chore: add project scaffolding (#1)

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Create a bug report to help us improve
+title: ""
+labels: ["bug"]
+assignees: ''
+---
+
+#### Describe the bug
+<!-- A clear and concise description of what the bug is. -->
+
+#### To Reproduce
+<!-- Steps that can be taken to reproduce the behaviour -->
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+#### Expected behavior
+<!-- A clear and concise description of what you expected to happen. -->
+
+#### Screenshots
+<!-- If applicable, add screenshots to help explain your problem. -->
+
+#### Logs
+<!-- If applicable, add logs to help explain your problem. -->
+
+#### Environment
+
+- Software version: <!-- e.g. 1.2.1 -->
+- Environment information: <!-- e.g. Ubuntu 24.04 -->
+
+#### Additional context
+
+<!-- Add any other context about the problem here. -->

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+# Description
+
+Please include a summary of the change. Please also include relevant motivation and context. List any dependencies that are required for this change.
+
+# Checklist:
+
+- [ ] My code follows the [style guidelines](/CONTRIBUTING.md) of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have made corresponding changes to the documentation
+- [ ] I have added tests that validate the behaviour of the software
+- [ ] I validated that new and existing unit tests pass locally with my changes
+- [ ] Any dependent changes have been merged and published in downstream modules

.github/workflows/build-rock.yaml

@@ -0,0 +1,17 @@
+name: Build ROCK
+
+on:
+  workflow_call:
+
+jobs:
+  build-rock:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - uses: canonical/craft-actions/rockcraft-pack@main
+        id: rockcraft
+      - uses: actions/upload-artifact@v4
+        with:
+          name: rock
+          path: ${{ steps.rockcraft.outputs.rock }}

.github/workflows/dependabot_pr.yaml

@@ -0,0 +1,26 @@
+name: "Dependabot Auto Approve and Merge"
+
+on:
+  pull_request:
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Approve a PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+     # This step will allow Github to auto-merge the PR if branch protection rules are satisfied.
+     # Branch protection rules should require status checks to pass before merging including all required workflows.
+      - name: Enable auto-merge
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/lint-pr.yml

@@ -0,0 +1,20 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -0,0 +1,78 @@
+name: Main workflow
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Build
+        run: go build ./...
+
+  go-vet:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Go vet
+        run: go vet ./...
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.54
+
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Unit tests
+        run: go test -cover ./...
+
+  rock-build:
+    needs: 
+      - build
+      - go-vet
+      - lint
+      - unit-tests
+    uses: ./.github/workflows/build-rock.yaml
+
+  rock-scan:
+    if: github.ref_name == 'main'
+    needs: rock-build
+    uses: ./.github/workflows/scan-rock.yaml
+
+  publish:
+    if: github.ref_name == 'main'
+    needs: [rock-build]
+    uses: ./.github/workflows/publish-rock.yaml

.github/workflows/publish-rock.yaml

@@ -0,0 +1,39 @@
+name: Publish ROCK
+
+on:
+  workflow_call:
+
+jobs:
+  publish-rock:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+      - uses: actions/download-artifact@v4
+        with:
+          name: rock
+
+      - name: Import and push to github package
+        run: |
+          image_name="$(yq '.name' rockcraft.yaml)"
+          version="$(yq '.version' rockcraft.yaml)"
+          rock_file=$(ls *.rock | tail -n 1)
+          sudo skopeo \
+            --insecure-policy \
+            copy \
+            oci-archive:"${rock_file}" \
+            docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+          docker tag ghcr.io/canonical/${image_name}:${version} ghcr.io/canonical/${image_name}:latest
+          docker push ghcr.io/canonical/${image_name}:${version}
+          docker push ghcr.io/canonical/${image_name}:latest

.github/workflows/scan-rock.yaml

@@ -0,0 +1,48 @@
+name: Scan
+
+on:
+  workflow_call:
+
+jobs:
+  scan:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+
+      - name: Install yq
+        run: |
+          sudo snap install yq
+
+      - uses: actions/download-artifact@v4
+        with:
+          name: rock
+
+      - name: Import
+        run: |
+          image_name="$(yq '.name' rockcraft.yaml)"
+          echo "image_name=${image_name}" >> $GITHUB_ENV
+          version="$(yq '.version' rockcraft.yaml)"
+          echo "version=${version}" >> $GITHUB_ENV
+          rock_file=$(ls *.rock | tail -n 1)
+          sudo skopeo \
+            --insecure-policy \
+            copy \
+            oci-archive:"${rock_file}" \
+            docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/canonical/${{env.image_name}}:${{env.version}}"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

CODEOWNERS

@@ -0,0 +1 @@
+*       @canonical/tls

CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+## Getting Started
+
+1. Fork the repository on GitHub
+2. Clone the forked repository to your local machine
+3. Build the project: `go build ./...`
+4. Run the project: `./gocert`
+
+## Testing
+
+### Unit Tests
+
+```bash
+go test ./...
+```
+
+### Lint
+
+```bash
+golangci-lint run ./...
+```
+
+## Container image
+
+```bash
+rockcraft pack -v
+version=$(yq '.version' rockcraft.yaml)
+sudo skopeo --insecure-policy copy oci-archive:gocert_${version}_amd64.rock docker-daemon:gocert:${version}
+docker run gocert:${version}
+```

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2024 Canonical Ltd.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1 +1,10 @@
-# gocert
+# gocert
+
+GoCert is a certificate management tool.
+
+## Installation
+
+```bash
+docker pull ghcr.io/canonical/gocert:latest
+docker run -it ghcr.io/canonical/gocert:latest
+```

cmd/gocert/main.go

@@ -0,0 +1,5 @@
+package main
+
+func main() {
+	// ...
+}

go.mod

@@ -0,0 +1,3 @@
+module github.com/canonical/gocert
+
+go 1.22.1

rockcraft.yaml

@@ -0,0 +1,27 @@
+name: gocert
+base: bare
+build-base: [email protected]
+version: '0.0.1'
+summary: A certificate management tool
+description: |
+  A certificate management tool.
+license: Apache-2.0
+platforms:
+  amd64:
+  arm64:
+
+services:
+  gocert:
+    command: gocert
+    override: replace
+    startup: enabled
+
+parts:
+  gocert:
+    source: .
+    plugin: go
+    build-snaps:
+      - go/1.22/stable
+    stage-packages:
+      - ca-certificates_data
+      - libc6_libs