Merge pull request #49 from Dstack-TEE/devex

Enhanced developer experience

Author: kvinwang

.github/workflows/security-scan.yml

@@ -0,0 +1,112 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run security scan weekly
+    - cron: '0 2 * * 1'
+
+jobs:
+  basic-checks:
+    runs-on: ubuntu-latest
+    name: Basic Checks (dev.sh)
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          # Install shellcheck
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
+          
+          # Install yamllint
+          pip install yamllint
+
+      - name: Run all checks
+        run: ./dev.sh check-all
+
+  advanced-security:
+    runs-on: ubuntu-latest
+    name: Advanced Security Scans
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: main
+          head: HEAD
+          extra_args: --debug --only-verified
+
+      - name: Find and scan Dockerfiles
+        run: |
+          # Find all Dockerfiles and run hadolint on each
+          dockerfiles=$(find . -name "Dockerfile*" -type f | grep -v node_modules | grep -v .git)
+          if [ -n "$dockerfiles" ]; then
+            echo "Found Dockerfiles:"
+            echo "$dockerfiles"
+            # Run hadolint on all found Dockerfiles
+            docker run --rm -i hadolint/hadolint:latest-debian hadolint --format sarif - < <(cat $dockerfiles) > hadolint-results.sarif || true
+          else
+            echo "No Dockerfiles found"
+            echo '{"version": "2.1.0", "runs": []}' > hadolint-results.sarif
+          fi
+
+      - name: Upload Hadolint results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: hadolint-results.sarif
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"
+
+  security-summary:
+    runs-on: ubuntu-latest
+    needs: [basic-checks, advanced-security]
+    if: always()
+    name: Security Summary
+
+    steps:
+      - name: Security Scan Summary
+        run: |
+          echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Check job results
+          basic_result="${{ needs.basic-checks.result }}"
+          advanced_result="${{ needs.advanced-security.result }}"
+
+          echo "| Security Check | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Basic Checks (dev.sh) | $basic_result |" >> $GITHUB_STEP_SUMMARY
+          echo "| Advanced Security | $advanced_result |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Overall status
+          if [[ "$basic_result $advanced_result" == *"failure"* ]]; then
+            echo "🔴 **Security issues detected!** Please review the scan results." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "🟢 **All security scans passed successfully.**" >> $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/validate-examples.yml

@@ -0,0 +1,40 @@
+name: Validate Examples
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    # Run weekly to catch dependency issues
+    - cron: '0 0 * * 0'
+
+jobs:
+  check-all:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          # Install shellcheck
+          sudo apt-get update
+          sudo apt-get install -y shellcheck
+          
+          # Install yamllint
+          pip install yamllint
+
+      - name: Run all checks
+        run: ./dev.sh check-all
+
+      - name: Create summary
+        if: always()
+        run: |
+          echo "## Validation Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Ran comprehensive checks including:" >> $GITHUB_STEP_SUMMARY
+          echo "- Structure validation for all examples" >> $GITHUB_STEP_SUMMARY
+          echo "- Docker Compose syntax validation" >> $GITHUB_STEP_SUMMARY
+          echo "- Security scanning" >> $GITHUB_STEP_SUMMARY
+          echo "- Shell script linting" >> $GITHUB_STEP_SUMMARY
+          echo "- YAML linting" >> $GITHUB_STEP_SUMMARY

.yamlfmt

@@ -0,0 +1,8 @@
+formatter:
+  type: basic
+  retain_line_breaks: true
+  trim_trailing_whitespace: true
+  scan_folded_as_literal: true
+  include_document_start: false
+  line_ending: lf
+  indent: 2

.yamllint

@@ -0,0 +1,29 @@
+---
+# yamllint configuration for dstack-examples
+
+extends: default
+
+rules:
+  # Don't require document start marker (---)
+  document-start: disable
+  
+  # Reasonable line length for docker-compose files
+  line-length:
+    max: 160
+    level: warning
+  
+  # Allow both styles of bracketed lists
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+  
+  # Be flexible with truthy values (yes, true, on, etc.)
+  truthy:
+    allowed-values: ['true', 'false', 'yes', 'no', 'on', 'off']
+  
+  # Don't be too strict about comments
+  comments:
+    min-spaces-from-content: 1
+  
+  # Allow empty values which are common in docker-compose
+  empty-values: enable

CODE_OF_CONDUCT.md

@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[email protected].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.