Merge pull request #2 from step-security/release

feat: Initial release

Author: amanstep

.dockerignore

@@ -0,0 +1,9 @@
+design
+node_modules
+.env
+.env.example
+coverage
+.buildkite
+*.pem
+.git
+dist/

.eslintignore

@@ -0,0 +1,3 @@
+coverage
+dist/
+node_modules/

.eslintrc

@@ -0,0 +1,18 @@
+{
+  "extends": ["eslint:recommended", "prettier", "plugin:unicorn/recommended"],
+  "plugins": ["prettier"],
+  "parserOptions": {
+    "ecmaVersion": 12
+  },
+  "env": { "node": true, "es6": true },
+  "rules": {
+    "prettier/prettier": "warn",
+    "no-console": "off",
+    "no-unused-vars": "warn",
+    "unicorn/no-null": "off",
+    "unicorn/prefer-module": "off",
+    "unicorn/prevent-abbreviations": "off",
+    "unicorn/prefer-top-level-await": "off",
+    "unicorn/no-process-exit": "off"
+  }
+}

.github/actions/common-setup/action.yml

@@ -0,0 +1,18 @@
+name: Node & npm setup
+description: 'Common job setup for npm managed repo'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: 20
+
+    - name: Install npm
+      shell: bash
+      run: npm install -g npm@11.5.2
+
+    - name: Install dependencies
+      shell: bash
+      run: npm ci

.github/no-unstaged-files.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+git diff
+
+if [[ "$(git status --porcelain)" != "" ]]; then
+  git status
+  echo "::error::💥 Unstaged changes detected. Locally try running: npm run prettier && npm run lint --fix && npm run build"
+  exit 1
+fi

.github/workflows/actions_release.yml

@@ -0,0 +1,22 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
+    with:
+      tag: "${{ github.event.inputs.tag }}"

.github/workflows/audit_package.yml

@@ -0,0 +1,28 @@
+name: NPM Audit Fix Run
+
+on:
+  workflow_dispatch:
+    inputs:
+      force:
+        description: "Use --force flag for npm audit fix?"
+        required: true
+        type: boolean
+      base_branch:
+        description: "Specify a base branch"
+        required: false
+        default: "main"
+  schedule:
+    - cron: "0 0 * * 1"
+
+jobs:
+  audit-fix:
+    uses: step-security/reusable-workflows/.github/workflows/audit_fix.yml@v1
+    with:
+      force: ${{ inputs.force || false }}
+      base_branch: ${{ inputs.base_branch || 'main' }}
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write

.github/workflows/auto_cherry_pick.yml

@@ -0,0 +1,32 @@
+name: Auto Cherry-Pick from Upstream
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: "Base branch to create the PR against"
+        required: true
+        default: "main"
+      mode:
+        description: "Run mode: cherry-pick or verify"
+        required: false
+        default: "cherry-pick"
+
+  pull_request:
+    types: [opened, synchronize, labeled]
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write
+
+jobs:
+  cherry-pick:
+    if: github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
+    uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
+    with:
+      original-owner: "release-drafter"
+      repo-name: "release-drafter"
+      base_branch: ${{ inputs.base_branch }}
+      mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode }}

.github/workflows/docker.yml

@@ -0,0 +1,55 @@
+name: Publish docker image
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Tag to release'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        if: startsWith(github.event.inputs.release_tag, 'v')
+        steps:
+        - name: Harden the runner (Audit all outbound calls)
+          uses: step-security/harden-runner@v2
+          with:
+            egress-policy: audit
+
+        - name: Checkout
+          uses: actions/checkout@v6
+        - name: Validate tag format
+          run: |
+            TAG=${{ github.event.inputs.release_tag }}
+            if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+              echo "❌ Invalid tag format: $TAG"
+              exit 1
+            fi
+            echo "✅ Valid semver tag: $TAG"
+        - name: Log in to GitHub Container Registry
+          uses: step-security/docker-login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Set up QEMU for ARM builds
+          uses: docker/setup-qemu-action@v3
+
+        - name: Set up Docker Buildx
+          uses: step-security/setup-buildx-action@v3
+
+        - name: Build and push Docker image
+          uses: step-security/docker-build-push-action@v6
+          with:
+            context: .
+            push: true
+            platforms: linux/amd64,linux/arm64
+            tags: |
+              ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}

.github/workflows/guarddog.yml

@@ -0,0 +1,14 @@
+name: Run GuardDog Scan on PRs
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  call-guarddog-scan:
+    uses: step-security/reusable-workflows/.github/workflows/guarddog.yml@v1