chore: Updating repo config (#8)

Signed-off-by: Schubert Anselme <[email protected]>

.devcontainer/devcontainer.json

@@ -1,16 +1,15 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-  "name": "Dev Container",
+  "name": "DevOS",
   // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
   // "image": "mcr.microsoft.com/devcontainers/base:dev-ubuntu",
   // "build": {"dockerfile": "${localWorkspaceFolder}/build/package/Dockerfile"},
   "dockerComposeFile": [
     "${localWorkspaceFolder}/compose-dev.yaml"
   ],
-  "service": "devcontainer",
+  "service": "devos",
   "workspaceFolder": "/workspace",
   // Use 'postCreateCommand' to run commands after the container is created.
   "postCreateCommand": "${containerWorkspaceFolder}/scripts/setup-devcontainer.sh"
-  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
 }

.github/ISSUE_TEMPLATE/security.md

@@ -9,13 +9,15 @@ assignees: ""
 # Vulnerability Report
 
 I identified potential security vulnerabilities in [product].
-I am committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues.
+I am committed to working with you to help resolve these issues. In this report you will find everything you need to
+effectively coordinate a resolution of these issues.
 If at any point you have concerns or questions about this process, please do not hesitate to reach out to me at [email].
 If you are _NOT_ the correct point of contact for this report, please let me know!
 
 ## Summary
 
-_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._
+_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization
+vulnerability allows any unauthenticated user to execute arbitrary code on the server._
 
 ## Product
 
@@ -39,15 +41,23 @@ _Complete instructions, including specific configuration details, to reproduce t
 
 ## Remediation
 
-_Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue._
+_Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might
+have a better idea to fix the issue._
 
 ## GitHub Security Advisories
 
-If possible, please could you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings? This allows you to invite me to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).
+If possible, please could you create a
+private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory)
+for these findings? This allows you to invite me to collaborate and further discuss these findings in private before
+they
+are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).
 
 I will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered.
 
-When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours, and the CVE details will be published after you make your security advisory public. Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can update to the fixed version.
+When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews
+the request within 72 hours, and the CVE details will be published after you make your security advisory public.
+Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can
+update to the fixed version.
 
 ## Credit
 
@@ -60,11 +70,18 @@ _If you found the vulnerability with a specific tool, you can also credit this t
 
 ## Disclosure Policy
 
-The research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure.
-When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.
+The research team is dedicated to working closely with the open source community and with projects that are affected by
+a vulnerability, in order to protect users and ensure a coordinated disclosure.
+When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for
+the project if one exists; otherwise we will attempt to contact the project maintainers directly.
 
-If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.
+If the project team responds and agrees the issue poses a security risk, we will work with the project security team or
+maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility
+for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing
+detailed information about the vulnerability.
 
 Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team.
 
-We **appreciate the hard work** maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted.
+We **appreciate the hard work** maintainers put into fixing vulnerabilities and understand that sometimes more time is
+required to properly address an issue. We want project maintainers to succeed and because of that we are always open to
+discuss our disclosure policy to fit your specific requirements, when warranted.

.github/actions/trivy/action.yml

@@ -0,0 +1,39 @@
+name: Workflow Gate
+description: Gate workflow based on Trivy scan results
+
+inputs:
+  generate-sbom:
+    default: "false"
+    description: Generate SBOM and submit results to Dependency Graph
+  upload-scan-result:
+    default: "false"
+    description: Upload scan results to GitHub Security tab
+
+runs:
+  using: composite
+  steps:
+    - name: Run Trivy vulnerability scanner in repo mode
+      uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+      with:
+        exit-code: 1
+        format: sarif
+        hide-progress: false
+        ignore-unfixed: true
+        output: trivy-results.sarif
+        scan-type: fs
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
+      if: ${{ inputs.upload-scan-result == 'true' }}
+      with:
+        sarif_file: trivy-results.sarif
+
+    - name: Run Trivy SBOM and submit results to Dependency Graph
+      uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+      if: ${{ inputs.generate-sbom == 'true' }}
+      with:
+        format: github
+        github-pat: ${{ github.token }}
+        image-ref: .
+        output: dependency-results.sbom.json
+        scan-type: fs

.github/dependabot.yml

@@ -2,6 +2,14 @@ version: 2
 updates:
   # Maintain dependencies for GitHub Actions
   - package-ecosystem: github-actions
-    directory: /
+    directories:
+      - /.github/actions
+      - /.github/workflows
     schedule:
       interval: daily
+  # Maintain dependencies for Devcontainers
+  - package-ecosystem: devcontainers
+    directories:
+      - /.devcontainer
+    schedule:
+      interval: monthly

.github/labeler.yml

@@ -1,24 +1,61 @@
 # Add 'repo' label to any root file changes
 repo:
-  - "*"
+  - changed-files:
+      - any-glob-to-any-file: "*"
+
+# Add 'github-actions' label to any changes in the '.github' directory
+github-actions:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .github/actions/*
+          - .github/actions/*/**
+          - .github/auto_assign.yml
+          - .github/auto_assign.yml/**
+          - .github/dependabot.yml
+          - .github/dependabot.yml/**
+          - .github/workflows/*
+          - .github/workflows/*/**
 
 # Add 'devcontainer' label to any changes in the '.devcontainer' directory
-# Add 'devcontainer' label to any changes in the '.docker' directory
+# Add 'devcontainer' label to any changes in the 'docker-compose.yml' file
 devcontainer:
-  - .devcontainer/*
-  - .devcontainer/*/**
-  - .devcontainer/devcontainer.json
-  - .devcontainer/devcontainer.json/**
-  - .docker/*
-  - .docker/*/**
-  - .docker/Dockerfile
-  - .docker/Dockerfile/**
-  - .docker/docker-compose.yml
-  - .docker/docker-compose.yml/**
+  - changed-files:
+      - any-glob-to-any-file:
+          - .devcontainer/*
+          - .devcontainer/*/**
+          - .devcontainer/devcontainer.json
+          - .devcontainer/devcontainer.json/**
+          - docker-compose.yml
+          - docker-compose.yml/**
 
-# Add 'github-actions' label to any changes in the '.github' directory
-github-actions:
-  - .github/workflows/*
-  - .github/workflows/*/**
-  - .github/dependabot.yml
-  - .github/dependabot.yml/**
+# Add 'config' label to any changes in the 'config' directory
+config:
+  - changed-files:
+      - any-glob-to-any-file:
+          - config/*
+          - config/**
+
+# Add 'scripting' label to any changes in the 'scripts' directory
+scripting:
+  - changed-files:
+      - any-glob-to-any-file:
+          - scripts/*
+          - scripts/*/**
+
+# Add 'tooling' label to any changes in the 'build' directory
+tooling:
+  - changed-files:
+      - any-glob-to-any-file:
+          - tools/*
+          - tools/**
+
+# Add 'container' label to Dockerfile
+container:
+  - changed-files:
+      - any-glob-to-any-file:
+          - build/**/Dockerfile
+          - build/img/**/Dockerfile
+
+# Add 'release' label to any PR opened against the 'main' branch
+release:
+  - base-branch: main

.github/workflows/cicd.yml

@@ -11,20 +11,22 @@ permissions: read-all
 
 jobs:
   bot:
-    uses: labsonline/cicd/.github/workflows/bot.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
+    uses: ./.github/workflows/ondemand/bot.yml
     permissions:
       issues: write
       pull-requests: write
       repository-projects: write
-  # Uncomment if you want to use the codeql workflow
-  # ast:
-  #   uses: labsonline/cicd/.github/workflows/ast.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
-  #   with:
-  #     codeql-language: python
-  gate:
-    uses: labsonline/cicd/.github/workflows/gate.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
+
+  sonarqube:
+    uses: ./.github/workflows/gate/sonarqube.yml
+  trivy:
+    uses: ./.github/workflows/gate/trivy.yml
+  devos:
+    uses: ./.github/workflows/gate/devos.yml
+
   scorecard:
-    uses: labsonline/cicd/.github/workflows/scorecard.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
+    uses: ./.github/workflows/ondemand/scorecard.yml
     permissions:
+      contents: write
       id-token: write
       security-events: write

.github/workflows/gate/devos.yml

@@ -0,0 +1,14 @@
+name: DevOS
+
+on:
+  - workflow_call
+
+permissions: read-all
+
+jobs:
+  airskiff:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - run: hack/run

.github/workflows/gate/sonarqube.yml

@@ -0,0 +1,28 @@
+name: SonarQube
+
+on:
+  workflow_call:
+    inputs:
+      sonarqube:
+        type: boolean
+        default: false
+        description: Run SonarQube Quality Gate
+
+permissions: read-all
+
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    if: ${{ inputs.sonarqube }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: SonarQube Quality Gate
+        uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
+        timeout-minutes: 5
+        env:
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/gate/trivy.yml

@@ -0,0 +1,21 @@
+name: Trivy
+
+on:
+  - workflow_call
+
+permissions: read-all
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Trivy Scan
+        uses: ./.github/actions/trivy
+        # with:
+        #   generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        #   upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}

.github/workflows/ondemand/bot.yml

@@ -0,0 +1,46 @@
+name: Bot
+
+on:
+  - workflow_call
+
+permissions:
+  issues: write
+  pull-requests: write
+  repository-projects: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 https://github.com/dependabot/fetch-metadata/commit/dbb049abf0d677abbd7f7eee0375145b417fdd34
+        with:
+          alert-lookup: true
+          compat-lookup: true
+
+      - name: Approve a PR
+        shell: bash
+        run: |
+          gh pr checkout "$PR_URL"
+
+          if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];then
+            gh pr review --approve "$PR_URL"
+          else
+            echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
+        shell: bash
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+  # todo: raise issue on failure for cron job
+  # todo: update issue on job run failure