swirldslabs · nathanklick · Sep 11, 2024 · Sep 9, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -0,0 +1,43 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+*                                               @swirldslabs/release-engineering-managers @swirldslabs/product-security
+
+############################
+#####  Project Files  ######
+############################
+
+/apache-httpd-oidc/                             @swirldslabs/release-engineering-managers @swirldslabs/product-security
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @swirldslabs/release-engineering-managers
+/.github/workflows/                             @swirldslabs/release-engineering-managers @swirldslabs/product-security @swirldslabs/devops-ci
+
+
+# Codacy Tool Configurations
+/config/                                        @swirldslabs/release-engineering-managers
+.remarkrc                                       @swirldslabs/release-engineering-managers
+
+# Semantic Release Configuration
+.releaserc                                      @swirldslabs/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                     @swirldslabs/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @swirldslabs/release-engineering-managers
+**/LICENSE                                      @swirldslabs/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @swirldslabs/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @swirldslabs/release-engineering-managers
+**/.gitignore.*                                 @swirldslabs/release-engineering-managers
@@ -0,0 +1,39 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Checks"
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  httpd-oidc-images:
+    name: HTTPD OpenIDC Images
+    uses: ./.github/workflows/zxc-build-httpd-oidc-images.yaml
+    with:
+      tag-version: v0.0.0-${{ github.sha }}
+      dry-run-enabled: true
@@ -0,0 +1,51 @@
+##
+# Copyright (C) 2023 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Formatting"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  statuses: write
+
+concurrency:
+  group: pr-formatting-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  title-check:
+    name: Title Check
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Check PR Title
+        uses: step-security/conventional-pr-title-action@19fb561b33015fd2184055a05ce5a3bcf2ba3f54 # v3.2.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,136 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "Release HTTPD OIDC Images"
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release Version (semver):"
+        type: string
+        required: true
+
+      ## Linux Architectures for Multi-Arch Builds
+      platforms:
+        description: "Platforms:"
+        type: string
+        required: false
+        default: "linux/amd64,linux/arm64"
+
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
+jobs:
+  safety-checks:
+    name: Safety Checks
+    runs-on: swirldslabs-infrastructure-linux-medium
+    outputs:
+      version: ${{ steps.tag.outputs.version }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install GH CLI
+        uses: sersoft-gmbh/setup-gh-cli-action@2d02c06e284b7d55e954d6d6406e7a886f45a818 # v2.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authorize GH CLI
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
+
+      - name: Tag Version Information
+        id: tag
+        run: |
+          RELEASE="$(semver get release "${{ github.event.inputs.version }}")"
+          PREREL="$(semver get prerel "${{ github.event.inputs.version }}")"
+          BUILD="$(semver get build "${{ github.event.inputs.version }}")"
+
+          VERSION="${RELEASE}"
+          [[ -n "${PREREL}" ]] && VERSION="${VERSION}-${PREREL}"
+          [[ -n "${BUILD}" ]] && VERSION="${VERSION}+${BUILD}"
+
+          echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"
+
+      - name: Check for Existing Releases
+        run: |
+          if gh release view httpd-oidc-v${{ steps.tag.outputs.version }} --json id >/dev/null 2>&1; then
+            echo "::error title=Release Version::Release httpd-oidc-v${{ steps.tag.outputs.version }} already exists and may not be redeployed."
+            exit 1
+          fi
+
+  httpd-oidc-images:
+    name: HTTPD OpenIDC Images
+    uses: ./.github/workflows/zxc-build-httpd-oidc-images.yaml
+    needs:
+      - safety-checks
+    with:
+      custom-job-label: "Release"
+      tag-version: ${{ needs.safety-checks.outputs.version }}
+      platforms: ${{ github.event.inputs.platforms || 'linux/amd64,linux/arm64' }}
+      dry-run-enabled: ${{ github.event.inputs.dry-run-enabled == 'true' || github.ref_name != 'main' }}
+
+  finalize-release:
+    name: Finalize Release
+    runs-on: swirldslabs-infrastructure-linux-medium
+    needs:
+      - safety-checks
+    if: ${{ github.event.inputs.dry-run-enabled != 'true' && github.ref_name == 'main' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+          fetch-depth: 0
+
+      - name: Import GPG key
+        id: gpg_key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
+          passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
+          git_config_global: true
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_tag_gpgsign: true
+
+      - name: Create Release
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+          tag: httpd-oidc-v${{ needs.safety-checks.outputs.version }}
+          generateReleaseNotes: 'true'