diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 0000000..1400fb0 --- /dev/null +++ b/.github/workflows/actionlint.yml @@ -0,0 +1,23 @@ +name: 'Actionlint' +on: + pull_request: + workflow_dispatch: + +permissions: + contents: 'read' + pull-requests: 'write' + +concurrency: + group: 'actionlint-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}' + cancel-in-progress: true + +jobs: + lint: + runs-on: 'ubuntu-latest' + steps: + - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6 + - name: 'Run actionlint with reviewdog' + uses: 'reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d' # ratchet:reviewdog/action-actionlint@v1.72.0 + with: + fail_level: 'error' + reporter: 'github-pr-check' diff --git a/.github/workflows/centralized-stale.yml b/.github/workflows/centralized-stale.yml new file mode 100644 index 0000000..54a727c --- /dev/null +++ b/.github/workflows/centralized-stale.yml @@ -0,0 +1,101 @@ +name: 'Centralized Organization Stale Bot' +permissions: {} +on: + schedule: + # Run daily at 01:00 UTC + - cron: '0 1 * * *' + workflow_dispatch: + +jobs: + # Stage 1: Query the organization for all active repositories + fetch-repositories: + runs-on: 'ubuntu-latest' + outputs: + matrix: '${{ steps.set-matrix.outputs.repos }}' + steps: + - id: 'auth-minty' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2 + with: + create_credentials_file: false + export_environment_variables: false + workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}' + service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}' + token_format: 'id_token' + id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}' + id_token_include_email: true + + - id: 'mint-github-token' + uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main + with: + id_token: '${{ steps.auth-minty.outputs.id_token }}' + service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}' + requested_permissions: |- + { + "scope": "stale-bot", + "repositories": ["*"], + "org_name": "google-github-actions" + } + + - name: 'List active repositories' + id: set-matrix + env: + GH_TOKEN: '${{ steps.mint-github-token.outputs.token }}' + run: | + # Query GitHub API for active, public, non-forked repositories and force single-line JSON to prevent GITHUB_OUTPUT truncation + REPOS=$(gh api --paginate /orgs/google-github-actions/repos -q '[.[] | select(.archived == false and .private == false and .fork == false) | .name]' | jq -c .) + echo "repos=${REPOS}" >> "$GITHUB_OUTPUT" + + # Stage 2: Fan out official actions/stale across all discovered repositories + apply-stale-rules: + needs: fetch-repositories + runs-on: 'ubuntu-latest' + strategy: + fail-fast: false + matrix: + repo: '${{ fromJson(needs.fetch-repositories.outputs.matrix) }}' + + steps: + - id: 'auth-minty' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2 + with: + create_credentials_file: false + export_environment_variables: false + workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}' + service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}' + token_format: 'id_token' + id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}' + id_token_include_email: true + + - id: 'mint-github-token' + uses: 'abcxyz/github-token-minter/.github/actions/minty@45c29ca3418ff3bb3ad5815d88a80536efeba21b' # ratchet:abcxyz/github-token-minter/.github/actions/minty@main + with: + id_token: '${{ steps.auth-minty.outputs.id_token }}' + service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}' + requested_permissions: |- + { + "scope": "stale-bot", + "repositories": ["${{ matrix.repo }}"], + "org_name": "google-github-actions" + } + + - name: 'Run official stale bot' + uses: 'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f' # ratchet:actions/stale@v10.2.0 + env: + GITHUB_REPOSITORY: 'google-github-actions/${{ matrix.repo }}' + with: + repo-token: '${{ steps.mint-github-token.outputs.token }}' + operations-per-run: 300 # Increased burndown limit for first execution + + # Issue configuration (60 days total: 53 inactive + 7 warning) + days-before-issue-stale: 53 + days-before-issue-close: 7 + stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.' + stale-issue-label: 'stale' + + # PR configuration (30 days total: 23 inactive + 7 warning) + days-before-pr-stale: 23 + days-before-pr-close: 7 + stale-pr-message: 'This pull request has been automatically marked as stale because it has not had recent activity. Please leave a comment to remove this status.' + stale-pr-label: 'stale' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..2332f5d --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,31 @@ +name: 'Scorecard' +on: + pull_request: + workflow_dispatch: + +permissions: 'read-all' + +jobs: + analyze: + runs-on: 'ubuntu-latest' + permissions: + contents: 'read' + security-events: 'write' + id-token: 'write' + timeout-minutes: 20 + steps: + - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6 + with: + # Checkout the base repository ref, not the PR's head commit + ref: '${{ github.event.pull_request.base.sha }}' + persist-credentials: false + - name: 'Run Scorecard' + uses: 'ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a' # ratchet:ossf/scorecard-action@v2.4.3 + with: + results_file: 'results.sarif' + results_format: 'sarif' + publish_results: false + - name: 'Upload to GitHub Security Tab' + uses: 'github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13' # ratchet:github/codeql-action/upload-sarif@v4.35.1 + with: + sarif_file: 'results.sarif'