workflows

Author: Mark

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+# Planning service code
+/app/service/planning_svc.py   @mitre/squad-x
+/app/service/interfaces/i_planning_svc.py   @mitre/squad-x
+/app/utility/base_planning_svc.py   @mitre/squad-x
+/tests/services/test_planning_svc.py  @mitre/squad-x
+/requirements.txt @elegantmoose
+
+# UI
+/templates/   @mitre/squad-q
+/static/   @mitre/squad-q

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: "\U0001F41E  Bug report"
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: elegantmoose
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. 
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. Mac, Windows, Kali]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 2.8.0]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,4 @@
+contact_links:
+  - name: Documentation
+    url: https://caldera.readthedocs.io/en/latest/
+    about: Your question may be answered in the documentation

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,36 @@
+---
+name: "\U0001F680 New Feature Request"
+about: Propose a new feature
+title: ''
+labels: feature
+assignees: elegantmoose
+
+---
+
+**What problem are you trying to solve? Please describe.**
+> Eg. I'm always frustrated when [...]
+
+
+**The ideal solution: What should the feature should do?**
+> a clear and concise description
+
+
+**What category of feature is this?**
+
+- [ ] UI/UX
+- [ ] API
+- [ ] Other
+
+**If you have code or pseudo-code please provide:**
+
+<!-- Put your code examples here -->
+```python
+
+```
+
+- [ ] Willing to submit a pull request to implement this feature?
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
+
+Thank you for your contribution!

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,17 @@
+---
+name: "\U00002753 Question"
+about: Support questions
+title: ''
+labels: question
+assignees: ''
+
+---
+
+
+
+
+<!--
+Please see our documentation here: https://caldera.readthedocs.io/en/latest/
+
+If you'd like to help us improve our documentation please open a pull request here: https://github.com/mitre/fieldmanual
+-->

.github/pull_request_template.md

@@ -0,0 +1,24 @@
+## Description
+
+(insert summary)
+
+## Type of change
+
+Please delete options that are not relevant.
+
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] This change requires a documentation update
+
+## How Has This Been Tested?
+
+Please describe the tests that you ran to verify your changes.
+
+
+## Checklist:
+
+- [ ] My code follows the style guidelines of this project
+- [ ] I have performed a self-review of my own code
+- [ ] I have made corresponding changes to the documentation
+- [ ] I have added tests that prove my fix is effective or that my feature works

.github/workflows/greetings.yml

@@ -0,0 +1,19 @@
+name: Greetings
+
+on: [pull_request, issues]
+
+permissions:
+  contents: read
+
+jobs:
+  greeting:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+    - uses: actions/first-interaction@1d8459ca65b335265f1285568221e229d45a995e
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-message: 'Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/'
+        pr-message: 'Wohoo! Your first PR -- thanks for contributing!'

.github/workflows/publish_docker_image.yml

@@ -0,0 +1,69 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          submodules: recursive
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker (slim variant)
+        id: meta-slim
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=auto
+            prefix=slim-,onlatest=true
+            suffix=
+        
+      - name: Build and push Docker image (slim)
+        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta-slim.outputs.tags }}
+          labels: ${{ steps.meta-slim.outputs.labels }}
+          build-args: |
+            VARIANT=slim
+      
+      - name: Extract metadata (tags, labels) for Docker (full variant)
+        id: meta-full
+        uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image (full)
+        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta-full.outputs.tags }}
+          labels: ${{ steps.meta-full.outputs.labels }}
+          build-args: |
+            VARIANT=full

.github/workflows/quality.yml

@@ -0,0 +1,126 @@
+name: Code Quality
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]  # added for fork PRs
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - python-version: 3.10.9
+            toxenv: py310,style,coverage-ci
+          - python-version: 3.11
+            toxenv: py311,style,coverage-ci
+          - python-version: 3.12
+            toxenv: py312,style,coverage-ci
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          submodules: recursive
+          fetch-depth: 0  # shallow clones should be disabled for analysis
+
+      - name: Setup python
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          pip install --upgrade virtualenv
+          pip install tox
+          npm --prefix plugins/magma install
+          npm --prefix plugins/magma run build
+
+      - name: Run tests
+        env:
+          TOXENV: ${{ matrix.toxenv }}
+        run: tox
+
+      # --- Sonar scan for pushes and same-repo PRs only ---
+      - name: SonarQube Scan
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
+        uses: SonarSource/sonarqube-scan-action@v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # needed for PR info
+          SONAR_TOKEN:  ${{ secrets.SONAR_TOKEN }}
+        # Uncomment if your sonar-project.properties is in a subfolder:
+        # with:
+        #   args: |
+        #     -Dsonar.projectBaseDir=caldera
+
+  # --- Sonar scan for forked PRs (runs safely with pull_request_target) ---
+  sonar_fork_pr:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.fork }}
+    permissions:
+      contents: read
+      pull-requests: write   # remove if you don't want PR comments
+    steps:
+      - name: Checkout base repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+          fetch-depth: 0
+  
+      - name: Checkout PR HEAD (fork)
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          fetch-depth: 0
+          submodules: recursive
+  
+      # Detect where the sonar-project.properties actually is (pr/ or pr/caldera)
+      - name: Detect Sonar base dir
+        id: detect
+        run: |
+          set -euo pipefail
+          if [ -f pr/caldera/sonar-project.properties ]; then
+            echo "base=pr/caldera" >> "$GITHUB_OUTPUT"
+          elif [ -f pr/sonar-project.properties ]; then
+            echo "base=pr" >> "$GITHUB_OUTPUT"
+          else
+            echo "No sonar-project.properties found under pr/ or pr/caldera"
+            echo "base=pr" >> "$GITHUB_OUTPUT"   # fallback to repo root
+          fi
+          echo "Using base dir: $(grep '^base=' "$GITHUB_OUTPUT" | cut -d= -f2)"
+          echo "Has SONAR_TOKEN? $([ -n "${SONAR_TOKEN:-}" ] && echo yes || echo no)"
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  
+      # If your project key/org are NOT in the properties file, uncomment and set below
+      - name: SonarQube Scan (fork PR)
+        uses: SonarSource/sonarqube-scan-action@v6.0.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # SONAR_HOST_URL: https://sonarcloud.io  # set if you’re self-hosted or non-default
+        with:
+          projectBaseDir: ${{ steps.detect.outputs.base }}
+          args: |
+            -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+            -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
+            -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}

.github/workflows/security.yml

@@ -0,0 +1,37 @@
+name: Security Checks
+
+on: [push]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # - python-version: 3.9
+          #   toxenv: safety
+          - python-version: 3.10.9
+            toxenv: safety
+          - python-version: 3.11
+            toxenv: safety
+
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          submodules: recursive
+      - name: Setup python
+        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          pip install --upgrade virtualenv
+          pip install tox
+      - name: Run tests
+        env:
+          TOXENV: ${{ matrix.toxenv }}
+        run: tox