feat(ci): latest ci and linter config (#14)

* feat(ci) add lint and test during PR

* feat(ci): check PR title

* fix(docker) update docker action

* fix(pkg) linter findings

* add CODEOWNERS file

* Update .golangci.yaml

Co-authored-by: Sandro <[email protected]>

* fix(makefile) github repo link in fmt

* feat(gh) add pull request template

* fix pull request template

---------

Co-authored-by: Sandro <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,19 @@
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+*                       @cloudoperators/Administrators
+
+/.github/               @cloudoperators/Administrators
+/.github/workflows/     @cloudoperators/greenhouse-core
+/.github/licenserc.yaml @cloudoperators/greenhouse-core
+/.github/renovate.json  @cloudoperators/greenhouse-core
+
+.gitignore              @cloudoperators/greenhouse-core
+/README.md              @cloudoperators/greenhouse-core
+
+/cmd/                   @cloudoperators/greenhouse-backend
+/pkg/                   @cloudoperators/greenhouse-backend
+/test/                  @cloudoperators/greenhouse-backend
+/Dockerfile             @cloudoperators/greenhouse-backend
+/Makefile               @cloudoperators/greenhouse-core
+/.golangci.yaml         @cloudoperators/greenhouse-backend
+/go.*                   @cloudoperators/greenhouse-backend

.github/pull_request_template.md

@@ -0,0 +1,65 @@
+<!--
+Please ensure the PR title follows the conventional commit format:
+<type>(<scope>): description
+
+For a list of accepted types and scopes see the workflow documentation: https://github.com/cloudoperators/concourse-oci-helm-chart-resource/blob/main/.github/workflows/ci-pr-title.yaml
+
+-->
+
+## Description
+<!--
+Please do not leave this blank 
+This PR [adds/removes/fixes/replaces] the [feature/bug/etc]. 
+
+Please include a summary of the changes and the related issue. Please also include relevant motivation and context. List any dependencies that are required for this change.
+-->
+
+## What type of PR is this? (check all applicable)
+
+- [ ] 🍕 Feature
+- [ ] 🐛 Bug Fix
+- [ ] 📝 Documentation Update
+- [ ] 🎨 Style
+- [ ] 🧑‍💻 Code Refactor
+- [ ] 🔥 Performance Improvements
+- [ ] ✅ Test
+- [ ] 🤖 Build
+- [ ] 🔁 CI
+- [ ] 📦 Chore (Release)
+- [ ] ⏩ Revert
+
+## Related Tickets & Documents
+
+<!-- 
+Please use this format link issue numbers: Fixes #123
+https://docs.github.com/en/free-pro-team@latest/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword 
+
+- Related Issue # (issue)
+- Closes # (issue)
+- Fixes # (issue)
+
+-->
+
+## Added tests?
+
+- [ ] 👍 yes
+- [ ] 🙅 no, because they aren't needed
+- [ ] 🙋 no, because I need help
+- [ ] Separate ticket for tests # (issue/pr)
+
+Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
+
+## Added to documentation?
+
+- [ ] 📜 README.md
+- [ ] 🤝 Documentation pages updated
+- [ ] 🙅 no documentation needed
+- [ ] (if applicable) generated OpenAPI docs for CRD changes
+
+## Checklist
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my code
+- [ ] I have commented my code, particularly in hard-to-understand areas
+- [ ] My changes generate no new warnings
+- [ ] New and existing unit tests pass locally with my changes

.github/renovate.json

@@ -7,6 +7,34 @@
   "constraints": {
     "go": "1.22"
   },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Bump golangci-lint version in the Makefile",
+      "fileMatch": [
+        "^Makefile$"
+      ],
+      "matchStrings": [
+        "GOLINT_VERSION\\s*\\?=\\s*(?<currentValue>.?(?:\\d+\\.){0,2}\\d+)"
+      ],
+      "datasourceTemplate": "github-tags",
+      "depNameTemplate": "golangci/golangci-lint",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    },
+    {
+      "customType": "regex",
+      "description": "Bump ginkolinter version in the Makefile",
+      "fileMatch": [
+        "^Makefile$"
+      ],
+      "matchStrings": [
+        "GINKGOLINTER_VERSION\\s*\\?=\\s*(?<currentValue>.?(?:\\d+\\.){0,2}\\d+)"
+      ],
+      "datasourceTemplate": "github-tags",
+      "depNameTemplate": "nunnatsa/ginkgolinter",
+      "extractVersionTemplate": "^v(?<version>.*)$"
+    }
+  ],
   "packageRules": [
     {
       "groupName": "github actions",
@@ -86,17 +114,5 @@
     "gomodTidy",
     "gomodUpdateImportPaths"
   ],
-  "separateMinorPatch": true,
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": [
-        "Makefile$",
-        "\\.sh$"
-      ],
-      "matchStrings": [
-        "# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: registryUrl=(?<registryUrl>[^\\s]+?))?\\s.+?_(VERSION|version) *[?:]?= *\"?(?<currentValue>.+?)\"?\\s"
-      ]
-    }
-  ]
+  "separateMinorPatch": true
 }

.github/workflows/ci-pr-title.yaml

@@ -0,0 +1,83 @@
+name: CI Check Title
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  title-lint:
+    name: Validate PR title
+    runs-on: [default]
+    steps:
+      - name: CI Check Title
+        uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          wip: true
+          # Configure which types are allowed (newline-delimited).
+          # Default: https://github.com/commitizen/conventional-commit-types
+          types: |
+            build
+            chore
+            fix
+            feat
+            merge
+            publish
+            release
+            refactor
+            research
+            style
+            test
+            docs
+          # Configure which scopes are allowed (newline-delimited).
+          # These are regex patterns auto-wrapped in `^ $`.
+          scopes: |
+            build
+            config
+            charts
+            ci
+            core
+            deps
+            docs
+            actions
+            template
+            tests
+            ui
+            utils
+            version
+            webhook
+            ISSUE-\d+
+          # Configure that a scope must always be provided.
+          requireScope: true
+          # Configure which scopes are disallowed in PR titles (newline-delimited).
+          # For instance by setting the value below, `chore(release): ...` (lowercase)
+          # and `ci(e2e,release): ...` (unknown scope) will be rejected.
+          # These are regex patterns auto-wrapped in `^ $`.
+          disallowScopes: |
+            release
+            [A-Z]+
+          # Configure additional validation for the subject based on a regex.
+          # This example ensures the subject doesn't start with an uppercase character.
+          subjectPattern: ^(?![A-Z]).+$
+          # If `subjectPattern` is configured, you can use this property to override
+          # the default error message that is shown when the pattern doesn't match.
+          # The variables `subject` and `title` can be used within the message.
+          subjectPatternError: |
+            The subject "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern. Please ensure that the subject
+            doesn't start with an uppercase character.
+          # If the PR contains one of these newline-delimited labels, the
+          # validation is skipped. If you want to rerun the validation when
+          # labels change, you might want to use the `labeled` and `unlabeled`
+          # event triggers in your workflow.
+          ignoreLabels: |
+            bot
+            ignore-semantic-pull-request
+          # If you're using a format for the PR title that differs from the traditional Conventional
+          # Commits spec, you can use these options to customize the parsing of the type, scope and
+          # subject. The `headerPattern` should contain a regex where the capturing groups in parentheses
+          # correspond to the parts listed in `headerPatternCorrespondence`.
+          # See: https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-commits-parser#headerpattern
+          headerPattern: '^(\w*)(?:\(([\w$.\-*/ ]*)\))?: (.*)$'
+          headerPatternCorrespondence: type, scope, subject

.github/workflows/docker-build.yaml

@@ -1,34 +1,59 @@
-name: Docker Image CI
+name: Build Docker images and push to registry
 
 on:
   push:
     branches:
-      - main
-
+        - main
+    paths:
+        - cmd/**
+        - pkg/**
+        - Dockerfile
+        - go.mod
+        - go.sum
+    tags:
+      - v*.*.*
+
 env:
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
-  # Comma separated list of platforms to build the image for.
-  PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
   build:
+    name: Build
     runs-on: [ default ]
+    continue-on-error: true
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     steps:
-      - name: checkout
+      - name: Checkout repository
         uses: actions/checkout@v4
+
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.3'
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Login to GitHub Container Registry
+        with:
+          driver-opts: |
+            image=moby/buildkit:latest
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
-      - name: Extract image metadata
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -41,16 +66,27 @@ jobs:
             org.opencontainers.image.url=https://github.com/cloudoperators/concourse-oci-helm-chart-resource
             org.opencontainers.image.source=https://github.com/cloudoperators/concourse-oci-helm-chart-resource
             org.opencontainers.image.documentation=https://github.com/cloudoperators/concourse-oci-helm-chart-resource/tree/main/README.md
-      - name: Build and push
+
+      - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: ${{ env.PLATFORMS }}
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           provenance: false
-
+          platforms: |
+            linux/amd64
+            linux/arm64
+
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
   vulnerability-scan:
     permissions:
       contents: read
@@ -68,14 +104,14 @@ jobs:
         id: vars
         run: echo "sha_short=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.29.0
         if: success()
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.vars.outputs.sha_short }}
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
+          severity: 'CRITICAL,HIGH,MEDIUM'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

.github/workflows/test.yaml

@@ -0,0 +1,41 @@
+name: "Unit tests"
+on:
+  pull_request:
+    paths:
+      - 'pkg/**'
+      - 'cmd/**'
+      - 'Dockerfile*'
+      - 'go.mod'
+      - 'go.sum'
+      - '.golangci.yaml'
+
+jobs:
+  lint:
+    runs-on: [ default ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: golangci-lint
+        run: make lint
+
+  build:
+    runs-on: [ default ]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: build
+        run: make build