ci: use reusable miracum workflows for ci (#123)

* ci: use reusable miracum workflows for ci

* chore(renovate): use default config and ignore deps with likely breaking changes

* ci: fix workflow and lint

.github/workflows/ci.yaml

@@ -17,95 +17,57 @@ permissions: read-all
 
 env:
   DIZBOX_NAMESPACE_NAME: bzkf-dizbox
-  DECOMPOSE_XML_IMAGE_NAME: ghcr.io/${{ github.repository }}/decompose-xmls
-  OBDS_FHIR_TO_OPAL_IMAGE_NAME: ghcr.io/${{ github.repository }}/obds-fhir-to-opal
 
 jobs:
   build-decompose-xml-image:
     name: build decompose-xmls container image
-    runs-on: ubuntu-22.04
+    uses: miracum/.github/.github/workflows/standard-build.yaml@af38234ff7a38994a6e414ba2f13a1576eed54c0 # v1.4.1
     permissions:
+      contents: read
+      id-token: write
       packages: write
-    outputs:
-      image-tags: ${{ steps.container_meta.outputs.tags }}
-      image-digest: ${{ steps.build.outputs.digest }}
-      image-name: ${{ env.DECOMPOSE_XML_IMAGE_NAME }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
-
-      - name: Container meta
-        id: container_meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
-        with:
-          images: |
-            ${{ env.DECOMPOSE_XML_IMAGE_NAME }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
-        with:
-          context: src/decompose_xmls
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.container_meta.outputs.tags }}
-          labels: ${{ steps.container_meta.outputs.labels }}
-          load: ${{ github.event_name == 'pull_request' }}
+      pull-requests: write
+      actions: read
+      security-events: write
+    with:
+      image: ghcr.io/${{ github.repository }}/decompose-xmls
+      build-context: src/decompose_xmls
+      enable-build-test-layer: false
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
 
   build-obds-fhir-to-opal-image:
     name: build obds-fhir-to-opal container image
-    runs-on: ubuntu-22.04
+    uses: miracum/.github/.github/workflows/standard-build.yaml@af38234ff7a38994a6e414ba2f13a1576eed54c0 # v1.4.1
     permissions:
+      contents: read
+      id-token: write
       packages: write
-    outputs:
-      image-tags: ${{ steps.container_meta.outputs.tags }}
-      image-digest: ${{ steps.build.outputs.digest }}
-      image-name: ${{ env.OBDS_FHIR_TO_OPAL_IMAGE_NAME }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
-
-      - name: Container meta
-        id: container_meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
-        with:
-          images: |
-            ${{ env.OBDS_FHIR_TO_OPAL_IMAGE_NAME }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
-        with:
-          context: src/obds_fhir_to_opal
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.container_meta.outputs.tags }}
-          labels: ${{ steps.container_meta.outputs.labels }}
-          load: ${{ github.event_name == 'pull_request' }}
+      pull-requests: write
+      actions: read
+      security-events: write
+    with:
+      image: ghcr.io/${{ github.repository }}/obds-fhir-to-opal
+      build-context: src/obds_fhir_to_opal
+      enable-build-test-layer: false
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+
+  lint:
+    uses: miracum/.github/.github/workflows/standard-lint.yaml@af38234ff7a38994a6e414ba2f13a1576eed54c0 # v1.4.1
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      security-events: write
+      actions: read
+    with:
+      enable-validate-gradle-wrapper: false
+      codeql-languages: '["python"]'
+      enable-codeql: false
+      enable-verify-base-image-signature: false
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
 
   test:
     runs-on: ubuntu-22.04

.github/workflows/lint-pr-title.yaml

@@ -0,0 +1,21 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions: read-all
+
+jobs:
+  check-pr-title:
+    name: Validate PR title
+    runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/schedule.yaml

@@ -0,0 +1,19 @@
+name: scheduled
+
+on:
+  repository_dispatch: {}
+  workflow_dispatch: {}
+  schedule:
+    - cron: "00 18 * * *"
+
+permissions: read-all
+
+jobs:
+  schedule:
+    uses: miracum/.github/.github/workflows/standard-schedule.yaml@af38234ff7a38994a6e414ba2f13a1576eed54c0 # v1.4.1
+    permissions:
+      contents: read
+      issues: write
+      security-events: write
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecard.yaml

@@ -4,6 +4,7 @@
 
 name: Scorecards supply-chain security
 on:
+  workflow_dispatch:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
@@ -32,12 +33,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -67,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
+        uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
         with:
           sarif_file: results.sarif

.prettierignore

@@ -0,0 +1 @@
+charts/**/templates

.renovaterc.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>miracum/.github//renovate/default"],
+  "ignoreDeps": [
+    "docker.io/bitnami/spark",
+    "docker.io/library/python",
+    "pathling",
+    "pyspark"
+  ]
+}