From 699959483bfe1a76b32d401b75eed03c8853853f Mon Sep 17 00:00:00 2001
From: Michael Nikitochkin
Date: Tue, 15 Mar 2022 14:21:09 +0100
Subject: [PATCH] Automate checkings on push and tags
Update github actions workflows to check tags signed. Validate if code is not vulnarble.
---
 .github/probots.yml | 2 +
 .github/workflows/analysis.yml | 52 ++++++++++++++++++++++++++
 .github/workflows/pre_release.yml | 45 ++++++++++++++++++++++
 .github/workflows/{ci.yml => test.yml} | 16 ++++++--
 .yamllint.yml | 31 +++++++++++++++
 shipit.rubygems.yml | 2 +
 6 files changed, 144 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/analysis.yml
 create mode 100644 .github/workflows/pre_release.yml
 rename .github/workflows/{ci.yml => test.yml} (69%)
 create mode 100644 .yamllint.yml
diff --git a/.github/probots.yml b/.github/probots.yml
index 1491d27..9b6c014 100644
--- a/.github/probots.yml
+++ b/.github/probots.yml
@@ -1,2 +1,4 @@
+---
+
 enabled:
 - cla
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
new file mode 100644
index 0000000..254763d
--- /dev/null
+++ b/.github/workflows/analysis.yml
@@ -0,0 +1,52 @@
+---
+
+name: Analysis
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: 13 7 * * 6
+
+jobs:
+ linting:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: shellcheck
+ uses: azohra/shell-linter@6bbeaa868df09c34ddc008e6030cfe89c03394a1
+ with:
+ path: scripts/test-*
+ severity: error
+
+ - name: yaml-lint
+ uses: ibiqlik/action-yamllint@v3
+ with:
+ config_file: .yamllint.yml
+
+ vulnerabilities:
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: initialize
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ruby
+
+ - name: codeql analyze
+ uses: github/codeql-action/analyze@v1
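Review bot: The `linting` job in analysis.yml runs with whatever default GITHUB_TOKEN scope the repository grants, because only the `vulnerabilities` job declares `permissions:`; add a workflow-level `permissions:` / `  contents: read` so both jobs start read-only and the CodeQL job's `security-events: write` is the single elevation. Action pinning is also inconsistent within the hunk: `azohra/shell-linter` is pinned to a commit SHA while `actions/checkout@v3`, `ibiqlik/action-yamllint@v3` and `github/codeql-action/*@v1` float on mutable tags, so a re-pointed or compromised tag would run unreviewed code against the checked-out repository; pin all of them to SHAs (tag in a trailing comment) or none. `fetch-depth: 0` on the lint job pulls full history that shellcheck and yamllint do not need. The cron is an unquoted plain scalar; `- cron: "13 7 * * 6"` is the conventional form and keeps the bare `*` characters out of any parser's way.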
diff --git a/.github/workflows/pre_release.yml b/.github/workflows/pre_release.yml
new file mode 100644
index 0000000..7bfc8d8
--- /dev/null
+++ b/.github/workflows/pre_release.yml
@@ -0,0 +1,45 @@
+---
+
+name: Pre release
+
+on:
+ push:
+ tags: [ v*.*.* ]
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ packages: write
+
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ -
+ name: GPG config
+ run: |
+ mkdir -p ~/.gnupg
+ cat << EOF >> ~/.gnupg/options
+ keyserver keys.openpgp.org
+ keyserver-options auto-key-retrieve
+ EOF
+
+ -
+ name: Verify tag signature
+ run: |
+ # NOTE: Solve the problem with Github action checkout
+ # https://github.com/actions/checkout/issues/290
+ git fetch --tags --force
+
+ version=${GITHUB_REF#refs/tags/*}
+ git show $version
+ git tag -v $version
diff --git a/.github/workflows/ci.yml b/.github/workflows/test.yml
similarity index 69%
rename from .github/workflows/ci.yml
rename to .github/workflows/test.yml
index 51b3ba9..ac82154 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/test.yml
@@ -1,18 +1,26 @@
-name: Run tests
-on: [push]
+---
+
+name: Test
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
 jobs:
 test:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- ruby: [ '2.6', '2.7', '3.0', '3.1' ]
+ ruby: [ "2.6", "2.7", "3.0", "3.1" ]
 name: Ruby ${{ matrix.ruby }}
 steps:
 - uses: actions/checkout@v2
 - uses: ruby/setup-ruby@v1
 with:
 ruby-version: ${{ matrix.ruby }}
- bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ bundler-cache: true
 - name: Install and start toxiproxy
 run: ./bin/start-toxiproxy.sh
 - name: Run tests
diff --git a/.yamllint.yml b/.yamllint.yml
new file mode 100644
index 0000000..24817bc
--- /dev/null
+++ b/.yamllint.yml
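Review bot: `git tag -v $version` in the "Verify tag signature" step proves only that the tag carries a valid OpenPGP signature from some key, and with `keyserver-options auto-key-retrieve` gpg fetches whichever key the signature names from keys.openpgp.org, so anyone who can push a `v*.*.*` tag and has uploaded any key passes the gate (`git tag -v` exits 0 on a good signature from an unknown, untrusted key). The check needs an allow-list: import the maintainers' release keys from a file committed to the repository (e.g. `.github/release-keys/*.asc`), drop `auto-key-retrieve`, and compare the signer fingerprint reported by `git verify-tag --raw` against the expected fingerprints, failing on anything else. Two smaller points: `~/.gnupg/options` is the GnuPG 1.x config filename and GnuPG 2.x reads `gpg.conf`, so it is worth confirming the setting is honoured on the runner at all; and the job requests `contents: write` and `packages: write` plus `REGISTRY`/`IMAGE_NAME` env that nothing in this hunk uses, so it should be trimmed to `contents: read` until the publish steps exist. A rewrite of the verification step follows; the fingerprint value is a placeholder to be replaced with the real release key(s).

```yaml
      -
        name: Verify tag signature
        env:
          # Space-separated fingerprints of the keys allowed to sign release tags.
          ALLOWED_SIGNERS: "<40-hex-release-key-fingerprint>"
        run: |
          git fetch --tags --force
          version="${GITHUB_REF#refs/tags/}"
          # Signing keys are pinned in the repository, never pulled from a keyserver.
          gpg --batch --import .github/release-keys/*.asc
          # --raw emits gpg status lines; VALIDSIG's last field is the signer's primary-key fingerprint.
          fpr="$(git verify-tag --raw "$version" 2>&1 | awk '/VALIDSIG/ { print $NF }')"
          case " ${ALLOWED_SIGNERS} " in
            *" ${fpr} "*) echo "tag ${version} signed by ${fpr}" ;;
            *) echo "tag ${version} is not signed by an allowed key (signer: '${fpr:-none}')" >&2; exit 1 ;;
          esac
```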
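Review bot: test.yml still pins `actions/checkout@v2` while the two new workflows in this commit use `actions/checkout@v3`, so the three workflows now diverge on the same action; bump it to `- uses: actions/checkout@v3` (or a commit SHA) here as well. Like the lint job in analysis.yml, this workflow declares no `permissions:` block, so the test job inherits the repository-default token scope although it only needs to read the checkout; `permissions:` / `  contents: read` at the top of the file would make that explicit and fail-safe if the repository default is ever widened.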
@@ -0,0 +1,31 @@
+---
+
+yaml-files:
+ - "*.yaml"
+ - "*.yml"
+
+ignore: |
+ vendor/**/*
+
+rules:
+ comments:
+ require-starting-space: true
+ comments-indentation: enable
+ document-start:
+ present: true
+ indentation:
+ spaces: 2
+ indent-sequences: true
+ check-multi-line-strings: true
+ line-length:
+ max: 100
+ level: warning
+ allow-non-breakable-words: true
+ allow-non-breakable-inline-mappings: false
+ key-duplicates: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ quoted-strings:
+ quote-type: double
+ required: only-when-needed
diff --git a/shipit.rubygems.yml b/shipit.rubygems.yml
index c2f1375..6b301ee 100644
--- a/shipit.rubygems.yml
+++ b/shipit.rubygems.yml
@@ -1,2 +1,4 @@
+---
+
 fetch:
 - fetch-gem-version toxiproxy Shopify/toxiproxy-ruby