diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..883f884 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +# The releng team is by default the owner of everything. +* @{{ org }}/eclipsefdn-releng + +# Otterdog related configurations are also owned by the security team. +/otterdog/** @{{ org }}/eclipsefdn-security @{{ org }}/eclipsefdn-releng diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..9be4262 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: +- package-ecosystem: github-actions + directory: "/" + # We scan and create dependabot PRs against the develop branch only. + # Such a branch only exists for the template master at EclipseFdn/.eclipsefdn-template + # dependabot shall only update the template master, and changes will be synchronized to + # all repos by otterdog using the sync-template operation to avoid having many similar + # dependabot PRs for each individual .eclipsefdn repo which we would like to avoid at all costs. + target-branch: "develop" + schedule: + interval: daily + open-pull-requests-limit: 10 diff --git a/.github/workflows/build-page.yml b/.github/workflows/build-page.yml new file mode 100644 index 0000000..7c733cc --- /dev/null +++ b/.github/workflows/build-page.yml @@ -0,0 +1,122 @@ +name: Build GH Page + +on: + workflow_dispatch: + push: + branches: + - 'main' + paths: + - 'otterdog/*.jsonnet' + - 'otterdog/*.json' + - 'docs/**' + - 'mkdocs.yml' + - '.github/workflows/build-page.yml' + +concurrency: + group: "pages" + cancel-in-progress: false + +permissions: + contents: read + pages: write + id-token: write + +jobs: + generate-markdown: + # do not run the workflow in the template repo itself + if: ${{ !contains (github.repository, '/.eclipsefdn-template') }} + runs-on: ubuntu-latest + steps: + - name: Checkout OtterDog + run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git + + - name: Checkout EclipseFdn/otterdog-configs + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + repository: EclipseFdn/otterdog-configs + path: otterdog-configs + + # checkout the HEAD ref + - name: Checkout HEAD + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + path: ${{ github.repository_owner }} + + - name: Install jsonnet-bundler + run: | + go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1 + echo $(go env GOPATH)/bin >> $GITHUB_PATH + + - name: Install poetry + run: pipx install poetry + + - name: Setup Python + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + with: + python-version: '3.10' + cache: 'poetry' + + - name: Install dependencies with poetry + run: | + poetry install --only=main + working-directory: otterdog + + - name: Copy configuration from HEAD ref + run: | + mkdir -p orgs/${{ github.repository_owner }} + cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }} + working-directory: otterdog-configs + + - name: Generate current configuration as markdown + run: ../otterdog/otterdog.sh show ${{ github.repository_owner }} -c otterdog.json --markdown --output-dir generated-site + working-directory: otterdog-configs + + - name: Generate default configuration as markdown + run: ../otterdog/otterdog.sh show-default ${{ github.repository_owner }} -c otterdog.json --markdown > default.txt + working-directory: otterdog-configs + + - name: Upload generated site content + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 + with: + name: generated-site + path: | + otterdog-configs/default.txt + otterdog-configs/orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet + otterdog-configs/generated-site/ + + build-page: + runs-on: ubuntu-latest + needs: generate-markdown + steps: + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v3 + - name: Download generated site content + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 + with: + name: generated-site + - shell: bash + run: | + cat default.txt >> ./docs/playground.md + cp generated-site/*.md ./docs/ + cp orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet ./docs/jsonnet/ + - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4 + with: + python-version: 3.x + cache: 'pip' + - run: pip install -r requirements.txt + - name: Build with Mkdocs + run: mkdocs build + - name: Setup Pages + uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3 + - name: Upload artifact + uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v1 + + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build-page + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # pin@v2 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 0000000..2a1cccc --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,103 @@ +name: Validate Otterdog Configuration + +on: + workflow_dispatch: + pull_request_target: + branches: [ main ] + +permissions: + contents: read + pull-requests: write + +jobs: + validate: + # do not run the workflow in the template repo itself + if: ${{ !contains (github.repository, '/.eclipsefdn-template') }} + runs-on: ubuntu-latest + steps: + - name: Checkout OtterDog + run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git + + - name: Checkout EclipseFdn/otterdog-configs + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + repository: EclipseFdn/otterdog-configs + path: otterdog-configs + + # checkout the head ref of the PR + # NOTE: in general it is bad practice to check out the pull request HEAD for PRs originating from forked repos, + # however, this validation workflow produces a diff between the changes in the PR with the base ref, thus + # doing this is acceptable, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + - name: Checkout HEAD ref of the PR + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + ref: ${{ github.event.pull_request.head.sha }} + path: ${{ github.repository_owner }} + + # checkout the base ref of the PR + - name: Checkout BASE ref of the PR (target branch) + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + ref: ${{ github.base_ref }} + path: ${{ github.repository_owner }}-base + + - name: Install jsonnet-bundler + run: | + go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1 + echo $(go env GOPATH)/bin >> $GITHUB_PATH + + - name: Install poetry + run: pipx install poetry + + - name: Setup Python + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + with: + python-version: '3.10' + cache: 'poetry' + + - name: Install dependencies with poetry + run: | + poetry install --only=main + working-directory: otterdog + + - name: Copy configuration from HEAD and BASE ref + run: | + mkdir -p orgs/${{ github.repository_owner }} + cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }} + cp ../${{ github.repository_owner }}-base/otterdog/${{ github.repository_owner }}.jsonnet orgs/${{ github.repository_owner }}/${{ github.repository_owner }}.jsonnet-BASE + working-directory: otterdog-configs + + - name: Validate Otterdog Configuration and diff HEAD <-> BASE + run: | + # use script to enable ansi color output + script -q /dev/null --command "../otterdog/otterdog.sh local-plan ${{ github.repository_owner }} -c otterdog.json --suffix=-BASE" | tee "$GITHUB_WORKSPACE/diff-ansi.txt" + # filter out ansi escape sequences again, use sed as ansi2txt is not available + cat "$GITHUB_WORKSPACE/diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/diff.txt" + working-directory: otterdog-configs + + - name: Generate canonical diff + run: ../otterdog/otterdog.sh canonical-diff ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/canonical-diff.txt" + working-directory: otterdog-configs + + # Add a comment to the pull request with the diff + + - name: Generate comment + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 + with: + script: | + const commentText = 'Diff for ' + process.env.GITHUB_SHA + ':'; + + const fs = require('fs'); + const diff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/diff.txt').toString().trimEnd(); + const canonicalDiff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/canonical-diff.txt').toString().trimEnd(); + + var body = "
\n" + commentText + "\n\n```diff\n" + diff + "\n```\n\n```diff\n" + canonicalDiff + "\n```\n\n
"; + fs.writeFileSync(process.env.GITHUB_STEP_SUMMARY, body); + fs.writeFileSync(process.env.GITHUB_WORKSPACE + '/comment.txt', body); + + - name: Attach comment to PR + uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 + with: + hide_and_recreate: true + hide_classify: "OUTDATED" + path: ${{ github.workspace }}/comment.txt diff --git a/README.md b/README.md new file mode 100644 index 0000000..9fa84c6 --- /dev/null +++ b/README.md @@ -0,0 +1,7 @@ +# Eclipse Foundation Config Repo + +Repository to host configurations related to the Eclipse Foundation. + +## Self service of your GitHub organization + +You can find more information at . diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..07729ff --- /dev/null +++ b/docs/index.md @@ -0,0 +1,17 @@ +--- +hide: + - navigation + - toc +--- + +# Self-service of GitHub resources + +General documentation for using the self-service (stored in directory *otterdog*) can be accessed at [otterdog.readthedocs.io](https://otterdog.readthedocs.io). + +## Current configuration + +The current configuration can be reviewed [here](configuration.md). + +## Playground + +A playground for creating and testing resources in jsonnet format is available [here](playground.md). diff --git a/docs/jsonnet/playground.jsonnet b/docs/jsonnet/playground.jsonnet new file mode 100644 index 0000000..10902f3 --- /dev/null +++ b/docs/jsonnet/playground.jsonnet @@ -0,0 +1,3 @@ +local orgs = import 'otterdog-defaults.libsonnet'; + +orgs.newRepo('myrepo') diff --git a/docs/overrides/editor.html b/docs/overrides/editor.html new file mode 100644 index 0000000..d9dab5a --- /dev/null +++ b/docs/overrides/editor.html @@ -0,0 +1,44 @@ +{% extends "base.html" %} + +{% block libs %} + {{ super() }} + + + + + + + + + + +{% endblock %} + +{% block styles %} + + + + + + + + + + + {{ super() }} + + + +{% endblock %} diff --git a/docs/overrides/main.html b/docs/overrides/main.html new file mode 100644 index 0000000..7c254cb --- /dev/null +++ b/docs/overrides/main.html @@ -0,0 +1,11 @@ +{% extends "base.html" %} + +{% block site_meta %} + {{ super() }} + + + + + + +{% endblock %} diff --git a/docs/playground.md b/docs/playground.md new file mode 100644 index 0000000..3d3381e --- /dev/null +++ b/docs/playground.md @@ -0,0 +1,56 @@ +--- +template: editor.html +hide: + - navigation + - toc +--- + +# Playground + +You can use the playground below to create and evaluate resource snippets to include in your jsonnet configuration: + +
+
+
+
+
+ + + +
+
+
+
+
output.json
+
+ +
+ +
+
+
+ +## Resource functions and default values + +The following snippets illustrate the functions to create the supported resources with default values as defined in the +[default configuration](https://github.com/EclipseFdn/otterdog-defaults/blob/main/otterdog-defaults.libsonnet) used at the Eclipse Foundation. diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css new file mode 100644 index 0000000..ca42bca --- /dev/null +++ b/docs/stylesheets/extra.css @@ -0,0 +1,3 @@ +.md-grid { + max-width: 1440px; +} diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..674557e --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,42 @@ +site_name: Otterdog configuration @ {{ org }} +site_description: Otterdog configuration @ {{ org }} +strict: false + +site_url: https://{{ org }}.github.io/.eclipsefdn/ + +repo_name: {{ org }}/.eclipsefdn +repo_url: https://github.com/{{ org }}/.eclipsefdn/ + +docs_dir: ./docs +site_dir: ./_site + +theme: + name: 'material' + custom_dir: docs/overrides + features: + - navigation.tabs + +markdown_extensions: + - pymdownx.superfences + - pymdownx.tabbed: + alternate_style: true + - attr_list + - pymdownx.emoji: + emoji_index: !!python/name:materialx.emoji.twemoji + emoji_generator: !!python/name:materialx.emoji.to_svg + +plugins: + - macros + +nav: + - Overview: index.md + - configuration.md + - playground.md + +not_in_nav: | + repo-*.md + +watch: [] + +extra_css: + - stylesheets/extra.css diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..99ae6c8 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,3 @@ +mkdocs ~= 1.5 +mkdocs-material ~= 9.4 +mkdocs-macros-plugin ~= 1.0