linuxfoundation · andrest50 · Jul 23, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025
@@ -0,0 +1,18 @@
+---
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+name: License Header Check
+
+"on": [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  license-header-check:
+    name: License Header Check
+    uses: linuxfoundation/lfx-public-workflows/.github/workflows/license-header-check.yml@main
+    with:
+      copyright_line: "Copyright The Linux Foundation and each contributor to LFX."
+      exclude_pattern: "gen/*"
@@ -0,0 +1,42 @@
+---
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: MegaLinter
+
+"on":
+  pull_request: null
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  megalinter:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+        with:
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        # Use the Go flavor.
+        uses: oxsecurity/megalinter/flavors/go@5a91fb06c83d0e69fbd23756d47438aa723b4a5a  # 8.7.0
+        env:
+          # All available variables are described in documentation
+          # https://megalinter.io/configuration/
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Allow GITHUB_TOKEN for working around rate limits (aquasecurity/trivy#7668).
+          REPOSITORY_TRIVY_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN
@@ -0,0 +1,38 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+name: "Project API Build"
+
+"on": [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  build-pr:
+    name: Build and Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+
+      - name: Setup go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
+        with:
+          go-version: stable
+
+      - name: Download Dependencies
+        run: make deps
+        working-directory: cmd/project-api
+
+      - name: Generate service code
+        run: make apigen
+        working-directory: cmd/project-api
+
+      - name: Build
+        run: make build
+        working-directory: cmd/project-api
+
+      - name: Test
+        run: make test
+        working-directory: cmd/project-api
@@ -0,0 +1,8 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+bin/
+.env*
+
+# Linter generated files
+megalinter-reports/
+revive.log
@@ -0,0 +1,30 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+title = "gitleaks config"
+
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+description = "Allowlisted files"
+paths = [
+    '''.automation/test''',
+    '''megalinter-reports''',
+    '''.github/linters''',
+    '''node_modules''',
+    '''.mypy_cache''',
+    '''./cmd/project-api/service_handler_test.go''',
+    '''./cmd/project-api/service_endpoint_test.go''',
+    '''(.*?)gitleaks\.toml$''',
+    '''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''',
+    '''(go.mod|go.sum)$''',
+    '''(.*?)(swagger\.yml|swagger\.yaml)$''',
+    '''(.*?)(serverless\.yml|serverless\.yaml)$''',
+]
+regexTarget = "match"
+regexes = [
+    '''eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg''',
+]
@@ -0,0 +1,2 @@
+46d11606320853a027a623c203238656cda3d36e:service_test.go:jwt:571
+874abaf0c197e135ec27253c169f6b2deead5806:service_test.go:jwt:571
@@ -0,0 +1,42 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+GITHUB_COMMENT_REPORTER: false
+DISABLE_LINTERS:
+  # We are setting KUBERNETES_DIRECTORY to the helm chart so the
+  # KUBERNETES_HELM linter can find the chart, but then this linter expects to
+  # find raw Kubernetes manifests in this directory, which isn't the case.
+  # If we added a PRE_ command with a `helm template` step, and further
+  # restricted the included files for this linter, it *might* work.
+  - KUBERNETES_KUBECONFORM
+  # TBD how to use this from Megalinter with our setup.
+  - KUBERNETES_KUBESCAPE
+  # Repository-wide link checking returns mostly false positives (like internal
+  # service URLs in templates).
+  - SPELL_LYCHEE
+  - SPELL_CSPELL
+  # yamllint is sufficient for us.
+  - YAML_PRETTIER
+DISABLE_ERRORS_LINTERS:
+  # This may be informative but doesn't need to break the build.
+  - COPYPASTE_JSCPD
+  # TBD! Need to work through these.
+  - REPOSITORY_TRIVY
+  - REPOSITORY_CHECKOV
+  - REPOSITORY_DEVSKIM
+YAML_YAMLLINT_CONFIG_FILE: .yamllint
+REPOSITORY_KICS_ARGUMENTS: >-
+  scan --no-progress --exclude-severities="medium,low,info,trace" --exclude-paths="./cmd/project-api/gen/*"
+SPELL_CSPELL_ANALYZE_FILE_NAMES: false
+# Make sure Vale is setup to run with the styles it needs.
+SPELL_VALE_PRE_COMMANDS:
+  - command: mkdir -p styles
+    cwd: "workspace"
+  - command: vale sync
+    cwd: "workspace"
+API_SPECTRAL_FILTER_REGEX_EXCLUDE: "gen/"
+# Ignore YAML files with templating macros; these typically fail linting and/or
+# schema checking.
+FILTER_REGEX_EXCLUDE: '(templates/.*\.yml|templates/.*\.yaml)'
+KUBERNETES_DIRECTORY: charts/lfx-v2-project-service
+KUBERNETES_HELM_ARGUMENTS: charts/lfx-v2-project-service
@@ -0,0 +1,13 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+---
+extends: default
+ignore: |
+  .git
+  megalinter-reports
+  styles
+  gen/
+rules:
+  line-length:
+    max: 120
+    level: warning
@@ -0,0 +1,2 @@
+# Platform engineering group within LFX engineering.
+* @linuxfoundation/lfx-platform
@@ -0,0 +1,38 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+# checkov:skip=CKV_DOCKER_7:No free access to Chainguard versioned labels.
+# hadolint global ignore=DL3007
+
+FROM cgr.dev/chainguard/go:latest AS builder
+
+# Expose port 8080 for the project service API.
+EXPOSE 8080
+
+# Set necessary environment variables needed for our image. Allow building to
+# other architectures via cross-compilation build-arg.
+ARG TARGETARCH
+ENV CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH
+
+# Move to working directory /build
+WORKDIR /build
+
+# Download dependencies to go modules cache
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy the code into the container
+COPY . .
+
+# Build the packages
+RUN go build -o /go/bin/project-svc -trimpath -ldflags="-w -s" github.com/linuxfoundation/lfx-v2-project-service/cmd/project-api
+
+# Run our go binary standalone
+FROM cgr.dev/chainguard/static:latest
+
+# Implicit with base image; setting explicitly for linters.
+USER nonroot
+
+COPY --from=builder /go/bin/project-svc /cmd/project-api
+
+ENTRYPOINT ["/cmd/project-api"]
@@ -0,0 +1,18 @@
+Copyright The Linux Foundation and each contributor to LFX.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		46d11606320853a027a623c203238656cda3d36e:service_test.go:jwt:571
jordane marked this conversation as resolved. Show resolved Hide resolved
		874abaf0c197e135ec27253c169f6b2deead5806:service_test.go:jwt:571
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Platform engineering group within LFX engineering.
		* @linuxfoundation/lfx-platform