From fa27a3742fca19a83530ffc4d9f655f778f94ccb Mon Sep 17 00:00:00 2001
From: Meysam Azad
Date: Thu, 24 Oct 2024 10:40:40 +0700
Subject: [PATCH] chore: initial structure
---
 .github/FUNDING.yml | 3 +
 .github/dependabot.yml | 7 ++
 .github/workflows/ci.yml | 79 ++++++++++++++++
 .pre-commit-config.yaml | 71 +++++++++++++++
 action.yml | 191 +++++++++++++++++++++++++++++++++++++++
 renovate.json | 6 ++
 trivy.yaml | 15 +++
 7 files changed, 372 insertions(+)
 create mode 100644 .github/FUNDING.yml
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 action.yml
 create mode 100644 renovate.json
 create mode 100644 trivy.yaml
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..17372e0
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+---
+github:
+ - meysam81
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..567aeae
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..b5ac320
--- /dev/null
+++ b/.github/workflows/ci.yml
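Review bot: dependabot.yml enables weekly `github-actions` updates while renovate.json, added in the same commit, extends `config:recommended`, which to my knowledge also manages GitHub Actions workflow files, so both bots will open competing PRs for the same action bumps. Keep a single updater: if Renovate is the intended one, drop this file; otherwise remove renovate.json or disable its github-actions manager there.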
@@ -0,0 +1,79 @@
+---
+name: ci
+
+concurrency:
+ cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
+ group: ci-${{ github.ref_name }}-${{ github.event_name }}
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - v*
+ pull_request:
+ branches:
+ - main
+
+env:
+ ANSIBLE_FORCE_COLOR: "1"
+ PY_COLORS: "1"
+
+jobs:
+ trivy:
+ if: github.event_name == 'push' || github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ scan-type:
+ - fs
+ - config
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Cache trivy db
+ uses: actions/cache@v4
+ with:
+ path: |
+ ~/.cache/trivy
+ ~/work/temp
+ key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ format: sarif
+ ignore-unfixed: true
+ output: trivy-results.sarif
+ scan-ref: .
+ scan-type: ${{ matrix.scan-type }}
+ severity: CRITICAL,HIGH
+ trivy-config: trivy.yaml
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy-results.sarif
+
+ ansible-lint:
+ if: github.event_name == 'push' || github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint@main
+
+ release-please:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Release please
+ uses: googleapis/release-please-action@v4
+ with:
+ release-type: simple
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..99569a2
--- /dev/null
+++ b/.pre-commit-config.yaml
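Review bot: `aquasecurity/trivy-action@master` in the trivy job and `ansible/ansible-lint@main` in the ansible-lint job resolve a mutable branch on every run, so any change to those upstream repositories lands directly in this CI (the same applies to `kubescape/github-action@main` in action.yml); pin them to a release tag or, better, a full commit SHA with a version comment, which also gives the dependency bots something to bump. Both matrix legs upload `trivy-results.sarif` through `github/codeql-action/upload-sarif@v3` without a `category`, so the second upload for a commit replaces the first; add `category: trivy-${{ matrix.scan-type }}` under that step's `with:`. The ansible-lint job has no `permissions:` block and therefore runs with the repository's default token scope; `permissions: contents: read` matches the trivy job. The `if:` on trivy and ansible-lint only restates the `on:` triggers and can be dropped.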
@@ -0,0 +1,71 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: check-added-large-files
+ args: ["--maxkb=800"]
+ - id: check-ast
+ - id: check-executables-have-shebangs
+ - id: check-json
+ - id: check-shebang-scripts-are-executable
+ - id: check-yaml
+ args:
+ - --allow-multiple-documents
+ - id: detect-private-key
+ exclude: |
+ (?x)^(
+ )$
+ - id: detect-aws-credentials
+ args:
+ - --allow-missing-credentials
+ - id: end-of-file-fixer
+ exclude: |
+ (?x)^(
+ )$
+ - id: name-tests-test
+ - id: file-contents-sorter
+ - id: requirements-txt-fixer
+ - id: sort-simple-yaml
+ - id: trailing-whitespace
+ - id: fix-byte-order-marker
+ - id: check-builtin-literals
+ - id: check-case-conflict
+ - id: check-builtin-literals
+ - id: check-byte-order-marker
+ - id: check-case-conflict
+ - id: check-docstring-first
+ - id: check-merge-conflict
+ - id: check-symlinks
+ - id: check-toml
+ - id: check-vcs-permalinks
+ - id: check-xml
+ - id: debug-statements
+ - id: destroyed-symlinks
+ - id: fix-byte-order-marker
+ - id: fix-encoding-pragma
+ - id: forbid-new-submodules
+ - id: forbid-submodules
+ - id: mixed-line-ending
+ - id: pretty-format-json
+ args:
+ - --autofix
+ - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+ rev: v9.18.0
+ hooks:
+ - id: commitlint
+ stages: [commit-msg]
+ additional_dependencies: ["@commitlint/config-conventional"]
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.6.9
+ hooks:
+ - id: ruff
+ args:
+ - --fix
+ - --select=I
+ - id: ruff-format
+ - repo: https://github.com/tofuutils/pre-commit-opentofu
+ rev: v2.0.0
+ hooks:
+ - id: tofu_fmt
+ - id: tofu_tflint
+ - id: tofu_docs
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..22dcd7c
--- /dev/null
+++ b/action.yml
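Review bot: `check-builtin-literals`, `check-case-conflict` and `fix-byte-order-marker` are each listed twice in the pre-commit-hooks block, and `check-byte-order-marker` is the older alias of `fix-byte-order-marker`, so the same checks run twice on every commit; keep one entry each. `fix-encoding-pragma` was deprecated upstream and I believe removed by v5.0.0 (the `check-byte-order-marker` alias possibly too) — verify both still exist at the pinned `rev`, otherwise hook installation fails. `file-contents-sorter` and `sort-simple-yaml` match no files by default and need a `files:` pattern to do anything, so either scope them or drop them. The two `exclude:` blocks hold an empty `(?x)^( )$` pattern that excludes nothing; acceptable as a template, but a `# add paths to exclude here` comment would make the intent clear.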
@@ -0,0 +1,191 @@
+name: "Build Docker Image"
+description: "Builds and optionally pushes a Docker image"
+
+inputs:
+ build-args:
+ default: ""
+ description: Build arguments
+ required: false
+ context:
+ default: .
+ description: Context of the Dockerfile
+ required: false
+ dockerhub-password:
+ description: Docker Hub password
+ required: false
+ default: ""
+ dockerhub-username:
+ description: Docker Hub username
+ required: false
+ default: ""
+ github-token:
+ default: ${{ github.token }}
+ description: GitHub token
+ required: true
+ image-extra-tags:
+ default: ""
+ description: Image tags
+ required: false
+ image-name:
+ description: Image name
+ required: true
+ image-target:
+ default: ""
+ description: Target stage of the Dockerfile
+ required: false
+ kubescape:
+ default: "false"
+ description: Whether or not to run Kubescape
+ required: false
+ kubescape-upload-sarif:
+ default: "false"
+ description: Whether or not to upload Kubescape SARIF results
+ required: false
+ platforms:
+ default: linux/amd64,linux/arm64
+ description: Platforms to build for
+ required: false
+ push:
+ default: "true"
+ description: Whether or not to push image to registry
+ required: false
+ ref:
+ default: ${{ github.ref }}
+ description: Ref to checkout
+ required: false
+ runner:
+ default: ubuntu-latest
+ description: Runner to use
+ required: false
+ scout-comment-pr:
+ default: "false"
+ description: Whether or not to comment on PR
+ required: false
+ scout-compare:
+ default: "false"
+ description: Whether or not to run scout compare
+ required: false
+ scout-cves:
+ default: "false"
+ description: Whether or not to run scout CVEs
+ required: false
+
+outputs:
+ digest:
+ description: Image digest
+ value: ${{ steps.build-push.outputs.digest }}
+ imageid:
+ description: Image ID
+ value: ${{ steps.build-push.outputs.image-id }}
+ metadata:
+ description: Build result metadata
+ value: ${{ steps.build-push.outputs.metadata }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ password: ${{ inputs.github-token }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+
+ - if: |
+ inputs.dockerhub-username != '' &&
+ inputs.dockerhub-password != ''
+ name: Login to Docker hub
+ uses: docker/login-action@v3
+ with:
+ password: ${{ inputs.dockerhub-password }}
+ username: ${{ inputs.dockerhub-username }}
+
+ - name: Docker metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ inputs.image-name }}
+
+ - name: Build and push
+ id: build-push
+ uses: docker/build-push-action@v6
+ with:
+ build-args: ${{ inputs.build-args }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ context: ${{ inputs.context }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: ${{ inputs.platforms }}
+ push: ${{ inputs.push }}
+ tags: |
+ ${{ steps.meta.outputs.tags }}
+ ${{ inputs.image-extra-tags }}
+ target: ${{ inputs.image-target }}
+
+ - name: Docker Scout - compare
+ if: inputs.scout-compare == 'true'
+ uses: docker/scout-action@v1
+ with:
+ command: compare
+ github-token: ${{ github.token }}
+ ignore-unchanged: true
+ image: ${{ steps.meta.outputs.tags }}
+ only-severities: critical,high,medium
+ to: ${{ inputs.image-name }}:latest
+ write-comment: ${{ inputs.scout-comment-pr }}
+
+ - name: Docker Scout - cves
+ if: inputs.scout-cves == 'true'
+ uses: docker/scout-action@v1
+ with:
+ command: cves
+ ignore-unchanged: true
+ image: ${{ steps.meta.outputs.tags }}
+ only-fixed: true
+ only-severities: medium,high,critical
+ sarif-file: sarif.output.json
+ summary: true
+
+ - name: Create unique job identifier
+ id: job-id
+ shell: bash
+ run: |
+ four_character_timestamp=$(date +%s | sha256sum | base64 | head -c 4)
+ run_id=$(echo ${{
github.run_id }} | sha256sum | base64 | head -c 4)
+ job_id="${four_character_timestamp}${run_id}"
+ echo "job-id=$job_id" >> $GITHUB_OUTPUT
+
+ - name: Upload artifact
+ if: inputs.scout-cves == 'true'
+ uses: actions/upload-artifact@v4
+ with:
+ if-no-files-found: warn
+ name: scout-results-${{ steps.job-id.outputs.job-id }}
+ path: sarif.output.json
+
+ - if: inputs.kubescape == 'true'
+ uses: kubescape/github-action@main
+ continue-on-error: true
+ with:
+ image: ${{ inputs.image-name }}@${{ steps.build-push.outputs.digest }}
+ format: sarif
+ outputFile: results.sarif
+ severityThreshold: Medium
+
+ - if: inputs.kubescape-upload-sarif == 'true'
+ name: Upload Kubescape scan results to Github Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..5db72dd
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended"
+ ]
+}
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..0b193fd
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,15 @@
+quiet: false
+debug: false
+insecure: false
+timeout: 1m
+cache:
+ dir: .pre-commit-trivy-cache
+scan:
+ skip-dirs:
+ - "**/.terraform*"
+misconfiguration:
+ terraform:
+ exclude-downloaded-modules: false
+severity:
+ - HIGH
+ - CRITICAL
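Review bot: The Kubescape upload step is gated only on `inputs.kubescape-upload-sarif == 'true'`, so with `kubescape: "false"` (the default) it runs without a `results.sarif` and fails the job; gate it on both, `if: inputs.kubescape == 'true' && inputs.kubescape-upload-sarif == 'true'`. The scout compare step passes `github-token: ${{ github.token }}` while every other step uses `inputs.github-token`, so a caller-supplied token is silently ignored there. The `job-id` step interpolates `${{ github.run_id }}` straight into a `run:` script; the value is numeric and not attacker-controlled, but the pattern invites copy-paste with untrusted contexts — prefer `env: RUN_ID: ${{ github.run_id }}` with `"$RUN_ID"` in the script, and quote `"$GITHUB_OUTPUT"`. The image is pushed before the Scout and Kubescape scans run, so findings cannot block publication; if that is the intent, build with `push: false`, scan, then push in a later step. The `runner` input is declared but never referenced in the steps (a composite action cannot choose its runner), so it is dead surface worth removing or documenting.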
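Review bot: `cache.dir: .pre-commit-trivy-cache` points Trivy's DB cache at a workspace-relative directory, while ci.yml restores `~/.cache/trivy` under a key hashed from this file, so as far as I can tell the two never meet and the vulnerability DB is re-downloaded on every CI run (unless trivy-action overrides the cache dir — worth confirming). Either point both at the same directory or drop the `cache:` stanza here and let the action's default apply.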