.github: Init GitHub workflows (#3)

Signed-off-by: Stephen Augustus <[email protected]>

Author: justaugustus

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    groups:
+      github:
+        patterns:
+          - "actions/*"
+          - "github/*"
+    schedule:
+      interval: "weekly"

.github/settings.yml

@@ -0,0 +1,102 @@
+# These settings are synced to GitHub by https://probot.github.io/apps/settings/
+
+repository:
+  # See https://developer.github.com/v3/repos/#edit for all available settings.
+
+  # The name of the repository. Changing this will rename the repository
+  name: .github
+
+  # A short description of the repository that will show up on GitHub
+  description: Org-wide GitHub configurations
+
+  # A URL with more information about the repository
+  #homepage: https://example.github.io/
+
+  # A comma-separated list of topics to set on the repository
+  #topics: github, probot
+
+  # Either `true` to make the repository private, or `false` to make it public.
+  # private: false
+
+  # Either `true` to enable issues for this repository, `false` to disable them.
+  has_issues: true
+
+  # Either `true` to enable projects for this repository, or `false` to disable them.
+  # If projects are disabled for the organization, passing `true` will cause an API error.
+  has_projects: true
+
+  # Either `true` to enable the wiki for this repository, `false` to disable it.
+  has_wiki: false
+
+  # Either `true` to enable downloads for this repository, `false` to disable them.
+  has_downloads: true
+
+  # Updates the default branch for this repository.
+  default_branch: main
+
+  # Either `true` to allow squash-merging pull requests, or `false` to prevent
+  # squash-merging.
+  allow_squash_merge: true
+
+  # Either `true` to allow merging pull requests with a merge commit, or `false`
+  # to prevent merging pull requests with merge commits.
+  allow_merge_commit: true
+
+  # Either `true` to allow rebase-merging pull requests, or `false` to prevent
+  # rebase-merging.
+  allow_rebase_merge: true
+
+  # Either `true` to enable automatic deletion of branches on merge, or `false` to disable
+  delete_branch_on_merge: false
+
+  # Either `true` to enable automated security fixes, or `false` to disable
+  # automated security fixes.
+  enable_automated_security_fixes: true
+
+  # Either `true` to enable vulnerability alerts, or `false` to disable
+  # vulnerability alerts.
+  enable_vulnerability_alerts: true
+
+# See https://developer.github.com/v3/teams/#add-or-update-team-repository for available options
+teams:
+  # The permission to grant the team. Can be one of:
+  # * `pull` - can pull, but not push to or administer this repository.
+  # * `push` - can pull and push, but not administer this repository.
+  # * `admin` - can pull, push and administer this repository.
+  # * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
+  # * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
+  - name: org-admins
+    permission: admin
+
+branches:
+  - name: main
+    # https://developer.github.com/v3/repos/branches/#update-branch-protection
+    # Branch Protection settings. Set to null to disable
+    protection:
+      # Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
+      required_pull_request_reviews:
+        # The number of approvals required. (1-6)
+        required_approving_review_count: 1
+        # Dismiss approved reviews automatically when a new commit is pushed.
+        dismiss_stale_reviews: true
+        # Blocks merge until code owners have reviewed.
+        require_code_owner_reviews: true
+        # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
+        dismissal_restrictions:
+          users: []
+          teams: []
+      # Required. Require status checks to pass before merging. Set to null to disable
+      required_status_checks:
+        # Required. Require branches to be up to date before merging.
+        strict: true
+        # Required. The list of status checks to require in order to merge into this branch
+        contexts: []
+      # Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
+      enforce_admins: true
+      # Prevent merge commits from being pushed to matching branches
+      required_linear_history: true
+      # Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
+      restrictions:
+        apps: []
+        users: []
+        teams: []

.github/workflows/_lint.yml

@@ -0,0 +1,15 @@
+name: _lint
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: 🧹 lint yaml
+        uses: ibiqlik/action-yamllint@v3
+        with:
+          file_or_dir: "org/**/*.yaml"
+          config_file: ".yamllint.yml"

.github/workflows/_scorecard.yml

@@ -0,0 +1,42 @@
+name: _scorecard
+
+on:
+  workflow_call:
+    inputs:
+      publish-results:
+        description: Publish results of Scorecard analysis
+        type: boolean
+        required: false
+        default: true
+
+permissions:
+  id-token: none
+  security-events: none
+
+jobs:
+  scorecard:
+    runs-on: ubuntu-latest
+    permissions:
+        id-token: write
+        security-events: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - name: ✅ run scorecard analysis
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          publish_results: ${{ inputs.publish-results }}
+      - name: ⏫ upload sarif artifact
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: 📦 upload sarif results
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        with:
+          sarif_file: results.sarif

.github/workflows/_stale.yml

@@ -0,0 +1,58 @@
+name: _stale
+
+on:
+  workflow_call:
+    inputs:
+      days-until-stale:
+        type: number
+        required: false
+        default: 15
+      days-until-close:
+        type: number
+        required: false
+        default: 30
+      stale-label:
+        type: string
+        required: false
+        default: "stale"
+      exempt-label:
+        type: string
+        required: false
+        default: "keep"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 📆 mark stale activity
+        uses: actions/stale@v9
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-stale: ${{ inputs.days-until-stale }}
+          days-before-close: ${{ inputs.days-until-close }}
+          stale-issue-label: ${{ inputs.stale-label }}
+          stale-pr-label: ${{ inputs.stale-label }}
+          exempt-issue-labels: ${{ inputs.exempt-label }}
+          exempt-pr-labels: ${{ inputs.exempt-label }}
+          stale-issue-message: >
+            Thank you for your contribution! This issue has been automatically
+            marked as `stale` because it has no recent activity in the last
+            ${{ inputs.days-until-stale }} days. It will be closed in
+            ${{ inputs.days-until-close }} days, if no further activity
+            occurs. If this issue is still relevant, please leave a comment to
+            let us know, and the `stale` label will be automatically removed.
+          stale-pr-message: >
+            Thank you for your contribution! This PR has been automatically
+            marked as `stale` because it has no recent activity in the last
+            ${{ inputs.days-until-stale }} days. It will be closed in
+            ${{ inputs.days-until-close }} days, if no further activity occurs.
+            If this pull request is still relevant, please leave a comment to 
+            let us know, and the `stale` label will be automatically removed.
+          close-issue-message: >
+            This issue has been marked `stale` for ${{ inputs.days-until-close }}
+            days, and is now closed due to inactivity. If the issue is still
+            relevant, please re-open this issue or file a new one. Thank you!
+          close-pr-message: >
+            This PR has been marked `stale` for ${{ inputs.days-until-close }}
+            days, and is now closed due to inactivity. If this contribution is
+            still relevant, please re-open this PR or file a new one. Thank you!

.github/workflows/clean-owners.yml

@@ -0,0 +1,26 @@
+name: clean-owners
+
+on:
+  # Scheduled trigger
+  schedule:
+    # Run weekly on Saturdays
+    - cron: "30 1 * * 6"
+  # Manual trigger
+  workflow_dispatch:
+
+permissions:
+  issues: none
+
+jobs:
+  clean-owners:
+    runs-on: ubuntu-latest
+    permissions:
+        issues: write
+    steps:
+      - name: 🧼 clean codeowners
+        uses: github/cleanowners@c8770cb9f4560fb0434af42607e4932155181b85 # no semver release yet
+        env:
+          GH_TOKEN: ${{ secrets.OSPO_SERVICE_TOKEN }}
+          ORGANIZATION: bloomberg
+          EXEMPT_REPOS: "bloomberg/.github, bloomberg/.allstar"
+          DRY_RUN: true

.github/workflows/contributor-report.yml

@@ -0,0 +1,52 @@
+name: contributor-report
+
+on:
+  # Scheduled trigger
+  schedule:
+    # Run the first day of the month at 00:00
+    - cron: "0 0 1 * *"
+  # Manual trigger
+  workflow_dispatch:
+
+permissions:
+  issues: none
+
+jobs:
+  contributor-report:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # Define orgs to report contributor activity
+        org:
+          [
+            "bloomberg",
+          ]
+    permissions:
+        # Required to create contributor report
+        issues: write
+    steps:
+      - name: 📅 calculate date
+        shell: bash
+        run: |
+          # Calculate the first day of the previous month
+          START_DATE=$(date -d "last month" +%Y-%m-01)
+          # Calculate the last day of the previous month
+          END_DATE=$(date -d "$START_DATE +1 month -1 day" +%Y-%m-%d)
+          # Set an environment variable with the date range
+          echo "START_DATE=$START_DATE" >> "$GITHUB_ENV"
+          echo "END_DATE=$END_DATE" >> "$GITHUB_ENV"
+      - name: 📰 run contributors action
+        uses: github/contributors@135b0430e856ade27175cbd1d4e1e11b0dd8ef95 # v1.4.3
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          START_DATE: ${{ env.START_DATE }}
+          END_DATE: ${{ env.END_DATE }}
+          ORGANIZATION: ${{ matrix.org }}
+          LINK_TO_PROFILE: "True"
+      - name: 📥 create issue
+        uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0
+        with:
+          title: "📰 Monthly Contributor Report: ${{ matrix.org }}"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          content-filepath: "./contributors.md"
+          assignees: ${{ github.actor }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+name: dependency-review
+
+on:
+  pull_request:
+
+permissions:
+  contents: none
+  pull-requests: none
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 🔒 harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+            egress-policy: audit
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 🔂 dependency review
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        with:
+            deny-licenses: AGPL-3.0
+            fail-on-severity: moderate
+            comment-summary-in-pr: true

.github/workflows/evergreen-check.yml

@@ -0,0 +1,51 @@
+name: evergreen-check
+
+on:
+  # Scheduled trigger
+  schedule:
+    # Run weekly on Saturdays
+    - cron: "30 1 * * 6"
+  # Manual trigger
+  workflow_dispatch:
+
+permissions:
+  pull-requests: none
+  issues: none
+
+jobs:
+  evergreen-check:
+    runs-on: ubuntu-latest
+    permissions:
+      # Required to create pull requests
+      pull-requests: write
+      # Required to create issues
+      issues: write
+    steps:
+      # - name: 📅 calculate date
+      #   shell: bash
+      #   run: |
+      #     # Get the current date
+      #     CURRENT_DATE=$(date +'%Y-%m-%d')
+      #     # Calculate the previous month
+      #     PREVIOUS_DATE=$(date -d "$CURRENT_DATE -7 day" +'%Y-%m-%d')
+      #     echo "$PREVIOUS_DATE..$CURRENT_DATE"
+      #     # Create env variable for next step
+      #     echo "ONE_WEEK_AGO=$PREVIOUS_DATE" >> "$GITHUB_ENV"
+      - name: 🌲 evergreen check
+        uses: github/evergreen@89980256962fae821ba73ae35c9e0216e6bb674f # v1.11.1
+        env:
+          GH_TOKEN: ${{ secrets.OSPO_SERVICE_TOKEN }}
+          ORGANIZATION: bloomberg
+          EXEMPT_REPOS: "bloomberg/.github, bloomberg/.allstar"
+          TYPE: pull
+          TITLE: ".github: Add Dependabot configuration"
+          BODY: |
+            👋 This pull request was generated using GitHub's [Evergreen Action](https://github.com/github/evergreen) to enable [Dependabot](https://github.com/dependabot).
+
+            Dependabot helps open source maintainers automatically manage dependencies and security updates.
+
+            📖 Check out the official documentation for configuring Dependabot [here](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)!
+          COMMIT_MESSAGE: ".github: Add Dependabot configuration"
+          # CREATED_AFTER_DATE: ${{ env.ONE_WEEK_AGO }}
+          GROUP_DEPENDENCIES: true
+          ENABLE_SECURITY_UPDATES: false