diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..883f884
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,5 @@
+# The releng team is by default the owner of everything.
+* @{{ org }}/eclipsefdn-releng
+
+# Otterdog related configurations are also owned by the security team.
+/otterdog/** @{{ org }}/eclipsefdn-security @{{ org }}/eclipsefdn-releng
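Review bot: Only `/otterdog/**` gets the security team as a second owner, while `.github/workflows/**` — which in this same commit introduces a `pull_request_target` workflow with `pull-requests: write` (validate.yml) and a workflow with `id-token: write` (build-page.yml) — falls under the default releng-only rule on the line above. Since changes to those workflow files alter what runs with elevated tokens, consider mirroring the otterdog rule: `/.github/workflows/** @{{ org }}/eclipsefdn-security @{{ org }}/eclipsefdn-releng`. Whether the template's `{{ org }}` substitution applies to added lines is inferred from the existing entries, not shown here.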
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..9be4262
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+ directory: "/"
+ # We scan and create dependabot PRs against the develop branch only.
+ # Such a branch only exists for the template master at EclipseFdn/.eclipsefdn-template
+ # dependabot shall only update the template master, and changes will be synchronized to
+ # all repos by otterdog using the sync-template operation to avoid having many similar
+ # dependabot PRs for each individual .eclipsefdn repo which we would like to avoid at all costs.
+ target-branch: "develop"
+ schedule:
+ interval: daily
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/build-page.yml b/.github/workflows/build-page.yml
new file mode 100644
index 0000000..7c733cc
--- /dev/null
+++ b/.github/workflows/build-page.yml
@@ -0,0 +1,122 @@
+name: Build GH Page
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ paths:
+ - 'otterdog/*.jsonnet'
+ - 'otterdog/*.json'
+ - 'docs/**'
+ - 'mkdocs.yml'
+ - '.github/workflows/build-page.yml'
+
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+jobs:
+ generate-markdown:
+ # do not run the workflow in the template repo itself
+ if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout OtterDog
+ run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
+
+ - name: Checkout EclipseFdn/otterdog-configs
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ with:
+ repository: EclipseFdn/otterdog-configs
+ path: otterdog-configs
+
+ # checkout the HEAD ref
+ - name: Checkout HEAD
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ with:
+ path: ${{ github.repository_owner }}
+
+ - name: Install jsonnet-bundler
+ run: |
+ go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
+ echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+ - name: Install poetry
+ run: pipx install poetry
+
+ - name: Setup Python
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+ with:
+ python-version: '3.10'
+ cache: 'poetry'
+
+ - name: Install dependencies with poetry
+ run: |
+ poetry install --only=main
+ working-directory: otterdog
+
+ - name: Copy configuration from HEAD ref
+ run: |
+ mkdir -p orgs/${{ github.repository_owner }}
+ cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+ working-directory: otterdog-configs
+
+ - name: Generate current configuration as markdown
+ run: ../otterdog/otterdog.sh show ${{ github.repository_owner }} -c otterdog.json --markdown --output-dir generated-site
+ working-directory: otterdog-configs
+
+ - name: Generate default configuration as markdown
+ run: ../otterdog/otterdog.sh show-default ${{ github.repository_owner }} -c otterdog.json --markdown > default.txt
+ working-directory: otterdog-configs
+
+ - name: Upload generated site content
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+ with:
+ name: generated-site
+ path: |
+ otterdog-configs/default.txt
+ otterdog-configs/orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet
+ otterdog-configs/generated-site/
+
+ build-page:
+ runs-on: ubuntu-latest
+ needs: generate-markdown
+ steps:
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3
+ - name: Download generated site content
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+ with:
+ name: generated-site
+ - shell: bash
+ run: |
+ cat default.txt >> ./docs/playground.md
+ cp generated-site/*.md ./docs/
+ cp orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet ./docs/jsonnet/
+ - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
+ with:
+ python-version: 3.x
+ cache: 'pip'
+ - run: pip install -r requirements.txt
+ - name: Build with Mkdocs
+ run: mkdocs build
+ - name: Setup Pages
+ uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v1
+
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build-page
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # pin@v2
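Review bot: The "Checkout OtterDog" step clones `otterdog.git` unpinned (no tag or commit) and the cloned `otterdog.sh` is then executed in the "Generate ... as markdown" steps, while every GitHub action in the same file is pinned to a full SHA; whatever is on that remote's default branch at run time ends up executing in a job that, via the workflow-level `permissions:` block, also holds `pages: write` and `id-token: write`. Pin the clone to a reviewed revision, e.g. `run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git && git -C otterdog checkout <PINNED_OTTERDOG_COMMIT>` (placeholder), and move `pages: write` and `id-token: write` from the top-level `permissions:` into a job-level `permissions:` on `deploy` (and `build-page` if upload-pages-artifact needs it), leaving the generating job with `contents: read` only. The same unpinned clone is repeated in validate.yml's "Checkout OtterDog" step in this commit. Separately, the `actions/checkout` pin in `build-page` carries the comment `# v3` although the identical SHA is labelled `# v4.0.0` earlier in the file; the comment should read `# v4.0.0` so dependabot's pin-comment updates stay consistent.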
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 0000000..2a1cccc
--- /dev/null
+++ b/.github/workflows/validate.yml
@@ -0,0 +1,103 @@
+name: Validate Otterdog Configuration
+
+on:
+ workflow_dispatch:
+ pull_request_target:
+ branches: [ main ]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ validate:
+ # do not run the workflow in the template repo itself
+ if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout OtterDog
+ run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
+
+ - name: Checkout EclipseFdn/otterdog-configs
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ with:
+ repository: EclipseFdn/otterdog-configs
+ path: otterdog-configs
+
+ # checkout the head ref of the PR
+ # NOTE: in general it is bad practice to check out the pull request HEAD for PRs originating from forked repos,
+ # however, this validation workflow produces a diff between the changes in the PR with the base ref, thus
+ # doing this is acceptable, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ - name: Checkout HEAD ref of the PR
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ path: ${{ github.repository_owner }}
+
+ # checkout the base ref of the PR
+ - name: Checkout BASE ref of the PR (target branch)
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+ with:
+ ref: ${{ github.base_ref }}
+ path: ${{ github.repository_owner }}-base
+
+ - name: Install jsonnet-bundler
+ run: |
+ go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
+ echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+ - name: Install poetry
+ run: pipx install poetry
+
+ - name: Setup Python
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+ with:
+ python-version: '3.10'
+ cache: 'poetry'
+
+ - name: Install dependencies with poetry
+ run: |
+ poetry install --only=main
+ working-directory: otterdog
+
+ - name: Copy configuration from HEAD and BASE ref
+ run: |
+ mkdir -p orgs/${{ github.repository_owner }}
+ cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+ cp ../${{ github.repository_owner }}-base/otterdog/${{ github.repository_owner }}.jsonnet orgs/${{ github.repository_owner }}/${{ github.repository_owner }}.jsonnet-BASE
+ working-directory: otterdog-configs
+
+ - name: Validate Otterdog Configuration and diff HEAD <-> BASE
+ run: |
+ # use script to enable ansi color output
+ script -q /dev/null --command "../otterdog/otterdog.sh local-plan ${{ github.repository_owner }} -c otterdog.json --suffix=-BASE" | tee "$GITHUB_WORKSPACE/diff-ansi.txt"
+ # filter out ansi escape sequences again, use sed as ansi2txt is not available
+ cat "$GITHUB_WORKSPACE/diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/diff.txt"
+ working-directory: otterdog-configs
+
+ - name: Generate canonical diff
+ run: ../otterdog/otterdog.sh canonical-diff ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/canonical-diff.txt"
+ working-directory: otterdog-configs
+
+ # Add a comment to the pull request with the diff
+
+ - name: Generate comment
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+ with:
+ script: |
+ const commentText = 'Diff for ' + process.env.GITHUB_SHA + ':';
+
+ const fs = require('fs');
+ const diff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/diff.txt').toString().trimEnd();
+ const canonicalDiff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/canonical-diff.txt').toString().trimEnd();
+
+ var body = "" + commentText + "
\n\n```diff\n" + diff + "\n```\n\n```diff\n" + canonicalDiff + "\n```\n\n