git[hub] plumbing update

Author: alindt

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: alindt
+liberapay: alindt

.github/dependabot.yml

@@ -0,0 +1,40 @@
+version: 2
+updates:
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "alindt"
+    assignees:
+      - "alindt"
+
+  # Enable version updates for npm packages (for markdownlint)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "alindt"
+    assignees:
+      - "alindt"
+
+  # Enable version updates for Python packages (for yamllint)
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "alindt"
+    assignees:
+      - "alindt"

.github/workflows/lint-test.yml

@@ -0,0 +1,60 @@
+name: Lint and Test Charts
+
+on:
+  pull_request:
+    branches: [ main, master ]
+  push:
+    branches: [ main, master ]
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/[email protected]
+
+      - name: Add Bitnami repository
+        run: helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Update Helm repositories
+        run: helm repo update
+
+      - name: Lint charts
+        run: |
+          for chart in */Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            echo "Linting $chart_dir..."
+            helm lint "$chart_dir"
+          done
+
+      - name: Validate chart dependencies
+        run: |
+          for chart in */Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            echo "Validating dependencies for $chart_dir..."
+            helm dependency build "$chart_dir"
+            helm dependency update "$chart_dir"
+          done
+
+      - name: Test chart rendering
+        run: |
+          for chart in */Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            echo "Testing chart rendering for $chart_dir..."
+            helm template test "$chart_dir" --values "$chart_dir/values.yaml"
+          done
+
+      - name: Check for chart version bumps
+        run: |
+          for chart in */Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            echo "Checking version for $chart_dir..."
+            if [ -f "$chart_dir/Chart.lock" ]; then
+              echo "Chart.lock exists for $chart_dir - dependencies are locked"
+            else
+              echo "Warning: No Chart.lock found for $chart_dir"
+            fi
+          done

.github/workflows/markdown-lint.yml

@@ -0,0 +1,22 @@
+name: Markdown Lint
+
+on:
+  pull_request:
+    branches: [ main, master ]
+  push:
+    branches: [ main, master ]
+
+jobs:
+  markdown-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install markdownlint
+        run: |
+          npm install -g markdownlint-cli
+
+      - name: Lint markdown files
+        run: |
+          markdownlint "**/*.md" --config .markdownlint.json

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -31,4 +31,4 @@ jobs:
         with:
           charts_dir: '.'
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/security-scan.yml

@@ -0,0 +1,53 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches: [ main, master ]
+  push:
+    branches: [ main, master ]
+  schedule:
+    # Run weekly on Sundays
+    - cron: '0 0 * * 0'
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Check for secrets in code
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: .
+          base: HEAD~1
+          head: HEAD
+          extra_args: --only-verified --fail
+
+      - name: Check for hardcoded secrets
+        run: |
+          # Check for potential secrets in values files
+          if grep -r "password.*:" invidious/values.yaml; then
+            echo "Warning: Potential hardcoded passwords found in values.yaml"
+            exit 1
+          fi
+
+          # Check for potential secrets in templates
+          if grep -r "password.*:" invidious/templates/; then
+            echo "Warning: Potential hardcoded passwords found in templates"
+            exit 1
+          fi

.github/workflows/yaml-lint.yml

@@ -0,0 +1,31 @@
+name: YAML Lint
+
+on:
+  pull_request:
+    branches: [ main, master ]
+  push:
+    branches: [ main, master ]
+
+jobs:
+  yaml-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install yamllint
+        run: |
+          python -m pip install --upgrade pip
+          pip install yamllint
+
+      - name: Lint YAML files
+        run: |
+          yamllint -c .yamllint .
+        continue-on-error: true
+
+      - name: Check YAML syntax
+        run: |
+          find . -name "*.yml" -o -name "*.yaml" | while read -r file; do
+            echo "Checking $file..."
+            python -c "import yaml; yaml.safe_load(open('$file', 'r'))"
+          done

.gitignore

@@ -1,2 +1 @@
 .vscode/
-

.markdownlint.json

@@ -0,0 +1,27 @@
+{
+  "default": true,
+  "MD013": {
+    "line_length": 120,
+    "code_blocks": false,
+    "tables": false
+  },
+  "MD014": false,
+  "MD033": false,
+  "MD034": false,
+  "MD041": false,
+  "MD024": {
+    "siblings_only": true
+  },
+  "MD029": {
+    "style": "ordered"
+  },
+  "MD007": {
+    "indent": 2
+  },
+  "MD012": {
+    "maximum": 1
+  },
+  "MD026": {
+    "punctuation": ".,;:!"
+  }
+}

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        exclude: ^invidious/templates/
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-toml
+      - id: debug-statements
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+        args: [--config-file, .yamllint]
+        exclude: ^invidious/templates/
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.38.0
+    hooks:
+      - id: markdownlint
+        args: [--config, .markdownlint.json]