add Renovate and custom workflow files

lf-energy-projects-renovation-state · Dec 14, 2024 · 4ac223d · 4ac223d
1 parent faece1e
commit 4ac223d
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 196 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml
@@ -0,0 +1,89 @@
+name: Sync fork
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "15 3 * * *"   # Run every day at 3:15 UTC
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout fork's default branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          path: "fork"
+          token: ${{ secrets.GH_PAT }}
+      - name: Checkout fork's configuration branch
+        uses: actions/checkout@v4
+        with:
+          path: "configuration"
+          ref: "renovate-and-workflow-files"
+          token: ${{ secrets.GH_PAT }}
+      - name: Determine Upstream clone URL
+        id: upstream-repo-clone-url
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data } = await github.rest.repos.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+            if (data.fork) {
+              return data.parent.clone_url;
+            } else {
+              throw new Error('This repository is not a fork.');
+            }
+          result-encoding: string
+      - name: Determine Upstream default branch
+        id: upstream-repo-default-branch
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data } = await github.rest.repos.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+            if (data.fork) {
+              return data.parent.default_branch;
+            } else {
+              throw new Error('This repository is not a fork.');
+            }
+          result-encoding: string
+      - name: Sync fork with upstream
+        run: |
+          set -ex
+          cd fork
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }}
+          git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }}
+          UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H")
+          PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash)
+          if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then
+            echo "No need to sync, already up-to-date"
+            exit 0
+          fi
+          
+          git reset --hard upstream/${{ steps.upstream-repo-default-branch.outputs.result }}
+          # Enforce the usage of our own config (renovate.json5)
+          git rm renovate.json* || true
+          # Avoid problems where an existing .gitignore file would prevent committing our configuration files
+          git rm .gitignore || true
+          # Delete existing workflows, we don't need to run them in our fork
+          rm -rf .github || true
+          # Instead of using "cp -r", rsync allows us to exclude the .git directory
+          rsync -av --exclude '.git' ../configuration/ .
+          rm upstream_commit_hash
+          git add .
+          git commit -m "add Renovate and custom workflow files"
+          git push --force-with-lease
+          
+          cd ../configuration
+          # git config user.name "github-actions[bot]"
+          # git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash
+          git add upstream_commit_hash
+          git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH"
+          git push
diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml
@@ -0,0 +1,27 @@
+name: SBOM upload from Trivy
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "0 9 */5 * *"   # Run every fifth day at 9 AM UTC
+
+jobs:
+  SBOM-upload:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.23.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'github'
+          output: 'trivy-results.gsbom'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}  # this causes a curl call to upload the snapshot
+
+      - name: Upload report file
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results
+          path: trivy-results.gsbom
diff --git a/.gitignore b/.gitignore
diff --git a/renovate.json5 b/renovate.json5
@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":disableRateLimiting"
+  ],
+  "labels": ["dependencies", "depManager:{{{manager}}}"],
+  "vulnerabilityAlerts": {
+    "labels": ["security", "dependencies", "depManager:{{{manager}}}"],
+  },
+  "forkProcessing": "enabled"
+}