Virus scans and super-linter added (#271)

* Virus scans and super-linter added Virus scans and super-linter added - Cpp and C scans with clang style enabled. - Python scanner enabled - Golang scanner enabled. - Markdown lint enabled. * Fully Templated Docker cached build job Fully Templated Docker cached build job - most parameters are defaulted based on git variables - all of defaulted parameters can be overwritten using inputs - fixes to existing workflows due to naming convention miss-match between action pull_request and push --------- Signed-off-by: Milosz Linkiewicz <[email protected]>
OpenVisualCloud · Nov 28, 2024 · 1c997a2 · 1c997a2
1 parent 797ef9b
commit 1c997a2
Show file tree

Hide file tree

Showing 20 changed files with 629 additions and 357 deletions.
diff --git a/.github/configs/super-linter/.clang-format b/.github/configs/super-linter/.clang-format
@@ -0,0 +1 @@
+BasedOnStyle: LLVM
diff --git a/.github/configs/super-linter/.golangci.yml b/.github/configs/super-linter/.golangci.yml
@@ -0,0 +1,37 @@
+---
+#########################
+#########################
+## Golang Linter rules ##
+#########################
+#########################
+
+# configure golangci-lint
+# see https://github.com/golangci/golangci-lint/blob/master/.golangci.example.yml
+issues:
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - dupl
+        - gosec
+        - goconst
+linters:
+  enable:
+    - gosec
+    - unconvert
+    - gocyclo
+    - goconst
+    - goimports
+    - gocritic
+    - govet
+    - revive
+linters-settings:
+  errcheck:
+    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    # default is false: such cases aren't reported by default.
+    check-blank: true
+  govet:
+    enable:
+      - shadow
+  gocyclo:
+    # minimal code complexity to report, 30 by default
+    min-complexity: 15
diff --git a/.github/configs/super-linter/.markdown-lint.yml b/.github/configs/super-linter/.markdown-lint.yml
@@ -0,0 +1,35 @@
+---
+###########################
+###########################
+## Markdown Linter rules ##
+###########################
+###########################
+
+# Linter rules doc:
+# - https://github.com/DavidAnson/markdownlint
+#
+# Note:
+# To comment out a single error:
+#   <!-- markdownlint-disable -->
+#   any violations you want
+#   <!-- markdownlint-restore -->
+#
+
+###############
+# Rules by id #
+###############
+MD004: false # Unordered list style
+MD007:
+  indent: 2 # Unordered list indentation
+MD013:
+  line_length: 400 # Line length 80 is far too short
+MD026:
+  punctuation: ".,;:!。，；:" # List of not allowed
+MD029: false # Ordered list item prefix
+MD033: false # Allow inline HTML
+MD036: false # Emphasis used instead of a heading
+
+#################
+# Rules by tags #
+#################
+blank_lines: false # Error on blank lines
diff --git a/.github/configs/super-linter/.python-lint b/.github/configs/super-linter/.python-lint
@@ -0,0 +1,10 @@
+[MASTER]
+
+# Use multiple processes to speed up Pylint.
+jobs=0
+
+[MESSAGES CONTROL]
+
+# Ignoring Import Errors is desired as super-linter
+# does not support installing dependencies as it runs
+disable=import-error
diff --git a/.github/configs/super-linter/.yaml-lint.yml b/.github/configs/super-linter/.yaml-lint.yml
@@ -0,0 +1,59 @@
+---
+###########################################
+# These are the rules used for            #
+# linting all the yaml files in the stack #
+# NOTE:                                   #
+# You can disable line with:              #
+# # yamllint disable-line                 #
+###########################################
+rules:
+  braces:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
+  brackets:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
+  colons:
+    level: warning
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    level: warning
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments: disable
+  comments-indentation: disable
+  document-end: disable
+  document-start:
+    level: warning
+    present: true
+  empty-lines:
+    level: warning
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    level: warning
+    max-spaces-after: 1
+  indentation:
+    level: warning
+    spaces: consistent
+    indent-sequences: true
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length:
+    level: warning
+    max: 80
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
diff --git a/.github/scripts/github_common.sh b/.github/scripts/github_common.sh
@@ -0,0 +1,191 @@
+#!/bin/bash
+
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright 2024 Intel Corporation
+
+script_dir=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
+repository_root=$(readlink -f "${script_dir}/../..")
+
+# shellcheck source="../../scripts/common.sh"
+. "${repository_root}/scripts/common.sh"
+
+allow_non_ascii_filenames="false"
+
+function get_main_sha()
+{
+  log_info "Getting origin/main commit SHA"
+  git_origin_main=$(git rev-parse --verify origin/main)
+  log_info "running against origin/master=${git_origin_main}"
+  echo $git_origin_main
+}
+
+function get_head_sha()
+{
+  log_info "Getting HEAD commit SHA"
+  if $(git rev-parse --verify HEAD >/dev/null 2>&1)
+  then
+    git_current_hash=$(git rev-parse --verify HEAD)
+  else
+    echo "This is first commit, nothing to check, exiting"
+    exit 0
+  fi
+  log_info "running against HEAD=${git_current_hash}"
+  echo $git_current_hash
+}
+
+function check_nonascii_files()
+{
+  local github_origin_main="$1"
+  local github_current_hash="$2"
+  local allow_non_ascii=${3:-false}
+
+  if [ "$allow_non_ascii" == "false" ]
+  then
+    if test $(git diff --diff-filter=AR --relative --name-only -z $github_origin_main $github_current_hash | LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+    then
+      cat <<EOF
+Error: You attempted to add a non-ASCII file name.
+       This is not allowed in Cloud Native Data Services repository.
+       To be portable it is mandatory for you to rename all the file.
+EOF
+    fi
+  fi
+}
+
+function check_file_subdir_type()
+{
+  local modified_file="$1"
+  local fields_range=${2:-'1'}
+
+  if [ -z "$modified_file" ]
+  then
+    printf "Function check_file_subdir_type requires exacly 1 valid argument." 1>&2
+    exit 1
+  fi
+  printf "${modified_file}" | cut -d'/' "-f${fields_range}"
+}
+
+function files_subdir_types()
+{
+  local github_origin_main="$1"
+  local github_current_hash="$2"
+
+# diff-filter params, uppercase include, lowercase exclude:
+# Added (A), Copied (C), Deleted (D), Modified (M), Renamed (R), changed (T), Unmerged (U), Unknown (X), pairing Broken (B)
+  modified_file_list="$(git diff --diff-filter=dxb --relative --name-only -z $github_origin_main $github_current_hash | xargs -0)"
+
+  for pt in $modified_file_list
+  do
+    modified_file="$(readlink -f "${pt}")"
+
+    [ -d "$modified_file" ] && modified_dir="$modified_file" || modified_dir="$(dirname "$modified_file")";
+    case $(check_file_subdir_type "${modified_file}") in
+      deployment)
+        deployment_subdir_check "${modified_file}" "${modified_dir}"
+        ;;
+
+      config)
+        configuration_subdir_check "${modified_file}"
+        ;;
+
+      docs)
+        documentation_subdir_check "${modified_file}"
+        ;;
+
+      .github)
+        github_workflow_subdir_check "${modified_file}"
+        ;;
+
+      tests|scripts)
+        ansible_subdir_check "${modified_file}"
+        ;;
+
+      *)
+        if echo "${modified_file}" | grep --silent ".*\.sh\$"; then
+          shell_script_file_check "${modified_file}"
+        elif echo "${modified_file}" | grep --silent ".*\.py\$"; then
+          python_script_file_check "${modified_file}"
+        elif echo "${modified_file}" | grep --silent "\(\.yaml\$\)\|\(\.yml\$\)"; then
+          ansible_subdir_check "${modified_file}"
+        else
+          other_file_check "${modified_file}"
+        fi
+        ;;
+    esac
+  done
+}
+
+function images_subdir_check {
+  local filepath="$1"
+  shift
+  log_info "Dockerfiles images subdirectory. ${filepath}"
+}
+
+function deployment_subdir_check() {
+  local filepath="$1"
+  local dirpath="$2"
+  shift; shift;
+  log_info "Helm Charts deployment subdirectory. ${filepath}"
+  helm lint "$dirpath" 1>&2 || true
+}
+
+function ansible_subdir_check() {
+  local filepath="$1"
+  local dirpath="$2"
+  shift; shift;
+  echo "ansible roles and playbooks subdirectory. ${filepath}"
+  ansible-lint "$filepath" 1>&2 || true
+}
+
+function inventories_subdir_check() {
+  local filepath="$1"
+  shift
+  log_info "inventories files subdirectory. ${filepath}"
+}
+
+function configuration_subdir_check() {
+  local filepath="$1"
+  shift
+  log_info "configuration files subdirectory. ${filepath}"
+}
+
+function documentation_subdir_check() {
+  local filepath="$1"
+  shift
+  log_info "documentation files and styles subdirectory. ${filepath}"
+}
+
+function github_workflow_subdir_check() {
+  local filepath="$1"
+  shift
+  log_info "GitHub workflows subdirectory. ${filepath}"
+}
+
+function shell_script_file_check() {
+  local filepath="$1"
+  shift
+  log_info "Shell script file path. ${filepath}"
+  shellcheck -f tty "${repository_root}/$filepath" 1>&2
+}
+
+function python_script_file_check() {
+  local filepath="$1"
+  shift
+  log_info "Python script file path. ${filepath}"
+}
+
+function other_file_check() {
+  local filepath="$1"
+  shift
+  log_info "Other file path, not categorized. ${filepath}"
+}
+
+function start_git_head_parsing() {
+  cd "${repository_root}"
+  git_current_hash="$(get_head_sha)"
+  git_origin_main="$(get_main_sha)"
+  check_nonascii_files "$git_origin_main" "$git_current_hash" allow_non_ascii_filenames
+  files_subdir_types "$git_origin_main" "$git_current_hash" || true
+}
+
+start_git_head_parsing
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -20,7 +20,7 @@ permissions:
   contents: read
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number ||  github.sha }}
   cancel-in-progress: true
 
 jobs:

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -20,6 +20,10 @@ env:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   coverity:
     runs-on: 'ubuntu-22.04'
@@ -89,7 +93,7 @@ jobs:
             ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh && \
             ${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: coverity-reports
         path: '${{ github.workspace }}/cov-int'