Initial release

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "docker" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

.github/workflows/README.md

@@ -0,0 +1,33 @@
+# Wrangle Workflows
+
+Wrangle aims to provide _both_:
+
+1. Reusable workflows that other projects can easily call to achieve their goals.
+2. Minimal _example_ workflows that other projects can adopt themselves to use Wrangle workflows and actions.
+
+Wrangle also has it's own workflows that it uses to mange itself.
+Wrangle's own workflows all have filenames that start with `local_`.
+
+## TODO:
+
+- Provide example workflows.
+- Provide reuable workflow for code change...
+
+## build_and_publish_container.yml
+
+This reusable workflow allows callers to easily, build and publish their containers with a minimum of fuss.
+
+It's goal is to follow all best practices for building and publishing container images, including:
+
+1. Publishing SLSA provenance.
+2. (TODO) Creating and publishing SBOMs.
+3. (TODO) Scanning for vulnerabilities.
+4. ...
+
+## check_source_changes.yml
+
+This reusable workflow allows callers to easily scan their source changes.
+
+It creates a summary of all the tool results in the GitHub Action.
+
+![check_source_change_summary](/assets/images/check_source_change_summary.png)

.github/workflows/build_and_publish_container.yml

@@ -0,0 +1,62 @@
+name: "Build and publish a container using best practices."
+
+on:
+  workflow_call:
+    inputs:
+      path:
+        description: "A path, within the repo, to the folder containiner a Dockerfile you want to build."
+        required: true
+        type: string
+      imagename:
+        description: "The full path, including registry, specifying where the image should be published."
+        required: true
+        type: string
+      registry:
+        required: true
+        type: string
+      publish_provenance_for_private_repo:
+        description: "Publish provenance to Sigstore for a private repo"
+        required: false
+        default: false
+        type: boolean
+    secrets:
+      gh_token:
+        description: "GitHub token with write access"
+        required: true
+
+jobs:
+  build:
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+      imagename: ${{ steps.build.outputs.imagename }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: "build and publish"
+      id: build    
+      uses: tomhennen/wrangle/build/actions/container@main
+      with:
+        path: ${{ inputs.path }}
+        imagename: ${{ inputs.imagename }}
+        registry: ${{ inputs.registry }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  provenance:
+    # Generate provenance for anything that's not a PR
+    # We should probably be more restrictive in the future?
+    if: ${{ ! startsWith(github.event_name, 'pull_') }}
+    needs: [build]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.build.outputs.imagename }}
+      digest: ${{ needs.build.outputs.digest }}
+      registry-username: ${{ github.actor }}
+      private-repository: ${{ inputs.publish_provenance_for_private_repo }}
+    secrets:
+      registry-password: ${{ secrets.gh_token }}

.github/workflows/check_source_change.yml

@@ -0,0 +1,29 @@
+name: Check Change
+
+on:
+  workflow_call:
+    secrets:
+      gh_token:
+        # TODO: Is this needed for public repos and if wrangle images are public?
+        description: "GitHub token with permission to read wrangle images, repo data, and write security-events."
+        required: true
+
+jobs:
+  # Whenever new source is pushed or a PR is received, scan it for any issues
+  check-change:
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      issues: read
+      pull-requests: read
+      security-events: write # So we can upload sarif
+      statuses: read
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Run Scan"
+      uses: tomhennen/wrangle/source/actions/scan@main
+      # TODO: Remove once images are public?
+      with:
+        registry: 'ghcr.io'
+        github_token: ${{ secrets.gh_token }}

.github/workflows/local_build_tools.yml

@@ -0,0 +1,41 @@
+name: Build Tools
+
+on:
+  push:
+    branches: [ 'main' ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ "**" ]
+    paths:
+      # only rebuild if something related to our docker images changed
+      - tools/**
+      - workflows/build-tools.yml
+      - source/tools/**
+      - publish/actions/container/**
+  workflow_dispatch:
+
+# Make sure we cancel any outstanding workflows that are outdated.
+# This should save time & money.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-and-push:
+    permissions:
+      contents: read
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    strategy:
+      fail-fast: false
+      matrix:
+        tool: [source/tools/osv, source/tools/zizmor, tools/cosign, tools/osv_sbom]
+    uses: tomhennen/wrangle/.github/workflows/build_and_publish_container.yml@main
+    with:
+      path: ${{ matrix.tool }}
+      imagename: ghcr.io/${{ github.repository }}/${{ matrix.tool }}
+      registry: 'ghcr.io'
+      publish_provenance_for_private_repo: true
+    secrets:
+      gh_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/local_check_change.yml

@@ -0,0 +1,22 @@
+name: Check Change
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "**" ]
+  workflow_dispatch:
+
+jobs:
+  # Whenever new source is pushed or a PR is received, scan it for any issues
+  check-change:
+    permissions:
+      actions: read
+      contents: read
+      packages: read
+      issues: read
+      pull-requests: read
+      security-events: write # So we can upload sarif
+      statuses: read
+    uses: tomhennen/wrangle/.github/workflows/check_source_change.yml@main
+    secrets:
+      gh_token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,3 @@
+.#*
+*~
+metadata/