feat: setup initial project (#2)

Signed-off-by: Nathan Klick <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,43 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+* @hashgraph/release-engineering-managers @hashgraph/product-security
+
+############################
+##### Project Files ######
+############################
+
+/legacy/ @hashgraph/release-engineering-managers @hashgraph/product-security
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering-managers
+/.github/workflows/ @hashgraph/release-engineering-managers @hashgraph/product-security @hashgraph/devops-ci
+
+
+# Codacy Tool Configurations
+/config/ @hashgraph/release-engineering-managers
+.remarkrc @hashgraph/release-engineering-managers
+
+# Semantic Release Configuration
+.releaserc @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering-managers
+**/LICENSE @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering-managers
+**/.gitignore.* @hashgraph/release-engineering-managers

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 10

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+## Description
+
+This pull request changes the following:
+
+* TBD
+
+### Related Issues
+
+* Closes #

.github/workflows/flow-pull-request-checks.yaml

@@ -0,0 +1,53 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Checks"
+on:
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+
+defaults:
+ run:
+ shell: bash
+
+concurrency:
+ group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ versions:
+ name: Upstream Versions
+ uses: ./.github/workflows/zxc-retrieve-upstream-versions.yaml
+ if: ${{ !github.event.pull_request.head.repo.fork }}
+
+ legacy-images:
+ name: Legacy Images
+ uses: ./.github/workflows/zxc-build-legacy-images.yaml
+ needs:
+ - versions
+ with:
+ build-default-image: true
+ build-dind-image: true
+ build-dind-rootless-image: false
+ base-os-image: ubuntu-22.04
+ runner-version: ${{ needs.versions.outputs.runner }}
+ runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}
+ docker-version: 24.0.9
+ platforms: linux/amd64
+ dry-run-enabled: true

.github/workflows/flow-pull-request-formatting.yaml

@@ -0,0 +1,51 @@
+##
+# Copyright (C) 2023 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Formatting"
+on:
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - edited
+ - synchronize
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: read
+ statuses: write
+
+concurrency:
+ group: pr-formatting-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+jobs:
+ title-check:
+ name: Title Check
+ runs-on: [self-hosted, Linux, medium, ephemeral]
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: Check PR Title
+ uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/zxc-build-legacy-images.yaml

@@ -0,0 +1,190 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXC: Build Legacy Images"
+# This reusable component is called by the following workflows:
+# - .github/workflows/flow-pull-request-checks.yaml
+# - .github/workflows/flow-build-application.yaml
+
+on:
+ workflow_call:
+ inputs:
+ ## Base Operating System Image
+ ## Options include:
+ ## - ubuntu-20.04
+ ## - ubuntu-22.04
+ base-os-image:
+ description: "Operating System Image:"
+ type: string
+ required: true
+
+ ## Upstream Github Action Runner Version
+ runner-version:
+ description: "Runner Version:"
+ type: string
+ required: true
+
+ ## Upstream Github Action Runner Container Hooks Version
+ runner-container-hooks-version:
+ description: "Container Hooks Version:"
+ type: string
+ required: false
+ default: "0.6.1"
+
+ ## Upstream Docker Version
+ docker-version:
+ description: "Docker Version:"
+ type: string
+ required: false
+ default: "24.0.9"
+
+ ## Linux Architectures for Multi-Arch Builds
+ platforms:
+ description: "Platforms:"
+ type: string
+ required: false
+ default: "linux/amd64,linux/arm64"
+
+ build-default-image:
+ description: "Build Default Image"
+ type: boolean
+ required: false
+ default: true
+
+ build-dind-image:
+ description: "Build DinD Image"
+ type: boolean
+ required: false
+ default: false
+
+ build-dind-rootless-image:
+ description: "Build DinD Rootless Image"
+ type: boolean
+ required: false
+ default: false
+
+ dry-run-enabled:
+ description: "Perform Dry Run"
+ type: boolean
+ required: false
+ default: false
+
+ custom-job-label:
+ description: "Custom Job Label:"
+ type: string
+ required: false
+ default: "Build"
+
+defaults:
+ run:
+ shell: bash
+
+env:
+ OS_IMAGE: ${{ inputs.base-os-image }}
+ RUNNER_VERSION: ${{ inputs.runner-version }}
+ RUNNER_CONTAINER_HOOKS_VERSION: ${{ inputs.runner-container-hooks-version }}
+ DOCKER_VERSION: ${{ inputs.docker-version }}
+ PLATFORMS: ${{ inputs.platforms }}
+
+permissions:
+ id-token: write
+ contents: read
+ packages: write
+
+jobs:
+ build-legacy-images:
+ name: ${{ inputs.custom-job-label || 'Build' }}
+ runs-on: [self-hosted, Linux, medium, ephemeral]
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: Checkout Code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Install Make
+ run: |
+ if ! command -v make >/dev/null 2>&1; then
+ echo "::group::Updating APT Repository Indices"
+ sudo apt update
+ echo "::endgroup::"
+ echo "::group::Installing Make"
+ sudo apt install -y make
+ echo "::endgroup::"
+ fi
+
+ - name: Setup QEmu Support
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+ - name: Setup Docker Buildx Support
+ uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+ with:
+ version: v0.16.1
+ driver-opts: network=host
+
+ - name: Show Docker Version
+ run: docker version
+
+ - name: Show Docker Info
+ run: docker info
+
+ - name: Docker Login (Github)
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ if: ${{ inputs.dry-run-enabled != true }}
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Calculate Docker Registry
+ id: registry
+ run: |
+ DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository }}"
+ IMG_RESULT="push"
+ 
+ if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
+ DOCKER_REGISTRY_PREFIX="local"
+ IMG_RESULT="load"
+ fi
+ 
+ echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
+ echo "operation=${IMG_RESULT}" >>"${GITHUB_OUTPUT}"
+
+ - name: Build Default Image
+ env:
+ DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+ IMG_RESULT: ${{ steps.registry.outputs.operation }}
+ working-directory: legacy/runner
+ if: ${{ inputs.build-default-image }}
+ run: make docker-buildx-default
+
+ - name: Build DinD Image
+ env:
+ DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+ IMG_RESULT: ${{ steps.registry.outputs.operation }}
+ working-directory: legacy/runner
+ if: ${{ inputs.build-dind-image }}
+ run: make docker-buildx-dind
+
+ - name: Build DinD Rootless Image
+ env:
+ DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+ IMG_RESULT: ${{ steps.registry.outputs.operation }}
+ working-directory: legacy/runner
+ if: ${{ inputs.build-dind-rootless-image }}
+ run: make docker-buildx-dind-rootless