Merge pull request #1 from theopenlane/init

init riverboat - job queue processor

.buildkite/pipeline.yml

@@ -0,0 +1,166 @@
+env:
+  APP_NAME: ${BUILDKITE_PIPELINE_SLUG}
+  IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME}
+  SONAR_HOST: "https://sonarcloud.io"
+steps:
+  - group: ":test_tube: Tests"
+    key: "tests"
+    steps:
+      - label: ":golangci-lint: lint :lint-roller:"
+        key: "lint"
+        cancel_on_build_failing: true
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:latest"
+              always-pull: true
+              command: ["task", "go:lint"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+      - label: ":golang: go test"
+        key: "go_test"
+        cancel_on_build_failing: true
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:latest"
+              always-pull: true
+              command: ["task", "go:test:cover"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+        artifact_paths: ["coverage.out"]
+  - group: ":closed_lock_with_key: Security Checks"
+    depends_on: "go_test"
+    key: "security"
+    steps:
+      - label: ":closed_lock_with_key: gosec"
+        key: "gosec"
+        plugins:
+          - docker#v5.11.0:
+              image: "securego/gosec:2.20.0"
+              command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."]
+              environment:
+                - "GOTOOLCHAIN=auto"
+        artifact_paths: ["results.txt"]
+      - label: ":github: upload PR reports"
+        key: "scan-upload-pr"
+        if: build.pull_request.id != null
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: "results.txt"
+          - artifacts#v1.9.4:
+              download: "coverage.out"
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11.0"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"
+                - "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST"
+      - label: ":github: upload reports"
+        key: "scan-upload"
+        if: build.branch == "main"
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: results.txt
+          - artifacts#v1.9.4:
+              download: coverage.out
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11.0"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"
+  - group: ":golang: Builds"
+    key: "go-builds"
+    steps:
+      - label: ":golang: build"
+        key: "gobuild-server"
+        artifact_paths: "bin/${APP_NAME}"
+        plugins:
+          - docker#v5.11.0:
+              image: "ghcr.io/theopenlane/build-image:latest"
+              always_pull: true
+              environment:
+                - CGO_ENABLED=0
+                - GOOS=linux
+              command: ["task", "go:build:ci"]
+  - group: ":docker: Image Build"
+    depends_on: "go-builds"
+    key: "image-build"
+    steps:
+      - label: ":docker: docker pr build"
+        key: "docker-pr-build"
+        cancel_on_build_failing: true
+        if: build.branch != "main" && build.tag == null
+        commands: |
+          #!/bin/bash
+          ls
+        plugins:
+          - theopenlane/docker-metadata#v1.0.0:
+              images:
+                - "${IMAGE_REPO}"
+              extra_tags:
+                - "${IMAGE_TAG}"
+          - theopenlane/container-build#v1.0.0:
+              dockerfile: docker/Dockerfile
+              push: false
+              build-args:
+                - NAME=${APP_NAME}
+          - equinixmetal-buildkite/trivy#v1.18.5:
+              severity: CRITICAL,HIGH
+              ignore-unfixed: true
+              security-checks: config,secret,vuln
+              skip-files: "cosign.key,Dockerfile.dev"
+      - label: ":docker: docker build and publish"
+        key: "docker-build"
+        cancel_on_build_failing: true
+        if: build.branch == "main"
+        commands: |
+          #!/bin/bash
+          ls
+        plugins:
+          - docker-login#v3.0.0:
+              username: openlane-bender
+              password-env: SECRET_GHCR_PUBLISH_TOKEN
+              server: ghcr.io
+          - theopenlane/docker-metadata#v1.0.0:
+              images:
+                - "${IMAGE_REPO}"
+              extra_tags:
+                - "${IMAGE_TAG}"
+          - theopenlane/container-build#v1.0.0:
+              dockerfile: docker/Dockerfile
+              push: true
+              build-args:
+                - NAME=${APP_NAME}
+          - equinixmetal-buildkite/trivy#v1.18.5:
+              severity: CRITICAL,HIGH
+              ignore-unfixed: true
+              security-checks: config,secret,vuln
+              skip-files: "cosign.key,Dockerfile.dev"
+      - label: ":docker: docker build and publish"
+        key: "docker-build-and-tag"
+        if: build.tag != null
+        commands: |
+          #!/bin/bash
+        plugins:
+          - docker-login#v3.0.0:
+              username: openlane-bender
+              password-env: SECRET_GHCR_PUBLISH_TOKEN
+              server: ghcr.io
+          - theopenlane/docker-metadata#v1.0.0:
+              images:
+                - "${IMAGE_REPO}"
+              extra_tags:
+                - "${BUILDKITE_TAG}"
+          - theopenlane/container-build#v1.0.0:
+              dockerfile: docker/Dockerfile
+              push: true
+              build-args:
+                - NAME=${APP_NAME}
+          - equinixmetal-buildkite/trivy#v1.18.5:
+              severity: CRITICAL,HIGH
+              ignore-unfixed: true
+              security-checks: config,secret,vuln
+              skip-files: "cosign.key,Dockerfile.dev"

.github/CONTRIBUTING.md

@@ -0,0 +1,47 @@
+# Contributing
+
+Please read the [contributing](.github/CONTRIBUTING.md) guide as well as the
+[Developer Certificate of Origin](https://developercertificate.org/). You will
+be required to sign all commits to the openlane project, so if you're unfamiliar
+with how to set that up, see
+[github's documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification).
+
+Given external users will not have write to the branches in this repository,
+you'll need to follow the forking process to open a PR -
+[here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork)
+is a guide from github on how to do so.
+
+## Licensing
+
+This repository contains open source software that comprises the openlane stack
+which is open source software under [Apache 2.0](LICENSE). Openlane's SaaS /
+Cloud Services are products produced from this open source software exclusively
+by theopenlane, Inc. This product is produced under our published commercial
+terms (which are subject to change). Any logos or trademarks in our repositories
+in [theopenlane](https://github.com/theopenlane) organization are not covered
+under the Apache License and are trademarks of theopenlane, Inc.
+
+Others are allowed to make their own distribution of this software or include
+this software in other commercial offerings, but cannot use any of the Openlane
+logos, trademarks, cloud services, etc.
+
+## Security
+
+We take the security of our software products and services seriously, including
+our commercial services and all of the open source code repositories managed
+through our Github Organizations, such as
+[theopenlane](https://github.com/theopenlane). If you believe you have found a
+security vulnerability in any of our repositories or in our SaaS offering(s),
+please report it to us through coordinated disclosure.
+
+**Please do NOT report security vulnerabilities through public github issues,
+discussions, or pull requests!**
+
+Instead, please send an email to `[email protected]` with as much
+information as possible to best help us understand and resolve the issues. See
+the security policy attached to this repository for more details.
+
+## Questions?
+
+You can email us at `[email protected]`, open a github issue in this
+repository, or reach out to [matoszz](https://github.com/matoszz) directly.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,16 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug or issue you're encountering**
+
+
+**What are the relevant steps to reproduce, including the version(s) of the relevant software?**
+
+
+**What is the expected behavior?**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[Feature Request]"
+labels: enhancement
+assignees: matoszz
+
+---
+
+**Describe how the feature might make your life easier or solve a problem**
+
+**Describe the solution you'd like to see with any relevant context**
+
+**Describe any alternatives you've considered or if there are short-tern vs. long-term options**

.github/labeler.yml

@@ -0,0 +1,24 @@
+# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name
+bug:
+  - head-branch: ["^bug", "bug"]
+# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name
+enhancement:
+  - head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"]
+# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name
+breaking-change:
+  - head-branch: ["^breaking-change", "breaking-change"]
+# Add 'dependencies' label to any PR where the head branch name starts with `dependencies` or has a `dependencies` section in the name
+dependencies:
+  - head-branch: ["^dependencies", "dependencies", "^deps", "deps"]
+ci:
+  - changed-files:
+      - any-glob-to-any-file: .github/**
+      - any-glob-to-any-file: .buildkite/**
+local-development:
+  - changed-files:
+      - any-glob-to-any-file: scripts/**
+      - any-glob-to-any-file: Taskfile.yaml
+      - any-glob-to-any-file: docker/**
+jobs:
+  - changed-files:
+      - any-glob-to-any-file: pkg/jobs/**

.github/release.yml

@@ -0,0 +1,24 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors: []
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - Semver-Major
+        - breaking-change
+    - title: New Features 🎉
+      labels:
+        - Semver-Minor
+        - enhancement
+        - feature
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/labeler.yaml

@@ -0,0 +1,13 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          sync-labels: true