Initial commit

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# The releng team is by default the owner of everything.
+*             @{{ org }}/eclipsefdn-releng
+
+# Otterdog related configurations are also owned by the security team.
+/otterdog/**  @{{ org }}/eclipsefdn-security @{{ org }}/eclipsefdn-releng

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: "/"
+  # We scan and create dependabot PRs against the develop branch only.
+  # Such a branch only exists for the template master at EclipseFdn/.eclipsefdn-template
+  # dependabot shall only update the template master, and changes will be synchronized to
+  # all repos by otterdog using the sync-template operation to avoid having many similar
+  # dependabot PRs for each individual .eclipsefdn repo which we would like to avoid at all costs.
+  target-branch: "develop"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

.github/workflows/build-page.yml

@@ -0,0 +1,125 @@
+name: Build GH Page
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'otterdog/*.jsonnet'
+      - 'otterdog/*.json'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - '.github/workflows/build-page.yml'
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+jobs:
+  generate-markdown:
+    # do not run the workflow in the template repo itself
+    if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout eclipse-csi/otterdog
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          repository: eclipse-csi/otterdog
+          path: otterdog
+
+      - name: Checkout EclipseFdn/otterdog-configs
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          repository: EclipseFdn/otterdog-configs
+          path: otterdog-configs
+
+      # checkout the HEAD ref
+      - name: Checkout HEAD
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          path: ${{ github.repository_owner }}
+
+      - name: Install jsonnet-bundler
+        run: |
+          go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/[email protected]
+          echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '3.10'
+          cache: 'poetry'
+
+      - name: Install dependencies with poetry
+        run: |
+          poetry install --only=main
+        working-directory: otterdog
+
+      - name: Copy configuration from HEAD ref
+        run: |
+          mkdir -p orgs/${{ github.repository_owner }}
+          cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+        working-directory: otterdog-configs
+
+      - name: Generate current configuration as markdown
+        run: ../otterdog/otterdog.sh show ${{ github.repository_owner }} -c otterdog.json --markdown --output-dir generated-site
+        working-directory: otterdog-configs
+
+      - name: Generate default configuration as markdown
+        run: ../otterdog/otterdog.sh show-default ${{ github.repository_owner }} -c otterdog.json --markdown > default.txt
+        working-directory: otterdog-configs
+
+      - name: Upload generated site content
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        with:
+          name: generated-site
+          path: |
+            otterdog-configs/default.txt
+            otterdog-configs/orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet
+            otterdog-configs/generated-site/
+
+  build-page:
+    runs-on: ubuntu-latest
+    needs: generate-markdown
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Download generated site content
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: generated-site
+      - shell: bash
+        run: |
+          cat default.txt >> ./docs/playground.md
+          cp generated-site/*.md ./docs/
+          cp orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet ./docs/jsonnet/
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: 3.x
+          cache: 'pip'
+      - run: pip install -r requirements.txt
+      - name: Build with Mkdocs
+        run: mkdocs build
+      - name: Setup Pages
+        uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8 # v3.0.0
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build-page
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@87c3283f01cd6fe19a0ab93a23b2f6fcba5a8e42 # v4.0.3

.github/workflows/validate.yml

@@ -0,0 +1,118 @@
+name: Validate Otterdog Configuration
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate:
+    # do not run the workflow in the template repo itself
+    if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout eclipse-csi/otterdog
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          repository: eclipse-csi/otterdog
+          path: otterdog
+
+      - name: Checkout EclipseFdn/otterdog-configs
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          repository: EclipseFdn/otterdog-configs
+          path: otterdog-configs
+
+      # checkout the head ref of the PR
+      # NOTE: in general it is bad practice to check out the pull request HEAD for PRs originating from forked repos,
+      #       however, this validation workflow produces a diff between the changes in the PR with the base ref, thus
+      #       doing this is acceptable, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Checkout HEAD ref of the PR
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: ${{ github.repository_owner }}
+
+      # checkout the base ref of the PR
+      - name: Checkout BASE ref of the PR (target branch)
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.base_ref }}
+          path: ${{ github.repository_owner }}-base
+
+      - name: Install jsonnet-bundler
+        run: |
+          go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/[email protected]
+          echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: '3.10'
+          cache: 'poetry'
+
+      - name: Install dependencies with poetry
+        run: |
+          poetry install --only=main
+        working-directory: otterdog
+
+      - name: Copy configuration from HEAD and BASE ref
+        run: |
+          mkdir -p orgs/${{ github.repository_owner }}
+          cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+          cp ../${{ github.repository_owner }}-base/otterdog/${{ github.repository_owner }}.jsonnet orgs/${{ github.repository_owner }}/${{ github.repository_owner }}.jsonnet-BASE 
+        working-directory: otterdog-configs
+
+      - name: Validate Otterdog Configuration and diff HEAD <-> BASE
+        id: validate
+        run: |
+          # use script to enable ansi color output
+          script -e -q /dev/null --command "../otterdog/otterdog.sh local-plan ${{ github.repository_owner }} -c otterdog.json --suffix=-BASE" | tee "$GITHUB_WORKSPACE/diff-ansi.txt"
+          echo "VALIDATION_STATUS=${PIPESTATUS[0]}" >> $GITHUB_OUTPUT
+          # filter out ansi escape sequences again, use sed as ansi2txt is not available
+          cat "$GITHUB_WORKSPACE/diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/diff.txt"
+        working-directory: otterdog-configs
+
+      - name: Generate canonical diff
+        run: |
+          ../otterdog/otterdog.sh canonical-diff ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/canonical-diff-ansi.txt"
+          # filter out ansi escape sequences
+          cat "$GITHUB_WORKSPACE/canonical-diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/canonical-diff.txt"
+        working-directory: otterdog-configs
+
+      # Add a comment to the pull request with the diff
+
+      - name: Generate comment
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const commentText = 'Diff for ' + process.env.GITHUB_SHA + ':';
+            const canonicalCommentText = 'Canonical Diff for ' + process.env.GITHUB_SHA + ':';
+
+            const fs = require('fs');
+            const diff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/diff.txt').toString().trimEnd();
+            const canonicalDiff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/canonical-diff.txt').toString().trimEnd();
+
+            var body = "<details>\n<summary>" + commentText + "</summary>\n\n```diff\n" + diff + "\n```\n\n</details>\n" +
+                       "<details>\n<summary>" + canonicalCommentText + "</summary>\n\n```diff\n" + canonicalDiff + "\n```\n\n</details>";
+
+            fs.writeFileSync(process.env.GITHUB_STEP_SUMMARY, body);
+            fs.writeFileSync(process.env.GITHUB_WORKSPACE + '/comment.txt', body);
+
+      - name: Attach comment to PR
+        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
+        with:
+          hide_and_recreate: true
+          hide_classify: "OUTDATED"
+          path: ${{ github.workspace }}/comment.txt
+
+      - name: Propagate validation exit status
+        run: |
+          exit ${{ steps.validate.outputs.VALIDATION_STATUS }}

README.md

@@ -0,0 +1,7 @@
+# Eclipse Foundation Config Repo
+
+Repository to host configurations related to the Eclipse Foundation.
+
+## Self service of your GitHub organization
+
+You can find more information at <https://{{ org }}.github.io/.eclipsefdn/>.

docs/index.md

@@ -0,0 +1,17 @@
+---
+hide:
+  - navigation
+  - toc
+---
+
+# Self-service of GitHub resources
+
+General documentation for using the self-service (stored in directory *otterdog*) can be accessed at [otterdog.readthedocs.io](https://otterdog.readthedocs.io).
+
+## Current configuration
+
+The current configuration can be reviewed [here](configuration.md).
+
+## Playground
+
+A playground for creating and testing resources in jsonnet format is available [here](playground.md).

docs/jsonnet/playground.jsonnet

@@ -0,0 +1,3 @@
+local orgs = import 'otterdog-defaults.libsonnet';
+
+orgs.newRepo('myrepo')

docs/overrides/editor.html

@@ -0,0 +1,44 @@
+{% extends "base.html" %}
+
+{% block libs %}
+  {{ super() }}
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/js-yaml/dist/js-yaml.min.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/lib/codemirror.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/mode/yaml/yaml.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/addon/edit/matchbrackets.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/codemirror-mode-jsonnet.js"></script>
+
+  <!-- Executing Jsonnet -->
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/wasm_exec.js"></script>
+  <script>
+      if (!WebAssembly.instantiateStreaming) {
+          // This function was observed to be missing on Safari 14.
+          WebAssembly.instantiateStreaming = async (resp, importObject) => {
+             const source = await (await resp).arrayBuffer();
+             return await WebAssembly.instantiate(source, importObject);
+          };
+      }
+      const go = new Go();
+      WebAssembly.instantiateStreaming(fetch("https://eclipsefdn.github.io/otterdog-assets/js/libjsonnet.wasm"), go.importObject).then((result) => {
+          go.run(result.instance);
+      });
+  </script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/demo.js"></script>
+{% endblock %}
+
+{% block styles %}
+  <!-- Google Fonts -->
+  <link href="https://fonts.googleapis.com/css?family=Open+Sans:400italic,600italic,700italic,400,600,700" rel="stylesheet" type="text/css">
+
+  <!-- jsonnet.org stylesheet -->
+  <link rel="stylesheet" type="text/css" href="https://eclipsefdn.github.io/otterdog-assets/css/doc.css" />
+  <link rel="stylesheet" media="print" href="https://eclipsefdn.github.io/otterdog-assets/css/desktop.css">
+  <!-- The extra 16px is to account for the scrollbar, which is not always included. -->
+  <link rel="stylesheet" media="screen and (min-width: 1296px)" href="https://eclipsefdn.github.io/otterdog-assets/css/desktop.css">
+  <link rel="stylesheet" media="screen and (max-width: 1295px) and (min-width: 720px)" href="https://eclipsefdn.github.io/otterdog-assets/css/cellphone.css">
+  <link rel="stylesheet" media="screen and (max-width: 719px)" href="https://eclipsefdn.github.io/otterdog-assets/css/cellphone-small.css">
+  {{ super() }}
+
+  <!-- CodeMirror -->
+  <link rel="stylesheet" href="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/lib/codemirror.css">
+{% endblock %}

docs/overrides/main.html

@@ -0,0 +1,11 @@
+{% extends "base.html" %}
+
+{% block site_meta %}
+  {{ super() }}
+  <!-- prevent caching -->
+  <meta http-equiv="cache-control" content="no-cache, must-revalidate, post-check=0, pre-check=0" />
+  <meta http-equiv="cache-control" content="max-age=0" />
+  <meta http-equiv="expires" content="0" />
+  <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
+  <meta http-equiv="pragma" content="no-cache" />
+{% endblock %}