Merge branch 'master' into APM-6720-ecr-lifecycle-policy

Author: CLJ2006

.github/actions/scan-secrets/action.yaml

@@ -0,0 +1,10 @@
+name: "Scan secrets"
+description: "Scan secrets"
+runs:
+  using: "composite"
+  steps:
+    - name: "Scan secrets"
+      shell: bash
+      run: |
+        # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
+        check=whole-history ./scripts/githooks/scan-secrets.sh

.gitleaksignore

@@ -0,0 +1,3 @@
+# SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
+
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37

azure/build-prereqs.yml

@@ -4,14 +4,13 @@ parameters:
     default: 'utils'
 
 steps:
-  # - bash: |
-  #     echo "Setting python tool cache path"
-  #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]:/agent/_work/_tool/Python/3.13.7/x64/lib/"
-  #   displayName: 'Set python tool cache path'
   - bash: |
-      PATCH=$(curl -s https://api.github.com/repos/actions/python-versions/releases \
-        | jq -r '[.[] | .tag_name | select(startswith("3.13"))] | .[]' \
-        | sort -V | tail -n 1 | cut -d- -f1)
+      pyversion="3.13"
+      PATCH=$(curl -fsSL https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json \
+        | jq -r --arg pyversion "$pyversion" '[ .[] | select(.stable == true) | .version
+        | select(test("^" + ($pyversion|gsub("\\.";"\\.")) + "\\.\\d+$")) | split(".") | map(tonumber)] | max | join(".")')
+
+      echo "##vso[task.setvariable variable=PY_VER]$PATCH"
       echo "Resolved latest python version: $PATCH"
       echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]/agent/_work/_tool/Python/${PATCH}/x64/lib/"
     displayName: 'Query and set python tool cache path'  
@@ -21,13 +20,13 @@ steps:
     name: UsePy
     displayName: 'Use Python 3.13'
     inputs:
-      versionSpec: '3.13'
+      versionSpec: '$(PY_VER)'
 
-  - bash: |
-      echo "Checking the python version in use to set LD_LIBRARY_PATH"
-      echo "Python location: $(UsePy.pythonLocation)"
-      echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
-    displayName: 'Set LD_LIBRARY_PATH'
+  # - bash: |
+  #     echo "Checking the python version in use to set LD_LIBRARY_PATH"
+  #     echo "Python location: $(UsePy.pythonLocation)"
+  #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
+  #   displayName: 'Set LD_LIBRARY_PATH'
 
 
   - bash: |

azure/cleanup-ecs-pr-proxies.yml

@@ -61,24 +61,26 @@ jobs:
         displayName: cache utils pre-requisites 
 
       - bash: |
-          PATCH=$(curl -s https://api.github.com/repos/actions/python-versions/releases \
-            | jq -r '[.[] | .tag_name | select(startswith("3.13"))] | .[]' \
-            | sort -V | tail -n 1 | cut -d- -f1)
+          pyversion="3.13"
+          PATCH=$(curl -fsSL https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json \
+          | jq -r --arg pyversion "$pyversion" '[ .[] | select(.stable == true) | .version
+          | select(test("^" + ($pyversion|gsub("\\.";"\\.")) + "\\.\\d+$")) | split(".") | map(tonumber)] | max | join(".")')
           echo "Resolved latest python version: $PATCH"
           echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]/agent/_work/_tool/Python/${PATCH}/x64/lib/"
-        displayName: 'Query and set python tool cache path'            
+        displayName: 'Query and set python tool cache path'  
+
 
       - task: UsePythonVersion@0
         name: UsePy
-        displayName: "Use Python 3.13"
+        displayName: 'Use Python 3.13'
         inputs:
-          versionSpec: 3.13
+          versionSpec: '$(PY_VER)'
 
-      - bash: |
-          echo "Checking the python version in use to set LD_LIBRARY_PATH"
-          echo "Python location: $(UsePy.pythonLocation)"
-          echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
-        displayName: 'Set LD_LIBRARY_PATH'
+      # - bash: |
+      #     echo "Checking the python version in use to set LD_LIBRARY_PATH"
+      #     echo "Python location: $(UsePy.pythonLocation)"
+      #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
+      #   displayName: 'Set LD_LIBRARY_PATH'
 
       - bash: |
           make install

azure/common/apigee-build.yml

@@ -143,32 +143,29 @@ jobs:
         parameters:
           service_name: "${{ parameters.service_name }}"
 
-      # - bash: |
-      #     echo "Setting python tool cache path"
-      #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]:/agent/_work/_tool/Python/${{ parameters.python_version }}/x64/lib/"
-      #   displayName: 'Set python tool cache path'
-
       - bash: |
-          PATCH=$(curl -s https://api.github.com/repos/actions/python-versions/releases \
-              | jq -r '[.[] | .tag_name | select(startswith("'"${{ parameters.python_version }}"'"))] | .[]' \
-              | sort -V | tail -n 1 | cut -d- -f1)
+          pyversion=${{ parameters.python_version }}
+          PATCH=$(curl -fsSL https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json \
+          | jq -r --arg pyversion "$pyversion" '[ .[] | select(.stable == true) | .version
+          | select(test("^" + ($pyversion|gsub("\\.";"\\.")) + "\\.\\d+$")) | split(".") | map(tonumber)] | max | join(".")')
+
+          echo "##vso[task.setvariable variable=PY_VER]$PATCH"
           echo "Resolved latest python version: $PATCH"
           echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]/agent/_work/_tool/Python/${PATCH}/x64/lib/"
-        displayName: 'Query and set python tool cache path'      
+        displayName: 'Query and set python tool cache path'  
+
 
       - task: UsePythonVersion@0
         name: UsePy
-        displayName: "Use Python ${{ parameters.python_version }}"
+        displayName: 'Use Python ${{ parameters.python_version }}'
         inputs:
-          versionSpec: ${{ parameters.python_version }}
-
+          versionSpec: '$(PY_VER)'
 
-      - bash: |
-          echo "Checking the python version in use to set LD_LIBRARY_PATH"
-          echo "Python location: $(UsePy.pythonLocation)"
-          echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
-        displayName: 'Set LD_LIBRARY_PATH'
-
+      # - bash: |
+      #     echo "Checking the python version in use to set LD_LIBRARY_PATH"
+      #     echo "Python location: $(UsePy.pythonLocation)"
+      #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
+      #   displayName: 'Set LD_LIBRARY_PATH'
 
       - ${{ each cache_step in parameters.cache_steps }}:
           - ${{ cache_step }}

azure/common/deploy-stage.yml

@@ -125,24 +125,28 @@ stages:
                     aws_account: "${{ parameters.aws_account }}"
 
                 - bash: |
-                    PATCH=$(curl -s https://api.github.com/repos/actions/python-versions/releases \
-                      | jq -r '[.[] | .tag_name | select(startswith("3.13"))] | .[]' \
-                      | sort -V | tail -n 1 | cut -d- -f1)
+                    pyversion="3.13"
+                    PATCH=$(curl -fsSL https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json \
+                    | jq -r --arg pyversion "$pyversion" '[ .[] | select(.stable == true) | .version
+                    | select(test("^" + ($pyversion|gsub("\\.";"\\.")) + "\\.\\d+$")) | split(".") | map(tonumber)] | max | join(".")')
+
+                    echo "##vso[task.setvariable variable=PY_VER]$PATCH"
                     echo "Resolved latest python version: $PATCH"
                     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]/agent/_work/_tool/Python/${PATCH}/x64/lib/"
-                  displayName: 'Query and set python tool cache path' 
+                  displayName: 'Query and set python tool cache path'  
+
 
                 - task: UsePythonVersion@0
                   name: UsePy
-                  displayName: "Use Python 3.13"
+                  displayName: 'Use Python 3.13'
                   inputs:
-                    versionSpec: 3.13
+                    versionSpec: '$(PY_VER)'
 
-                - bash: |
-                    echo "Checking the python version in use to set LD_LIBRARY_PATH"
-                    echo "Python location: $(UsePy.pythonLocation)"
-                    echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
-                  displayName: 'Set LD_LIBRARY_PATH'
+                # - bash: |
+                #     echo "Checking the python version in use to set LD_LIBRARY_PATH"
+                #     echo "Python location: $(UsePy.pythonLocation)"
+                #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
+                #   displayName: 'Set LD_LIBRARY_PATH'
 
                 - template: "../components/set-facts.yml"
                   parameters:

azure/utils-pr-pipeline.yml

@@ -29,31 +29,29 @@ jobs:
     workspace:
       clean: all
     steps:
-      # - bash: |
-      #     echo "Setting python tool cache path"
-      #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]:/agent/_work/_tool/Python/3.13.7/x64/lib/"
-      #   displayName: 'Set python tool cache path'
-
       - bash: |
-          PATCH=$(curl -s https://api.github.com/repos/actions/python-versions/releases \
-              | jq -r '[.[] | .tag_name | select(startswith("3.13"))] | .[]' \
-              | sort -V | tail -n 1 | cut -d- -f1)
+          pyversion="3.13"
+          PATCH=$(curl -fsSL https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json \
+          | jq -r --arg pyversion "$pyversion" '[ .[] | select(.stable == true) | .version
+          | select(test("^" + ($pyversion|gsub("\\.";"\\.")) + "\\.\\d+$")) | split(".") | map(tonumber)] | max | join(".")')
+
+          echo "##vso[task.setvariable variable=PY_VER]$PATCH"
           echo "Resolved latest python version: $PATCH"
           echo "##vso[task.setvariable variable=LD_LIBRARY_PATH;]/agent/_work/_tool/Python/${PATCH}/x64/lib/"
-        displayName: 'Query and set python tool cache path'
+        displayName: 'Query and set python tool cache path'  
 
 
       - task: UsePythonVersion@0
         name: UsePy
         displayName: 'Use Python 3.13'
         inputs:
-          versionSpec: 3.13
+          versionSpec: '$(PY_VER)'
 
-      - bash: |
-          echo "Checking the python version in use to set LD_LIBRARY_PATH"
-          echo "Python location: $(UsePy.pythonLocation)"
-          echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
-        displayName: 'Set LD_LIBRARY_PATH'
+      # - bash: |
+      #     echo "Checking the python version in use to set LD_LIBRARY_PATH"
+      #     echo "Python location: $(UsePy.pythonLocation)"
+      #     echo "##vso[task.setvariable variable=LD_LIBRARY_PATH]$(UsePy.pythonLocation)/lib"
+      #   displayName: 'Set LD_LIBRARY_PATH'
 
       - bash: |
           instance_id="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)"

scripts/config/gitleaks.toml

@@ -0,0 +1,19 @@
+# SEE: https://github.com/gitleaks/gitleaks/#configuration
+
+[extend]
+useDefault = true # SEE: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+
+[[rules]]
+description = "IPv4"
+id = "ipv4"
+regex = '''[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'''
+
+[rules.allowlist]
+regexTarget = "match"
+regexes = [
+  # Exclude the private network IPv4 addresses as well as the DNS servers for Google and OpenDNS
+  '''(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|255\.255\.255\.255|8\.8\.8\.8|8\.8\.4\.4|208\.67\.222\.222|208\.67\.220\.220)''',
+]
+
+[allowlist]
+paths = ['''.terraform.lock.hcl''', '''poetry.lock''', '''yarn.lock''']

scripts/config/pre-commit.yaml

@@ -0,0 +1,40 @@
+repos:
+- repo: local
+  hooks:
+  - id: scan-secrets
+    name: Scan secrets
+    entry: ./scripts/githooks/scan-secrets.sh
+    args: ["check=staged-changes"]
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-file-format
+    name: Check file format
+    entry: ./scripts/githooks/check-file-format.sh
+    args: ["check=staged-changes"]
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-markdown-format
+    name: Check Markdown format
+    entry: ./scripts/githooks/check-markdown-format.sh
+    args: ["check=staged-changes"]
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: check-english-usage
+    name: Check English usage
+    entry: ./scripts/githooks/check-english-usage.sh
+    args: ["check=staged-changes"]
+    language: script
+    pass_filenames: false
+- repo: local
+  hooks:
+  - id: lint-terraform
+    name: Lint Terraform
+    entry: ./scripts/githooks/check-terraform-format.sh
+    language: script
+    pass_filenames: false