diff --git a/.github/actions/spell-check/README.md b/.github/actions/spell-check/README.md new file mode 100644 index 0000000..d82bed7 --- /dev/null +++ b/.github/actions/spell-check/README.md @@ -0,0 +1,16 @@ +# check-spelling/check-spelling configuration + +File | Purpose | Format | Info +-|-|-|- +[dictionary.txt](dictionary.txt) | Replacement dictionary (creating this file will override the default dictionary) | one word per line | [dictionary](https://github.com/check-spelling/check-spelling/wiki/Configuration#dictionary) +[allow.txt](allow.txt) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow) +[reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject) +[excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes) +[only.txt](only.txt) | Only check matching files (applied after excludes) | perl regular expression | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only) +[patterns.txt](patterns.txt) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) +[line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) +[expect.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect) +[advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice) + +Note: you can replace any of these files with a directory by the same name (minus the suffix) +and then include multiple files inside that directory (with that suffix) to merge multiple files together. diff --git a/.github/actions/spell-check/advice.md b/.github/actions/spell-check/advice.md new file mode 100644 index 0000000..54f0c9b --- /dev/null +++ b/.github/actions/spell-check/advice.md @@ -0,0 +1,25 @@ + +
If the flagged items are false positives + +If items relate to a ... +* binary file (or some other file you wouldn't want to check at all). + + Please add a file path to the `excludes.txt` file matching the containing file. + + File paths are Perl 5 Regular Expressions - you can [test]( +https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files. + + `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude [README.md]( +../tree/HEAD/README.md) (on whichever branch you're using). + +* well-formed pattern. + + If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it, + try adding it to the `patterns.txt` file. + + Patterns are Perl 5 Regular Expressions - you can [test]( +https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines. + + Note that patterns can't match multiline strings. + +
diff --git a/.github/actions/spell-check/allow.txt b/.github/actions/spell-check/allow.txt new file mode 100644 index 0000000..494d4de --- /dev/null +++ b/.github/actions/spell-check/allow.txt @@ -0,0 +1,4 @@ +github +https +ssh +ubuntu diff --git a/.github/actions/spell-check/excludes.txt b/.github/actions/spell-check/excludes.txt index 573a76d..ade36ec 100644 --- a/.github/actions/spell-check/excludes.txt +++ b/.github/actions/spell-check/excludes.txt @@ -1,6 +1,58 @@ -^\.github/workflows/ -^\.github/actions/spell-check/ -^go\.(?:mod|sum)$ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes +(?:^|/)(?i)COPYRIGHT +(?:^|/)(?i)LICEN[CS]E +(?:^|/)go\.sum$ +(?:^|/)package(?:-lock|)\.json$ +(?:^|/)vendor/ ignore$ +\.a$ +\.ai$ +\.avi$ +\.bmp$ +\.bz2$ +\.crt$ +\.dll$ +\.docx?$ +\.drawio$ +\.DS_Store$ +\.eot$ +\.exe$ +\.gif$ +\.gitattributes$ +\.graffle$ +\.gz$ +\.icns$ +\.ico$ +\.jar$ +\.jpe?g$ +\.key$ +\.lib$ \.env \.lock$ +\.map$ +\.min\.. +\.mod$ +\.mp[34]$ +\.o$ +\.ocf$ +\.otf$ +\.pdf$ +\.pem$ +\.png$ +\.psd$ +\.s$ +\.svg$ +\.tar$ +\.tiff?$ +\.ttf$ +\.wav$ +\.webm$ +\.webp$ +\.woff2?$ +\.zip$ +^\.github/actions/spelling/ +^\.github/actions/spell-check/ +^go\.sum$ +^\Q.github/workflows/spelling.yml\E$ +^\Qdeploy/kubernetes/secrets.development.env\E$ +^\QGemfile\E$ diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index e606cc5..cb109c5 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -1,128 +1,50 @@ -acl -acm -addons adduser -afbb AKS -amazonaws -api apparmor -args asn -attrs automount autorun -aws awslogs awsvpc -backend -blog brrrr -buf bugsnag -CGO -charset -chown -chr -ci -cidr cidrsubnet Cleanuper -cloudfront -cloudwatch coc -codebase concat -config contacttracing -CORS covidshield -CSRF -ctx datenumber -datetime dbconn -dddcd -deadbeefcafe -dependabot deregistration developerguide -dns Dockerhub -dsa -dst -eaa -eb -ecdsa -ece -ecr -ecs eip -Ej -ek -elasticloadbalancing -endian -enexposureconfiguration -ENTRYPOINT -enum enummodule esac -exposurenotification extendee fargate -fbeb -fcac -ffee -ffeec -foreach -Fprintf -fqdn -frontend -func -gc +fqdns gcflags -GCP gecos -Gemfile genmain -Getenv getopts -gh -github GKE -GNJo gnumake gochecknoglobals goerr GOFILES -golang golangci GOLDFLAGS google -gopkg gopsutil gosec -grpc -GZIP hadolint hashicorp hdr hexdigest -hmac -homepage -hostname -html -http -httptrace -iam Idxs -ioutil -ip -ipv -Itoa -javascript -jq -json +ints kcq kcr kcre @@ -132,60 +54,35 @@ kubectl kubernetes kwargs ldflags -len libprotoc libsodium -lifecycle -linux lll -localhost -lockfile logrus mcc -metadata metricstdout -mgo -microsoft -Middleware minikube -minitest -mkdir mnc mozilla -mprotoc -mrm msgclass myshopify -mysql mysqladmin -nacl -namespace namespacing natgw -nginx nixpkgs nkeys nolint nologin nosniff -omitempty opc openshift -openssl opentelemetry OPTARG OPTIND otel -passwd patsubst -pb -php -pid PKey -plugin +plugins podsecuritypolicies -Printf -Println Procfile protobuf protoc @@ -193,29 +90,15 @@ protoimpl protoreflect psps ptypes -pv qqqqwwww railgun -rb -rbac rbnacl -rds -README -Referer -regexp repudiability roundtrip rsin -rsn -rubygems -rubyzip -sbin -sdk sdktrace seccomp -secretsmanager securerandom -Serverless serviceaccounts servlet seu @@ -226,71 +109,35 @@ sirupsen SMALLINT sni sourced -Sprintf -sql -src srvutil -ssl -stderr -stdout -strconv -strftime stringio -sts -svg Syncer tcp tek tempfile terraform -tf tfplan tfstate tfvars thisisatoken timemath -TLS -TLSv -tmp -TODO tracerstdout triaging trimpath -ttl -ubuntu -uid -uint ulimits -uniq -Unmarshal unmarshall unmarshalling -uri -url usedpercent -username usr utc utf -UUID -validator VARCHAR varint vendored -vm -vpc wafregional waitpid -wiki WORKDIR -workflow wsl -www -XPOST XSalsa -yaml yarnpkg -yml -youtube -yp zipw diff --git a/.github/actions/spell-check/line_forbidden.patterns b/.github/actions/spell-check/line_forbidden.patterns new file mode 100644 index 0000000..58e9252 --- /dev/null +++ b/.github/actions/spell-check/line_forbidden.patterns @@ -0,0 +1,56 @@ +# reject `m_data` as there's a certain OS which has evil defines that break things if it's used elsewhere +# \bm_data\b + +# If you have a framework that uses `it()` for testing and `fit()` for debugging a specific test, +# you might not want to check in code where you were debugging w/ `fit()`, in which case, you might want +# to use this: +#\bfit\( + +# s.b. GitHub +\bGithub\b + +# s.b. GitLab +\bGitlab\b + +# s.b. JavaScript +\bJavascript\b + +# s.b. Microsoft +\bMicroSoft\b + +# s.b. another +\ban[- ]other\b + +# s.b. greater than +\bgreater then\b + +# s.b. into +\bin to\b + +# s.b. less than +\bless then\b + +# s.b. otherwise +\bother[- ]wise\b + +# s.b. nonexistent +\bnon existing\b +\b[Nn]o[nt][- ]existent\b + +# s.b. preexisting +[Pp]re-existing + +# s.b. preempt +[Pp]re-empt\b + +# s.b. preemptively +[Pp]re-emptively + +# s.b. reentrancy +[Rr]e-entrancy + +# s.b. reentrant +[Rr]e-entrant + +# Reject duplicate words +\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s diff --git a/.github/actions/spell-check/patterns.txt b/.github/actions/spell-check/patterns.txt index 8f1dde6..b409522 100644 --- a/.github/actions/spell-check/patterns.txt +++ b/.github/actions/spell-check/patterns.txt @@ -1,2 +1,59 @@ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns + (?:0[Xx]|U\+|#)[a-f0-9A-FGgRr]{2,}[Uu]?[Ll]{0,2}\b -\b([A-Za-z])\1{3,}\b + +# Automatically suggested patterns +# hit-count: 25 file-count: 1 +# ANSI color codes +(?:\\(?:u00|x)1b|\x1b)\[\d+(?:;\d+|)m + +# hit-count: 14 file-count: 7 +# hex runs +\b[0-9a-fA-F]{16,}\b + +# hit-count: 11 file-count: 3 +# Amazon +\bamazon\.com/[-\w]+/(?:dp/[0-9A-Z]+|) + +# hit-count: 3 file-count: 3 +# curl arguments +\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)* + +# hit-count: 3 file-count: 1 +# version suffix v# +(?:(?<=[A-Z]{2})V|(?<=[a-z]{2}|[A-Z]{2})v)\d+(?:\b|(?=[a-zA-Z_])) + +# hit-count: 2 file-count: 2 +# apple +\bdeveloper\.apple\.com/[-\w?=/]+ + +# hit-count: 2 file-count: 2 +# GitHub SHAs (markdown) +(?:\[`?[0-9a-f]+`?\]\(https:/|)/(?:www\.|)github\.com(?:/[^/\s"]+){2,}(?:/[^/\s")]+)(?:[0-9a-f]+(?:[-0-9a-zA-Z/#.]*|)\b|) + +# hit-count: 1 file-count: 1 +# While you could try to match `http://` and `https://` by using `s?` in `https?://`, sometimes there +# YouTube url +\b(?:(?:www\.|)youtube\.com|youtu.be)/(?:channel/|embed/|user/|playlist\?list=|watch\?v=|v/|)[-a-zA-Z0-9?&=_]* + +# hit-count: 1 file-count: 1 +# While you could try to match `http://` and `https://` by using `s?` in `https?://`, sometimes there +# YouTube url +\b(?:(?:www\.|)youtube\.com|youtu.be)/(?:channel/|embed/|user/|playlist\?list=|watch\?v=|v/|)[-a-zA-Z0-9?&=_]* + +# acceptable duplicates +# ls directory listings +[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+ +# C types +\s(long|LONG) \g{-1}\s +# javadoc / .net +(?:[\\@](?:groupname|param)|(?:public|private)(?:\s+static|\s+readonly)*)\s+(\w+)\s+\g{-1}\s + +# Commit message -- Signed-off-by and friends +^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$ + +# Autogenerated revert commit message +^This reverts commit [0-9a-f]{40}\.$ + +# ignore long runs of a single character: +\b([A-Za-z])\g{-1}{3,}\b diff --git a/.github/actions/spell-check/reject.txt b/.github/actions/spell-check/reject.txt new file mode 100644 index 0000000..b5a6d36 --- /dev/null +++ b/.github/actions/spell-check/reject.txt @@ -0,0 +1,10 @@ +^attache$ +benefitting +occurences? +^dependan.* +^oer$ +Sorce +^[Ss]pae.* +^untill$ +^untilling$ +^wether.* diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index 892e411..0091f55 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml @@ -1,26 +1,83 @@ name: Spell checking + +# Updating pull request branches is managed via comment handling. +# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list +# +# These elements work together to make it happen: +# +# `on.issue_comment` +# This event listens to comments by users asking to update the metadata. +# +# `jobs.update` +# This job runs in response to an issue_comment and will push a new commit +# to update the spelling metadata. +# +# `with.experimental_apply_changes_via_bot` +# Tells the action to support and generate messages that enable it +# to make a commit to update the spelling metadata. +# +# `with.ssh_key` +# In order to trigger workflows when the commit is made, you can provide a +# secret (typically, a write-enabled github deploy key). +# +# For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key + on: - pull_request: - branches: - - "**" - tags-ignore: - - "**" push: - branches: - - "**" - tags-ignore: - - "**" + branches: ["**"] + tags-ignore: ["**"] + pull_request_target: jobs: - build: - name: Spell checking + spelling: + name: Check Spelling + permissions: + contents: read + pull-requests: read + actions: read + outputs: + followup: ${{ steps.spelling.outputs.followup }} + runs-on: ubuntu-latest + if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'" + concurrency: + group: spelling-${{ github.event.pull_request.number || github.ref }} + # note: If you use only_check_changed_files, you do not want cancel-in-progress + cancel-in-progress: true + steps: + - name: check-spelling + id: spelling + uses: check-spelling/check-spelling@v0.0.20 + with: + config: .github/actions/spell-check + suppress_push_for_open_pull_request: 1 + checkout: true + post_comment: 0 + experimental_apply_changes_via_bot: 1 + dictionary_source_prefixes: '{"cspell": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220427/dictionaries/", "cspell1": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220814/dictionaries/"}' + extra_dictionaries: + cspell1:software-terms/src/software-terms.txt + cspell:aws/aws.txt + cspell:node/node.txt + cspell:php/php.txt + cspell:golang/go.txt + cspell:npm/npm.txt + cspell:ruby/ruby.txt + cspell:html/html.txt + cspell:filetypes/filetypes.txt + check_extra_dictionaries: '' + + comment: + name: Report runs-on: ubuntu-latest + needs: spelling + permissions: + contents: write + pull-requests: write + if: (success() || failure()) && needs.spelling.outputs.followup steps: - - uses: actions/checkout@v2.0.0 + - name: comment + uses: check-spelling/check-spelling@v0.0.20 with: - fetch-depth: 5 - - uses: check-spelling/check-spelling@0.0.16-alpha - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - bucket: .github/actions - project: spell-check + config: .github/actions/spell-check + checkout: true + task: ${{ needs.spelling.outputs.followup }} diff --git a/config/infrastructure/aws/README.md b/config/infrastructure/aws/README.md index a48bb0b..ec3dbef 100644 --- a/config/infrastructure/aws/README.md +++ b/config/infrastructure/aws/README.md @@ -58,7 +58,7 @@ All Terraform variables are defined in `config/terraform/aws/variables.tf` & the - `TF_VAR_ecs_task_key_submission_env_key_claim_token` - `TF_VAR_rds_backend_db_password` -If you are using Terraform in Github actions the above can be set as Github secrets, and set as environment variables in your YAML file (see `.github/workflows/terraform.yml`). +If you are using Terraform in GitHub actions the above can be set as GitHub secrets, and set as environment variables in your YAML file (see `.github/workflows/terraform.yml`). There is an optional Terraform variable that can be set to control which container to deploy. It should match a container tag that both Key Retrieval & Key Submission share. By default Terraform will deploy the latest commit on the master branch. diff --git a/config/terraform/aws/variables.auto.tfvars b/config/terraform/aws/variables.auto.tfvars index 7673ba2..8543fed 100644 --- a/config/terraform/aws/variables.auto.tfvars +++ b/config/terraform/aws/variables.auto.tfvars @@ -21,14 +21,14 @@ ecs_name = "CovidShield" # Key Retrieval ecs_key_retrieval_name = "KeyRetrieval" -# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret) +# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret) # ecs_task_key_retrieval_env_hmac_key = "" -# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret) +# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret) # ecs_task_key_retrieval_env_ecdsa_key = "" # Key Submission ecs_key_submission_name = "KeySubmission" -# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret) +# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret) # Must be a string of the form =:= - https://www.mcc-mnc.com # ecs_task_key_submission_env_key_claim_token = "" @@ -48,7 +48,7 @@ rds_db_subnet_group_name = "server" # Key Retrieval/Submission rds_server_db_name = "server" rds_server_db_user = "root" -# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret) +# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret) # rds_server_db_password = "" rds_server_allocated_storage = "5" rds_server_instance_class = "db.t3.small"