Merge pull request #1 from canonical/IAM-567

Add initial files + rockcraft.yaml

.github/.jira_sync_config.yaml

@@ -0,0 +1,18 @@
+# From https://github.com/canonical/gh-jira-sync-bot#client-side-configuration
+settings:
+  jira_project_key: "IAM"
+  status_mapping:
+    opened: Untriaged
+    closed: done
+  components:
+    - OpenFGA
+  labels:
+    - bug
+    - enhancement
+  add_gh_comment: true
+  sync_description: true
+  sync_comments: true
+  epic_key: "IAM-471"
+  label_mapping:
+    enhancement: Story
+    bug: Bug

.github/workflows/auto-approver.yaml

@@ -0,0 +1,24 @@
+name: auto-approver
+run-name: CI for approving PRs
+
+on:
+  push:
+    branches:
+      - "renovate/**"
+
+jobs:
+  autoapprove:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - name: Approve PR
+        run: |
+          gh pr review --approve || true
+        env:
+          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
+      - name: Enable automerge if required
+        if: startsWith(github.ref_name, 'renovate/auto-')
+        run: |
+          gh pr merge --auto --merge || true
+        env:
+          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}

.github/workflows/build.yaml

@@ -0,0 +1,37 @@
+# Build the rock
+name: Build
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+
+      - name: Get name
+        id: name
+        run: echo "name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+      - uses: canonical/craft-actions/rockcraft-pack@main
+        id: rockcraft
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Create SBOM
+        run: syft ${{ steps.rockcraft.outputs.rock }} -o spdx-json=${{ steps.name.outputs.name }}.sbom.json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        with:
+          name: ${{ steps.name.outputs.name }}-sbom
+          path: "${{ steps.name.outputs.name }}.sbom.json"
+
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
+        with:
+          name: rock
+          path: ${{ steps.rockcraft.outputs.rock }}

.github/workflows/publish.yaml

@@ -0,0 +1,43 @@
+# Publish the rock image to ghcr
+name: Publish
+
+on:
+  workflow_call:
+
+jobs:
+  publish:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@b4bedf8053341df3b5a9f9e0f2cf4e79e27360c6
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install skopeo
+        run: |
+          sudo snap install --devmode --channel edge skopeo
+
+      - name: Install yq
+        run: |
+          sudo snap install yq
+
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+        with:
+          name: rock
+
+      - name: Import and push to github package
+        run: |
+          image_name="$(yq '.name' rockcraft.yaml)"
+          version="$(yq '.version' rockcraft.yaml)"
+          rock_file=$(ls *.rock | tail -n 1)
+          sudo skopeo \
+            --insecure-policy \
+            copy \
+            oci-archive:"${rock_file}" \
+            docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+          docker push ghcr.io/canonical/${image_name}:${version}

.github/workflows/push_any.yaml

@@ -0,0 +1,16 @@
+name: Push (any)
+
+# When pushing to any branch other than "main", we:
+# * build the rock image
+
+on:
+  push:
+    branches-ignore:
+      - "main"
+    paths:
+      - "rockcraft.yaml"
+      - ".github/workflows/**.yaml"
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml

.github/workflows/push_main.yaml

@@ -0,0 +1,27 @@
+name: Push (main)
+
+# When pushing to the "main" branch, we:
+# * build the rock image
+# * publish the image
+# * scan the image and upload the artifacts to the repository
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "rockcraft.yaml"
+      - ".github/workflows/**.yaml"
+  workflow_dispatch:
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+
+  publish:
+    needs: build
+    uses: ./.github/workflows/publish.yaml
+
+  scan:
+    needs: publish
+    uses: ./.github/workflows/scan.yaml

.github/workflows/scan.yaml

@@ -0,0 +1,30 @@
+# Scan the published rock image and upload the results
+name: Scan
+
+on:
+  workflow_call:
+
+jobs:
+  scan:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+
+      - name: Get name and version
+        id: image_info
+        run: |
+          echo "image_name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+          echo "version=$(yq '.version' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/canonical/${{ steps.image_info.outputs.image_name }}:${{ steps.image_info.outputs.version }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload scan results to GitHub
+        uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -0,0 +1,21 @@
+openfga_*.rock
+
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
+
+# VisualStudioCode template
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+
+# Local History for Visual Studio Code
+.history/
+
+# Built Visual Studio Code Extensions
+*.vsix

CODEOWNERS

@@ -0,0 +1 @@
+*       @canonical/identity

CONTRIBUTING.md

@@ -0,0 +1,9 @@
+# Contributing
+
+## Build and deploy
+
+```bash
+rockcraft pack -v
+sudo skopeo --insecure-policy copy oci-archive:./openfga_1.3.3_amd64.rock docker-daemon:openfga:latest
+docker run openfga:latest
+```

renovate.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base",
+    ":disableDependencyDashboard",
+    ":automergeDigest",
+    ":automergePatch",
+    ":automergeMinor",
+    ":rebaseStalePrs",
+    ":semanticCommits",
+    ":semanticCommitScope(deps)",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "automergeType": "pr",
+  "rebaseWhen": "behind-base-branch",
+  "automerge": true,
+  "additionalBranchPrefix": "auto-"
+}

rockcraft.yaml

@@ -0,0 +1,63 @@
+name: openfga
+base: bare
+build-base: ubuntu:22.04
+version: "1.3.3"
+summary: Openfga Authorization Server
+description: |
+  OpenFGA is a flexible Authorization system inspired by Google's Zanzibar, designed for reliability and low latency at scale.
+license: Apache-2.0
+run-user: _daemon_
+platforms:
+  amd64:
+
+services:
+  openfga:
+    override: replace
+    command: openfga run
+    startup: disabled
+checks:
+  up:
+    override: replace
+    level: alive
+    exec:
+      command: grpc_health_probe -addr localhost:8081
+
+
+parts:
+  util:
+    plugin: nil
+    stage-packages:
+      # This is needed to pipe the stdout/stderr to a file for log forwarding
+      - coreutils
+    prime:
+      - usr/bin/tee
+
+  shell:
+    plugin: nil
+    stage-packages:
+      # This is needed to pipe the stdout/stderr to a file for log forwarding
+      - dash
+
+  openfga:
+    plugin: go
+    build-snaps:
+      - go/1.21/stable
+    build-environment:
+      - CGO_ENABLED: 0
+    source: https://github.com/openfga/openfga
+    source-type: git
+    source-tag: v1.3.3
+    override-build: |
+      go build -o ${CRAFT_PART_INSTALL}/bin/openfga ./cmd/openfga
+
+  grpc_health_probe:
+    plugin: go
+    build-snaps:
+      - go/1.21/stable
+    build-environment:
+      - CGO_ENABLED: 0
+    source: https://github.com/grpc-ecosystem/grpc-health-probe
+    source-type: git
+    source-tag: v0.4.21
+    override-build: |
+      go build -a -tags netgo -ldflags=-w -o ${CRAFT_PART_INSTALL}/bin/grpc_health_probe