Add common workflows and files

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,23 @@
+name: Dependabot auto-merge
+on: pull_request_target
+
+permissions:
+  contents: read
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    permissions:
+      pull-requests: write
+      contents: write
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+name: "Dependency Review"
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.ref_name }}-deps-review
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to post comments
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        with:
+          config-file: "./dependency-review-config.yml"

.github/workflows/sync.yml

@@ -6,7 +6,7 @@ on:
       - labels.yml
   schedule:
     - cron: "8 0 * * 1" # run every Monday at 00:08 UTC
-  workflow_dispatch:
+  workflow_dispatch: # yamllint disable-line rule:empty-values
 
 concurrency:
   group: ${{ github.ref_name }}-sync

.gitignore

@@ -0,0 +1,10 @@
+# Vim
+*.swp
+*.swo
+
+# GoLand IDE and VSCode
+.idea
+.vscode
+
+# MacOS Finder
+.DS_Store

.markdownlint-cli2.yaml

@@ -0,0 +1,18 @@
+# Rule configuration.
+# For rule descriptions and how to fix: https://github.com/DavidAnson/markdownlint/tree/main#rules--aliases
+config:
+  ul-style:
+    style: dash
+  no-duplicate-heading:
+    siblings_only: true
+  line-length:
+    line_length: 120
+    code_blocks: false
+    tables: false
+
+# Define glob expressions to ignore
+ignores:
+  - ".github/"
+
+# Fix any fixable errors
+fix: true

.pre-commit-config.yaml

@@ -0,0 +1,41 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: [--allow-multiple-documents]
+      - id: check-ast
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-shebang-scripts-are-executable
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: check-case-conflict
+      - id: check-vcs-permalinks
+      - id: check-json
+      - id: pretty-format-json
+        args: [--autofix, --no-ensure-ascii]
+      - id: mixed-line-ending
+        args: [--fix=lf]
+      - id: no-commit-to-branch
+      - id: requirements-txt-fixer
+      - id: fix-byte-order-marker
+
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.3
+    hooks:
+      - id: gitleaks
+
+  - repo: https://github.com/DavidAnson/markdownlint-cli2
+    rev: v0.13.0
+    hooks:
+      - id: markdownlint-cli2
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.35.1
+    hooks:
+      - id: yamllint

.yamllint.yaml

@@ -0,0 +1,22 @@
+---
+yaml-files:
+  - "*.yaml"
+  - "*.yml"
+
+ignore-from-file: .gitignore
+
+extends: default
+
+rules:
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: enable
+  document-start: disable
+  empty-values: enable
+  line-length:
+    max: 120
+    ignore: |
+      .goreleaser.yml
+      .github/
+  truthy:
+    check-keys: false

files/nap-waf-v5-debian-11.repo

@@ -5,4 +5,4 @@ Types: deb
 URIs: https://pkgs.nginx.com/app-protect-x-plus/debian
 Suites: bullseye
 Components: nginx-plus
-Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg
+Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg

files/nap-waf-v5-debian-12.repo

@@ -5,4 +5,4 @@ Types: deb
 URIs: https://pkgs.nginx.com/app-protect-x-plus/debian
 Suites: bookworm
 Components: nginx-plus
-Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg
+Signed-By: /usr/share/keyrings/nginx-archive-keyring.gpg

files/nap-waf-v5-ubi-8.repo

@@ -4,4 +4,4 @@ baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/8/$basearch/
 sslclientcert=/etc/ssl/nginx/nginx-repo.crt
 sslclientkey=/etc/ssl/nginx/nginx-repo.key
 gpgcheck=0
-enabled=1
+enabled=1

files/nap-waf-v5-ubi-9.repo

@@ -4,4 +4,4 @@ baseurl=https://pkgs.nginx.com/app-protect-x-plus/centos/9/$basearch/
 sslclientcert=/etc/ssl/nginx/nginx-repo.crt
 sslclientkey=/etc/ssl/nginx/nginx-repo.key
 gpgcheck=0
-enabled=1
+enabled=1

files/patch-os.sh

@@ -3,7 +3,7 @@
 patch_debian() {
     echo "Patching Debian"
     apt-get update
-    apt-get upgrade -y 
+    apt-get upgrade -y
     rm -rf /var/lib/apt/lists/*
 }