diff --git a/.checkov.yml b/.checkov.yml new file mode 100644 index 0000000..f7e2b0f --- /dev/null +++ b/.checkov.yml @@ -0,0 +1,3 @@ +skip-check: + # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty + - CKV_GHA_7 diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..dd260f1 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,6 @@ +# Users referenced in this file will automatically be requested as reviewers for +# PRs that modify the given paths +# See https://help.github.com/articles/about-code-owners/, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +# All code +* @ruzickap diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..51505e7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,23 @@ +--- +name: Bug report +about: Create a report to help us improve +title: 'Bug: This is a sample issue title' +labels: bug +assignees: ruzickap + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behaviour. + +**Expected behaviour** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..ed5ca68 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml 
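Review bot: The `skip-check` entry for CKV_GHA_7 disables the check for every workflow in the repository, while only renovate.yml (added by this commit) actually declares `workflow_dispatch` inputs. A file-scoped suppression keeps the check live for workflows added later: put `# checkov:skip=CKV_GHA_7: dryRun/logLevel only steer Renovate's own run, not any build output` in renovate.yml next to the `inputs:` block and drop the global skip. If the global skip is kept, the comment above it should at least say which workflow it is there for.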
@@ -0,0 +1,8 @@ +blank_issues_enabled: false +contact_links: + - name: GitHub Actions Community Forum + url: https://github.com/orgs/community/discussions/ + about: Please ask questions about GitHub Actions here. + - name: GitHub Pages help + url: https://help.github.com/en/github/working-with-github-pages + about: GitHub Pages documentation here. diff --git a/.github/ISSUE_TEMPLATE/proposal.md b/.github/ISSUE_TEMPLATE/proposal.md new file mode 100644 index 0000000..ff78390 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/proposal.md @@ -0,0 +1,21 @@ +--- +name: Proposal +about: Suggest an idea for this project +title: 'Proposal: This is a sample title' +labels: proposal +assignees: ruzickap + +--- + +**Is your feature request related to a problem? Please describe** +A clear and concise description of what the problem is. Ex. I'm always +frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index d1f0d08..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,6 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "npm" - directory: "/" - schedule: - interval: "daily" diff --git a/.github/renovate.json5 b/.github/renovate.json5 new file mode 100644 index 0000000..1117e58 --- /dev/null +++ b/.github/renovate.json5 
@@ -0,0 +1,56 @@ +{ + $schema: "https://docs.renovatebot.com/renovate-schema.json", + extends: [ + "config:recommended", + "docker:pinDigests", + "helpers:pinGitHubActionDigestsToSemver", + "security:openssf-scorecard", + ":disableDependencyDashboard", + ":docker", + ":disableRateLimiting", + ":enableVulnerabilityAlertsWithLabel(security)", + ], + "git-submodules": { + enabled: true, + }, + labels: [ + "renovate", + "renovate/{{replace '.*/' '' depName}}", + "renovate/{{updateType}}", + ], + lockFileMaintenance: { + enabled: true, + schedule: ["before 6am on Sunday"], + }, + packageRules: [ + { + matchUpdateTypes: ["major"], + automerge: false, + }, + { + description: "Ignore frequent renovate updates", + enabled: false, + matchPackageNames: ["renovatebot/github-action"], + matchUpdateTypes: ["patch"], + }, + { + description: "Update renovatebot/github-action minor updates on Sundays", + matchPackageNames: ["renovatebot/github-action"], + matchUpdateTypes: ["minor"], + schedule: ["* * * * 0"], + }, + ], + prBodyTemplate: "{{{table}}}{{{notes}}}{{{changelogs}}}", + rebaseWhen: "behind-base-branch", + regexManagers: [ + { + extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.+)${{/if}}", + fileMatch: ["\\.ya?ml$", "\\.md$", "^Dockerfile$", "^entrypoint\\.sh$"], + matchStrings: [ + '# renovate: datasource=(?.+?) depName=(?.+?)( versioning=(?.+?))?( extractVersion=(?.+?))?( registryUrl=(?.+?))?\\s.*[=:]\\s*"?(?.+?)"?\\s', + ], + versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", + }, + ], + separateMinorPatch: true, +} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml deleted file mode 100644 index 4e8a41a..0000000 --- a/.github/workflows/dependabot-auto-merge.yml +++ /dev/null 
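Review bot: `regexManagers` is the deprecated spelling of this block; the Renovate version pinned in the workflow (renovatebot/github-action v40) expects `customManagers` with `customType: "regex"` and emits a migration warning for the old key. As rendered here the named groups in `matchStrings` read `(?.+?)` with no group name, which is not a valid pattern; presumably the `<datasource>`, `<depName>`, `<versioning>`, `<extractVersion>`, `<registryUrl>` and `<currentValue>` names were lost in rendering — confirm the committed file still carries them, since an unparseable `matchStrings` would stop the manager from matching anything.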
@@ -1,15 +0,0 @@ -name: dependabot-auto-merge - -on: - pull_request_target: - -jobs: - auto-merge: - name: Auto approve pull request, then squash and merge - runs-on: ubuntu-latest - if: github.actor == 'dependabot[bot]' - steps: - - uses: ahmadnassri/action-dependabot-auto-merge@v2 - with: - target: minor - github-token: ${{ secrets.PERSONAL_GITHUB_TOKEN_FOR_GITHUB_ACTIONS }} diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml new file mode 100644 index 0000000..e87a462 --- /dev/null +++ b/.github/workflows/links.yml @@ -0,0 +1,39 @@ +--- +name: links + +on: + workflow_dispatch: + push: + paths: + - .github/workflows/links.yml + - lychee.toml + schedule: + - cron: "0 0 * * 1" + +permissions: read-all + +jobs: + links: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup Pages + id: pages + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 + + - name: Restore lychee cache + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: .lycheecache + key: cache-lychee-${{ github.sha }} + restore-keys: cache-lychee- + + - name: Link Checker + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3 + with: + args: ". --exclude-path CHANGELOG.md ${{ steps.pages.outputs.base_url }}" + fail: true diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml deleted file mode 100644 index c05508a..0000000 --- a/.github/workflows/linter.yml +++ /dev/null 
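Review bot: `--exclude-path CHANGELOG.md` in the Link Checker step's `args` duplicates the `exclude_path` list in lychee.toml added by the same commit; keeping the exclusion in one place avoids the two drifting, i.e. `args: ". ${{ steps.pages.outputs.base_url }}"`. The `GITHUB_TOKEN` handed to lychee is read-only under `permissions: read-all` and presumably only serves to raise GitHub's API rate limit; a short comment on the `env:` line stating that would stop someone widening the permission later.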
@@ -1,50 +0,0 @@ ---- -########################### -########################### -## Linter GitHub Actions ## -########################### -########################### -name: Lint Code Base - -# -# Documentation: -# https://help.github.com/en/articles/workflow-syntax-for-github-actions -# - -############################# -# Start the job on all push # -############################# -on: - push: - branches-ignore: - - 'master' - -############### -# Set the Job # -############### -jobs: - build: - # Name the Job - name: Lint Code Base - # Set the agent to run on - runs-on: ubuntu-latest - - ################## - # Load all steps # - ################## - steps: - ########################## - # Checkout the code base # - ########################## - - name: Checkout Code - uses: actions/checkout@v2 - - ################################ - # Run Linter against code base # - ################################ - - name: Lint Code Base - uses: docker://ghcr.io/github/super-linter:slim-v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_STATES: false - FILTER_REGEX_EXCLUDE: CHANGELOG.md diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml new file mode 100644 index 0000000..f737155 --- /dev/null +++ b/.github/workflows/markdown-check.yml 
@@ -0,0 +1,53 @@ +--- +name: markdown-check + +on: + workflow_dispatch: + push: + branches-ignore: + - main + paths: + - "**.md" + - .github/workflows/markdown-check.yml + - .markdownlint.yml + - .mlc_config.json + - .spelling + +permissions: read-all + +jobs: + markdownlint-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Markdown Lint + uses: ruzickap/action-my-markdown-linter@919d3735df9bbc094d206521a774133ec8f3c4ca # v1.1.0 + with: + exclude: | + CHANGELOG.md + + markdown-link-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Link Checker + uses: ruzickap/action-my-markdown-link-checker@e7e8635735a15a86b081f8255022bcc251cc9003 # v1.2.0 + with: + exclude: | + CHANGELOG.md + + markdown-spell-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install Node.js LTS version + uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 + + - name: Install markdown-spellcheck + run: npm install -g markdown-spellcheck + + - name: Run mdspell + run: find . -type f \( -name "*.md" ! -name "CHANGELOG.md" \) -print0 | xargs -0 --max-args=1 --verbose mdspell --ignore-numbers --ignore-acronyms --report --en-gb diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml new file mode 100644 index 0000000..e6aab5f --- /dev/null +++ b/.github/workflows/mega-linter.yml 
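Review bot: `npm install -g markdown-spellcheck` in the markdown-spell-check job installs whatever version the registry serves at run time, while every action in the same workflow is pinned by commit digest; pin the package too, `run: npm install -g markdown-spellcheck@<pinned-version>`, so Renovate can track it like the actions. The preceding step is named "Install Node.js LTS version" but passes no `node-version`, so setup-node uses the runner's default; `node-version: lts/*` would make the step do what its name says.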
@@ -0,0 +1,44 @@ +--- +name: mega-linter + +on: + workflow_dispatch: + push: + branches-ignore: + - main + +permissions: read-all + +jobs: + mega-linter: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Restore lychee cache + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: .lycheecache + key: cache-lychee-${{ github.sha }} + restore-keys: cache-lychee- + + - name: Extract commands from markdown files + run: | + set -euxo pipefail + echo '#!/usr/bin/env bash' > README.sh + find . -name '*.md' -print0 | while IFS= read -r -d '' FILE; do + # Extract: ```bash ... ``` + sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh + # Extract: ```bash ... ``` + sed -n "/^ \`\`\`\(bash\|shell\)$/,/^ \`\`\`$/p" "${FILE}" | sed '/^ ```*/d; s/^ //' >> README.sh + done + ls -la README.sh + chmod a+x README.sh + + - name: 💡 MegaLinter + uses: oxsecurity/megalinter@688bc7466d7ab4faa83d614c2e6f9acf42b674dc # v7.8.0 + env: + GITHUB_COMMENT_REPORTER: false + GITHUB_STATUS_REPORTER: true + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/periodic-broken-link-checks.yml b/.github/workflows/periodic-broken-link-checks.yml deleted file mode 100644 index f7fe6f3..0000000 --- a/.github/workflows/periodic-broken-link-checks.yml +++ /dev/null 
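Review bot: `GITHUB_STATUS_REPORTER: true` on the MegaLinter step needs a token that can write commit statuses, but the workflow sets `permissions: read-all`, so the status post is likely to fail (MegaLinter tends to log this as a warning rather than failing the run, so it goes unnoticed); either add `statuses: write` at the job level or set the reporter to false. In the extraction step the two `# Extract:` comments are identical although the second `sed` handles fences indented by two spaces; `# Extract: two-space-indented ```bash ... ``` blocks` would distinguish them. The `ls -la README.sh` line is debugging output and can go once the step is trusted.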
@@ -1,30 +0,0 @@ -name: periodic-broken-link-checks - -on: - workflow_dispatch: - schedule: - - cron: '8 8 * * 2' - -jobs: - broken-link-checker: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - ref: gh-pages - - - name: Broken link checker - env: - EXCLUDE: | - github.com/ruzickap/podinfo - mylabs.dev - run: | - if [ -s CNAME ]; then - INPUT_URL="https://$(cat CNAME)" - else - INPUT_URL="https://${GITHUB_REPOSITORY%/*}.github.io/${GITHUB_REPOSITORY##*/}" - fi - export INPUT_URL - INPUT_CMD_PARAMS="--buffer-size=8192 --max-connections=10 --color=always --exclude=($( echo "${EXCLUDE}" | tr '\n' '|' ))" - export INPUT_CMD_PARAMS - wget -qO- https://raw.githubusercontent.com/ruzickap/action-my-broken-link-checker/v2/entrypoint.sh | bash diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 0000000..89a0688 --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,20 @@ +--- +name: release-please + +on: + workflow_dispatch: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # v4.0.2 + with: + release-type: simple diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml new file mode 100644 index 0000000..1e3f609 --- /dev/null +++ b/.github/workflows/renovate.yml 
@@ -0,0 +1,61 @@ +--- +name: renovate + +on: + workflow_dispatch: + inputs: + dryRun: + type: boolean + description: "Dry-Run" + logLevel: + type: choice + description: "Log-Level" + default: debug + options: + - info + - debug + - trace + push: + branches: + - main + - "!renovate/*" + schedule: + - cron: "0 0,2,4 * * 0" + +env: + # https://docs.renovatebot.com/troubleshooting/#log-debug-levels + LOG_LEVEL: "${{ inputs.logLevel || 'debug' }}" + # https://docs.renovatebot.com/self-hosted-configuration/#repositories + RENOVATE_REPOSITORIES: ${{ github.repository }} + # https://docs.renovatebot.com/self-hosted-configuration/#username + RENOVATE_USERNAME: ${{ github.repository_owner }} + # https://docs.renovatebot.com/configuration-options/#platformcommit + RENOVATE_PLATFORM_COMMIT: "true" + # https://docs.renovatebot.com/self-hosted-configuration/#dryrun + # Run renovate in dry-run mode if executed in branches other than main - prevents versions in PRs/branches from being updated + RENOVATE_DRY_RUN: "${{ inputs.dryRun || ( github.head_ref || github.ref_name ) != 'main' || false }}" + # Renovate Automerge + RENOVATE_AUTOMERGE_TYPE: "branch" + RENOVATE_AUTOMERGE: "true" + +permissions: read-all + +jobs: + renovate: + runs-on: ubuntu-latest + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: actions/create-github-app-token@f4c6bf6752984b3a29fcc135a5e70eb792c40c6b # v1.8.0 + id: app-token + with: + app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }} + private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}" + + - name: 💡 Self-hosted Renovate + uses: renovatebot/github-action@42c1d3cb1d1ca891765626ba71cdff5e757258de # v40.0.2 + with: + token: "${{ steps.app-token.outputs.token }}" diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml new file mode 100644 index 0000000..fbaa8d1 --- /dev/null 
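Review bot: `RENOVATE_DRY_RUN` is built from a boolean expression and therefore ends up as the string `"true"` or `"false"`, whereas the `dryRun` option is documented with the string values `extract`, `lookup` and `full` (unset for a real run); current Renovate appears to migrate the boolean spellings with a warning, so making it explicit avoids relying on that: `RENOVATE_DRY_RUN: "${{ (inputs.dryRun || (github.head_ref || github.ref_name) != 'main') && 'full' || '' }}"`. In `push.branches`, `"!renovate/*"` listed after `main` excludes nothing, since `main` is the only pattern that includes anything. The job-level `permissions: read-all` is correct because the App token from `create-github-app-token` carries the write scopes; a comment saying so on the `permissions:` line would keep it from being "fixed".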
+++ b/.github/workflows/semantic-pull-request.yml @@ -0,0 +1,20 @@ +--- +name: semantic-pull-request + +on: + pull_request_target: + types: + - opened + - edited + - synchronize + +permissions: + pull-requests: read + +jobs: + semantic-pull-request: + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml deleted file mode 100644 index 9873376..0000000 --- a/.github/workflows/shellcheck.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: shellcheck - -on: - pull_request: - types: [opened, synchronize] - paths: - - '**.sh' - - .github/workflows/shellcheck.yml - push: - branches: - - master - paths: - - '**.sh' - - .github/workflows/shellcheck.yml - -jobs: - shellcheck-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Lint check - uses: azohra/shell-linter@v0.4.0 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 0000000..1c370eb --- /dev/null +++ b/.github/workflows/stale.yml 
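Review bot: `pull_request_target` runs with the base repository's secrets on pull requests from forks, which is only safe here because no step checks out or executes code from the PR head; that reasoning belongs on the trigger so a later edit does not add an `actions/checkout` of the PR ref: `# pull_request_target: no PR code is checked out or run in this workflow - keep it that way`. `permissions: pull-requests: read` appears to be the minimum the action needs to read the PR title, which matches.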
@@ -0,0 +1,33 @@ +--- +name: stale + +on: + schedule: + - cron: "30 1 * * *" + +permissions: + issues: write + pull-requests: write + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + with: + close-issue-message: | + This issue has not seen any activity since it was marked stale. + Closing. + close-pr-message: | + This pull request has not seen any activity since it was marked stale. + Closing. + exempt-issue-labels: good-first-issue,need-help,no-stale,pinned,security + exempt-pr-labels: "autorelease: pending,good-first-issue,need-help,no-stale,pinned,security" + stale-issue-label: stale + stale-issue-message: | + This issue is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days + stale-pr-label: stale + stale-pr-message: | + This PR is stale because it has been open 60 days with no activity. + Remove stale label or comment or this will be closed in 7 days. diff --git a/.github/workflows/vuepress-build-check-deploy.yml b/.github/workflows/vuepress-build-check-deploy.yml deleted file mode 100644 index 48026eb..0000000 --- a/.github/workflows/vuepress-build-check-deploy.yml +++ /dev/null 
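Review bot: The stale messages hard-code "60 days" and "7 days" but the step relies on actions/stale's defaults for `days-before-stale` and `days-before-close`, so a future bump of the pinned action could change the timing while the text stays the same; set `days-before-stale: 60` and `days-before-close: 7` explicitly under `with:`. The issue and PR messages also differ in trailing punctuation (`...closed in 7 days` vs `...closed in 7 days.`), and `|` keeps a trailing newline on every message where `|-` would not.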
@@ -1,86 +0,0 @@ -name: vuepress-build-check-deploy - -on: - pull_request: - types: [opened, synchronize] - paths: - - .github/workflows/vuepress-build-check-deploy.yml - - docs/** - - .markdownlint.yml - - .spelling - - package.json - - package-lock.json - push: - branches: - - master - paths: - - .github/workflows/vuepress-build-check-deploy.yml - - docs/** - - .markdownlint.yml - - .spelling - - package.json - - package-lock.json - -jobs: - markdownlint-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Markdown Lint - uses: ruzickap/action-my-markdown-linter@v1 - with: - exclude: | - CHANGELOG.md - - markdown-spell-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: Install Node.js 12 - uses: actions/setup-node@v2 - with: - node-version: 12.x - - - name: Install markdown-spellcheck - run: npm install -g markdown-spellcheck - - - name: Run mdspell - run: find . -type f \( -name "*.md" ! -name "CHANGELOG.md" \) -print0 | xargs -0 --max-args=1 --verbose mdspell --ignore-numbers --ignore-acronyms --report --en-gb - - vuepress-build-check-deploy: - runs-on: ubuntu-latest - needs: - - markdownlint-check - - markdown-spell-check - steps: - - uses: actions/checkout@v2 - - - name: Install Node.js 12 - uses: actions/setup-node@v2 - with: - node-version: 12.x - - - name: Install VuePress and build the document - run: | - npm install - npm run build - cp LICENSE docs/.vuepress/dist - sed -e "s@(part-@(https://github.com/${{ github.repository }}/tree/master/docs/part-@" -e 's@.\/.vuepress\/public\/@./@' docs/README.md > docs/.vuepress/dist/README.md - ln -s docs/.vuepress/dist ${{ github.event.repository.name }} - - - name: Check broken links - uses: ruzickap/action-my-broken-link-checker@v2 - with: - url: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }} - pages_path: . 
- cmd_params: '--exclude=(mylabs.dev|https://github.com/ruzickap/podinfo/|https://docs.github.com/) --max-connections-per-host=5 --color=always --rate-limit=5 --timeout=20 --header="User-Agent:curl/7.54.0" --skip-tls-verification' - - - name: Deploy - uses: peaceiris/actions-gh-pages@v3 - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./docs/.vuepress/dist - force_orphan: true diff --git a/.github/workflows/vuepress-build.yml b/.github/workflows/vuepress-build.yml new file mode 100644 index 0000000..f675737 --- /dev/null +++ b/.github/workflows/vuepress-build.yml 
@@ -0,0 +1,54 @@ +--- +name: vuepress-build + +on: + workflow_dispatch: + push: + paths: + - .github/workflows/vuepress-build.yml + - docs/** + - package.json + - package-lock.json + +permissions: + contents: write + +jobs: + vuepress-build: + runs-on: ubuntu-latest + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install Node.js + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + with: + node-version: 16.x + + - name: Install VuePress and build the document + run: | + npm install + npm run build + cp LICENSE docs/.vuepress/dist + sed -e "s@(part-@(https://github.com/${{ github.repository }}/tree/main/docs/part-@" -e 's@.\/.vuepress\/public\/@./@' docs/README.md > docs/.vuepress/dist/README.md + ln -s docs/.vuepress/dist ${{ github.event.repository.name }} + + - name: Setup Pages + id: pages + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 + + - name: Check broken links + uses: ruzickap/action-my-broken-link-checker@a0895a4cda23b5c90999cb9d3c8a8f44d8a8980d # v2.5.0 + with: + url: ${{ steps.pages.outputs.base_url }} + pages_path: . + cmd_params: '--exclude=(mylabs.dev|localhost) --buffer-size=8192 --max-connections-per-host=5 --color=always --rate-limit=5 --header="User-Agent:Mozilla" --skip-tls-verification' + + - name: Deploy + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 + if: ${{ github.ref == 'refs/heads/main' }} + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_dir: ./docs/.vuepress/dist + force_orphan: true diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml deleted file mode 100644 index bd82e37..0000000 --- a/.github/workflows/yamllint.yml +++ /dev/null 
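Review bot: The workflow grants `contents: write` to every step on every branch push, and `actions/checkout` persists the GITHUB_TOKEN in `.git/config` by default, so `npm install` (and any install-time script of a transitive dependency) runs with a token that can push to the repository; add `persist-credentials: false` under the checkout step's `with:` (the Deploy step receives the token explicitly via `github_token`) and prefer `npm ci`, which honours the package-lock.json the trigger already watches. `node-version: 16.x` is past end of life. `--skip-tls-verification` in `cmd_params` disables certificate validation for every checked URL; if it is needed for the freshly published Pages site, a comment saying so would justify it.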
@@ -1,23 +0,0 @@ -name: yamllint - -on: - pull_request: - types: [opened, synchronize] - paths: - - '**.yml' - - '**.yaml' - push: - branches: - - master - paths: - - '**.yml' - - '**.yaml' - -jobs: - yamllint-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - - name: yamllint - uses: ibiqlik/action-yamllint@v3 diff --git a/.gitignore b/.gitignore index 5fa956e..6b47d60 100644 --- a/.gitignore +++ b/.gitignore @@ -1,17 +1,8 @@ # pre-commit configuration file .pre-commit-config.yaml -# release-it configuration file -.release-it.yml - -# demo-magic.sh script -demo-magic.sh - # Kubernetes kubeconfig file -kubeconfig.conf - -# README.sh script -README.sh +kubeconfig*.conf* # Vuepress Pages docs/.vuepress/dist @@ -21,3 +12,17 @@ tmp/ # Node modules node_modules/ + +# README.sh script +README.sh + +# demo-magic.sh script +demo-magic.sh + +# Terraform files +.terraform* +*.tfstate* +crash.log + +# nohup output +nohup.out diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 0000000..0a05081 --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,13 @@ +ignore: + # glob-parent 3.1.0 5.1.2 npm GHSA-ww39-953v-wcq6 High + - vulnerability: GHSA-ww39-953v-wcq6 + # json5 0.5.1 1.0.2 npm GHSA-9c47-m6qq-7p4h High + - vulnerability: GHSA-9c47-m6qq-7p4h + # loader-utils 0.2.17 1.4.1 npm GHSA-76p3-8jx3-jpfq Critical + - vulnerability: GHSA-76p3-8jx3-jpfq + # node-forge 0.10.0 1.3.0 npm GHSA-cfm4-qjh2-4765 High + - vulnerability: GHSA-cfm4-qjh2-4765 + # node-forge 0.10.0 1.3.0 npm GHSA-x4jg-mjrx-434g High + - vulnerability: GHSA-x4jg-mjrx-434g + # nth-check 1.0.2 2.0.1 npm GHSA-rp65-9cf3-cjxr High + - vulnerability: GHSA-rp65-9cf3-cjxr diff --git a/.lycheeignore b/.lycheeignore new file mode 100644 index 0000000..44bd86f --- /dev/null +++ b/.lycheeignore @@ -0,0 +1 @@ +mylabs.dev diff --git a/.mega-linter.yml b/.mega-linter.yml new file mode 100644 index 0000000..24bf598 --- /dev/null +++ b/.mega-linter.yml 
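Review bot: Each `ignore` entry in .grype.yaml suppresses its advisory repository-wide and permanently, although the comments record a fixed version for all six (e.g. loader-utils 1.4.1 for the Critical GHSA-76p3-8jx3-jpfq); note next to each entry why the upgrade cannot be applied (presumably the VuePress dependency tree — confirm), and scope the ignore to the package, e.g. `- vulnerability: GHSA-76p3-8jx3-jpfq` with `package: {name: loader-utils}`, so a second package hit by the same advisory is still reported.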
@@ -0,0 +1,43 @@ +# Configuration file for MegaLinter +# See all available variables at https://megalinter.io/latest/configuration/ and in linters documentation + +BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects + +DISABLE_LINTERS: + - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead + - SPELL_CSPELL + - TERRAFORM_TERRASCAN # Hard to configure - no documentation of the config file + +# Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL +EMAIL_REPORTER: false + +FAIL_IF_MISSING_LINTER_IN_FLAVOR: true + +FILTER_REGEX_EXCLUDE: CHANGELOG.md + +FORMATTERS_DISABLE_ERRORS: false + +MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml +MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: CHANGELOG.md + +# Remove initial MegaLinter graphic +PRINT_ALPACA: false + +# Disable creating report directory +REPORT_OUTPUT_FOLDER: none + +REPOSITORY_CHECKOV_ARGUMENTS: --quiet + +# Do not leave debug code in production, Insecure URL +REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138 + +REPOSITORY_KICS_ARGUMENTS: --fail-on high + +REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL + +TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: + - GITHUB_TOKEN + +TYPESCRIPT_PRETTIER_ARGUMENTS: --html-whitespace-sensitivity=ignore + +VALIDATE_ALL_CODEBASE: true diff --git a/.mlc_config.json b/.mlc_config.json new file mode 100644 index 0000000..06247a4 --- /dev/null +++ b/.mlc_config.json @@ -0,0 +1,10 @@ +{ + "ignorePatterns": [ + { + "pattern": "(http|https)://.*mylabs.dev" + }, + { + "pattern": "(http|https)://localhost" + } + ] +} diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..f57bac4 --- /dev/null +++ b/.trivyignore.yaml 
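Review bot: `TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES` hands `GITHUB_TOKEN` to the tflint container, presumably so plugin downloads from GitHub are not rate-limited, but the reason is not recorded; `# GITHUB_TOKEN is passed so tflint can fetch plugins from GitHub without hitting API rate limits` above the key would do. The DevSkim comment names two rules in one phrase; mapping them onto the ids, `# DS162092 = "Do not leave debug code in production", DS137138 = "Insecure URL"` (in the order given — confirm), makes the suppression auditable. `SPELL_CSPELL` is the only disabled linter without a reason comment.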
@@ -0,0 +1,15 @@ +vulnerabilities: + # │ glob-parent │ CVE-2020-28469 │ HIGH │ fixed │ 3.1.0 │ 5.1.2 │ Regular expression denial of service │ + - id: CVE-2020-28469 + # │ json5 │ CVE-2022-46175 │ HIGH │ fixed │ 0.5.1 │ 2.2.2, 1.0.2 │ json5: Prototype Pollution in JSON5 via Parse Method │ + - id: CVE-2022-46175 + # │ loader-utils │ CVE-2022-37601 │ CRITICAL │ fixed │ 0.2.17 │ 2.0.3, 1.4.1 │ loader-utils: prototype pollution in function parseQuery in │ + - id: CVE-2022-37601 + # │ node-forge │ CVE-2022-24771 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification leniency in checking │ + - id: CVE-2022-24771 + # │ node-forge │ CVE-2022-24772 │ HIGH │ fixed │ 0.10.0 │ 1.3.0 │ node-forge: Signature verification failing to check tailing │ + - id: CVE-2022-24772 + # │ nth-check │ CVE-2021-3803 │ HIGH │ fixed │ 1.0.2 │ 2.0.1 │ inefficient regular expression complexity │ + - id: CVE-2021-3803 + # | ip │ CVE-2023-42282 │ HIGH │ affected │ 1.1.8 │ │ An issue in NPM IP Package v.1.1.8 and before allows an │ + - id: CVE-2023-42282 diff --git a/.yamllint.yml b/.yamllint.yml deleted file mode 100644 index 7b6077b..0000000 --- a/.yamllint.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# https://yamllint.readthedocs.io/en/stable/configuration.html -extends: default - -# https://yamllint.readthedocs.io/en/stable/rules.html -rules: - # 80 chars should be enough, but don't fail if a line is longer - line-length: - max: 80 - level: warning diff --git a/docs/README.md b/docs/README.md index 352bf20..5b83b9f 100644 --- a/docs/README.md +++ b/docs/README.md 
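Review bot: Six of the seven ignored findings are marked `fixed` in their own comments, including the CRITICAL CVE-2022-37601, yet every `- id:` entry is open-ended; Trivy's YAML ignore file accepts `statement` and `expired_at` per entry, so record the acceptance reason and a review date, e.g. `- id: CVE-2022-37601` followed by `statement: "<why the fix cannot be applied>"` and `expired_at: <YYYY-MM-DD>`. The ip entry (CVE-2023-42282) is the only one still `affected` with no fixed version, so it is the one that genuinely needs an ignore rather than an upgrade.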
@@ -1,6 +1,6 @@ # Kubernetes + Knative + GitLab + Harbor -[![Build Status](https://github.com/ruzickap/k8s-knative-gitlab-harbor/workflows/vuepress-build-check-deploy/badge.svg)](https://github.com/ruzickap/k8s-knative-gitlab-harbor) +[![Build Status](https://github.com/ruzickap/k8s-knative-gitlab-harbor/workflows/vuepress-build/badge.svg)](https://github.com/ruzickap/k8s-knative-gitlab-harbor) * Demo GitHub repository: [https://github.com/ruzickap/k8s-knative-gitlab-harbor](https://github.com/ruzickap/k8s-knative-gitlab-harbor) * Demo Web Pages: [https://ruzickap.github.io/k8s-knative-gitlab-harbor](https://ruzickap.github.io/k8s-knative-gitlab-harbor) diff --git a/lychee.toml b/lychee.toml new file mode 100644 index 0000000..7fd4af5 --- /dev/null +++ b/lychee.toml 
@@ -0,0 +1,42 @@ +# https://lychee.cli.rs/#/usage/config + +############################# Cache ############################### + +# Enable link caching. This can be helpful to avoid checking the same links on +# multiple runs +cache = true + +# Discard all cached requests older than this duration +max_cache_age = "1d" + +############################# Runtime ############################# + +# Maximum number of concurrent link checks +max_concurrency = 128 + +############################# Requests ############################ + +# Comma-separated list of accepted status codes for valid links. +accept = [999] + +############################# Exclusions ########################## + +# Exclude URLs and mail addresses from checking (supports regex) +exclude = [ + # Ignore all URLs with '$' - BASH variable in URL + '\$', + # Ignore all URLs with '{ ... }' - BASH / Ansible variable in URL + '%7B.*%7D', + # Ignore all URLs which starts with 'file://' + 'file://' +] + +# Exclude these filesystem paths from getting checked +exclude_path = [ + "CHANGELOG.md", +] + +# Exclude all private IPs from checking. +# Equivalent to setting `exclude_private`, `exclude_link_local`, and +# `exclude_loopback` to true +exclude_all_private = true
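Review bot: `accept = [999]` should be checked against the pinned lychee version's semantics: if `accept` replaces the default 100-103/200-299 set rather than extending it, every ordinary 200 response becomes a failure and only status 999 passes; an explicit list such as `accept = [200, 999]` (adjusted to the real default set) removes the ambiguity, and the comment above should say which site returns 999. `max_concurrency = 128` is far more aggressive than the `--max-connections-per-host=5 --rate-limit=5` the VuePress workflow uses against the same pages; a comment on why the two checkers differ would help.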