opencadc · at88mph · Nov 26, 2024 · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /skaha
+    schedule:
+      interval: daily
diff --git a/.github/workflows/cd.edge.build.yml b/.github/workflows/cd.edge.build.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [edge-build]
 
+permissions:
+  contents: read
+
 env:
   REGISTRY: images.opencadc.org
   IMAGE: platform/skaha
@@ -17,32 +20,31 @@ jobs:
       attestations: write
       id-token: write
     steps:
-      -
-        name: Client Payload
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+      - name: Client Payload
         id: client-payload
         run: |
           echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Setup Docker Buildx
-        uses: docker/[email protected]
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         with:
           install: true
-      -
-        name: Perform Container Registry Login
-        uses: docker/[email protected]
+      - name: Perform Container Registry Login
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: images.opencadc.org
           username: ${{ secrets.SKAHA_REGISTRY_USERNAME }}
           password: ${{ secrets.SKAHA_REGISTRY_TOKEN }}
-      -
-        name: Build and Push Docker Image
+      - name: Build and Push Docker Image
         id: build
-        uses: docker/[email protected]
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
-          context: skaha/
+          context: .
           target: production
           file: skaha/Dockerfile
           platforms: linux/amd64
@@ -56,26 +58,23 @@ jobs:
             org.opencontainers.image.title=Science Platform
             org.opencontainers.image.licenses=AGPL-3.0
             org.opencontainers.image.url=https://github.com/opencadc/science-platform
-      -
+      - name: Attest Container Image
         # See https://github.com/marketplace/actions/attest-build-provenance#container-image
         # for more information on the attest-build-provenance action
-        name: Attest Container Image
         id: attest
-        uses: actions/[email protected]
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}
           # push-to-registry: true
           show-summary: true
-      -
-        name: Install Cosign
+      - name: Install Cosign
         id: install-cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
         with:
           cosign-release: 'v2.4.1'
-      -
-        name: Cosign Container Image
+      - name: Cosign Container Image
         id: cosign
         run: |
           cosign version
-          cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.build.outputs.digest }} --upload
+          cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }} --upload
diff --git a/.github/workflows/cd.release.build.yml b/.github/workflows/cd.release.build.yml
@@ -4,6 +4,9 @@ on:
   repository_dispatch:
     types: [release-build]
 
+permissions:
+  contents: read
+
 env:
   REGISTRY: images.opencadc.org
   IMAGE: platform/skaha
@@ -18,32 +21,32 @@ jobs:
       attestations: write
       id-token: write
     steps:
-      -
-        name: Client Payload
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+      - name: Client Payload
         id: client-payload
         run: |
           echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
       -
         name: Checkout
-        uses: actions/checkout@v3
-      -
-        name: Setup Docker Buildx
-        uses: docker/[email protected]
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         with:
           install: true
-      -
-        name: Perform Container Registry Login
-        uses: docker/[email protected]
+      - name: Perform Container Registry Login
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: images.opencadc.org
           username: ${{ secrets.SKAHA_REGISTRY_USERNAME }}
           password: ${{ secrets.SKAHA_REGISTRY_TOKEN }}
-      -
-        name: Build and Push Docker Image
+      - name: Build and Push Docker Image
         id: build
-        uses: docker/[email protected]
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
-          context: skaha/
+          context: .
           target: production
           file: skaha/Dockerfile
           platforms: linux/amd64
@@ -62,27 +65,24 @@ jobs:
             org.opencontainers.image.description="Science Platform Backend"
             org.opencontainers.image.licenses=AGPL-3.0
             org.opencontainers.image.url=https://github.com/opencadc/science-platform
-      -
+      - name: Attest Container Image
         # See https://github.com/marketplace/actions/attest-build-provenance#container-image
         # for more information on the attest-build-provenance action
-        name: Attest Container Image
         id: attest
-        uses: actions/[email protected]
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}
           # Currently not pushing attestations to Harbor Registry
           # push-to-registry: true
           show-summary: true
-      -
-        name: Install Cosign
+      - name: Install Cosign
         id: install-cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
         with:
           cosign-release: 'v2.4.1'
-      -
-        name: Cosign Container Image
+      - name: Cosign Container Image
         id: cosign
         run: |
           cosign version
-          cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ steps.build.outputs.digest }} --upload
+          cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }} --upload
diff --git a/.github/workflows/cd.release.yml b/.github/workflows/cd.release.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   release-please:
     runs-on: ubuntu-latest
@@ -14,21 +17,22 @@ jobs:
       pull-requests: write
     if: github.repository == 'opencadc/science-platform'
     steps:
-      -
-        name: Create release
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+      - name: Create release
         id: release-please
-        uses: googleapis/[email protected]
-      -
-        name: Dispatch Edge Build
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+      - name: Dispatch Edge Build
         # Run this step only if the release-please completes successfully
         if: steps.release-please.outcome == 'success' && github.event_name == 'push'
-        uses: peter-evans/[email protected]
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
         with:
           repository: opencadc/science-platform
           event-type: edge-build
           token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Skaha Release Info
+      - name: Skaha Release Info
         # Run this step only if the release-please completes successfully
         if: ${{ steps.release-please.outputs.release_created == 'true' }}
         run: |
@@ -38,9 +42,8 @@ jobs:
           echo "major: ${{ steps.release-please.outputs.major }}"
           echo "minor: ${{ steps.release-please.outputs.minor }}"
           echo "patch: ${{ steps.release-please.outputs.patch }}"
-      -
-        name: Dispatch Skaha Release Build
-        uses: peter-evans/[email protected]
+      - name: Dispatch Skaha Release Build
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
         if: ${{ steps.release-please.outputs.release_created == 'true' }}
         with:
           repository: opencadc/science-platform

diff --git a/.github/workflows/ci.commit.check.yml b/.github/workflows/ci.commit.check.yml
@@ -0,0 +1,43 @@
+name: "CI: Commit Check"
+
+on:
+  pull_request:
+    branches: [main]
+  # This check runs on every push to repository
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  commit-check:
+    runs-on: ubuntu-latest
+    permissions:  # use permissions because of use pr-comments
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}  # checkout PR HEAD commit
+          fetch-depth: 0  # required for merge-base check
+      - name: Run Commit Check
+        uses: commit-check/commit-check-action@8d507e12899a9feb405c3ed546252ff9508724e0 # v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # use GITHUB_TOKEN because of use pr-comments
+        with:
+          # Conventional Commits Check
+          message: true
+          # Convention Branch Check
+          branch: false
+          author-name: true
+          author-email: true
+          commit-signoff: false
+          merge-base: true
+          job-summary: true
+          pr-comments: ${{ github.event_name == 'pull_request' }}
diff --git a/.github/workflows/ci.linting.yml b/.github/workflows/ci.linting.yml
@@ -8,21 +8,43 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+            fetch-depth: 0
+      - name: Setup Python
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      -
+        name: Run Pre-Commit
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
   spotless:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
       - name: Checkout code
-        uses: actions/[email protected]
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
             fetch-depth: 0
       - name: Setup Java
-        uses: actions/[email protected]
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         with:
           distribution: 'temurin'
           java-version: '11'
           cache: 'gradle'
-
       - name: Run Spotless
         run: |
             cd skaha