feat(gh): add default GitHub repo files (#519)

Author: ruzickap

.checkov.yml

@@ -1,5 +1,3 @@
 skip-check:
-  # Base64 High Entropy String
-  - CKV_SECRET_6
   # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
   - CKV_GHA_7

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,10 +1,9 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-title: 'Bug: This is a sample issue title'
+title: "Bug: This is a sample issue title"
 labels: bug
 assignees: ruzickap
-
 ---
 
 **Describe the bug**

.github/ISSUE_TEMPLATE/proposal.md

@@ -1,10 +1,9 @@
 ---
 name: Proposal
 about: Suggest an idea for this project
-title: 'Proposal: This is a sample title'
+title: "Proposal: This is a sample title"
 labels: proposal
 assignees: ruzickap
-
 ---
 
 **Is your feature request related to a problem? Please describe**

.github/workflows/mega-linter.yml

@@ -12,6 +12,7 @@ permissions: read-all
 jobs:
   mega-linter:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -27,16 +28,17 @@ jobs:
         run: |
           set -euxo pipefail
           echo '#!/usr/bin/env bash' > README.sh
-          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE ; do
+          find . -name '*.md' -print0 | while IFS= read -r -d '' FILE; do
             # Extract: ```bash ... ```
             sed -n "/^\`\`\`\(bash\|shell\)$/,/^\`\`\`$/p" "${FILE}" | sed '/^```*/d' >> README.sh
             # Extract:   ```bash ... ```
             sed -n "/^  \`\`\`\(bash\|shell\)$/,/^  \`\`\`$/p" "${FILE}" | sed '/^  ```*/d; s/^  //' >> README.sh
           done
+          ls -la README.sh
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
-        uses: oxsecurity/megalinter@688bc7466d7ab4faa83d614c2e6f9acf42b674dc # v7.8.0
+        uses: oxsecurity/megalinter@190cd0dad6dc52b2de5b810e3b290c3d6bdcc0f2 # v7.9.0
         env:
           GITHUB_COMMENT_REPORTER: false
           GITHUB_STATUS_REPORTER: true

.github/workflows/stale.yml

@@ -3,7 +3,7 @@ name: stale
 
 on:
   schedule:
-    - cron: "30 1 * * *"
+    - cron: "9 9 * * *"
 
 permissions:
   issues: write

.mega-linter.yml

@@ -6,7 +6,7 @@ ANSIBLE_ANSIBLE_LINT_PRE_COMMANDS:
     cwd: "workspace"
 ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: ansible/.ansible-lint
 
-BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
+BASH_SHFMT_ARGUMENTS: --case-indent --indent 2 --space-redirects
 
 DISABLE_LINTERS:
   - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead
@@ -31,9 +31,7 @@ PRINT_ALPACA: false
 # Disable creating report directory
 REPORT_OUTPUT_FOLDER: none
 
-# Issue: https://github.com/bridgecrewio/checkov/issues/3839
-# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
-REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
+REPOSITORY_CHECKOV_ARGUMENTS: --quiet
 
 # Do not leave debug code in production, Insecure URL
 REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138

build.sh

@@ -82,22 +82,22 @@ cmdline() {
     export MY_NAME
 
     case ${PACKER_VAGRANT_PROVIDER} in
-    libvirt)
-      # Qemu Accelerator - use kvm for Linux and hvf for MacOS
-      if [[ $(uname) = "Darwin" ]]; then
-        PACKER_CMD_PARAMS+=("-only=qemu" "-var" "accelerator=hvf")
-      elif [[ $(uname) = "Linux" ]]; then
-        PACKER_CMD_PARAMS+=("-only=qemu" "-var" "accelerator=kvm")
-      fi
-
-      ;;
-    virtualbox)
-      PACKER_CMD_PARAMS+=("-only=virtualbox-iso")
-      ;;
-    *)
-      echo -e "\n\n*** Unsupported PACKER_VAGRANT_PROVIDER: \"${PACKER_VAGRANT_PROVIDER}\" used from \"${BUILD}\""
-      exit 1
-      ;;
+      libvirt)
+        # Qemu Accelerator - use kvm for Linux and hvf for MacOS
+        if [[ $(uname) = "Darwin" ]]; then
+          PACKER_CMD_PARAMS+=("-only=qemu" "-var" "accelerator=hvf")
+        elif [[ $(uname) = "Linux" ]]; then
+          PACKER_CMD_PARAMS+=("-only=qemu" "-var" "accelerator=kvm")
+        fi
+
+        ;;
+      virtualbox)
+        PACKER_CMD_PARAMS+=("-only=virtualbox-iso")
+        ;;
+      *)
+        echo -e "\n\n*** Unsupported PACKER_VAGRANT_PROVIDER: \"${PACKER_VAGRANT_PROVIDER}\" used from \"${BUILD}\""
+        exit 1
+        ;;
     esac
 
     test -d "${PACKER_CACHE_DIR}" || mkdir -v "${PACKER_CACHE_DIR}"
@@ -107,77 +107,77 @@ cmdline() {
     echo -e "\n\n*** ${MY_NAME} | ${NAME} | ${BUILD} - ${PACKER_VAGRANT_PROVIDER}"
 
     case ${NAME} in
-    *centos*)
-      CENTOS_VERSION=$(echo "${NAME}" | awk -F '-' '{ print $2 }')
-      export CENTOS_VERSION
-      CENTOS_TAG=$(curl -s "ftp://ftp.cvut.cz/centos/${CENTOS_VERSION}/isos/x86_64/sha256sum.txt" | sed -n 's/.*-\(..\)\(..\)\.iso/\1\2/p' | head -1)
-      export CENTOS_TAG
-      export CENTOS_TYPE="NetInstall"
-      ISO_CHECKSUM=$(curl -s "ftp://ftp.cvut.cz/centos/${CENTOS_VERSION}/isos/x86_64/sha256sum.txt" | awk "/CentOS-${CENTOS_VERSION}-x86_64-${CENTOS_TYPE}-${CENTOS_TAG}.iso/ { print \$1 }")
-      PACKER_CMD_PARAMS+=("${MY_NAME}-${CENTOS_VERSION}.json")
-      echo "* NAME: ${NAME}, CENTOS_VERSION: ${CENTOS_VERSION}, CENTOS_TAG: ${CENTOS_TAG}, CENTOS_TYPE: ${CENTOS_TYPE}"
-      ;;
-    *ubuntu*)
-      UBUNTU_TYPE=$(echo "${NAME}" | awk -F '-' '{ print $3 }')
-      export UBUNTU_TYPE
-      UBUNTU_VERSION=$(echo "${NAME}" | awk -F '-' '{ print $2 }')
-      export UBUNTU_VERSION
-      UBUNTU_CODENAME=$(curl -s http://releases.ubuntu.com/ | sed -n "s@.*<a href=\"\([a-z]*\)/\">.*Ubuntu ${UBUNTU_VERSION}.*@\1@p" | head -1)
-      if curl --fail --silent --head --output /dev/null "http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}-updates/main/installer-amd64/current/images/SHA256SUMS"; then
-        export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}-updates/main/installer-amd64/current/images
-      elif curl --fail --silent --head --output /dev/null "http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/legacy-images/SHA256SUMS"; then
-        export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/legacy-images
-      else
-        export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/images
-      fi
-      ISO_CHECKSUM=$(curl -s "${UBUNTU_IMAGES_URL}/SHA256SUMS" | awk '/.\/netboot\/mini.iso/ { print $1 }')
-      PACKER_CMD_PARAMS+=("${MY_NAME}-${UBUNTU_TYPE}.json")
-      echo "* NAME: ${NAME}, UBUNTU_TYPE: ${UBUNTU_TYPE}, UBUNTU_IMAGES_URL: ${UBUNTU_IMAGES_URL}"
-      ;;
-    *windows*)
-      export WINDOWS_ARCH="x64"
-      WINDOWS_VERSION=$(echo "${NAME}" | sed -n -e 's/.*-\([0-9][0-9][0-9][0-9]\)[_-].*/\1/p' -e 's/.*-\([0-9][0-9]\)-.*/\1/p')
-      export WINDOWS_VERSION
-      PACKER_CMD_PARAMS+=("${MY_NAME}.json")
-      WINDOWS_EDITION=$(echo "${NAME}" | awk -F - '{ print $(NF-2) }')
-      export WINDOWS_EDITION
-
-      case ${NAME} in
-      *windows-10-enterprise*)
-        export ISO_URL="https://software-static.download.prss.microsoft.com/dbazure/988969d5-f34g-4e03-ac9d-1f9786c66750/19045.2006.220908-0225.22h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso"
-        ;;
-      *windows-server-2022-*)
-        export WINDOWS_TYPE="server"
-        export ISO_URL="https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso"
+      *centos*)
+        CENTOS_VERSION=$(echo "${NAME}" | awk -F '-' '{ print $2 }')
+        export CENTOS_VERSION
+        CENTOS_TAG=$(curl -s "ftp://ftp.cvut.cz/centos/${CENTOS_VERSION}/isos/x86_64/sha256sum.txt" | sed -n 's/.*-\(..\)\(..\)\.iso/\1\2/p' | head -1)
+        export CENTOS_TAG
+        export CENTOS_TYPE="NetInstall"
+        ISO_CHECKSUM=$(curl -s "ftp://ftp.cvut.cz/centos/${CENTOS_VERSION}/isos/x86_64/sha256sum.txt" | awk "/CentOS-${CENTOS_VERSION}-x86_64-${CENTOS_TYPE}-${CENTOS_TAG}.iso/ { print \$1 }")
+        PACKER_CMD_PARAMS+=("${MY_NAME}-${CENTOS_VERSION}.json")
+        echo "* NAME: ${NAME}, CENTOS_VERSION: ${CENTOS_VERSION}, CENTOS_TAG: ${CENTOS_TAG}, CENTOS_TYPE: ${CENTOS_TYPE}"
         ;;
-      *windows-server-2019-*)
-        export WINDOWS_TYPE="server"
-        export ISO_URL="https://software-static.download.prss.microsoft.com/dbazure/988969d5-f34g-4e03-ac9d-1f9786c66749/17763.3650.221105-1748.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso"
+      *ubuntu*)
+        UBUNTU_TYPE=$(echo "${NAME}" | awk -F '-' '{ print $3 }')
+        export UBUNTU_TYPE
+        UBUNTU_VERSION=$(echo "${NAME}" | awk -F '-' '{ print $2 }')
+        export UBUNTU_VERSION
+        UBUNTU_CODENAME=$(curl -s http://releases.ubuntu.com/ | sed -n "s@.*<a href=\"\([a-z]*\)/\">.*Ubuntu ${UBUNTU_VERSION}.*@\1@p" | head -1)
+        if curl --fail --silent --head --output /dev/null "http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}-updates/main/installer-amd64/current/images/SHA256SUMS"; then
+          export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}-updates/main/installer-amd64/current/images
+        elif curl --fail --silent --head --output /dev/null "http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/legacy-images/SHA256SUMS"; then
+          export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/legacy-images
+        else
+          export UBUNTU_IMAGES_URL=http://archive.ubuntu.com/ubuntu/dists/${UBUNTU_CODENAME}/main/installer-amd64/current/images
+        fi
+        ISO_CHECKSUM=$(curl -s "${UBUNTU_IMAGES_URL}/SHA256SUMS" | awk '/.\/netboot\/mini.iso/ { print $1 }')
+        PACKER_CMD_PARAMS+=("${MY_NAME}-${UBUNTU_TYPE}.json")
+        echo "* NAME: ${NAME}, UBUNTU_TYPE: ${UBUNTU_TYPE}, UBUNTU_IMAGES_URL: ${UBUNTU_IMAGES_URL}"
         ;;
-      *windows-server-2016-*)
-        export WINDOWS_TYPE="server"
-        export ISO_URL="https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO"
+      *windows*)
+        export WINDOWS_ARCH="x64"
+        WINDOWS_VERSION=$(echo "${NAME}" | sed -n -e 's/.*-\([0-9][0-9][0-9][0-9]\)[_-].*/\1/p' -e 's/.*-\([0-9][0-9]\)-.*/\1/p')
+        export WINDOWS_VERSION
+        PACKER_CMD_PARAMS+=("${MY_NAME}.json")
+        WINDOWS_EDITION=$(echo "${NAME}" | awk -F - '{ print $(NF-2) }')
+        export WINDOWS_EDITION
+
+        case ${NAME} in
+          *windows-10-enterprise*)
+            export ISO_URL="https://software-static.download.prss.microsoft.com/dbazure/988969d5-f34g-4e03-ac9d-1f9786c66750/19045.2006.220908-0225.22h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso"
+            ;;
+          *windows-server-2022-*)
+            export WINDOWS_TYPE="server"
+            export ISO_URL="https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso"
+            ;;
+          *windows-server-2019-*)
+            export WINDOWS_TYPE="server"
+            export ISO_URL="https://software-static.download.prss.microsoft.com/dbazure/988969d5-f34g-4e03-ac9d-1f9786c66749/17763.3650.221105-1748.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso"
+            ;;
+          *windows-server-2016-*)
+            export WINDOWS_TYPE="server"
+            export ISO_URL="https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO"
+            ;;
+          *)
+            echo "*** Unsupported Windows build type: \"${NAME}\" used from \"${BUILD}\""
+            exit 1
+            ;;
+        esac
+
+        echo "* NAME: ${NAME}, WINDOWS_ARCH: ${WINDOWS_ARCH}, WINDOWS_VERSION: ${WINDOWS_VERSION}, WINDOWS_EDITION: ${WINDOWS_EDITION}"
+        ISO_CHECKSUM=$(awk "/$(basename ${ISO_URL})/ { print \$1 }" win_iso.sha256)
+        if [[ ${PACKER_VAGRANT_PROVIDER} = "libvirt" ]]; then
+          test -f "${VIRTIO_WIN_ISO}" || curl -sL "${VIRTIO_WIN_ISO_URL}" --output "${VIRTIO_WIN_ISO}"
+          if [[ ! -d "${VIRTIO_WIN_ISO_DIR}" ]]; then
+            xorriso -report_about SORRY -osirrox on -indev "${VIRTIO_WIN_ISO}" -extract / "${VIRTIO_WIN_ISO_DIR}"
+            find "${VIRTIO_WIN_ISO_DIR}" -type d -exec chmod u+rwx {} \;
+          fi
+        fi
         ;;
       *)
-        echo "*** Unsupported Windows build type: \"${NAME}\" used from \"${BUILD}\""
+        echo "*** Unsupported build type: \"${NAME}\" used from \"${BUILD}\""
         exit 1
         ;;
-      esac
-
-      echo "* NAME: ${NAME}, WINDOWS_ARCH: ${WINDOWS_ARCH}, WINDOWS_VERSION: ${WINDOWS_VERSION}, WINDOWS_EDITION: ${WINDOWS_EDITION}"
-      ISO_CHECKSUM=$(awk "/$(basename ${ISO_URL})/ { print \$1 }" win_iso.sha256)
-      if [[ ${PACKER_VAGRANT_PROVIDER} = "libvirt" ]]; then
-        test -f "${VIRTIO_WIN_ISO}" || curl -sL "${VIRTIO_WIN_ISO_URL}" --output "${VIRTIO_WIN_ISO}"
-        if [[ ! -d "${VIRTIO_WIN_ISO_DIR}" ]]; then
-          xorriso -report_about SORRY -osirrox on -indev "${VIRTIO_WIN_ISO}" -extract / "${VIRTIO_WIN_ISO_DIR}"
-          find "${VIRTIO_WIN_ISO_DIR}" -type d -exec chmod u+rwx {} \;
-        fi
-      fi
-      ;;
-    *)
-      echo "*** Unsupported build type: \"${NAME}\" used from \"${BUILD}\""
-      exit 1
-      ;;
     esac
 
     export ISO_CHECKSUM