

Initial commit
scaleapi-security authored Oct 18, 2024
0 parents commit beb447e
Showing 13 changed files with 739 additions and 0 deletions.
Empty file added .circleci/config.yml
Empty file.
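--- /dev/null
+++ b/.github/workflows/setup-repository.yml
@@ -0,0 +1,230 @@
+name: Setup repository from template
+
+on:
+workflow_dispatch:
+inputs:
+visibility:
+description: 'Visibility'
+required: true
+default: 'private'
+type: choice
+options:
+- private
+- public
+trufflehog:
+description: 'Trufflehog'
+required: true
+default: true
+type: boolean
+semgrep:
+description: 'Semgrep'
+required: true
+default: true
+type: boolean
+python:
+description: 'Python/Jupyter Notebook'
+required: true
+default: false
+type: boolean
+javascript:
+description: 'TypeScript/JavaScript'
+required: true
+default: false
+type: boolean
+terraform:
+description: 'Terraform'
+required: true
+default: false
+type: boolean
+golang:
+description: 'Go'
+required: true
+default: false
+type: boolean
+jobs:
+common-setup:
+name: Common Setup
+outputs:
+run_jobs: ${{ steps.check-template.outputs.run_jobs}}
+runs-on: ubuntu-22.04
+env:
+REPO_SETUP_TOKEN: ${{ secrets.REPO_SETUP_TOKEN }}
+steps:
+- name: Do not run setup on template repository
+id: check-template
+shell: bash {0}
+# Using the GitHub rest API allows us to identify if the current repository
+# is a template repository or not.
+run: |
+not_template=$(curl --silent -X GET -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -H "Accept: application/vnd.github+json" https://api.github.com/repos/$GITHUB_REPOSITORY | jq --exit-status '.is_template == false');
+echo "run_jobs=$not_template" >> $GITHUB_OUTPUT
+- uses: actions/checkout@v3
+with:
+# Cannot use the built-in $GITHUB_TOKEN since we need webhook permission
+token: ${{ env.REPO_SETUP_TOKEN }}
+
+### RESTRICT RUNNABLE GITHUB ACTIONS
+- name: Set runnable actions to 'selected'
+shell: bash
+run: |
+curl -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$GITHUB_REPOSITORY/actions/permissions -d '{"enabled":true,"allowed_actions":"selected"}'
+- name: Restrict runnable actions
+shell: bash
+run: |
+curl -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$GITHUB_REPOSITORY/actions/permissions/selected-actions -d '{"github_owned_allowed":true,"verified_allowed":false,"patterns_allowed":["trufflesecurity/[email protected]","returntocorp/semgrep", "tenable/terrascan-action@main"]}'
+### PYTHON SETUP
+- name: python-setup
+if: ${{ inputs.python && steps.check-template.outputs.run_jobs == 'true' }}
+shell: bash
+# Copy the bandit action workflow file to the appropriate location
+run: |
+cp template-files/python/bandit-ci.yml .github/workflows/bandit-ci.yml
+cat template-files/python/.gitignore >> .gitignore
+### JS/TS SETUP
+- name: javascript-setup
+if: ${{ inputs.javascript && steps.check-template.outputs.run_jobs == 'true' }}
+shell: bash
+run: |
+cat template-files/js/.gitignore >> .gitignore
+### TERRAFORM SETUP
+- name: terraform-setup
+if: ${{ inputs.terraform && steps.check-template.outputs.run_jobs == 'true' }}
+shell: bash
+run: |
+cat template-files/terraform/.gitignore >> .gitignore
+cp template-files/terraform/atlantis.yaml atlantis.yaml
+cp template-files/terraform/terrascan-ci.yml .github/workflows/terrascan-ci.yml
+### TEMPLATE FILE
+- name: move-template-file
+if: ${{ github.event.inputs.terraform == 'true' || github.event.inputs.python == 'true' }}
+id: move-output-template
+shell: bash
+# Copy the logging template file to the workflows folder
+run: |
+cp template-files/common/output-template.json .github/workflows/output-template.json
+### GOLANG SETUP
+- name: golang-setup
+if: ${{ inputs.golang && steps.check-template.outputs.run_jobs == 'true' }}
+shell: bash
+run: |
+cat template-files/go/.gitignore >> .gitignore
+- name: commit-job-changes
+shell: bash {0}
+# Commit the changes we've made for this job since artifacting all of them would be difficult
+run: |
+git config --global user.email "github-actions[bot]@users.noreply.github.com" && \
+git config --global user.name "github-actions[bot]" && \
+git add --all
+if ! git diff-index --quiet HEAD; then
+git commit -m 'Repository Setup'
+git push origin main -f
+fi
+cleanup:
+name: Cleanup
+needs: [common-setup]
+if: ${{ needs.common-setup.outputs.run_jobs == 'true' }}
+env:
+REPO_SETUP_TOKEN: ${{ secrets.REPO_SETUP_TOKEN }}
+runs-on: ubuntu-22.04
+steps:
+- uses: actions/checkout@v3
+with:
+# Cannot use the built-in $GITHUB_TOKEN since we need webhook permission
+token: ${{ env.REPO_SETUP_TOKEN }}
+# include the ref to the default branch so we get the changes from the previous jobs
+ref: main
+- name: Clean up template files
+shell: bash
+run: |
+rm -rf template-files
+rm -f .github/workflows/setup-repository.yml
+- name: Reinitialize git repository
+shell: bash
+# We use `git checkout --orphan` to create a branch in a git init-like state and get a clean history
+run: |
+git config --global user.email "github-actions[bot]@users.noreply.github.com" && \
+git config --global user.name "github-actions[bot]" && \
+git checkout --orphan temp-branch && \
+git add . && \
+git commit -m 'Repository Setup' && \
+git push origin temp-branch:main -f
+- name: Protect main branch
+shell: bash
+run: |
+curl -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$GITHUB_REPOSITORY/branches/main/protection -d '{"required_status_checks":null,"enforce_admins":null,"required_pull_request_reviews":{"dismissal_restrictions":{"users":[],"teams":[],"apps":[]},"dismiss_stale_reviews":false,"require_code_owner_reviews":false,"required_approving_review_count":1,"require_last_push_approval":false,"bypass_pull_request_allowances":{"users":[],"teams":["security-eng","platform-eng"]}},"restrictions":null,"required_linear_history":false,"allow_force_pushes":false,"allow_deletions":false,"block_creations":false,"required_conversation_resolution":true,"lock_branch":false,"allow_fork_syncing":false}'
+### This must be done at the end of the workflow after all changes have been committed due to org-wide restrictions
+### SEMGREP SETUP USING REPOSITORY RULESETS
+- name: install-semgrep-action
+if: ${{ github.event.inputs.semgrep == 'true' }}
+id: install-semgrep-action
+shell: bash
+# id 279250 represents semgrep ruleset
+# ids_cleaned is a necessary step, since bash naturally delimits by newline, which breaks single-line read
+run: |
+raw=$(curl -L -X GET \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+https://api.github.com/orgs/scaleapi/rulesets/279250)
+ids=$(echo "$raw" | jq '.conditions.repository_id.repository_ids[]?')
+ids_cleaned=${ids//$'\n'/ }
+ids_cleaned=${ids_cleaned//$'\r'/ }
+refs=$(echo "$raw" | jq '.conditions.ref_name')
+names=$(echo "$raw" | jq '.conditions.repository_name.include')
+read -a id_array <<< $ids_cleaned
+echo 'Beginning with '${#id_array[*]}' repositories.'
+id_array+=(${{ github.repository_id }})
+echo 'Now there are '${#id_array[*]}' repositories.'
+json_ids=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${id_array[@]}" | tr -d "\"")
+body=$(echo '{"conditions": { "ref_name": '$refs', "repository_id": {"repository_ids": '"${json_ids//\" /}"'}}}')
+curl -L -X PUT \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+https://api.github.com/orgs/scaleapi/rulesets/279250 \
+-d "$body"
+### TRUFFLEHOG SETUP USING REPOSITORY RULESETS
+- name: install-trufflehog-action
+if: ${{ github.event.inputs.trufflehog == 'true' }}
+id: install-trufflehog-action
+shell: bash
+# id 279251 represents trufflehog ruleset
+# ids_cleaned is a necessary step, since bash naturally delimits by newline, which breaks single-line read
+run: |
+raw=$(curl -L -X GET \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+https://api.github.com/orgs/scaleapi/rulesets/279251)
+ids=$(echo "$raw" | jq '.conditions.repository_id.repository_ids[]?')
+ids_cleaned=${ids//$'\n'/ }
+ids_cleaned=${ids_cleaned//$'\r'/ }
+refs=$(echo "$raw" | jq '.conditions.ref_name')
+names=$(echo "$raw" | jq '.conditions.repository_name.include')
+read -a id_array <<< $ids_cleaned
+id_array+=(${{ github.repository_id }})
+json_ids=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${id_array[@]}" | tr -d "\"")
+body=$(echo '{"conditions": { "ref_name": '$refs', "repository_id": {"repository_ids": '"${json_ids//\" /}"'}}}')
+curl -L -X PUT \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+https://api.github.com/orgs/scaleapi/rulesets/279251 \
+-d "$body"
+- name: Remove secret REPO_SETUP_TOKEN
+# After re-initializing the repository, we can remove the `REPO_SETUP_TOKEN` secret since it has permissions we don't want to sit around in the repository
+shell: bash
+if: ${{ env.REPO_SETUP_TOKEN }}
+run: |
+curl \
+-X DELETE --fail \
+-H "Accept: application/vnd.github.v3+json" \
+-H "Authorization: Bearer ${{ env.REPO_SETUP_TOKEN }}" \
+https://api.github.com/repos/$GITHUB_REPOSITORY/actions/secrets/REPO_SETUP_TOKEN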
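Review bot: The curl PUT calls that apply the security controls — both runnable-actions restriction steps, `Protect main branch`, and the ruleset updates in `install-semgrep-action` and `install-trufflehog-action` — run without `--fail`, so an HTTP 4xx/5xx from the API (for example a REPO_SETUP_TOKEN that lacks the org-admin scope the ruleset endpoints need) leaves the step green, and the workflow then deletes the token in `Remove secret REPO_SETUP_TOKEN` with no control actually applied; only that last step passes `--fail`. Adding `--fail-with-body` (or `--fail`) to each of those curls, e.g. `curl --fail-with-body -L -X PUT \`, makes a failed control application fail the job and surface the API error in the log. The two ruleset steps are also a read-modify-write of an org-wide ruleset with no serialization, so two repositories running this workflow at the same time can overwrite each other's `repository_ids` and silently drop one from the scan requirement; re-reading the ruleset after the PUT and asserting that `${{ github.repository_id }}` is present would at least detect that. The runnable-actions steps and `move-template-file` lack the `steps.check-template.outputs.run_jobs == 'true'` guard the other setup steps carry, so they execute against the template repository itself when dispatched there. Separately, `names=$(... .repository_name.include)` is unused in both ruleset steps and `${json_ids//\" /}` is a no-op after `tr -d "\""`, so both can be removed.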
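--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,37 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+*.pth
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# IntelliJ
+**/.idea
+*.iml
+
+# VSCode
+.vscode
+*.code-workspace
+
+# filesystem files
+.DS_Store
+
+# Local environment files
+*.env
+.env.*
+*.envrc
+frontend/.npmrc
+local*.yaml
+
+# filesystem databases
+dump.rdb
+*.sqlite
+*.db
+
+# Temp dirs
+tmp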
Empty file added CODEOWNERS
Empty file.
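--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# repository-template
+A repository template for repository creation at Scale AI.
+
+## Usage
+### Automatic
+Request a new repository from the slackbot `Onyx` using `/onyx` and input the appropriate information such as desired language(s)
+
+### Manual
+Requires repository creation permissions and an appropriately-permissioned REPO_SETUP_TOKEN
+
+1. Create a new repository using this template
+2. Add a secret `REPO_SETUP_TOKEN` to the new repository
+3. Run the GitHub workflow `repository-setup`, inputting parameters as desired.
+4. Allow the workflow to run and set up language-specific files and settings.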
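--- /dev/null
+++ b/template-files/common/output-template.json
@@ -0,0 +1,13 @@
+{
+"source": "github",
+"organization": "\($organization)",
+"timestamp": "\($time)",
+"action": "\($action)",
+"meta": {
+"repository": "\($repository)",
+"commit": "\($sha)",
+"branch": "\($branch)",
+"link": "\($link)"
+},
+"results": []
+}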
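Review bot: This file is not parseable as JSON despite its `.json` extension, because `\(` is not a JSON escape sequence; the `"\($organization)"` forms are jq string interpolation, so the file only works when handed to jq as a program or filter file rather than loaded with a JSON parser. The consumer is presumably the `bandit-ci.yml`/`terrascan-ci.yml` workflows copied from `template-files`, which are not visible in this view. A short note in the README (or a `.jq` extension) would stop a maintainer from running `jq .` or `json.load` on it and treating the resulting parse error as corruption.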
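--- /dev/null
+++ b/template-files/go/.gitignore
@@ -0,0 +1,18 @@
+
+### GOLANG
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work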
