ci: Add workflows for build, test, and release actions (#699)

Co-authored-by: Ryan Kelly <[email protected]>

.github/workflows/azdev_linter.yml

@@ -0,0 +1,55 @@
+name: "[auto] CLI Command Table Linter"
+on:
+  workflow_call:
+    inputs:
+      continue-on-error:
+        type: boolean
+        required: false
+        default: false
+
+jobs:
+  linter:
+    permissions:
+      contents: read
+    continue-on-error: ${{ inputs.continue-on-error }}
+    name: Evaluate command table
+    runs-on: ubuntu-latest
+    steps:
+    # checkout source (for linter_exclusions)
+    - uses: actions/checkout@v4
+
+    # download built wheel (from ./release_build.yml)
+    - name: Download Wheel
+      uses: actions/download-artifact@v4
+      with:
+        name: azure-iot-cli-ext
+        path: ./extension
+
+    # Install python
+    - uses: actions/setup-python@v5
+      name: Setup python
+      with:
+          python-version: "3.11"
+
+    # Lint
+    - name: azdev linter
+      run: |
+        set -ev
+        pip install virtualenv
+        python -m virtualenv venv/
+        source ./venv/bin/activate
+        git clone --single-branch -b dev https://github.com/Azure/azure-cli.git ../azure-cli
+        pip install azdev
+        azdev --version
+        azdev setup -c ../azure-cli -r ./
+        AZURE_EXTENSION_DIR=~/.azure/cliextensions
+        ARTIFACTS_DIR=./extension
+        WHEELS=$(ls $ARTIFACTS_DIR/*.whl)
+        az --version
+        for i in $WHEELS; do
+          az extension add --source $i -y --debug
+        done
+        cp ./linter_exclusions.yml $AZURE_EXTENSION_DIR/azure-iot/
+        # temp fix for newest azdev v0.1.65
+        cp .pylintrc pylintrc
+        azdev linter --include-whl-extensions azure-iot --min-severity medium

.github/workflows/ci_build.yml

@@ -0,0 +1,23 @@
+name: "[auto] Simple Build"
+on:
+  workflow_call:
+jobs:
+  build:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+            python-version: "3.9"
+      - name: Build Wheel
+        run: |
+          pip install wheel
+          python -m setup bdist_wheel -d dist
+      - name: Upload Wheel Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: dist/*.whl
+          name: azure-iot-cli-ext

.github/workflows/ci_workflow.yml

@@ -0,0 +1,19 @@
+name: CI Build and Test
+permissions:
+  contents: read
+on:
+  pull_request:
+    branches:
+      - dev
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+jobs:
+  build:
+    uses: ./.github/workflows/ci_build.yml
+  test:
+    uses: ./.github/workflows/tox.yml
+  linter:
+    needs: [build]
+    uses: ./.github/workflows/azdev_linter.yml

.github/workflows/codeql.yml

@@ -0,0 +1,29 @@
+name: "[auto] CodeQL-Nightly"
+
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  CodeQL-Build:
+    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: python
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/conventional_pr.yml

@@ -0,0 +1,24 @@
+name: "[auto] Check PR title format"
+on:
+  pull_request:
+    types: [
+        opened,
+        edited,
+        ready_for_review,
+        reopened,
+    ]
+jobs:
+  verify_title:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Verify PR title matches conventional commits specification"
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
+        run: |
+            conventional_regex='^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\(.*\))?: .*$'
+            if [[ "$TITLE" =~ $conventional_regex ]]; then
+                echo "Success!"
+            else
+                echo "Incorrect PR title format" >> $GITHUB_STEP_SUMMARY
+                exit 1
+            fi

.github/workflows/release_build.yml

@@ -0,0 +1,44 @@
+name: "[auto] Build Wheel for Release"
+on:
+  workflow_call:
+
+jobs:
+  build:
+      runs-on: [self-hosted, 1ES.Pool=iotupx-iot-cli-github-hosted-pool, 1ES.ImageOverride=Ubuntu20.04Compliant]
+      permissions:
+        contents: read
+      steps:
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+            python-version: "3.9"
+
+      - uses: actions/checkout@v4
+
+      - name: Build Wheel
+        run: |
+          pip install wheel==0.30.0
+          python -m setup bdist_wheel -d dist
+      - name: Determine Wheel Version
+        run: |
+          wheel=$(find ./dist/*.whl)
+          echo "wheel=$wheel" >> $GITHUB_ENV
+          pip install $wheel
+          version=$(pip show azure_iot | grep Version: | awk '{print $2}')
+          echo "version=$version" >> $GITHUB_ENV
+      - name: Generate SBOM
+        run: |
+          curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/download/v2.2.3/sbom-tool-linux-x64
+          chmod +x $RUNNER_TEMP/sbom-tool
+          $RUNNER_TEMP/sbom-tool generate -b ./dist -bc . -pn "Azure IoT CLI Extension" -pv "${{ env.version }}" -ps Microsoft
+
+      - name: Upload Wheel Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: ${{ env.wheel }}
+          name: azure-iot-cli-ext
+      - name: Upload SBOM Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: dist/_manifest/
+          name: SBOM

.github/workflows/release_workflow.yml

@@ -0,0 +1,58 @@
+name: Build and Publish Release
+run-name: Build and publish release${{ github.event.inputs.github_release == 'true' &&  ' - Stage Release' || ''}}
+on:
+  # only manual trigger
+  workflow_dispatch:
+    inputs:
+      continue-on-error:
+        description: Continue release if pre-checks fail
+        type: boolean
+        required: false
+        default: false
+      github_release:
+        description: Stage github release
+        type: boolean
+        required: false
+        default: false
+jobs:
+  security:
+    permissions:
+      # needed to write security info to repository
+      security-events: write
+      contents: read
+    uses: ./.github/workflows/security_checks.yml
+    with:
+      continue-on-error: ${{ github.event.inputs.continue-on-error == 'true' }}
+  build:
+    uses: ./.github/workflows/release_build.yml
+  unit-test:
+    uses: ./.github/workflows/tox.yml
+    with:
+      continue-on-error: ${{ github.event.inputs.continue-on-error == 'true' }}
+  azdev_linter:
+    needs: [build]
+    uses: ./.github/workflows/azdev_linter.yml
+    with:
+      continue-on-error: ${{ github.event.inputs.continue-on-error == 'true' }}
+  approval:
+    needs: [security, build, unit-test, azdev_linter]
+    # only needed if (release || wheel) - conditionals allow previous jobs to be skipped and still run
+    if:  always() && !cancelled() && !failure() && (github.event.inputs.github_release == 'true')
+    environment: production
+    runs-on: ubuntu-latest
+    steps:
+      - name: Confirm
+        run: |
+          echo "Approved" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ inputs.github_release }}" == "true" ]; then
+            echo "Github release will be drafted." >> $GITHUB_STEP_SUMMARY
+          fi
+  # github_release == 'true'
+  draft_github_release:
+    permissions:
+      # needed to create draft release
+      contents: write
+    needs: [approval]
+    if:  always() && !cancelled() && !failure() && github.event.inputs.github_release == 'true'
+    uses: ./.github/workflows/stage_release.yml
+    secrets: inherit

.github/workflows/security_checks.yml

@@ -0,0 +1,49 @@
+name: "[auto] Security Checks"
+on:
+  workflow_call:
+    inputs:
+      continue-on-error:
+        type: boolean
+        required: false
+        default: false
+
+jobs:
+  sdl:
+    continue-on-error: ${{ inputs.continue-on-error }}
+    name: SDL Compliance Checks
+    runs-on: windows-latest
+    permissions:
+      # needed to write security info to repository
+      security-events: write
+      contents: read
+    steps:
+    - uses: actions/checkout@v4
+
+      # Install dotnet, used by MSDO
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          5.0.x
+          6.0.x
+
+      # Run analyzers
+    - name: Run Microsoft Security DevOps Analysis
+      uses: microsoft/security-devops-action@v1
+      id: msdo
+      env:
+        # file path to analyze
+        GDN_BANDIT_TARGET: 'azext_iot'
+        GDN_BANDIT_RECURSIVE: true
+
+      # Upload alerts to the Security tab
+    - name: Upload alerts to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+
+      # Upload alerts file as a workflow artifact
+    - name: Upload alerts artifact
+      uses: actions/upload-artifact@v4
+      with:  
+        name: alerts
+        path: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/stage_release.yml

@@ -0,0 +1,44 @@
+name: "[auto] Draft Github Release"
+
+on:
+  workflow_call:
+
+jobs:
+  create_draft_release:
+    runs-on: [self-hosted, 1ES.Pool=iotupx-iot-cli-github-hosted-pool, 1ES.ImageOverride=Ubuntu20.04Compliant]
+    permissions:
+      # needed to create a draft release
+      contents: write
+    steps:
+      - name: Download Wheel
+        uses: actions/download-artifact@v4
+        with:
+          name: azure-iot-cli-ext
+          path: ./release
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+            python-version: "3.9"
+      - name: Install and determine version
+        run: |
+          wheel=$(find ./release/*.whl)
+          pip install $wheel
+          version=$(pip show azure_iot | grep Version: | awk '{print $2}')
+          echo "wheel=$wheel" >> $GITHUB_ENV
+          echo "version=$version" >> $GITHUB_ENV
+          echo "tag=v$version" >> $GITHUB_ENV
+      - name: Download SBOM
+        uses: actions/download-artifact@v4
+        with:
+          name: SBOM
+          path: ./release/SBOM
+      - name: Zip SBOM
+        run: zip ./SBOM.zip ./release/SBOM -r
+      - name: Create Release
+        run: |
+          echo tag: "${{ env.tag }}"
+          echo version: "${{ env.version }}"
+          echo wheel: "${{ env.wheel }}"
+          gh release create "${{ env.tag }}" --generate-notes -d -t "azure-iot ${{ env.version }}" "${{ env.wheel }}" "./SBOM.zip#SBOM" --repo "${{ github.repository }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}