Merge branch 'main' into add-container-image

* main:
  chore: Update repo config (#9)
  chore: Updating repo config (#8)
  devcontainer: Updating devcontainer config (#7)
  chore: Moving to anselmes/devos (#6)

.devcontainer/devcontainer.json

@@ -1,17 +1,8 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
   "name": "DevOS",
-  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-  // "image": "mcr.microsoft.com/devcontainers/base:dev-ubuntu",
-  // "build": {"dockerfile": "${localWorkspaceFolder}/build/package/Dockerfile"},
-  "dockerComposeFile": [
-    "${localWorkspaceFolder}/compose-dev.yaml"
-  ],
+  "dockerComposeFile": ["${localWorkspaceFolder}/compose-dev.yaml"],
   "service": "devos",
-  "workspaceFolder": "/workspace",
-  // Use 'postCreateCommand' to run commands after the container is created.
+  "workspaceFolder": "/home/devos/workspace",
   "postCreateCommand": "${containerWorkspaceFolder}/scripts/config-devos.sh",
-  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
   "remoteUser": "devos"
 }

.github/dependabot.yml

@@ -13,3 +13,9 @@ updates:
       - /.devcontainer
     schedule:
       interval: monthly
+  # Maintain dependencies for Container Images
+  - package-ecosystem: docker
+    directories:
+      - /build/img
+    schedule:
+      interval: weekly

.github/workflows/ondemand/bot.yml → .github/workflows/bot.yml

@@ -1,4 +1,4 @@
-name: Bot
+name: Bot Workflow
 
 on:
   - workflow_call

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Build
+name: Build Pipeline
 
 on:
   push:
@@ -25,8 +25,9 @@ jobs:
         uses: ./.github/actions/build
         with:
           build-container-image: true
-          container-image-file: build/img/devos/Dockerfile
+          container-image-file: build/img/Dockerfile
           container-image-name: devos
+          container-image-platforms: linux/amd64,linux/arm64,linux/riscv64
           container-image-repo-password: ${{ secrets.GHCR_TOKEN }}
           container-image-repo-username: ${{ github.repository_owner }}
           push-container-image: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}

.github/workflows/cicd.yml

@@ -11,21 +11,21 @@ permissions: read-all
 
 jobs:
   bot:
-    uses: ./.github/workflows/ondemand/bot.yml
+    uses: ./.github/workflows/bot.yml
     permissions:
       issues: write
       pull-requests: write
       repository-projects: write
 
   sonarqube:
-    uses: ./.github/workflows/gate/sonarqube.yml
+    uses: ./.github/workflows/sonarqube.yml
   trivy:
-    uses: ./.github/workflows/gate/trivy.yml
-  devos:
-    uses: ./.github/workflows/gate/devos.yml
+    uses: ./.github/workflows/trivy.yml
+  # devos:
+  #   uses: ./.github/workflows/devos.yml
 
   scorecard:
-    uses: ./.github/workflows/ondemand/scorecard.yml
+    uses: ./.github/workflows/scorecard.yml
     permissions:
       contents: write
       id-token: write

.github/workflows/ondemand/cleanup.yml → .github/workflows/cleanup.yml

@@ -1,4 +1,4 @@
-name: Cleanup
+name: Cleanup OnDemand
 
 on:
   pull_request:

.github/workflows/gate/devos.yml → .github/workflows/devos.yml

@@ -1,14 +1,16 @@
-name: DevOS
+name: DevOS Gate
 
 on:
   - workflow_call
 
 permissions: read-all
 
 jobs:
-  airskiff:
+  devos:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - run: hack/run
+      # - run: |
+      #     cd hack
+      #     ./run

.github/workflows/review.yml

@@ -36,10 +36,10 @@ jobs:
           VALIDATE_DOCKERFILE_HADOLINT: false # fixme: superlinter not using .hadolint.yaml
           VALIDATE_KUBERNETES_KUBECONFORM: false # fixme: enable kubeconform
           VALIDATE_YAML_PRETTIER: false # fixme: ignore symlink
-      - name: Trunk Check
-        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2
-        with:
-          post-annotations: true
+      # - name: Trunk Check
+      #   uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2
+      #   with:
+      #     post-annotations: true
 
   scanning:
     runs-on: ubuntu-latest
@@ -49,14 +49,14 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: GitGuardian Scan
-        uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
-          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+      # - name: GitGuardian Scan
+      #   uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
+      #   env:
+      #     GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      #     GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+      #     GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+      #     GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
+      #     GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
       # - name: SonarQube Scan
       #   uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
       #   env:
@@ -83,11 +83,11 @@ jobs:
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 https://github.com/actions/dependency-review-action/commit/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c
         with:
           allow-ghsas: none
-          allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT
-          deny-packages: empty
+          allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT,LGPL-3.0
+          # deny-packages: empty
           fail-on-severity: low
-          retry-on-snapshot-warnings-timeout: 120
-          retry-on-snapshot-warnings: true
+          # retry-on-snapshot-warnings-timeout: 120
+          # retry-on-snapshot-warnings: true
 
   assign:
     runs-on: ubuntu-latest

.github/workflows/gate/trivy.yml → .github/workflows/trivy.yml

@@ -16,6 +16,6 @@ jobs:
           persist-credentials: false
       - name: Trivy Scan
         uses: ./.github/actions/trivy
-        # with:
-        #   generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
-        #   upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        with:
+          generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+          upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}

.trunk/.gitignore

@@ -6,3 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
+tmp

.trunk/configs/.shellcheckrc

@@ -9,7 +9,5 @@ disable=SC2181
 disable=SC2312
 
 # If you're having issues with shellcheck following source, disable the errors via:
-
 # disable=SC1090
-
 # disable=SC1091

.trunk/trunk.yaml

@@ -19,18 +19,18 @@ runtimes:
 lint:
   enabled:
     - [email protected]
-    - [email protected].0
+    - [email protected].1
     - [email protected]
-    - trivy@0.55.2
+    - trivy@0.56.1
     - [email protected]
-    - [email protected].256
+    - [email protected].257
     - git-diff-check
     - [email protected]
     - [email protected]
     - [email protected]
     - [email protected]
     - [email protected]
-    - [email protected].6
+    - [email protected].7
     - [email protected]
 actions:
   disabled:

CONTRIBUTING.md

@@ -2,4 +2,4 @@
 
 ## To Contribute
 
-Open a PR https://github.com/labsonline/devcontainer/compare.
+Open a PR https://github.com/anselmes/devos/compare.

README.md

@@ -1,20 +1,17 @@
-# Readme
+# devOS
 
 ---
 
 [![OpenSSF Scorecard][ossf-score-badge]][ossf-score-link]
 [![Contiuos Integration][ci-badge]][ci-link]
 [![Review][review-badge]][review-link]
-[![Releases][releases-badge]][releases-link]
-
-[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/labsonline/devcontainer/badge
-[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/labsonline/devcontainer
-[ci-badge]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml/badge.svg
-[ci-link]: https://github.com/labsonline/devcontainer/actions/workflows/cicd.yml
-[review-badge]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml/badge.svg
-[review-link]: https://github.com/labsonline/devcontainer/actions/workflows/review.yml
-[releases-badge]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml/badge.svg
-[releases-link]: https://github.com/labsonline/devcontainer/actions/workflows/release.yml
+
+[ossf-score-badge]: https://api.securityscorecards.dev/projects/github.com/anselmes/devos/badge
+[ossf-score-link]: https://securityscorecards.dev/viewer/?uri=github.com/anselmes/devos
+[ci-badge]: https://github.com/anselmes/devos/actions/workflows/cicd.yml/badge.svg
+[ci-link]: https://github.com/anselmes/devos/actions/workflows/cicd.yml
+[review-badge]: https://github.com/anselmes/devos/actions/workflows/review.yml/badge.svg
+[review-link]: https://github.com/anselmes/devos/actions/workflows/review.yml
 
 ---
 

SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-[Open an Issue](https://github.com/labsonline/devcontainer/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability.
+[Open an Issue](https://github.com/anselmes/devos/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability.

build/img/Dockerfile

@@ -0,0 +1,37 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV X11VNC_SKIP_DISPLAY==""
+
+COPY config/systemd/journal-to-tty.service /lib/systemd/system/journal-to-tty.service
+RUN apt-get update -y && \
+  apt-get install --no-install-recommends -y \
+  ca-certificates \
+  cron \
+  curl \
+  dbus \
+  file \
+  iproute2 \
+  libvirt-daemon \
+  libvirt-daemon-system \
+  openssl \
+  software-properties-common \
+  ssh \
+  systemd && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
+
+# todo: checksum downloaded binaries
+# COPY scripts/init-devos.sh /tmp/init-devos.sh
+# COPY scripts/install-docker.sh /tmp/install-docker.sh
+# RUN chmod +x \
+#   /tmp/init-devos.sh \
+#   /tmp/install-docker.sh && \
+#   /tmp/init-devos.sh && \
+#   echo "devos ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/devos && \
+#   systemctl enable journal-to-tty.service && \
+#   useradd -m devos
+
+CMD ["/sbin/init"]
+USER devos
+HEALTHCHECK NONE

compose-dev.yaml

@@ -1,18 +1,28 @@
 ---
 services:
   devos:
-    image: ubuntu:22.04
+    image: ghcr.io/anselmes/devos:main
     # platform: linux/amd64
     # entrypoint: /sbin/init
-    # privileged: true
+    # network_mode: host
+    privileged: true
     stdin_open: true
     tty: true
-    working_dir: /root/workspace
-    env_file:
-      - .env
+    user: root # note: required for /sbin/init
+    working_dir: /home/devos/workspace
+    # env_file:
+    #   - .env
     volumes:
-      - .:/root/workspace
-      - ~/.gitconfig:/root/.gitconfig:ro
-      - ~/.gnupg:/root/.gnupg # fixme: investigate mounting as read-only
-      - ~/.ssh:/root/.ssh:ro
-      - ~/.zshrc:/root/.zshrc:ro
+      - .:/home/devos/workspace
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/libvirt:/var/lib/libvirt
+      - ~/.gitconfig:/home/devos/.gitconfig:ro
+      - ~/.gnupg:/home/devos/.gnupg:ro
+      - ~/.ssh:/home/devos/.ssh:ro
+      - ~/.zshrc:/home/devos/.zshrc:ro
+    ports:
+      - 10022:22
+      - 10080:80
+      - 10443:443
+      - 15900:5900
+      - 16443:6443

config/systemd/journal-to-tty.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Journald console log streamer
+Requires=systemd-journald.service
+After=systemd-journald.service
+
+[Service]
+Restart=always
+RestartSec=0
+ExecStart=/bin/journalctl -f
+StandardOutput=tty
+
+[Install]
+WantedBy=basic.target