diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e6d7d1c..08f6421 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -2,21 +2,47 @@ ##### Global Protection Rule ###### ################################### # NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below -* @hashgraph/hedera-smart-contracts +* @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers ############################# ##### Auth-Layer-Proxy ###### ############################# -/auth-layer-proxy/ @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts -/charts/auth-layer-proxy/ @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts +/auth-layer-proxy/ @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers +/charts/auth-layer-proxy/ @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers ############################### ##### Charts ###### ############################### -/charts/ @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts +/charts/ @AlfredoG87 @Nana-EC @beeradb @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers ############################### ##### Subgraphs ###### ############################### -/subgraphs/ @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts +/subgraphs/ @AlfredoG87 @Nana-EC @hashgraph/hedera-smart-contracts @hashgraph/release-engineering @hashgraph/release-engineering-managers +######################### +##### Core Files ###### +######################### + +# NOTE: Must be placed last to ensure enforcement over all other rules + +# Protection Rules for Github Configuration Files and Actions Workflows +/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers + +# Codacy Tool Configurations +/config/ @hashgraph/release-engineering @hashgraph/release-engineering-managers +.remarkrc 
@hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/LICENSE @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering @hashgraph/release-engineering-managers
+**/.gitignore.* @hashgraph/release-engineering @hashgraph/release-engineering-managers
\ No newline at end of file
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f32cb12
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: docker
+ directory: /auth-layer-proxy
+ schedule:
+ interval: daily
+
+ - package-ecosystem: npm
+ directory: /subgraphs/
+ schedule:
+ interval: daily
diff --git a/.github/workflows/auth-layer-chart-install.yml b/.github/workflows/auth-layer-chart-install.yml
index 68c052c..9abb806 100644
--- a/.github/workflows/auth-layer-chart-install.yml
+++ b/.github/workflows/auth-layer-chart-install.yml
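Review bot: Adding @hashgraph/release-engineering and @hashgraph/release-engineering-managers to the `*`, `/auth-layer-proxy/`, `/charts/` and `/subgraphs/` rules does not make their approval mandatory on those paths, because a code-owner review is satisfied by any one owner listed on the matching line. Only the new Core Files rules, which list the two release-engineering teams alone, restrict who can approve, and they depend on staying last in the file since the last matching pattern wins. I would extend the existing note to say so, e.g. `# NOTE: Must be placed last (last match wins); any rule added below this block overrides it`. None of this takes effect unless branch protection requires code-owner review, which is not visible in this diff.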
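Review bot: The npm entry points only at `directory: /subgraphs/`, and Dependabot looks for a manifest in the listed directory rather than in its subdirectories. The `.gitignore` hunk in this commit references `subgraphs/saucerswap/*/build/*`, which suggests the package manifests sit deeper than `/subgraphs/`; if so, this entry would find nothing to update and those dependencies would stay unmonitored. Confirm where the `package.json` files live and list each package directory as its own `updates` entry, or use the `directories` key with a glob.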
@@ -7,15 +7,39 @@ on: branches: [ main, release/*] tags: [ v* ] +defaults: + run: + shell: bash + +permissions: + contents: read + jobs: install: - runs-on: ubuntu-latest + name: Install + runs-on: [ self-hosted, Linux, medium, ephemeral ] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Setup Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: "3.10" + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: fetch-depth: 0 + - name: Install Helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + + - name: Install kubectl + uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + - name: Install k3d run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash @@ -24,10 +48,10 @@ jobs: timeout-minutes: 3 - name: Set up Docker Qemu - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Install ct - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Install chart run: ct install --helm-extra-args="--timeout 10m" --helm-extra-set-args="--set=global.auth.clientSecret=abcd1234" --charts charts/hedera-the-graph-auth-layer --config .github/ct.yaml diff --git a/.github/workflows/charts-lint.yml b/.github/workflows/charts-lint.yml index 0a9db13..9139bd4 100644 --- a/.github/workflows/charts-lint.yml +++ b/.github/workflows/charts-lint.yml 
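Review bot: The `Install k3d` step left unchanged at the end of the first hunk still pipes `install.sh` from the moving `main` branch of k3d-io/k3d straight into bash, which undoes the SHA pinning this commit applies to every `uses:` line and now runs on a self-hosted runner. Fetch the script from a fixed commit and verify it before executing, e.g. `curl --retry 3 -fsLo k3d-install.sh https://raw.githubusercontent.com/k3d-io/k3d/<COMMIT_SHA>/install.sh` followed by `echo "<SHA256_OF_SCRIPT>  k3d-install.sh" | sha256sum -c - && bash k3d-install.sh`. The installer also downloads a k3d release binary, and setting `TAG=<K3D_VERSION>` for it pins which one. The same step appears in hedera-the-graph-chart-install.yml.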
@@ -7,15 +7,36 @@ on: branches: [ main, release/*] tags: [ v* ] +defaults: + run: + shell: bash + +permissions: + contents: read + jobs: lint: - runs-on: ubuntu-latest + name: Lint + runs-on: [ self-hosted, Linux, medium, ephemeral ] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Setup Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: "3.10" + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 + + - name: Install Helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Install ct - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run lint run: ct lint --config .github/ct.yaml --all diff --git a/.github/workflows/hedera-the-graph-chart-install.yml b/.github/workflows/hedera-the-graph-chart-install.yml index 868c685..aa00660 100644 --- a/.github/workflows/hedera-the-graph-chart-install.yml +++ b/.github/workflows/hedera-the-graph-chart-install.yml @@ -1,4 +1,4 @@ -name: Hedera-TheGraph Charts +name: Charts on: pull_request: 
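Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections; it does not stop a compromised action or install script from reaching an arbitrary host. That is a reasonable first step, but every workflow touched by this commit uses the same setting and nothing marks it as temporary. Once the audit runs have produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints` list, and until then add a comment such as `# TODO: move to block once the endpoint baseline is recorded`.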
@@ -7,15 +7,39 @@ on: branches: [ main, release/*] tags: [ v* ] +defaults: + run: + shell: bash + +permissions: + contents: read + jobs: install: - runs-on: ubuntu-latest + name: Install + runs-on: [self-hosted, Linux, medium, ephemeral] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Setup Python + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + with: + python-version: "3.10" + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 with: fetch-depth: 0 + - name: Install Helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + + - name: Install kubectl + uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + - name: Install k3d run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash @@ -24,10 +48,10 @@ jobs: timeout-minutes: 3 - name: Set up Docker Qemu - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Install ct - uses: helm/chart-testing-action@v2.6.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Install chart run: ct install --helm-extra-args="--timeout 10m" --charts charts/hedera-the-graph --config .github/ct.yaml diff --git a/.github/workflows/proxy-tests.yml b/.github/workflows/proxy-tests.yml index d27c9db..e2d03c8 100644 --- a/.github/workflows/proxy-tests.yml +++ b/.github/workflows/proxy-tests.yml 
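Review bot: `runs-on: [self-hosted, Linux, medium, ephemeral]` moves a workflow that is triggered by `pull_request` (visible in the preceding hunk of this file) onto self-hosted infrastructure, so code from a pull request, including the chart under test and the scripts the job downloads, executes on runners the organisation operates. The `ephemeral` label suggests single-use runners, but a label is only a routing hint and nothing in the diff shows how the runners are provisioned. Please confirm that each runner is destroyed after one job and that workflow runs from fork pull requests need maintainer approval, and record that next to the label, e.g. `# runners are single-use; fork PR runs require approval`. The other workflows in this commit that appear to run on pull requests have the same exposure.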
@@ -5,37 +5,67 @@ on: branches: [ main, release/**] push: branches: [ main, release/*] - tags: [ v* ] + tags: [ v*, v*.*.* ] + +defaults: + run: + shell: bash + +permissions: + contents: read jobs: proxy-tests: - runs-on: ubuntu-latest + name: Proxy Tests + runs-on: [self-hosted, Linux, medium, ephemeral] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - - name: Install Lua - uses: leafo/gh-actions-lua@v8 - with: - luaVersion: '5.3' + ############# + # Note: leafo/gh-actions-lua doesn't seem to work with self-hosted runners + # See issue #33 https://github.com/leafo/gh-actions-lua/issues/33 + + #- name: Install Lua + # uses: leafo/gh-actions-lua@35bcb06abec04ec87df82e08caa84d545348536e # v10.0.0 + # with: + # luaVersion: '5.3' + + #- name: Install LuaRocks + # uses: leafo/gh-actions-luarocks@e65774a6386cb4f24e293dca7fc4ff89165b64c5 # v4.3.0 + ############## + + - name: Lua Install + run: | + sudo apt-get update + sudo apt-get install build-essential libreadline-dev lua5.3 liblua5.3-dev -y - - name: Install LuaRocks - uses: leafo/gh-actions-luarocks@v4 + - name: Luarocks Install + run: | + sudo apt-get update && sudo apt-get install wget -y + wget https://luarocks.org/releases/luarocks-3.8.0.tar.gz + tar xzfp luarocks-3.8.0.tar.gz; cd luarocks-3.8.0 + ./configure && make && sudo make install - name: Install lunatest - run: luarocks install lunatest + run: sudo luarocks install lunatest - name: Install luacov - run: luarocks install luacov + run: sudo luarocks install luacov - name: Install luacov-console - run: luarocks install luacov-console + run: sudo luarocks install luacov-console - name: Install cjson - run: luarocks install lua-cjson + run: sudo luarocks install lua-cjson - name: Install luasocket - run: luarocks install luasocket 
+ run: sudo luarocks install luasocket - name: Run tests run: lua test.lua diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml index 7641396..d7671f5 100644 --- a/.github/workflows/release-integration.yml +++ b/.github/workflows/release-integration.yml @@ -5,35 +5,48 @@ on: branches: [ main ] workflow_dispatch: +defaults: + run: + shell: bash + +permissions: + contents: read + env: OWNER: hashgraph REGISTRY: ghcr.io jobs: publish: - runs-on: ubuntu-latest + name: Publish + runs-on: [self-hosted, Linux, medium, ephemeral] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Qemu - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 with: driver-opts: network=host - name: Build and push images - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: ./auth-layer-proxy file: ./auth-layer-proxy/Dockerfile diff --git a/.github/workflows/release-production.yml b/.github/workflows/release-production.yml index e818e57..fbcdacb 100644 --- a/.github/workflows/release-production.yml +++ b/.github/workflows/release-production.yml 
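Review bot: The `Luarocks Install` step downloads `luarocks-3.8.0.tar.gz` and runs `./configure && make && sudo make install` on it without verifying the archive, so whatever the server returns is built and installed as root. Add a digest check between the download and the extraction, e.g. `echo "<SHA256_OF_TARBALL>  luarocks-3.8.0.tar.gz" | sha256sum -c -`. The rocks that follow (`lunatest`, `luacov`, `luacov-console`, `lua-cjson`, `luasocket`) are now installed with `sudo` and without a version, so each run takes whatever is latest and runs its build steps as root; give each install an explicit version. The commented-out leafo steps could be reduced to a one-line reference to the linked issue.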
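Review bot: The new top-level `permissions: contents: read` sets every other GITHUB_TOKEN scope to none, yet the `publish` job logs in to ghcr.io with `secrets.GITHUB_TOKEN` and has a step named "Build and push images". Pushing to GitHub Container Registry with that token needs `packages: write`, so the push is likely to be rejected unless the scope is granted somewhere not shown. Keep the restrictive default and add a job-level block under `publish:` with the three lines `permissions:`, `contents: read` and `packages: write`. The same applies to the `docker-image-publish` job in release-production.yml; the `with:` arguments of the build step continue outside the hunk, so whether `push` is enabled is not visible here.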
@@ -2,7 +2,14 @@ name: Release Production Environment on: push: - tags: [ v* ] + tags: [ v*, v*.*.* ] + +defaults: + run: + shell: bash + +permissions: + contents: read env: OWNER: hashgraph @@ -11,32 +18,38 @@ env: jobs: docker-image-publish: - runs-on: ubuntu-latest + name: Publish Docker Image + runs-on: [self-hosted, Linux, medium, ephemeral] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3 - name: Get tag run: echo "TAG=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV - name: Login to GitHub Container Registry - uses: docker/login-action@v2 + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Qemu - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 with: driver-opts: network=host - name: Build and push auth-layer-proxy image - uses: docker/build-push-action@v2 + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 with: context: ./auth-layer-proxy file: ./auth-layer-proxy/Dockerfile diff --git a/.gitignore b/.gitignore index 283d45e..1fe52c5 100644 --- a/.gitignore +++ b/.gitignore @@ -151,4 +151,7 @@ auth-layer-proxy/tests/luacov.stats.out # subgraphs buid files subgraphs/saucerswap/*/build/* subgraphs/saucerswap/*/generated/* -subgraphs/saucerswap/*/src/types/* \ No newline at end of file +subgraphs/saucerswap/*/src/types/* + +### Ignore all Jetbrains IDE files +.idea/
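Review bot: `tags: [ v*, v*.*.* ]` in the first hunk is no stricter than before, because `v*` already matches everything `v*.*.*` does, so any tag beginning with `v` still starts a production release. If the intent is to release only on version-shaped tags, drop the broad pattern and keep `tags: [ 'v*.*.*' ]`, quoted so the value is always read as a plain string. The `Get tag` step in the second hunk appends to an unquoted `$GITHUB_ENV`; `>> "$GITHUB_ENV"` is the safer habit. The same trigger change is made in proxy-tests.yml.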