Commit d330cdf

Add CI/CD, branch protection, and governance files
- Add CI workflow with ShellCheck, actionlint, and yamllint
- Add release workflow for automated releases with major version tags
- Add CODEOWNERS for code review requirements
- Add PR and issue templates
- Add SECURITY.md with security policy
- Add CONTRIBUTING.md with development guide
- Add pre-commit config for local linting
- Configure branch protection for main branch
1 parent a0f5f6b commit d330cdf

9 files changed

Lines changed: 385 additions & 0 deletions

.github/CODEOWNERS

Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
# Default code owners for all files
2+
* @anneschuth @uittenbroekrobbert
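Review bot: CODEOWNERS only enforces review when the branch protection rule for `main` has "Require review from Code Owners" enabled, and that rule is a repository setting that does not appear in any of the nine files here, even though the commit message lists "Configure branch protection for main branch". Suggest recording the applied rules in CONTRIBUTING.md (which status checks are required, for example the `ShellCheck`, `Action Lint` and `YAML Lint` jobs, and whether code-owner review is required) so the protection is reviewable and reproducible rather than living only in the UI.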
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
---
2+
name: Bug Report
3+
about: Report a bug in the ZAD Actions
4+
title: '[BUG] '
5+
labels: bug
6+
assignees: ''
7+
---
8+
9+
## Description
10+
11+
<!-- A clear description of what the bug is -->
12+
13+
## Action Used
14+
15+
- [ ] `deploy`
16+
- [ ] `cleanup`
17+
18+
## Version
19+
20+
<!-- Which version of the action are you using? (e.g., v1, v1.0.0) -->
21+
22+
## Steps to Reproduce
23+
24+
1.
25+
2.
26+
3.
27+
28+
## Expected Behavior
29+
30+
<!-- What you expected to happen -->
31+
32+
## Actual Behavior
33+
34+
<!-- What actually happened -->
35+
36+
## Error Output
37+
38+
```
39+
<!-- Paste any error messages here -->
40+
```
41+
42+
## Workflow File
43+
44+
```yaml
45+
<!-- Paste the relevant part of your workflow file here -->
46+
```
47+
48+
## Additional Context
49+
50+
<!-- Any other context about the problem -->
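Review bot: the "Error Output" and "Workflow File" sections ask reporters to paste raw logs and workflow YAML, and these actions consume `ZAD_API_KEY` and GitHub tokens; extend the HTML comments with a redaction reminder, e.g. `<!-- Paste any error messages here. Remove API keys, tokens and other secrets first -->`, so that a public bug report does not become a credential leak. It would also help triage to ask for the failing job's URL in the "Version" section, since "v1" resolves to whatever the major tag currently points at.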
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
---
2+
name: Feature Request
3+
about: Suggest a new feature or improvement
4+
title: '[FEATURE] '
5+
labels: enhancement
6+
assignees: ''
7+
---
8+
9+
## Description
10+
11+
<!-- A clear description of the feature you'd like -->
12+
13+
## Use Case
14+
15+
<!-- Describe the problem this feature would solve -->
16+
17+
## Proposed Solution
18+
19+
<!-- Describe your proposed solution -->
20+
21+
## Alternatives Considered
22+
23+
<!-- Any alternative solutions you've considered -->
24+
25+
## Additional Context
26+
27+
<!-- Any other context, mockups, or examples -->

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
## Description
2+
3+
<!-- Describe your changes -->
4+
5+
## Type of Change
6+
7+
- [ ] Bug fix
8+
- [ ] New feature
9+
- [ ] Breaking change (changes to action inputs/outputs)
10+
- [ ] Documentation update
11+
12+
## Checklist
13+
14+
- [ ] I have tested these changes locally
15+
- [ ] I have updated the documentation (if applicable)
16+
- [ ] My changes follow the existing code style
17+
- [ ] I have added/updated comments where necessary
18+
19+
## Testing
20+
21+
<!-- Describe how you tested your changes -->
22+
23+
## Breaking Changes
24+
25+
<!-- If this is a breaking change, describe what users need to update -->
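Review bot: the "Checklist" has no security item, although SECURITY.md (in this same commit) promises that every input is validated and that the API key is never logged; add two checkboxes so reviewers see the claim being upheld per change, for example `- [ ] New or changed inputs are validated before use (see SECURITY.md)` and `- [ ] No secrets or tokens are printed to the job log`. Pairing those with the existing "Breaking change (changes to action inputs/outputs)" box also reminds authors that a new input is an injection surface, not just an API change.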

.github/workflows/ci.yml

Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,81 @@
1+
name: CI
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
9+
jobs:
10+
shellcheck:
11+
name: ShellCheck
12+
runs-on: ubuntu-latest
13+
steps:
14+
- uses: actions/checkout@v4
15+
16+
- name: Install ShellCheck
17+
run: sudo apt-get update && sudo apt-get install -y shellcheck
18+
19+
- name: Extract and lint bash scripts from action.yml files
20+
run: |
21+
set -e
22+
EXIT_CODE=0
23+
24+
for action_file in deploy/action.yml cleanup/action.yml; do
25+
echo "Checking $action_file..."
26+
27+
# Extract all bash run blocks from the action file
28+
# Using yq to parse YAML and extract run scripts
29+
SCRIPTS=$(yq eval '.runs.steps[].run // empty' "$action_file" 2>/dev/null || echo "")
30+
31+
if [ -n "$SCRIPTS" ]; then
32+
# Create temp file for each script block
33+
STEP_NUM=0
34+
echo "$SCRIPTS" | while IFS= read -r script; do
35+
if [ -n "$script" ]; then
36+
STEP_NUM=$((STEP_NUM + 1))
37+
TEMP_FILE=$(mktemp)
38+
echo "#!/bin/bash" > "$TEMP_FILE"
39+
echo "$script" >> "$TEMP_FILE"
40+
41+
echo " Checking step $STEP_NUM..."
42+
if ! shellcheck -x -s bash "$TEMP_FILE" 2>&1; then
43+
EXIT_CODE=1
44+
fi
45+
rm -f "$TEMP_FILE"
46+
fi
47+
done
48+
fi
49+
done
50+
51+
exit $EXIT_CODE
52+
53+
actionlint:
54+
name: Action Lint
55+
runs-on: ubuntu-latest
56+
steps:
57+
- uses: actions/checkout@v4
58+
59+
- name: Install actionlint
60+
run: |
61+
bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
62+
63+
- name: Lint action.yml files
64+
run: |
65+
./actionlint deploy/action.yml cleanup/action.yml
66+
67+
yaml-lint:
68+
name: YAML Lint
69+
runs-on: ubuntu-latest
70+
steps:
71+
- uses: actions/checkout@v4
72+
73+
- name: Install yamllint
74+
run: pip install yamllint
75+
76+
- name: Lint YAML files
77+
run: |
78+
yamllint -d "{extends: relaxed, rules: {line-length: {max: 150}}}" \
79+
deploy/action.yml \
80+
cleanup/action.yml \
81+
.github/workflows/*.yml
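Review bot: the ShellCheck job can never fail. `echo "$SCRIPTS" | while IFS= read -r script; do ... EXIT_CODE=1 ... done` runs the loop in a pipeline subshell, so the `EXIT_CODE=1` assignment is lost and the trailing `exit $EXIT_CODE` always exits 0; use `done < <(yq ...)` (process substitution keeps the loop in the current shell) or `exit 1` from inside the loop combined with `set -o pipefail`. Separately, `read -r script` reads one line at a time, so each line of a multi-line `run:` block is written to its own temp file and checked in isolation, which loses variable definitions and control flow; iterate over step indexes instead (e.g. `yq '.runs.steps | length'` and then `yq ".runs.steps[$i].run // empty"`) so each script is linted whole. The `2>/dev/null || echo ""` on the `yq` call also hides parse errors, so a malformed action file passes silently. Finally, `bash <(curl -s https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)` executes an unpinned script from `main`; the pre-commit config in this commit already pins actionlint to `v1.7.7`, so install that same release here (the download script accepts a version argument) and verify its checksum, keeping CI and local results comparable.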

.github/workflows/release.yml

Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
name: Release
2+
3+
on:
4+
push:
5+
tags:
6+
- 'v*.*.*'
7+
8+
permissions:
9+
contents: write
10+
11+
jobs:
12+
release:
13+
name: Create Release
14+
runs-on: ubuntu-latest
15+
steps:
16+
- uses: actions/checkout@v4
17+
18+
- name: Extract version info
19+
id: version
20+
run: |
21+
TAG=${GITHUB_REF#refs/tags/}
22+
MAJOR=$(echo "$TAG" | cut -d. -f1)
23+
echo "tag=$TAG" >> $GITHUB_OUTPUT
24+
echo "major=$MAJOR" >> $GITHUB_OUTPUT
25+
26+
- name: Create GitHub Release
27+
uses: softprops/action-gh-release@v2
28+
with:
29+
tag_name: ${{ steps.version.outputs.tag }}
30+
name: ${{ steps.version.outputs.tag }}
31+
generate_release_notes: true
32+
draft: false
33+
prerelease: false
34+
35+
- name: Update major version tag
36+
run: |
37+
MAJOR=${{ steps.version.outputs.major }}
38+
git config user.name "github-actions[bot]"
39+
git config user.email "github-actions[bot]@users.noreply.github.com"
40+
41+
# Delete the major tag if it exists (both local and remote)
42+
git tag -d "$MAJOR" 2>/dev/null || true
43+
git push origin ":refs/tags/$MAJOR" 2>/dev/null || true
44+
45+
# Create and push the new major tag pointing to this commit
46+
git tag "$MAJOR"
47+
git push origin "$MAJOR"
48+
49+
echo "Updated $MAJOR tag to point to ${{ steps.version.outputs.tag }}"
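Review bot: `MAJOR=${{ steps.version.outputs.major }}` (and the `${{ ... }}` in the final `echo`) is substituted into the shell script before it runs, and the value is derived from the pushed tag name, which the `v*.*.*` filter does not restrict to safe characters; pass the value through `env:` instead (`env: MAJOR: ${{ steps.version.outputs.major }}`) and use `"$MAJOR"` in the script, and quote `"$GITHUB_OUTPUT"` in the "Extract version info" step. Two consistency points against SECURITY.md in this same commit: `softprops/action-gh-release@v2` is pinned to a mutable tag while the policy tells users to pin, so pin it to a commit SHA with the version in a comment; and the "Update major version tag" step deletes and recreates `v1` on every release, which is the reason SECURITY.md's "use `@v1.0.0` instead of `@v1`" advice should really say "pin to a commit SHA", since `v1.0.0` is itself a tag this workflow could re-point.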

.pre-commit-config.yaml

Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
repos:
2+
- repo: https://github.com/koalaman/shellcheck-precommit
3+
rev: v0.10.0
4+
hooks:
5+
- id: shellcheck
6+
args: ["-x"]
7+
8+
- repo: https://github.com/rhysd/actionlint
9+
rev: v1.7.7
10+
hooks:
11+
- id: actionlint
12+
13+
- repo: https://github.com/pre-commit/pre-commit-hooks
14+
rev: v5.0.0
15+
hooks:
16+
- id: trailing-whitespace
17+
- id: end-of-file-fixer
18+
- id: check-yaml
19+
- id: check-added-large-files
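Review bot: the local hooks do not cover what CI checks. `shellcheck-precommit` runs only on files pre-commit identifies as shell scripts, so the bash embedded in the `run:` blocks of `deploy/action.yml` and `cleanup/action.yml` (which is exactly what the CI ShellCheck job extracts) is never linted locally, and no yamllint hook is configured although CI runs `yamllint` with `relaxed` rules and `line-length: {max: 150}`. Suggest adding the `https://github.com/adrienverge/yamllint` hook (id `yamllint`) with the same `-d` arguments, and either a small local hook that extracts the `run:` scripts the way ci.yml does or a note in CONTRIBUTING.md that embedded scripts are only checked in CI. Note also that actionlint is pinned to `v1.7.7` here but CI installs whatever the unpinned download script fetches; keep the two on the same version.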

CONTRIBUTING.md

Lines changed: 90 additions & 0 deletions
@@ -0,0 +1,90 @@
1+
# Contributing to ZAD Actions
2+
3+
Thank you for your interest in contributing to ZAD Actions!
4+
5+
## Development Setup
6+
7+
### Prerequisites
8+
9+
- Git
10+
- [pre-commit](https://pre-commit.com/) (for local linting)
11+
- [ShellCheck](https://www.shellcheck.net/) (for bash script linting)
12+
- [actionlint](https://github.com/rhysd/actionlint) (for GitHub Actions validation)
13+
14+
### Setting Up Pre-commit Hooks
15+
16+
```bash
17+
# Install pre-commit
18+
pip install pre-commit
19+
20+
# Install the git hooks
21+
pre-commit install
22+
23+
# Run hooks manually on all files
24+
pre-commit run --all-files
25+
```
26+
27+
## Development Workflow
28+
29+
1. **Fork the repository** and clone your fork
30+
2. **Create a branch** for your changes: `git checkout -b feature/my-feature`
31+
3. **Make your changes** and ensure they pass linting
32+
4. **Test your changes** in a real workflow (see Testing below)
33+
5. **Commit your changes** with a clear message
34+
6. **Push and create a pull request**
35+
36+
## Testing
37+
38+
### Testing Locally
39+
40+
Run the pre-commit hooks to validate your changes:
41+
42+
```bash
43+
pre-commit run --all-files
44+
```
45+
46+
### Testing in a Workflow
47+
48+
To test action changes in a real workflow:
49+
50+
1. Push your branch to your fork
51+
2. Reference your branch in a test workflow:
52+
```yaml
53+
- uses: your-username/zad-actions/deploy@your-branch
54+
```
55+
3. Verify the action works as expected
56+
57+
## Code Style
58+
59+
- **Bash scripts**: Follow [Google's Shell Style Guide](https://google.github.io/styleguide/shellguide.html)
60+
- **YAML**: Use 2-space indentation
61+
- **Input validation**: Always validate user inputs before using them
62+
- **Error handling**: Provide clear error messages
63+
64+
## Commit Messages
65+
66+
Use clear, descriptive commit messages:
67+
68+
- `feat: Add support for multiple components`
69+
- `fix: Handle 404 response correctly`
70+
- `docs: Update authentication documentation`
71+
- `chore: Update CI workflow`
72+
73+
## Versioning
74+
75+
This project uses [Semantic Versioning](https://semver.org/):
76+
77+
- **Major** (v2.0.0): Breaking changes to action inputs/outputs
78+
- **Minor** (v1.1.0): New features, new optional inputs
79+
- **Patch** (v1.0.1): Bug fixes, documentation updates
80+
81+
## Pull Request Process
82+
83+
1. Update the README.md if you changed inputs/outputs
84+
2. Update action descriptions if applicable
85+
3. Ensure all CI checks pass
86+
4. Request review from a maintainer
87+
88+
## Questions?
89+
90+
Open an issue with the `question` label if you have questions about contributing.
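Review bot: "Prerequisites" and "Testing Locally" state that `pre-commit run --all-files` validates a change, but CI additionally depends on `yq` (used by the ShellCheck extraction step) and `yamllint`, neither of which is listed; add both to the prerequisites so a contributor can reproduce a CI failure locally, or point out that the embedded-script lint only runs in CI. In "Testing in a Workflow", step 2's `uses: your-username/zad-actions/deploy@your-branch` pulls the action from a fork branch; worth stating that such test workflows should use a non-production `ZAD_API_KEY` and project, since SECURITY.md in this commit tells users to keep the production key in a restricted environment.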

SECURITY.md

Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
| ------- | ------------------ |
7+
| v1.x.x | :white_check_mark: |
8+
9+
## Reporting a Vulnerability
10+
11+
If you discover a security vulnerability in ZAD Actions, please report it responsibly:
12+
13+
1. **Do not** open a public GitHub issue for security vulnerabilities
14+
2. Email the maintainers directly or use GitHub's private vulnerability reporting feature
15+
3. Include a detailed description of the vulnerability and steps to reproduce
16+
17+
## Security Considerations
18+
19+
### API Key Handling
20+
21+
- Always store your ZAD API key as a GitHub secret (`ZAD_API_KEY`)
22+
- Never commit API keys to your repository
23+
- The action uses the API key via environment variables and never logs it
24+
25+
### Input Validation
26+
27+
The actions validate all inputs to prevent injection attacks:
28+
- `project-id`, `deployment-name`, and `component` are validated to contain only alphanumeric characters, hyphens, underscores, and dots
29+
- Container-related inputs are validated to prevent command injection
30+
31+
### Token Permissions
32+
33+
Use the principle of least privilege when configuring GitHub tokens:
34+
- `github-token`: Only needs `deployments: write` and `packages: delete` (if using container cleanup)
35+
- `github-admin-token`: Required only for environment deletion; use a dedicated token with minimal scope
36+
37+
## Best Practices
38+
39+
1. **Pin to specific versions**: Use `@v1.0.0` instead of `@v1` in production workflows for reproducibility
40+
2. **Review actions before use**: Audit the action code before using it in your workflows
41+
3. **Limit secret access**: Only expose secrets to jobs that need them
42+
4. **Use environments**: Configure GitHub environments with required reviewers for production deployments
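Review bot: "Pin to specific versions: Use `@v1.0.0` instead of `@v1`" does not give reproducibility, because version tags are mutable and the release workflow added in this commit itself deletes and re-pushes the major tag; the reliable form is pinning to the full commit SHA with the version noted in a comment, which also matches the "Review actions before use" item since the SHA is what was audited. In "Reporting a Vulnerability", "Email the maintainers directly" names no address; either add one or make GitHub's private vulnerability reporting the single documented channel. Under "Token Permissions", `packages: delete` is not a value the workflow `permissions:` block accepts for `GITHUB_TOKEN` (values are `read`, `write`, `none`); package deletion needs a personal access token with the `delete:packages` scope, so state which token type `github-token` is expected to be for cleanup, and say the same for `github-admin-token`.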
