Merge branch 'main' into apim_PG-feedback

Azure · Oct 21, 2024 · 8ab4220 · 8ab4220
2 parents 62078ef + eae55de
commit 8ab4220
Show file tree

Hide file tree

Showing 49 changed files with 489 additions and 189 deletions.
diff --git a/.github/actions-config/gh-ado-sync-config.json b/.github/actions-config/gh-ado-sync-config.json
@@ -0,0 +1,18 @@
+{
+  "log_level": "info",
+  "ado": {
+    "organization": "CSUSolEng",
+    "project": "Well-Architected Framework",
+    "wit": "GitHub Issue",
+    "states": {
+      "new": "New",
+      "closed": "Closed",
+      "reopened": "New",
+      "deleted": "Removed",
+      "active": "In Progress"
+    },
+    "bypassRules": true,
+    "autoCreate": true,
+    "areaPath": "Well-Architected Framework"
+  }
+}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,3 +12,4 @@ updates:
     labels:
       - "Type: Hygiene :broom:"
       - "Needs: Attention from aprl-maintainers :wave:"
+      - "Auto-Merge :heavy_check_mark:"
diff --git a/.github/workflows/ado-sync-workitems.yml b/.github/workflows/ado-sync-workitems.yml
@@ -0,0 +1,31 @@
+name: Sync Issues to Azure DevOps Work Items
+
+permissions:
+  contents: read
+
+on:
+  issues:
+    types: [opened, closed, deleted, reopened, edited, labeled, unlabeled, assigned, unassigned]
+  issue_comment:
+    types: [created]
+
+jobs:
+  alert:
+    runs-on: ubuntu-latest
+    name: Sync workflow
+    if: github.repository == 'Azure/Azure-Proactive-Resiliency-Library-v2'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: GitHub/ADO Sync
+        uses: a11smiles/GitSync@v1.2.3
+        env:
+          ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}'
+          github_token: '${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}'
+          config_file: './.github/actions-config/gh-ado-sync-config.json'
+        with:
+          ado: ${{ secrets.ADO_MAPPINGS_HANDLES }}
diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
@@ -3,28 +3,60 @@ name: Nightly Recommendation Object Build
 on:
   schedule:
     - cron: "0 0 * * *"
+  workflow_dispatch: {}
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           ref: main
 
+      - name: Configure Git
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+        shell: bash
+
+      - name: Create and Switch to New Branch
+        run: |
+          git checkout -b json-object-update
+        shell: bash
+
       - name: Run Recommendation Object Builder
         run: |
           pwsh .github/scripts/build-recommendation-object.ps1
 
       - name: Commit and push changes
         run: |
-          git config --global user.name 'github-actions[bot]'
-          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
           git add ./tools/data/recommendations.json
           git commit -m "Update recommendations.json"
-          git push
+          git push --set-upstream origin json-object-update
+
+      - name: Create PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr create --title "chore: Update APRL JSON Object" --body "This PR updates the single JSON object for all APRL recommendations." --base main --head json-object-update
+        shell: bash
+
+      - name: Merge PR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pr_number=$(gh pr list --state open --limit 1 --json number --jq '.[0].number')
+          gh pr merge $pr_number --merge
+        shell: bash
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
@@ -11,22 +11,26 @@ on:
 permissions:
   contents: read
   packages: read
-      # To report GitHub Actions status checks
-  statuses: write
 
 jobs:
   lint:
+    permissions:
+      statuses: write
     name: Lint code base
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
 
       - name: Run github/super-linter
-        uses: github/super-linter@v7
+        uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # v7
         env:
           VALIDATE_ALL_CODEBASE: false
           # Need to define main branch as default is set to master in super-linter
@@ -46,15 +50,19 @@ jobs:
   markdown_link_check:
     name: Markdown Link Check
     runs-on: ubuntu-latest
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@main
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # main
         with:
           fetch-depth: 0
 
       - name: Check links in markdown files
-        uses: gaurav-nelson/github-action-markdown-link-check@1.0.15
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
         with:
           config-file: ".github/linters/mlc_config.json"
           use-verbose-mode: "yes"

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,28 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/hugo-build-pr-check.yml b/.github/workflows/hugo-build-pr-check.yml
@@ -17,21 +17,25 @@ on:
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
-
 # Default to bash
 defaults:
   run:
     shell: bash
 
 jobs:
-  # Build PR job
   buildpr:
+    permissions:
+      pages: write
+      id-token: write
     runs-on: ubuntu-latest
     env:
       HUGO_VERSION: 0.124.1
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Install Hugo CLI
         run: |
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
@@ -41,14 +45,14 @@ jobs:
         run: sudo snap install dart-sass-embedded
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: recursive
           fetch-depth: 0
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 
       - name: Install Node.js dependencies
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"

diff --git a/.github/workflows/hugo-site-build.yml b/.github/workflows/hugo-site-build.yml
@@ -20,11 +20,8 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch: {}
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 # Allow one concurrent deployment
 concurrency:
@@ -43,6 +40,11 @@ jobs:
     env:
       HUGO_VERSION: 0.124.1
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Install Hugo CLI
         run: |
           wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
@@ -52,19 +54,19 @@ jobs:
         run: sudo snap install dart-sass-embedded
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           submodules: recursive
           fetch-depth: 0
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: "3.12" # install the python version needed
 
       - name: Setup Pages
         id: pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 
       - name: Install Node.js dependencies
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
@@ -82,19 +84,27 @@ jobs:
         working-directory: .
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: ./public
 
   # Deployment job
   deploy:
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     needs: build
     if: github.ref == 'refs/heads/main'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
@@ -7,11 +7,22 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR Title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}