Merge pull request #361 from ansible-lockdown/devel

.github standardization + .pre-commit

Author: frederickw082922

.github/workflows/add_repo_issue_to_gh_project.yml

@@ -0,0 +1,17 @@
+---
+
+name: Add Repo Issue to ALD GH project
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@main
+        with:
+          project-url: https://github.com/orgs/ansible-lockdown/projects/1
+          github-token: ${{ secrets.ALD_GH_PROJECT }}

.github/workflows/benchmark_tracking_controller.yml

@@ -0,0 +1,54 @@
+---
+
+# GitHub schedules all cron jobs in UTC.
+# ──────────────────────────────────────────────────────────────────────────────
+# Schedule:
+#   - '0 13 * * *' runs at 13:00 UTC every day.
+#   - This corresponds to:
+#       • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov)
+#       • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar)
+#
+# Job routing:
+#   - call-benchmark-tracker:
+#       • Runs on manual dispatch, and on pushes to the 'latest' branch.
+#   - call-monitor-promotions:
+#       • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***.
+#       • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures.
+#
+# Defense-in-depth:
+#   - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it.
+
+name: Central Benchmark Orchestrator
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 13 * * *'  # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time)
+  workflow_dispatch:
+
+jobs:
+  call-benchmark-tracker:
+    # Run on manual dispatch OR when 'latest' branch receives a push
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
+    name: Start Benchmark Tracker
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+
+  call-monitor-promotions:
+    # Run on schedule or manual dispatch, but only for Private-* repos
+    if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-')
+    name: Monitor Promotions and Auto-Promote
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/devel_pipeline_validation.yml

@@ -4,156 +4,159 @@
 
   on: # yamllint disable-line rule:truthy
     pull_request_target:
-        types: [opened, reopened, synchronize]
-        branches:
-            - devel
-            - benchmark*
-        paths:
-            - '**.yml'
-            - '**.sh'
-            - '**.j2'
-            - '**.ps1'
-            - '**.cfg'
+      types: [opened, reopened, synchronize]
+      branches:
+        - devel
+        - benchmark*
+      paths:
+        - '**.yml'
+        - '**.sh'
+        - '**.j2'
+        - '**.ps1'
+        - '**.cfg'
     # Allow manual running of workflow
     workflow_dispatch:
 
-  # Allow permissions for AWS auth
-  permissions:
-    id-token: write
-    contents: read
-    pull-requests: read
-
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: ubuntu-latest
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
-      # This workflow contains a single job that tests the playbook
-      playbook-test:
-        # The type of runner that the job will run on
-        runs-on: self-hosted
-        env:
-          ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-          # Imported as a variable by terraform
-          TF_VAR_repository: ${{ github.event.repository.name }}
-          AWS_REGION: "us-east-1"
-          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
-        defaults:
-          run:
-            shell: bash
-            working-directory: .github/workflows/github_linux_IaC
-            # working-directory: .github/workflows
-
-        steps:
-
-          - name: Git clone the lockdown repository to test
-            uses: actions/checkout@v4
-            with:
-              ref: ${{ github.event.pull_request.head.sha }}
-
-          - name: If a variable for IAC_BRANCH is set use that branch
-            working-directory: .github/workflows
-            run: |
-              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
-                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
-                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
-              else
-                 echo IAC_BRANCH=main >> $GITHUB_ENV
-              fi
-
-          # Pull in terraform code for linux servers
-          - name: Clone GitHub IaC plan
-            uses: actions/checkout@v4
-            with:
-              repository: ansible-lockdown/github_linux_IaC
-              path: .github/workflows/github_linux_IaC
-              ref: ${{ env.IAC_BRANCH }}
-
-          # Uses dedicated restricted role and policy to enable this only for this task
-          # No credentials are part of github for AWS auth
-          - name: configure aws credentials
-            uses: aws-actions/configure-aws-credentials@main
-            with:
-              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
-              aws-region: ${{ env.AWS_REGION }}
-
-          - name: DEBUG - Show IaC files
-            if: env.ENABLE_DEBUG == 'true'
-            run: |
-              echo "OSVAR = $OSVAR"
-              echo "benchmark_type = $benchmark_type"
-              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
-              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
-              pwd
-              ls
-            env:
-              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-              OSVAR: ${{ vars.OSVAR }}
-              benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
-              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
-
-          - name: Tofu init
-            id: init
-            run: tofu init
-            env:
-              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-              OSVAR: ${{ vars.OSVAR }}
-              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-          - name: Tofu validate
-            id: validate
-            run: tofu validate
-            env:
-              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-              OSVAR: ${{ vars.OSVAR }}
-              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-          - name: Tofu apply
-            id: apply
-            env:
-              OSVAR: ${{ vars.OSVAR }}
-              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+    welcome:
+      runs-on: ubuntu-latest
+
+      permissions:
+        issues: write
+        pull-requests: write
+
+      steps:
+        - uses: actions/first-interaction@main
+          with:
+            repo_token: ${{ secrets.GITHUB_TOKEN }}
+            issue_message: |-
+                Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+            pr_message: |-
+                Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+    # This workflow contains a single job that tests the playbook
+    playbook-test:
+      # The type of runner that the job will run on
+      runs-on: self-hosted
+
+      # Allow permissions for AWS auth
+      permissions:
+        id-token: write
+        contents: read
+        pull-requests: read
+
+      env:
+        ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+        # Imported as a variable by terraform
+        TF_VAR_repository: ${{ github.event.repository.name }}
+        AWS_REGION: "us-east-1"
+        ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+      defaults:
+        run:
+          shell: bash
+          working-directory: .github/workflows/github_linux_IaC
+          # working-directory: .github/workflows
+
+      steps:
+
+        - name: Git clone the lockdown repository to test
+          uses: actions/checkout@v4
+          with:
+            ref: ${{ github.event.pull_request.head.sha }}
+
+        - name: If a variable for IAC_BRANCH is set use that branch
+          working-directory: .github/workflows
+          run: |
+            if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+            else
+                echo IAC_BRANCH=main >> $GITHUB_ENV
+            fi
+
+        # Pull in terraform code for linux servers
+        - name: Clone GitHub IaC plan
+          uses: actions/checkout@v4
+          with:
+            repository: ansible-lockdown/github_linux_IaC
+            path: .github/workflows/github_linux_IaC
+            ref: ${{ env.IAC_BRANCH }}
+
+        # Uses dedicated restricted role and policy to enable this only for this task
+        # No credentials are part of github for AWS auth
+        - name: configure aws credentials
+          uses: aws-actions/configure-aws-credentials@main
+          with:
+            role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+            role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+            aws-region: ${{ env.AWS_REGION }}
+
+        - name: DEBUG - Show IaC files
+          if: env.ENABLE_DEBUG == 'true'
+          run: |
+            echo "OSVAR = $OSVAR"
+            echo "benchmark_type = $benchmark_type"
+            pwd
+          env:
+            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Tofu init
+          id: init
+          run: tofu init
+          env:
+            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Tofu validate
+          id: validate
+          run: tofu validate
+          env:
+            # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Tofu apply
+          id: apply
+          env:
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
 
 ## Debug Section
-          - name: DEBUG - Show Ansible hostfile
-            if: env.ENABLE_DEBUG == 'true'
-            run: cat hosts.yml
-
-    # Aws deployments taking a while to come up insert sleep or playbook fails
-
-          - name: Sleep to allow system to come up
-            run: sleep ${{ vars.BUILD_SLEEPTIME }}
-
-        # Run the Ansible playbook
-          - name: Run_Ansible_Playbook
-            env:
-              ANSIBLE_HOST_KEY_CHECKING: "false"
-              ANSIBLE_DEPRECATION_WARNINGS: "false"
-            run: |
-              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
-
-        # Remove test system - User secrets to keep if necessary
-
-          - name: Tofu Destroy
-            if: always() && env.ENABLE_DEBUG == 'false'
-            env:
-              OSVAR: ${{ vars.OSVAR }}
-              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
-              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
-            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+        - name: DEBUG - Show Ansible hostfile
+          if: env.ENABLE_DEBUG == 'true'
+          run: cat hosts.yml
+
+  # Aws deployments taking a while to come up insert sleep or playbook fails
+
+        - name: Sleep to allow system to come up
+          run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+      # Run the Ansible playbook
+        - name: Run_Ansible_Playbook
+          env:
+            ANSIBLE_HOST_KEY_CHECKING: "false"
+            ANSIBLE_DEPRECATION_WARNINGS: "false"
+          run: |
+            /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+
+      # Remove test system - User secrets to keep if necessary
+
+        - name: Tofu Destroy
+          if: always() && env.ENABLE_DEBUG == 'false'
+          env:
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+            TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+            TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+          run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false