pleo-io · mhuzkhan-pleo · May 1, 2024 · May 1, 2024
diff --git a/.github/workflows/close-stale-prs.yaml b/.github/workflows/close-stale-prs.yaml
@@ -0,0 +1,36 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
+
+# Warn and later close PRs that have had no activity for a specified amount of time.
+# This reminds us that code in most cases only provide value once merged.
+
+name: "Close Stale PRs"
+on:
+  schedule:
+    - cron: "0 9,16 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+        with:
+          stale-pr-label: stale
+          exempt-pr-labels: never-stale,dependencies
+          stale-pr-message: |
+            This PR is marked as stale since it has been open for 30 days with no activity. 
+
+            Remove the stale label or make a comment, otherwise the PR will be closed in 7 days.
+          close-pr-message: "This PR was closed because it has been stale for 7 days with no activity."
+          days-before-issue-stale: -1
+          days-before-pr-stale: 30
+          days-before-issue-close: -1
+          days-before-pr-close: 7
+          start-date: "2023-01-12"
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -0,0 +1,174 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/security
+
+name: CodeQL Analysis
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - develop
+  pull_request:
+    branches:
+      - main
+      - master
+      - develop
+
+env:
+  language_Kotlin: "java"
+  language_Java: "java"
+  language_Go: "go"
+  language_Python: "python"
+  language_JavaScript: "javascript"
+  language_TypeScript: "javascript"
+  WORKING_LANGUAGE: ""
+  CONFIG_FILE: ""
+  RUN_ON_DEFAULT_BRANCH: true
+  GRADLE_SCRIPT_PATH: ./gradlew
+  setWizCliDepsScanPath: .
+  setWizCliDepsPolicy: Pleo-Default-vulnerabilities-policy
+
+jobs:
+  preflight:
+    name: Determine if CodeQL should run
+    runs-on: ubuntu-latest
+    outputs:
+      should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
+      working_language: ${{steps.working_language_step.outputs.WORKING_LANGUAGE}}
+    steps:
+      - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
+        id: split
+        with:
+          msg: ${{ github.repository }}
+          separator: "/"
+      - id: get_default_branch
+        name: Determine our default branch
+        uses: octokit/[email protected]
+        with:
+          route: GET /repos/{owner}/{repo}
+          owner: ${{ github.repository_owner }}
+          repo: ${{ steps.split.outputs._1 }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - id: set_default_branch
+        name: Set our default branch
+        run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV"
+      - id: maybe_skip_analyze
+        name: Check if analyze should run
+        shell: bash
+        run: |
+          if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then
+            echo "Skipping CodeQL analysis on main branch due to configuration"
+            echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "Running CodeQL analysis"
+            echo "should_run_analyze=true" >> "$GITHUB_OUTPUT"
+          fi
+      - id: working_language_step
+        name: We check if the repository language is supported by CodeQL
+        run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"
+
+  wiz-cli:
+    name: Scan Dependencies with Wiz CLI
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+
+      - name: Check latest version of Wiz CLI
+        id: version_check
+        run: |
+          raw_output=$(curl -sL https://wizcli.app.wiz.io/latest/wizcli-version)
+          LATEST_VERSION=$(echo "$raw_output" | grep -oP '"\K[^-]*' | head -1) 
+          COMPLETE_VERSION=$(echo "$raw_output" | grep -oP '(?<=").*?(?=")')
+          echo "version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
+          echo "complete_version=$COMPLETE_VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Cache Wiz CLI
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        id: cache_wizcli
+        with:
+          path: wizcli-${{ steps.version_check.outputs.version }}
+          key: wizcli-${{ steps.version_check.outputs.version }}
+
+      - name: Download Wiz CLI
+        if: steps.cache_wizcli.outputs.cache-hit != 'true'
+        run: curl -o wizcli-${{ steps.version_check.outputs.version }} https://wizcli.app.wiz.io/${{ steps.version_check.outputs.complete_version }}/wizcli && chmod +x wizcli-${{ steps.version_check.outputs.version }}
+
+      - name: Authenticate to Wiz
+        env:
+          WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+          WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+        run: ./wizcli-${{ steps.version_check.outputs.version }} auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+
+      - name: Run wiz CLI Dependency Scan
+        run: ./wizcli-${{ steps.version_check.outputs.version }} dir scan --path "${{ env.setWizCliDepsScanPath }}" --policy "${{ env.setWizCliDepsPolicy }}"
+
+  analyze-code:
+    name: Analyze code with CodeQL
+    if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && (needs.preflight.outputs.working_language != '')}}
+    needs:
+      - preflight
+      - wiz-cli
+    runs-on: codeql-runner
+    timeout-minutes: 30
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+      - name: Set Working Language
+        run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
+      # Set up a JDK environment for building, testing and releasing.
+      - name: Set up JDK 17
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        with:
+          java-version: 17
+          distribution: temurin
+
+      # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        with:
+          gradle-version: wrapper
+          cache-read-only: true
+
+      # Set up a Node environment for JS/TS/Node client generation.
+      - name: Set up Node 20
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
+        if: ${{ env.WORKING_LANGUAGE == 'javascript' }}
+        with:
+          node-version: 20
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        with:
+          languages: ${{ github.event.repository.language }}
+          ram: 4096
+          queries: security-and-quality
+          tools: latest
+          config-file: ${{ env.CONFIG_FILE }}
+
+      - name: Gradle Build
+        run: ${{ env.GRADLE_SCRIPT_PATH }} classes testClasses --stacktrace -Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.parallel=true
+        if: ${{ env.WORKING_LANGUAGE == 'java' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          GRADLE_READ_KEY: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+          JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+        with:
+          ram: 4096
diff --git a/.github/workflows/pr-help.yaml b/.github/workflows/pr-help.yaml
@@ -0,0 +1,42 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+#   - centralized-templates
+# FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
+
+name: Check PR
+on:
+  pull_request:
+    types:
+      - assigned
+      - unassigned
+      - labeled
+      - unlabeled
+      - opened
+      - edited
+      - closed
+      - reopened
+      - synchronize
+      - ready_for_review
+      - locked
+      - unlocked
+      - review_requested
+      - review_request_removed
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  autoApproveEnabled: true
+
+jobs:
+  auto-approve-pr:
+    runs-on: ubuntu-latest
+    name: Auto-approve PR
+    if: ${{ contains(fromJSON('["pleo-bot-renovate", "pleo-file-distributor[bot]"]'), github.actor) && contains(github.event.pull_request.labels.*.name, 'autoapprove') }}
+    steps:
+      - uses: hmarr/auto-approve-action@v3
+        if: env.autoApproveEnabled == 'true'
+        with:
+          github-token: ${{ secrets.PLEO_BOT_AUTO_APPROVER_TOKEN }}
+          review-message: "This has been auto-approved by @pleo-bot-auto-approver. If your PR isn't being auto-merged as desired, make sure to add @pleo-bot-auto-approver to the CODEOWNERS file. More details how to use Renovate [here](https://www.notion.so/pleo/How-to-use-Renovate-781e4861200744c6b38d3efd8c6d525a?pvs=4)"