Merge pull request #188 from ansible-lockdown/devel

.github standardization

Author: frederickw082922

.github/workflows/add_repo_issue_to_gh_project.yml

@@ -0,0 +1,17 @@
+---
+
+name: Add Repo Issue to ALD GH project
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@main
+        with:
+          project-url: https://github.com/orgs/ansible-lockdown/projects/1
+          github-token: ${{ secrets.ALD_GH_PROJECT }}

.github/workflows/benchmark_tracking_controller.yml

@@ -0,0 +1,54 @@
+---
+
+# GitHub schedules all cron jobs in UTC.
+# ──────────────────────────────────────────────────────────────────────────────
+# Schedule:
+#   - '0 13 * * *' runs at 13:00 UTC every day.
+#   - This corresponds to:
+#       • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov)
+#       • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar)
+#
+# Job routing:
+#   - call-benchmark-tracker:
+#       • Runs on manual dispatch, and on pushes to the 'latest' branch.
+#   - call-monitor-promotions:
+#       • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***.
+#       • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures.
+#
+# Defense-in-depth:
+#   - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it.
+
+name: Central Benchmark Orchestrator
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 13 * * *'  # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time)
+  workflow_dispatch:
+
+jobs:
+  call-benchmark-tracker:
+    # Run on manual dispatch OR when 'latest' branch receives a push
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
+    name: Start Benchmark Tracker
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+
+  call-monitor-promotions:
+    # Run on schedule or manual dispatch, but only for Private-* repos
+    if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-')
+    name: Monitor Promotions and Auto-Promote
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/devel_pipeline_validation.yml

@@ -17,19 +17,17 @@
     # Allow manual running of workflow
     workflow_dispatch:
 
-  # Allow permissions for AWS auth
-  permissions:
-    id-token: write
-    contents: read
-    pull-requests: read
-
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
     welcome:
       runs-on: ubuntu-latest
 
+      permissions:
+        issues: write
+        pull-requests: write
+
       steps:
         - uses: actions/first-interaction@main
           with:
@@ -45,6 +43,13 @@
     playbook-test:
       # The type of runner that the job will run on
       runs-on: self-hosted
+
+      # Allow permissions for AWS auth
+      permissions:
+        id-token: write
+        contents: read
+        pull-requests: read
+
       env:
         ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
         # Imported as a variable by terraform

.github/workflows/export_badges_private.yml

@@ -0,0 +1,27 @@
+---
+
+name: Export Private Repo Badges
+
+# Use different minute offsets with the same hourly pattern:
+# Repo Group Suggested Cron Expression Explanation
+# Group A 0 */6 * * * Starts at top of hour
+# Group B 10 */6 * * * Starts at 10 after
+# And So On
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(github.repository, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest')
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_private.yml@self_hosted
+    with:
+      # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS)
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}

.github/workflows/export_badges_public.yml

@@ -0,0 +1,19 @@
+---
+
+name: Export Public Repo Badges
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.repository_visibility == 'public' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref_name == 'devel' || github.ref_name == 'main')))
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_public.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}