pilot for v2 main CI and CD actions

Author: brianLoomis

.github/workflows/DEV README.md

@@ -0,0 +1,68 @@
+#TODO: items
+
+1. identify affected repos (needing common GH action)
+	- list of repos finalized for limited GA
+2. prototype each GH action	on https://github.com/chef/chef-vault
+	- sonar - public repos - the Jason way (new runner)
+		- API tokens created - done...
+		- correct project_name in properties? 
+	- blackduck	
+		- request all repos to Jason
+	- polaris
+	- truffle hog - done...?
+	- scc and any othertools from previous GA's
+	- dependabot scanning (manual) 
+	- ad hoc CD - intel cve-bin tool
+    - add OSSF scorecard? https://github.com/actions/starter-workflows/blob/main/code-scanning/scorecard.yml
+	
+3. first 10 repos
+4. have teams do next round
+
+## copy PR-v2.yml & stub to other 3 common-github-actions repos
+1. https://github.com/habitat-sh/common-github-actions
+1. https://github.com/inspec/common-github-actions
+
+## set up secrets like
+- https://github.com/chef/chef/settings/secrets/actions
+
+## set up sonar.properties from references
+- https://github.com/progress-platform-services/chef-node-management-cli/blob/main/sonar-project.properties
+- https://github.com/progress-platform-services/chef-node-management-cli
+- go-based one (Sonar Cloud) - https://github.com/chef/automate/blob/main/sonar-project.properties (goes to https://sonar.progress.com/dashboard?id=Chef_Automate&codeScope=overall, convert project name to Chef_Automate instead of automate_automate)
+- https://github.com/progress-platform-services/chef-node-management-cli/blob/main/.github/workflows/sonarqube.yml
+- https://github.com/chef/chef-server/blob/0ae871a00deb405ed068f2b8b1854b0660413a77/sonar-project.properties#L7
+
+needs work
+- https://github.com/chef/ohai/blob/main/sonar-project.properties
+- https://github.com/chef/chef/blob/main/sonar-project.properties
+
+ref- https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/ruby/
+
+## Blackduck
+SCA needs BLACKDUCK_URL and secrets.BLACKDUCK_TOKEN
+can upload SARIF to GitHub Adv Security in advanced example
+
+Polaris needs POLARIS_SERVER_URL, secrets.POLARIS_ACCESS_TOKEN
+
+Coverity needs COVERITY_URL, COVERITY_USER, secrets.COVERITY_PASSPHRASE
+
+## copy to test repos
+### chef
+- https://github.com/chef/mixlib-cli
+
+- https://github.com/inspec/train-habitat
+- https://github.com/inspec/k8s-ruby
+
+## upgrade all common stubs to progress-platform-sevices
+- look at all the junk in https://github.com/progress-platform-services/chef-state-api workflows
+
+## generate Sonar reports for limited GA
+https://www.bitegarden.com/how-to-create-sonarqube-report
+
+## add container stuff
+https://github.com/actions/starter-workflows/blob/main/code-scanning/kubesec.yml
+https://github.com/actions/starter-workflows/blob/main/code-scanning/snyk-container.yml
+
+Evaluate other tools:
+https://github.com/actions/starter-workflows/blob/main/code-scanning/sysdig-scan.yml
+https://github.com/actions/starter-workflows/blob/main/code-scanning/trivy.yml

…/workflows/ci-cli-go-main-ALLACTIONS.yml …s/archived/ci-cli-go-main-ALLACTIONS.yml.github/workflows/ci-cli-go-main-ALLACTIONS.yml renamed to .github/workflows/archived/ci-cli-go-main-ALLACTIONS.yml .github/workflows/ci-cli-go-main-ALLACTIONS.yml renamed to .github/workflows/archived/ci-cli-go-main-ALLACTIONS.yml

@@ -165,72 +165,4 @@ jobs:
   #  - name: Copy file
   #    run: cp coverage.out test/unittest/coverage.out
   #    #    - name: cat the file
-  #    #      run: cat test/unittest/coverage.out
-    
-    # - name: SonarQube Scan
-    #   uses: sonarsource/sonarqube-scan-action@master
-    #   # https://github.com/marketplace/actions/official-sonarqube-scan
-    #   env:
-    #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-    #     SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
-        
-    # - name: Upload test coverage artifact
-    #   uses: actions/upload-artifact@v4
-    #   with:
-    #     # Name of the artifact to upload.
-    #     name: test-coverage.out
-    #     # A file, directory or wildcard pattern that describes what to upload
-    #     path: test/unittest/coverage.out
- 
-  # Language vulnerability checks (SCA) - OWASP depcheck, gosec
-    # depcheck - https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html, https://jeremylong.github.io/DependencyCheck/ (plugin to SQ)
-    # https://github.com/marketplace/actions/gosec-security-checker
-    # https://go.googlesource.com/vuln - govulncheck
-#   language-vuln-checks:
-#     runs-on: ubuntu-latest
-#     needs: veracode-sast
-#     name: 'OWASP depcheck and gosec'
-#     steps:
-#       - name: 'OWASP depcheck and gosec'
-#         run: echo 'hello world'
-
-# srcclr
-# srcclr scan . --recursive --quick
-# srcclr scan .\automate\ --recursive --quick
-# needs SRCCLR_API_TOKEN env var...
-# srcclr scan --url https://github.com/progress-platform-services/chef-node-management-cli --json=veracode_output --no-upload --recursive --ref=main --scan-analyzers="go mod"
-
-# go install github.com/securego/gosec/v2/cmd/gosec@latest
-# GHA at https://github.com/securego/gosec
-# gosec ./... >> ./bin/gosec.out
-
-# go install golang.org/x/vuln/cmd/govulncheck@latest
-# govulncheck ./... >> ./bin/security/govuln.out
-
-# go mod graph >> ./bin/go-dep-graph.out
-
-# go install honnef.co/go/tools/cmd/staticcheck@latest
-# staticcheck ./... >> ./bin/staticcheck.out
-
-# go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.57.1
-# GHA at ?
-# golangci-lint run ./...
-
-# go get github.com/manifest-cyber/cli
-# use the GHA
-
-  # Code signing (can generate MD5 SHA, but also need signature - not GPG but provisioned by Progress EVCode)
-    # https://github.com/mtrojnar/osslsigncode?tab=readme-ov-file 
-#   code-signing:
-#     runs-on: ubuntu-latest
-#     needs: language-vuln-checks
-#     name: 'Code signing'
-#     steps:
-#       - name: 'Code signing'
-#         run: echo 'hello world'
-
-
-
-
-# msftsbom.exe generate -b ./bin -bc . -pn chef-api -pv 0.1.0 -ps "Progress Chef" -nsb "https://chef.io" -V Verbose
-# license_scout
+  #    #      run: cat test/unittest/coverage.out

.github/workflows/archived/ci-release-go-cli.yml

@@ -0,0 +1,83 @@
+name: Build, Generate Metrics and Test Go CLIs with go-releaser
+on: 
+  workflow_call:
+    inputs:
+      application-name:
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+env:
+  APPLICATION_NAME: ${{ inputs.application-name }}
+  API_VERSION: ${{ github.ref_name }}
+  BUILDTYPE: 'CLI'
+  SCCOUTPUTFILE: 'scc.out'
+  BUILDLANGUAGE: 'GoLang'
+  DOCKERFILE_PATH: './Dockerfile'
+
+jobs:
+  # Build GoLang binaries per .goreleaser.yaml with go-releaser makes these artifacts in GitHub 
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '>=1.21'
+      - run: go version
+    #   - name: Configure git for private modules linux
+    #     if: ${{ matrix.os == 'ubuntu-latest' }}
+    #     env:
+    #       GOPRIVATE: github.com/progress-platform-services/*
+    #     run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Unit Test and Sonar (SCA and unit test coverage)
+  unit-test:
+    name: 'Unit test and run Sonar scan'
+    runs-on: ubuntu-latest-4-cores
+    needs: goreleaser
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    
+    - name: 'Unit Test: Generate coverage.out and covreport.xml file'
+      run: go test -v -coverprofile="coverage.out" ./... 
+    - name: Copy file
+      run: cp coverage.out test/unittest/coverage.out
+      #    - name: cat the file
+      #      run: cat test/unittest/coverage.out
+    
+    # - name: SonarQube Scan
+    #   uses: sonarsource/sonarqube-scan-action@master
+    #   # https://github.com/marketplace/actions/official-sonarqube-scan
+    #   env:
+    #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+    #     SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        
+    - name: Upload test coverage artifact
+      uses: actions/upload-artifact@v4
+      with:
+        # Name of the artifact to upload.
+        name: test-coverage.out
+        # A file, directory or wildcard pattern that describes what to upload
+        path: test/unittest/coverage.out
+ 
+ 

.github/workflows/cd-main-ruby-package-deploy-integration-test.yml

@@ -0,0 +1,62 @@
+# ad hoc continuous delivery/deployment workflow for ruby package
+name: main and release branch CD workflow for ruby package
+
+on:
+  workflow_call:
+    inputs:
+      language:
+        description: 'Primary language in the repository, for language-specific checks'
+        required: false
+        type: string
+        default: 'Go'
+      visibility:
+        description: 'Visibility of the repository'
+        required: false
+        type: string
+        default: 'public' # (private, public, or internal)
+      skip-unit-tests:
+        description: 'Skip unit tests'
+        required: false
+        type: boolean
+        default: false
+    
+env:
+  REPO_VISIBILITY: ${{ github.event.repository.visibility }}
+  PIPELINE_VERSION: '1.0.0'
+
+jobs:
+  echo_inputs:
+    name: 'Echo version of pipeline and inputs'
+    runs-on: ubuntu-latest
+    steps:
+      - name: echo version of pipeline and inputs
+        run: |
+          echo "pipeline version $PIPELINE_VERSION"
+          echo "Language set to ${{ inputs.language }} "
+          echo "SCC output filename set to ${{ inputs.outputfilename }} "
+          echo "Visibility set to $REPO_VISIBILITY [ ${{ inputs.visibility }} ]"
+          echo "Skip trufflehog set to ${{ inputs.skip-trufflehog }}"
+          echo "Skip SonarQube set to ${{ inputs.skip-sonarqube }}"
+          echo "Skip unit tests set to ${{ inputs.skip-unit-tests }}"
+         
+# build binaries and executables
+
+# package the binaries and executables
+
+  # Code signing (can generate MD5 SHA, but also need signature - not GPG but provisioned by Progress EVCode)
+    # https://github.com/mtrojnar/osslsigncode?tab=readme-ov-file 
+
+  # scan the binaries for vulnerabilities using intel CVE bin tool
+  intel-cve-scan:
+    if: ${{ inputs.skip-intel-cve-scan == false }}
+    uses: chef/common-github-actions/.github/workflows/tools/intel-cve-bin.yml@main
+    needs: echo_inputs
+    secrets: inherit
+
+
+# deploy to integration test environment
+
+# run integration tests
+
+# Documentation generation 
+#   # Publish OpenAPI specs (for docs) to   https://github.com/progress-platform-services/open-api-specifications/tree/main/chef

.github/workflows/ci-all-security-main.yml

@@ -3,7 +3,7 @@ name: TruffleHog Secret Scan
 on:
   workflow_dispatch:
   pull_request:
-    #todo - add required branches like release**, CHEF-18 etc..
+    #todo - add required branches like release**, CHEF-18 etc.. - actually add these in the repo starting event (snce inpsec is different from onfra 19)
     branches: [ main ]
 
 jobs: