build: initial commit

Author: thomasleplus

.commitlintrc.js

@@ -0,0 +1,19 @@
+const Configuration = {
+  /*
+   * Inherit rules from conventional commits.
+   */
+  extends: ["@commitlint/config-conventional"],
+
+  /*
+   * Any rules defined here will override rules from parent.
+   */
+  rules: {
+    "body-leading-blank": [2, "always"], // warning -> error
+    "body-max-line-length": [1, "always", 100], // error -> warning
+    "footer-leading-blank": [2, "always"], // warning -> error
+    "footer-max-length": [1, "always", 100], // error -> warning
+    "header-max-length": [1, "always", 100], // error -> warning
+  },
+};
+
+export default Configuration;

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,74 @@
+---
+name: Bug report
+description: Create a bug report.
+title: "[Bug] "
+labels:
+  - bug
+assignees:
+  - thomasleplus
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Search to see if an issue already exists for the bug you encountered.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: A concise description of what you're experiencing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: version
+      description: |
+        Version where you observed this issue
+      placeholder: |
+        vX.Y.Z
+      render: markdown
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Copy and paste any relevant log output.
+        This will be automatically formatted into code, so no need for backticks.
+        Enable debug logging, either on GitHub Actions, or when running locally.
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: |
+        Steps to reproduce the issue.
+      placeholder: |
+        1. In this environment...
+        1. With this config...
+        1. Run '...'
+        1. See error...
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        Links? References? Anything that will give us more context about the issue you are encountering!
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,31 @@
+---
+name: Feature request
+description: Suggest a new feature for this project.
+title: "[Feature] "
+labels:
+  - enhancement
+assignees:
+  - thomasleplus
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this feature request!
+  - type: textarea
+    attributes:
+      label: Feature description
+      description: |
+        A clear and concise description of what the desired feature is and why it would be useful.
+      render: markdown
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        If you think that there are some implementation details to be taken into consideration, or anything that is not obvious from the previous description, please specify it here.
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+      render: markdown
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/question.yml

@@ -0,0 +1,20 @@
+---
+name: Question
+description: Ask a question.
+title: "[Question] "
+labels:
+  - question
+assignees:
+  - thomasleplus
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this feature request!
+  - type: textarea
+    attributes:
+      label: What is your question?
+      description: Please include as many details and examples as possible.
+      render: markdown
+    validations:
+      required: true

.github/dependabot.yml

@@ -0,0 +1,17 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/rst"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: chore(deps)
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    commit-message:
+      prefix: ci(deps)

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line MD041 -->
+## Readiness checklist
+<!-- prettier-ignore-end -->
+
+Please check the boxes below to confirm that you have followed the
+required guidelines for contributions:
+
+- [ ] All commits are [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification).
+- [ ] The title for this pull request is the same as the first commit's message and it follows the [conventional commits specification](https://www.conventionalcommits.org). See commit history for examples.
+- [ ] If this pull request includes code changes, they were all properly tested. Automated tests were also included where possible.
+- [ ] If applicable, this pull request includes the relevant documentation for this change.
+- [ ] If this pull request is related to an existing issue, you can use the same description below but in any case include a [link to the issue](https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/linking-a-pull-request-to-an-issue) like `Fixes #ISSUE_NUMBER.` or `Closes #ISSUE_NUMBER.`.
+
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable-next-line MD041 -->
+## Description
+<!-- prettier-ignore-end -->

.github/release.yml

@@ -0,0 +1,17 @@
+changelog:
+  exclude:
+    labels:
+      - no-release-notes
+  categories:
+    - title: "New Features :sparkles:"
+      labels:
+        - feat
+    - title: "Bug Fixes :bug:"
+      labels:
+        - fix
+    - title: "Dependency Upgrades :package:"
+      labels:
+        - dependencies
+    - title: "Other Changes :broom:"
+      labels:
+        - "*"

.github/workflows/apk-check-versions.yml

@@ -0,0 +1,20 @@
+---
+name: APK Check Versions
+
+on:
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  apk-check-versions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check the versions
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker run --pull always -t --user root --entrypoint /bin/sh "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" -c 'if apk update && apk -u list | tee -a /dev/stderr | grep -q -e .; then exit 1; fi'

.github/workflows/automerge.yml

@@ -0,0 +1,36 @@
+---
+name: "Dependabot auto-merge"
+on: pull_request
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          # Checking the PR title is a poor substitute for the actual PR changes
+          # but as long as this is used only with dependabot PRs,
+          # it should be safe to assume that the title is not misleading.
+          regexp='[Bb]ump .* from [0-9]+\.[0-9]+(\.[0-9]+)?(\.[0-9]+)?(\-[a-z]+)? to [0-9]+\.[0-9]+(\.[0-9]+)?(\.[0-9]+)?(\-[a-z]+)?( in .*)?$'
+          if ! [[ "${PR_TITLE}" =~ ${regexp} ]] ; then
+            echo 'Non-semver upgrade, needs manual review.'
+          elif [ "${BASH_REMATCH[3]}" != "${BASH_REMATCH[6]}" ] ; then
+            echo 'Version suffixes do not match, needs manual review.'
+          else
+            echo 'Automated review approval.'
+            gh pr review --approve "${PR_URL}"
+          fi
+          gh pr merge --auto --squash "${PR_URL}"
+        env:
+          PR_TITLE: ${{github.event.pull_request.title}}
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/check-pr.yml

@@ -0,0 +1,125 @@
+---
+name: "Check PR"
+on: pull_request
+
+permissions:
+  pull-requests: write
+
+jobs:
+  check-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check commits
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          # Check the commits
+          commits_json=$(curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" "${PR_COMMITS_URL}")
+          echo -n 'Commits: '
+          echo "${commits_json}" | jq '.'
+          commit_count="$(echo "${commits_json}" | jq -r 'length')"
+          # Check first commit message (except for dependabot who is inconsistent)
+          if [ "${commit_count}" -eq 1 ] && [ "${GITHUB_ACTOR}" != 'dependabot[bot]' ] ; then
+            commit_title="$(echo "${commits_json}" | jq -r '.[0].commit.message' | head -n 1)"
+            echo "Commit title: ${commit_title}"
+            if [[ "${commit_title}" != "${PR_TITLE}" ]] ; then
+              >&2 echo 'Single commit must have same title as PR.'
+              exit 1
+            fi
+          fi
+          # Check that all commits are signed
+          for ((i = 0 ; i < commit_count ; i++ )); do
+            if [[ "$(echo "${commits_json}" | jq -r ".[${i}].commit.verification.verified")" == 'false' ]] ; then
+              >&2 echo "Commit $(echo "${commits_json}" | jq -r ".[${i}].sha") must be signed."
+              exit 1
+            fi
+          done
+        env:
+          PR_TITLE: ${{github.event.pull_request.title}}
+          PR_COMMITS_URL: ${{github.event.pull_request.commits_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Update PR labels
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          # Check PR title is a conventional commit message
+          regexp='^((build|chore|ci|docs|feat|fix|perf|refactor|style|test)(\([a-zA-Z0-9\-]+\))?)!?: .*$'
+          if ! [[ "${PR_TITLE}" =~ ${regexp} ]] ; then
+            >&2 echo 'Non conventional PR title.'
+            exit 1
+          fi
+          scoped_type="${BASH_REMATCH[1]}"
+          type="${BASH_REMATCH[2]}"
+          add_labels=()
+          remove_labels=()
+          # Remove the labels we manage
+          for label in build chore ci docs feat fix perf refactor test style ; do
+            if [[ "${label}" == "${type}" ]]; then
+              echo "Label to add: ${label}"
+              if [[ "${PR_LABELS}" == *"${label}"* ]] ; then
+                echo "Label ${label} already present"
+              else
+                add_labels+=("${label}")
+              fi
+            else
+              echo "Label to remove: ${label}"
+              if [[ "${PR_LABELS}" == *"${label}"* ]] ; then
+                remove_labels+=("${label}")
+              else
+                echo "Label ${label} not present"
+              fi
+            fi
+          done
+          # If scope is dependency-related, add 'dependencies' label
+          regexp2='^[a-zA-Z0-9]+\([a-zA-Z0-9\-]*deps\)$'
+          if [[ "${scoped_type}" =~ ${regexp2} ]] ; then
+            echo "Label to add: dependencies"
+            if [[ "${PR_LABELS}" == *"dependencies"* ]] ; then
+              echo "Label dependencies already present"
+            else
+              add_labels+=('dependencies')
+            fi
+            # otherwise do not remove it since we are not the only ones to manage this label (e.g. dependabot)
+          fi
+          # For certain types/scopes, add 'no-release-notes' label
+          if [[ "${type}" == 'chore' \
+                || "${type}" == 'ci' \
+                || "${type}" == 'docs' \
+                || "${type}" == 'style' \
+                || "${type}" == 'test' ]] ; then
+            echo "Label to add: no-release-notes"
+            if [[ "${PR_LABELS}" == *"no-release-notes"* ]] ; then
+              echo "Label no-release-notes already present"
+            else
+              add_labels+=('no-release-notes')
+            fi
+          else
+            echo "Label to remove: no-release-notes"
+            if [[ "${PR_LABELS}" == *"no-release-notes"* ]] ; then
+              remove_labels+=('no-release-notes')
+            else
+              echo "Label no-release-notes not present"
+            fi
+          fi
+          # Update the labels
+          function join_by { local IFS="$1"; shift; echo "$*"; }
+          if [ ${#add_labels[@]} -eq 0 ] && [ ${#remove_labels[@]} -eq 0 ]; then
+            echo 'No label to change'
+          elif [ ${#add_labels[@]} -eq 0 ]; then
+            echo "Removing labels: $(join_by , "${remove_labels[@]}")"
+            gh pr edit "${PR_URL}" --remove-label "$(join_by , "${remove_labels[@]}")"
+          elif [ ${#remove_labels[@]} -eq 0 ]; then
+            echo "Adding labels: $(join_by , "${add_labels[@]}")"
+            gh pr edit "${PR_URL}" --add-label "$(join_by , "${add_labels[@]}")"
+          else
+            echo "Adding labels: $(join_by , "${add_labels[@]}")"
+            echo "Removing labels: $(join_by , "${remove_labels[@]}")"
+            gh pr edit "${PR_URL}" --add-label "$(join_by , "${add_labels[@]}")" --remove-label "$(join_by , "${remove_labels[@]}")"
+          fi
+        env:
+          PR_TITLE: ${{github.event.pull_request.title}}
+          PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}