Bootstrap repository, prep for v1.0.0 #1

Merged
merged 12 commits into from
Apr 18, 2024

nwiltsie
Member

Description

As discussed in the Infrastructure Working group and in https://github.com/uclahs-cds/group-infrastructure/discussions/62, this repository is intended to be a centralized static analyzer Action for pull requests. The existing internal repository https://github.com/uclahs-cds/docker-CICD-base has a ton of history and has evolved quite a bit, so for simplicity we're starting fresh with this new repository.

Eventually this repo should absorb the Dockerfile and linting code, but as the associated package is already public that's not an immediate concern.

Action

The Action is relatively straightforward. The one wrinkle is that, at least for now, I want to provide the docker image tag as an input to the Action. Unfortunately, composite Actions explicitly have no access to the ${{ inputs }} context, so the Action has to do a little templating (inspiration) in order to work.

Versioning

GitHub's advice for versioning is to use immutable SemVer tags (e.g. v1.0.1) and mutable major version tags (e.g. v1). The major version tags always point to the latest matching SemVer tag and are what most people should use.

Once this PR is merged I will create the v1.0.0 release and the lightweight v1 tag pointing to it.

Workflow Name / Status Check

I experimented with this Action in this PR. After some back-and-forth I settled on using a workflow named CI and a job named static-analysis:

Screenshot 2024-04-16 at 3 25 36 PM

Interestingly only the job name matters for required status checks:

Screenshot 2024-04-16 at 3 26 56 PM

As we replace the existing workflows with references to this Action, so too would we replace required checks of CICD-base with static-analysis.

Checklist

  • This PR does NOT contain Protected Health Information (PHI). A repo may need to be deleted if such data is uploaded.
    Disclosing PHI is a major problem [1] - Even a small leak can be costly [2].

  • This PR does NOT contain germline genetic data [3], RNA-Seq, DNA methylation, microbiome or other molecular data [4].

  • This PR does NOT contain other non-plain text files, such as: compressed files, images (e.g. .png, .jpeg), .pdf, .RData, .xlsx, .doc, .ppt, or other output files.

  To automatically exclude such files using a .gitignore file, see here for example.

  • I have read the code review guidelines and the code review best practice on GitHub check-list.

  • I have set up or verified the main branch protection rule following the github standards before opening this pull request.

  • The name of the branch is meaningful and well formatted following the standards, using [AD_username (or 5 letters of AD if AD is too long)]-[brief_description_of_branch].

  • I have added the major changes included in this pull request to the CHANGELOG.md under the next release version or unreleased, and updated the date.

Footnotes

  1. UCLA Health reaches $7.5m settlement over 2015 breach of 4.5m patient records

  2. The average healthcare data breach costs $2.2 million, despite the majority of breaches releasing fewer than 500 records.

  3. Genetic information is considered PHI.
    Forensic assays can identify patients with as few as 21 SNPs

  4. RNA-Seq, DNA methylation, microbiome, or other molecular data can be used to predict genotypes (PHI) and reveal a patient's identity.
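
The tag scheme described under Versioning, as an added example that is not part of the PR or the repository: a POSIX shell script that re-points the mutable major tag at the newest immutable vMAJOR.MINOR.PATCH tag, run against a constructed throwaway repository. The function names and every demo tag other than v1.0.0 and v1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR): keep the mutable major tag on the newest
# immutable vMAJOR.MINOR.PATCH tag. Function names are hypothetical.

# Print the highest vMAJOR.MINOR.PATCH tag for major version $1 (e.g. "1").
# Pre-release tags such as v1.1.0-rc1 are skipped; the sort is numeric so
# that v1.0.10 ranks above v1.0.2.
latest_semver_tag() {
    git tag --list "v$1.*" |
        grep -E "^v$1"'\.[0-9]+\.[0-9]+$' |
        sort -t. -k2,2n -k3,3n |
        tail -n 1
}

# Point the lightweight tag vMAJOR at the commit of the newest matching tag.
# Publishing the moved tag would additionally need: git push --force origin v1
move_major_tag() {
    target="$(latest_semver_tag "$1")"
    if [ -z "$target" ]; then
        echo "no v$1.x.y tags found" >&2
        return 1
    fi
    # ^{commit} peels annotated tags, so vMAJOR always sits on a commit.
    git tag --force "v$1" "${target}^{commit}" >/dev/null || return 1
    echo "$target"
}

# Constructed demo: a throwaway repository with four empty release commits.
# The body runs in a subshell so the cd does not leak to the caller.
demo() (
    repo="$(mktemp -d)" && cd "$repo" && git init --quiet . || exit 1
    for v in 1.0.0 1.0.2 1.0.10 2.0.0; do
        git -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false \
            commit --quiet --allow-empty -m "release $v" || exit 1
        git tag "v$v"
    done
    moved="$(move_major_tag 1)" || exit 1
    # v1 and the chosen release tag must resolve to the same commit.
    if [ "$(git rev-parse v1)" = "$(git rev-parse "$moved")" ]; then
        echo "v1 -> $moved"
    fi
    cd / && rm -rf "$repo"
)

demo
```

Because v1 moves, a workflow that references it picks up every later v1.x.y release; referencing a full commit SHA instead pins the workflow to one exact revision.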

@nwiltsie nwiltsie requested a review from a team April 16, 2024 22:41
@yashpatel6 yashpatel6 self-assigned this Apr 17, 2024
@nwiltsie
Member Author

Well, I feel a little silly - I just found https://github.com/uclahs-cds/tool-StaticCodeAnalysis. Mine is better, though!


@yashpatel6 yashpatel6 left a comment

Looks good! Anything else to add from @dan-knight or @aholmes ?

@nwiltsie nwiltsie merged commit c0fe911 into main Apr 18, 2024
5 checks passed
@nwiltsie nwiltsie deleted the nwiltsie-bootstrap branch April 18, 2024 22:04
nwiltsie added a commit that referenced this pull request Apr 18, 2024