diff --git a/.github/project.yml b/.github/project.yml
index ecf4495..5589e2b 100644
--- a/.github/project.yml
+++ b/.github/project.yml
@@ -1,6 +1,13 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/cuioss/cuioss-organization/main/.github/actions/read-project-config/schema.json
 name: cui-jsf-test-basic
-pages-reference: cui-jsf-test-basic
-sonar-project-key: cuioss_cui-jsf-test-basic
+
 release:
   current-version: 4.1.1
-  next-version: 4.0-SNAPSHOT
\ No newline at end of file
+  next-version: 4.0-SNAPSHOT
+  create-github-release: true
+
+sonar:
+  project-key: cuioss_cui-jsf-test-basic
+
+pages:
+  reference: cui-jsf-test-basic
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..874a897
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,16 @@
+# Example: Copy this to your repo as .github/workflows/dependency-review.yml
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-dependency-review.yml@d38bc3643f0d0faa34ece1c2d854cf97f9a0abd4 # v0.2.8
+    permissions:
+      contents: read
+      pull-requests: write
diff --git a/.github/workflows/maven-release.yml b/.github/workflows/maven-release.yml
deleted file mode 100644
index ad9f8f0..0000000
--- a/.github/workflows/maven-release.yml
+++ /dev/null
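Review bot: `next-version: 4.0-SNAPSHOT` on the new side is lower than `current-version: 4.1.1`, so if the reusable release workflow feeds these values to release:prepare the way the removed maven-release.yml did, the development line would move backwards after the release; presumably something like `4.1.2-SNAPSHOT` or `4.2.0-SNAPSHOT` was intended — confirm against the release history. The value is carried over from the old file rather than introduced here, but this hunk rewrites the line and is the place to fix it. Separately, the `$schema` comment points at the organization repo's `main` branch while every reusable workflow in this commit is pinned to a commit SHA; it only drives editor validation, so this is a consistency note, not a supply-chain finding.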
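Review bot: The header `# Example: Copy this to your repo as .github/workflows/dependency-review.yml` is template text that no longer applies once the file lives at that path; replace it with a description of what the workflow does, e.g. `# Runs the organization's reusable dependency-review workflow on pull requests to main`. The same leftover header appears in maven.yml, release.yml and scorecards.yml in this commit (the second comment in maven.yml and release.yml, `# Configuration is read from .github/project.yml - no inputs needed!`, is useful and can stay). The job also hands `pull-requests: write` to the reusable workflow without saying why; a one-line comment (presumably it posts the review summary on the PR — confirm in the organization repo) would save the next reader a lookup.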
@@ -1,86 +0,0 @@
-name: Maven Release
-
-on:
-  pull_request:
-    types: [ closed ]
-    paths:
-      - '.github/project.yml'
-  workflow_dispatch:
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    name: release
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false # otherwise, the validation used is the PA_TOKEN, instead of your personal access token.
-          fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
-
-      - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1
-        name: Retrieve project metadata from '.github/project.yml'
-        id: metadata
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-          local-file: true
-
-      - name: Set up JDK 21
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE
-          cache: maven
-
-      - name: Configure Git author
-        run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "Cuioss Robot Action"
-
-      - name: Maven release ${{steps.metadata.outputs.current-version}}
-        run: |
-          git checkout -b release
-          ./mvnw -B -Prelease release:clean release:prepare -DreleaseVersion=${{steps.metadata.outputs.current-version}} -DdevelopmentVersion=${{steps.metadata.outputs.next-version}}
-          ./mvnw -B -Prelease javadoc:aggregate site:site site:stage
-          git checkout ${{vars.GITHUB_BASE_REF}}
-          git rebase release
-          ./mvnw -B -Prelease release:perform -DskipTests
-        env:
-          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-
-      - name: Deploy Maven Site to cuioss.github.io -> ${{steps.metadata.outputs.pages-reference}}🚀
-        uses: JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 # v4.7.3
-        with:
-          folder: target/site
-          repository-name: cuioss/cuioss.github.io
-          target-folder: ${{steps.metadata.outputs.pages-reference}}
-          branch: main
-          token: ${{ secrets.PAGES_DEPLOY_TOKEN }}
-
-      - name: Push changes to ${{github.ref_name}}
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          branch: ${{github.ref_name}}
-          force: true
-
-      - name: Push tag ${{steps.metadata.outputs.current-version}}
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
-        with:
-          branch: ${{github.ref_name}}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          tags: true
-          force: true
\ No newline at end of file
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index dbc95ac..575c3c1 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -1,110 +1,26 @@
-name: Master Build
+# Example: Copy this to your repo as .github/workflows/maven.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Maven Build
 
 on:
   push:
-    branches: [ "main", "feature/*" ]
+    branches: [main, "feature/*", "fix/*", "chore/*", "release/*", "dependabot/**"]
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        version: [ 21,24 ]
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK ${{ matrix.version }}
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: ${{ matrix.version }}
-          distribution: 'temurin'
-          cache: maven
-      - name: Build with Maven, Java ${{ matrix.version }}
-        run: ./mvnw --no-transfer-progress verify -Dmaven.compiler.release=${{ matrix.version }}
-
-  sonar-build:
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Set up JDK 17 for Sonar-build
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          cache: maven
-
-      - name: Cache SonarCloud packages
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: ~/.sonar/cache
-          key: ${{ runner.os }}-sonar
-          restore-keys: ${{ runner.os }}-sonar
-
-      - uses: radcortez/project-metadata-action@203f7ffba8db2669b2c9b4d4c2e90b186c588fa5 # 1.1
-        name: Retrieve project metadata from '.github/project.yml'
-        id: metadata
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-          local-file: true
-
-      - name: Build and analyze
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: ./mvnw -B verify -Psonar -Dsonar.projectKey=${{steps.metadata.outputs.sonar-project-key}} sonar:sonar
-
-  deploy-snapshot:
-    needs: sonar-build
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up JDK 17 for snapshot release
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
-        with:
-          java-version: '21'
-          distribution: 'temurin'
-          server-id: central
-          server-username: MAVEN_USERNAME
-          server-password: MAVEN_PASSWORD
-          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE
-          cache: maven
-
-      - name: Extract project version
-        id: project
-        run: echo ::set-output name=version::$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
-
-      - name: Deploy Snapshot with Maven, version ${{ steps.project.outputs.version }}
-        if: ${{endsWith(steps.project.outputs.version, '-SNAPSHOT')}}
-        run: |
-          ./mvnw -B -Prelease-snapshot javadoc:aggregate
-          ./mvnw -B -Prelease-snapshot deploy -Dmaven.test.skip=true
-        env:
-          MAVEN_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
-          MAVEN_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
\ No newline at end of file
+    # Run on push events, OR on pull_request only if from a fork
+    # This prevents duplicate runs: push handles internal branches, PR handles forks
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-build.yml@d38bc3643f0d0faa34ece1c2d854cf97f9a0abd4 # v0.2.8
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      OSS_SONATYPE_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
+      OSS_SONATYPE_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..d56e21a
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,27 @@
+# Example: Copy this to your repo as .github/workflows/release.yml
+# Configuration is read from .github/project.yml - no inputs needed!
+name: Release
+
+on:
+  pull_request:
+    types: [closed]
+    paths:
+      - '.github/project.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      contents: write
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-maven-release.yml@d38bc3643f0d0faa34ece1c2d854cf97f9a0abd4 # v0.2.8
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+      OSS_SONATYPE_USERNAME: ${{ secrets.OSS_SONATYPE_USERNAME }}
+      OSS_SONATYPE_PASSWORD: ${{ secrets.OSS_SONATYPE_PASSWORD }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..f653877
--- /dev/null
+++ b/.github/workflows/scorecards.yml
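Review bot: For the fork case that the new `if:` deliberately lets through, the `secrets:` block forwards `SONAR_TOKEN`, the Sonatype credentials and the GPG key, but GitHub does not expose repository secrets to `pull_request` runs whose head lives in a fork, so those values arrive empty; the reusable workflow has to tolerate missing secrets (skip Sonar analysis and snapshot deploy) or every fork PR fails for a reason unrelated to its code. The same consideration applies to pushes on the newly added `dependabot/**` branches, which as far as I know receive Dependabot secrets and a read-only token rather than the Actions secrets named here. The removed `deploy-snapshot` job was gated on `github.ref == 'refs/heads/main'`, and whether the reusable workflow keeps that gate is not visible in this repo, so a comment next to `uses:` would help, e.g. `# Sonar and snapshot deploy need the secrets below; fork PRs run without them and the reusable workflow is expected to skip those stages`. Confirm both behaviours against reusable-maven-build.yml at the pinned SHA before relying on them.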
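Review bot: The `pull_request` trigger has no `branches:` filter, so any merged PR that touches `.github/project.yml` — including one whose base is a `release/*` or feature branch — starts the release job with `contents: write` plus the Sonatype and GPG secrets; adding `branches: [main]` under `pull_request:` next to `types: [closed]` restricts it to the mainline. The removed maven-release.yml had the same gap, so this is carried over rather than a regression, but the new `if:` checks only `merged == true` and not the base branch. If the reusable workflow validates the base branch itself, a comment on the `if:` line saying so would be sufficient instead. Note also that a merged PR whose head is in a fork runs this `pull_request` event without repository secrets (as I understand GitHub's rules), so a version bump contributed from a fork would have to be released through `workflow_dispatch`.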
@@ -0,0 +1,24 @@
+# Example: Copy this to your repo as .github/workflows/scorecards.yml
+name: Scorecard supply-chain security
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    uses: cuioss/cuioss-organization/.github/workflows/reusable-scorecards.yml@d38bc3643f0d0faa34ece1c2d854cf97f9a0abd4 # v0.2.8
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+      issues: read
+      pull-requests: read
+      checks: read
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
deleted file mode 100644
index 65cf5ff..0000000
--- a/CODE_OF_CONDUCT.md
+++ /dev/null
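Review bot: The job-level `permissions:` block grants `security-events: write` and `id-token: write` without saying why, which invites a future "least privilege" cleanup that would break the workflow; a comment per write permission keeps the intent visible, e.g. `security-events: write # upload SARIF results to code scanning` and `id-token: write # publish results to the OpenSSF scorecard API via OIDC`. Those are the two write scopes the scorecard action documents as required; confirm they still match what reusable-scorecards.yml at the pinned SHA actually does before adding the comments. The read scopes (`actions`, `issues`, `pull-requests`, `checks`) could share a single line comment naming the scorecard checks they feed, if that is known.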
@@ -1,76 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, sex characteristics, gender identity and expression,
-level of experience, education, socio-economic status, nationality, personal
-appearance, race, religion, or sexual identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
- advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
- address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
- professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq
diff --git a/SECURITY.md b/SECURITY.md
deleted file mode 100644
index 9aa508d..0000000
--- a/SECURITY.md
+++ /dev/null
@@ -1,39 +0,0 @@
-# CUI Open Source Security Policies and Procedures
-
-This document outlines security procedures and general policies for the
-CUI Open Source projects as found on [https://github.com/cuioss/cui-jsf-test-basic](https://github.com/cuioss/cui-jsf-test-basic).
-
- * [Reporting a Vulnerability](#reporting-a-vulnerability)
- * [Disclosure Policy](#disclosure-policy)
-
-## Reporting a Vulnerability
-
-The CUI Open Source team and community take all security vulnerabilities
-seriously. Thank you for improving the security of our open source
-software. We appreciate your efforts and responsible disclosure and will
-make every effort to acknowledge your contributions.
-
-Report security vulnerabilities by using the github security reporting mechanism:
-* https://github.com/cuioss/cui-jsf-test-basic/security
-* -> "Private vulnerability reporting"
-* -> "Report a vulnerability"
-
-The lead maintainer will acknowledge your report within 24 hours, and will
-send a more detailed response within 48 hours indicating the next steps in
-handling your report. After the initial reply to your report, the security
-team will endeavor to keep you informed of the progress towards a fix and
-full announcement, and may ask for additional information or guidance.
-
-Report security vulnerabilities in third-party modules to the person or
-team maintaining the module.
-
-## Disclosure Policy
-
-When the security team receives a security bug report, they will assign it
-to a primary handler. This person will coordinate the fix and release
-process, involving the following steps:
-
- * Confirm the problem and determine the affected versions.
- * Audit code to find any potential similar problems.
- * Prepare fixes for all releases still under maintenance. These fixes
- will be released as fast as possible to NPM.