diff --git a/.github/workflows/ansible-lint-github-hosted.yml b/.github/workflows/ansible-lint-github-hosted.yml
index d3fef91..53179a6 100644
--- a/.github/workflows/ansible-lint-github-hosted.yml
+++ b/.github/workflows/ansible-lint-github-hosted.yml
@@ -3,7 +3,11 @@ name: Ansible Lint
 run-name: ansible-lint validation on PR-${{ github.event.pull_request.number }}
 on:
 pull_request:
- branches: ["main", "devel"]
+ branches: ["main"]
+
+permissions:
+ contents: read
+
 jobs:
 ansible-lint:
 name: Ansible Lint
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..fea1d11
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 7520e6e..9aae5b9 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -4,7 +4,7 @@ run-name: Deploy to GitHub Pages
 on:
 push:
 branches:
- - devel
+ - main
 permissions:
 contents: read
diff --git a/.github/workflows/issues-close-inactive.yml b/.github/workflows/issues-close-inactive.yml
index c35062f..c1cb463 100644
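Review bot: The checkout step in the new dependency-review job leaves the job's GITHUB_TOKEN persisted in the workspace's `.git/config` (actions/checkout's default), and nothing after it in the job needs git credentials — as far as the header comment describes it, the action works from the PR's dependency changes rather than from a writable clone. Add `with:` / `persist-credentials: false` under the `actions/checkout` step so the token is not left on disk for the rest of the job. Pinning both actions to full commit SHAs with a version comment is the right convention and worth keeping for every new workflow.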
--- a/.github/workflows/issues-close-inactive.yml
+++ b/.github/workflows/issues-close-inactive.yml
@@ -6,8 +6,14 @@ on:
 schedule:
 - cron: "0 6 * * *"
+permissions:
+ contents: read
+
 jobs:
 close-inactive-issues:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: close-issues
diff --git a/.github/workflows/issues-find-inactive.yml b/.github/workflows/issues-find-inactive.yml
index 685f5ee..94ecddf 100644
--- a/.github/workflows/issues-find-inactive.yml
+++ b/.github/workflows/issues-find-inactive.yml
@@ -6,8 +6,14 @@ on:
 schedule:
 - cron: "0 5 * * *"
+permissions:
+ contents: read
+
 jobs:
 check-inactive:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: check-inactive
diff --git a/.github/workflows/issues-notify-inactive.yml b/.github/workflows/issues-notify-inactive.yml
index 2fe8a06..79ecb71 100644
--- a/.github/workflows/issues-notify-inactive.yml
+++ b/.github/workflows/issues-notify-inactive.yml
@@ -6,8 +6,14 @@ on:
 issues:
 types: [labeled]
+permissions:
+ contents: read
+
 jobs:
 issue-labeled:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: Create comment
diff --git a/.github/workflows/issues-remove-inactive.yml b/.github/workflows/issues-remove-inactive.yml
index e882e77..1643fc3 100644
--- a/.github/workflows/issues-remove-inactive.yml
+++ b/.github/workflows/issues-remove-inactive.yml
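Review bot: `pull-requests: write` on the issue-labeled job is probably broader than an `issues: labeled` trigger needs: GitHub's issues API (comments, labels, state changes) also operates on pull requests, so `issues: write` alone is usually enough for actions-cool/issues-helper unless the step calls pulls-specific endpoints. The step configuration is outside the hunk, so verify against the helper's documented permissions and drop `pull-requests: write` where it is not exercised; the same question applies to the other three issues-*.yml jobs in this commit. Narrowing the workflow-level `permissions` to `contents: read` and granting write scopes only on the job is the right shape and worth keeping.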
@@ -8,8 +8,14 @@ on:
 issue_comment:
 types: [created, edited]
+permissions:
+ contents: read
+
 jobs:
 remove-inactive:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: remove inactive
diff --git a/.github/workflows/token_refresh_automation_hub.yml b/.github/workflows/token_refresh_automation_hub.yml
index c28f127..d99070d 100644
--- a/.github/workflows/token_refresh_automation_hub.yml
+++ b/.github/workflows/token_refresh_automation_hub.yml
@@ -5,10 +5,18 @@ on:
 schedule:
 - cron: "0 12 1,15 * *" # run 12pm on the 1st and 15th of the month
 workflow_dispatch:
+
+permissions:
+ contents: read
+
 jobs:
- refresh:
- uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
- with:
- environment: release
- secrets:
- ah_token: ${{ secrets.RH_AUTOMATION_HUB_TOKEN }}
+refresh:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Refresh the automation hub token
+ run: >-
+ curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+ -d grant_type=refresh_token
+ -d client_id=cloud-services
+ -d refresh_token="${{ secrets.RH_AUTOMATION_HUB_TOKEN }}"
+ --fail --silent --show-error --output /dev/null
diff --git a/.github/workflows/token_refresh_rh_subscription_manager.yml b/.github/workflows/token_refresh_rh_subscription_manager.yml
index 5098311..6b83b40 100644
--- a/.github/workflows/token_refresh_rh_subscription_manager.yml
+++ b/.github/workflows/token_refresh_rh_subscription_manager.yml
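Review bot: The new refresh step expands `secrets.RH_AUTOMATION_HUB_TOKEN` directly into the `run:` script and hands it to curl as a `-d` argument, so the refresh token sits in the shell command line and in curl's argv for the whole request (GitHub masks known secrets in the job log, but not in process listings or in anything else that captures the command line). The usual shape is to give the secret to the step through `env:` and feed the form body to curl on stdin with `--data @-`, as below, which also keeps the value out of any shell tracing. Separately, `+refresh:` appears at column 0 directly under `jobs:` in this hunk while the removed `refresh:` was indented; if that is the real indentation rather than an artefact of this rendering, `jobs` becomes an empty mapping and GitHub rejects the workflow, so confirm the job key is nested under `jobs:`. The replaced reusable workflow was also invoked with `environment: release`; if that environment gated access to the secret, declare `environment: release` on the inline job so the same protection rules and environment-scoped secret still apply.

```yaml
jobs:
  refresh:
    # … unchanged: runs-on …
    steps:
      - name: Refresh the automation hub token
        env:
          RH_AUTOMATION_HUB_TOKEN: ${{ secrets.RH_AUTOMATION_HUB_TOKEN }}
        run: >-
          printf 'grant_type=refresh_token&client_id=cloud-services&refresh_token=%s'
          "$RH_AUTOMATION_HUB_TOKEN"
          | curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
          --data @-
          --fail --silent --show-error --output /dev/null
```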
@@ -5,10 +5,18 @@ on:
 schedule:
 - cron: "0 12 1,15 * *" # run 12pm on the 1st and 15th of the month
 workflow_dispatch:
+
+permissions:
+ contents: read
+
 jobs:
- refresh:
- uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
- with:
- environment: release
- secrets:
- ah_token: ${{ secrets.RHSM_TOKEN }}
+refresh:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Refresh the automation hub token
+ run: >-
+ curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+ -d grant_type=refresh_token
+ -d client_id=rhsm-api
+ -d refresh_token="${{ secrets.RHSM_TOKEN }}"
+ --fail --silent --show-error --output /dev/null
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..db666e9
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
diff --git a/README.md b/README.md
index 61de72e..ab7bfc7 100644
--- a/README.md
+++ b/README.md
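Review bot: The step name in the new refresh job still reads `Refresh the automation hub token`, but this workflow refreshes the subscription-manager token (`client_id=rhsm-api`, `secrets.RHSM_TOKEN`), so the run log will mislabel what was refreshed; change it to `- name: Refresh the Red Hat Subscription Manager token`. The secret handling has the same weakness as the sibling automation-hub workflow: `secrets.RHSM_TOKEN` is expanded into the `run:` script and passed as a curl `-d` argument, leaving it visible in the process's argv, so pass it to the step via `env:` and send the form body to curl on stdin with `--data @-` instead. `refresh:` also appears at column 0 under `jobs:` in this hunk; if that is the real indentation, `jobs` is an empty mapping and GitHub will reject the workflow, so confirm the job key is nested. If the removed `environment: release` was what gated this secret, add `environment: release` to the inline job to keep that protection.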
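Review bot: The gitleaks hook in the new .pre-commit-config.yaml only runs on machines where a contributor has installed pre-commit; no workflow in this commit runs pre-commit or gitleaks in CI, so a committed secret is still not caught server-side unless such a job exists elsewhere in the repo. If the goal is enforcement rather than a local convenience, add a CI job that runs `pre-commit run --all-files` (pinned by commit SHA like the other actions in this commit) and/or enable GitHub's secret-scanning push protection for the repository. Also, `rev: v8.16.3` and `rev: v4.4.0` are mutable tags; pre-commit accepts a full commit SHA in `rev`, which would match the SHA-pinning convention used in the workflows, and v8.16.3 is likely well behind current gitleaks releases, so running `pre-commit autoupdate` before pinning is worthwhile.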
@@ -1,6 +1,7 @@
 # RHIS-code
-[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K)
+[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K) [![OSSF-Scorecard Score](https://api.scorecard.dev/projects/github.com/redhat-cop/rhis-code/badge)](https://scorecard.dev/viewer/?uri=github.com/redhat-cop/rhis-code)
+
 This repository is intended to contain ansible automation code. All documents are stored on [docs](./docs).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f3e7f8a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@rhis-code-admins](https://github.com/orgs/redhat-cop/teams/rhis-code-admins)