diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..634d855
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+@ONSdigital/ons-template-admins
\ No newline at end of file
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c891307
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+---
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..296336e
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,17 @@
+# Change Description
+
+- what changes have been made and why
+
+## Type of change
+
+- [ ] New service
+- [ ] New feature
+- [ ] Breaking change
+- [ ] Bugfix
+- [ ] Quality of life changes
+
+## Checklist
+
+- [ ] I have followed the [Contributing](https://github.com/ONSdigital/ons-template/CONTRIBUTING.md) guide.
+- [ ] I have merged the latest commits from the main branch
+- [ ] All the GitHub Checks are :white_check_mark:
diff --git a/.github/rename_project.sh b/.github/rename_project.sh
new file mode 100755
index 0000000..464ed7e
--- /dev/null
+++ b/.github/rename_project.sh
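Review bot: The single line `@ONSdigital/ons-template-admins` in CODEOWNERS has no file pattern in front of the owner; GitHub reads each CODEOWNERS line as a pattern followed by one or more owners, so as written it would be parsed as a pattern with no owner and the file would report a syntax error instead of assigning reviewers. For a template that wants the admin team to own everything the line should be `* @ONSdigital/ons-template-admins`.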
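Review bot: `package-ecosystem: ""` on the `updates` entry of dependabot.yml is an empty value, which Dependabot rejects when it validates the file, so no version updates run at all until someone edits it. If the entry is meant as a placeholder for the downstream project, a validating default is safer: this commit already ships GitHub Actions workflows, so `- package-ecosystem: "github-actions"` keeps `actions/checkout`, `actions/github-script` and the super-linter action current from day one, and the trailing comment can say that further ecosystems should be added alongside it.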
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+escape_for_sed() {
+ echo "$1" | sed -e 's/[\/&]/\\&/g'
+}
+
+while getopts ":a:n:u:d:" flag; do
+ case "${flag}" in
+ a) author=${OPTARG} ;;
+ n) name=${OPTARG} ;;
+ u) urlname=${OPTARG} ;;
+ d) description=$(escape_for_sed "${OPTARG}") ;;
+ *)
+ echo "Invalid option: -${OPTARG}" >&2
+ exit 1
+ ;;
+ esac
+done
+
+echo "Author: $author"
+echo "Project Name: $name"
+echo "Project URL name: $urlname"
+echo "Description: $description"
+
+echo "Renaming project..."
+
+original_author="author_name"
+original_name="project_name"
+original_urlname="project_urlname"
+original_description="project_description"
+
+for filename in $(git ls-files); do
+ sed -i "s/$original_author/$author/g" "$filename"
+ sed -i "s/$original_name/$name/g" "$filename"
+ sed -i "s/$original_urlname/$urlname/g" "$filename"
+ sed -i "s/$original_description/$description/g" "$filename"
+ echo "Renamed $filename"
+done
+
+mv project_name "$name"
diff --git a/.github/slim-README.md b/.github/slim-README.md
new file mode 100644
index 0000000..1cf420f
--- /dev/null
+++ b/.github/slim-README.md
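Review bot: Only `description` is passed through `escape_for_sed`; `author`, `name` and `urlname` are spliced raw into the replacement side of the four `sed -i "s/.../$.../g"` lines, so a value containing `/`, `&` or `\` breaks or rewrites the expression. GitHub-generated owner and repository names cannot contain those characters, but the script accepts any `-a`/`-n`/`-u` argument, so escaping all four at parse time is the cheap fix. Separately, `for filename in $(git ls-files)` word-splits paths containing whitespace and also runs `sed -i` over every tracked binary (this commit adds PNGs under `assets/`); iterating `git ls-files -z` with a null-delimited read avoids the splitting. Note that `mv project_name "$name"` supplies the script's exit status and no `project_name` directory is added in this commit, so as committed the final command fails unless the downstream project creates one.
```bash
    a) author=$(escape_for_sed "${OPTARG}") ;;
    n) name=$(escape_for_sed "${OPTARG}") ;;
    u) urlname=$(escape_for_sed "${OPTARG}") ;;
    d) description=$(escape_for_sed "${OPTARG}") ;;
# … unchanged: invalid-option case, banner echoes, original_* assignments …
git ls-files -z | while IFS= read -r -d '' filename; do
  sed -i "s/$original_author/$author/g" "$filename"
  # … unchanged: remaining three sed substitutions and the echo …
done
```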
@@ -0,0 +1,25 @@
+# ons-template
+
+This repository attempts to demonstrate how colleagues can implement the [GitHub Policy](https://officenationalstatistics.sharepoint.com/sites/ONS_DDaT_Communities/Software%20Engineering%20Policies/Draft_Sub_Policies/GitHub%20Usage%20Policy.docx) (Link to internal site, not accessible externally) created by ONS' Software Engineering Community.
+
+## Contents
+* [How to use this template](#post-clone-steps)
+
+## Post-Clone Steps
+### Repository Settings
+Familiarise yourself with the [ONS GitHub Policy](../../wiki) and ensure your repository is compliant with the policy.
+
+Few key points to note are:
+
+- **[Branch Protection](https://github.com/ONSdigital/ons-template/wiki/5.7-Branch-Protection-rules)**: Ensure
+ the `main` or any other primary branch
+ is protected.
+- **[Signed Commits](https://github.com/ONSdigital/ons-template/wiki/5.8-Signed-Commits)**: Use GPG keys to sign your
+ commits.
+- **[Security Alerts](https://github.com/ONSdigital/ons-template/wiki/6.2-Security)**: Make use of Secret scanning and
+ Dependabot alerts.
+- **[PIRR](https://github.com/ONSdigital/ons-template/wiki/4.2-Private-Internal-Repository-Information)**: If not
+ public then ensure a PIRR.md is documented.
+
+## Contributing
+Please see [CONTRIBUTING.md](CONTRIBUTING.md)
diff --git a/.github/workflows/post-creation-tidy.yml b/.github/workflows/post-creation-tidy.yml
new file mode 100644
index 0000000..e73011b
--- /dev/null
+++ b/.github/workflows/post-creation-tidy.yml
@@ -0,0 +1,123 @@
+---
+# This workflow is triggered on push events and renames the project from template
+# This should be the first workflow to run after the project is created from the 'Use this template' feature
+
+name: Post Creation Tidy
+
+on: # yamllint disable-line rule:truthy
+ push:
+ branches: [main]
+
+permissions:
+ contents: write
+ actions: write
+
+concurrency:
+ group: "${{ github.head_ref || github.ref }}-${{ github.workflow }}"
+ cancel-in-progress: true
+
+jobs:
+ post-creation-tidy:
+ name: Rename Project
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ # by default, it uses a depth of 1
+ # this fetches all history so that we can read each commit
+ fetch-depth: 0
+ ref: ${{ github.head_ref }}
+
+ - name: Check Repository is not a Template
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const repo = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ core.exportVariable("is_template", repo.data.is_template);
+
+ - name: Set Environment Variables and Check Visibility
+ if: env.is_template == 'false'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const repoName = context.repo.repo.replace(/-/g, '_').toLowerCase();
+ const repoUrlName = context.repo.repo;
+ const repoOwner = context.repo.owner;
+ core.exportVariable('REPOSITORY_NAME', repoName);
+ core.exportVariable('REPOSITORY_URLNAME', repoUrlName);
+ core.exportVariable('REPOSITORY_OWNER', repoOwner);
+
+ const repo = await github.rest.repos.get({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
+ const description = repo.data.description;
+ const visibility = repo.data.visibility;
+ const isPublic = visibility === 'public';
+
+ core.exportVariable('REPOSITORY_DESCRIPTION', description);
+ core.exportVariable('is_public', isPublic);
+
+ # - name: Rename Repository Check
+ # if: env.is_template == 'false'
+ # run: |
+ # echo "needs_renaming=$(ls .github/template.yml &> /dev/null && echo true || echo false)" >> "$GITHUB_ENV"
+
+ - name: Update readme
+ if: env.is_template == 'false'
+ run: |
+ mv ./.github/slim-README.md README.md
+
+ # - name: Add markdown-link-check Config File
+ # if: env.is_template == 'false' && env.needs_renaming == 'true'
+ # run: |
+ # # file=".github/linters/.markdown-link-check.json"
+ # # mv -f .github/linters/.project-markdown-link-check.json "$file"
+
+ # if [ "$is_public" = false ]; then
+ # new_pattern='{
+ # "pattern": "author_name/project_urlname",
+ # "reason": "Private repository"
+ # }'
+ # existing_patterns=$(jq '.ignorePatterns' "$file")
+ # if [ "$existing_patterns" = "null" ]; then
+ # jq '.ignorePatterns = [] | .ignorePatterns += [ '"$new_pattern"' ]' "$file" > tmpfile && mv tmpfile "$file"
+ # else
+ # jq '.ignorePatterns += [ '"$new_pattern"' ]' "$file" > tmpfile && mv tmpfile "$file"
+ # fi
+ # fi
+
+ - name: Rename the Project
+ if: env.is_template == 'false' && env.needs_renaming == 'true'
+ run: |
+ echo "Renaming the project with -a(author) ${{ env.REPOSITORY_OWNER }} -n(name) ${{ env.REPOSITORY_NAME }} \
+ -u(urlname) ${{ env.REPOSITORY_URLNAME }} \
+ -d(description) ${{ env.REPOSITORY_DESCRIPTION || env.REPOSITORY_URLNAME }}"
+
+ .github/rename_project.sh -a ${{ env.REPOSITORY_OWNER }} -n ${{ env.REPOSITORY_NAME }} \
+ -u ${{ env.REPOSITORY_URLNAME }} -d "${{ env.REPOSITORY_DESCRIPTION || env.REPOSITORY_URLNAME }}"
+
+ - name: Check if PIRR is needed
+ if: env.is_template == 'false'
+ run: |
+ if [ "$is_public" = true ]; then
+ echo "Removing PIRR.md"
+ rm PIRR.md
+ fi
+
+ - name: Cleanup
+ if: env.is_template == 'false'
+ run: |
+ rm .github/rename_project.sh
+ rm .github/workflows/post-creation-tidy.yml
+ rm .github/workflows/super-linter.yml
+ rm -rf .assets
+
+ - uses: stefanzweifel/git-auto-commit-action@v5
+ if: env.is_template == 'false'
+ with:
+ commit_message: ✅ Ready to clone and use
+ push_options: --force
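Review bot: `needs_renaming` is never set anywhere in this workflow because the `Rename Repository Check` step is commented out, so the condition `env.is_template == 'false' && env.needs_renaming == 'true'` on the `Rename the Project` step is never true, the placeholders are never substituted, and the `Cleanup` step then deletes `rename_project.sh` and this workflow, leaving the new repository permanently unrenamed. The commented check also tests `.github/template.yml` while this commit adds `assets/template.yml`, and Cleanup removes `.assets` while the directory added is `assets/`, so those paths need reconciling when the step is restored. In the `Rename the Project` run block `${{ env.REPOSITORY_DESCRIPTION }}` is expanded into the shell text before bash runs; the description is free text from the repository settings, and the values are already exported into the job environment by the earlier step, so pass them as quoted shell variables instead: `.github/rename_project.sh -a "$REPOSITORY_OWNER" -n "$REPOSITORY_NAME" \` / `  -u "$REPOSITORY_URLNAME" -d "${REPOSITORY_DESCRIPTION:-$REPOSITORY_URLNAME}"`, with the same change to the preceding `echo`. Given `contents: write` combined with `push_options: --force`, the three third-party actions referenced by floating tags (`@v4`, `@v7`, `@v5`) are better pinned to full commit SHAs.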
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
new file mode 100644
index 0000000..42884f5
--- /dev/null
+++ b/.github/workflows/super-linter.yml
@@ -0,0 +1,31 @@
+---
+name: github-superlinter
+run-name: ${{ github.actor }} pushed a change to ${{github.ref_name}}
+on: # yamllint disable-line rule:truthy
+ push: null
+ pull_request: null
+jobs:
+ superlint:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: read
+ statuses: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ # super-linter needs the full git history to get the
+ # list of files that changed across commits
+ fetch-depth: 0
+
+ - name: Super-linter
+ uses: super-linter/super-linter/slim@v6.0.0
+ env:
+ # To report GitHub Actions status checks
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DEFAULT_BRANCH: main
+ LINTER_RULES_PATH: "./configs"
+ VALIDATE_GITHUB_ACTIONS: false
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1eb4569
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# VS Code
+.vscode
+.DS_Store
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..dd6e547
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,9 @@
+# How to Contribute to this project
+## What Should a good CONTRIBUTING.md contains
+* An introduction to the key stakeholders for the code not the resultant use cases
+* Comprehensive testing documentation
+* Any specific environment set-up e.g. non standard precommits
+* How to submit changes
+* How to raise Bugs
+* Any specific style advice
+[Source 1](https://mozillascience.github.io/working-open-workshop/contributing/)
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..3a961b6
--- /dev/null
+++ b/LICENSE
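Review bot: `VALIDATE_GITHUB_ACTIONS: false` on the last line of super-linter.yml switches off actionlint, yet this same commit adds `configs/actionlint.yaml` and two workflows carrying `write` permissions, which are the files most worth linting in this repository; unless there is a known false positive, drop the line (super-linter runs every linter unless one is explicitly disabled) or set it to `true`. `super-linter/super-linter/slim@v6.0.0` is a floating tag that the upstream project can move; pinning to the release's commit SHA with the version in a trailing comment keeps the readability and gives a verifiable artefact. `push: null` together with `pull_request: null` also runs the job twice for every push to a pull-request branch; restricting `push` to `branches: [main]` as `post-creation-tidy.yml` does avoids the duplicate run.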
@@ -0,0 +1,16 @@
+The MIT License (MIT)
+Copyright (c) 2024, ONS Digital
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
+THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/PIRR.md b/PIRR.md
new file mode 100644
index 0000000..1f10fb7
--- /dev/null
+++ b/PIRR.md
@@ -0,0 +1,13 @@
+# Private/Internal Reasoning Record
+## What visibility is the repository set to?
+Private or Internal
+## What decision led to this?
+### Good reasons
+There must general be a risk being mitigated
+* Infrastructure As Code
+* This is a temporary repository
+* Awaiting security risk adviser guidance
+* Code that won't be released e.g. training or PoC code
+### Bad reasons
+* No use to the public
+* idk..
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9d779e5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,61 @@
+# ons-template
+
+[![Super-Linter](https://github.com/ONSdigital/ons-template/actions/workflows/super-linter.yml/badge.svg?branch=main)](https://github.com/ONSdigital/ons-template/actions/workflows/super-linter.yml)
+
+This repository attempts to demonstrate how colleagues can implement the [GitHub Policy](https://officenationalstatistics.sharepoint.com/sites/ONS_DDaT_Communities/Software%20Engineering%20Policies/Draft_Sub_Policies/GitHub%20Usage%20Policy.docx) (Link to internal site, not accessible externally) created by ONS' Software Engineering Community.
+
+## Contents
+* [The Wiki](#the-wiki)
+* [Contributing](#contributing)
+* [How to use this template](#how-to-use-this-template)
+* [What should a good README.md contain](#what-should-a-good-readmemd-contain)
+
+## The Wiki
+[The wiki](../../wiki) explains how you could implement the GitHub Repository policy.
+
+## How to use this template
+
+> **DO NOT FORK** this repository. Instead, use the
+> **[Use this template](https://github.com/ONSdigital/ons-template/generate)** feature.
+
+To get started with this template:
+
+1. Click on **[Use this template](https://github.com/ONSdigital/ons-template/generate)**.
+2. Select the correct visibility, default is public or internal over private. The default is internal as per [GitHubs Documentation](https://docs.github.com/en/enterprise-cloud@latest/repositories/creating-and-managing-repositories/about-repositories#about-internal-repositories)
+3. Name your new repository and provide a description, then click **Create repository**. Note: the repository name
+ should be lowercase and use
+ hyphens (`-`) instead of spaces.
+4. GitHub Actions will process the template and commit to your new repository shortly after you click **Create
+ repository**.. **Wait until the first
+ run of GitHub Actions CI to finish!**
+5. Once the **Rename Project** CI action has run, clone the repository and start working on your project.
+
+> **NOTE**: **WAIT** until first CI run of **Rename Project** job before cloning your new project.
+
+## Post-Clone Steps
+### Repository Settings
+Familiarise yourself with the [ONS GitHub Policy](../../wiki) and ensure your repository is compliant with the policy.
+
+Few key points to note are:
+
+- **[Branch Protection](https://github.com/ONSdigital/ons-template/wiki/5.7-Branch-Protection-rules)**: Ensure
+ the `main` or any other primary branch
+ is protected.
+- **[Signed Commits](https://github.com/ONSdigital/ons-template/wiki/5.8-Signed-Commits)**: Use GPG keys to sign your
+ commits.
+- **[Security Alerts](https://github.com/ONSdigital/ons-template/wiki/6.2-Security)**: Make use of Secret scanning and
+ Dependabot alerts.
+- **[PIRR](https://github.com/ONSdigital/ons-template/wiki/4.2-Private-Internal-Repository-Information)**: If not
+ public then ensure a PIRR.md is documented.
+
+## Contributing
+Please see [CONTRIBUTING.md](CONTRIBUTING.md)
+
+## What should a good README.md contain
+* Title formatted as heading one.
+* Brief Description of the Repository under said title.
+* As many badges as possible.
+* A link to a contributions page commonly called CONTRIBUTING.md.
+* Table of contents.
+* The basics, how to install or run the code within.
+* At least one diagrams or video to show how the project works.
diff --git a/assets/branch-protection-1-of-3.png b/assets/branch-protection-1-of-3.png
new file mode 100644
index 0000000..a086aeb
Binary files /dev/null and b/assets/branch-protection-1-of-3.png differ
diff --git a/assets/branch-protection-2-of-3.png b/assets/branch-protection-2-of-3.png
new file mode 100644
index 0000000..8b2d2c3
Binary files /dev/null and b/assets/branch-protection-2-of-3.png differ
diff --git a/assets/branch-protection-3-of-3.png b/assets/branch-protection-3-of-3.png
new file mode 100644
index 0000000..e7a4d8a
Binary files /dev/null and b/assets/branch-protection-3-of-3.png differ
diff --git a/assets/branch-protection-merge-require-pull-requests.png b/assets/branch-protection-merge-require-pull-requests.png
new file mode 100644
index 0000000..58fa45f
Binary files /dev/null and b/assets/branch-protection-merge-require-pull-requests.png differ
diff --git a/assets/dependabot.png b/assets/dependabot.png
new file mode 100644
index 0000000..6eae237
Binary files /dev/null and b/assets/dependabot.png differ
diff --git a/assets/issue-templates.png b/assets/issue-templates.png
new file mode 100644
index 0000000..101823a
Binary files /dev/null and b/assets/issue-templates.png differ
diff --git a/assets/security.png b/assets/security.png
new file mode 100644
index 0000000..2a1019b
Binary files /dev/null and b/assets/security.png differ
diff --git a/assets/template.yml b/assets/template.yml
new file mode 100644
index 0000000..ddea41c
--- /dev/null
+++ b/assets/template.yml
@@ -0,0 +1,2 @@
+---
+author: ONSdigital
diff --git a/configs/.checkov.yaml b/configs/.checkov.yaml
new file mode 100644
index 0000000..21a85bd
--- /dev/null
+++ b/configs/.checkov.yaml
@@ -0,0 +1,10 @@
+---
+compact: true
+download-external-modules: false
+evaluate-variables: true
+output: cli
+quiet: true
+soft-fail: false
+skip-check:
+ - CKV2_GHA_1 # Not needed
+summary-position: bottom
\ No newline at end of file
diff --git a/configs/.yaml-lint.yml b/configs/.yaml-lint.yml
new file mode 100644
index 0000000..e8d5d5e
--- /dev/null
+++ b/configs/.yaml-lint.yml
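Review bot: The skip of `CKV2_GHA_1` under `skip-check` in .checkov.yaml is justified only by `# Not needed`, which gives the next reader no way to judge whether it still applies. As far as I recall that check flags workflows whose top-level `permissions` is `write-all`; both workflows in this commit declare explicit scoped permission blocks, so they would pass it and the skip currently buys nothing while removing the guard for any workflow added later. Either delete the entry or replace the comment with the real reason, e.g. `- CKV2_GHA_1 # <reason the write-all permissions check cannot apply here>`.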
@@ -0,0 +1,59 @@
+---
+###########################################
+# These are the rules used for #
+# linting all the yaml files in the stack #
+# NOTE: #
+# You can disable line with: #
+# # yamllint disable-line #
+###########################################
+rules:
+ braces:
+ level: warning
+ min-spaces-inside: 0
+ max-spaces-inside: 0
+ min-spaces-inside-empty: 1
+ max-spaces-inside-empty: 5
+ brackets:
+ level: warning
+ min-spaces-inside: 0
+ max-spaces-inside: 0
+ min-spaces-inside-empty: 1
+ max-spaces-inside-empty: 5
+ colons:
+ level: warning
+ max-spaces-before: 0
+ max-spaces-after: 1
+ commas:
+ level: warning
+ max-spaces-before: 0
+ min-spaces-after: 1
+ max-spaces-after: 1
+ comments: disable
+ comments-indentation: disable
+ document-end: disable
+ document-start:
+ level: warning
+ present: true
+ empty-lines:
+ level: warning
+ max: 2
+ max-start: 0
+ max-end: 0
+ hyphens:
+ level: warning
+ max-spaces-after: 1
+ indentation:
+ level: warning
+ spaces: consistent
+ indent-sequences: true
+ check-multi-line-strings: false
+ key-duplicates: enable
+ line-length:
+ level: warning
+ max: 125
+ allow-non-breakable-words: true
+ allow-non-breakable-inline-mappings: true
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
\ No newline at end of file
diff --git a/configs/actionlint.yaml b/configs/actionlint.yaml
new file mode 100644
index 0000000..bfa10b3
--- /dev/null
+++ b/configs/actionlint.yaml
@@ -0,0 +1,3 @@
+
+config-variables:
+ 
\ No newline at end of file