feat: initial commit

Author: coderbyheart

.envrc.example

@@ -0,0 +1,7 @@
+export AWS_REGION=...                   # AWS region to use, e.g. eu-west-1
+export AWS_DEFAULT_REGION=$AWS_REGION
+export AWS_ACCESS_KEY_ID= ...           # Your AWS Access Key ID
+export AWS_SECRET_ACCESS_KEY=...        # Your AWS Secret Access Key
+# silence warnings because of using a newer Node.js version
+export JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION=1
+export NODE_NO_WARNINGS=1

.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @coderbyheart @pudkrong

.github/workflows/deploy.yaml

@@ -0,0 +1,45 @@
+name: Deploy
+
+permissions:
+  id-token: write
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - saga
+env:
+  CI: 1
+  FORCE_COLOR: 3
+  JSII_SILENCE_WARNING_UNTESTED_NODE_VERSION: 1
+  NODE_NO_WARNINGS: 1
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-22.04
+
+    environment: ci
+
+    timeout-minutes: 5
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          # The role is set up via https://github.com/hello-nrfcloud/ci
+          role-to-assume: |
+            arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_CI }}:role/hello-nrfcloud-ci-${{ github.event.repository.name }}
+          aws-region: ${{ vars.AWS_REGION_CI }}
+
+      - run: npx cdk deploy

.github/workflows/test-and-release.yaml

@@ -0,0 +1,38 @@
+name: Test and Release
+
+permissions:
+  contents: write
+  issues: write
+
+on:
+  push:
+
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Compile TypeScript
+        run: npx tsc
+
+      - name: Check source code with eslint
+        run: npx eslint ./
+
+      - name: Check if source code is properly formatted
+        run: npx prettier -c ./
+
+      - name: Semantic release
+        run: npx semantic-release

.github/workflows/update-repo-info.yaml

@@ -0,0 +1,32 @@
+name: Sync repository info from package.json
+
+env:
+  GITHUB_TOKEN: ${{ secrets.UPDATE_REPO_INFO_PAT }}
+
+on:
+  push:
+    branches:
+      - saga
+    paths:
+      - "package.json"
+      - ".github/workflows/update-repo-info.yaml"
+  workflow_dispatch:
+
+jobs:
+  update_repo_info:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Sync repository description
+        run:
+          gh repo edit --description "`cat package.json | jq -r '.description'`"
+
+      - name: Sync repository topics
+        run:
+          cat package.json | jq '.keywords[]' | xargs -I'{}' gh repo edit
+          --add-topic {}
+
+      - name: Sync homepage
+        run: gh repo edit --homepage "`cat package.json | jq -r '.homepage'`"

.gitignore

@@ -0,0 +1,13 @@
+# This file should only cover artifacts caused by the source code in this
+# repository, not those caused by the personal choice of editor and/or
+# environment of a developer.
+# See adr/002-clean-gitignore.md
+node_modules/
+npm-debug.log
+.swc/
+cdk.out/
+dist/
+.envrc
+/certificates/
+cdk.context.json
+e2e-test-result.json

.husky/commit-msg

@@ -0,0 +1 @@
+npx commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1,2 @@
+npx lint-staged
+npx tsc

.prettierignore

@@ -0,0 +1,2 @@
+dist/
+package-lock.json

CODE_OF_CONDUCT.md

@@ -0,0 +1 @@
+See <https://github.com/bifravst/.github/blob/saga/CODE_OF_CONDUCT.md>

CONTRIBUTING.md

@@ -0,0 +1 @@
+See <https://github.com/bifravst/.github/blob/saga/CONTRIBUTING.md>

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2023-2024, Nordic Semiconductor ASA | nordicsemi.no
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,22 @@
+# `hello.nrfcloud.com` CI
+
+[![GitHub Actions](https://github.com/hello-nrfcloud/backend/workflows/Test%20and%20Release/badge.svg)](https://github.com/hello-nrfcloud/backend/actions/workflows/test-and-release.yaml)
+[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
+[![Renovate](https://img.shields.io/badge/renovate-enabled-brightgreen.svg)](https://renovatebot.com)
+[![@commitlint/config-conventional](https://img.shields.io/badge/%40commitlint-config--conventional-brightgreen)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional)
+[![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg)](https://github.com/prettier/prettier/)
+[![ESLint: TypeScript](https://img.shields.io/badge/ESLint-TypeScript-blue.svg)](https://github.com/typescript-eslint/typescript-eslint)
+
+Sets up the permissions in our AWS CI account for the repositories in this
+GitHub organization that are supposed to have access so they are be able to use
+it for CI runs.
+
+The allowed list of repositories is managed via the
+[`ci` team](https://github.com/orgs/hello-nrfcloud/teams/ci/repositories).
+
+> [!CAUTION]  
+> Do not run this against the production account, but against the CI account.
+
+```bash
+npx cdk deploy
+```

adr/001-use-saga-as-the-main-branch.md

@@ -0,0 +1,17 @@
+# ADR 001: Use saga as the name for the main branch
+
+Historically, Git and other software use terms such as `master/slave`,
+`whitelist/blacklist`, which are based on racial concepts. Their continued use
+maintains the racial stereotypes they depict. Better alternatives in meaning and
+technical correctness exist, like `leader/follower`, `blocklist/allowlist`.
+
+In the Nordic mythology, a `saga` is a long, continuous recollection of stories
+about the history of humans, legends, and Gods. The term `saga` reflects very
+well what happens in a Git repository. Changes happen in branches (some teams
+tie them to _User Stories_, which are sometimes directly or loosely coupled to
+the main branch). Once the changes are finalized, they get added to the main
+branch, or get appended in the case of a rebase. The mental model of a big book
+of stories fits this process very well.
+
+Therefore, the main branch in this project is named `saga`. `master` must not be
+used.

adr/002-clean-gitignore.md

@@ -0,0 +1,8 @@
+# ADR 002: Clean `.gitignore` file
+
+A `.gitignore` file in a project must only cover the artifacts caused by the
+contained source code and not those caused by the personal choice of editor or
+the environment of a developer.
+
+This is explained in detail
+[here](https://github.com/coderbyheart/first-principles/issues/30).

adr/003-use-of-typescript.md

@@ -0,0 +1,12 @@
+# ADR 003: use of TypeScript
+
+This project is developed using [TypeScript](https://www.typescriptlang.org/) (a
+typed superset of JavaScript).
+
+JavaScript is the most popular language according to the
+[2019 Stack Overflow survey](https://insights.stackoverflow.com/survey/2019#technology)
+and it is therefore likely that many developers using the project will be
+familiar with the language concepts and how to use and run it.
+
+Virtually all cloud providers provide their SDKs in JavaScript or TypeScript
+which this project can integrate natively.

adr/README.md

@@ -0,0 +1,8 @@
+# Architecture decision records
+
+This folder contains the architecture decision records (ADRs) for this project.
+
+To know more about ADRs, see
+[Documenting architecture decisions](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions)
+and the video on
+[Communicating and documenting architectural decisions](https://www.youtube.com/watch?v=rwfXkSjFhzc).

cdk.json

@@ -0,0 +1,3 @@
+{
+  "app": "npx tsx --no-warnings cdk/ci.ts"
+}

cdk/CIApp.ts

@@ -0,0 +1,13 @@
+import { App } from 'aws-cdk-lib'
+import { CIStack } from './CIStack.js'
+
+export class CIApp extends App {
+	public constructor(
+		name: string,
+		args: ConstructorParameters<typeof CIStack>[2],
+	) {
+		super()
+
+		new CIStack(this, name, args)
+	}
+}

cdk/CIStack.ts

@@ -0,0 +1,32 @@
+import { App, CfnOutput, Stack } from 'aws-cdk-lib'
+import { RepoPermission } from './RepoPermission.js'
+import type { Repos } from './listRepos.js'
+
+export class CIStack extends Stack {
+	public constructor(
+		parent: App,
+		name: string,
+		{
+			repos,
+			gitHubOICDProviderArn,
+		}: {
+			gitHubOICDProviderArn: string
+			repos: Repos
+		},
+	) {
+		super(parent, name)
+
+		for (const { id, owner, name: repo } of repos) {
+			const perm = new RepoPermission(this, repo, {
+				repository: { id, owner, name: repo },
+				gitHubOICDProviderArn,
+			})
+
+			new CfnOutput(this, `${id}:ciRoleArn`, {
+				exportName: `${name}:${id}:ciRoleArn`,
+				description: `Role ARN to use for running continuous integration tests using GitHub Actions in the repository ${owner}/${repo} (${id})`,
+				value: perm.role.roleArn,
+			})
+		}
+	}
+}

cdk/RepoPermission.ts

@@ -0,0 +1,47 @@
+import { Duration, aws_iam as IAM, Stack } from 'aws-cdk-lib'
+import { Construct } from 'constructs'
+import type { Repository } from './listRepos.js'
+import { sanitize } from './sanitize.js'
+
+export class RepoPermission extends Construct {
+	public readonly role: IAM.IRole
+	constructor(
+		parent: Construct,
+		id: string,
+		{
+			repository,
+			gitHubOICDProviderArn,
+		}: {
+			repository: Repository
+			gitHubOICDProviderArn: string
+		},
+	) {
+		super(parent, id)
+
+		const gitHubOIDC = IAM.OpenIdConnectProvider.fromOpenIdConnectProviderArn(
+			this,
+			'gitHubOICDProvider',
+			gitHubOICDProviderArn,
+		)
+
+		this.role = new IAM.Role(this, 'ghRole', {
+			roleName: `${Stack.of(this).stackName}-${sanitize(repository.name)}`,
+			assumedBy: new IAM.WebIdentityPrincipal(
+				gitHubOIDC.openIdConnectProviderArn,
+				{
+					StringEquals: {
+						[`token.actions.githubusercontent.com:sub`]: `repo:${repository.owner}/${repository.name}:environment:ci`,
+						[`token.actions.githubusercontent.com:aud`]: 'sts.amazonaws.com',
+					},
+				},
+			),
+			description: `This role is used by GitHub Actions to run Continuous Integration Tests ${
+				Stack.of(this).stackName
+			} in the repository ${repository.owner}/${repository.name} (${repository.id}).`,
+			maxSessionDuration: Duration.hours(1),
+			managedPolicies: [
+				IAM.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess'),
+			],
+		})
+	}
+}

cdk/ci.ts

@@ -0,0 +1,23 @@
+import { IAMClient } from '@aws-sdk/client-iam'
+import { ensureGitHubOIDCProvider } from './ensureGitHubOIDCProvider.js'
+import { fromEnv } from '@nordicsemiconductor/from-env'
+import { CIApp } from './CIApp.js'
+import { listRepos } from './listRepos.js'
+
+const { token } = fromEnv({
+	token: 'GITHUB_TOKEN',
+})(process.env)
+
+const repos = await listRepos(token, 'hello-nrfcloud', 'ci')
+for (const repo of repos) {
+	console.debug(`Setting up permissions for ${repo.name} (${repo.id})...`)
+}
+
+const iam = new IAMClient({})
+
+new CIApp('hello-nrfcloud-ci', {
+	gitHubOICDProviderArn: await ensureGitHubOIDCProvider({
+		iam,
+	}),
+	repos,
+})