From f8588983f9f2b99eda5e127fcbcc5700af31bcff Mon Sep 17 00:00:00 2001
From: Roger Barker
Date: Tue, 23 Apr 2024 11:38:22 -0500
Subject: [PATCH] ci: Update workflows & add CODEOWNERS/Dependabot (#683)
Signed-off-by: Roger Barker
---
.github/CODEOWNERS | 39 +++++++++++++++++++
.github/dependabot.yml | 7 ++++
.../workflows/flow-pull-request-checks.yaml | 3 ++
.github/workflows/zxc-build-library.yaml | 36 ++++++++---------
4 files changed, 65 insertions(+), 20 deletions(-)
create mode 100644 .github/CODEOWNERS
create mode 100644 .github/dependabot.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..06a25b67
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,39 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+* @hashgraph/hedera-sdk @hashgraph/hedera-sdk-cpp-contributors @hashgraph/limechain-hedera
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Cmake project files and inline plugins
+**/.clang* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk
+**/.clang-format @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk
+**/.clang-tidy @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk
+**/CMakeLists.txt @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk
+**/CMakePresets.json @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk
+
+# Codacy Tool Configurations
+/config/ @hashgraph/release-engineering @hashgraph/release-engineering-managers
+.remarkrc @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/LICENSE @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/.gitignore.* @hashgraph/release-engineering @hashgraph/release-engineering-managers
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..c8c5ac6e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 10
\ No newline at end of file
diff --git a/.github/workflows/flow-pull-request-checks.yaml b/.github/workflows/flow-pull-request-checks.yaml
index 7f0a2a45..70adf7e1 100644
--- a/.github/workflows/flow-pull-request-checks.yaml
+++ b/.github/workflows/flow-pull-request-checks.yaml
@@ -8,6 +8,9 @@ on: - synchronize - closed +defaults: + run: + shell: bash concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/zxc-build-library.yaml b/.github/workflows/zxc-build-library.yaml
index 60150409..6e7437f8 100644
--- a/.github/workflows/zxc-build-library.yaml
+++ b/.github/workflows/zxc-build-library.yaml
@@ -12,11 +12,8 @@ permissions: jobs: build: name: Build - runs-on: - - self-hosted - - "${{ matrix.os }}" - - xlarge - - ephemeral + runs-on: [ self-hosted, Linux, xlarge, ephemeral ] + env: HEDERA_NETWORK: localhost strategy:
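Review bot: The `/.github/` rule sits under the comment `# NOTE: Must be placed last to ensure enforcement over all other rules`, yet it is followed by the `**/.clang*`, `**/CMakeLists.txt`, `**/LICENSE`, `**/codecov.yml` and `**/.gitignore` patterns. CODEOWNERS applies the last matching pattern, so a file under `.github/` that also matches one of those later globs takes that rule's owners instead; for the clang and CMake patterns that adds `@hashgraph/hedera-sdk` as an accepted approver. Moving the line `/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers` to the end of the file would make the comment true. The `/CODEOWNERS` entry only covers a root-level file; this file at `.github/CODEOWNERS` is protected by the `/.github/` rule, which is one more reason to keep that rule last.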
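Review bot: Only the `github-actions` ecosystem is listed, so Dependabot will refresh the pinned action SHAs but will not track anything else the build pulls in. The build workflow in this same commit checks out with `submodules: true`, which suggests the repository carries git submodules; if so, a second `updates` entry with `package-ecosystem: "gitsubmodule"` would keep those current in the same way. The file also ends without a trailing newline.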
@@ -24,18 +21,20 @@ jobs: include: - os: Linux preset: linux-x64 - # - os: macos-12 - # preset: macos-x64 - # - os: windows-latest - # preset: windows-x64 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true - name: Run Clang-Format - uses: jidicula/clang-format-action@v4.11.0 + uses: jidicula/clang-format-action@f62da5e3d3a2d88ff364771d9d938773a618ab5e # v4.11.0 with: clang-format-version: "17" check-path: "src" @@ -55,19 +54,16 @@ jobs: $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - if: ${{ runner.os == 'Linux' }} - name: Use Node.js 21 - uses: actions/setup-node@v3 + uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: node-version: 21 - name: Install Local Node run: sudo npm install -g @hashgraph/hedera-local - if: ${{ runner.os == 'Linux' }} - name: Install Linux Prerequisites - if: ${{ runner.os == 'Linux' }} run: | sudo apt-get update sudo apt-get install -y pkg-config libc6-dbg libgtest-dev build-essential @@ -76,10 +72,10 @@ jobs: run: mkdir -p "${{ github.workspace }}/b/vcpkg_cache" - name: Install CMake & Ninja - uses: lukka/get-cmake@v3.27.7 + uses: lukka/get-cmake@4931ab1fc1604964c055eb330edb3f6b26ba0cfa # v3.29.2 - name: Setup VCPkg - uses: lukka/run-vcpkg@v11 + uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5 with: binaryCachePath: ${{ github.workspace }}/b/vcpkg_cache @@ -89,7 +85,7 @@ jobs: git fetch --unshallow --prune - name: CMake Build (Debug) - uses: lukka/run-cmake@v10 + uses: lukka/run-cmake@2ce8982be71b8e9a3c4d5e432135035afd1e76a7 # v10.7 env: VCPKG_BINARY_SOURCES: clear with: 
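Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it does not stop an action or build script from reaching an unexpected host. Because this job runs on self-hosted runners and installs packages with `sudo`, I would mark audit mode as a temporary baseline in the file itself, for example `egress-policy: audit # TODO: move to block with allowed-endpoints once the baseline is reviewed`. The step list continues outside this hunk.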
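Review bot: The action reference in this hunk is now pinned to a commit SHA, but the `Install Local Node` step still runs `sudo npm install -g @hashgraph/hedera-local`, which resolves whatever version is latest at run time and installs it under `sudo`. Pinning it, `run: sudo npm install -g @hashgraph/hedera-local@<PINNED_VERSION>` (placeholder), would bring it in line with the rest of the commit. With the `if: ${{ runner.os == 'Linux' }}` guards removed, these steps now rely entirely on the fixed `runs-on` labels to land on a Linux runner; a short comment saying so would help whoever re-enables other platforms.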
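Review bot: The trailing version comments are the only human-readable link between each 40-character SHA and a release, and nothing in the diff verifies them. Here `lukka/get-cmake` moves from `v3.27.7` to a SHA commented `# v3.29.2`, so this is a CMake/Ninja upgrade as well as a pin; the same holds for `actions/checkout` (v3 to `# v4.1.1`), `actions/setup-node` (v3 to `# v4.0.2`) and `actions/upload-artifact` (v3 to `# v4.3.1`) in the other hunks. Each SHA should be checked against the upstream tag before merge, and the version bumps deserve a line in the commit description, which currently mentions only workflow updates.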
@@ -98,7 +94,7 @@ jobs: - name: CMake Build (Release) if: github.event.pull_request.merged == true - uses: lukka/run-cmake@v10 + uses: lukka/run-cmake@2ce8982be71b8e9a3c4d5e432135035afd1e76a7 # v10.7 env: VCPKG_BINARY_SOURCES: clear with: @@ -129,7 +125,7 @@ jobs: - name: Attach Artifact if: github.event.pull_request.merged == true - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: hapi-library-${{ runner.os }}-${{ steps.sha.outputs.short }} path: package/
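Review bot: `actions/upload-artifact` jumps a major version in the `Attach Artifact` step (v3 to the SHA commented `# v4.3.1`), and artifacts uploaded by v4 cannot be fetched with v3 of `actions/download-artifact`. If any other job or workflow downloads `hapi-library-*`, it needs the matching v4 download action in the same change. v4 also rejects a second upload under the same artifact name within a run, so `name: hapi-library-${{ runner.os }}-${{ steps.sha.outputs.short }}` would collide if the matrix gains a second Linux preset; including `${{ matrix.preset }}` in the name would avoid that.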