From 6e3d988500b0189fc031f20b839d09a199d2de76 Mon Sep 17 00:00:00 2001
From: Roger Barker
Date: Thu, 6 Jun 2024 10:14:34 -0500
Subject: [PATCH] ci: Updated for GHA best practices (#196)
* Updated for GHA best practices
Signed-off-by: Roger Barker
* Updated code owners file to scope lock root level codeowners file
Signed-off-by: Roger Barker
---------
Signed-off-by: Roger Barker
---
.github/CODEOWNERS | 34 +++++++++++++++++++++
.github/dependabot.yml | 7 +++++
.github/workflows/docker-publish.yml | 11 +++++--
.github/workflows/system-test.yml | 15 ++++++---
.github/workflows/unit-integration-test.yml | 15 ++++++---
5 files changed, 72 insertions(+), 10 deletions(-)
create mode 100644 .github/CODEOWNERS
create mode 100644 .github/dependabot.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..f894a308
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,34 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below
+* @hashgraph/developer-advocates
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/LICENSE @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Gradle project files and inline plugins
+/gradle/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+gradlew @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+gradlew.bat @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/build-logic/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/gradle.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/*.gradle.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering
@hashgraph/release-engineering-managers @hashgraph/developer-advocates
+**/.gitignore.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/developer-advocates
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..10256a12
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index c299d789..1f9cbe86 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -11,11 +11,18 @@ on: - v* workflow_dispatch: +permissions: + contents: read + +defaults: + run: + shell: bash + jobs: # Push image to GitHub Packages. # See also https://docs.docker.com/docker-hub/builds/ build_docker_images: - runs-on: ubuntu-latest + runs-on: [self-hosted, Linux, medium, ephemeral] steps: - name: Set version run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
@@ -33,7 +40,7 @@ jobs: run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - name: Build java node image run: docker build . --file Dockerfile --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:latest --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:$VERSION --tag ghcr.io/${{ github.repository }}/hedera_nft_auction_java_node:$DATETIME --label "runnumber=${GITHUB_RUN_ID}"
diff --git a/.github/workflows/system-test.yml b/.github/workflows/system-test.yml
index 2ad46b21..f0be4059 100644
--- a/.github/workflows/system-test.yml
+++ b/.github/workflows/system-test.yml
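Review bot: The `/.github/workflows/` rule lists @hashgraph/developer-advocates alongside the two release-engineering teams, and because a later matching rule replaces the earlier one, workflow files end up with a wider approver set than the generic `/.github/` entry above it — one approval from any listed owner satisfies code-owner review, so a single developer-advocate approval suffices on exactly the files that decide what runs on the runners. If that is intended, say so on the line, e.g. `# developer-advocates included on purpose: any single listed owner's approval satisfies the check`; otherwise drop the third team and let the `/.github/` rule apply. The self-protection comment targets a root `/CODEOWNERS`, while this file lives at `/.github/CODEOWNERS` and is covered only through the generic `/.github/` entry, so an explicit `/.github/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers` line would make that intent visible rather than implied. Minor: "overriden" in the first NOTE should read "overridden".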
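Review bot: Only the `github-actions` ecosystem is configured, so the Gradle wrapper and build files this same commit places under CODEOWNERS protection (`gradlew`, `**/*.gradle.*`) and the Dockerfile built by docker-publish.yml receive no update pull requests; a second `updates` entry with `package-ecosystem: "gradle"` and the same `directory: "/"` (plus a `docker` entry if the base image should be tracked) would close that gap. Dependabot records the resolved version of each SHA-pinned action in the trailing `# vX.Y.Z` comment the workflow hunks carry, so that suffix should be kept when pins are edited by hand; a one-line comment here, `# keep the "# vX.Y.Z" suffix on SHA-pinned actions so Dependabot can track them`, would record the convention.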
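Review bot: The new workflow-level `permissions: contents: read` drops every other scope from `GITHUB_TOKEN`, yet the next hunk still authenticates to ghcr.io with `secrets.GITHUB_TOKEN` and the build tags images under `ghcr.io/${{ github.repository }}`; if the job pushes those images with that token (the push step lies outside the hunk), the push will be refused for lack of `packages: write`. Grant it at the job rather than the workflow so the reduced default still holds elsewhere: under `build_docker_images:` add `permissions:` / `contents: read` / `packages: write`. The move to `runs-on: [self-hosted, Linux, medium, ephemeral]` is defensible for a tag- and dispatch-triggered publish job, but the build inherits the runner's network position and any credentials present on it, so the runner group should be limited to this repository and the `ephemeral` label relied on for state isolation only, not as an access boundary.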
@@ -8,14 +8,21 @@ on: branches: [ master ] workflow_dispatch: +permissions: + contents: read + +defaults: + run: + shell: bash + jobs: build: - runs-on: ubuntu-latest + runs-on: [self-hosted, Linux, medium, ephemeral] steps: - - uses: actions/checkout@v2 - - uses: actions/cache@v2 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/hedera-nft-auction-demo-java-node/.gradle/caches
@@ -24,7 +31,7 @@ jobs: restore-keys: | ${{ runner.os }}-gradle-` - name: Set up JDK 14 - uses: actions/setup-java@v2 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: java-version: '14' distribution: 'adopt'
diff --git a/.github/workflows/unit-integration-test.yml b/.github/workflows/unit-integration-test.yml
index 7dbc0a7e..a317b1b2 100644
--- a/.github/workflows/unit-integration-test.yml
+++ b/.github/workflows/unit-integration-test.yml
@@ -8,15 +8,22 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + +defaults: + run: + shell: bash + jobs: build: - runs-on: ubuntu-latest + runs-on: [self-hosted, Linux, medium, ephemeral] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 - - uses: actions/cache@v2 + - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: | ~/hedera-nft-auction-demo-java-node/.gradle/caches
@@ -26,7 +33,7 @@ jobs: ${{ runner.os }}-gradle-` - name: Set up JDK 14 - uses: actions/setup-java@v2 + uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 with: java-version: '14' distribution: 'adopt'
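Review bot: This workflow is triggered by `pull_request` (the key is visible at the top of the hunk), and switching it to `runs-on: [self-hosted, Linux, medium, ephemeral]` means the code under test from any pull request — including fork PRs if the repository lets them run — now executes on infrastructure you operate rather than on a throwaway GitHub-hosted VM; `ephemeral` stops state from persisting between jobs but does not limit what the job can reach from the runner's network while it runs. Confirm that fork PRs require maintainer approval before workflows run and that the runner group is scoped to this repository, or keep the PR-triggered test workflows on GitHub-hosted runners and reserve self-hosted capacity for the tag-triggered publish job. The same applies to the first hunk of system-test.yml if its `branches: [ master ]` trigger — whose key sits above that hunk — is also `pull_request`.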