Feature/stig

.github/FUNDING.yml

@@ -1,3 +1 @@
-# These are supported funding model platforms
-
 github: 'linuxfabrik'

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,52 @@
+name: 'Bug report'
+description: 'Submit a bug report for LFOps'
+labels:
+  - 'bug'
+body:
+  - type: 'checkboxes'
+    id: 'before-posting'
+    attributes:
+      label: 'Before submitting:'
+      options:
+        - label: 'I have searched existing issues to make sure this is not a duplicate.'
+          required: true
+        - label: 'I am using the latest release.'
+          required: true
+        - label: 'I agree to follow the [Code of Conduct](https://github.com/Linuxfabrik/lfops/blob/main/CODE_OF_CONDUCT.md).'
+          required: true
+
+  - type: 'textarea'
+    id: 'bug-description'
+    attributes:
+      label: 'Bug description'
+      description: 'Provide a clear and concise description of the bug.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'steps'
+    attributes:
+      label: 'Steps to reproduce'
+      description: 'List the steps needed to reproduce the issue.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'expected'
+    attributes:
+      label: 'Expected behavior'
+      description: 'What did you expect to happen?'
+
+  - type: 'textarea'
+    id: 'environment'
+    attributes:
+      label: 'Environment'
+      description: 'Operating system, software version, and any other relevant details.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'additional'
+    attributes:
+      label: 'Additional context'
+      description: 'Any other information, logs, or screenshots.'

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,24 @@
+name: 'Feature request'
+description: 'Suggest a new feature or improvement for LFOps'
+labels:
+  - 'enhancement'
+body:
+  - type: 'textarea'
+    id: 'solution'
+    attributes:
+      label: 'Describe the solution you would like'
+      description: 'A clear and concise description of what you want to happen.'
+    validations:
+      required: true
+
+  - type: 'textarea'
+    id: 'alternatives'
+    attributes:
+      label: 'Alternatives considered'
+      description: 'Have you considered any alternative solutions or workarounds?'
+
+  - type: 'textarea'
+    id: 'context'
+    attributes:
+      label: 'Additional context'
+      description: 'Any other context or screenshots about the feature request.'

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'friday'
+      time: '05:00'
+      timezone: 'Etc/UTC'

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  schedule:
+    - cron: '0 5 * * 5'
+
+permissions:
+  contents: 'read'
+
+jobs:
+  analyze:
+    name: 'Analyze'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      actions: 'read'
+      contents: 'read'
+      security-events: 'write'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - 'actions'
+          - 'python'
+
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+
+      - name: 'Initialize CodeQL'
+        uses: 'github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
+        with:
+          languages: '${{ matrix.language }}'
+
+      - name: 'Autobuild'
+        uses: 'github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
+
+      - name: 'Perform CodeQL Analysis'
+        uses: 'github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13' # v4.35.1
+        with:
+          category: '/language:${{ matrix.language }}'

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,25 @@
+name: 'Linuxfabrik: Dependabot auto-merge'
+
+on:
+  pull_request: {}
+
+permissions:
+  contents: 'write'
+  pull-requests: 'write'
+
+jobs:
+  auto-merge:
+    runs-on: 'ubuntu-latest'
+    if: 'github.actor == ''dependabot[bot]'''
+    steps:
+
+      - uses: 'dependabot/fetch-metadata@v3'
+        id: 'meta'
+
+      - if: >-
+          steps.meta.outputs.update-type == 'version-update:semver-patch'
+          || steps.meta.outputs.update-type == 'version-update:semver-minor'
+        run: 'gh pr merge --auto --squash "$PR_URL"'
+        env:
+          PR_URL: '${{ github.event.pull_request.html_url }}'
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/dependency-review.yml

@@ -0,0 +1,22 @@
+name: 'Dependency Review'
+
+on:
+  pull_request: {}
+
+permissions:
+  contents: 'read'
+
+jobs:
+  dependency-review:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+
+      - name: 'Dependency Review'
+        uses: 'actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48' # v4.9.0

.github/workflows/docs.yml

@@ -0,0 +1,62 @@
+name: 'Linuxfabrik: Deploy Documentation'
+
+on:
+  push:
+    branches:
+      - 'main'
+
+permissions:
+  contents: 'read'
+  pages: 'write'
+  id-token: 'write'
+
+concurrency:
+  group: 'pages'
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Checkout repository'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+
+      - name: 'Set up Python'
+        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405' # v6.2.0
+        with:
+          python-version: '3.12'
+
+      - name: 'Install dependencies'
+        run: 'pip install mkdocs==1.6.1 mkdocs-material==9.7.6'
+
+      - name: 'Generate docs structure'
+        run: 'python3 tools/build-docs'
+
+      - name: 'Build documentation'
+        run: 'mkdocs build --strict'
+
+      - name: 'Upload Pages artifact'
+        uses: 'actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9' # v5.0.0
+        with:
+          path: 'site'
+
+  deploy:
+    needs: 'build'
+    runs-on: 'ubuntu-latest'
+    environment:
+      name: 'github-pages'
+      url: '${{ steps.deployment.outputs.page_url }}'
+    steps:
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
+      - name: 'Deploy to GitHub Pages'
+        id: 'deployment'
+        uses: 'actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128' # v5.0.0

.github/workflows/lf-build.yml

@@ -15,22 +15,28 @@ on:
       - 'v*'
 
 # modify the default permissions granted to the GITHUB_TOKEN
-permissions:
-  contents: 'read' # to checkout the code
-  packages: 'write' # to push to GitHub Container Registry
+permissions: 'read-all'
 
 jobs:
 
   build:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read' # to checkout the code
+      packages: 'write' # to push to GitHub Container Registry
 
     steps:
 
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
       - name: 'git clone https://github.com/Linuxfabrik/lfops'
-        uses: 'actions/checkout@v4'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Log in to GitHub Container Registry'
-        uses: 'redhat-actions/podman-login@v1'
+        uses: 'redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603' # v1.7
         with:
           registry: 'ghcr.io'
           username: '${{ github.actor }}'
@@ -65,15 +71,18 @@ jobs:
       - name: 'Install Ansible Builder'
         run: |
           python3 -m pip install --upgrade pip
-          pip install ansible-builder
+          pip install ansible-builder==3.1.1
+
+      - name: 'Strip badges from README.md (not rendered correctly on Galaxy)'
+        run: |
+          sed --in-place '/<div align="center" id="badges">/,/<\/div>/d' README.md
 
       - name: 'Build Collection'
         run: |
           ansible-galaxy collection build
           cp --verbose linuxfabrik-lfops-${{ env.TAG1 }}.tar.gz linuxfabrik-lfops.tar.gz
 
-      - name: 'Publish to Galaxy (Prod)'
-        if: "${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}"
+      - name: 'Publish to Galaxy'
         env:
           ANSIBLE_GALAXY_TOKEN: '${{ secrets.GALAXY_API_KEY_PROD }}'
         run: |
@@ -82,16 +91,6 @@ jobs:
             --server https://galaxy.ansible.com \
             --api-key "$ANSIBLE_GALAXY_TOKEN"
 
-      - name: 'Publish to Galaxy (Dev)'
-        if: "${{ github.event_name == 'workflow_dispatch' }}"
-        env:
-          ANSIBLE_GALAXY_TOKEN: '${{ secrets.GALAXY_API_KEY_DEV }}'
-        run: |
-          ansible-galaxy collection publish \
-            linuxfabrik-lfops-${{ env.TAG1 }}.tar.gz \
-            --server https://galaxy-dev.ansible.com \
-            --api-key "$ANSIBLE_GALAXY_TOKEN"
-
       - name: 'Build Execution Environment'
         run: |
           ansible-builder build \
@@ -106,7 +105,7 @@ jobs:
 
       - name: 'Push to GitHub Container Registry'
         id: 'push-to-ghcr'
-        uses: 'redhat-actions/push-to-registry@v2'
+        uses: 'redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c' # v2.8
         with:
           registry: 'ghcr.io'
           image: '${{ env.GITHUB_REPOSITORY_OWNER_LOWERCASE }}/lfops_ee'

.github/workflows/lf-release.yml

@@ -6,17 +6,23 @@ on:
       - 'v*'
 
 # modify the default permissions granted to the GITHUB_TOKEN
-permissions:
-  contents: 'write' # to push to the repo and create the release
+permissions: 'read-all'
 
 jobs:
   release:
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write' # to push to the repo and create the release
 
     steps:
 
+      - name: 'Harden the runner (Audit all outbound calls)'
+        uses: 'step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176' # v2.17.0
+        with:
+          egress-policy: 'audit'
+
       - name: 'Create GitHub Release for ${{ github.ref_name }}'
-        uses: 'softprops/action-gh-release@v2'
+        uses: 'softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda' # v3.0.0
         with:
           tag_name: '${{ github.ref_name }}'
           body: |