🚧 Scaffold image (#5)

Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,22 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "version": "2.10.2",
+      "resolved": "ghcr.io/devcontainers/features/docker-in-docker@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c",
+      "integrity": "sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c"
+    },
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "1.4.2",
+      "resolved": "ghcr.io/devcontainers/features/python@sha256:bf021f1800543f08bf029c449a3f25341be782b620802befa1f8e6ee51cf6cf6",
+      "integrity": "sha256:bf021f1800543f08bf029c449a3f25341be782b620802befa1f8e6ee51cf6cf6"
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {
+      "version": "0.0.1",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test@sha256:715c6924f74a1fda214480c9a4528f5bdfa69b8df9e099e053ddb8e27092616d",
+      "integrity": "sha256:715c6924f74a1fda214480c9a4528f5bdfa69b8df9e099e053ddb8e27092616d",
+      "dependsOn": [
+        "ghcr.io/devcontainers/features/docker-in-docker:2"
+      ]
+    }
+  }
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,28 @@
+{
+  "name": "observability-platform-grafana-api-key-rotator",
+  "image": "ghcr.io/ministryofjustice/devcontainer-base:latest",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/python:1": {
+      "version": "3.12",
+      "installTools": false
+    },
+    "ghcr.io/ministryofjustice/devcontainer-feature/container-structure-test:0": {}
+  },
+  "postCreateCommand": "bash .devcontainer/post-create.sh",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "EditorConfig.EditorConfig",
+        "GitHub.vscode-github-actions",
+        "GitHub.vscode-pull-request-github",
+        "ms-python.python",
+        "ms-python.pylint",
+        "ms-python.black-formatter",
+        "ms-python.isort",
+        "ms-python.flake8",
+        "ms-python.autopep8"
+      ]
+    }
+  }
+}

.devcontainer/post-create.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Upgrade Pip
+pip install --upgrade pip
+
+# Install dependencies
+pip install --requirement requirements-dev.txt

.editorconfig

@@ -0,0 +1,23 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+# This file is autogenerated
+[.devcontainer/devcontainer-lock.json]
+end_of_line = unset
+insert_final_newline = unset
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[*.sh]
+indent_style = space
+indent_size = 2
+
+[*.yml]
+indent_style = space
+indent_size = 2

.github/CODEOWNERS

@@ -1,3 +1 @@
-# Add a team or username to this file
-# Example:
-# *   @ministryofjustice/operations-engineering
+* @ministryofjustice/observability-platform

.github/actions/setup-container-structure-test/action.yml

@@ -0,0 +1,38 @@
+---
+name: Set Up Google Container Structure Test
+description: This action installs Google's Container Structure Test tool.
+
+inputs:
+  version:
+    description: The version of Container Structure Test to install.
+    required: false
+    default: "latest"
+
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        if [[ "$(uname -m)" == "x86_64" ]]; then
+          export architecture="amd64"
+        elif [[ "$(uname -m)" == "aarch64" ]]; then
+          export architecture="arm64"
+        else
+          echo "Unsupported architecture: $(uname -m)"
+          exit 1
+        fi
+
+        if [[ "${{ inputs.version }}" == "latest" ]]; then
+          export version="$(curl --silent https://api.github.com/repos/GoogleContainerTools/container-structure-test/releases/latest | jq -r '.tag_name')"
+        else
+          export version="${{ inputs.version }}"
+        fi
+
+        mkdir --parents "${GITHUB_WORKSPACE}/.google-container-structure-test"
+
+        curl --fail-with-body --location --silent "https://github.com/GoogleContainerTools/container-structure-test/releases/download/${version}/container-structure-test-linux-${architecture}" \
+          --output "${GITHUB_WORKSPACE}/.google-container-structure-test/container-structure-test"
+
+        chmod +x "${GITHUB_WORKSPACE}/.google-container-structure-test/container-structure-test"
+
+        echo "${GITHUB_WORKSPACE}/.google-container-structure-test" >>"${GITHUB_PATH}"

.github/dependabot.yml

@@ -1,37 +1,36 @@
 ---
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 
 updates:
-  - package-ecosystem: "bundler"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "terraform"
-    directory: "/terraform"
-    schedule:
-      interval: "daily"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "pip"
+    commit-message:
+      prefix: ":dependabot: github-actions"
+      include: "scope"
+  - package-ecosystem: "devcontainers"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-  - package-ecosystem: "gomod"
+    commit-message:
+      prefix: ":dependabot: devcontainers"
+      include: "scope"
+  - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "docker"
+    commit-message:
+      prefix: ":dependabot: docker"
+      include: "scope"
+  - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "daily"
+    commit-message:
+      prefix: ":dependabot: pip"
+      include: "scope"
+    groups:
+      boto:
+        patterns:
+          - "boto*"

.github/workflows/build-test.yml

@@ -0,0 +1,30 @@
+---
+name: Build and Test
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Set Up Container Structure Test
+        id: setup_container_structure_test
+        uses: ./.github/actions/setup-container-structure-test
+
+      - name: Build and Test
+        id: build_and_test
+        shell: bash
+        run: |
+          make test

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,44 @@
+---
+name: CodeQL Analysis
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  codeql-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["python"]
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialise CodeQL
+        id: initialise_codeql
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: CodeQL Autobuild
+        id: codeql_autobuild
+        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+
+      - name: CodeQL Analysis
+        id: codeql_analysis
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          category: "language:${{ matrix.language }}"

.github/workflows/openssf-scorecard.yml

@@ -0,0 +1,47 @@
+---
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "30 6 * * 1"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  openssf-scorecard:
+    name: OpenSSF Scorecard
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      security-events: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Run Analysis
+        id: run_analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload SARIF
+        id: upload_sarif
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF Results
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to CodeQL
+        id: upload_to_codeql
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+---
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+
+permissions: {}
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
+      - name: Install cosign
+        id: install_cosign
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
+      - name: Configure AWS Credentials
+        id: configure_aws_credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::915524366300:role/modernisation-platform-oidc-cicd
+
+      - name: Login to Amazon ECR
+        id: login_ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registries: 374269020027
+
+      - name: Build and Push
+        id: build_and_push
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          push: true
+          tags: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/observability-platform-grafana-api-key-rotator:${{ github.ref_name }}
+
+      - name: Sign
+        id: sign
+        shell: bash
+        run: |
+          cosign sign --yes 374269020027.dkr.ecr.eu-west-2.amazonaws.com/observability-platform-grafana-api-key-rotator@${{ steps.build_and_push.outputs.digest }}
+
+      - name: Verify
+        id: verify
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity=https://github.com/ministryofjustice/observability-platform-grafana-api-key-rotator/.github/workflows/release.yml@refs/tags/${{ github.ref_name }} \
+            374269020027.dkr.ecr.eu-west-2.amazonaws.com/observability-platform-grafana-api-key-rotator@${{ steps.build_and_push.outputs.digest }}