feat: introduce a lightweight workflow which utilizes composite actions

.github/actions/appinspect-api/action.yml

@@ -0,0 +1,40 @@
+name: AppInspect
+
+description: >
+  Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
+  the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
+  Uses AppInspect API.
+
+inputs:
+  matrix_tags:
+    required: true
+  SPL_COM_USER:
+    required: true
+  SPL_COM_PASSWORD:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Download artifact
+      uses: actions/download-artifact@v3
+      with:
+        name: package-splunkbase
+        path: build/package/
+
+    - name: AppInspect API
+      uses: splunk/[email protected]
+      with:
+        username: ${{ inputs.SPL_COM_USER }}
+        password: ${{ inputs.SPL_COM_PASSWORD }}
+        app_path: build/package/
+        included_tags: ${{ inputs.matrix_tags }}
+
+    - uses: actions/upload-artifact@v3
+      if: always()
+      with:
+        name: appinspect-api-html-report-${{ inputs.matrix_tags }}
+        path: AppInspect_response.html

.github/actions/appinspect-cli/action.yml

@@ -0,0 +1,44 @@
+name: AppInspect
+
+description: >
+  Performs validation checks on your Splunk app package against a set of standardized criteria to evaluate
+  the app structure, features, security, and adherence to Splunk Cloud Platform requirements.
+  Uses AppInspect CLI.
+
+inputs:
+  matrix_tags:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Download artifact
+      uses: actions/download-artifact@v3
+      with:
+        name: package-splunkbase
+        path: build/package/
+
+    - name: Scan
+      uses: splunk/[email protected]
+      with:
+        app_path: build/package/
+        included_tags: ${{ inputs.matrix_tags }}
+        result_file: appinspect_result_${{ inputs.matrix_tags }}.json
+
+    - name: Upload AppInspect report
+      if: ${{ !cancelled() }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: appinspect_${{ inputs.matrix_tags }}_checks.json
+        path: appinspect_result_${{ inputs.matrix_tags }}.json
+
+    - name: Upload Markdown
+      if: inputs.matrix_tags == 'manual'
+      uses: actions/upload-artifact@v3
+      with:
+        name: check_markdown
+        path: |
+          *_markdown.txt

.github/actions/artifact-registry/action.yml

@@ -0,0 +1,94 @@
+name: Artifact registry
+
+description: Uploads the generated addon build to ghcr.io
+
+inputs:
+  sc4s:
+    required: true
+
+outputs:
+  artifact:
+    value: ${{ steps.artifactid.outputs.result }}
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Download artifact
+      uses: actions/download-artifact@v3
+      with:
+        name: package-splunkbase
+        path: build/package/splunkbase
+
+    - name: Get app ID
+      id: getappid
+      shell: bash
+      run: |
+        appid=$(jq -r '.info.id.name' package/app.manifest)
+        echo appid="$appid"
+        echo "result=$appid" >> "$GITHUB_OUTPUT"
+
+    - name: Download ORAS
+      shell: bash
+      run: |
+        curl -LO https://github.com/oras-project/oras/releases/download/v0.12.0/oras_0.12.0_linux_amd64.tar.gz
+        mkdir -p oras-install/
+        tar -zxf oras_0.12.0_*.tar.gz -C oras-install/
+        mv oras-install/oras /usr/local/bin/
+        rm -rf oras_0.12.0_*.tar.gz oras-install/
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+
+    - name: Login to GitHub Packages Docker Registry
+      uses: docker/[email protected]
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    - name: Docker meta
+      id: meta
+      uses: docker/[email protected]
+      with:
+        images: ghcr.io/${{ github.repository }}
+        tags: |
+          type=semver,pattern=v{{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
+          type=semver,pattern=v{{major}},prefix=${{ steps.getappid.outputs.result }}-
+          type=semver,pattern=v{{version}},prefix=${{ steps.getappid.outputs.result }}-
+          type=semver,pattern={{major}}.{{minor}},prefix=${{ steps.getappid.outputs.result }}-
+          type=semver,pattern={{major}},prefix=${{ steps.getappid.outputs.result }}-
+          type=semver,pattern={{version}},prefix=${{ steps.getappid.outputs.result }}-
+          type=ref,event=branch,prefix=${{ steps.getappid.outputs.result }}-
+          type=ref,event=pr,prefix=${{ steps.getappid.outputs.result }}-
+          type=sha,prefix=${{ steps.getappid.outputs.result }}-
+          type=sha,format=long,prefix=${{ steps.getappid.outputs.result }}-
+
+    - name: Upload artifacts
+      shell: bash
+      run: |
+        tee /tmp/tags &>/dev/null <<EOF
+        ${{ steps.meta.outputs.tags }}
+        EOF
+        pushd build/package/splunkbase/
+        PACKAGE=$(ls ./*)
+        echo "$PACKAGE"
+        mv "$PACKAGE" "${{ steps.getappid.outputs.result }}".spl
+        while IFS= read -r line
+        do
+          echo ">>$line<<"
+          oras push \
+              --manifest-config /dev/null:application/vnd.splunk.ent.package.v1.tar+gzip \
+              "$line" \
+              "${{ steps.getappid.outputs.result }}".spl
+          echo "  complete"
+        done < /tmp/tags
+        popd
+
+    - name: Output artifact locator
+      id: artifactid
+      shell: bash
+      run: |
+        echo "result= ${{ inputs.sc4s }}" >> "$GITHUB_OUTPUT"

.github/actions/build/action.yml

@@ -0,0 +1,179 @@
+name: Build
+
+description: >
+  Creates the UCC build for the addon, generates the SPL file using slim
+  and uploads it to the Github registry
+
+inputs:
+  python_version:
+    required: true
+  SA_GH_USER_NAME:
+    required: true
+  SA_GH_USER_EMAIL:
+    required: true
+  SA_GPG_PRIVATE_KEY:
+    required: true
+  SA_GPG_PASSPHRASE:
+    required: true
+  AWS_ACCESS_KEY_ID:
+    required: true
+  AWS_DEFAULT_REGION:
+    required: true
+  AWS_SECRET_ACCESS_KEY:
+    required: true
+  ucc_modinput_functional:
+    required: true
+  modinput_functional:
+    required: true
+
+outputs:
+  buildname:
+    value: ${{ steps.buildupload.outputs.name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+        # Very Important: semantic-release won't trigger a tagged
+        # build if this is not set to false
+        persist-credentials: false
+
+    - name: Setup python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.7
+
+    - name: Create requirements file for pip
+      shell: bash
+      run: |
+        if [ -f "poetry.lock" ]
+        then
+          echo " poetry.lock found "
+          sudo pip3 install poetry==1.5.1 poetry-plugin-export==1.4.0
+          poetry lock --check
+          poetry export --without-hashes -o requirements.txt
+          if [ "$(grep -cve '^\s*$' requirements.txt)" -ne 0 ]
+          then
+              echo "Prod dependencies were found, creating package/lib folder"
+              mkdir -p package/lib || true
+              mv requirements.txt package/lib
+          else
+              echo "No prod dependencies were found"
+              rm requirements.txt
+          fi
+          poetry export --without-hashes --dev -o requirements_dev.txt
+          cat requirements_dev.txt
+        fi
+
+    - name: Get pip cache dir
+      id: pip-cache
+      shell: bash
+      run: |
+        echo "dir=$(pip cache dir)" >> "$GITHUB_OUTPUT"
+
+    - name: Run Check there are libraries to scan
+      id: checklibs
+      shell: bash
+      run: if [ -f requirements_dev.txt ]; then echo "ENABLED=true" >> "$GITHUB_OUTPUT"; fi
+
+    - name: Run pip cache
+      if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
+      uses: actions/cache@v3
+      with:
+        path: ${{ steps.pip-cache.outputs.dir }}
+        key: ${{ runner.os }}-pip-${{ hashFiles('requirements_dev.txt') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-
+
+    - name: Install deps
+      if: ${{ steps.checklibs.outputs.ENABLED == 'true' }}
+      shell: bash
+      run: pip install -r requirements_dev.txt
+
+    - name: Semantic Release Get Next
+      id: semantic
+      if: github.event_name != 'pull_request'
+      uses: splunk/[email protected]
+      with:
+        dry_run: true
+        git_committer_name: ${{ inputs.SA_GH_USER_NAME }}
+        git_committer_email: ${{ inputs.SA_GH_USER_EMAIL }}
+        gpg_private_key: ${{ inputs.SA_GPG_PRIVATE_KEY }}
+        passphrase: ${{ inputs.SA_GPG_PASSPHRASE }}
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Determine the version to build
+      id: BuildVersion
+      uses: splunk/addonfactory-get-splunk-package-version-action@v1
+      with:
+        SemVer: ${{ steps.semantic.outputs.new_release_version }}
+        PrNumber: ${{ github.event.number }}
+
+    - name: Download THIRDPARTY
+      if: ${{ inputs.python_version }} == '3.7' && github.event_name != 'pull_request' && github.event_name != 'schedule'
+      uses: actions/download-artifact@v3
+      with:
+        name: THIRDPARTY
+
+    - name: Download THIRDPARTY (Optional for PR and schedule)
+      if: ${{ inputs.python_version }} == '3.7' && github.event_name == 'pull_request' || github.event_name == 'schedule'
+      continue-on-error: true
+      uses: actions/download-artifact@v3
+      with:
+        name: THIRDPARTY
+
+    - name: Update Notices
+      if: ${{ inputs.python_version }} == '3.7'
+      shell: bash
+      run: |
+        cp -f THIRDPARTY package/THIRDPARTY || echo "THIRDPARTY file not found (allowed for PR and schedule)"
+
+    - name: Build Package
+      id: uccgen
+      uses: splunk/addonfactory-ucc-generator-action@v2
+      with:
+        version: ${{ steps.BuildVersion.outputs.VERSION }}
+
+    - name: Slim Package
+      if: always() && ${{ inputs.python_version }} == '3.7'
+      id: slim
+      uses: splunk/addonfactory-packaging-toolkit-action@v1
+      with:
+        source: ${{ steps.uccgen.outputs.OUTPUT }}
+
+    - name: Artifact OpenAPI
+      if: ${{ inputs.python_version }} == '3.7' && ${{ !cancelled() && inputs.ucc_modinput_functional == 'true' && inputs.modinput_functional == 'true' }}
+      uses: actions/upload-artifact@v3
+      with:
+        name: artifact-openapi
+        path: ${{ github.workspace }}/${{ steps.uccgen.outputs.OUTPUT }}/static/openapi.json
+
+    - name: Artifact Splunkbase
+      if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
+      uses: actions/upload-artifact@v3
+      with:
+        name: package-splunkbase
+        path: ${{ steps.slim.outputs.OUTPUT }}
+
+    - name: Upload build to S3
+      if: ${{ inputs.python_version }} == '3.7'
+      id: buildupload
+      shell: bash
+      env:
+        AWS_ACCESS_KEY_ID: ${{ inputs.AWS_ACCESS_KEY_ID }}
+        AWS_DEFAULT_REGION: ${{ inputs.AWS_DEFAULT_REGION }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
+      run: |
+        echo "name=$(basename "${{ steps.slim.outputs.OUTPUT }}")" >> "$GITHUB_OUTPUT"
+        basename "${{ steps.slim.outputs.OUTPUT }}"
+        aws s3 cp "${{ steps.slim.outputs.OUTPUT }}" s3://ta-production-artifacts/ta-apps/
+
+    - name: Artifact Splunk parts
+      if: ${{ !cancelled() }} && ${{ inputs.python_version }} == '3.7'
+      uses: actions/upload-artifact@v3
+      with:
+        name: package-deployment
+        path: build/package/deployment**

.github/actions/compliance-copyrights/action.yml

@@ -0,0 +1,14 @@
+name: Compliance copyrights
+
+description: >
+  Reuse compliance check. Analyze third-party dependencies, generate a report,
+  and upload the report as an artifact for further inspection or use.
+
+runs:
+  using: composite
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: REUSE Compliance Check
+      uses: fsfe/[email protected]