From 231d7826f296952cb26537bdbd99f932939f0c9e Mon Sep 17 00:00:00 2001
From: Cecilia Liu
Date: Tue, 6 Aug 2024 15:02:11 -0500
Subject: [PATCH] MAT-7052 add github workflow
---
.github/CODEOWNERS | 2 ++
.github/pull_request_template.md | 26 ++++++++++++++++++
.github/workflows/gitleaks.yml | 29 ++++++++++++++++++++
.github/workflows/maven-ci.yml | 46 ++++++++++++++++++++++++++++++++
4 files changed, 103 insertions(+)
create mode 100644 .github/CODEOWNERS
create mode 100644 .github/pull_request_template.md
create mode 100644 .github/workflows/gitleaks.yml
create mode 100644 .github/workflows/maven-ci.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..076ee47
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Code owners:
+* @MeasureAuthoringTool/madie-developers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..cd6eefc
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,26 @@
+## CQL to ELM Translation Service PR
+
+Jira Ticket: [MAT-0000](https://jira.cms.gov/browse/MAT-0000)
+(Optional) Related Tickets:
+
+### Summary
+
+### All Submissions
+* [ ] This PR has the JIRA linked.
+* [ ] Required tests are included.
+* [ ] No extemporaneous files are included (i.e Complied files or testing results).
+* [ ] This PR is merging into the **correct branch**.
+* [ ] All Documentation needed for this PR is Complete (or noted in a TODO or other Ticket).
+* [ ] Any breaking changes or failing automations are noted by placing a comment on this PR.
+
+### DevSecOps
+If there is a question if this PR has a security or infrastructure impact, please contact the Security or DevOps engineer assigned to this project to discuss it further.
+
+* [ ] This PR has NO significant security impact (i.e Changing auth methods, Adding a new user type, Adding a required but vulnerable package).
+
+### Reviewers
+By Approving this PR you are attesting to the following:
+
+* Code is maintainable and reusable, reuses existing code and infrastructure where appropriate, and accomplishes the task’s purpose.
+* The tests appropriately test the new code, including edge cases.
+* If you have any concerns they are brought up either to the developer assigned, security engineer, or leads.
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..c9ffe33
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,29 @@
+# @format
+
+name: Github Secrets Scanner
+
+on: [push]
+
+jobs:
+ gitleaks_scan:
+ runs-on: ubuntu-latest
+ env:
+ REPO: https://github.com/MeasureAuthoringTool/madie-fhir-elm-translator
+ REMOTE_EXCLUDES_URL: https://raw.githubusercontent.com/semanticbits/bmat-gitleaks-automation/master/madie-fhir-elm-translator/gitleaks.toml
+ GITLEAKS_VERSION: v7.5.0
+ steps:
+ - name: Execute Gitleaks
+ run: |
+ wget ${REMOTE_EXCLUDES_URL} -O gitleaks.toml
+ wget https://github.com/zricethezav/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks-linux-amd64 -O gitleaks
+ chmod +x gitleaks
+ echo ${GITHUB_SHA}
+ echo "gitleaks --repo-url=${REPO} -v --redact --commit=${GITHUB_SHA} --config-path=gitleaks.toml"
+ ./gitleaks --repo-url=${REPO} -v --redact --commit=${GITHUB_SHA} --config-path=gitleaks.toml
+ - name: Slack notification
+ if: failure()
+ env:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ uses: Ilshidur/action-slack@master
+ with:
+ args: "Potential Secrets found in: https://github.com/{{ GITHUB_REPOSITORY }}/commit/{{ GITHUB_SHA }} Link to build with full gitleaks output: https://github.com/{{ GITHUB_REPOSITORY }}/commit/{{ GITHUB_SHA }}/checks"
diff --git a/.github/workflows/maven-ci.yml b/.github/workflows/maven-ci.yml
new file mode 100644
index 0000000..ba9fa43
--- /dev/null
+++ b/.github/workflows/maven-ci.yml
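Review bot: The `Slack notification` step hands `SLACK_WEBHOOK` to `uses: Ilshidur/action-slack@master`, a third-party action tracked by a mutable branch, so anyone who can push to that branch decides what code runs with the webhook in its environment; pin it to a full commit SHA, e.g. `uses: Ilshidur/action-slack@<full-commit-sha>  # <release-tag>`. The `Execute Gitleaks` step likewise downloads the scanner binary and the allowlist `gitleaks.toml` from a remote `master` branch and runs them unverified, so a tampered config could silently suppress findings; verify the release binary against its published digest before `chmod +x gitleaks`, e.g. `echo "<expected-sha256>  gitleaks" | sha256sum -c -`, and point `REMOTE_EXCLUDES_URL` at a commit rather than `master`. The job declares no `permissions:`, so it inherits the repository's default token scope although nothing in it uses the token; a top-level `permissions: {}` (or `contents: read`) keeps the scanner least-privilege.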
@@ -0,0 +1,46 @@
+name: Java CI
+
+on:
+ push:
+ branches: [master, develop]
+ pull_request:
+ branches: [master, develop]
+
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'corretto'
+ java-version: '17'
+
+# Github Authentication is required to download artifacts from github packages
+# A secret is created for this repo, so that github actions can fetch it, the secret is named after GH_PAT_FOR_ACTIONS_TOKEN
+ - name: maven-settings
+ uses: s4u/maven-settings-action@v2
+ with:
+ servers: '[{"id": "github", "username": "madieUser", "password": "${GITHUB_TOKEN_REF}"}]'
+ githubServer: false
+
+ - name: Build with Maven
+ run: mvn clean install --file pom.xml
+ env:
+ GITHUB_TOKEN_REF: ${{ secrets.GH_PAT_FOR_ACTIONS_TOKEN }}
+
+
+ - name: Upload coverage reports to Codecov
+ uses: codecov/codecov-action@v3
+
+ - name: Cache local Maven repository
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
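Review bot: The `Cache local Maven repository` step is the last step of the job, after `Build with Maven`, so its restore only runs once the build has already downloaded every dependency and the cache never shortens a run; move the whole `actions/cache@v4` step (from `- name: Cache local Maven repository` through `${{ runner.os }}-maven-`) to sit before the `maven-settings` step, leaving the post-job save where it is. The `servers:` value passes the token as `"${GITHUB_TOKEN_REF}"`, but Maven's settings interpolation reads environment variables as `${env.NAME}`, so this looks like it will reach settings.xml unresolved and the Packages download will fail authentication — verify against the rendered settings, and if so write `"password": "${env.GITHUB_TOKEN_REF}"`. The workflow sets no `permissions:` although it runs on `pull_request` and holds a personal access token; add `permissions: contents: read` at the top level so the default `GITHUB_TOKEN` is not broader than the job needs. `codecov/codecov-action@v3` is used without a token, which only works for a public repository; the hunk does not show whether that holds here.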