Modularize and standardize GitHub Actions workflows

.github/dependabot.yml

@@ -0,0 +1,47 @@
+
+version: 2
+updates:
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/build/metaschema"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    # GitHub Actions workflow updates should target main as the repo default branch, not develop
+    target-branch: "main"
+
+  - package-ecosystem: "docker"
+    directory: "/build"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  - package-ecosystem: "gomod"
+    directory: "/build"
+    schedule:
+      interval: "daily"
+    # Golang changes for hugo are really for GitHub Actions workflows.
+    # They should target main, not develop.
+    target-branch: "main"
+
+  - package-ecosystem: "npm"
+    directory: "/build"
+    schedule:
+      interval: "daily"
+    # NPM changes for the NodeJS markdown-link-check tool executed in GitHub
+    # Actions workflows. They should target main, not develop.
+    target-branch: "main"
+
+  - package-ecosystem: "pip"
+    directory: "/build/python"
+    schedule:
+      interval: "daily"
+    # PyPI changes for Python scripts that run OSCAL content post-processing
+    # executed within GitHub Actions workflows. They should target main, not
+    # develop.
+    target-branch: "main"

.github/workflows/issue-triage.yml

@@ -7,19 +7,19 @@ on:
       - closed
 jobs:
   createCard:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     if: github.event.action == 'opened'
     steps:
       - name: Add New Issues to Issue Triage Board
-        uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729 # current tag: v2
+        uses: peter-evans/create-or-update-project-card@866533e2ae61f13c35fd1d374049713fab43c729
         with:
           project-name: Issue Triage
           column-name: Needs Triage
   removeCard:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     if: github.event.action == 'closed'
     steps:
-      - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488 #current tag: v0.8.1
+      - uses: alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488
         with:
           project: Issue Triage
           column: Done

.github/workflows/package-release.yml

@@ -6,9 +6,6 @@ name: Package Release
 env:
   # the name of the repo
   HOME_REPO: usnistgov/OSCAL
-  # dependency versions
-  SAXON_VERSION: 10.6
-  HUGO_VERSION: 0.83.1
   # build-specific environment
   CONTENT_CONFIG_PATH: src/config
   SCHEMATRON_HOME: git-content/schematron
@@ -20,10 +17,10 @@ env:
 jobs:
   tagged-release:
     name: Package GitHub Release
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       # use this for main repo master builds
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
         with:
           path: ${{ env.OSCAL_HOME }}
           submodules: recursive
@@ -41,14 +38,14 @@ jobs:
           bash "${OSCAL_CICD_PATH}/package-release.sh" "${OSCAL_WORKING_PATH}"
           tar -jcvf "${OSCAL_WORKING_PATH}/${RELEASE_NAME}.tar.bz2" -C "${OSCAL_WORKING_PATH}/archive" .
           (cd "${OSCAL_WORKING_PATH}/archive" && zip -r "../${RELEASE_NAME}.zip" .)
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
         with:
           name: release-artifacts
           path: |
             ${{ env.OSCAL_WORKING_PATH }}/${{ env.RELEASE_NAME }}.tar.bz2
             ${{ env.OSCAL_WORKING_PATH }}/${{ env.RELEASE_NAME }}.zip
           retention-days: 5
-      - uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37 # v1.10.0
+      - uses: ncipollo/release-action@58ae73b360456532aafd58ee170c045abbeaee37
         with:
           name: OSCAL ${{ env.RELEASE_VERSION }} Release
           allowUpdates: false

.github/workflows/status-ci-cd.yml

@@ -18,31 +18,23 @@ jobs:
     if: github.event_name == 'pull_request'
     uses: ./.github/workflows/workflow-generate-metaschema-resources.yml
     with:
-      saxon_version: 10.6
       commit_resources: false
   push-metaschema-artifacts:
     if: github.event_name == 'push'
     uses: ./.github/workflows/workflow-generate-metaschema-resources.yml
     with:
-      saxon_version: 10.6
       commit_resources: true
     secrets:
       access_token: ${{ secrets.COMMIT_TOKEN }}
   validate-website-reference:
     if: github.event_name == 'pull_request'
     uses: ./.github/workflows/workflow-generate-website-reference.yml
     with:
-      saxon_version: 10.6
-      hugo_version: 0.83.1
-      calabash_version: 1.2.5-100
       commit_resources: false
   push-website-reference:
     if: github.event_name == 'push'
     uses: ./.github/workflows/workflow-generate-website-reference.yml
     with:
-      saxon_version: 10.6
-      hugo_version: 0.83.1
-      calabash_version: 1.2.5-100
       commit_resources: true
     secrets:
       access_token: ${{ secrets.COMMIT_TOKEN }}
@@ -51,18 +43,12 @@ jobs:
     needs: validate-website-reference
     uses: ./.github/workflows/workflow-generate-website.yml
     with:
-      saxon_version: 10.6
-      hugo_version: 0.83.1
-      calabash_version: 1.2.5-100
       commit_resources: false
   push-website:
     if: github.event_name == 'push'
     needs: push-website-reference
     uses: ./.github/workflows/workflow-generate-website.yml
     with:
-      saxon_version: 10.6
-      hugo_version: 0.83.1
-      calabash_version: 1.2.5-100
       commit_resources: true
     secrets:
       access_token: ${{ secrets.COMMIT_TOKEN }}

.github/workflows/workflow-generate-metaschema-resources.yml

@@ -2,11 +2,6 @@ name: Generate Model Resources
 on:
   workflow_call:
     inputs:
-      saxon_version:
-        description: 'the version of Saxon to use'
-        required: false
-        default: '10.6'
-        type: string
       commit_resources:
         description: 'commit the resources after generating them. Requires the access_token to be passed'
         required: false
@@ -22,11 +17,6 @@ on:
     - develop
     - "release-*"
     inputs:
-      saxon_version:
-        description: 'the version of Saxon to use'
-        required: true
-        default: '10.6'
-        type: string
       commit_resources:
         description: 'commit the resources after generating them. Requires a PAT defined as secrets.COMMIT_TOKEN'
         required: true
@@ -35,17 +25,17 @@ on:
 jobs:
   metaschema-artifacts:
     name: Generate Metaschema-Based Model Resources
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       CHECKOUT_PATH: git/content
       CICD_PATH: build/ci-cd # relative to the CHECKOUT_PATH
-      SAXON_VERSION: ${{ github.event.inputs.saxon_version }}${{ inputs.saxon_version }}
+      JAVA_CLASSPATH: ${{ github.workspace}}/lib
       NODE_ENV: production
     steps:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Latest (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.COMMIT_TOKEN }}
@@ -54,7 +44,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Latest (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.access_token }}
@@ -63,21 +53,30 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Latest
       if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
       with:
         path: ${{ env.CHECKOUT_PATH }}
         submodules: recursive
+    - name: Set env
+      run: |
+        echo "SAXON_HOME=${JAVA_CLASSPATH}" >> $GITHUB_ENV
+        echo "CALABASH_HOME=${JAVA_CLASSPATH}" >> $GITHUB_ENV
     # Setup runtime environment
     # -------------------------
     # Java JDK 11
     - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf
       with:
         java-version: 11
         distribution: 'temurin'
         cache: 'maven'
+    - name: Install JDK Deps Saxon and XML Calabash
+      run: |
+        cd "${CHECKOUT_PATH}/build"
+        mkdir -p "${JAVA_CLASSPATH}"
+        mvn dependency:copy-dependencies -DoutputDirectory="${JAVA_CLASSPATH}"
     - name: Set up NodeJS
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561
       with:
         node-version-file: '${{ env.CHECKOUT_PATH }}/build/.nvmrc'
         cache: 'npm'
@@ -88,8 +87,6 @@ jobs:
         cd "${CHECKOUT_PATH}/build"
         npm install --loglevel verbose
         echo "$PWD/node_modules/.bin/" >> $GITHUB_PATH
-        # Saxon
-        mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:get -DartifactId=Saxon-HE -DgroupId=net.sf.saxon -Dversion=${SAXON_VERSION}
         # Operating System packages
         sudo rm -rf /var/lib/apt/lists/* && sudo apt-get update
         sudo apt-get install libxml2-utils
@@ -121,7 +118,7 @@ jobs:
       run: |
         zip ${{ runner.temp }}/metaschema-artifacts.zip -r xml/schema/*.xsd json/schema/*.json xml/convert/*.xsl json/convert/*.xsl
       working-directory: ${{ env.CHECKOUT_PATH }}
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
       with:
         name: schemas-and-converters
         path: |
@@ -132,13 +129,9 @@ jobs:
     - name: Publish Schemas and Converters
       # only do this on master
       if: github.event.inputs.commit_resources == 'true' || inputs.commit_resources == true
-      uses: stefanzweifel/git-auto-commit-action@v4.9.2
+      uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b
       with:
         repository: ${{ env.CHECKOUT_PATH }}
         file_pattern: xml json
-        # push_options: --force-with-lease
         skip_dirty_check: false
         commit_message: Publishing generated metaschema resources [ci skip]
-#          commit_user_name: OSCAL GitHub Actions Bot
-#          commit_user_email: [email protected]
-#          commit_author: OSCAL GitHub Actions Bot <[email protected]>