hashgraph · nathanklick · Jul 31, 2024 · Jul 30, 2024 · Jul 30, 2024 · Jul 30, 2024
@@ -0,0 +1,43 @@
+###################################
+##### Global Protection Rule ######
+###################################
+# NOTE: This rule is overriden by the more specific rules below. This is the catch-all rule for all files not covered by the more specific rules below.
+*                                               @hashgraph/release-engineering-managers @hashgraph/product-security
+
+############################
+#####  Project Files  ######
+############################
+
+/legacy/                                        @hashgraph/release-engineering-managers @hashgraph/product-security
+
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering-managers @hashgraph/product-security @hashgraph/devops-ci
+
+
+# Codacy Tool Configurations
+/config/                                        @hashgraph/release-engineering-managers
+.remarkrc                                       @hashgraph/release-engineering-managers
+
+# Semantic Release Configuration
+.releaserc                                      @hashgraph/release-engineering-managers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                     @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering-managers
+**/LICENSE                                      @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml                                  @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering-managers
+**/.gitignore.*                                 @hashgraph/release-engineering-managers
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
@@ -0,0 +1,9 @@
+## Description
+
+This pull request changes the following:
+
+* TBD
+
+### Related Issues
+
+* Closes #
@@ -0,0 +1,53 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Checks"
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  versions:
+    name: Upstream Versions
+    uses: ./.github/workflows/zxc-retrieve-upstream-versions.yaml
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+
+  legacy-images:
+    name: Legacy Images
+    uses: ./.github/workflows/zxc-build-legacy-images.yaml
+    needs:
+      - versions
+    with:
+      build-default-image: true
+      build-dind-image: true
+      build-dind-rootless-image: false
+      base-os-image: ubuntu-22.04
+      runner-version: ${{ needs.versions.outputs.runner }}
+      runner-container-hooks-version: ${{ needs.versions.outputs.hooks }}
+      docker-version: 24.0.9
+      platforms: linux/amd64
+      dry-run-enabled: true
@@ -0,0 +1,51 @@
+##
+# Copyright (C) 2023 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "PR Formatting"
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+  statuses: write
+
+concurrency:
+  group: pr-formatting-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  title-check:
+    name: Title Check
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Check PR Title
+        uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,190 @@
+##
+# Copyright (C) 2024 Hedera Hashgraph, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+name: "ZXC: Build Legacy Images"
+# This reusable component is called by the following workflows:
+# - .github/workflows/flow-pull-request-checks.yaml
+# - .github/workflows/flow-build-application.yaml
+
+on:
+  workflow_call:
+    inputs:
+      ## Base Operating System Image
+      ## Options include:
+      ## - ubuntu-20.04
+      ## - ubuntu-22.04
+      base-os-image:
+        description: "Operating System Image:"
+        type: string
+        required: true
+
+      ## Upstream Github Action Runner Version
+      runner-version:
+        description: "Runner Version:"
+        type: string
+        required: true
+
+      ## Upstream Github Action Runner Container Hooks Version
+      runner-container-hooks-version:
+        description: "Container Hooks Version:"
+        type: string
+        required: false
+        default: "0.6.1"
+
+      ## Upstream Docker Version
+      docker-version:
+        description: "Docker Version:"
+        type: string
+        required: false
+        default: "24.0.9"
+
+      ## Linux Architectures for Multi-Arch Builds
+      platforms:
+        description: "Platforms:"
+        type: string
+        required: false
+        default: "linux/amd64,linux/arm64"
+
+      build-default-image:
+        description: "Build Default Image"
+        type: boolean
+        required: false
+        default: true
+
+      build-dind-image:
+        description: "Build DinD Image"
+        type: boolean
+        required: false
+        default: false
+
+      build-dind-rootless-image:
+        description: "Build DinD Rootless Image"
+        type: boolean
+        required: false
+        default: false
+
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: false
+
+      custom-job-label:
+        description: "Custom Job Label:"
+        type: string
+        required: false
+        default: "Build"
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  OS_IMAGE: ${{ inputs.base-os-image }}
+  RUNNER_VERSION: ${{ inputs.runner-version }}
+  RUNNER_CONTAINER_HOOKS_VERSION: ${{ inputs.runner-container-hooks-version }}
+  DOCKER_VERSION: ${{ inputs.docker-version }}
+  PLATFORMS: ${{ inputs.platforms }}
+
+permissions:
+  id-token: write
+  contents: read
+  packages: write
+
+jobs:
+  build-legacy-images:
+    name: ${{ inputs.custom-job-label || 'Build' }}
+    runs-on: [self-hosted, Linux, medium, ephemeral]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Install Make
+        run: |
+          if ! command -v make >/dev/null 2>&1; then
+            echo "::group::Updating APT Repository Indices"
+              sudo apt update
+            echo "::endgroup::"
+            echo "::group::Installing Make"
+              sudo apt install -y make
+            echo "::endgroup::"
+          fi
+
+      - name: Setup QEmu Support
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+
+      - name: Setup Docker Buildx Support
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.5.0
+        with:
+          version: v0.16.1
+          driver-opts: network=host
+
+      - name: Show Docker Version
+        run: docker version
+
+      - name: Show Docker Info
+        run: docker info
+
+      - name: Docker Login (Github)
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        if: ${{ inputs.dry-run-enabled != true }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Calculate Docker Registry
+        id: registry
+        run: |
+          DOCKER_REGISTRY_PREFIX="ghcr.io/${{ github.repository }}"
+          IMG_RESULT="push"
+
+          if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
+            DOCKER_REGISTRY_PREFIX="local"
+            IMG_RESULT="load"
+          fi
+
+          echo "prefix=${DOCKER_REGISTRY_PREFIX}" >>"${GITHUB_OUTPUT}"
+          echo "operation=${IMG_RESULT}" >>"${GITHUB_OUTPUT}"
+
+      - name: Build Default Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-default-image }}
+        run: make docker-buildx-default
+
+      - name: Build DinD Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-dind-image }}
+        run: make docker-buildx-dind
+
+      - name: Build DinD Rootless Image
+        env:
+          DOCKER_USER: ${{ steps.registry.outputs.prefix }}
+          IMG_RESULT: ${{ steps.registry.outputs.operation }}
+        working-directory: legacy/runner
+        if: ${{ inputs.build-dind-rootless-image }}
+        run: make docker-buildx-dind-rootless