diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..78e77e6 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,30 @@ +name: ci.yml – Continuous Integration +on: + push: + branches: + - main + pull_request: + branches: + - main +permissions: + contents: read + +jobs: + build: + name: "Test with Jekyll ${{ matrix.jekyll }}" + runs-on: "ubuntu-latest" + strategy: + matrix: + jekyll: ["~> 4.3.4"] + env: + JEKYLL_VERSION: ${{ matrix.jekyll }} + steps: + - name: Checkout Repository + uses: actions/checkout@v4.2.2 + - name: Set Up Ruby 3.3.6 + uses: ruby/setup-ruby@v1.203.0 + with: + ruby-version: 3.3.6 + bundler-cache: true + - name: Run tests + run: script/cibuild diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..e7cd3e3 --- /dev/null +++ b/.github/workflows/codeql.yml 
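Review bot: Every action in this job is referenced by a mutable tag (`actions/checkout@v4.2.2`, `ruby/setup-ruby@v1.203.0`), so a re-tag upstream would run different code with this job's token; the `test.yml` hunk in the same commit already pins `step-security/harden-runner` to a full commit SHA with the version in a trailing comment, and the same form belongs here, e.g. `uses: actions/checkout@<40-char commit sha> # v4.2.2`. `ruby/setup-ruby` is not a GitHub-owned action, so its reference is the one that most needs the SHA pin. `script/cibuild` is outside this diff; note that it runs with the checkout's persisted `GITHUB_TOKEN` unless the checkout step sets `persist-credentials: false`, as the scorecard workflow in this commit does.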
@@ -0,0 +1,73 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["ruby"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/autobuild@v2.19.4 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3.27.4 + + # ℹī¸ Command-line programs to run using the OS shell. 
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2.19.3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..287f583 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'dependency – Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v4.2.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4.5.0 diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml new file mode 100644 index 0000000..baa6c2e --- /dev/null +++ b/.github/workflows/jekyll.yml 
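Review bot: The step named "Initialize CodeQL" uses `github/codeql-action/autobuild@v2.19.4` instead of `github/codeql-action/init`, so no CodeQL database is ever initialized, the `languages:` input is passed to an action that does not define it, and the later `analyze` step has nothing to analyze. The three codeql-action references also mix major versions (`autobuild@v2.19.4`, `autobuild@v3.27.4`, `analyze@v2.19.3`); init, autobuild and analyze must come from the same release, and v2 is the deprecated line. Change the first to `uses: github/codeql-action/init@v3.27.4` and align `analyze` on `@v3.27.4`; for a Ruby-only matrix the Autobuild step can be dropped entirely, as the comment above it says it only matters for compiled languages.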
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: jekyll.yml – Deploy Jekyll site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: ["main", "_staging", "next"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4.2.2 + - name: Setup Ruby + uses: ruby/setup-ruby@v1.203.0 + with: + ruby-version: '3.3.6' # Not needed with a .ruby-version file + bundler-cache: true # runs 'bundle install' and caches installed gems automatically + cache-version: 1 # Increment this number if you need to re-download cached gems + - name: Setup Pages + id: pages + uses: actions/configure-pages@v5.0.0 + - name: Build with Jekyll + # Outputs to the './_site' directory by default + run: bundle exec jekyll build --trace --incremental --baseurl "${{ steps.pages.outputs.base_path }}" + env: + JEKYLL_ENV: production + JEKYLL_GITHUB_TOKEN: ${{secrets.JEKYLL_METADATA_TOKEN}} + LOG_LEVEL: debug + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@v3.0.1 + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: 
ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4.0.5 diff --git a/.github/workflows/permission_advisor.yml b/.github/workflows/permission_advisor.yml new file mode 100644 index 0000000..9c00c37 --- /dev/null +++ b/.github/workflows/permission_advisor.yml @@ -0,0 +1,27 @@ +# Sample workflow to run the action +name: permission_advisor.yml — Permissions Advisor + +permissions: + actions: read + +on: + workflow_dispatch: + inputs: + name: + description: 'The name of the workflow file to analyze' + required: true + type: string + count: + description: 'How many last runs to analyze' + required: false + type: number + default: 10 + +jobs: + advisor: + runs-on: ubuntu-latest + steps: + - uses: GitHubSecurityLab/actions-permissions/advisor@v1.0.2-beta4 + with: + name: ${{ inputs.name }} + count: ${{ inputs.count }} diff --git a/.github/workflows/readme-checker.yml b/.github/workflows/readme-checker.yml new file mode 100644 index 0000000..9f426c8 --- /dev/null +++ b/.github/workflows/readme-checker.yml @@ -0,0 +1,19 @@ +name: readme-checker.yml – Checks for suggested markdown +on: [push, pull_request] + +permissions: + contents: read + +jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4.2.2 + - name: Checking markdown + uses: DavidAnson/markdownlint-cli2-action@v18.0.0 + with: + globs: | + *.md + **/*.md + !test/*.md diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 540ef11..dd5295e 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml 
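Review bot: The `push` trigger lists `_staging` and `next` alongside `main`, yet every run deploys to the single `github-pages` environment under the shared `concurrency: group: "pages"`, so a push to a staging branch overwrites the production site, and a `_staging` push queued behind a `main` run is the one that lands. Restrict the trigger to `branches: ["main"]`, or add a deployment-branch policy on the `github-pages` environment so only `main` may deploy. Separately, the build step exports `JEKYLL_METADATA_TOKEN` into `jekyll build` while also setting `LOG_LEVEL: debug` and `--trace`; verbose logging raises the chance that request details carrying the token reach the run log, so drop `LOG_LEVEL: debug` for the production build and make the token a fine-grained PAT with read-only metadata scope. The checkout keeps the default `persist-credentials: true`, which the scorecard hunk turns off; nothing in this build pushes to the repository, so `persist-credentials: false` is appropriate here too.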
@@ -1,18 +1,25 @@ +name: release-please.yml – Automate releases with Conventional Commit Messages. on: push: branches: - main + +permissions: + pull-requests: write + name: release-please + jobs: release-please: runs-on: ubuntu-latest steps: - - uses: google-github-actions/release-please-action@v4 + - uses: googleapis/release-please-action@4.1.3 with: + contents: write + # this assumes that you have created a personal access token + # (PAT) and configured it as a GitHub action secret named + # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important). + token: ${{ secrets.GITHUB_TOKEN }} + # this is a built-in strategy in release-please, see "Action Inputs" + # for more options release-type: simple - package-name: release-please-action - #...(same as above) - #steps: - # - uses: google-github-actions/release-please-action@v4 - # with: - # command: manifest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..ffc8367 --- /dev/null +++ b/.github/workflows/release.yml 
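Review bot: `contents: write` is placed under the step's `with:` block, where release-please-action defines no such input, while the job token's `permissions:` grants only `pull-requests: write`, so the action cannot create the tag or GitHub release it exists to publish; move it to the top-level block: `permissions:` / `  contents: write` / `  pull-requests: write`. The hunk also leaves the original `name: release-please` in place beneath the new `name: release-please.yml – …` line, giving the workflow two top-level `name` keys, one of which must go. The new comment describes a PAT named `MY_RELEASE_PLEASE_TOKEN`, but `token:` is set to `secrets.GITHUB_TOKEN`; with that token the release PR it opens will not trigger other workflows, which may be intended, but the comment should state that rather than describe a PAT that is not configured. `googleapis/release-please-action@4.1.3` lacks the `v` prefix used by every other action tag in this commit; if the upstream tags are `v4.1.3` this reference will not resolve, so verify it.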
@@ -0,0 +1,33 @@ +name: release.yml – Release +on: + push: + branches: + - main + - next + - beta + - "*.x" +permissions: + contents: read # for checkout +jobs: + release: + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance + name: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4.2.2 + - uses: actions/setup-node@v4.1.0 + with: + cache: npm + node-version: lts/* + - run: npm clean-install + - run: corepack npm audit signatures + # pinned version updated automatically by Renovate. + # details at https://semantic-release.gitbook.io/semantic-release/usage/installation#global-installation + - run: npx semantic-release@v24.2.0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_NPM_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..37a8c3e --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,36 @@ +name: scorecard.yml — OpenSSF Scorecard +"on": + schedule: + - cron: 31 2 * * 1 + push: + branches: + - main +permissions: read-all +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: Checkout code + uses: actions/checkout@v4.2.2 + with: + persist-credentials: false + - name: Run analysis + uses: ossf/scorecard-action@v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + - name: Upload artifact + uses: actions/upload-artifact@v4.4.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@v2.19.4 + with: + sarif_file: results.sarif \ No newline at end of file 
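Review bot: This workflow and `release-please.yml` in the same commit both run on every push to `main` and both create tags and GitHub releases from it, so the two automations will race over tag names and produce duplicate releases; keep one of them. The job also assumes an npm package (`npm clean-install`, `NPM_TOKEN`, `id-token: write` for npm provenance) in a repository whose `ci.yaml` builds with Bundler and Jekyll, and `npm clean-install` fails outright without a `package-lock.json`, so confirm the package manifest exists before enabling this. If it stays, `SEMANTIC_RELEASE_BOT_NPM_TOKEN` should be a granular automation token limited to this package, and `actions/checkout@v4.2.2` and `actions/setup-node@v4.1.0` should be pinned to commit SHAs as `test.yml` does for `harden-runner`, since this job holds `contents: write`.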
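Review bot: `github/codeql-action/upload-sarif@v2.19.4` is on the deprecated v2 line of the CodeQL action while `codeql.yml` in this commit already references `autobuild@v3.27.4`; move the upload to `uses: github/codeql-action/upload-sarif@v3.27.4` so SARIF upload keeps working once v2 is switched off. Scorecard's own Pinned-Dependencies check will score this repository down because every `uses:` in this file is a mutable tag; pin `ossf/scorecard-action@v2.4.0`, `actions/upload-artifact@v4.4.3` and the checkout to full commit SHAs with the version in a trailing comment, the form `test.yml` already uses for `harden-runner`. The file is also missing its trailing newline (`\ No newline at end of file`).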
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml new file mode 100644 index 0000000..bb5c52e --- /dev/null +++ b/.github/workflows/semantic-release.yml 
@@ -0,0 +1,124 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + + +name: systematic-release.yml – Pull Request + +on: + pull_request: + types: + - opened + - reopened + - edited + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }} + cancel-in-progress: true + +permissions: + contents: read + # contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance name: Check pull request title + +jobs: + main: + runs-on: ubuntu-latest + steps: + name: semantic release + uses: amannn/action-semantic-pull-request@v5.5.3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + # Type abbreviation comments: + # feat -> feature + # blog, info (2023-08-07 RalphHightower) + types: | + blog + cleanup + docs + feat + fix + improve + info + refactor + revert + # Scope abbreviation comments: + # biz -> business layer (2023-08-07 RalphHightower) + # cli -> command line interface + # data -> data access layer (2023-08-07 RalphHightower) + # fn -> Pulsar Functions + # grammar -> Language corrections: grammar, spelling 
(RalphHightower 202308-06) + # io -> Pulsar Connectors + # md -> Markdown (2023-07-30 RalphHightower) + # offload -> tiered storage + # sec -> security + # sql -> Pulsar Trino Plugin + # trans -> transaction (2023-08-07 RalphHightower) + # txn -> transaction + # ws -> websocket + # ml -> managed ledger + # zk -> zookeeper + # bk -> bookkeeper + # ui -> user interface (2023-08-07 RalphHightower) + scopes: | + admin + biz + bk + broker + build + ci + cli + client + config + data + doc + docs + fn + grammar + io + md + meta + misc + ml + monitor + offload + proxy + schema + sec + site + sql + scss + storage + test + trans + txn + ws + ui + yml + zk + pip + # The pull request's title should be fulfilled the following pattern: + # + # [][] + # + # ... where valid types and scopes can be found above; for example: + # + # [fix][test] flaky test V1_ProxyAuthenticationTest.anonymousSocketTest + headerPattern: '^\[(\w*?)\](?:\[(.*?)\])?(?:\s*)(.*)$' + headerPatternCorrespondence: type, scope, subject diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..d1cf261 --- /dev/null +++ b/.github/workflows/test.yml 
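Review bot: `steps:` is written as a mapping (`steps: name: semantic release uses: …`) rather than a list — the `- ` before `name:` is missing — so GitHub rejects the workflow before it runs. The `permissions:` block grants `issues: write`, `pull-requests: write` and `id-token: write` for a job whose only step is `amannn/action-semantic-pull-request`, which reads the PR title; it needs no more than `pull-requests: read`, and the OIDC grant has no use here at all (the trailing comment `# to enable use of OIDC for npm provenance name: Check pull request title` looks like a job `name:` pasted into the comment). Suggested: `permissions:` / `  pull-requests: read` and `steps:` / `  - name: semantic release` / `    uses: amannn/action-semantic-pull-request@v5.5.3`. The workflow `name:` says `systematic-release.yml` while the file is `semantic-release.yml`.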
@@ -0,0 +1,86 @@ +name: test.yml — Test + +on: + push: + branches: + - main + # renovate/** branches are generated by https://github.com/apps/renovate + - renovate/** + + pull_request: + types: + - opened + - synchronize + +permissions: + contents: read # to fetch code (actions/checkout) + +env: + FORCE_COLOR: 1 + NPM_CONFIG_COLOR: always + +jobs: + # verify against ranges defined as supported in engines.node + test_matrix: + strategy: + matrix: + node-version: + - 20.8.1 + - 20 + - 21 + + runs-on: ubuntu-latest + timeout-minutes: 5 + + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@v4.2.2 + - run: git config --global user.name github-actions + - run: git config --global user.email github-actions@github.com + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4.1.0 + with: + node-version: ${{ matrix.node-version }} + cache: npm + - run: npm clean-install + - run: corepack npm audit signatures + - run: npm test + + # verify against the node version defined for development in the .nvmrc + test_dev: + runs-on: ubuntu-latest + timeout-minutes: 5 + + steps: + - name: Test + - uses: actions/checkout@v4.2.2 + - run: git config --global user.name github-actions + - run: git config --global user.email github-actions@github.com + - name: Use Node.js from .nvmrc + uses: actions/setup-node@v4.1.0 + with: + node-version-file: .nvmrc + cache: npm + - run: npm clean-install + - run: corepack npm audit signatures + - run: npm test + + # separate job to set as required in branch protection, + # as the build names above change each time Node versions change + test: + runs-on: ubuntu-latest + needs: + - test_dev + - test_matrix + if: ${{ !cancelled() }} + steps: + - name: All matrix versions passed + if: ${{ !(contains(needs.*.result, 'failure')) }} + run: exit 0 + - name: Some matrix version failed + if: ${{ 
contains(needs.*.result, 'failure') }} + run: exit 1 diff --git a/.github/workflows/workflows.md b/.github/workflows/workflows.md new file mode 100644 index 0000000..4f5f310 --- /dev/null +++ b/.github/workflows/workflows.md 
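Review bot: In `test_dev` the step `- name: Test` has neither `uses:` nor `run:`, so the workflow fails validation; it is presumably the `Harden Runner` step that `test_matrix` has, and without it the dev job runs `npm clean-install` and `npm test` with no egress monitoring. Replace `- name: Test` with the same `Harden Runner` step (`step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1` with `egress-policy: audit`) so both jobs are covered. `egress-policy: audit` only records outbound traffic; once the baseline endpoints are known, `egress-policy: block` with `allowed-endpoints:` is the enforcing mode. The SHA is commented as v2.10.1 while `workflows.md` in this commit lists `harden-runner@v2.10.2`; confirm which release the SHA belongs to and keep the comment accurate.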
@@ -0,0 +1,23 @@ +| action | date | github | +|---|---|---| +| DavidAnson/markdownlint-cli2-action@v18.0.0 | Nov 14, 2024 |[DavidAnson/markdownlint-cli2-action: A GitHub Action to run the markdownlint-cli2 tool for linting Markdown/CommonMark files with the markdownlint library](https://github.com/DavidAnson/markdownlint-cli2-action) | +| GitHubSecurityLab/actions-permissions/advisor@v1.0.2-beta4 | Nov 22, 2024 | [GitHubSecurityLab/actions-permissions: GitHub token permissions Monitor and Advisor actions](https://github.com/GitHubSecurityLab/actions-permissions) | +| actions/checkout@v4.2.2 | Oct 23, 2024 | [actions/checkout: Action for checking out a repo](https://github.com/actions/checkout) | +| actions/configure-pages@v5.0.0 | Mar 29, 2024 | [actions/configure-pages: An action to enable Pages and extract various metadata about a site. It can also be used to configure various static site generators we support as starter workflows.](https://github.com/actions/configure-pages) | +| actions/dependency-review-action@v4.5.0 | Nov 20, 2024 | [actions/dependency-review-action: A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs](https://github.com/actions/dependency-review-action) | +| actions/deploy-pages@4.0.5 | Mar 18, 2024 | [actions/deploy-pages: GitHub Action to publish artifacts to GitHub Pages for deployments](https://github.com/actions/deploy-pages) | +| actions/jekyll-build-pages@v1.0.13 | Aug 6, 2024 | [actions/jekyll-build-pages: A simple GitHub Action for producing Jekyll build artifacts compatible with GitHub Pages.](https://github.com/actions/jekyll-build-pages) | +| actions/setup-node@v4.1.0 | Oct 24, 2024 | [actions/setup-node: Set up your GitHub Actions workflow with a specific version of node.js](https://github.com/actions/setup-node) | +| actions/upload-artifact@v4.4.3 | Oct 9, 2024 14 | [actions/upload-artifact](https://github.com/actions/upload-artifact) | +| actions/upload-pages-artifact@v3.0.1 | Feb 7, 2024 | 
[actions/upload-pages-artifact: A composite action for packaging and uploading an artifact that can be deployed to GitHub Pages.](https://github.com/actions/upload-pages-artifact) | +| amannn/action-semantic-pull-request@v5.5.3 | Jun 28, 2024 | [amannn/action-semantic-pull-request: A GitHub Action that ensures that your PR title matches the Conventional Commits spec](https://github.com/amannn/action-semantic-pull-request) | +| github/codeql-action/analyze@v2.19.4 | Dec 2, 2024 | [github/codeql-action: Actions for running CodeQL analysis](https://github.com/github/codeql-action) | +| github/codeql-action/autobuild@v2.19.4 | Dec 2, 2024 | [github/codeql-action: Actions for running CodeQL analysis](https://github.com/github/codeql-action) | +| github/codeql-action/init@v2.19.4 | Dec 2, 2024 | [github/codeql-action: Actions for running CodeQL analysis](https://github.com/github/codeql-action) | +| github/codeql-action/upload-sarif@v2.19.4 | Dec 2, 2024 | [github/codeql-action: Actions for running CodeQL analysis](https://github.com/github/codeql-action) | +| googleapis/release-please-action@4.1.3 | Jun 10, 2024 | [googleapis/release-please-action: automated releases based on conventional commits](https://github.com/googleapis/release-please-action) +| googleapis/release-please@v16.15.0 | Dec 2, 2024 | [googleapis/release-please: generate release PRs based on the conventionalcommits.org spec](https://github.com/googleapis/release-please) | +| lowlighter/metrics@3.34 | Sep 12, 2023 | [lowlighter/metrics: 📊 An infographics generator with 30+ plugins and 300+ options to display stats about your GitHub account and render them as SVG, Markdown, PDF or JSON!](https://github.com/lowlighter/metrics) | +| ossf/scorecard-action@v2.4.0 | Jul 26, 2024 | [ossf/scorecard-action: Official GitHub Action for OpenSSF Scorecard.](https://github.com/ossf/scorecard-action) | +| ruby/setup-ruby@v1.203.0 | Dec 6, 2024 | [ruby/setup-ruby: An action to download a prebuilt Ruby and add it to the 
PATH in 5 seconds](https://github.com/ruby/setup-ruby) | +| step-security/harden-runner@v2.10.2 | Nov 18, 2024 | [step-security/harden-runner: Network egress filtering and runtime security for GitHub-hosted and self-hosted runners](https://github.com/step-security/harden-runner) |