[WIP] init

Author: czepiec

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Code owners.
+
+* @czepiec

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,77 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to make participation in our project and our
+community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and
+expression, level of experience, education, socio-economic status, nationality,
+personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, or to ban temporarily or permanently any
+contributor for other behaviors that they deem inappropriate, threatening,
+offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at <[email protected]>. All complaints
+will be reviewed and investigated and will result in a response that is deemed
+necessary and appropriate to the circumstances. The project team is obligated to
+maintain confidentiality with regard to the reporter of an incident. Further
+details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.4, available at
+<https://www.contributor-covenant.org/version/1/4/code-of-conduct.html>.
+
+For answers to common questions about this code of conduct, see
+<https://www.contributor-covenant.org/faq>.
+
+[homepage]: https://www.contributor-covenant.org

.github/actionlint.yaml

@@ -0,0 +1,3 @@
+config-variables:
+- IMAGE_REPOSITORY
+- DOCKERHUB_USERNAME

.github/actionlint_shellcheck.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+set -e
+
+# ShellCheck wrapper for actionlint
+
+exec shellcheck --format=json "--shell=$6" --external-sources -

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: docker
+  directories:
+  - /variants/*
+  schedule:
+    interval: daily
+- package-ecosystem: github-actions
+  directories:
+  - /
+  schedule:
+    interval: daily

.github/workflows/ci-variant.yaml

@@ -0,0 +1,114 @@
+name: CI variants
+run-name: test-run-name-build-test
+on:  # yamllint disable-line rule:truthy
+  workflow_call:
+    inputs:
+      name:
+        description: Variant name
+        required: true
+        type: string
+      filter-tags:
+        description: Regex pattern to filter CloudNativePG PostgreSQL image tags
+        type: string
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+jobs:
+  get-digests:
+    name: Get digests
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    outputs:
+      digests: ${{ steps.get-digests.outputs.digests }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - id: get-digests
+      name: Get digests
+      run: |
+        ./scripts/get_digests.sh
+        digests_json=$(jq -c '.' output/digests.json)
+        printf "digests=%s\n" "${digests_json}" >>"${GITHUB_OUTPUT:?}"
+      env:
+        FILTER_TAGS: ${{ inputs.filter-tags }}
+        COMPARE_REPOSITORY: czetech/cloudnativepg-postgresql
+        COMPARE_TAG_SUFFIX: ${{ inputs.name }}
+    - name: Upload digests to artifacts
+      uses:
+        # yamllint disable-line rule:line-length
+        actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
+      with:
+        name: digests-${{ inputs.name }}
+        path: output
+        if-no-files-found: error
+  image:
+    name: Build image
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: get-digests
+    if: ${{ needs.get-digests.outputs.digests != '[]' }}
+    runs-on: ubuntu-24.04
+    env:
+      IMAGE: ${{ vars.IMAGE_REPOSITORY }}:test
+      POSTGRESQL_DIGEST: ${{ matrix.digest.digest }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - name: Set up QEMU
+      uses:
+        # yamllint disable-line rule:line-length
+        docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf  # v3.2.0
+    - name: Set up Docker Buildx
+      uses:
+        # yamllint disable-line rule:line-length
+        docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349  # v3.7.1
+    - name: Build image
+      uses:
+        # yamllint disable-line rule:line-length
+        docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355  # v6.10.0
+      with:
+        build-args: POSTGRESQL_DIGEST
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        context: variants/${{ inputs.name }}
+        load: true
+        tags: ${{ env.IMAGE }}
+    - name: Lint image with Dockle
+      uses:
+        erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290  # v1.4.0
+      with:
+        image: ${{ env.IMAGE }}
+        dockle-version: 0.4.14
+        accept-keywords: key
+        accept-filenames: >-
+          usr/local/lib/python3.11/dist-packages/azure/core/settings.py,
+          usr/local/lib/python3.9/dist-packages/azure/core/settings.py
+    - name: Scan image with Trivy
+      uses:
+        # yamllint disable-line rule:line-length
+        aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0  # 0.29.0
+      with:
+        image-ref: ${{ env.IMAGE }}
+        format: sarif
+        output: trivy.sarif
+        scanners: vuln,secret,misconfig,license
+    - name: Upload Trivy results
+      uses:
+        # yamllint disable-line rule:line-length
+        github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195  # v3.27.6
+      with:
+        sarif_file: trivy.sarif
+        category: trivy
+    - name: Test image
+      run: "\"./variants/${VARIANT:?}/test_image.sh\""
+      env:
+        VARIANT: ${{ inputs.name }}
+      timeout-minutes: 1
+    strategy:
+      matrix:
+        digest: ${{ fromJSON(needs.get-digests.outputs.digests) }}
+      fail-fast: false

.github/workflows/ci.yaml

@@ -0,0 +1,92 @@
+name: CI
+# run-name: test-run-name-variants
+on:  # yamllint disable-line rule:truthy
+  pull_request: {}
+  push: {}
+  # schedule:
+  # - cron: 0 1 * * *
+  # workflow_dispatch: {}
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+jobs:
+  pre-commit:
+    name: Ensure pre-commit passes
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - name: Run pre-commit
+      uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
+  actions-sha:
+    name: Ensure SHA pinned actions
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - name: Ensure SHA pinned actions
+      uses:
+        # yamllint disable-line rule:line-length
+        zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213  # v3.0.17
+  list-variants:
+    name: List variants
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    outputs:
+      variants: ${{ steps.list-variants.outputs.variants }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - id: get-changed-files
+      name: Get changed files
+      uses:
+        # yamllint disable-line rule:line-length
+        tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf  # v45.0.4
+      with:
+        dir_names: true
+        dir_names_exclude_current_dir: true
+        dir_names_max_depth: "1"
+        matrix: true
+        path: variants
+    - id: list-variants
+      name: List variants
+      run: |
+        ./scripts/list_variants.sh
+        variants_json=$(jq -c '.' output/variants.json)
+        printf "variants=%s\n" "${variants_json}" >>"${GITHUB_OUTPUT:?}"
+      env:
+        FILTER_VARIANTS: >-
+          ${{
+            contains(fromJSON('["pull_request", "push"]'), github.event_name)
+            && steps.get-changed-files.outputs.all_changed_and_modified_files
+          }}
+    - name: Upload variants to artifacts
+      uses:
+        # yamllint disable-line rule:line-length
+        actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
+      with:
+        name: variants
+        path: output
+        if-no-files-found: error
+  variants:
+    name: Variants
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: list-variants
+    if: ${{ needs.list-variants.outputs.variants != '[]' }}
+    uses: ./.github/workflows/ci-variant.yaml
+    with:
+      name: ${{ matrix.variant.name }}
+      filter-tags: ${{ matrix.variant.config.filter-tags }}
+    strategy:
+      matrix:
+        variant: ${{ fromJSON(needs.list-variants.outputs.variants) }}
+      fail-fast: false

.github/workflows/dockerhub-description.yaml

@@ -0,0 +1,29 @@
+name: Docker Hub description
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+    - main
+    paths:
+    - .github/workflows/dockerhub-description.yaml
+    - README.md
+permissions:
+  contents: read
+jobs:
+  update-description:
+    name: Update description
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    environment: dockerhub-description
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - name: Update Docker Hub description
+      uses:
+        # yamllint disable-line rule:line-length
+        peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae  # v4.0.0
+      with:
+        username: ${{ vars.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+        repository: ${{ vars.IMAGE_REPOSITORY }}
+        enable-url-completion: true

.gitignore

@@ -0,0 +1 @@
+/output/

.hadolint.yaml

@@ -0,0 +1 @@
+failure-threshold: style

.markdownlint.yaml

@@ -0,0 +1,23 @@
+MD003:
+  style: atx
+MD004:
+  style: dash
+MD009:
+  strict: true
+MD013:
+  stern: true
+MD029:
+  style: one
+MD046:
+  style: fenced
+MD048:
+  style: backtick
+MD049:
+  style: asterisk
+MD050:
+  style: asterisk
+MD054:
+  collapsed: false
+  url_inline: false
+MD055:
+  style: leading_and_trailing