From 20fd068af15f695623a62d776567d5288a40cb0d Mon Sep 17 00:00:00 2001 From: Alexandre Nicolaie Date: Sun, 4 Aug 2024 20:36:10 +0000 Subject: [PATCH 1/2] :construction_worker:(gh): Add workflows to manage labels Signed-off-by: Alexandre Nicolaie --- .github/labeler.yml | 59 ++++++++++++++ .github/labels.yaml | 77 +++++++++++++++++++ .../workflows/pull_request.automations.yaml | 49 ++++++++++++ .../workflows/push,schedule.sync-labels.yaml | 42 ++++++++++ 4 files changed, 227 insertions(+) create mode 100644 .github/labeler.yml create mode 100644 .github/labels.yaml create mode 100644 .github/workflows/pull_request.automations.yaml create mode 100644 .github/workflows/push,schedule.sync-labels.yaml
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000..c14e6a7
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,59 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+# Define automatically the `kind` label based on the changed files and the head branch
+kind::dependencies:
+ - head-branch:
+ - ^renovate\/.+$
+
+kind:documentation:
+ - changed-files:
+ - any-glob-to-any-file: [README.md, LICENSE, docs/**]
+
+kind::kubevault:
+ - all:
+ - changed-files:
+ - any-glob-to-any-file: [Cargo.lock, Cargo.toml, src/**]
+ - head-branch:
+ - ^(?!renovate\/).+$
+
+kind::tests:
+ - all:
+ - changed-files:
+ - any-glob-to-any-file: [tests/**]
+ - head-branch:
+ - ^(?!renovate\/).+$
+
+kind::workflows:
+ - all:
+ - changed-files:
+ - any-glob-to-any-file: [.github/workflows/**]
+ - head-branch:
+ - ^(?!renovate\/).+$
+
+kind::others:
+ - changed-files:
+ - any-glob-to-any-file: "**"
+ - all-globs-to-all-files:
+ - "!.github/workflows/**"
+ - "!Cargo.lock"
+ - "!Cargo.toml"
+ - "!docs/**"
+ - "!LICENSE"
+ - "!README.md"
+ - "!src/**"
+ - "!tests/**"
+ - head-branch:
+ - ^(?!renovate\/).+$
diff --git a/.github/labels.yaml b/.github/labels.yaml
new file mode 100644
index 0000000..e04fea6
--- /dev/null
+++ b/.github/labels.yaml
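Review bot: In `.github/labeler.yml` the rule key `kind:documentation:` is written with a single colon, while every other rule and the matching entry in `.github/labels.yaml` use the `kind::` prefix; it should read `kind::documentation:`. As written the labeler would apply a label the manifest does not declare, and the scheduled sync with `prune: true` would presumably remove it again. Separately, `kind::others` is the only path-based rule not wrapped in `all:`, and it lists `any-glob-to-any-file: "**"` beside the negated globs; if the labeler treats un-wrapped entries as alternatives (confirm against the action's documentation), this rule matches every pull request, so `- all:` as in `kind::tests` and dropping the `"**"` entry looks like the intent.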
@@ -0,0 +1,77 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+- name: kind::dependencies
+ description: Dependencies upgrade
+ color: 2B098D
+- name: kind::documentation
+ description: Improvements or additions to documentation
+ color: 0075CA
+- name: kind::kubevault
+ description: Changes on how `kubevault` works (enhancements, bug fixes, etc.)
+ color: A2EEEF
+- name: kind::tests
+ description: Anything related to tests
+ color: 4D76A1
+- name: kind::workflows
+ description: Changes on workflows
+ color: 6A5ACD
+- name: kind::others
+ description: Anything else
+ color: DEDB26
+
+- name: size::XS
+ color: 008000
+- name: size::S
+ color: 008000
+- name: size::M
+ color: FFFF00
+- name: size::L
+ color: FF0000
+- name: size::XL
+ color: FF0000
+
+- name: bug
+ description: Something isn't working
+ color: D73A4A
+- name: duplicate
+ description: This doesn't seem right
+ color: CFD3D7
+- name: good first issue
+ description: Good for newcomers
+ color: 7057FF
+- name: help wanted
+ description: Extra attention is needed
+ color: 008672
+- name: invalid
+ description: This doesn't seem right
+ color: E4E669
+- name: question
+ description: Further information is requested
+ color: D876E3
+- name: wontfix
+ description: This will not be worked on
+ color: FFFFFF
+
+- name: 💖 sponsor
+ description: This issue comes from a sponsor
+ color: FFDBF0
+
+- name: stale
+ description: This issue has not had recent activity
+ color: 6A5ACD
+- name: no-stale
+ description: This issue cannot be marked as stale
+ color: 6A5ACD
diff --git a/.github/workflows/pull_request.automations.yaml b/.github/workflows/pull_request.automations.yaml
new file mode 100644
index 0000000..48bf2c7
--- /dev/null
+++ b/.github/workflows/pull_request.automations.yaml
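Review bot: In `.github/labels.yaml` the `duplicate` entry has the description `This doesn't seem right`, the same text as `invalid` a few entries below, which looks like a copy-paste slip; `description: This issue or pull request already exists` would describe it. The `color` values are unquoted, and all-digit ones such as `008000` and `008672` stay strings only if the consuming parser does not type them as numbers, so quoting them (`color: '008000'`) is the safer form. Because the sync workflow runs with `prune: true`, a short header comment saying that any label missing from this file is deleted from the repository would help the next editor.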
@@ -0,0 +1,49 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🤖 Issue/PR Automation
+on:
+ pull_request:
+ issues:
+ types: [opened]
+
+permissions: {}
+
+jobs:
+ labeler:
+ name: 🏷️ Labeler
+ if: github.event_name == 'pull_request'
+ permissions:
+ contents: read
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: 🏷️ Apply label on PR
+ uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+
+ sponsor:
+ name: 💖 Sponsor
+ if: github.event.action == 'opened'
+ permissions:
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: 💖 Add sponsor label
+ uses: JasonEtco/is-sponsor-label-action@70b4efb770e0ea4a7e9d4eff63bb5c89732a7819 # main
+ with:
+ labels: 💖 sponsor
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/push,schedule.sync-labels.yaml b/.github/workflows/push,schedule.sync-labels.yaml
new file mode 100644
index 0000000..917a712
--- /dev/null
+++ b/.github/workflows/push,schedule.sync-labels.yaml
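Review bot: In `pull_request.automations.yaml` the `sponsor` job also runs for the `issues: opened` trigger, but its `permissions:` block grants only `pull-requests: write`; under the workflow-level `permissions: {}` the token then has no issues scope, so labelling an issue will most likely be refused, and the job needs `issues: write` as well. Both jobs are driven by `pull_request`, for which GitHub issues a read-only token to pull requests from forks regardless of the `permissions:` block, so neither label will be applied to outside contributions; a comment such as `# fork PRs receive a read-only token: labels are only applied to same-repository branches` would record that limit. The pin on is-sponsor-label-action is annotated `# main`, a branch rather than a release, so the comment gives no version to compare against when the pin is next reviewed.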
@@ -0,0 +1,42 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🏷️ Sync Github labels
+
+on:
+ push:
+ branches: [master]
+ paths: [.github/labels.yaml, .github/workflows/sync-labels.yaml]
+ schedule:
+ - cron: 0 0 * * *
+
+permissions: {}
+
+jobs:
+ labeler:
+ name: 🏷️ Labeler
+ runs-on: ubuntu-latest
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ fetch-depth: 0
+ - name: 🏷️ Sync Github labels with the definition
+ uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ manifest: .github/labels.yaml
+ prune: true
From 2ccbefdf2205443f5428f89f527ec2e4c340b379 Mon Sep 17 00:00:00 2001 From: Alexandre Nicolaie Date: Sun, 4 Aug 2024 20:53:17 +0000 Subject: [PATCH 2/2] :wrench:(gh): Update & fix Trunk configuration I had some issues with trufflehog hanging forever, so I disable it. Also, I updated clippy/rustfmt to rust 1.80.0 which should work properly now.
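Review bot: In `push,schedule.sync-labels.yaml` the only job, `labeler`, declares no `permissions:` block, so it inherits the workflow-level `permissions: {}` and the `GITHUB_TOKEN` handed to action-label-syncer carries no scopes; the sync will probably be rejected until the job grants what it needs, likely `contents: read` and `issues: write` (confirm the scope against the action's README). The `paths` filter names `.github/workflows/sync-labels.yaml`, but the file this patch creates is `.github/workflows/push,schedule.sync-labels.yaml`, so edits to the workflow itself never trigger a run. The checkout step needs neither full history nor a stored token for this job: drop `fetch-depth: 0` and add `persist-credentials: false`. Quoting the schedule (`cron: '0 0 * * *'`) keeps the expression a string under any YAML loader.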
Signed-off-by: Alexandre Nicolaie --- .github/workflows/push.trunk_merge.yaml | 56 +++++++++++++++++++++++++ .trunk/configs/svgo.config.js | 14 +++++++ .trunk/trunk.yaml | 13 +++++- docs/assets/kubevault.svg | 2 +- 4 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/push.trunk_merge.yaml create mode 100644 .trunk/configs/svgo.config.js
diff --git a/.github/workflows/push.trunk_merge.yaml b/.github/workflows/push.trunk_merge.yaml
new file mode 100644
index 0000000..9cedc6c
--- /dev/null
+++ b/.github/workflows/push.trunk_merge.yaml
@@ -0,0 +1,56 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: ⛔ Trunk validation for Rust
+on:
+ push:
+ branches:
+ - trunk-merge/**
+
+permissions: {}
+
+jobs:
+ trunk:
+ name: ✅ Validate code quality
+ permissions:
+ contents: read
+ checks: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ # - name: ✏️ Overrides Trunk configuration for Github Action
+ # run: mv .trunk/gha.yaml .trunk/user.yaml
+ - name: ⚡️ Run `trunk check`
+ uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
+ ci_harden_security:
+ name: 🔒️ Github Action security hardening
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: 📄 Lint Github Actions
+ run: |
+ curl -O https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+ echo "::add-matcher::actionlint-matcher.json"
+ bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+ ./actionlint -color
+
+ - name: ✅ Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5
diff --git a/.trunk/configs/svgo.config.js b/.trunk/configs/svgo.config.js
new file mode 100644
index 0000000..b257d13
--- /dev/null
+++ b/.trunk/configs/svgo.config.js
@@ -0,0 +1,14 @@
+module.exports = {
+ plugins: [
+ {
+ name: "preset-default",
+ params: {
+ overrides: {
+ removeViewBox: false, // https://github.com/svg/svgo/issues/1128
+ sortAttrs: true,
+ removeOffCanvasPaths: true,
+ },
+ },
+ },
+ ],
+};
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 0b47091..3c5a5ed 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -14,21 +14,25 @@ runtimes: enabled: - node@18.12.1 - python@3.10.8 + # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) lint: disabled: - checkov + - trufflehog # hang unexpectedly and trivy is already enabled - vale enabled: + - actionlint@1.7.1 + - clippy@1.80.0 + - svgo@3.3.2 - git-diff-check - hadolint@2.12.0 - markdownlint@0.41.0 - osv-scanner@1.8.2 - prettier@3.3.3 - - rustfmt@1.65.0 + - rustfmt@1.80.0 - taplo@0.9.3 - trivy@0.54.1 - - trufflehog@3.80.5 - yamllint@1.35.1 ignore: - linters: [ALL]
@@ -40,3 +44,8 @@ actions: - trunk-check-pre-push - trunk-fmt-pre-commit - trunk-upgrade-available + +merge: + required_statuses: + - ✅ Validate code quality + - 🔒️ Github Action security hardening
diff --git a/docs/assets/kubevault.svg b/docs/assets/kubevault.svg
index 86dfacd..4eb2fca 100644
--- a/docs/assets/kubevault.svg
+++ b/docs/assets/kubevault.svg
@@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file
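Review bot: In `push.trunk_merge.yaml` the `📄 Lint Github Actions` step runs a script fetched at run time with `bash <(curl …)`: the URL is pinned to a commit, which fixes the script, but nothing in the step verifies the actionlint binary that script then downloads. Neither `curl` call uses `--fail`, and the `run:` block sets no `-e`/`pipefail`, so an HTTP error body would be handed to `bash` or saved as the matcher file. Using `curl -fsSL` in both commands, starting the block with `set -euo pipefail`, and checking the downloaded binary against a published checksum would close that gap. Both checkout steps keep the default credential persistence although the jobs only read the tree, so `with:` / `persist-credentials: false` is worth adding to each.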
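Review bot: In `.trunk/trunk.yaml` moving `trufflehog` to `lint.disabled` removes the only dedicated secret scanner from the enabled set, and the inline comment justifies this by trivy being enabled. Whether trivy's secret scanning is actually switched on in this Trunk setup is not visible in the hunk, and `trivy@0.54.1` may be running only vulnerability or misconfiguration checks, so that should be confirmed before relying on it. The comment would be more useful as `- trufflehog # disabled: hangs during trunk check (see <issue link>); secret scanning relies on trivy — TODO confirm it is enabled`, so the gap is tracked rather than forgotten. In the second hunk the `merge.required_statuses` entries repeat the job `name:` strings from `push.trunk_merge.yaml`, so renaming either job silently breaks the merge gate; a comment on both sides naming the coupling would help.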