ci: prepare repo for development (#1)

Signed-off-by: behnazh-w <[email protected]>

Author: behnazh-w

.flake8

@@ -0,0 +1,36 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Unfortunately, flake8 does not support pyproject.toml configuration.
+# https://github.com/PyCQA/flake8/issues/234
+[flake8]
+# Disabling the following:
+# E203: whitespace before ':'. Conflict with black.
+# E266: too many leading '#' for block comment
+# W503: line break before binary operator
+# D105: Missing docstring in magic method
+# D104: Missing docstring in public package
+# D404: First word of the docstring should not be `This`
+# PT009: use a regular assert instead of unittest-style
+ignore = E203,E266,W503,D105,D404,PT009
+# Disabling the following for tests:
+# D400: First line should end with a period
+# D200: One-line docstring should fit on one line with quotes
+# D102: Missing docstring in public method
+# D104: Missing docstring in public package
+# D107: Missing docstring in __init__
+per-file-ignores =
+    __init__.py:D104
+    tests/*:D400,D200,D102,D104,D107
+max-line-length = 120
+show-source = true
+
+# Enable Bugbear's extended opinionated checks.
+# https://github.com/PyCQA/flake8-bugbear#how-to-enable-opinionated-warnings
+extend-select = B9
+
+# Ensure that flake8 warnings are silenced correctly.
+# https://github.com/plinss/flake8-noqa#options
+noqa-require-code = true
+
+docstring-convention = numpy

.gitattributes

@@ -0,0 +1,15 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Set default behavior to automatically normalize line endings.
+* text=auto
+
+# Force batch scripts to always use CRLF line endings so that if a repo is accessed
+# in Windows via a file share from Linux, the scripts will work.
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf
+*.{ps1,[pP][sS]1} text eol=crlf
+
+# Force bash scripts to always use LF line endings so that if a repo is accessed
+# in Unix via a file share from Windows, the scripts will work.
+*.sh text eol=lf

.github/codeql/codeql-config.yaml

@@ -0,0 +1,6 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+name: CodeQL configuration
+paths:
+- src/macaron

.github/dependabot.yaml

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# This configuration file enables Dependabot version updates.
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
+# https://github.com/dependabot/feedback/issues/551
+
+version: 2
+updates:
+- package-ecosystem: pip
+  directory: /
+  schedule:
+    interval: weekly
+  commit-message:
+    prefix: chore
+    prefix-development: chore
+    include: scope
+  open-pull-requests-limit: 13
+  target-branch: staging
+  # Add additional reviewers for PRs opened by Dependabot. For more information, see:
+  # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
+  # reviewers:
+  # -
+
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+  commit-message:
+    prefix: chore
+    prefix-development: chore
+    include: scope
+  open-pull-requests-limit: 13
+  target-branch: staging
+  # Add additional reviewers for PRs opened by Dependabot. For more information, see:
+  # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
+  # reviewers:
+  # -

.github/workflows/_build.yaml

@@ -0,0 +1,134 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# This is a trusted builder implemented as a reusable workflow that can be called by other
+# Actions workflows. It checks, tests, and builds the artifacts including SBOM and documentations,
+# and computes hash digests as output to be used by a SLSA provenance generator. The artifacts are
+# always uploaded for every job to be used for debugging purposes, but they will be removed within
+# the specified retention days.
+#
+# Even though we run the build in a matrix to check against different platforms, due to a known
+# limitation of reusable workflows that do not support setting strategy property from the caller
+# workflow, we only generate artifacts for ubuntu-latest and Python 3.11, which can be used to
+# create a release. For details see:
+#
+# https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations
+#
+# Note: if the build workflow needs to access secrets, they need to be passed by the caller using
+# `secrets: inherit`. See also
+#
+# https://docs.github.com/en/actions/using-workflows/reusing-workflows
+# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+#
+# for the security recommendations.
+
+name: Build the package
+on:
+  workflow_call:
+    outputs:
+      artifacts-sha256:
+        description: The hash of the artifacts
+        value: ${{ jobs.build.outputs.artifacts-sha256 }}
+permissions:
+  contents: read
+env:
+  ARTIFACT_OS: ubuntu-latest # The default OS for release.
+  ARTIFACT_PYTHON: '3.11' # The default Python version for release.
+
+jobs:
+  build:
+    outputs:
+      artifacts-sha256: ${{ steps.compute-hash.outputs.artifacts-sha256 }}
+    name: Build Python ${{ matrix.python }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        # It is recommended to pin a Runner version specifically:
+        # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
+        os: [ubuntu-latest]
+        python: ['3.11']
+    steps:
+
+    - name: Check out repository
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+      with:
+        fetch-depth: 0
+
+    - name: Set up Python
+      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      with:
+        python-version: ${{ matrix.python }}
+
+    # Using the Makefile assumes an activated virtual environment, which doesn't exist
+    # when running in an Action environment (https://github.com/actions/setup-python/issues/359).
+    # Instead we create an empty .venv folder so that the Makefile continues to function
+    # while Python operates within the runner's global environment. It is safe to ignore
+    # warnings from the Makefile about the missing virtual environment.
+    - name: Create empty virtual environment for Actions
+      run: mkdir .venv
+    - name: Install dependencies
+      run: make setup
+
+    # Audit all currently installed packages for security vulnerabilities.
+    - name: Audit installed packages
+      run: make audit
+
+    # Build the sdist and wheel distribution of the package and docs as a zip file.
+    # We don't need to check and test the package separately because `make dist` runs
+    # those targets first and only builds the package if they succeed.
+    - name: Build the package
+      run: make dist
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    # Generate the requirements.txt that contains the hash digests of the dependencies and
+    # generate the SBOM using CyclonDX SBOM generator.
+    - name: Generate requirements.txt and SBOM
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      run: make requirements sbom
+
+    # Remove the old requirements.txt file (which includes _all_ packages) and generate a
+    # new one for the package and its actual and required dependencies only.
+    - name: Prune packages and generate required requirements.txt
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      run: |
+        rm requirements.txt
+        make prune requirements
+
+    # Find the paths to the artifact files that will be included in the release, compute
+    # the SHA digest for all the release files and encode them using Base64, and export it
+    # from this job.
+    - name: Compute package hash
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      id: compute-hash
+      shell: bash
+      run: |
+        set -euo pipefail
+        TARBALL_PATH=$(find dist/ -type f -name "*.tar.gz")
+        WHEEL_PATH=$(find dist/ -type f -name "*.whl")
+        GO_ACTION_PARSER=$(find bin/ -type f -name "actionparser")
+        GO_BASH_PARSER=$(find bin/ -type f -name "bashparser")
+        REQUIREMENTS_PATH=$(find dist/ -type f -name "*-requirements.txt")
+        SBOM_PATH=$(find dist/ -type f -name "*-sbom.json")
+        SBOM_GO_PATH=$(find dist/ -type f -name "*-sbom-go.json")
+        HTML_DOCS_PATH=$(find dist/ -type f -name "*-docs-html.zip")
+        BUILD_EPOCH_PATH=$(find dist/ -type f -name "*-build-epoch.txt")
+        DIGEST=$(sha256sum "$TARBALL_PATH" "$WHEEL_PATH" "$REQUIREMENTS_PATH" "$SBOM_PATH" \
+          "$SBOM_GO_PATH" "$GO_ACTION_PARSER" "$GO_BASH_PARSER" "$HTML_DOCS_PATH" "$BUILD_EPOCH_PATH" | base64 -w0)
+        echo "Digest of artifacts is $DIGEST."
+        echo "artifacts-sha256=$DIGEST" >> "$GITHUB_OUTPUT"
+
+    # For now only generate artifacts for the specified OS and Python version in env variables.
+    # Currently reusable workflows do not support setting strategy property from the caller workflow.
+    - name: Upload the package artifact for debugging and release
+      if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
+      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+      with:
+        name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
+        path: |
+          dist
+          bin/actionparser
+          bin/bashparser
+        if-no-files-found: error
+        retention-days: 7

.github/workflows/_release-notifications.yaml

@@ -0,0 +1,50 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Send a Slack release notification. Instructions to set up Slack to receive
+# messages can be found here: https://github.com/slackapi/slack-github-action#setup-2
+
+name: Release Notifications
+on:
+  workflow_call:
+    inputs:
+      repo_name:
+        required: true
+        type: string
+      release_tag:
+        required: true
+        type: string
+      release_url:
+        required: true
+        type: string
+    secrets:
+      SLACK_WEBHOOK_URL:
+        required: true
+
+# Grant no permissions to this workflow.
+permissions: {}
+
+jobs:
+  slack:
+    name: Slack release notification
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Notify via Slack
+      run: |
+        curl --header "Content-Type: application/json; charset=UTF-8" --request POST --data "$SLACK_WEBHOOK_MSG" "$SLACK_WEBHOOK_URL"
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_MSG: |
+          {
+            "text": "${{ inputs.repo_name }} published a new release ${{ inputs.release_tag }}",
+            "blocks": [
+              {
+                "type": "section",
+                "text": {
+                  "type": "mrkdwn",
+                  "text": "*${{ inputs.repo_name }}* published a new release <${{ inputs.release_url }}|${{ inputs.release_tag }}>"
+                }
+              }
+            ]
+          }

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,71 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Run CodeQL over the package. For more configuration options see codeql/codeql-config.yaml
+# and: https://github.com/github/codeql-action
+
+name: CodeQL
+on:
+  push:
+    branches:
+    - main
+    - staging
+  pull_request:
+    branches:
+    - main
+    - staging
+    # Avoid unnecessary scans of pull requests.
+    paths:
+    - '**/*.py'
+  schedule:
+  - cron: 20 15 * * 3
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+        language: [python]
+        python: ['3.11']
+    steps:
+
+    - name: Checkout repository
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+
+    - name: Set up Python ${{ matrix.python }}
+      uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 # v4.3.0
+      with:
+        python-version: ${{ matrix.python }}
+
+    # For more details see the comment in _build.yaml.
+    - name: Create empty virtual environment for Actions
+      run: mkdir .venv
+    - name: Install dependencies
+      run: make setup
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31
+      with:
+        languages: ${{ matrix.language }}
+        config-file: .github/codeql/codeql-config.yaml
+        # Override the default behavior so that the action doesn't attempt
+        # to auto-install Python dependencies
+        setup-python-dependencies: false
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31

.github/workflows/dependabot-automerge.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Automatically merge Dependabot PRs upon approval by leaving
+# a comment on Dependabot's pull-request.
+
+name: Automerge Dependabot PR
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  comment:
+    if: ${{ github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Merge Dependabot PR
+      run: gh pr comment --body "@dependabot squash and merge" "$PR_URL"
+      env:
+        PR_URL: ${{ github.event.pull_request.html_url }}
+        GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}