gha config files

.editorconfig

@@ -1,20 +1,42 @@
 # see http://editorconfig.org
 root = true
 
- [*]
+[*]
 end_of_line = lf
 trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = space
 indent_size = 2
 charset = utf-8
+tab_width = 4
 
- [*.md]
+[*.md]
 trim_trailing_whitespace = false
 
- [*.py]
+[*.py]
 indent_size = 4
 
- [Makefile]
+[*.xml]
+indent_size = unset
+trim_trailing_whitespace = unset
+insert_final_newline = unset
+
+[go.mod]
+indent_style = tab
+indent_size = 1
+
+[*.go]
 indent_style = tab
 indent_size = 1
+
+[Makefile]
+indent_style = tab
+indent_size = 1
+
+[Makefile.*]
+indent_style = tab
+indent_size = 1
+
+[LICENSE]
+indent_size = none
+trim_trailing_whitespace = unset

.github/dependabot.yml

@@ -1,10 +1,20 @@
 version: 2
 updates:
-- package-ecosystem: github-actions
-  directory: "/"
-  schedule:
-    interval: monthly
-- package-ecosystem: docker
-  directory: "/scripts"
-  schedule:
-    interval: monthly
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+  # Maintain dependencies for dockerfiles
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      docker:
+        patterns:
+          - "*"

.github/workflows/lint.yml

@@ -0,0 +1,11 @@
+name: Run lint and static analyis checks
+on:
+  pull_request:
+
+concurrency:
+  group: lint-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    uses: plus3it/actions-workflows/.github/workflows/lint.yml@93a9326e07945e5441d0fadef735563290edd729

.github/workflows/test.yml

@@ -0,0 +1,42 @@
+name: Run salt tests
+on:
+  pull_request:
+
+concurrency:
+  group: test-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  linux:
+    uses: plus3it/actions-workflows/.github/workflows/test-salt-linux.yml@93a9326e07945e5441d0fadef735563290edd729
+    strategy:
+      matrix:
+        os_version:
+          - 7
+          - 8
+        salt_state:
+          - scap.scan
+        salt_pillar_root:
+          - ./tests/pillar/test-oscap
+          - ./tests/pillar/test-scc
+    with:
+      salt-os-version: ${{ matrix.os_version }}
+      salt-state: ${{ matrix.salt_state }}
+      salt-pillar-root: ${{ matrix.salt_pillar_root }}
+
+  windows:
+    uses: plus3it/actions-workflows/.github/workflows/test-salt-windows.yml@93a9326e07945e5441d0fadef735563290edd729
+    strategy:
+      matrix:
+        os_version:
+          - windows-2019
+          - windows-2022
+        salt_state:
+          - scap.scan
+        salt_pillar_root:
+          - ./tests/pillar/test-oscap
+          - ./tests/pillar/test-scc
+    with:
+      salt-os-version: ${{ matrix.os_version }}
+      salt-state: ${{ matrix.salt_state }}
+      salt-pillar-root: ${{ matrix.salt_pillar_root }}

.gitignore

@@ -13,6 +13,10 @@ $RECYCLE.BIN/
 *.msm
 *.msp
 
+# tardigrade-ci
+.tardigrade-ci
+tardigrade-ci/
+
 # =========================
 # Operating System Files
 # =========================

.mergify.yml

@@ -0,0 +1,15 @@
+pull_request_rules:
+  - name: approve dependabot pull requests
+    conditions:
+      - author=dependabot[bot]
+    actions:
+      review:
+        type: APPROVE
+
+  - name: merge dependabot pull requests
+    conditions:
+      - author=dependabot[bot]
+      - "#approved-reviews-by>=1"
+    actions:
+      merge:
+        method: merge

Dockerfile

@@ -0,0 +1 @@
+FROM plus3it/tardigrade-ci:0.24.11

Makefile

@@ -1,3 +1,5 @@
+include $(shell test -f .tardigrade-ci || curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)
+
 MAKEFLAGS += --no-print-directory
 SHELL := bash
 .SHELLFLAGS := -eu -o pipefail -c

scripts/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:latest@sha256:6120be6a2b7ce665d0cbddc3ce6eae60fe94637c6a66985312d1f02f63cc0bcd
+FROM ubuntu:latest@sha256:ec050c32e4a6085b423d36ecd025c0d3ff00c38ab93a3d71a460ff1c44fa6d77
 
 ARG TMPDIR=/tmp
 ARG DEBIAN_FRONTEND=noninteractive

scripts/build_in_docker.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 set -eu -o pipefail
 
 SCRIPT_DIR="${BASH_SOURCE[0]}"

scripts/build_ssg_content.sh

@@ -21,23 +21,23 @@ exec > >(tee "${DIST_DIR}/build-content.log") 2>&1
 
 # Clone the repo and checkout the latest tag
 git clone "$REPO" "$BUILD_DIR" && pushd "$BUILD_DIR"
-TAG="${SSG_VER:-$(git describe --tags $(git rev-list --tags --max-count=1))}"
+TAG="${SSG_VER:-$(git describe --tags "$(git rev-list --tags --max-count=1)")}"
 echo
 echo "Tag to build: ${TAG}"
 echo
 git checkout "$TAG"
 echo
 
 # Update standard_profiles
-echo "Ensuring ssg content includes required profiles: ${PROFILES[@]}"
+echo "Ensuring ssg content includes required profiles: ${PROFILES[*]}"
 ssg_constants="${BUILD_DIR}/ssg/constants.py"
 for profile in "${PROFILES[@]}"
 do
-  if grep -e 'standard_profiles' "$ssg_constants" | grep -e \'$profile\'; then
+  if grep -e 'standard_profiles' "$ssg_constants" | grep -e \'"$profile"\'; then
     echo "-- Profile $profile already exists.  Will not be added."
   else
     echo "-- Profile $profile was not found. $profile will be added to standard_profiles."
-    sed -i '/standard_profiles = \[/ s/]/,\ '\'$profile\''&/' "$ssg_constants"
+    sed -i '/standard_profiles = \[/ s/]/,\ '\'"$profile"\''&/' "$ssg_constants"
   fi
 done
 echo "Done adding profiles..."
@@ -57,7 +57,7 @@ cmake -G Ninja -DSSG_TARGET_OVAL_MINOR_VERSION:STRING=11 ../
 ninja -j 4 "${MAKE_TARGETS_RHEL[@]}"
 ninja -j 4 "${MAKE_TARGETS_OTHERS[@]}"
 
-cp *-ds.xml *-xccdf.xml *-oval.xml *-cpe-dictionary.xml *-ocil.xml "$DIST_DIR"
+cp ./*-ds.xml ./*-xccdf.xml ./*-oval.xml ./*-cpe-dictionary.xml ./*-ocil.xml "$DIST_DIR"
 
 echo
 echo 'Done building content!'

tests/requirements.txt

@@ -0,0 +1 @@
+salt-minion