Merge branch 'main' of https://github.com/philips-software/amp-devcon…

…tainer into feature/add-non-root-user
philips-software · Dec 7, 2023 · 0273533 · 0273533
2 parents 6c90e08 + 952f743
commit 0273533
Show file tree

Hide file tree

Showing 11 changed files with 139 additions and 13 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -14,6 +14,8 @@ ARG XWIN_VERSION=0.5.0
 
 ARG DEBIAN_FRONTEND=noninteractive
 
+HEALTHCHECK NONE
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 HEALTHCHECK NONE

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Clone repository '...' in container volume
+2. Select build preset '....'
+3. Open file '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment (please complete the following information):**
+- OS: [e.g. Windows, Linux, OSX]
+- Architecture [e.g. x86_64, Apple M2]
+- Docker Version [e.g. Docker Desktop 4.25.2]
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/ISSUE_TEMPLATE/tool_request.md b/.github/ISSUE_TEMPLATE/tool_request.md
@@ -0,0 +1,20 @@
+---
+name: Tool request
+about: Request to include an additional tool
+title: 'Request to include <tool>'
+labels: enhancement
+assignees: ''
+
+---
+
+**What tool would you like to include**
+A clear and concise description of the tool you would want to include. Ex. I want to add tool x that does [...]
+
+**What is the use-case for the inclusion**
+Describe why the proposed tool should be added. Please note that project specific tools
+should be added to a derived container instead of adding them to amp-devcontainer.
+
+**What is the estimated size impact**
+Describe what the estimated (or absolute) size impact of the inclusion would be on the final
+image [size](https://en.wikipedia.org/wiki/Byte#Multiple-byte_units).
+Ex. The container image size will increase with 5 MiB.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -11,12 +11,10 @@ updates:
     schedule:
       interval: daily
     commit-message:
-      prefix: "deps(docker)"
-      include: "scope"
+      prefix: "feat(deps)"
   - package-ecosystem: pip
     directory: .devcontainer
     schedule:
       interval: daily
     commit-message:
-      prefix: "deps"
-      include: "scope"
+      prefix: "feat(deps)"
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -31,7 +31,7 @@ jobs:
     steps:
       - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
         if: ${{ github.event_name != 'merge_group' }}
-      - uses: docker/metadata-action@e6428a5c4e294a61438ed7f43155db912025b6b3 # v5.2.0
+      - uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0
         id: meta
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
@@ -68,7 +68,7 @@ jobs:
           provenance: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
-      - uses: anchore/sbom-action@fd74a6fb98a204a1ad35bbfae0122c1a302ff88b # v0.15.0
+      - uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
         if: ${{ steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group' }}
         with:
           image: ${{ env.REGISTRY }}/${{ github.repository }}@${{ steps.build-and-push.outputs.digest }}
@@ -84,5 +84,4 @@ jobs:
         # against the sigstore community Fulcio instance.
         env:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
-          TAGS: ${{ steps.meta.outputs.tags }}
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
+        run: cosign sign --yes --recursive "${{ env.REGISTRY }}/${{ github.repository }}@${DIGEST}"
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -0,0 +1,34 @@
+---
+name: Supply-chain security
+
+on:
+  workflow_dispatch:
+  branch_protection_rule:
+  schedule:
+    - cron: "16 19 * * 6"
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: OSSF Scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+      - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          publish_results: true
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -18,5 +18,4 @@ jobs:
     steps:
       - uses: google-github-actions/release-please-action@a6d1fd9854c8c40688a72f7e4b072a1e965860a0 # v4.0.0
         with:
-          command: manifest
           token: ${{ secrets.AMP_RELEASER_TOKEN }}
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -25,8 +25,8 @@ jobs:
         run: ./update-dependencies.sh apt-requirements-base.json apt-requirements-clang.json
       - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
         with:
-          commit-message: "deps(apt): update dependencies"
+          commit-message: "feat(deps): update dependencies"
           branch: feature/update-apt-dependencies
-          title: "deps(apt): update dependencies"
+          title: "feat(deps): update dependencies"
           labels: dependencies
           token: ${{ secrets.AMP_RELEASER_TOKEN }}
diff --git a/README.md b/README.md
@@ -1,14 +1,16 @@
 # amp-devcontainer
 
-[![Linting & Formatting](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml) [![Build & Push](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml)
+<!-- markdownlint-disable -->
+[![Linting & Formatting](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/linting-formatting.yml) [![Build & Push](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml/badge.svg)](https://github.com/philips-software/amp-devcontainer/actions/workflows/build-push.yml) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/philips-software/amp-devcontainer/badge)](https://securityscorecards.dev/viewer/?uri=github.com/philips-software/amp-devcontainer)
+<!-- markdownlint enable -->
 
 ## Overview
 
 This repository contains a [devcontainer](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/introduction-to-dev-containers) tailored towards modern (embedded) C++ development.
 
 ## State
 
-This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details;
+This repository is under active development; see [pulse](https://github.com/philips-software/amp-devcontainer/pulse) for more details.
 
 ## Description
 
@@ -60,6 +62,11 @@ See [CHANGELOG](./CHANGELOG.md) for more info on what's been changed.
 
 See [CONTRIBUTING](./CONTRIBUTING.md)
 
+## Reporting vulnerabilities
+
+If you find a vulnerability, please report it to us!
+See [SECURITY.md](./SECURITY.md) for more information.
+
 ## Licenses
 
 See [LICENSE](./LICENSE)
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+The [latest](https://github.com/philips-software/amp-devcontainer/releases/latest) version of
+amp-devcontainer is supported with security updates.
+
+## Reporting a Vulnerability
+
+If you find a significant vulnerability, or evidence of one, please report it privately.
+
+Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/philips-software/amp-devcontainer/security), click "Report a vulnerability" to open the advisory form.
+
+A member of the amp-devcontainer team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.