Initial commit

.github/CODEOWNERS

@@ -0,0 +1,5 @@
+# The releng team is by default the owner of everything.
+*             @{{ org }}/eclipsefdn-releng
+
+# Otterdog related configurations are also owned by the security team.
+/otterdog/**  @{{ org }}/eclipsefdn-security @{{ org }}/eclipsefdn-releng

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: "/"
+  # We scan and create dependabot PRs against the develop branch only.
+  # Such a branch only exists for the template master at EclipseFdn/.eclipsefdn-template
+  # dependabot shall only update the template master, and changes will be synchronized to
+  # all repos by otterdog using the sync-template operation to avoid having many similar
+  # dependabot PRs for each individual .eclipsefdn repo which we would like to avoid at all costs.
+  target-branch: "develop"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

.github/workflows/build-page.yml

@@ -0,0 +1,122 @@
+name: Build GH Page
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'otterdog/*.jsonnet'
+      - 'otterdog/*.json'
+      - 'docs/**'
+      - 'mkdocs.yml'
+      - '.github/workflows/build-page.yml'
+
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+jobs:
+  generate-markdown:
+    # do not run the workflow in the template repo itself
+    if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout OtterDog
+        run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
+
+      - name: Checkout EclipseFdn/otterdog-configs
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          repository: EclipseFdn/otterdog-configs
+          path: otterdog-configs
+
+      # checkout the HEAD ref
+      - name: Checkout HEAD
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          path: ${{ github.repository_owner }}
+
+      - name: Install jsonnet-bundler
+        run: |
+          go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
+          echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        with:
+          python-version: '3.10'
+          cache: 'poetry'
+
+      - name: Install dependencies with poetry
+        run: |
+          poetry install --only=main
+        working-directory: otterdog
+
+      - name: Copy configuration from HEAD ref
+        run: |
+          mkdir -p orgs/${{ github.repository_owner }}
+          cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+        working-directory: otterdog-configs
+
+      - name: Generate current configuration as markdown
+        run: ../otterdog/otterdog.sh show ${{ github.repository_owner }} -c otterdog.json --markdown --output-dir generated-site
+        working-directory: otterdog-configs
+
+      - name: Generate default configuration as markdown
+        run: ../otterdog/otterdog.sh show-default ${{ github.repository_owner }} -c otterdog.json --markdown > default.txt
+        working-directory: otterdog-configs
+
+      - name: Upload generated site content
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        with:
+          name: generated-site
+          path: |
+            otterdog-configs/default.txt
+            otterdog-configs/orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet
+            otterdog-configs/generated-site/
+
+  build-page:
+    runs-on: ubuntu-latest
+    needs: generate-markdown
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
+      - name: Download generated site content
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+        with:
+          name: generated-site
+      - shell: bash
+        run: |
+          cat default.txt >> ./docs/playground.md
+          cp generated-site/*.md ./docs/
+          cp orgs/${{ github.repository_owner }}/vendor/otterdog-defaults/*.libsonnet ./docs/jsonnet/
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
+        with:
+          python-version: 3.x
+          cache: 'pip'
+      - run: pip install -r requirements.txt
+      - name: Build with Mkdocs
+        run: mkdocs build
+      - name: Setup Pages
+        uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1
+
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build-page
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@12ab2b16cf43a7a061fe99da74b6f8f11fb77f5b # pin@v2

.github/workflows/show-config.yml

@@ -0,0 +1,69 @@
+name: Show Otterdog Configuration
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - 'otterdog/*.jsonnet'
+      - 'otterdog/*.json'
+
+permissions:
+  contents: read
+
+jobs:
+  show:
+    # do not run the workflow in the template repo itself
+    if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout OtterDog
+        run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
+
+      - name: Checkout EclipseFdn/otterdog-configs
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          repository: EclipseFdn/otterdog-configs
+          path: otterdog-configs
+
+      # checkout the HEAD ref
+      - name: Checkout HEAD
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          path: ${{ github.repository_owner }}
+
+      - name: Install jsonnet-bundler
+        run: |
+          go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
+          echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        with:
+          python-version: '3.10'
+          cache: 'poetry'
+
+      - name: Install dependencies with poetry
+        run: |
+          poetry install --only=main
+        working-directory: otterdog
+
+      - name: Copy configuration from HEAD ref
+        run: |
+          mkdir -p orgs/${{ github.repository_owner }}
+          cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+        working-directory: otterdog-configs
+
+      - name: Show complete Otterdog Configuration
+        run: ../otterdog/otterdog.sh show ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/config.txt"
+        working-directory: otterdog-configs
+
+      - name: Upload config.txt
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: Otterdog config
+          path: config.txt

.github/workflows/validate.yml

@@ -0,0 +1,103 @@
+name: Validate Otterdog Configuration
+
+on:
+  workflow_dispatch:
+  pull_request_target:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate:
+    # do not run the workflow in the template repo itself
+    if: ${{ !contains (github.repository, '/.eclipsefdn-template') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout OtterDog
+        run: git clone https://gitlab.eclipse.org/eclipsefdn/security/otterdog.git
+
+      - name: Checkout EclipseFdn/otterdog-configs
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          repository: EclipseFdn/otterdog-configs
+          path: otterdog-configs
+
+      # checkout the head ref of the PR
+      # NOTE: in general it is bad practice to check out the pull request HEAD for PRs originating from forked repos,
+      #       however, this validation workflow produces a diff between the changes in the PR with the base ref, thus
+      #       doing this is acceptable, see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Checkout HEAD ref of the PR
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: ${{ github.repository_owner }}
+
+      # checkout the base ref of the PR
+      - name: Checkout BASE ref of the PR (target branch)
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ github.base_ref }}
+          path: ${{ github.repository_owner }}-base
+
+      - name: Install jsonnet-bundler
+        run: |
+          go install -a github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb@v0.5.1
+          echo $(go env GOPATH)/bin >> $GITHUB_PATH
+
+      - name: Install poetry
+        run: pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        with:
+          python-version: '3.10'
+          cache: 'poetry'
+
+      - name: Install dependencies with poetry
+        run: |
+          poetry install --only=main
+        working-directory: otterdog
+
+      - name: Copy configuration from HEAD and BASE ref
+        run: |
+          mkdir -p orgs/${{ github.repository_owner }}
+          cp -r ../${{ github.repository_owner }}/otterdog/* orgs/${{ github.repository_owner }}
+          cp ../${{ github.repository_owner }}-base/otterdog/${{ github.repository_owner }}.jsonnet orgs/${{ github.repository_owner }}/${{ github.repository_owner }}.jsonnet-BASE 
+        working-directory: otterdog-configs
+
+      - name: Validate Otterdog Configuration and diff HEAD <-> BASE
+        run: |
+          # use script to enable ansi color output
+          script -q /dev/null --command "../otterdog/otterdog.sh local-plan ${{ github.repository_owner }} -c otterdog.json --suffix=-BASE" | tee "$GITHUB_WORKSPACE/diff-ansi.txt"
+          # filter out ansi escape sequences again, use sed as ansi2txt is not available
+          cat "$GITHUB_WORKSPACE/diff-ansi.txt" | sed -e 's/\x1b\[[0-9;]*m//g' | sed -E 's/^([[:space:]]+)([-+!])/\2\1/g' | sed -E 's/^([[:space:]]+)([~])/!\1/g' > "$GITHUB_WORKSPACE/diff.txt"
+        working-directory: otterdog-configs
+
+      - name: Generate canonical diff
+        run: ../otterdog/otterdog.sh canonical-diff ${{ github.repository_owner }} -c otterdog.json | tee "$GITHUB_WORKSPACE/canonical-diff.txt"
+        working-directory: otterdog-configs
+
+      # Add a comment to the pull request with the diff
+
+      - name: Generate comment
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        with:
+          script: |
+            const commentText = 'Diff for ' + context.payload.pull_request.head.sha + ':';
+
+            const fs = require('fs');
+            const diff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/diff.txt').toString().trimEnd();
+            const canonicalDiff = fs.readFileSync(process.env.GITHUB_WORKSPACE + '/canonical-diff.txt').toString().trimEnd();
+
+            var body = "<details>\n<summary>" + commentText + "</summary>\n\n```diff\n" + diff + "\n```\n\n```diff\n" + canonicalDiff + "\n```\n\n</details>";
+            fs.writeFileSync(process.env.GITHUB_STEP_SUMMARY, body);
+            fs.writeFileSync(process.env.GITHUB_WORKSPACE + '/comment.txt', body);
+
+      - name: Attach comment to PR
+        uses: marocchino/sticky-pull-request-comment@f61b6cf21ef2fcc468f4345cdfcc9bda741d2343 # v2.6.2
+        with:
+          hide_and_recreate: true
+          hide_classify: "OUTDATED"
+          path: ${{ github.workspace }}/comment.txt

README.md

@@ -0,0 +1,7 @@
+# Eclipse Foundation Config Repo
+
+Repository to host configurations related to the Eclipse Foundation.
+
+## Self service of your GitHub organization
+
+You can find more information at <https://{{ org }}.github.io/.eclipsefdn/>.

docs/index.md

@@ -0,0 +1,17 @@
+---
+hide:
+  - navigation
+  - toc
+---
+
+# Self-service of GitHub resources
+
+General documentation for using the self-service (stored in directory *otterdog*) can be accessed at [otterdog.readthedocs.io](https://otterdog.readthedocs.io).
+
+## Current configuration
+
+The current configuration can be reviewed [here](configuration.md).
+
+## Playground
+
+A playground for creating and testing resources in jsonnet format is available [here](playground.md).

docs/jsonnet/playground.jsonnet

@@ -0,0 +1,3 @@
+local orgs = import 'otterdog-defaults.libsonnet';
+
+orgs.newRepo('myrepo')

docs/overrides/editor.html

@@ -0,0 +1,44 @@
+{% extends "base.html" %}
+
+{% block libs %}
+  {{ super() }}
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/js-yaml/dist/js-yaml.min.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/lib/codemirror.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/mode/yaml/yaml.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/addon/edit/matchbrackets.js"></script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/codemirror-mode-jsonnet.js"></script>
+
+  <!-- Executing Jsonnet -->
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/wasm_exec.js"></script>
+  <script>
+      if (!WebAssembly.instantiateStreaming) {
+          // This function was observed to be missing on Safari 14.
+          WebAssembly.instantiateStreaming = async (resp, importObject) => {
+             const source = await (await resp).arrayBuffer();
+             return await WebAssembly.instantiate(source, importObject);
+          };
+      }
+      const go = new Go();
+      WebAssembly.instantiateStreaming(fetch("https://eclipsefdn.github.io/otterdog-assets/js/libjsonnet.wasm"), go.importObject).then((result) => {
+          go.run(result.instance);
+      });
+  </script>
+  <script src="https://eclipsefdn.github.io/otterdog-assets/js/demo.js"></script>
+{% endblock %}
+
+{% block styles %}
+  <!-- Google Fonts -->
+  <link href="https://fonts.googleapis.com/css?family=Open+Sans:400italic,600italic,700italic,400,600,700" rel="stylesheet" type="text/css">
+
+  <!-- jsonnet.org stylesheet -->
+  <link rel="stylesheet" type="text/css" href="https://eclipsefdn.github.io/otterdog-assets/css/doc.css" />
+  <link rel="stylesheet" media="print" href="https://eclipsefdn.github.io/otterdog-assets/css/desktop.css">
+  <!-- The extra 16px is to account for the scrollbar, which is not always included. -->
+  <link rel="stylesheet" media="screen and (min-width: 1296px)" href="https://eclipsefdn.github.io/otterdog-assets/css/desktop.css">
+  <link rel="stylesheet" media="screen and (max-width: 1295px) and (min-width: 720px)" href="https://eclipsefdn.github.io/otterdog-assets/css/cellphone.css">
+  <link rel="stylesheet" media="screen and (max-width: 719px)" href="https://eclipsefdn.github.io/otterdog-assets/css/cellphone-small.css">
+  {{ super() }}
+
+  <!-- CodeMirror -->
+  <link rel="stylesheet" href="https://eclipsefdn.github.io/otterdog-assets/third_party/CodeMirror/lib/codemirror.css">
+{% endblock %}