Skip to content

Commit 36cf8df

Browse files
Amit Kothari (from Dev Box)Copilot
andcommitted
feat: add CDM Starter Kit governance docs, workflows, and configuration
- GitHub governance: CODEOWNERS, issue/PR templates, dependabot config, settings.yml - CI workflows: Bicep lint, PR validate, secret scan, changelog, docs-drift, release version - Documentation: architecture, FAQ, consumer ingestion guide, implementation checklist, branch protection - OSS compliance: LICENSE (MIT), SECURITY.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SUPPORT.md - Configuration: bicepconfig.json, CHANGELOG.md, DEVELOPMENT.md OSPO Review: ossmsft/Reviews#54900 (Completed) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 294fb87 commit 36cf8df

26 files changed

Lines changed: 2792 additions & 2 deletions
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
---
2+
name: Bug Report
3+
about: Report a bug in the CDM Starter Kit
4+
title: "[BUG] "
5+
labels: bug
6+
assignees: ''
7+
---
8+
9+
## Description
10+
11+
A clear and concise description of what the bug is.
12+
13+
## Environment
14+
15+
- **Azure Subscription Region**: [e.g., eastus, westeurope]
16+
- **Deployment Method**: [Starter Kit UI / Bicep CLI]
17+
- **Resource Scope**: [e.g., one resource, entire template]
18+
- **OS** (if relevant): [e.g., Windows, macOS, Linux]
19+
20+
## Steps to Reproduce
21+
22+
1. Go to '...'
23+
2. Click on '...'
24+
3. Deploy with parameters '...'
25+
4. See error '...'
26+
27+
## Expected Behavior
28+
29+
What should happen instead.
30+
31+
## Actual Behavior
32+
33+
What actually happened.
34+
35+
## Error Messages
36+
37+
If applicable, paste any error messages or logs:
38+
39+
```
40+
[Error message or stack trace]
41+
```
42+
43+
## Additional Context
44+
45+
- Which resource types are affected? (Storage, Data Explorer, Synapse, RBAC, etc.)
46+
- Are you using default parameters or custom values?
47+
- Can you reproduce this consistently?
48+
- Did this work in a previous version?
49+
50+
## Checklist
51+
52+
- [ ] I have searched existing issues for duplicates
53+
- [ ] I have included environment details
54+
- [ ] I have included clear reproduction steps
55+
- [ ] I have included relevant error messages
56+
- [ ] I have **NOT included any secrets, subscription IDs, or credentials**
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
---
2+
name: Security Report
3+
about: Report a security vulnerability (please do NOT open a public issue)
4+
title: "[SECURITY] "
5+
labels: security
6+
---
7+
8+
## ⚠️ SECURITY REPORT - DO NOT SUBMIT PUBLICLY
9+
10+
**If you have found a security vulnerability, please do NOT open this as a public issue.**
11+
12+
Instead, report it privately via email to: **[anand.srivastava@microsoft.com](mailto:anand.srivastava@microsoft.com)**
13+
14+
See [SECURITY.md](../../SECURITY.md) for detailed reporting instructions.
15+
16+
---
17+
18+
## If You Are Opening This Anyway
19+
20+
Please include:
21+
22+
1. **Description**: Concise summary of the vulnerability
23+
2. **Affected Component**: Which file, module, or feature is affected?
24+
3. **Severity**: Critical / High / Medium / Low
25+
4. **Steps to Reproduce**: How can the vulnerability be demonstrated?
26+
5. **Potential Impact**: What could happen if this is exploited?
27+
6. **Suggested Fix** (if applicable): How might this be remediated?
28+
29+
**CRITICAL REMINDERS**:
30+
31+
- ❌ Do **NOT** include secrets, credentials, or sensitive data
32+
- ❌ Do **NOT** include working exploits or POC code
33+
- ❌ Do **NOT** disclose before maintainers have a chance to respond
34+
35+
## After Submitting
36+
37+
1. Wait for acknowledgment from maintainers
38+
2. Work with the team on a fix and timeline
39+
3. Coordinated disclosure will follow the resolution
40+
41+
**Thank you for helping keep this project secure.**

.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
## Description
2+
3+
Brief description of the changes in this PR.
4+
5+
## Related Issues
6+
7+
Closes #[issue number] (if applicable)
8+
9+
## Type of Change
10+
11+
- [ ] Bug fix (non-breaking)
12+
- [ ] New feature
13+
- [ ] Documentation update
14+
- [ ] Infrastructure improvement
15+
- [ ] Breaking change
16+
17+
## Changes Made
18+
19+
- Item 1
20+
- Item 2
21+
- Item 3
22+
23+
## Testing
24+
25+
How was this change tested? Include:
26+
- Environment details (region, resource types)
27+
- Steps taken to verify the fix
28+
- Any new test cases added
29+
30+
## Checklist
31+
32+
**Security & Compliance**
33+
34+
- [ ] No secrets, credentials, or API keys are included
35+
- [ ] No tenant IDs or subscription IDs are hardcoded
36+
- [ ] No certificate files or private keys are included
37+
- [ ] All values are parameterized or use examples only
38+
- [ ] Secret Scanning passed (no alerts)
39+
40+
**Code Quality**
41+
42+
- [ ] Bicep code follows project conventions
43+
- [ ] Templates are idempotent and repeatable
44+
- [ ] RBAC templates use built-in or clearly defined roles
45+
- [ ] Comments explain non-obvious logic
46+
47+
**Documentation**
48+
49+
- [ ] README.md updated (if user-facing changes)
50+
- [ ] docs/architecture.md updated (if architecture changes)
51+
- [ ] docs/faq.md updated (if new capabilities added)
52+
- [ ] Comments added to complex sections
53+
54+
**Compatibility**
55+
56+
- [ ] No breaking changes to existing templates
57+
- [ ] Backward compatible parameter names / defaults
58+
- [ ] Tested in multiple Azure regions (if applicable)
59+
60+
## Reviewers
61+
62+
@microsoft/cdm-vteam
63+
64+
---
65+
66+
## Additional Notes
67+
68+
Any additional context, concerns, or discussion points.

.github/dependabot.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
5+
schedule:
6+
interval: "weekly"
7+
day: "monday"
8+
time: "03:00"
9+
open-pull-requests-limit: 5
10+
reviewers:
11+
- "cdm-vteam"
12+
labels:
13+
- "dependencies"
14+
- "github-actions"
15+
commit-message:
16+
prefix: "chore"
17+
include: "scope"
18+
19+
- package-ecosystem: "gitsubmodule"
20+
directory: "/"
21+
schedule:
22+
interval: "weekly"
23+
day: "monday"
24+
time: "03:30"
25+
open-pull-requests-limit: 5
26+
reviewers:
27+
- "cdm-vteam"
28+
labels:
29+
- "dependencies"

.github/settings.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
# Repository settings as code
2+
# Requires GitHub Settings app / Probot Settings to apply automatically.
3+
# If not installed, use this as documentation for manual setup.
4+
5+
repository:
6+
has_issues: true
7+
has_projects: false
8+
has_wiki: false
9+
delete_branch_on_merge: true
10+
11+
branches:
12+
- name: main
13+
protection:
14+
required_pull_request_reviews:
15+
required_approving_review_count: 1
16+
dismiss_stale_reviews: true
17+
require_code_owner_reviews: true
18+
required_status_checks:
19+
strict: true
20+
contexts:
21+
- "Bicep Lint / lint-bicep"
22+
- "Secret Scan / secret-scan"
23+
- "PR Validate / validate-repo"
24+
- "Changelog Validate / validate-changelog"
25+
- "Docs Drift Check / docs-drift-check"
26+
enforce_admins: true
27+
restrictions: null
28+
required_conversation_resolution: true
29+
allow_force_pushes: false
30+
allow_deletions: false

.github/workflows/bicep-lint.yml

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
name: Bicep Lint
2+
3+
on:
4+
pull_request:
5+
paths:
6+
- '**/*.bicep'
7+
- 'bicepconfig.json'
8+
- '.github/workflows/bicep-lint.yml'
9+
push:
10+
branches:
11+
- main
12+
paths:
13+
- '**/*.bicep'
14+
- 'bicepconfig.json'
15+
workflow_dispatch:
16+
17+
permissions:
18+
contents: read
19+
20+
jobs:
21+
lint-bicep:
22+
name: lint-bicep
23+
runs-on: ubuntu-latest
24+
container:
25+
image: mcr.microsoft.com/azure-cli:2.62.0
26+
27+
steps:
28+
- name: Checkout
29+
uses: actions/checkout@v4
30+
31+
- name: Detect Bicep files
32+
id: detect
33+
shell: bash
34+
run: |
35+
FILES=$(git ls-files '*.bicep')
36+
if [ -z "$FILES" ]; then
37+
echo "found=false" >> "$GITHUB_OUTPUT"
38+
echo "No .bicep files found. Skipping lint/build."
39+
else
40+
echo "found=true" >> "$GITHUB_OUTPUT"
41+
printf '%s\n' "$FILES" > bicep_files.txt
42+
echo "Found Bicep files:"
43+
cat bicep_files.txt
44+
fi
45+
46+
- name: Install Bicep CLI
47+
if: steps.detect.outputs.found == 'true'
48+
shell: bash
49+
run: az bicep install
50+
51+
- name: Build all Bicep files
52+
if: steps.detect.outputs.found == 'true'
53+
shell: bash
54+
run: |
55+
set -euo pipefail
56+
while IFS= read -r file; do
57+
echo "Validating $file"
58+
az bicep build --file "$file" > /dev/null
59+
done < bicep_files.txt
60+
61+
- name: No-op when no Bicep files
62+
if: steps.detect.outputs.found != 'true'
63+
run: echo "Bicep lint check passed (no .bicep files present)."

0 commit comments

Comments
 (0)