Merge pull request #5 from Workiva/bootstrap

CID-12231: Create Semgrep custom action

Author: rmconsole7-wk

.eslintignore

@@ -0,0 +1,5 @@
+# See: https://eslint.org/docs/latest/use/configure/ignore
+coverage/
+dist/
+lib/
+node_modules/

.eslintrc.json

@@ -0,0 +1,85 @@
+// See: https://eslint.org/docs/latest/use/configure/configuration-files
+{
+  "env": {
+    "node": true,
+    "es6": true,
+    "jest": true
+  },
+  "globals": {
+    "Atomics": "readonly",
+    "SharedArrayBuffer": "readonly"
+  },
+  "ignorePatterns": [
+    "!.*",
+    "**/coverage/.*",
+    "**/dist/.*",
+    "**/node_modules/.*",
+    "*.json"
+  ],
+  "parser": "@typescript-eslint/parser",
+  "parserOptions": {
+    "ecmaVersion": 2023,
+    "sourceType": "module",
+    "project": ["./.github/linters/tsconfig.json", "./tsconfig.json"]
+  },
+  "plugins": ["@typescript-eslint", "jest"],
+  "extends": [
+    "eslint:recommended",
+    "plugin:@typescript-eslint/eslint-recommended",
+    "plugin:@typescript-eslint/recommended",
+    "plugin:github/recommended",
+    "plugin:jest/recommended"
+  ],
+  "rules": {
+    "@typescript-eslint/array-type": "error",
+    "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-comment": "error",
+    "@typescript-eslint/consistent-type-assertions": "error",
+    "@typescript-eslint/explicit-function-return-type": [
+      "error",
+      { "allowExpressions": true }
+    ],
+    "@typescript-eslint/explicit-member-accessibility": [
+      "error",
+      { "accessibility": "no-public" }
+    ],
+    "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/no-array-constructor": "error",
+    "@typescript-eslint/no-empty-interface": "error",
+    "@typescript-eslint/no-explicit-any": "error",
+    "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-for-in-array": "error",
+    "@typescript-eslint/no-inferrable-types": "error",
+    "@typescript-eslint/no-misused-new": "error",
+    "@typescript-eslint/no-namespace": "error",
+    "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-require-imports": "error",
+    "@typescript-eslint/no-shadow": "warn",
+    "@typescript-eslint/no-unnecessary-qualifier": "error",
+    "@typescript-eslint/no-unnecessary-type-assertion": "error",
+    "@typescript-eslint/no-unused-vars": "error",
+    "@typescript-eslint/no-useless-constructor": "error",
+    "@typescript-eslint/no-var-requires": "error",
+    "@typescript-eslint/prefer-for-of": "warn",
+    "@typescript-eslint/prefer-function-type": "warn",
+    "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-string-starts-ends-with": "error",
+    "@typescript-eslint/promise-function-async": "error",
+    "@typescript-eslint/require-array-sort-compare": "error",
+    "@typescript-eslint/restrict-plus-operands": "error",
+    "@typescript-eslint/semi": ["error", "never"],
+    "@typescript-eslint/space-before-function-paren": "off",
+    "@typescript-eslint/type-annotation-spacing": "error",
+    "@typescript-eslint/unbound-method": "error",
+    "camelcase": "off",
+    "eslint-comments/no-unused-disable": "off",
+    "eslint-comments/no-use": "off",
+    "i18n-text/no-en": "off",
+    "import/no-namespace": "off",
+    "no-console": "off",
+    "no-shadow": "off",
+    "no-unused-vars": "off",
+    "prettier/prettier": "error",
+    "semi": "off"
+  }
+}

.gitattributes

@@ -0,0 +1,6 @@
+# See: https://git-scm.com/docs/gitattributes
+#
+# Used in conjunction with .github/workflows/check-dist.yml.
+* text=auto eol=lf
+
+dist/** -diff linguist-generated=true

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+*   @Workiva/cid-maintainers

.github/dependabot.yml

@@ -0,0 +1,36 @@
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+registries:
+  artifactory:
+    type: npm-registry
+    url: https://workivaeast.jfrog.io/workivaeast/api/npm-prod/
+    username: '${{secrets.NPM_REGISTRY_WORKIVAEAST_JFROG_IO_WORKIVAEAST_API_NPM_PROD_USERNAME}}'
+    password: '${{secrets.NPM_REGISTRY_WORKIVAEAST_JFROG_IO_WORKIVAEAST_API_NPM_PROD_PASSWORD}}'
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'monday'
+      time: '10:00'
+      timezone: 'America/Chicago'
+    groups:
+      gha-dependencies:
+        patterns:
+          - 'actions/'
+          - 'workiva/gha-*'
+  # Maintain dependencies for NPM
+  - package-ecosystem: 'npm'
+    directory: '/'
+    registries:
+      - artifactory
+    schedule:
+      interval: 'weekly'
+      day: 'monday'
+      time: '10:00'
+      timezone: 'America/Chicago'
+    groups:
+      all:
+        patterns:
+          - '*'

.github/linters/tsconfig.json

@@ -0,0 +1,13 @@
+// See: https://www.typescriptlang.org/tsconfig/
+//
+// This TSConfig file is used for linting. The TSConfig file in the root
+// directory is used for specifying the TypeScript project.
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["../../__tests__/**/*", "../../src/**/*"],
+  "exclude": ["../../coverage", "../../dist", "../../node_modules", "*.json"]
+}

.github/workflows/check-dist.yml

@@ -0,0 +1,44 @@
+# In TypeScript actions, `dist/` is a special directory. When you reference an
+# action with the `uses` syntax, `dist/index.js` is the code that will be run
+# (see action.yml).
+#
+# For this project, the `dist/index.js` file is transpiled from other source
+# files. This workflow ensures the `dist/` directory contains the expected
+# transpiled code.
+name: Check dist/
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  check-dist:
+    runs-on: [self-hosted, xs]
+    steps:
+      - uses: actions/checkout@v4
+      - name: 'Set up Node'
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: 'Install dependencies'
+        run: npm ci
+      - name: 'Build dist/ directory'
+        run: npm run bundle
+      # The following will fail if the `dist/` directory differs from the
+      # committed `dist/` directory.
+      - name: 'Compare expected and actual dist/ directories'
+        id: diff
+        run: |
+          if [ ! -d dist/ ]; then
+            echo "Expected dist/ directory does not exist. See status below:"
+            ls -la ./
+            exit 1
+          fi
+          if [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build. See diff below:"
+            git diff --ignore-space-at-eol --text dist/
+            exit 1
+          fi

.github/workflows/ci.yml

@@ -0,0 +1,33 @@
+name: CI
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  test-typescript:
+    runs-on: [self-hosted, small]
+    steps:
+      - uses: actions/checkout@v4
+      - name: 'Set up Node'
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: 'Install dependencies'
+        run: npm ci
+      - name: 'Check formatting'
+        run: npm run format:check
+      - name: 'Lint'
+        run: npm run lint
+      - name: 'Test'
+        run: npm run test
+      - uses: Workiva/gha-upload-test-reports@v2.0.7
+  # test-action:
+  #   runs-on: [self-hosted, dev-small]
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - name: 'Test local action'
+  #       uses: ./

.github/workflows/codeql.yml

@@ -0,0 +1,36 @@
+name: CodeQL
+
+on:
+  push:
+    branches: ['*']
+  pull_request:
+    branches: ['*']
+  schedule:
+    # Runs at 07:00, only on Monday.
+    - cron: '0 9 * * 0'
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  security-events: write
+
+jobs:
+  codeql:
+    runs-on: [self-hosted, small]
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript-typescript
+    steps:
+      - uses: actions/checkout@v4
+      - name: 'Set up CodeQL'
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          source-root: src
+      - name: 'Attempt to automatically build code'
+        uses: github/codeql-action/autobuild@v3
+      - name: 'Perform CodeQL analysis'
+        uses: github/codeql-action/analyze@v3