Merge pull request #4 from cds-snc/repo-sync/site-reliability-engineering/default

chore: synced file(s) with cds-snc/site-reliability-engineering
2025-04-20 09:36:47 +00:00 · 2024-09-09 13:42:13 -04:00 · 2024-09-09 13:42:13 -04:00 · e8ef2ad86b
commit e8ef2ad86b
parent 89a44f2d65 884bf3a797
4 changed files with 148 additions and 0 deletions
--- a/.github/workflows/backstage-catalog-helper.yml
+++ b/.github/workflows/backstage-catalog-helper.yml
@ -0,0 +1,37 @@
 name: Backstage Catalog Info Helper
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update-catalog-info:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          fetch-depth: 0
      - name: Run Backstage Catalog Info Helper
        uses: cds-snc/backstage-catalog-info-helper-action@v0.3.1
        with:
          github_app_id: ${{ secrets.SRE_BOT_RW_APP_ID }}
          github_app_private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }}
          github_organization: cds-snc
      - name: impersonate Read/Write GH App
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        id: generate_token
        with:
          app_id: ${{ secrets.SRE_BOT_RW_APP_ID }}
          private_key: ${{ secrets.SRE_BOT_RW_PRIVATE_KEY }}
      - name: Create pull request
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ steps.generate_token.outputs.token}}
          commit-message: 'Add catalog-info.yaml'
          branch: 'backstage/catalog-info'
          title: 'Add catalog-info.yaml'
          body: 'Adding a basic catalog-info.yaml to start populating the backstage catalog with your components.'
          labels: 'backstage'
          add-paths: |
            catalog-info.yaml
--- a/.github/workflows/export_github_data.yml
+++ b/.github/workflows/export_github_data.yml
@ -0,0 +1,25 @@
 name: GitHub repository metadata exporter
 on:
  workflow_dispatch:
  schedule:
    - cron: "20 7 * * *"
 jobs:
  export-data:
    runs-on: ubuntu-latest
    steps:
      - name: Audit DNS requests
        uses: cds-snc/dns-proxy-action@main
        env:
          DNS_PROXY_FORWARDTOSENTINEL: "true"
          DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Export Data
        uses: cds-snc/github-repository-metadata-exporter@main
        with:
          github-app-id: ${{ secrets.SRE_BOT_RO_APP_ID }}
          github-app-installation-id: ${{ secrets.SRE_BOT_RO_INSTALLATION_ID }}
          github-app-private-key: ${{ secrets.SRE_BOT_RO_PRIVATE_KEY }}
          log-analytics-workspace-id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          log-analytics-workspace-key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@ -0,0 +1,47 @@
 name: Scorecards supply-chain security
 on:
  workflow_dispatch:
  schedule:
    # Weekly on Saturdays.
    - cron: "30 1 * * 6"
  push:
    branches:
      - main
 permissions: read-all
 jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - name: "Checkout code"
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@fdeb02dc9c3fb721c82a431b2708514aca13dbeb
        with:
          results_file: ossf-results.json
          results_format: json
          publish_results: false
      - name: "Add metadata"
        run: |
          full_repo="${{ github.repository }}"
          OWNER=${full_repo%/*}
          REPO=${full_repo#*/}
          jq -c '. + {"metadata_owner": "'$OWNER'", "metadata_repo": "'$REPO'", "metadata_query": "ossf"}' ossf-results.json > ossf-results-modified.json
      - name: "Post results to Sentinel"
        uses: cds-snc/sentinel-forward-data-action@main
        with:
          file_name: ossf-results-modified.json
          log_type: GitHubMetadata_OSSF_Scorecard
          log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
--- a/.github/workflows/s3-backup.yml
+++ b/.github/workflows/s3-backup.yml
@ -0,0 +1,39 @@
 name: S3 backup
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *"
 jobs:
  s3-backup:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        fetch-depth: 0 # retrieve all history
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        aws-access-key-id: ${{ secrets.AWS_S3_BACKUP_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_S3_BACKUP_SECRET_ACCESS_KEY }}
        aws-region: ca-central-1
    - name: Create ZIP bundle
      run: |
        ZIP_FILE=`basename ${{ github.repository }}`-`date '+%Y-%m-%d'`.zip
        zip -rq "${ZIP_FILE}" .
        mkdir -p ${{ github.repository }}
        mv "${ZIP_FILE}" ${{ github.repository }}
    - name: Upload to S3 bucket
      run: |
        aws s3 sync . s3://${{ secrets.AWS_S3_BACKUP_BUCKET }} --exclude='*' --include='${{ github.repository }}/*'
    - name: Notify Slack channel if this job failed
      if: ${{ failure() }}
      run: |
        json='{"text":"S3 backup failed in <https://github.com/${{ github.repository }}>!"}'
        curl -X POST -H 'Content-type: application/json' --data "$json"  ${{ secrets.SLACK_NOTIFY_WEBHOOK }}