Merge pull request #10 from step-security/staging

first actions version
step-security · Dec 22, 2023 · a7c87df · a7c87df
2 parents 78a0da8 + 78b5191
commit a7c87df
Show file tree

Hide file tree

Showing 54 changed files with 9,114 additions and 2 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,12 @@
+/coverage
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,15 @@
+# This file is for unifying the coding style for different editors and IDEs.
+# More information at http://editorconfig.org
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1,3 @@
+/dist/**
+/coverage/**
+/node_modules/**
diff --git a/.eslintrc.json b/.eslintrc.json
@@ -0,0 +1,24 @@
+{
+  "env": {
+    "node": true,
+    "es6": true,
+    "jest": true
+  },
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:jest/recommended",
+    "plugin:prettier/recommended"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": "latest",
+    "sourceType": "module"
+  },
+  "plugins": [
+    "@typescript-eslint",
+    "jest",
+    "prettier"
+  ]
+}
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,4 @@
+/.yarn/releases/** binary
+/.yarn/plugins/** binary
+/dist/** linguist-generated=true
+/lib/** linguist-generated=true
diff --git a/.github/ISSUE_TEMPLATE/feature.yml b/.github/ISSUE_TEMPLATE/feature.yml
@@ -0,0 +1,15 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Feature request
+description: Missing functionality? Come tell us about it!
+labels:
+  - kind/enhancement
+  - status/triage
+
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the feature you want to see?
+    validations:
+      required: true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    labels:
+      - "kind/dependencies"
+      - "bot"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    versioning-strategy: "increase"
+    allow:
+      - dependency-type: "production"
+    labels:
+      - "kind/dependencies"
+      - "bot"
diff --git a/.github/ghaction-import-gpg.png b/.github/ghaction-import-gpg.png
diff --git a/.github/workflows/actions_release.yaml b/.github/workflows/actions_release.yaml
@@ -0,0 +1,21 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,211 @@
+name: ci
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  schedule:
+    - cron: '0 10 * * *'
+  push:
+    branches:
+      - 'master'
+      - 'releases/v*'
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - 'master'
+      - 'releases/v*'
+
+jobs:
+  gpg:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      -
+        name: GPG conf
+        run: |
+          cat ~/.gnupg/gpg.conf || true
+
+  armored:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        key:
+          - test-key
+          - test-subkey
+        global:
+          - false
+          - true
+        os:
+          - ubuntu-latest
+          - macOS-latest
+          - windows-latest
+        include:
+          - key: test-subkey
+            fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: GPG conf
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
+            if (!fs.existsSync(gnupgfolder)){
+                fs.mkdirSync(gnupgfolder);
+            }
+            fs.chmodSync(gnupgfolder, '0700');
+            fs.copyFile('__tests__/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
+                if (err) throw err;
+            });
+      -
+        name: Get test key and passphrase
+        uses: actions/github-script@v6
+        id: test
+        with:
+          script: |
+            const fs = require('fs');
+            core.setOutput('pgp', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pgp', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
+      -
+        name: Import GPG
+        uses: ./
+        with:
+          gpg_private_key: ${{ steps.test.outputs.pgp }}
+          passphrase: ${{ steps.test.outputs.passphrase }}
+          trust_level: 5
+          git_config_global: ${{ matrix.global }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_tag_gpgsign: true
+          git_push_gpgsign: if-asked
+          fingerprint: ${{ matrix.fingerprint }}
+      -
+        name: List keys
+        run: |
+          gpg -K
+        shell: bash
+
+  base64:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        key:
+          - test-key
+          - test-subkey
+        os:
+          - ubuntu-latest
+          - macOS-latest
+          - windows-latest
+        include:
+          - key: test-subkey
+            fingerprint: C17D11ADF199F12A30A0910F1F80449BE0B08CB8
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Get test key and passphrase
+        uses: actions/github-script@v6
+        id: test
+        with:
+          script: |
+            const fs = require('fs');
+            core.setOutput('pgp-base64', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}-base64.pgp', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
+      -
+        name: Import GPG
+        uses: ./
+        with:
+          gpg_private_key: ${{ steps.test.outputs.pgp-base64 }}
+          passphrase: ${{ steps.test.outputs.passphrase }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_tag_gpgsign: true
+          git_push_gpgsign: if-asked
+          fingerprint: ${{ matrix.fingerprint }}
+
+  trust:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        key:
+          - test-key
+        level:
+          - ''
+          - 5
+          - 4
+          - 3
+          - 2
+          - 1
+        os:
+          - ubuntu-latest
+          - macOS-latest
+          - windows-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: GPG conf
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const fs = require('fs');
+            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
+            if (!fs.existsSync(gnupgfolder)){
+                fs.mkdirSync(gnupgfolder);
+            }
+            fs.chmodSync(gnupgfolder, '0700');
+            fs.copyFile('__tests__/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
+                if (err) throw err;
+            });
+      -
+        name: Get test key and passphrase
+        uses: actions/github-script@v6
+        id: test
+        with:
+          script: |
+            const fs = require('fs');
+            core.setOutput('pgp', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pgp', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('__tests__/fixtures/${{ matrix.key }}.pass', {encoding: 'utf8'}));
+      -
+        name: Import GPG
+        id: import_gpg
+        uses: ./
+        with:
+          gpg_private_key: ${{ steps.test.outputs.pgp }}
+          passphrase: ${{ steps.test.outputs.passphrase }}
+          trust_level: ${{ matrix.level }}
+      -
+        name: List trust values
+        run: |
+          gpg --export-ownertrust
+        shell: bash