From 19838e01effad97e38e915833ae240756f7dd5c6 Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Fri, 3 Feb 2023 10:09:29 -0500
Subject: [PATCH 1/6] Create build.yml
---
 .github/workflows/build.yml | 70 +++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..5937316
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,70 @@
+name: Go
+
+on:
+ push:
+ branches: [ "main" ]
+ tags:
+ - '*'
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ GO111MODULE: on
+ CGO_ENABLED: 0
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Go
+ uses: actions/setup-go@v3
+ with:
+ go-version: 1.19
+
+ - name: Test
+ run: |
+ go mod download
+ go test -cover -vet all
+
+ - name: Build
+ run: |
+ go build -a -ldflags "-X main.version=${GITHUB_REF_NAME} -X main.rev=${GITHUB_SHA}"
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: nytimes/drone-gke
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=ref,event=tag
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ platforms: linux/amd64
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Send GitHub Action trigger data to Slack workflow
+ id: slack
+ uses: slackapi/slack-github-action@v1.23.0
+ if: ${{ github.event_name != 'pull_request' }}
+ with:
+ payload: |
+ {
+ "text": "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+ }
+ env:
+ # webhook for #dv-cdp-alerts
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
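Review bot: The Slack step at the end of the hunk reports `${{ job.status }}` but is gated only by `if: ${{ github.event_name != 'pull_request' }}`, so it is skipped whenever an earlier step fails and the notification can only ever say "success"; use `if: ${{ always() && github.event_name != 'pull_request' }}` (the same gating is kept unchanged around the payload edited in [PATCH 4/6]). Every `uses:` reference (actions/checkout@v3, actions/setup-go@v3, docker/metadata-action@v4, docker/login-action@v2, docker/build-push-action@v4, slackapi/slack-github-action@v1.23.0) is pinned to a mutable tag; pinning to a full commit SHA with the tag in a trailing comment keeps a retagged action from running unreviewed code in a job that holds the Docker Hub and Slack secrets. `go-version: 1.19` is a plain scalar that parses as a float (a later bump to `1.20` silently becomes 1.2) and `GO111MODULE: on` is a YAML 1.1 boolean, so quote both: `go-version: '1.19'` and `GO111MODULE: 'on'`. The "Login to Docker Hub" step also runs on pull_request events even though the push is already disabled there; giving it the same `if:` as the Slack step avoids a failing login on fork PRs, where the secrets are empty.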
From db3e3a19f1eea5999bc2d2772ce0d575bf739417 Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Fri, 3 Feb 2023 10:11:35 -0500
Subject: [PATCH 2/6] Removing .drone.yml
---
 .drone.yml | 89 ------------------------------------------------------
 1 file changed, 89 deletions(-)
 delete mode 100644 .drone.yml
diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index 6947259..0000000
--- a/.drone.yml
+++ /dev/null
@@ -1,89 +0,0 @@
----
-kind: pipeline
-name: default
-
-platform:
- os: linux
- arch: amd64
-
-workspace:
- base: /go
- path: src/github.com/nytimes/drone-gke
-
-go_config: &go_config
- image: golang:1
- pull: if-not-exists
- environment:
- GO111MODULE: on
- GOPROXY: https://proxy.golang.org
- CGO_ENABLED: 0
-
-slack_config: &slack_config
- image: plugins/slack
- pull: if-not-exists
- settings:
- channel: dv-cdp-alerts
- environment:
- SLACK_WEBHOOK:
- from_secret: slack_webhook
-
-steps:
-- <<: *go_config
- name: test
- commands:
- - go mod download
- - go test -cover -vet all
-
-- <<: *go_config
- name: build
- commands:
- - go build -a -ldflags "-X main.version=n/a -X main.rev=${DRONE_COMMIT}"
- when:
- branch:
- - main
-
-- <<: *go_config
- name: build_release
- commands:
- - go build -a -ldflags "-X main.version=${DRONE_TAG} -X main.rev=${DRONE_COMMIT}"
- when:
- event:
- - tag
-
-- name: docker_build_test
- image: plugins/docker
- pull: if-not-exists
- settings:
- dry_run: true
- dockerfile: Dockerfile
- repo: nytimes/drone-gke
- when:
- event:
- - pull_request
-
-- name: publish_release
- image: plugins/docker
- pull: if-not-exists
- settings:
- auto_tag: true
- dockerfile: Dockerfile
- repo: nytimes/drone-gke
- environment:
- DOCKER_PASSWORD:
- from_secret: docker_password
- DOCKER_USERNAME:
- from_secret: docker_username
-
-- <<: *slack_config
- name: slack
- when:
- branch:
- - main
-
-- <<: *slack_config
- name: slack_tag
- when:
- event:
- - tag
-
-...
From 0ba83de119a3ed11be0a104f6ae868031857a1cd Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Fri, 3 Feb 2023 10:47:16 -0500
Subject: [PATCH 3/6] Update Links
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a431632..ce35581 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ Derive the API endpoints and credentials from the Google credentials and open th
 - Usage [documentation](DOCS.md)
 - Docker Hub [release tags](https://hub.docker.com/r/nytimes/drone-gke/tags)
-- Drone.io [builds](https://cloud.drone.io/nytimes/drone-gke)
+- GitHub Actions Workflow [runs](https://github.com/nytimes/drone-gke/actions)
 - Contributing [documentation](.github/CONTRIBUTING.md)
 
 ## Releases and versioning
From a29388d201b1a6b8ac325eeadb7e9f8dbc056cb2 Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Fri, 3 Feb 2023 11:16:39 -0500
Subject: [PATCH 4/6] Update slack message
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5937316..f6d51da 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -63,7 +63,7 @@ jobs:
 with:
 payload: |
 {
- "text": "GitHub Action build result: ${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+ "text": "GitHub Actions Build Result: ${{ job.status }}\n triggered_by: ${{ github.actor }}\n job url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n commit url: ${{ github.event.head_commit.url }}"
 }
 env:
 # webhook for #dv-cdp-alerts
From db7b7c7d34f973e83750193d54d609b769158139 Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Tue, 7 Feb 2023 09:25:50 -0500
Subject: [PATCH 5/6] Create CODEOWNERS
---
 CODEOWNERS | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 CODEOWNERS
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..d098012
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,4 @@
+# As Security-hardening-for-github-actions best practices, make sure any changes to "./github/workflows" are approved
+# by project owners.
+
+./github/workflows @nytimes/delivery-engineering
From e055e6dd30a4e77f2c68ce5a6efb813291771f10 Mon Sep 17 00:00:00 2001
From: David Grizzanti
Date: Tue, 7 Feb 2023 09:54:07 -0500
Subject: [PATCH 6/6] Adjust permission scope for GITHUB_TOKEN
---
 .github/workflows/build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f6d51da..579c4fe 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,18 @@ env:
 jobs:
 build:
 runs-on: ubuntu-latest
+
+ permissions:
+ actions: write
+ checks: write
+ contents: write
+ deployments: write
+ id-token: write
+ issues: write
+ pull-requests: write
+ security-events: write
+ statuses: write
+
 steps:
 - uses: actions/checkout@v3
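Review bot: The owner rule on the last line, `./github/workflows @nytimes/delivery-engineering`, does not match the workflow directory: the path in the repository is `.github/workflows` (the dot belongs in front of `github`), so the pattern matches nothing and the review requirement the comment describes is never applied; the comment on the first line repeats the same misspelled path. Replace the rule with `/.github/workflows/ @nytimes/delivery-engineering` (leading `/` anchors it to the repository root, trailing `/` covers every file under the directory) and correct the quoted path in the comment. Adding `/CODEOWNERS @nytimes/delivery-engineering` keeps the ownership file itself under the same review. CODEOWNERS only enforces anything when branch protection on main has "Require review from Code Owners" enabled, which is not visible in this series, so confirm that setting is on.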
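Review bot: The added `permissions:` block grants `write` on nine scopes, but none of the job's steps (checkout, setup-go, `go test`/`go build`, the Docker Hub steps authenticated with repository secrets, the Slack webhook) uses GITHUB_TOKEN for anything beyond reading the repository, so despite the subject line this widens the token rather than scoping it down; `id-token: write` in particular lets the job mint OIDC tokens that no step requests. The least-privilege form is `permissions:` followed by `contents: read`, and any step that later needs more should add that one scope next to a comment naming the step. The write scopes only take effect on pushes to main and tags (fork pull_request tokens are read-only regardless), which are exactly the runs where the third-party actions pinned by tag in this workflow execute with the most authority, so keeping the grant minimal limits the blast radius of a compromised action.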