Skip to content

Commit 67156b5

Browse files
authored
Merge pull request finos#229 from finos/chore/merge-k8s-finos
chore: bring k8s/finos portion into main repo
2 parents 4a874c4 + 9236072 commit 67156b5

104 files changed

Lines changed: 9873 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

k8s/.github/CODE_OF_CONDUCT.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
# Code of Conduct for Open Resource Broker
2+
3+
Please see the [Community Code of Conduct](https://www.finos.org/code-of-conduct).
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
---
2+
name: "\U0001F91D Open Resource Broker Meeting Minutes"
3+
about: To track Open Resource Broker meeting agenda and attendance
4+
title: DD MMM YYYY - Open Resource Broker Meeting Minutes
5+
labels: meeting
6+
assignees:
7+
8+
---
9+
10+
## Date
11+
YYYYMMDD - time
12+
13+
## Meeting Details
14+
- Meeting link :
15+
- Register for future meetings:
16+
17+
## Untracked attendees
18+
- Fullname, Affiliation, (optional) GitHub username
19+
- ...
20+
21+
## Meeting notices
22+
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
23+
24+
- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
25+
26+
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
27+
28+
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
29+
30+
## Agenda
31+
- [ ] Convene & roll call (5mins)
32+
- [ ] Display [FINOS Antitrust Policy summary slide](https://community.finos.org/Compliance-Slides/Antitrust-Compliance-Slide.pdf)
33+
- [ ] Review Meeting Notices (see above)
34+
- [ ] Approve past meeting minutes
35+
- [ ] Agenda item 1
36+
- [ ] Agenda item 2
37+
- [ ] ...
38+
- [ ] AOB, Q&A & Adjourn (5mins)
39+
40+
## Decisions Made
41+
- [ ] Decision 1
42+
- [ ] Decision 2
43+
- [ ] ...
44+
45+
## Action Items
46+
- [ ] Action 1
47+
- [ ] Action 2
48+
- [ ] ...

k8s/.github/conf/bandit.conf

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
exclude_dirs:
2+
- tests
3+
- alembic/versions
4+
tests: []
5+
skips:
6+
- B101 # assert statements (used intentionally for invariant checks)
7+
- B108 # hardcoded /tmp paths (intentional for test and working directories)
8+
- B311 # random module usage (not for security, just for load balancing/testing)
9+
- B603 # subprocess without shell=True (validated inputs, not user-controlled)
Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
name: License Scanning
2+
3+
permissions:
4+
contents: read
5+
6+
on:
7+
schedule:
8+
- cron: '0 8,18 * * 1-5'
9+
push:
10+
paths:
11+
- 'pyproject.toml'
12+
- 'constraints.txt'
13+
- '.github/workflows/license-scanning.yml'
14+
pull_request:
15+
paths:
16+
- 'pyproject.toml'
17+
- 'constraints.txt'
18+
- '.github/workflows/license-scanning.yml'
19+
20+
env:
21+
# FINOS-compatible permissive licenses (SPDX identifiers and common variations)
22+
ALLOW_LICENSES: >-
23+
MIT License;MIT;MIT-0;MIT No Attribution License (MIT-0);MIT AND Python-2.0;
24+
Apache Software License;Apache-2.0;Apache 2.0;Apache-2.0 AND BSD-2-Clause;
25+
BSD License;BSD-2-Clause;BSD-3-Clause;
26+
Python Software Foundation License;PSF-2.0;
27+
ISC License (ISCL);ISC;
28+
Mozilla Public License 2.0 (MPL 2.0);MPL-2.0;
29+
The Unlicense (Unlicense);Unlicense
30+
31+
# Packages manually verified as FINOS-compatible but with non-standard license metadata
32+
# wrapt: BSD-2-Clause (full license text in metadata instead of identifier)
33+
VERIFIED_PACKAGES: "open-resource-broker wrapt"
34+
35+
jobs:
36+
scan:
37+
name: Scan Python dependencies for licenses
38+
runs-on: ubuntu-latest
39+
steps:
40+
- uses: actions/checkout@v4
41+
- uses: actions/setup-python@v5
42+
with:
43+
python-version: "3.12"
44+
- name: Install dependencies and pip-licenses
45+
run: |
46+
pip install pip-licenses
47+
pip install -e .
48+
- name: Show all licenses
49+
run: |
50+
echo "=== All detected licenses ==="
51+
pip-licenses --format=markdown
52+
- name: Check allowed licenses
53+
run: |
54+
ALLOW_LICENSES_CLEAN=$(echo "${{ env.ALLOW_LICENSES }}" | tr -d '\n' | sed 's/ */ /g')
55+
pip-licenses --allow-only="${ALLOW_LICENSES_CLEAN}" --ignore-packages ${{ env.VERIFIED_PACKAGES }}
Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
on:
2+
push:
3+
branches: [ "main" ]
4+
# Temporarily disabled for rename PR - nix build needs pyproject.toml fixes
5+
# pull_request:
6+
# branches: [ "main" ]
7+
8+
permissions:
9+
contents: read
10+
11+
jobs:
12+
tests:
13+
runs-on: ubuntu-latest
14+
steps:
15+
- uses: actions/checkout@v4
16+
- uses: cachix/install-nix-action@v27
17+
with:
18+
github_access_token: ${{ secrets.GITHUB_TOKEN }}
19+
- run: nix build
20+
- run: nix flake check

k8s/.github/workflows/py_scan.yml

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
name: Python Code Scanning
2+
3+
on: [push, pull_request]
4+
5+
permissions:
6+
contents: read
7+
security-events: write
8+
9+
jobs:
10+
11+
bandit:
12+
name: Bandit Scan
13+
runs-on: ubuntu-latest
14+
env:
15+
BANDIT_REPORT_FILE: bandit_report.sarif
16+
steps:
17+
- name: Checkout code
18+
uses: actions/checkout@v4
19+
- name: Install Bandit + SARIF formatter
20+
run: pip install bandit bandit-sarif-formatter
21+
- name: Run Bandit (SARIF)
22+
run: >
23+
bandit --format sarif --exit-zero --recursive
24+
--configfile .github/conf/bandit.conf
25+
--output ${{ env.BANDIT_REPORT_FILE }} .
26+
- name: Upload SARIF to GitHub Security
27+
uses: github/codeql-action/upload-sarif@v3
28+
if: always()
29+
with:
30+
sarif_file: ${{ env.BANDIT_REPORT_FILE }}
31+
- name: Upload Bandit SARIF as artifact
32+
uses: actions/upload-artifact@v4
33+
with:
34+
name: bandit_report.sarif
35+
path: ${{ env.BANDIT_REPORT_FILE }}
36+
37+
ruff:
38+
name: Ruff Scan
39+
runs-on: ubuntu-latest
40+
env:
41+
RUFF_REPORT_FILE: ruff-results.sarif
42+
steps:
43+
- name: Checkout code
44+
uses: actions/checkout@v4
45+
- name: Set up Python
46+
uses: actions/setup-python@v5
47+
with:
48+
python-version: '3.x'
49+
- name: Install Ruff
50+
run: pip install ruff
51+
- name: Run Ruff (SARIF)
52+
run: ruff check . --output-format sarif > ${{ env.RUFF_REPORT_FILE }}
53+
- name: Upload SARIF to GitHub Security
54+
uses: github/codeql-action/upload-sarif@v3
55+
if: always()
56+
with:
57+
sarif_file: ${{ env.RUFF_REPORT_FILE }}
58+
- name: Upload Ruff SARIF as artifact
59+
uses: actions/upload-artifact@v4
60+
with:
61+
name: ruff-results.sarif
62+
path: ${{ env.RUFF_REPORT_FILE }}
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# This workflow will install Python dependencies, run tests and lint with a single version of Python
2+
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
3+
4+
name: Python application
5+
6+
on:
7+
push:
8+
branches: [ "main" ]
9+
pull_request:
10+
branches: [ "main" ]
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
build:
17+
18+
runs-on: ubuntu-latest
19+
20+
steps:
21+
- uses: actions/checkout@v4
22+
- name: Set up Python 3.12
23+
uses: actions/setup-python@v3
24+
with:
25+
python-version: "3.12"
26+
- name: Install dependencies
27+
run: |
28+
python -m pip install --upgrade pip
29+
pip install uv
30+
uv venv
31+
uv pip install -r constraints.txt
32+
uv pip install -e .
33+
- name: ruff-action
34+
uses: astral-sh/ruff-action@v3.2.1
35+
with:
36+
# Path to a pyproject.toml or requirements.txt file to read the version from.
37+
version-file: pyproject.toml
38+
- name: Test with pytest
39+
run: |
40+
source .venv/bin/activate
41+
pytest
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
# This workflow will upload a Python Package to PyPI when a release is created
2+
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
3+
4+
5+
name: Upload Python Package
6+
7+
on:
8+
release:
9+
types: [published]
10+
11+
permissions:
12+
contents: read
13+
14+
jobs:
15+
release-build:
16+
runs-on: ubuntu-latest
17+
18+
steps:
19+
- uses: actions/checkout@v4
20+
with:
21+
fetch-depth: 0
22+
fetch-tags: true
23+
24+
- uses: actions/setup-python@v5
25+
with:
26+
python-version: "3.12"
27+
28+
- name: Build release distributions
29+
run: |
30+
python -m pip install --upgrade pip
31+
pip install uv
32+
uv venv
33+
uv pip install -r constraints.txt
34+
uv build
35+
36+
- name: Upload distributions
37+
uses: actions/upload-artifact@v4
38+
with:
39+
name: release-dists
40+
path: dist/
41+
42+
pypi-publish:
43+
runs-on: ubuntu-latest
44+
needs:
45+
- release-build
46+
permissions:
47+
# IMPORTANT: this permission is mandatory for trusted publishing
48+
id-token: write
49+
50+
# Dedicated environments with protections for publishing are strongly recommended.
51+
# For more information, see: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules
52+
environment:
53+
name: pypi
54+
url: https://github.com/morganstanley/symphony-hostfactory/${{ github.event.release.tag_name }}
55+
56+
steps:
57+
- name: Retrieve release distributions
58+
uses: actions/download-artifact@v4
59+
with:
60+
name: release-dists
61+
path: dist/
62+
63+
- name: Publish release distributions to PyPI
64+
uses: pypa/gh-action-pypi-publish@release/v1
65+
with:
66+
packages-dir: dist/
67+
password: ${{ secrets.PYPI_API_TOKEN }}

0 commit comments

Comments
 (0)