pagopa · lorenzo-catalano · Mar 22, 2024 · Mar 12, 2024
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -25,7 +25,8 @@
 
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
-- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as
+  expected)
 
 #### Checklist:
 

diff --git a/.github/auto_assign.yml b/.github/auto_assign.yml
@@ -0,0 +1,3 @@
+addAssignees: author
+
+runOnDraft: true
diff --git a/.github/release.yml b/.github/release.yml
@@ -0,0 +1,18 @@
+# release.yml
+
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors:
+      - pagopa-github-bot
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - breaking-change
+    - title: Exciting New Features 🎉
+      labels:
+        - enhancement
+    - title: Other Changes
+      labels:
+        - "*"
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '00 07 * * *'
+
+permissions:
+  contents: read
+
+env:
+  DOCKERFILE: Dockerfile
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v3
+
+#      - name: Build the Docker image
+#        run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: false
+          tags: localbuild/testimage:latest
+          secrets: |
+            GH_TOKEN=${{ secrets.READ_PACKAGES_TOKEN }}
+
+      - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          image: "localbuild/testimage:latest"
+          acs-report-enable: true
+          fail-build: true
+          severity-cutoff: "high"
+
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/check_pr.yml b/.github/workflows/check_pr.yml
@@ -0,0 +1,183 @@
+name: Check PR
+
+# Controls when the workflow will run
+on:
+  pull_request:
+    branches:
+      - main
+    types: [ opened, synchronize, labeled, unlabeled, reopened, edited ]
+
+
+permissions:
+  pull-requests: write
+
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  auto_assign:
+    name: Auto Assign
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - name: Assign Me
+        # You may pin to the exact commit or the version.
+        uses: kentaro-m/auto-assign-action@v1.2.1
+        with:
+          configuration-path: '.github/auto_assign.yml'
+
+  check_format:
+    name: Check Format
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Formatting
+        id: format
+        continue-on-error: true
+        uses: findologic/intellij-format-action@main
+        with:
+          path: .
+          fail-on-changes: false
+
+      - uses: actions/github-script@v6.3.3
+        if: steps.format.outcome != 'success'
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            console.log(context);
+            var comments = await github.rest.issues.listComments({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo
+            });
+            for (const comment of comments.data) {
+              console.log(comment);
+              if (comment.body.includes('Comment this PR with')){
+                github.rest.issues.deleteComment({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: comment.id
+                })
+              }
+            }
+            github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: 'Comment this PR with *update_code* to update `openapi.json` and format the code. Consider to use pre-commit to format the code.'
+            })
+            core.setFailed('Format your code.')
+
+  check_size:
+    runs-on: ubuntu-latest
+    name: Check Size
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Check Size
+        uses: actions/github-script@v6.3.3
+        env:
+          IGNORED_FILES: openapi.json, openapi-node.json
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const additions = context.payload.pull_request.additions || 0
+            const deletions = context.payload.pull_request.deletions || 0
+            var changes = additions + deletions
+            console.log('additions: '+additions+' + deletions: '+deletions+ ' = total changes: ' + changes);
+
+            const { IGNORED_FILES } = process.env
+            const ignored_files = IGNORED_FILES.trim().split(',').filter(word => word.length > 0);
+            if (ignored_files.length > 0){
+              var ignored = 0
+              const execSync = require('child_process').execSync;
+              for (const file of IGNORED_FILES.trim().split(',')) {
+
+                const ignored_additions_str = execSync('git --no-pager  diff --numstat origin/main..origin/${{ github.head_ref}} | grep ' + file + ' | cut -f 1', { encoding: 'utf-8' })
+                const ignored_deletions_str = execSync('git --no-pager  diff --numstat origin/main..origin/${{ github.head_ref}} | grep ' + file + ' | cut -f 2', { encoding: 'utf-8' })
+
+                const ignored_additions = ignored_additions_str.split('\n').map(elem=> parseInt(elem || 0)).reduce(
+                (accumulator, currentValue) => accumulator + currentValue,
+                0);
+                const ignored_deletions = ignored_deletions_str.split('\n').map(elem=> parseInt(elem || 0)).reduce(
+                (accumulator, currentValue) => accumulator + currentValue,
+                0);
+
+                ignored += ignored_additions + ignored_deletions;
+              }
+              changes -= ignored
+              console.log('ignored lines: ' + ignored + ' , consider changes: ' + changes);
+            }
+
+            var labels = await github.rest.issues.listLabelsOnIssue({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo
+            });
+
+            if (labels.data.find(label => label.name == 'size/large')){
+              github.rest.issues.removeLabel({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name: 'size/large'
+              })
+            }
+            if (labels.data.find(label => label.name == 'size/small')){
+                github.rest.issues.removeLabel({
+                    issue_number: context.issue.number,
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: 'size/small'
+                })
+            }
+
+            var comments = await github.rest.issues.listComments({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo
+            });
+            for (const comment of comments.data) {
+              if (comment.body.includes('This PR exceeds the recommended size')){
+                github.rest.issues.deleteComment({
+                  issue_number: context.issue.number,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  comment_id: comment.id
+                })
+              }
+            }
+
+            if (changes < 200){
+              github.rest.issues.addLabels({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: ['size/small']
+              })
+            }
+
+            if (changes > 400){
+              github.rest.issues.addLabels({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: ['size/large']
+              })
+
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: 'This PR exceeds the recommended size of 400 lines. Please make sure you are NOT addressing multiple issues with one PR. _Note this PR might be rejected due to its size._'
+              })
+
+            }
+