diff --git a/.github/PULL_REQUEST_TEMPLATE/expectations.md b/.github/PULL_REQUEST_TEMPLATE/expectations.md index dc2dbe3..4a6253e 100644 --- a/.github/PULL_REQUEST_TEMPLATE/expectations.md +++ b/.github/PULL_REQUEST_TEMPLATE/expectations.md @@ -1,36 +1,3 @@ # Script Expectations -## Authors - -### ✔ Code Quality -- Code is readable and follows established style -- Naming is meaningful and consistent -- Has enough comments to be easily understood -- No dead or commented-out code -- Anticipates where mistakes might be made and protects against it - -### ✔ Security -- Inputs are validated and sanitized -- Secrets are handled securely -- Dependencies reviewed - -### ✔ Testing -- Code has been tested and anticipates realistic real-world conditions - -### ✔ Documentation -- The README (or header comments) explaining the script are up to date -- The following are clearly stated: - - Purpose - - Requirements (Compatible OS and Jamf product versions, etc.) - - Installation - - Instructions for use - -## Reviewers - -By approving a Pull Request, you acknowledge that the work: - -- Will be owned and actively maintained by your department -- Will be removed if if becomes obsolete -- Does no exceed the acceptable scope of the OSS policy -- The Jamf Copyright and Source Available license text is included -- Does not use or expose any non-public IP +Please review the release checklist in Confluence prior to submitting a pull request. diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c65bc2a --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,88 @@ +name: "CodeQL Scan (PR-Incremental)" + +on: + pull_request: + paths-ignore: + - '**.md' # ignore docs + +jobs: + detect-changes: + name: Detect PR Languages & Paths + runs-on: ubuntu-latest + outputs: + langs: ${{ steps.detect.outputs.langs }} + paths: ${{ steps.detect.outputs.paths }} + steps: + - name: Checkout PR + uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch full history + + - name: Detect changed languages and folders + id: detect + run: | + SUPPORTED_LANGS="python javascript cpp csharp java go ruby php" + declare -A EXTENSIONS + EXTENSIONS=( + [python]="py" + [javascript]="js ts" + [csharp]="cs" + [go]="go" + [ruby]="rb" + [php]="php" + ) + + DETECTED_LANGS="" + DETECTED_PATHS="" + + # List changed files in the PR + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }}) + + for lang in $SUPPORTED_LANGS; do + for ext in ${EXTENSIONS[$lang]}; do + if echo "$CHANGED_FILES" | grep -E "\.${ext}$" >/dev/null; then + DETECTED_LANGS="$DETECTED_LANGS $lang" + break + fi + done + done + + # Collect directories containing changed files (for path filters) + while read -r file; do + dir=$(dirname "$file") + DETECTED_PATHS="$DETECTED_PATHS $dir" + done <<< "$CHANGED_FILES" + + DETECTED_LANGS=$(echo $DETECTED_LANGS | xargs) # trim + DETECTED_PATHS=$(echo $DETECTED_PATHS | xargs | tr ' ' ',') # comma-separated + + echo "Languages detected: $DETECTED_LANGS" + echo "Paths to analyze: $DETECTED_PATHS" + + echo "langs=$DETECTED_LANGS" >> $GITHUB_OUTPUT + echo "paths=$DETECTED_PATHS" >> $GITHUB_OUTPUT + + codeql: + name: CodeQL Analysis + runs-on: ubuntu-latest + needs: detect-changes + if: needs.detect-changes.outputs.langs != '' + steps: + - name: Checkout PR + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ needs.detect-changes.outputs.langs }} + token: ${{ secrets.GITHUB_TOKEN }} + debug: true + paths: ${{ needs.detect-changes.outputs.paths }} + + 
- name: Build (if necessary) + run: | + # Add build commands here for compiled languages + echo "Build step (optional)" + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 \ No newline at end of file diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml new file mode 100644 index 0000000..2c06a94 --- /dev/null +++ b/.github/workflows/license_check.yml @@ -0,0 +1,53 @@ +name: License Header Check + +on: + pull_request: + push: + branches: [ "main", "master" ] + +jobs: + check-license: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Check for License Headers + run: | + failed=0 + # Find files: .sh, .go, .swift, .py + # Exclude hidden directories/files (like inside .git) + files=$(find . -type f \( -name "*.sh" -o -name "*.go" -o -name "*.swift" -o -name "*.py" \) -not -path '*/.*') + + for file in $files; do + missing_reqs=0 + + # Requirement 1: A line with both "Copyright" and "Jamf" + # We grep for Copyright, then pipe to grep for Jamf to ensure they are on the same line. + if ! grep "Copyright" "$file" | grep -q "Jamf"; then + echo "::error file=$file::Missing 'Copyright' and 'Jamf' on the same line." + missing_reqs=1 + fi + + # Requirement 2: Specific license string + if ! grep -Fq "This work is licensed under the terms of the Jamf Source Available License" "$file"; then + echo "::error file=$file::Missing 'This work is licensed under the terms of the Jamf Source Available License'" + missing_reqs=1 + fi + + # Requirement 3: License URL + if ! grep -Fq "https://github.com/jamf/scripts/blob/main/LICENCE.md" "$file"; then + echo "::error file=$file::Missing 'https://github.com/jamf/scripts/blob/main/LICENCE.md'" + missing_reqs=1 + fi + + if [ $missing_reqs -eq 1 ]; then + failed=1 + fi + done + + if [ $failed -eq 1 ]; then + echo "One or more files are missing required license headers." + exit 1 + else + echo "All scanned files contain the required license headers." + fi 
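Review bot: The workflow declares no `permissions:` block, so the SARIF upload in `github/codeql-action/analyze@v4` depends on the repository's default token scope; add `permissions: { contents: read, security-events: write }` at the top level so the upload works and the token carries nothing else (the explicit `token: ${{ secrets.GITHUB_TOKEN }}` on the init step is the action's default and can be dropped). The change-set computation `git diff --name-only ${{ github.event.before }} ${{ github.sha }}` is fragile on `pull_request`: `github.event.before` is only populated on `synchronize`, so an `opened` PR diffs against nothing, and the usual form is `git diff --name-only "$BASE_SHA" "$HEAD_SHA"` with `${{ github.event.pull_request.base.sha }}` / `${{ github.event.pull_request.head.sha }}` supplied through `env:` rather than interpolated into the script. `DETECTED_LANGS` is joined with spaces, but the `languages:` input of the init action is documented as comma-separated, so pass it through `tr ' ' ','` the same way `DETECTED_PATHS` already is. `SUPPORTED_LANGS` lists `cpp` and `java` while `EXTENSIONS` has no entry for either, so `${EXTENSIONS[$lang]}` expands empty and changes to those languages are never detected. I also could not confirm that `init` accepts a `paths:` input directly (path filters are normally given via the config file or the inline `config:` input), so that filter may be silently ignored and is worth verifying in the run log.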
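Review bot: `for file in $files` word-splits the `find` output on whitespace, so a path containing a space is checked as two non-existent files (each `grep` fails and emits a spurious `::error`) while the real file is never scanned; iterate NUL-delimited instead, `while IFS= read -r -d '' file; do … done < <(find . -type f \( … \) -not -path '*/.*' -print0)`, keeping the loop in the main shell so the `failed=1` assignment survives. The workflow also sets no `permissions:` block; it only reads the checkout, so `permissions: contents: read` at the top level pins the token to least privilege. The three `grep` checks match the required strings anywhere in the file rather than only in a leading header comment, so a script that merely references the licence URL in its body passes — acceptable if intended, but worth stating in the step, e.g. `# NOTE: strings are matched anywhere in the file, not just the header`.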
diff --git a/CODEOWNERS b/CODEOWNERS index 84898fa..571dbd8 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ -* @BIG-RAT @seposium +* @BIG-RAT @seposium -/IT/ @emily-at-jamf -/Services/ @Penning87 -/Support_Success/ @klngbl @nickander \ No newline at end of file +/it/ @emily-at-jamf +/services/ @Penning87 +/support/ @klngbl @nickander \ No newline at end of file diff --git a/IT/place_holder.md b/IT/place_holder.md deleted file mode 100644 index e69de29..0000000 diff --git a/Sales/place_holder.md b/Sales/place_holder.md deleted file mode 100644 index e69de29..0000000 diff --git a/Services/place_holder.md b/Services/place_holder.md deleted file mode 100644 index e69de29..0000000 diff --git a/Support_Success/place_holder.md b/Support_Success/place_holder.md deleted file mode 100644 index e69de29..0000000 diff --git a/it/readme.md b/it/readme.md new file mode 100644 index 0000000..9eb00a2 --- /dev/null +++ b/it/readme.md @@ -0,0 +1 @@ +This directory contains scripts created by Jamf's IT team diff --git a/projects/README.md b/projects/README.md deleted file mode 100644 index f771914..0000000 --- a/projects/README.md +++ /dev/null @@ -1,3 +0,0 @@ -## Projects - -This folder contains a variety of projects related to Jamf's products. Please refer to the readme in each folder for more details. diff --git a/sales/readme.md b/sales/readme.md new file mode 100644 index 0000000..7081291 --- /dev/null +++ b/sales/readme.md @@ -0,0 +1 @@ +This directory contains scripts created by Jamf's Sales Engineering and Consulting Engineers department diff --git a/services/readme.md b/services/readme.md new file mode 100644 index 0000000..20d0202 --- /dev/null +++ b/services/readme.md @@ -0,0 +1 @@ +This directory contains scripts created by Jamf's Professional Services department diff --git a/support/readme.md b/support/readme.md new file mode 100644 index 0000000..003419b --- /dev/null +++ b/support/readme.md 
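Review bot: The new lowercase entries cover `/it/`, `/services/` and `/support/`, but this commit also creates `sales/readme.md` and adds no `/sales/` line, so that tree falls through to the `*` owners only; if the Sales Engineering team should review its own scripts, add `/sales/ @<sales-owner-handle>` (handle is a placeholder). The `*` line is removed and re-added with no visible difference, which suggests a trailing-whitespace or line-ending change — worth confirming, together with the missing final newline the hunk ends on, so the file does not churn again on the next edit.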
@@ -0,0 +1 @@ +This directory contains scripts created by Jamf's Support department