/*-release 104 | 105 | - name: Linux Hardware 106 | if: runner.os == 'Linux' 107 | run: | 108 | set +x 109 | echo -n "CPUs: " 110 | nproc 111 | echo 112 | free -g 113 | echo 114 | df -h 115 | 116 | - name: Environment 117 | run: env | sort 118 | 119 | - name: Git version 120 | run: git --version 121 | 122 | - uses: actions/checkout@v3 123 | 124 | - name: Configure AWS credentials 125 | id: configure-aws-credentials 126 | uses: aws-actions/configure-aws-credentials@v2 127 | with: 128 | aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} 129 | aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 130 | aws-region: ${{ secrets.AWS_DEFAULT_REGION }} 131 | 132 | - name: Generate environment variable AWS_ACCOUNT_ID 133 | run: | 134 | #AWS_ACCOUNT_ID="$(aws sts get-caller-identity | jq -r .Account)" 135 | #echo "AWS_ACCOUNT_ID=$AWS_ACCOUNT_ID" >> "$GITHUB_ENV" 136 | echo "AWS_ACCOUNT_ID=${{ steps.configure-aws-credentials.outputs.aws-account-id }}" >> "$GITHUB_ENV" 137 | - name: Generate environment variable AWS_ECR_REGISTRY 138 | run: echo "AWS_ECR_REGISTRY=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com" >> "$GITHUB_ENV" 139 | - name: Generate environment variable DOCKER_IMAGE 140 | run: echo "DOCKER_IMAGE=$AWS_ECR_REGISTRY/$REPO" >> "$GITHUB_ENV" 141 | 142 | - name: Login to ECR 143 | uses: 
docker/login-action@v1 144 | with: 145 | registry: ${{ env.AWS_ECR_REGISTRY }} 146 | username: ${{ secrets.AWS_ACCESS_KEY_ID }} 147 | password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 148 | 149 | - name: Trivy (Full Informational) 150 | run: | 151 | # informational to see all issues 152 | trivy image --no-progress "$TARGET" 153 | 154 | - name: Run Trivy vulnerability scanner to generate sarif 155 | if: ${{ ! ( inputs.no_sarif || github.event.inputs.sarif ) }} 156 | uses: aquasecurity/trivy-action@master 157 | with: 158 | image-ref: ${{ env.DOCKER_IMAGE }}:${{ github.sha }} 159 | format: template 160 | template: '@/contrib/sarif.tpl' 161 | output: trivy-results.sarif 162 | env: 163 | AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} 164 | AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} 165 | AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} 166 | 167 | - name: Upload Trivy sarif scan results to GitHub Security tab 168 | if: ${{ ! ( inputs.no_sarif || github.event.inputs.sarif ) }} 169 | uses: github/codeql-action/upload-sarif@v2 170 | with: 171 | sarif_file: trivy-results.sarif 172 | 173 | - name: Trivy (with Severity Error Out) 174 | if: ${{ inputs.severity || github.event.inputs.severity }} 175 | env: 176 | SEVERITY: ${{ inputs.severity | github.event.inputs.severity }} 177 | run: | 178 | # fail the pipeline if any of the issues are in $SEVERITY eg. 
HIGH,CRITICAL 179 | trivy image --no-progress --exit-code 1 --severity "$SEVERITY" "$TARGET" 180 | -------------------------------------------------------------------------------- /.github/workflows/trivy_image.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-31 16:49:05 +0000 (Mon, 31 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # Trivy Container Image Scan with GitHub Security Alerts Integration 16 | # ============================================================================ # 17 | 18 | # Split from trivy.yaml because differing versions between aquasec/trivy:latest docker image and aquasecurity/trivy-action@master github action cause breakage: 19 | # 20 | # 2022-02-02T11:58:59.840Z ERROR Trivy version (0.22.0) is old. Update to the latest version. 21 | # 2022-02-02T11:58:59.840Z FATAL DB error: database error: the version of DB schema doesn't match. 
Local DB: 2, Expected: 1 22 | 23 | --- 24 | name: Trivy Image Scan GitHub Security Alerts 25 | 26 | on: # yamllint disable-line rule:truthy 27 | workflow_call: 28 | inputs: 29 | image: 30 | description: The container image to scan 31 | type: string 32 | required: true 33 | severity: 34 | description: Set a severity to trigger CI workflow failure 35 | type: string 36 | default: HIGH,CRITICAL 37 | required: false 38 | debug: 39 | type: string 40 | default: true 41 | workflow_dispatch: 42 | inputs: 43 | image: 44 | description: The container image to scan 45 | type: string 46 | required: true 47 | severity: 48 | description: Set a severity to trigger CI workflow failure 49 | type: string 50 | default: HIGH,CRITICAL 51 | required: false 52 | debug: 53 | type: boolean 54 | required: false 55 | default: false 56 | 57 | permissions: 58 | actions: read 59 | contents: read 60 | security-events: write 61 | 62 | defaults: 63 | run: 64 | shell: sh -eux {0} 65 | 66 | env: 67 | # ${{ inputs.* }} is set by workflow_call 68 | # ${{ github.event.inputs.* }} is set by workflow_dispatch 69 | IMAGE: ${{ inputs.image || github.event.inputs.image }} 70 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 71 | 72 | jobs: 73 | environment: 74 | name: Environment 75 | runs-on: ubuntu-latest 76 | container: aquasec/trivy:latest 77 | steps: 78 | - name: Linux Release 79 | if: runner.os == 'Linux' 80 | run: | 81 | [ -e /.dockerenv ] && ls -l /.dockerenv 82 | echo 83 | cat /etc/*-release 84 | 85 | - name: Linux Hardware 86 | if: runner.os == 'Linux' 87 | run: | 88 | set +x 89 | echo -n "CPUs: " 90 | nproc 91 | echo 92 | free -g 93 | echo 94 | df -h 95 | 96 | - name: Environment 97 | run: env | sort 98 | 99 | - name: Git version 100 | run: git --version 101 | 102 | trivy: 103 | name: Scan Image 104 | runs-on: ubuntu-latest 105 | container: aquasec/trivy:latest 106 | steps: 107 | - name: Trivy Image Scan 108 | run: | 109 | # informational to see all issues 110 | 
trivy image --no-progress "$IMAGE" 111 | 112 | trivy_severity: 113 | name: Scan Image Action 114 | runs-on: ubuntu-latest 115 | container: aquasec/trivy:latest 116 | steps: 117 | - name: Trivy Image Scan severity exit 1 118 | if: ${{ inputs.severity || github.event.inputs.severity }} 119 | env: 120 | SEVERITY: ${{ inputs.severity || github.event.inputs.severity }} 121 | run: | 122 | # fail the pipeline if any of the issues are in $SEVERITY eg. HIGH,CRITICAL 123 | trivy image --no-progress --exit-code 1 --severity "$SEVERITY" "$IMAGE" 124 | 125 | trivy_github: 126 | name: Trivy Image GitHub Security tab 127 | runs-on: ubuntu-latest 128 | steps: 129 | - name: Run Trivy vulnerability scanner to generate sarif 130 | #if: ${{ ! ( inputs.no_sarif || github.event.inputs.sarif ) }} 131 | uses: aquasecurity/trivy-action@master 132 | with: 133 | image-ref: ${{ env.IMAGE }} 134 | #format: template 135 | #template: '@/contrib/sarif.tpl' 136 | format: sarif 137 | output: trivy-results.sarif 138 | 139 | - name: Upload Trivy sarif scan results to GitHub Security tab 140 | #if: ${{ ! 
( inputs.no_sarif || github.event.inputs.sarif ) }} 141 | uses: github/codeql-action/upload-sarif@v2 142 | with: 143 | sarif_file: trivy-results.sarif 144 | -------------------------------------------------------------------------------- /.github/workflows/unlock_branch.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2023-07-30 01:26:06 +0100 (Sun, 30 Jul 2023) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # U n l o c k B r a n c h 16 | # ============================================================================ # 17 | 18 | # Useful to implement code freezes on branches - call ad-hoc or on a recurring 'schedule' in the calling workflow 19 | # 20 | # See adjacent counterpart workflow lock_branch.yaml 21 | 22 | # XXX: Requires a PAT token to avoid this error: 23 | # 24 | # { 25 | # "message": "Resource not accessible by integration", 26 | # "documentation_url": "https://docs.github.com/rest/branches/branch-protection#update-branch-protection" 27 | # } 28 | 29 | --- 30 | name: Unlock Branch 31 | 32 | on: # yamllint disable-line rule:truthy 33 | workflow_call: 34 | inputs: 35 | branch: 36 | type: string 37 | required: true 38 | workflow_dispatch: 39 | inputs: 40 | branch: 41 | type: string 42 | required: true 43 | 44 | permissions: 45 | contents: read 46 | 47 | defaults: 48 | run: 49 | shell: bash -euxo pipefail {0} 50 | 51 | env: 52 | BRANCH: ${{ inputs.branch || github.event.inputs.branch }} 53 | REPO: ${{ github.repository }} 54 | 55 | # XXX: Requires PAT loaded to Secrets for permission 56 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} 57 | 58 | # XXX: API requires these fields 
but this is bad - sending them as null/false overwrites the branch's existing protection settings 59 | # 60 | # { 61 | # "message": "Invalid request.\n\n\"enforce_admins\", \"required_pull_request_reviews\", \"required_status_checks\", \"restrictions\" weren't supplied.", 62 | # "documentation_url": "https://docs.github.com/rest/branches/branch-protection#update-branch-protection" 63 | # } 64 | # 65 | #PAYLOAD: '{"lock_branch": true}' 66 | PAYLOAD: '{"required_status_checks": null, "enforce_admins": false, "required_pull_request_reviews": null, "restrictions": null, "lock_branch": false}' 67 | 68 | jobs: 69 | unlock_branch: 70 | name: Unlock Branch 71 | runs-on: ubuntu-latest 72 | steps: 73 | - name: Linux Release 74 | if: runner.os == 'Linux' 75 | run: | 76 | [ -e /.dockerenv ] && ls -l /.dockerenv 77 | echo 78 | cat /etc/*-release 79 | 80 | - name: Linux Hardware 81 | if: runner.os == 'Linux' 82 | run: | 83 | set +x 84 | echo -n "CPUs: " 85 | nproc 86 | echo 87 | free -g 88 | echo 89 | df -h 90 | 91 | - name: Environment 92 | run: env | sort 93 | 94 | - name: Git version 95 | run: git --version 96 | 97 | - name: Unlock Branch 98 | run: | 99 | if ! 
\ 100 | curl -sSL --fail \ 101 | -X PUT \ 102 | -H "Accept: application/vnd.github+json" \ 103 | -H "Authorization: Bearer $GITHUB_TOKEN" \ 104 | -d "$PAYLOAD" \ 105 | "https://api.github.com/repos/$REPO/branches/$BRANCH/protection"; then 106 | 107 | # re-run it without --fail so the response body, which contains the error message details, is printed and can be debugged at a glance 108 | curl -sSL \ 109 | -X PUT \ 110 | -H "Accept: application/vnd.github+json" \ 111 | -H "Authorization: Bearer $GITHUB_TOKEN" \ 112 | -d "$PAYLOAD" \ 113 | "https://api.github.com/repos/$REPO/branches/$BRANCH/protection" 114 | 115 | exit 1 116 | 117 | fi 118 | -------------------------------------------------------------------------------- /.github/workflows/url_links.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Tue Jan 18 23:31:42 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # U R L L i n k s 16 | # ============================================================================ # 17 | 18 | --- 19 | name: URL Links 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | pull_request: 27 | branches: 28 | - master 29 | - main 30 | workflow_call: 31 | inputs: 32 | url_links_ignored: 33 | type: string 34 | required: false 35 | ignore_urls_without_dots: 36 | type: string 37 | required: false 38 | # env: 39 | # type: string # pass in string in export shell format eg. 
export MYVAR=myvalue MYVAR2=myvalue2 40 | # required: false 41 | submodules: 42 | type: string 43 | required: false 44 | default: false 45 | debug: 46 | type: string 47 | required: false 48 | default: false 49 | schedule: 50 | - cron: '0 0 * * 1' 51 | 52 | permissions: 53 | contents: read 54 | 55 | defaults: 56 | run: 57 | shell: bash -euxo pipefail {0} 58 | 59 | env: 60 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 61 | 62 | jobs: 63 | check_url_links: 64 | name: Check URL Links 65 | # github.event.repository.fork isn't available in scheduled workflows 66 | # can't prevent forks of this repo, because also prevents caller workflows 67 | #if: github.repository == 'HariSekhon/Github-Actions' 68 | runs-on: ubuntu-latest 69 | container: harisekhon/bash-tools 70 | steps: 71 | - name: Linux Release 72 | if: runner.os == 'Linux' 73 | run: | 74 | [ -e /.dockerenv ] && ls -l /.dockerenv 75 | echo 76 | cat /etc/*-release 77 | 78 | - name: Linux Hardware 79 | if: runner.os == 'Linux' 80 | run: | 81 | set +x 82 | echo -n "CPUs: " 83 | nproc 84 | echo 85 | free -g 86 | echo 87 | df -h 88 | 89 | - name: Environment 90 | run: env | sort 91 | 92 | - name: Git version 93 | run: git --version 94 | 95 | - uses: actions/checkout@v3 96 | with: 97 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 98 | 99 | #- uses: actions/checkout@v3 100 | # with: 101 | # repository: HariSekhon/DevOps-Bash-tools 102 | # #ref: master # unset for default branch in case it changes in future 103 | # #submodules: recursive # don't need the submodules for just this script, save time 104 | # path: bash-tools 105 | 106 | - name: Check URL Links 107 | env: 108 | #DEBUG: 1 109 | VERBOSE: 1 110 | URL_LINKS_IGNORED: ${{ inputs.url_links_ignored }} 111 | IGNORE_URLS_WITHOUT_DOTS: ${{ inputs.ignore_urls_without_dots }} 112 | run: | 113 | # extended PATH gives option of using bash tools checkout or version from container 114 | 
export PATH="$PWD/bash-tools:$PATH" 115 | 116 | git config --global --add safe.directory "$PWD" 117 | 118 | # this is just to account for the examples in the .github/workflows/README.md in this own repo 119 | if [ -z "$URL_LINKS_IGNORED" ]; then 120 | export URL_LINKS_IGNORED=" 121 | https://semgrep.dev 122 | http://krb5server 123 | https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv 124 | https://megalinter.github.io 125 | " 126 | fi 127 | 128 | check_url_links.sh 129 | -------------------------------------------------------------------------------- /.github/workflows/validate.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # V a l i d a t i o n 16 | # ============================================================================ # 17 | 18 | --- 19 | name: Validation 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | ignore-paths: 27 | - '**/README.md' 28 | pull_request: 29 | branches: 30 | - master 31 | - main 32 | ignore-paths: 33 | - '**/README.md' 34 | workflow_call: 35 | inputs: 36 | # doesn't evaluate in time for container 37 | #docker_image_tag: 38 | # type: string 39 | # required: true 40 | # default: latest 41 | # workflow calls only permit string/boolean/number - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callinputsinput_idtype 42 | env: 43 | description: Environment variables in key=value pairs 44 | type: string # pass in string in export shell format eg. 
MYVAR=myvalue MYVAR2=myvalue2 45 | default: '' 46 | required: false 47 | submodules: 48 | type: string 49 | required: false 50 | default: recursive 51 | debug: 52 | description: Debug Mode, true or false 53 | type: string 54 | required: false 55 | default: false 56 | workflow_dispatch: 57 | inputs: 58 | submodules: 59 | type: string 60 | required: false 61 | default: recursive 62 | debug: 63 | type: boolean 64 | required: false 65 | default: false 66 | schedule: 67 | - cron: '0 0 * * 1' 68 | 69 | permissions: 70 | contents: read 71 | 72 | defaults: 73 | run: 74 | shell: bash -euxo pipefail {0} 75 | 76 | env: 77 | INPUTS: ${{ inputs.env }} 78 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 79 | 80 | jobs: 81 | validate: 82 | name: Validate 83 | # github.event.repository.fork isn't available in scheduled workflows 84 | # can't prevent forks of this repo, because also prevents caller workflows 85 | #if: github.repository == 'HariSekhon/Github-Actions' 86 | runs-on: ubuntu-latest 87 | # PyTools contains some extra tools, eg. 
use validate_yaml.py if check_yaml.sh yamllint dependencies aren't available 88 | # inputs evaluates to blank and fails to pull - not available at this stage 89 | #container: harisekhon/pytools:${{ inputs.docker_image_tag }} 90 | #container: harisekhon/pytools:debian 91 | #container: harisekhon/pytools:centos 92 | container: harisekhon/pytools:ubuntu 93 | #container: harisekhon/bash-tools:latest 94 | steps: 95 | - name: Linux Release 96 | if: runner.os == 'Linux' 97 | run: | 98 | [ -e /.dockerenv ] && ls -l /.dockerenv 99 | echo 100 | cat /etc/*-release 101 | 102 | - name: Linux Hardware 103 | if: runner.os == 'Linux' 104 | run: | 105 | set +x 106 | echo -n "CPUs: " 107 | nproc 108 | echo 109 | free -g 110 | echo 111 | df -h 112 | 113 | - name: Environment 114 | run: env | sort 115 | 116 | - name: Git version 117 | run: git --version 118 | 119 | - uses: actions/checkout@v3 120 | with: 121 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 122 | 123 | - name: Setup environment variables 124 | run: | 125 | echo "$INPUTS" >> "$GITHUB_ENV" 126 | 127 | - name: Environment 128 | run: env | sort 129 | 130 | # to work around this error: 131 | # 132 | # fatal: detected dubious ownership in repository at '/__w/DevOps-Bash-tools/DevOps-Bash-tools' 133 | # 134 | - name: Set Git Dir Safe 135 | run: git config --global --add safe.directory "$PWD" 136 | 137 | - name: Validate 138 | run: | 139 | if [ -f .validate.env ]; then 140 | source .validate.env 141 | fi 142 | check_all.sh 143 | -------------------------------------------------------------------------------- /.github/workflows/xml.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally 
send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # X M L 16 | # ============================================================================ # 17 | 18 | --- 19 | name: XML 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**/*.xml' 28 | pull_request: 29 | branches: 30 | - master 31 | - main 32 | paths: 33 | - '**/*.xml' 34 | workflow_call: 35 | inputs: 36 | submodules: 37 | type: string 38 | required: false 39 | default: recursive 40 | debug: 41 | type: string 42 | required: false 43 | default: false 44 | workflow_dispatch: 45 | inputs: 46 | submodules: 47 | type: string 48 | required: false 49 | default: recursive 50 | debug: 51 | type: boolean 52 | required: false 53 | default: false 54 | #schedule: 55 | # - cron: '0 0 * * 1' 56 | 57 | permissions: 58 | contents: read 59 | 60 | defaults: 61 | run: 62 | shell: bash -euxo pipefail {0} 63 | 64 | env: 65 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 66 | 67 | jobs: 68 | check_xml: 69 | name: Check XML 70 | # github.event.repository.fork isn't available in scheduled workflows 71 | # can't prevent forks of this repo, because also prevents caller workflows 72 | #if: github.repository == 'HariSekhon/Github-Actions' 73 | runs-on: ubuntu-latest 74 | container: harisekhon/bash-tools:latest 75 | steps: 76 | - name: Linux Release 77 | if: runner.os == 'Linux' 78 | run: | 79 | [ -e /.dockerenv ] && ls -l /.dockerenv 80 | echo 81 | cat /etc/*-release 82 | 83 | - name: Linux Hardware 84 | if: runner.os == 'Linux' 85 | run: | 86 | set +x 87 | echo -n "CPUs: " 88 | nproc 89 | echo 90 | free -g 91 | echo 92 | df -h 93 | 94 | - name: Environment 95 | run: env | sort 96 | 97 | - name: Git version 98 | run: git --version 99 | 100 | - uses: actions/checkout@v3 101 | with: 102 | submodules: ${{ 
inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 103 | 104 | - name: Check XML 105 | run: | 106 | check_xml.sh 107 | -------------------------------------------------------------------------------- /.github/workflows/yaml.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: Sat Jan 15 09:35:18 2022 +0000 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # ============================================================================ # 15 | # Y A M L 16 | # ============================================================================ # 17 | 18 | --- 19 | name: YAML 20 | 21 | on: # yamllint disable-line rule:truthy 22 | push: 23 | branches: 24 | - master 25 | - main 26 | paths: 27 | - '**/*.yml' 28 | - '**/*.yaml' 29 | pull_request: 30 | branches: 31 | - master 32 | - main 33 | paths: 34 | - '**/*.yml' 35 | - '**/*.yaml' 36 | workflow_call: 37 | inputs: 38 | submodules: 39 | type: string 40 | required: false 41 | default: recursive 42 | debug: 43 | type: string 44 | required: false 45 | default: false 46 | workflow_dispatch: 47 | inputs: 48 | submodules: 49 | type: string 50 | required: false 51 | default: recursive 52 | debug: 53 | type: boolean 54 | required: false 55 | default: false 56 | #schedule: 57 | # - cron: '0 0 * * 1' 58 | 59 | permissions: 60 | contents: read 61 | 62 | defaults: 63 | run: 64 | shell: bash -euxo pipefail {0} 65 | 66 | env: 67 | DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} 68 | 69 | jobs: 70 | check_yaml: 71 | name: Check YAML 72 | # github.event.repository.fork isn't available in scheduled workflows 73 | # can't prevent forks of this repo, because also prevents caller 
workflows 74 | #if: github.repository == 'HariSekhon/Github-Actions' 75 | runs-on: ubuntu-latest 76 | container: harisekhon/bash-tools:latest 77 | steps: 78 | - name: Linux Release 79 | if: runner.os == 'Linux' 80 | run: | 81 | [ -e /.dockerenv ] && ls -l /.dockerenv 82 | echo 83 | cat /etc/*-release 84 | 85 | - name: Linux Hardware 86 | if: runner.os == 'Linux' 87 | run: | 88 | set +x 89 | echo -n "CPUs: " 90 | nproc 91 | echo 92 | free -g 93 | echo 94 | df -h 95 | 96 | - name: Environment 97 | run: env | sort 98 | 99 | - name: Git version 100 | run: git --version 101 | 102 | - uses: actions/checkout@v3 103 | with: 104 | submodules: ${{ inputs.submodules }} # 'recursive' default requires Git 2.18+ to be installed first 105 | 106 | - name: Check YAML 107 | run: | 108 | check_yaml.sh 109 | -------------------------------------------------------------------------------- /.jscpd.json: -------------------------------------------------------------------------------- 1 | { 2 | "threshold": 0, 3 | "reporters": ["html", "markdown"], 4 | "ignore": [ 5 | "**/node_modules/**", 6 | "**/.git/**", 7 | "**/.rbenv/**", 8 | "**/.venv/**", 9 | "**/*cache*/**", 10 | "**/.github/**", 11 | "**/.idea/**", 12 | "**/report/**", 13 | "**/*.svg" 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /.mdl.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # vim:ts=4:sts=4:sw=4:et:filetype=ruby 3 | # 4 | # Author: Hari Sekhon 5 | # Date: 2024-08-22 01:58:12 +0200 (Thu, 22 Aug 2024) 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | all 17 | #exclude_rule 'MD001' 18 | #exclude_rule 'MD003' 19 | 
#exclude_rule 'MD005' 20 | exclude_rule 'MD007' # leave 2 space indentation for lists, 3 space is ugly af 21 | #exclude_rule 'MD012' 22 | exclude_rule 'MD013' # long lines cannot be split if they are URLs 23 | #exclude_rule 'MD022' 24 | #exclude_rule 'MD025' 25 | #exclude_rule 'MD031' 26 | #exclude_rule 'MD032' 27 | exclude_rule 'MD033' # inline HTML is important for formatting 28 | exclude_rule 'MD036' # emphasis used instead of header for footer Ported from lines 29 | #exclude_rule 'MD039' 30 | #exclude_rule 'MD056' 31 | -------------------------------------------------------------------------------- /.mdlrc: -------------------------------------------------------------------------------- 1 | mdlrc_dir = File.expand_path('..', __FILE__) 2 | 3 | style_file = File.join(mdlrc_dir, '.mdl.rb') 4 | 5 | style style_file 6 | -------------------------------------------------------------------------------- /.mega-linter.yml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-02-02 10:44:47 +0000 (Wed, 02 Feb 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | --- 15 | # Configuration file for MegaLinter 16 | # See all available variables at https://megalinter.github.io/configuration/ and in linters documentation 17 | 18 | APPLY_FIXES: none # all, none, or list of linter keys 19 | 20 | # ENABLE: # If you use ENABLE variable, all other languages/formats/tooling-formats will be disabled by default 21 | # ENABLE_LINTERS: # If you use ENABLE_LINTERS variable, all other linters will be disabled by default 22 | 23 | DISABLE: 24 | - SPELL_CSPELL # too many false positives on yaml files like GitHub Actions 25 | #- COPYPASTE # Uncomment to disable checks of excessive copy-pastes 
26 | #- SPELL # Uncomment to disable checks of spelling mistakes 27 | 28 | SHOW_ELAPSED_TIME: true 29 | FILEIO_REPORTER: false 30 | 31 | DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass 32 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-08-08 17:34:56 +0300 (Thu, 08 Aug 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https///github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | # ============================================================================ # 17 | # P r e - C o m m i t 18 | # ============================================================================ # 19 | 20 | --- 21 | fail_fast: false 22 | #exclude: *.tmp$ 23 | 24 | repos: 25 | 26 | # will accept anything that 'git clone' understands 27 | # this means you can set this to a local git repo to develop your own hook repos interactively 28 | - repo: https://github.com/pre-commit/pre-commit-hooks 29 | rev: v4.6.0 30 | hooks: 31 | - id: check-yaml 32 | # Common errors 33 | #- id: end-of-file-fixer # ruins .gitignore Icon\r 34 | - id: trailing-whitespace 35 | args: [--markdown-linebreak-ext=md] 36 | # Git style 37 | - id: check-added-large-files 38 | - id: check-merge-conflict 39 | - id: check-vcs-permalinks 40 | #- id: forbid-new-submodules 41 | # Cross platform 42 | - id: check-case-conflict 43 | - id: mixed-line-ending 44 | args: [--fix=lf] 45 | # Security 46 | - id: detect-aws-credentials 47 | args: ['--allow-missing-credentials'] 48 | 49 | # rewrites python files with useless changes like 
changing single quotes to double quotes 50 | #- repo: https://github.com/psf/black 51 | # rev: 24.8.0 52 | # hooks: 53 | # - id: black 54 | 55 | # Git secrets Leaks 56 | - repo: https://github.com/awslabs/git-secrets.git 57 | # the release tags for 1.2.0, 1.2.1 and 1.3.0 are broken with this error: 58 | # 59 | # /Users/hari/.cache/pre-commit/repo......./.pre-commit-hooks.yaml is not a file 60 | # 61 | rev: 5357e18 62 | hooks: 63 | - id: git-secrets 64 | 65 | - repo: https://github.com/markdownlint/markdownlint 66 | rev: v0.12.0 67 | hooks: 68 | - id: markdownlint 69 | name: Markdownlint 70 | description: Run markdownlint on your Markdown files 71 | entry: mdl 72 | args: [-s, .mdl.rb] 73 | language: ruby 74 | files: \.(md|mdown|markdown)$ 75 | -------------------------------------------------------------------------------- /.sonarlint/connectedMode.json: -------------------------------------------------------------------------------- 1 | { 2 | "sonarCloudOrganization": "harisekhon", 3 | "projectKey": "HariSekhon_GitHub-Actions" 4 | } 5 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2024-09-22 18:28:35 +0100 (Sun, 22 Sep 2024) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https///github.com/HariSekhon/GitHub-Actions 8 | # 9 | # License: see accompanying Hari Sekhon LICENSE file 10 | # 11 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 12 | # 13 | # https://www.linkedin.com/in/HariSekhon 14 | # 15 | 16 | extends: default 17 | 18 | rules: 19 | # false positive 20 | comments-indentation: disable 21 | # don't care for 'missing starting space in comment' 22 | comments: disable 23 | # don't care 24 | line-length: disable 25 | # false positive - disabled inline now 26 | #truthy: disable 27 | 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2021 Hari Sekhon 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 4 | 5 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 6 | 7 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
8 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-06-14 11:11:23 +0100 (Tue, 14 Jun 2022) 4 | # 5 | # vim:ts=4:sts=4:sw=4:noet 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | # For serious Makefiles see the DevOps Bash tools repo: 15 | # 16 | # https://github.com/HariSekhon/DevOps-Bash-tools 17 | # 18 | # Makefile 19 | # Makefile.in - generic include file with lots of Make targets 20 | 21 | 22 | # only works in GNU make - is ignored by Mac's built-in make - not portable, should avoid and call bash scripts instead 23 | #.ONESHELL: 24 | # make oneshell exit on first error 25 | #.SHELLFLAGS = -e 26 | 27 | SHELL = /usr/bin/env bash 28 | 29 | PATH := $(PATH):$(PWD)/bash-tools 30 | 31 | #RELEASE := v1 32 | 33 | .PHONY: default 34 | default: 35 | @echo "running default build:" 36 | $(MAKE) test wc 37 | 38 | #.PHONY: build 39 | #build: init 40 | # @echo "running build:" 41 | # 42 | #.PHONY: init 43 | #init: 44 | # @echo "running init:" 45 | # if type -P git; then git submodule update --init --recursive; fi 46 | # @echo 47 | 48 | .PHONY: bash-tools 49 | bash-tools: 50 | @if ! command -v check_pytools.sh; then \ 51 | curl -L https://git.io/bash-bootstrap | sh; \ 52 | fi 53 | 54 | .PHONY: test 55 | test: bash-tools 56 | @echo "running tests:" 57 | @#check_pytools.sh 58 | check_yaml.sh 59 | 60 | .PHONY: tests 61 | tests: test 62 | @: 63 | 64 | .PHONY: wc 65 | wc: 66 | git ls-files main.yaml action.yaml '.github/workflows/*.y*ml' | xargs wc 67 | 68 | #.PHONY: clean 69 | #clean: 70 | # find . 
-name '*.class' -exec rm {} \; 71 | 72 | #release: 73 | # @echo "Releasing $(RELEASE)" 74 | # git tag --force $(RELEASE) 75 | # git push --tags --force 76 | 77 | sync: 78 | . .envrc; github_repo_fork_sync.sh 79 | -------------------------------------------------------------------------------- /action.yaml: -------------------------------------------------------------------------------- 1 | # vim:ts=2:sts=2:sw=2:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: [% DATE # 2022-06-07 12:38:18 +0100 (Tue, 07 Jun 2022) %] 5 | # 6 | # [% URL # https://github.com/HariSekhon/GitHub-Actions %] 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | --- 16 | name: NAME 17 | description: DESCRIPTION 18 | 19 | # ================== 20 | inputs: 21 | debug: 22 | description: Enable Debug Mode 23 | type: boolean 24 | required: false 25 | default: false 26 | 27 | # ================== 28 | outputs: 29 | random-number: 30 | description: "Random number" 31 | value: ${{ steps.random-number-generator.outputs.random-number }} 32 | 33 | # ================== 34 | # not supported yet: 35 | # 36 | # https://github.com/github-community/community/discussions/18597 37 | # 38 | #defaults: 39 | # run: 40 | # shell: bash -euxo pipefail {0} 41 | 42 | # ================== 43 | # pick one of: 44 | # 45 | # - Composite (shell steps) 46 | # - Docker (entrypoint) 47 | # - JavaScript action (main.js) 48 | runs: 49 | 50 | # Docker Action 51 | # 52 | # Dockerfile contain something like: 53 | # 54 | # FROM alpine:3.10 55 | # COPY entrypoint.sh / 56 | # ENTRYPOINT ["/entrypoint.sh"] 57 | # XXX: Do not set USER - won't be able to access $GITHUB_WORKSPACE 58 | # XXX: Do not set WORKSPACE - will be overridden by $GITHUB_WORKSPACE 59 | # 
https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions 60 | # 61 | #using: docker 62 | #image: Dockerfile 63 | #entrypoint: /entrypoint.sh # entrypoint overrides Dockerfile's ENTRYPOINT - prefer Dockerfile 64 | #args: # args override Dockerfile's CMD - leave sensible defaults so args aren't needed 65 | # - ${{ inputs.debug }} 66 | 67 | # Composite Action 68 | using: composite 69 | steps: 70 | # has to use | format to avoid syntax error for having a colon in the message body 71 | - run: | 72 | echo "Debug mode enabled: $DEBUG" 73 | env: 74 | DEBUG: ${{ inputs.debug }} 75 | # XXX: shell is a mandatory required parameter for now: 76 | # 77 | # https://github.com/github-community/community/discussions/18597 78 | # 79 | shell: bash 80 | 81 | - id: random-number-generator 82 | run: echo "::set-output name=random-number::$(echo $RANDOM)" 83 | shell: bash 84 | 85 | - run: echo "${{ github.action_path }}" >> $GITHUB_PATH 86 | shell: bash 87 | 88 | - run: ./script.sh # in the actions repo 89 | 90 | # JavaScript Action 91 | # 92 | #using: node16 93 | #main: index.js 94 | -------------------------------------------------------------------------------- /generate-docker-tags/action.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # Author: Hari Sekhon 3 | # Date: 2022-01-27 18:38:27 +0000 (Thu, 27 Jan 2022) 4 | # 5 | # vim:ts=2:sts=2:sw=2:et 6 | # 7 | # https://github.com/HariSekhon/GitHub-Actions 8 | # 9 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback 10 | # 11 | # https://www.linkedin.com/in/HariSekhon 12 | # 13 | 14 | --- 15 | name: Generate Docker Tags 16 | description: Generates environment variables useful to use as Docker tags eg. 
BRANCH_TAG, EPOCH, DATESTAMP, TIMESTAMP 17 | 18 | #inputs: 19 | # debug: 20 | # description: Enable Debug Mode 21 | # type: boolean 22 | # required: false 23 | # default: false 24 | 25 | runs: 26 | using: "composite" 27 | steps: 28 | # branches called things like feature/dockerize need to be sanitized to pass as docker tags -> feature_dockerize 29 | - name: Generate environment variable BRANCH_TAG 30 | shell: bash 31 | env: 32 | REF_NAME: ${{ github.ref_name }} 33 | run: | 34 | BRANCH_TAG="${GITHUB_HEAD_REF:-}" 35 | BRANCH_TAG="${BRANCH_TAG:-${GITHUB_REF_NAME:-}}" 36 | BRANCH_TAG="${BRANCH_TAG:-$REF_NAME}" 37 | BRANCH_TAG="$(sed 's/[^[:alnum:]_-]/_/g' <<< "$BRANCH_TAG")" 38 | echo "BRANCH_TAG=$BRANCH_TAG" >> "$GITHUB_ENV" 39 | 40 | - name: Generate environment variable EPOCH 41 | shell: bash 42 | run: | 43 | EPOCH="$(date --utc '+%s')" 44 | echo "EPOCH=$EPOCH" >> "$GITHUB_ENV" 45 | 46 | - name: Generate environment variable DATESTAMP 47 | shell: bash 48 | run: | 49 | DATESTAMP="$(date --utc --date="@$EPOCH" '+%FT%H%M%SZ')" 50 | echo "DATESTAMP=$DATESTAMP" >> "$GITHUB_ENV" 51 | 52 | - name: Generate environment variable TIMESTAMP 53 | shell: bash 54 | run: | 55 | TIMESTAMP="$(date --utc --date="@$EPOCH" '+%F')" 56 | echo "TIMESTAMP=$TIMESTAMP" >> "$GITHUB_ENV" 57 | -------------------------------------------------------------------------------- /sonar-project.properties: -------------------------------------------------------------------------------- 1 | # vim:ts=4:sts=4:sw=4:et 2 | # 3 | # Author: Hari Sekhon 4 | # Date: 2025-02-01 23:32:57 +0700 (Sat, 01 Feb 2025) 5 | # 6 | # https///github.com/HariSekhon/GitHub-Actions 7 | # 8 | # License: see accompanying Hari Sekhon LICENSE file 9 | # 10 | # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish 11 | # 12 | # https://www.linkedin.com/in/HariSekhon 13 | # 14 | 15 | # 
============================================================================ # 16 | # S o n a r S c a n n e r P r o p e r t i e s 17 | # ============================================================================ # 18 | 19 | # https://docs.sonarqube.org/10.0/analyzing-source-code/scanners/sonarscanner/ 20 | 21 | # Generate a SONAR_TOKEN: 22 | # 23 | # https://docs.sonarqube.org/latest/user-guide/user-account/generating-and-using-tokens/ 24 | 25 | # Settings for below: 26 | # 27 | # https://docs.sonarqube.org/latest/analyzing-source-code/analysis-parameters/ 28 | 29 | # for self-hosted SonarQube, eg. on Kubernetes: 30 | # 31 | # https://github.com/HariSekhon/Kubernetes-configs 32 | # 33 | #sonar.host.url=https://sonar.domain.com 34 | 35 | # Required metadata 36 | sonar.organization=harisekhon 37 | sonar.projectName=GitHub-Actions 38 | sonar.projectKey=HariSekhon_GitHub-Actions 39 | sonar.projectVersion=1.0 40 | 41 | sonar.projectDescription=GitHub-Actions 42 | 43 | sonar.links.homepage=https://github.com/HariSekhon/GitHub-Actions 44 | sonar.links.scm=https://github.com/HariSekhon/GitHub-Actions 45 | sonar.links.issue=https://github.com/HariSekhon/GitHub-Actions/issues 46 | sonar.links.ci=https://github.com/HariSekhon/GitHub-Actions/actions 47 | 48 | # if projects have svn history you may get this error otherwise: 49 | # 50 | # ERROR: Error during SonarScanner execution 51 | # ERROR: SCM provider autodetection failed. Both git and svn claim to support this project. Please use "sonar.scm.provider" to define SCM of your project. 52 | # 53 | sonar.scm.provider=git 54 | 55 | # directories to scan (defaults to sonar-project.properties dir otherwise) 56 | sonar.sources=. 57 | 58 | #sonar.language=py 59 | 60 | sonar.sourceEncoding=UTF-8 61 | --------------------------------------------------------------------------------