Merge pull request #85 : add governance pipelines

Author: jgadsden

.github/workflows/housekeeping.yaml

@@ -0,0 +1,72 @@
+name: Housekeeping
+# checks are on all directories
+
+on:
+  # Run daily at 7:00
+  schedule:
+    - cron: '0 7 * * *'
+  workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+  chores:
+    name: Tidy workflows
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+
+    steps:
+      - name: Delete stale workflow runs
+        uses: Mattraks/delete-workflow-runs@v2.0.6
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          retain_days: 28
+          keep_minimum_runs: 10
+
+      - name: Delete unused workflows
+        uses: otto-de/purge-deprecated-workflow-runs@v3.0.1
+        with:
+          token: ${{ github.token }}
+
+  link_checker:
+    name: Link checker
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Link Checker
+        uses: lycheeverse/lychee-action@v2.4.0
+        with:
+          # skip the jekyll files under '_includes' directory, check all other directories
+          args: >-
+            --no-progress
+            --max-retries 2
+            --exclude-path './_includes/*.html'
+            '**/*.md'
+            '*.md'
+          fail: true
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+  stale:
+    name: Tidy pull requests
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Tidy stale PRs and issues
+        uses: actions/stale@v9
+        with:
+          days-before-issue-stale: 182
+          days-before-issue-close: -1
+          stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
+          stale-issue-label: stale
+          remove-issue-stale-when-updated: true
+          days-before-pr-stale: 42
+          days-before-pr-close: 7
+          stale-pr-message: 'This PR is stale because it has been open 42 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
+          close-pr-message: 'This PR was closed because it has been stalled for 7 weeks with no activity.'

.github/workflows/pr.yaml

@@ -0,0 +1,82 @@
+name: Pull request pipeline
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+  link_checker:
+    name: Link checker
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Link Checker
+        uses: lycheeverse/lychee-action@v2.3.0
+        with:
+          args: >-
+            --no-progress
+            --max-retries 2
+            './docs/**/*.md'
+          fail: true
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+  md_linter:
+    name: Lint markdown
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Lint markdown
+        uses: DavidAnson/markdownlint-cli2-action@v19.1.0
+        with:
+          config: '.markdownlint.yaml'
+          globs: 'docs/**/*.md'
+
+  spell_checker:
+    name: Check spelling
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Spell check EN language
+        uses: rojopolis/spellcheck-github-actions@0.47.0
+        with:
+          config_path: .spellcheck-en.yaml
+
+  export_pdf:
+    name: Export PDF
+    runs-on: ubuntu-24.04
+    needs: [link_checker, md_linter, spell_checker]
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Install python
+        uses: actions/setup-python@v5.5.0
+        with:
+          python-version: 3.x
+
+      - name: Install python packages
+        run: |
+          python -m pip install --upgrade pip setuptools wheel
+          pip install mkdocs
+          pip install mkdocs-material 
+          pip install mkdocs-open-in-new-tab
+          pip install mkdocs-with-pdf
+
+      - name: Build
+        run: mkdocs build
+
+      - name: Upload PDF
+        uses: actions/upload-artifact@v4.6.0
+        with:
+          name: pdf-export
+          path: site/OWASP_Developer_Guide.pdf

.github/workflows/release.yaml

@@ -0,0 +1,70 @@
+name: Release docs
+# checks are only on the draft directory because the release directory will be overwritten
+
+on:
+  push:
+    # tagged x.x.x releases as well as release candidates
+    tags:
+      - ?.?.?*
+  workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+  export_pdf:
+    name: Export PDF
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout markdown
+        uses: actions/checkout@v4.2.0
+
+      - name: Install python
+        uses: actions/setup-python@v5.5.0
+        with:
+          python-version: 3.x
+
+      - name: Install python packages
+        run: |
+          python -m pip install --upgrade pip setuptools wheel
+          pip install mkdocs
+          pip install mkdocs-material 
+          pip install mkdocs-open-in-new-tab
+          pip install mkdocs-with-pdf
+
+      - name: Build
+        run: mkdocs build
+
+      - name: Upload PDF
+        uses: actions/upload-artifact@v4.6.0
+        with:
+          name: 'pdf-export'
+          path: 'site/OWASP_Developer_Guide.pdf'
+
+  draft_release:
+    name: Create draft release
+    runs-on: ubuntu-24.04
+    needs: [export_pdf]
+    steps:
+      - name: Check out
+        uses: actions/checkout@v4.2.0
+
+      - name: Fetch prepared SBOM artifacts
+        uses: actions/download-artifact@v4.2.1
+        with:
+          name: 'pdf-export'
+          path: 'site/OWASP_Developer_Guide.pdf'
+
+      - name: Prepare release notes
+        run: |
+          releaseVersion=${{ github.ref_name }}
+          sed -e s/x.x.x/${releaseVersion:1}/g .release-note-template.md > ./release-notes.txt
+
+      - name: Create release notes
+        uses: softprops/action-gh-release@v2.2.0
+        with:
+          draft: true
+          name: "${releaseVersion:1}"
+          append_body: true
+          body_path: ./release-notes.txt
+          generate_release_notes: true
+          files: |
+            site/OWASP_Developer_Guide.pdf

.lycheeignore

@@ -0,0 +1,33 @@
+# ignore these false positives from the link checker housekeeper
+
+# some sites that are examples only, no intention of being real
+myfriend.site.com/
+
+# Lockheed Martin has trouble with SSL certificates, temporarily ignore
+https://www.lockheedmartin.com
+
+# github gets upset if too many requests are made to create new issues
+https://github.com/OWASP/DevGuide/issues/new
+https://github.com/OWASP/DevGuide/pulls
+
+# at times github gets upset full stop
+https://github.com/OWASP/DevGuide
+
+# ignore LINDDUN site because it occasionally times out
+https://www.linddun.org/
+
+# automated access to esapi is forbidden
+https://mvnrepository.com/artifact/org.owasp.esapi/esapi
+
+# do not harass dockerhub
+https://hub.docker.com/r/bkimminich/juice-shop
+https://hub.docker.com/r/pygoat/pygoat
+https://hub.docker.com/r/owasp/threat-dragon/tags
+https://hub.docker.com/r/securityrat/securityrat
+https://hub.docker.com/r/webgoat/webgoat
+
+# Google drive tends to need permissions that the link checker does not have
+https://drive.google.com/
+
+# SAMM training site blocks automated access
+https://owaspsamm.thinkific.com/courses/samm

.release-note-template.md

@@ -0,0 +1,8 @@
+### What's Changed
+
+### PDF version
+
+The [PDF][pdf] version of the [web document][devguide] can be downloaded for version x.x.x .
+
+[devguide]: devguide.owasp.org
+[pdf]: https://github.com/OWASP/threat-dragon/releases/download/vx.x.x/OWASP_Developer_Guide.pdf