Merge branch 'main' into renovate/automationhub

.github/workflows/ansible-lint-github-hosted.yml

@@ -3,14 +3,18 @@ name: Ansible Lint on GitHub-Hosted Runner
 run-name: ansible-lint validation on PR-${{ github.event.pull_request.number }}
 on:
   pull_request:
-    branches: ["main", "devel"]
+    branches: ["main"]
+
+permissions:
+  contents: read
+
 jobs:
   ansible-lint:
     name: Ansible Lint
     runs-on: ubuntu-latest
     steps:
       - name: Git checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Populate ansible config
         run: |

.github/workflows/dependency-review.yml

@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/gh-pages.yml

@@ -4,7 +4,7 @@ run-name: Deploy to GitHub Pages
 on:
   push:
     branches:
-      - devel
+      - main
 
 permissions:
   contents: read
@@ -19,15 +19,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - run: pip install mkdocs-material
       - run: mkdocs build
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: './site'
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/issues-close-inactive.yml

@@ -6,12 +6,18 @@ on:
   schedule:
     - cron: "0 6 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   close-inactive-issues:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: close-issues
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3
         with:
           actions: 'close-issues'
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/issues-find-inactive.yml

@@ -6,12 +6,18 @@ on:
   schedule:
     - cron: "0 5 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   check-inactive:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: check-inactive
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3
         with:
           actions: 'check-inactive'
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/issues-notify-inactive.yml

@@ -6,12 +6,18 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+
 jobs:
   issue-labeled:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: Create comment
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3
         if: github.event.label.name == 'inactive'
         with:
           actions: 'create-comment'

.github/workflows/issues-remove-inactive.yml

@@ -8,13 +8,19 @@ on:
   issue_comment:
     types: [created, edited]
 
+permissions:
+  contents: read
+
 jobs:
   remove-inactive:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: remove inactive
         if: github.event.issue.state == 'open' && github.event.issue.user != 'github-actions'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3
         with:
           actions: 'remove-labels'
           issue-number: ${{ github.event.issue.number }}

.github/workflows/scorecard.yml

@@ -37,7 +37,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.pre.node20
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
         with:
           sarif_file: results.sarif

.github/workflows/token_refresh_automation_hub.yml

@@ -5,10 +5,18 @@ on:
   schedule:
     - cron: "0 12 1,15 * *"  # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
-  refresh:
-    uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
-    with:
-      environment: release
-    secrets:
-      ah_token: ${{ secrets.RH_AUTOMATION_HUB_TOKEN }}
+refresh:
+  runs-on: ubuntu-latest
+  steps:
+    - name: Refresh the automation hub token
+      run: >-
+        curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+        -d grant_type=refresh_token
+        -d client_id=cloud-services
+        -d refresh_token="${{ secrets.RH_AUTOMATION_HUB_TOKEN }}"
+        --fail --silent --show-error --output /dev/null

.github/workflows/token_refresh_rh_subscription_manager.yml

@@ -5,10 +5,18 @@ on:
   schedule:
     - cron: "0 12 1,15 * *"  # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
-  refresh:
-    uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
-    with:
-      environment: release
-    secrets:
-      ah_token: ${{ secrets.RHSM_TOKEN }}
+refresh:
+  runs-on: ubuntu-latest
+  steps:
+    - name: Refresh the automation hub token
+      run: >-
+        curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+        -d grant_type=refresh_token
+        -d client_id=rhsm-api
+        -d refresh_token="${{ secrets.RHSM_TOKEN }}"
+        --fail --silent --show-error --output /dev/null

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.3
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace

README.md

@@ -1,6 +1,7 @@
 # RHIS-code
 
-[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K)
+[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K) [![OSSF-Scorecard Score](https://api.scorecard.dev/projects/github.com/redhat-cop/rhis-code/badge)](https://scorecard.dev/viewer/?uri=github.com/redhat-cop/rhis-code)
+
 
 
 This repository is intended to contain ansible automation code. All documents are stored on [docs](./docs).

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@rhis-code-admins](https://github.com/orgs/redhat-cop/teams/rhis-code-admins)