diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..7039468
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,23 @@
+### Summary
+
+SUMMARY_GOES_HERE
+
+### Full changelog
+
+* [Implement ...]
+* [Fix ...]
+
+### Issues resolved
+
+Fix #XXX
+
+### Documentation
+
+- [ ] Link to the website [documentation PR](https://github.com/Kong/docs.konghq.com/pull/XXX)
+
+### Testing
+
+- [ ] Unit tests
+- [ ] E2E tests
+- [ ] Manual testing on Universal
+- [ ] Manual testing on Kubernetes
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..a95e890
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+---
+# File is synced from Kong/template-generic and will be overwritten
+version: 2
+updates:
+- package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+
+- package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 0000000..4c09f80
--- /dev/null
+++ b/.github/settings.yml
@@ -0,0 +1,71 @@
+---
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
+
+repository:
+ # See https://docs.github.com/en/rest/reference/repos#update-a-repository for all available settings.
+
+ # The name of the repository. Changing this will rename the repository
+ # name: repo-name
+
+ # A short description of the repository that will show up on GitHub
+ # description: description of repo
+
+ # A URL with more information about the repository
+ # homepage: https://example.github.io/
+
+ # A comma-separated list of topics to set on the repository
+ # topics: github, probot
+
+ # Either `true` to make the repository private, or `false` to make it public.
+ private: false
+
+ # Either `true` to enable issues for this repository, `false` to disable them.
+ has_issues: false
+
+ # Either `true` to enable projects for this repository, or `false` to disable them.
+ # If projects are disabled for the organization, passing `true` will cause an API error.
+ has_projects: false
+
+ # Either `true` to enable the wiki for this repository, `false` to disable it.
+ has_wiki: false
+
+ # Either `true` to enable downloads for this repository, `false` to disable them.
+ has_downloads: true
+
+ # Updates the default branch for this repository.
+ default_branch: main
+
+ # Either `true` to allow squash-merging pull requests, or `false` to prevent
+ # squash-merging.
+ allow_squash_merge: true
+
+ # Either `true` to allow merging pull requests with a merge commit, or `false`
+ # to prevent merging pull requests with merge commits.
+ allow_merge_commit: false
+
+ # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+ # rebase-merging.
+ allow_rebase_merge: true
+
+ # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+ delete_branch_on_merge: true
+
+ # Either `true` to enable automated security fixes, or `false` to disable
+ # automated security fixes.
+ enable_automated_security_fixes: true
+
+ # Either `true` to enable vulnerability alerts, or `false` to disable
+ # vulnerability alerts.
+ enable_vulnerability_alerts: true
+
+branches:
+- name: main
+ protection:
+ required_pull_request_reviews:
+ required_status_checks:
+ strict: true
+ contexts: [pre-commit, Create Release, 'Create Release Artifacts (aarch64, linux-gnu)', 'Create Release Artifacts (aarch64, linux-musl)', 'Create
+ Release Artifacts (x86_64, linux-gnu)', 'Create Release Artifacts (x86_64, linux-musl)']
+ enforce_admins:
+ required_linear_history: true
+ restrictions:
diff --git a/.github/template-sync.yml b/.github/template-sync.yml
new file mode 100644
index 0000000..5063a49
--- /dev/null
+++ b/.github/template-sync.yml
@@ -0,0 +1,19 @@
+---
+additional:
+- kong-openssl
+
+files:
+- '!README.md'
+- '!.pre-commit-config.yaml'
+- '!.secrets.baseline'
+- '!**/template-sync.yml'
+- '!.github/workflows/sync.yml'
+- '!.github/PULL_REQUEST_TEMPLATE.md'
+- '!**/CODEOWNERS'
+- '!.yamllint'
+- '!Dockerfile'
+- '!build.sh'
+- '!test.sh'
+- '!.github/workflows/release.yaml'
+- '!.releaserc'
+- '!Makefile'
diff --git a/.github/workflows/automerge-dependabot.yml b/.github/workflows/automerge-dependabot.yml
new file mode 100644
index 0000000..8143353
--- /dev/null
+++ b/.github/workflows/automerge-dependabot.yml
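Review bot: In `.github/settings.yml`, the `protection` block for `main` leaves `required_pull_request_reviews:`, `enforce_admins:` and `restrictions:` as bare keys, which parse as null; for branch protection that means no review is required and administrators are not bound by the rules. The indentation is flattened on this page, so this assumes the three keys are siblings under `protection`. If review is meant to be enforced, say so explicitly, for example `required_approving_review_count: 1` nested under `required_pull_request_reviews` and `enforce_admins: true`. If the nulls are deliberate, write `null` and add a comment such as `# reviews intentionally not required: merges are gated by status checks only`, since a bare key reads like an unfinished edit.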
@@ -0,0 +1,31 @@
+---
+# File is synced from Kong/template-generic and will be overwritten
+name: Auto Actions
+
+on: pull_request_target # yamllint disable-line rule:truthy
+
+permissions:
+ contents: write
+ pull-requests: write
+
+
+jobs:
+ dependabot-automerge:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Gather Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v1.3.5
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Approve PR
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ - name: Enable auto-merge
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..b4fcd51
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,31 @@
+---
+# File is synced from Kong/template-generic and will be overwritten
+name: pre-commit
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - uses: actions/setup-python@v4.3.0
+ - name: install shfmt
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/bin
+ curl -L -s -o $GITHUB_WORKSPACE/bin/shfmt https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64
+ chmod +x $GITHUB_WORKSPACE/bin/shfmt
+ echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+ - name: pre-commit github auth
+ env:
+ TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ git version
+ git config --global url."https://${TOKEN}:x-oauth-basic@github.com/".insteadOf "git@github.com:"
+ - uses: pre-commit/action@v3.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ extra_args: --from-ref origin/${{ github.base_ref }} --to-ref ${{github.event.pull_request.head.sha}}
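Review bot: In `automerge-dependabot.yml`, the job guard `if: ${{ github.actor == 'dependabot[bot]' }}` tests who triggered the latest event rather than who authored the pull request, and the workflow runs on `pull_request_target` with `contents: write` and `pull-requests: write`. Gate on the author instead, `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}`, so approval and auto-merge only ever apply to PRs that Dependabot opened. The `metadata` step's outputs are never read, so every update is approved, major version bumps included; adding `if: steps.metadata.outputs.update-type != 'version-update:semver-major'` to the approve and merge steps would leave those for a human.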
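Review bot: In `pre-commit.yml`, the `install shfmt` step puts a downloaded binary on `$GITHUB_PATH` with no integrity check, and `curl -L -s` without `-f` will save an HTTP error body as the executable. Use `curl -fsSL -o ...` and verify a pinned digest before the `chmod`, e.g. `echo "<EXPECTED_SHA256>  $GITHUB_WORKSPACE/bin/shfmt" | sha256sum -c -` (the digest is a placeholder; take it from the v3.1.2 release). The `pre-commit github auth` step also writes the token into the global git config as a URL rewrite; a comment there saying why it is needed (presumably private hook repositories) would help the next reader.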
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..3125636
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,86 @@
+---
+name: Release
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ release:
+ name: Create Release
+ runs-on: ubuntu-latest
+ outputs:
+ published: ${{ steps.release.outputs.published }}
+ release-git-tag: ${{ steps.release.outputs.release-git-tag }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Release
+ id: release
+ uses: ahmadnassri/action-semantic-release@v2.1.10
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ artifacts:
+ needs: release
+ name: Create Release Artifacts
+ strategy:
+ matrix:
+ architecture: [aarch64, x86_64]
+ ostype: [linux-gnu, linux-musl]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: docker/setup-qemu-action@v2
+ - uses: docker/setup-buildx-action@v2
+ - name: Set environment variables
+ run: |
+ echo "ARCHITECTURE=${{ matrix.architecture }}" >> $GITHUB_ENV
+ echo "OSTYPE=${{ matrix.ostype }}" >> $GITHUB_ENV
+ echo "REGISTRY=ghcr.io"
+ - name: Build, and Package
+ run: make build/package
+ - name: Log in to the Container registry
+ if: ${{ needs.release.outputs.published == 'true' }}
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Docker meta
+ if: ${{ needs.release.outputs.published == 'true' }}
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/kong/template-github-release
+ sep-tags: ' '
+ flavor: |
+ suffix=-${{ matrix.architecture }}-${{ matrix.ostype }}
+ tags: |
+ type=sha
+ type=ref,event=branch
+ type=semver,pattern={{version}},value=${{ needs.release.outputs.release-git-tag }}
+ type=semver,pattern={{major}},value=${{ needs.release.outputs.release-git-tag }}
+ - name: Retag and Push
+ if: ${{ needs.release.outputs.published == 'true' }}
+ run: |
+ for tag in ${{ steps.meta.outputs.tags }}; do \
+ docker tag ghcr.io/template-github-release:build-$ARCHITECTURE-$OSTYPE $tag && \
+ docker push $tag; \
+ done
+ - name: Archive the package
+ if: ${{ needs.release.outputs.published == 'true' }}
+ run: |
+ tar -C package -czvf ${{ matrix.architecture }}-${{ matrix.ostype }}.tar.gz .
+ - name: Add Release Artifact to the Github Release
+ if: ${{ needs.release.outputs.published == 'true' }}
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ needs.release.outputs.release-git-tag }}
+ files: ${{ matrix.architecture }}-${{ matrix.ostype }}.tar.gz
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
new file mode 100644
index 0000000..e66e634
--- /dev/null
+++ b/.github/workflows/sync.yml
@@ -0,0 +1,21 @@
+---
+name: Sync the template repository
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ sync:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Queue
+ uses: ahmadnassri/action-workflow-queue@v1.1
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Sync
+ uses: ahmadnassri/action-template-repository-sync@v2.2.0
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ba3bd78
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+package
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..fa81517
--- /dev/null
+++ b/.pre-commit-config.yaml
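Review bot: In `release.yaml`, the third-party actions that receive `GITHUB_TOKEN` (`ahmadnassri/action-semantic-release@v2.1.10`, `softprops/action-gh-release@v1`) are referenced by mutable tag, while `docker/login-action` in the same file is pinned to a commit SHA; pin the others the same way, `uses: owner/action@<COMMIT_SHA> # vX.Y.Z`. The `sync.yml` and `automerge-dependabot.yml` hunks reference their actions by tag as well. The workflow declares no `permissions:` key, so the token's scope is whatever the repository default is; a per-job block listing only the scopes each job uses (contents and packages writes, from what the steps do) would make that explicit. In the `Set environment variables` step, `echo "REGISTRY=ghcr.io"` lacks `>> $GITHUB_ENV`, so `REGISTRY` is printed to the log and never exported.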
@@ -0,0 +1,40 @@
+---
+# File is synced from Kong/template-generic and will be overwritten
+repos:
+- repo: meta
+ hooks:
+ - id: check-hooks-apply
+ - id: check-useless-excludes
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - id: mixed-line-ending
+ - id: check-yaml
+ - id: check-byte-order-marker
+ - id: check-merge-conflict
+ - id: end-of-file-fixer
+ - id: check-added-large-files
+- repo: https://github.com/Lucas-C/pre-commit-hooks
+ rev: v1.1.10
+ hooks:
+ - id: forbid-crlf
+ - id: remove-crlf
+ - id: forbid-tabs
+ - id: remove-tabs
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.1.0
+ hooks:
+ - id: detect-secrets
+ args: [--baseline, .secrets.baseline]
+- repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
+ rev: 0.1.1
+ hooks:
+ - id: yamlfmt
+ args: [--mapping, '2', --sequence, '2', --offset, '0', --width, '150']
+- repo: https://github.com/adrienverge/yamllint
+ rev: v1.26.1
+ hooks:
+ - id: yamllint
+ args: [--format, parsable, --strict]
diff --git a/.releaserc b/.releaserc
new file mode 100644
index 0000000..2372c57
--- /dev/null
+++ b/.releaserc
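Review bot: In `.pre-commit-config.yaml`, `- id: end-of-file-fixer` is listed twice under the `pre-commit/pre-commit-hooks` repo, so the same hook runs twice on every commit; drop the second entry. The `forbid-crlf`/`remove-crlf` and `forbid-tabs`/`remove-tabs` pairs from `Lucas-C/pre-commit-hooks` are both enabled; a short comment such as `# forbid-* fails the commit, remove-* rewrites the file` would tell a reader whether enabling both is deliberate.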
@@ -0,0 +1,45 @@
+{
+ "branches": ["main"],
+ "tagFormat": "${version}",
+ "repositoryUrl": "https://github.com/kong/template-github-release.git",
+ "plugins": [
+ [
+ "@semantic-release/commit-analyzer",
+ {
+ "preset": "conventionalcommits",
+ "releaseRules": [
+ { "breaking": true, "release": "major" },
+ { "revert": true, "release": "patch" },
+ { "type": "build", "release": "patch" },
+ { "type": "docs", "release": "patch" },
+ { "type": "feat", "release": "minor" },
+ { "type": "fix", "release": "patch" },
+ { "type": "perf", "release": "patch" },
+ { "type": "refactor", "release": "patch" },
+ { "type": "chore", "release": "patch" }
+ ]
+ }
+ ],
+ [
+ "@semantic-release/release-notes-generator",
+ {
+ "preset": "conventionalcommits",
+ "presetConfig": {
+ "types": [
+ { "type": "build", "section": "Build", "hidden": false },
+ { "type": "chore", "section": "Chores", "hidden": false },
+ { "type": "ci", "section": "CI/CD", "hidden": false },
+ { "type": "docs", "section": "Docs", "hidden": false },
+ { "type": "feat", "section": "Features", "hidden": false },
+ { "type": "fix", "section": "Bug Fixes", "hidden": false },
+ { "type": "perf", "section": "Performance", "hidden": false },
+ { "type": "refactor", "section": "Refactor", "hidden": false },
+ { "type": "style", "section": "Code Style", "hidden": false },
+ { "type": "test", "section": "Tests", "hidden": false }
+ ]
+ }
+ }
+ ],
+ "@semantic-release/github"
+ ]
+}
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..badb637
--- /dev/null
+++ b/.secrets.baseline
@@ -0,0 +1,103 @@ +{ + "version": "1.1.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": {}, + "generated_at": "2022-01-17T17:08:21Z" +} diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..1ceaf66 --- /dev/null +++ b/.yamllint 
@@ -0,0 +1,9 @@
+---
+# File is synced from Kong/template-generic and will be overwritten
+extends: default
+rules:
+ line-length: disable
+ comments: disable
+ indentation:
+ spaces: 2
+ indent-sequences: consistent
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..f8ffeff
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,4 @@
+# Default to review by
+
+
+# Add additional directory-specific reviewers later in the file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..f84308e
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+ARG OSTYPE=linux-gnu
+ARG ARCHITECTURE=x86_64
+ARG DOCKER_REGISTRY=ghcr.io
+ARG DOCKER_IMAGE_NAME
+
+# List out all image permutations to trick dependabot
+FROM --platform=linux/amd64 kong/kong-build-tools:apk-1.8.1 as x86_64-linux-musl
+FROM --platform=linux/amd64 kong/kong-build-tools:rpm-1.8.1 as x86_64-linux-gnu
+FROM --platform=linux/arm64 kong/kong-build-tools:apk-1.8.1 as aarch64-linux-musl
+FROM --platform=linux/arm64 kong/kong-build-tools:rpm-1.8.1 as aarch64-linux-gnu
+
+
+# Run the build script
+FROM $ARCHITECTURE-$OSTYPE as build
+
+COPY . /src
+RUN /src/build.sh && /src/test.sh
+
+
+# Copy the build result to scratch so we can export the result
+FROM scratch as package
+
+COPY --from=build /tmp/build /
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..159617d
--- /dev/null
+++ b/Makefile
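Review bot: In the `Dockerfile`, `COPY . /src` copies the entire build context into the build stage and this commit adds no `.dockerignore`, so `.git` and any local `package/` output go along with it; add a `.dockerignore` that lists at least `.git` and `package`. The four `kong/kong-build-tools` bases are referenced by tag only; appending a digest, `kong/kong-build-tools:apk-1.8.1@sha256:<DIGEST>`, would fix what the build actually pulls. `ARG DOCKER_REGISTRY` and `ARG DOCKER_IMAGE_NAME` are declared but not used by any instruction shown, while the Makefile in this commit also passes `DOCKER_IMAGE_TAG`, which has no matching `ARG`.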
@@ -0,0 +1,30 @@
+ARCHITECTURE ?= x86_64
+OSTYPE ?= linux-gnu
+DOCKER_TARGET ?= build
+DOCKER_REGISTRY ?= ghcr.io
+DOCKER_IMAGE_NAME ?= template-github-release
+DOCKER_IMAGE_TAG ?= $(DOCKER_TARGET)-$(ARCHITECTURE)-$(OSTYPE)
+DOCKER_NAME ?= $(DOCKER_REGISTRY)/$(DOCKER_IMAGE_NAME):$(DOCKER_IMAGE_TAG)
+DOCKER_RESULT ?= --load
+
+clean:
+ rm -rf package
+ docker rmi $(DOCKER_NAME)
+
+docker:
+ docker buildx build \
+ --build-arg DOCKER_REGISTRY=$(DOCKER_REGISTRY) \
+ --build-arg DOCKER_IMAGE_NAME=$(DOCKER_IMAGE_NAME) \
+ --build-arg DOCKER_IMAGE_TAG=$(DOCKER_IMAGE_TAG) \
+ --build-arg ARCHITECTURE=$(ARCHITECTURE) \
+ --build-arg OSTYPE=$(OSTYPE) \
+ --target=$(DOCKER_TARGET) \
+ -t $(DOCKER_NAME) \
+ $(DOCKER_RESULT) .
+
+build/docker:
+ docker inspect --format='{{.Config.Image}}' $(DOCKER_NAME) || \
+ $(MAKE) DOCKER_TARGET=build docker
+
+build/package: build/docker
+ $(MAKE) DOCKER_TARGET=package DOCKER_RESULT="-o package" docker
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8d99bfa
--- /dev/null
+++ b/README.md
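Review bot: In the `Makefile`, no target is declared phony, and `build/docker` and `build/package` are path-shaped names, so a `build/` directory holding files with those names would make them look up to date; add `.PHONY: clean docker build/docker build/package`. `build/docker` also skips the build whenever `docker inspect` finds an image with that tag, so a stale local image is reused after the sources change; if that caching is intended, a comment on the target should say so. `clean` stops with an error when the image does not exist, because `docker rmi` returns non-zero.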
@@ -0,0 +1,19 @@
+# Generic Github Repository Template
+
+Generic github repository template that keeps child repositories sync'd
+
+Use this template as a sensible baseline for new github repositories.
+
+## Instructions
+
+- Create template from repository
+- Install the [settings app](https://github.com/apps/settings) on the new repository
+- Remove and re-add the `.github/settings.yml` file so the settings app gets enabled
+- From the new repository settings page enable "Allow auto-merge"
+- Following the [CODEOWNERS SYNTAX](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax) guidelines, update the new repository CODEOWNERS file
+- Following our [Github bot guidline documentation](https://konghq.atlassian.net/wiki/spaces/ENGEN/pages/2720268304/How+To+-+Github+Automation+Guidelines) add a github and dependabot secret for AUTO_MERGE_TOKEN
+- **Update** the .github/template-sync.yml file in [kong/template-github-release](https://github.com/Kong/template-github-release) repository with the **cloned repository name** to enable template sync changes
+- Update .releaserc to have the correct repository name
+- Correct the image name in `.github/workflows/release.yaml`
+- Correct the image name in `Makefile`
+- Remove the sync workflow at `.github/template-sync.yml` and `.github/workflows/sync.yml`
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..8de0308
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+if [ -n "${DEBUG:-}" ]; then
+ set -x
+fi
+
+function main() {
+ rm -rf /tmp/build/* && uname -a >> /tmp/build/out
+}
+
+main
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..3babf61
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+if [ -n "${DEBUG:-}" ]; then
+ set -x
+fi
+
+function test() {
+ ls -lah /tmp/build/out
+}
+
+test
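Review bot: In `build.sh`, `main` appends to `/tmp/build/out` without creating `/tmp/build`; unless the base image already provides that directory (not visible in this commit), the redirect fails and `set -e` aborts the build. Add `mkdir -p /tmp/build` as the first line of `main`, before the `rm -rf /tmp/build/*`. A one-line comment above `main` saying that `/tmp/build` is the directory the `package` stage of the Dockerfile exports would tie the two files together.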
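Review bot: In `test.sh`, the function is named `test`, which shadows the shell builtin of the same name for the rest of the script, so any `test -f ...` added later would call this function instead. Rename it, e.g. `function run_tests() {`, and change the final line to `run_tests`. The check itself only lists the file; `[ -s /tmp/build/out ]` would also fail on an empty output.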