ci: 53 update ci workflows for best practices and standards (#62)

Signed-off-by: Roger Barker <[email protected]>

.github/CODEOWNERS

@@ -2,21 +2,47 @@
 ##### Global Protection Rule ######
 ###################################
 # NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below
-*                                                 @hashgraph/hedera-smart-contracts
+*                                                 @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers
 
 #############################
 ##### Auth-Layer-Proxy ######
 #############################
-/auth-layer-proxy/                                @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts
-/charts/auth-layer-proxy/                         @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts
+/auth-layer-proxy/                                @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/charts/auth-layer-proxy/                         @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers
 
 ###############################
 #####       Charts       ######
 ###############################
-/charts/                                          @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts
+/charts/                                          @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers
 
 ###############################
 #####      Subgraphs     ######
 ###############################
-/subgraphs/                                       @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts
+/subgraphs/                                       @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers
 
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Codacy Tool Configurations
+/config/                                        @hashgraph/release-engineering @hashgraph/release-engineering-managers
+.remarkrc                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /auth-layer-proxy
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /subgraphs/
+    schedule:
+      interval: daily

.github/workflows/auth-layer-chart-install.yml

@@ -7,15 +7,39 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   install:
-    runs-on: ubuntu-latest
+    name: Install
+    runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           fetch-depth: 0
 
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Install kubectl
+        uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
+
       - name: Install k3d
         run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
 
@@ -24,10 +48,10 @@ jobs:
         timeout-minutes: 3
 
       - name: Set up Docker Qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Install ct
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Install chart
         run: ct install --helm-extra-args="--timeout 10m" --helm-extra-set-args="--set=global.auth.clientSecret=abcd1234" --charts charts/hedera-the-graph-auth-layer --config .github/ct.yaml

.github/workflows/charts-lint.yml

@@ -7,15 +7,36 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    name: Lint
+    runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
       - name: Install ct
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Run lint
         run: ct lint --config .github/ct.yaml --all

.github/workflows/hedera-the-graph-chart-install.yml

@@ -1,4 +1,4 @@
-name: Hedera-TheGraph Charts
+name: Charts
 
 on:
   pull_request:
@@ -7,15 +7,39 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   install:
-    runs-on: ubuntu-latest
+    name: Install
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           fetch-depth: 0
 
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Install kubectl
+        uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
+
       - name: Install k3d
         run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
 
@@ -24,10 +48,10 @@ jobs:
         timeout-minutes: 3
 
       - name: Set up Docker Qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Install ct
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Install chart
         run: ct install --helm-extra-args="--timeout 10m" --charts charts/hedera-the-graph --config .github/ct.yaml

.github/workflows/proxy-tests.yml

@@ -5,37 +5,67 @@ on:
       branches: [ main, release/**]
     push:
       branches: [ main, release/*]
-      tags: [ v* ]
+      tags: [ v*, v*.*.* ]
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
 
 jobs:
     proxy-tests:
-        runs-on: ubuntu-latest
+        name: Proxy Tests
+        runs-on: [self-hosted, Linux, medium, ephemeral]
         steps:
+            - name: Harden Runner
+              uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+              with:
+                egress-policy: audit
+
             - name: Checkout repository
-              uses: actions/checkout@v3
+              uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
-            - name: Install Lua
-              uses: leafo/gh-actions-lua@v8
-              with:
-                luaVersion: '5.3'
+            #############
+            # Note: leafo/gh-actions-lua doesn't seem to work with self-hosted runners
+            # See issue #33 https://github.com/leafo/gh-actions-lua/issues/33
+
+            #- name: Install Lua
+            #  uses: leafo/gh-actions-lua@35bcb06abec04ec87df82e08caa84d545348536e # v10.0.0
+            #  with:
+            #    luaVersion: '5.3'
+
+            #- name: Install LuaRocks
+            #  uses: leafo/gh-actions-luarocks@e65774a6386cb4f24e293dca7fc4ff89165b64c5 # v4.3.0
+            ##############
+
+            - name: Lua Install
+              run: |
+                sudo apt-get update
+                sudo apt-get install build-essential libreadline-dev lua5.3 liblua5.3-dev -y
 
-            - name: Install LuaRocks
-              uses: leafo/gh-actions-luarocks@v4
+            - name: Luarocks Install
+              run: |
+                sudo apt-get update && sudo apt-get install wget -y
+                wget https://luarocks.org/releases/luarocks-3.8.0.tar.gz
+                tar xzfp luarocks-3.8.0.tar.gz; cd luarocks-3.8.0
+                ./configure && make && sudo make install
 
             - name: Install lunatest
-              run: luarocks install lunatest
+              run: sudo luarocks install lunatest
 
             - name: Install luacov
-              run: luarocks install luacov
+              run: sudo luarocks install luacov
 
             - name: Install luacov-console
-              run: luarocks install luacov-console
+              run: sudo luarocks install luacov-console
 
             - name: Install cjson
-              run: luarocks install lua-cjson
+              run: sudo luarocks install lua-cjson
 
             - name: Install luasocket
-              run: luarocks install luasocket
+              run: sudo luarocks install luasocket
 
             - name: Run tests
               run: lua test.lua              

.github/workflows/release-integration.yml

@@ -5,35 +5,48 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 env:
   OWNER: hashgraph
   REGISTRY: ghcr.io
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    name: Publish
+    runs-on: [self-hosted, Linux, medium, ephemeral]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0
         with:
           driver-opts: network=host
 
       - name: Build and push images
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: ./auth-layer-proxy
           file: ./auth-layer-proxy/Dockerfile