github · Djubz · Jun 12, 2025 · Jun 12, 2025 · Jun 12, 2025 · Jun 13, 2025
diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # ========================================================
+      #
+      # Step 1: Build your artifacts.
+      #
+      # ========================================================
+      - name: Build artifacts
+        run: |
+            # These are some amazing artifacts.
+            echo "artifact1" > artifact1
+            echo "artifact2" > artifact2
+
+      # ========================================================
+      #
+      # Step 2: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release
diff --git a/.github/workflows/moda-ci.yaml b/.github/workflows/moda-ci.yaml
@@ -1,103 +1,120 @@
-name: docs-internal Moda CI
+# moda-ci.yaml
+# CI pipeline for deploying, testing, and analyzing the docs project.
+# Contact @Djubz for workflow questions.
+# This workflow uses AWS, Docker, Azure, and various code quality/security analysis actions.
 
-# More info on CI actions setup can be found here:
-# https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md
+name: docs-internal Moda CI
 
 on:
-  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
   push:
     branches-ignore:
       - 'gh-readonly-queue/**'
-  merge_group:
-    types: [checks_requested]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+  # Add others only if required (e.g., id-token, attestations)
 
 jobs:
-  ##########################
-  # Generate Vault keys
-  ##########################
-  set-vault-keys:
+  deploy-aws-redis:
+    name: Deploy Amazon Redis DB cluster (ElastiCache)
     runs-on: ubuntu-latest
-    outputs:
-      modified_vault_keys: ${{ steps.modify_vault_keys.outputs.modified }}
     steps:
-      - name: Set vault-keys output
-        id: modify_vault_keys
-        run: |
-          if [ -z "${{ vars.VAULT_KEYS }}" ]; then
-            # We want to add the DOCS_BOT_PAT_BASE to the list of keys
-            # so that builds fetch the secret from the docs-internal vault
-            # where --environment is "ci"
-            echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
-          else
-            echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT
-          fi
-
-  #############
-  # Moda jobs
-  #############
-  moda-config-bundle:
-    if: ${{ github.repository == 'github/docs-internal' }}
-    name: ${{ matrix.ci_job.job }}
-    needs: set-vault-keys
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Deploy Redis with Bitovi Action
+        uses: bitovi/github-actions-deploy-redis-db@v0 # Pin to latest stable tag
+        with:
+          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          # aws_default_region: us-east-1 # Uncomment to override default region
+          # aws_redis_user: redisuser # Using default, omit if not overriding
+          # aws_redis_port: 6379 # Using default, omit if not overriding
+          # aws_redis_multi_az_enabled: false # Enable for HA in production
+          # tf_stack_destroy: # Leave blank to avoid accidental deletions
+          # Add other parameters only as needed, and document why
+
+  build-and-test:
+    name: Build, Test, and Analyze (Node.js)
+    runs-on: ubuntu-latest
     strategy:
-      fail-fast: false
       matrix:
-        ci_job: [{ 'job': 'docs-internal-moda-config-bundle' }]
-    uses: github/internal-actions/.github/workflows/moda.yml@main
-    with:
-      ci-formatted-job-name: ${{ matrix.ci_job.job }}
-      vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
-    secrets:
-      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
-      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
-
-  #############
-  # Docker Image jobs
-  #############
+        node-version: [20.x] # Extendable to multiple versions for testing
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3.9.1
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - name: Install Dependencies
+        run: npm install
+
+      - name: Run Lint & Tests
+        run: |
+          npm run lint
+          npm test
+
+      - name: Upload Build Artifact
+        uses: actions/upload-artifact@v4.6.2
+        with:
+          name: build-artifact
+          path: dist/
+          retention-days: 7
+          if-no-files-found: error
+
+      - name: Download Build Artifact (Example)
+        uses: actions/download-artifact@v4.3.0
+        with:
+          name: build-artifact
+          path: ./downloaded-artifact
+
   docker-image:
-    if: ${{ github.repository == 'github/docs-internal' }}
-    name: ${{ matrix.ci_job.job }}
-    needs: set-vault-keys
-    strategy:
-      fail-fast: false
-      matrix:
-        ci_job: [{ 'job': 'docs-internal-docker-image' }]
-    uses: github/internal-actions/.github/workflows/kube.yml@main
-    with:
-      ci-formatted-job-name: ${{ matrix.ci_job.job }}
-      vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
-      # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
-      attest: true
-      docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
-    secrets:
-      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
-      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
-
-  #############
-  # Docker Security jobs
-  #############
-  docker-security:
-    if: ${{ github.repository == 'github/docs-internal' }}
-    name: ${{ matrix.ci_job.job }}
-    needs: set-vault-keys
-    strategy:
-      fail-fast: false
-      matrix:
-        ci_job: [{ 'job': 'docs-internal-docker-security' }]
-    uses: github/internal-actions/.github/workflows/docker_security.yml@main
-    with:
-      ci-formatted-job-name: ${{ matrix.ci_job.job }}
-      vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }}
-      # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src=<PAT value>
-      docker-build-env-secrets: 'DOCS_BOT_PAT_BASE'
-    secrets:
-      dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }}
-      datadog-api-key: ${{ secrets.DATADOG_API_KEY }}
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-permissions:
-  actions: read
-  checks: read
-  contents: read
-  statuses: read
-  id-token: write
-  attestations: write
+      - name: Docker Build Tag Publish to ECR
+        uses: bitovi/github-actions-docker-ecr-publish@v0.1.0
+        with:
+          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws_ecr_repo_name: my-ecr-repo
+          image_tag: ${{ github.sha }}
+
+  # Example: Security Analysis (with secrets and clear explanation)
+  security-analysis:
+    name: SecureStack Application Composition Analysis
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: SecureStack Analysis
+        uses: SecureStackCo/actions-code@v0.1.1
+        with:
+          securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }}
+          securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }}
+          severity: high
+
+  # Add more jobs as needed, using matrix strategy for repetitive tasks
+
+# Inline documentation for future maintainers:
+# - Only include parameters you wish to override from action defaults.
+# - Use GitHub secrets for sensitive fields.
+# - Expand matrix strategy on jobs (e.g., for multi-version or multi-platform testing).
+# - Use explicit names/paths for artifacts.
+# - Add or remove permissions as needed; start with least privilege.
+# - Use `workflow_dispatch` for manual runs.
+# - Add or adjust triggers as your team/process evolves.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -1,6 +1,15 @@
 {
   "version": "0.2.0",
   "configurations": [
+    {
+      "name": "Launch Program",
+      "program": "${workspaceFolder}/app.js",
+      "request": "launch",
+      "skipFiles": [
+        "<node_internals>/**"
+      ],
+      "type": "node"
+    },
     {
       "type": "node",
       "request": "attach",