diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..5fa2d92
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Create a bug report to help us improve
+title: ""
+labels: ["bug"]
+assignees: ''
+---
+
+#### Describe the bug
+
+
+#### To Reproduce
+
+
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+#### Expected behavior
+
+
+#### Screenshots
+
+
+#### Logs
+
+
+#### Environment
+
+- Software version:
+- Environment information:
+
+#### Additional context
+
+
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..85291cf
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..e6cf2e4
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,12 @@
+# Description
+
+Please include a summary of the change. Please also include relevant motivation and context. List any dependencies that are required for this change.
+
+# Checklist:
+
+- [ ] My code follows the [style guidelines](/CONTRIBUTING.md) of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have made corresponding changes to the documentation
+- [ ] I have added tests that validate the behaviour of the software
+- [ ] I validated that new and existing unit tests pass locally with my changes
+- [ ] Any dependent changes have been merged and published in downstream modules
diff --git a/.github/workflows/build-rock.yaml b/.github/workflows/build-rock.yaml
new file mode 100644
index 0000000..a7eda9f
--- /dev/null
+++ b/.github/workflows/build-rock.yaml
@@ -0,0 +1,17 @@
+name: Build ROCK
+
+on:
+ workflow_call:
+
+jobs:
+ build-rock:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - uses: canonical/craft-actions/rockcraft-pack@main
+ id: rockcraft
+ - uses: actions/upload-artifact@v4
+ with:
+ name: rock
+ path: ${{ steps.rockcraft.outputs.rock }}
diff --git a/.github/workflows/dependabot_pr.yaml b/.github/workflows/dependabot_pr.yaml
new file mode 100644
index 0000000..845ef0d
--- /dev/null
+++ b/.github/workflows/dependabot_pr.yaml
@@ -0,0 +1,26 @@
+name: "Dependabot Auto Approve and Merge"
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: write
+
+jobs:
+ auto-merge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Approve a PR
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ # This step will allow Github to auto-merge the PR if branch protection rules are satisfied.
+ # Branch protection rules should require status checks to pass before merging including all required workflows.
+ - name: Enable auto-merge
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
new file mode 100644
index 0000000..d54e174
--- /dev/null
+++ b/.github/workflows/lint-pr.yml
@@ -0,0 +1,20 @@
+name: "Lint PR"
+
+on:
+ pull_request_target:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+permissions:
+ pull-requests: read
+
+jobs:
+ main:
+ name: Validate PR title
+ runs-on: ubuntu-latest
+ steps:
+ - uses: amannn/action-semantic-pull-request@v5
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..ed4ca69
--- /dev/null
+++ b/.github/workflows/main.yml
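Review bot: `uses: canonical/craft-actions/rockcraft-pack@main` resolves the packing action from a moving branch, so the rock that is later scanned and pushed to ghcr.io is produced by whatever that branch contains at run time; pin it to a release tag or, preferably, a full commit SHA with a version comment, e.g. `uses: canonical/craft-actions/rockcraft-pack@<commit-sha>  # <release-tag>`, which also lets the `github-actions` Dependabot entry in .github/dependabot.yml track it (branch references are not bumped). The same applies to `aquasecurity/trivy-action@master` in scan-rock.yaml. The job also declares no `permissions:` and so inherits the repository's default token scope; `permissions: contents: read` is all that checkout and upload-artifact need here.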
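Review bot: The `auto-merge` job approves and enables auto-merge for every Dependabot pull request, because `if: github.actor == 'dependabot[bot]'` is the only condition; a major-version bump of a Go module or of an action is merged exactly like a patch release as soon as the required checks pass. If that is not intended, add a `dependabot/fetch-metadata` step and gate both `gh pr` steps on its `update-type` output, e.g. `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`. The comment above the enable step correctly states the dependence on branch protection, but nothing in this workflow can verify that a required-status-checks rule exists, and the `contents: write` token will merge whatever the rule allows; it would be worth naming the required checks in that comment so the dependency is auditable.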
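Review bot: `amannn/action-semantic-pull-request@v5` runs under `pull_request_target`, i.e. with the base repository's token on pull requests coming from forks, while being resolved from a mutable tag; the declared `permissions: pull-requests: read` keeps the exposure small, but pinning to a full commit SHA (`uses: amannn/action-semantic-pull-request@<commit-sha>  # v5`) removes the reliance on the tag not moving. The job correctly does not check out the PR head, which is the main hazard of this trigger; a one-line comment such as `# pull_request_target: never add a checkout of the PR head to this job` would keep that from being undone later.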
@@ -0,0 +1,78 @@
+name: Main workflow
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: "go.mod"
+
+ - name: Build
+ run: go build ./...
+
+ go-vet:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: "go.mod"
+
+ - name: Go vet
+ run: go vet ./...
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: "go.mod"
+
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v3
+ with:
+ version: v1.54
+
+ unit-tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: "go.mod"
+
+ - name: Unit tests
+ run: go test -cover ./...
+
+ rock-build:
+ needs:
+ - build
+ - go-vet
+ - lint
+ - unit-tests
+ uses: ./.github/workflows/build-rock.yaml
+
+ rock-scan:
+ if: github.ref_name == 'main'
+ needs: rock-build
+ uses: ./.github/workflows/scan-rock.yaml
+
+ publish:
+ if: github.ref_name == 'main'
+ needs: [rock-build]
+ uses: ./.github/workflows/publish-rock.yaml
diff --git a/.github/workflows/publish-rock.yaml b/.github/workflows/publish-rock.yaml
new file mode 100644
index 0000000..0de6fa6
--- /dev/null
+++ b/.github/workflows/publish-rock.yaml
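Review bot: `publish` depends only on `rock-build`, so it runs concurrently with `rock-scan` and the image is pushed to ghcr.io regardless of, and usually before, the Trivy result; if the scan is meant to gate the release, change the last job to `needs: [rock-build, rock-scan]` and make scan-rock.yaml fail on findings. The workflow also declares no `permissions:`, and a called reusable workflow cannot be granted more than its caller, so whether the registry push and the SARIF upload work currently depends on the repository's default token scope; declaring `permissions: { contents: read, packages: write }` on `publish` and `permissions: { contents: read, security-events: write }` on `rock-scan`, with `contents: read` on the remaining jobs, makes the grant explicit and minimal. `if: github.ref_name == 'main'` is correct for the push trigger; on `pull_request` events the ref name is the merge ref, so these two jobs are skipped there as intended.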
@@ -0,0 +1,39 @@
+name: Publish ROCK
+
+on:
+ workflow_call:
+
+jobs:
+ publish-rock:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+ - uses: actions/download-artifact@v4
+ with:
+ name: rock
+
+ - name: Import and push to github package
+ run: |
+ image_name="$(yq '.name' rockcraft.yaml)"
+ version="$(yq '.version' rockcraft.yaml)"
+ rock_file=$(ls *.rock | tail -n 1)
+ sudo skopeo \
+ --insecure-policy \
+ copy \
+ oci-archive:"${rock_file}" \
+ docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+ docker tag ghcr.io/canonical/${image_name}:${version} ghcr.io/canonical/${image_name}:latest
+ docker push ghcr.io/canonical/${image_name}:${version}
+ docker push ghcr.io/canonical/${image_name}:latest
diff --git a/.github/workflows/scan-rock.yaml b/.github/workflows/scan-rock.yaml
new file mode 100644
index 0000000..3cb0efc
--- /dev/null
+++ b/.github/workflows/scan-rock.yaml
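Review bot: The job that holds the ghcr.io push credential installs its tooling with `sudo snap install --devmode --channel edge skopeo`, i.e. an unconfined build from an unstable channel, and then runs it as root with `--insecure-policy`; for a publishing step prefer a stable channel or a pinned revision without `--devmode`, and document the flag with a comment such as `# --insecure-policy: the source is the local oci-archive built in this run, so there is no signature policy to evaluate` so it reads as deliberate rather than forgotten. `rock_file=$(ls *.rock | tail -n 1)` silently picks one file if the downloaded artifact ever contains several rocks; failing when more than one `.rock` is present would be safer. Unlike scan-rock.yaml this job never installs `yq` yet calls it in the last step, so it presumably relies on the runner image shipping it — worth a comment or an explicit install for consistency. Tagging the pushed image with `${{ github.sha }}` in addition to `${version}` and `latest` would make each published image traceable to its commit.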
@@ -0,0 +1,48 @@
+name: Scan
+
+on:
+ workflow_call:
+
+jobs:
+ scan:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+
+ - name: Install yq
+ run: |
+ sudo snap install yq
+
+ - uses: actions/download-artifact@v4
+ with:
+ name: rock
+
+ - name: Import
+ run: |
+ image_name="$(yq '.name' rockcraft.yaml)"
+ echo "image_name=${image_name}" >> $GITHUB_ENV
+ version="$(yq '.version' rockcraft.yaml)"
+ echo "version=${version}" >> $GITHUB_ENV
+ rock_file=$(ls *.rock | tail -n 1)
+ sudo skopeo \
+ --insecure-policy \
+ copy \
+ oci-archive:"${rock_file}" \
+ docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "ghcr.io/canonical/${{env.image_name}}:${{env.version}}"
+ format: "sarif"
+ output: "trivy-results.sarif"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..fa6c4c4
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @canonical/tls
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..bb22e2b
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,31 @@
+# Contributing
+
+## Getting Started
+
+1. Fork the repository on GitHub
+2. Clone the forked repository to your local machine
+3. Build the project: `go build ./...`
+4. Run the project: `./gocert`
+
+## Testing
+
+### Unit Tests
+
+```bash
+go test ./...
+```
+
+### Lint
+
+```bash
+golangci-lint run ./...
+```
+
+## Container image
+
+```bash
+rockcraft pack -v
+version=$(yq '.version' rockcraft.yaml)
+sudo skopeo --insecure-policy copy oci-archive:gocert_${version}_amd64.rock docker-daemon:gocert:${version}
+docker run gocert:${version}
+```
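Review bot: The Trivy step sets no `exit-code` or `severity` input, so the job succeeds whatever the scanner finds and the SARIF upload is the only outcome; if the scan is meant to block a vulnerable image, add `exit-code: "1"` together with a threshold such as `severity: "CRITICAL,HIGH"` to the `with:` block (and have main.yml make `publish` depend on this job). `github/codeql-action/upload-sarif@v3` needs `security-events: write`, which neither this workflow nor its caller declares, so the upload presumably works only while the repository's default token is permissive; declaring it on the calling job keeps the grant explicit. In the Import step both `>> $GITHUB_ENV` redirections leave the variable unquoted; `>> "$GITHUB_ENV"` matches the quoting used for `$PR_URL` elsewhere, and the values written come from rockcraft.yaml, i.e. repository content, which is worth a one-line comment.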
diff --git a/LICENSE b/LICENSE index 261eeb9..8339295 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2024 Canonical Ltd. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index 364c6f0..a235bce 100644 --- a/README.md +++ b/README.md @@ -1 +1,10 @@ -# gocert \ No newline at end of file +# gocert + +GoCert is a certificate management tool. + +## Installation + +```bash +docker pull ghcr.io/canonical/gocert:latest +docker run -it ghcr.io/canonical/gocert:latest +``` diff --git a/cmd/gocert/main.go b/cmd/gocert/main.go new file mode 100644 index 0000000..ed53fd7 --- /dev/null +++ b/cmd/gocert/main.go @@ -0,0 +1,5 @@ +package main + +func main() { + // ... +} diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..50e6ec0 --- /dev/null +++ b/go.mod @@ -0,0 +1,3 @@ +module github.com/canonical/gocert + +go 1.22.1 diff --git a/rockcraft.yaml b/rockcraft.yaml new file mode 100644 index 0000000..3f9756c --- /dev/null +++ b/rockcraft.yaml @@ -0,0 +1,27 @@ +name: gocert +base: bare +build-base: ubuntu@22.04 +version: '0.0.1' +summary: A certificate management tool +description: | + A certificate management tool. +license: Apache-2.0 +platforms: + amd64: + arm64: + +services: + gocert: + command: gocert + override: replace + startup: enabled + +parts: + gocert: + source: . + plugin: go + build-snaps: + - go/1.22/stable + stage-packages: + - ca-certificates_data + - libc6_libs
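Review bot: The `gocert` service sets no user and the file declares no top-level `run-user`, so with `base: bare` the process runs as root inside the container; rockcraft supports `run-user: _daemon_`, which is the least-privilege choice for a service that, per `summary`, manages certificates — add it with a comment such as `# run the service as the unprivileged _daemon_ user` unless it must bind a privileged port. `platforms:` lists both `amd64` and `arm64`, while the CI packs on an amd64 runner and publish-rock.yaml pushes a single file chosen by `ls *.rock | tail -n 1`; whether an arm64 rock is actually produced and published is not visible from this diff and is worth confirming or trimming the platform list to what is built.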