Add Zizmor support and GitSign verification

.chainguard/source.yaml

@@ -0,0 +1,15 @@
+# Copyright 2022 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+spec:
+  authorities:
+    - keyless:
+        url: https://fulcio.sigstore.dev
+        identities:
+          - subjectRegExp: .+@gmail.com$ # Allow commits signed with Gmail accounts, not ideal, for testing purposes only.
+            issuer: https://github.com/login/oauth
+      ctlog:
+        url: https://rekor.sigstore.dev
+    - key:
+        # Allow commits signed by GitHub.
+        kms: https://github.com/web-flow.gpg

.devcontainer/devcontainer.json

@@ -0,0 +1,71 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/dotnet
+{
+    "name": ".NET Aspire",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "image": "mcr.microsoft.com/devcontainers/dotnet:dev-10.0-noble@sha256:3920807c7304921773b67d3a76bbff5c5d0f3727bea2f014c29d395c41977a08",
+    // From https://containers.dev/features
+    "features": {
+        "ghcr.io/devcontainers/features/powershell:1": {},
+        // Testing
+        "ghcr.io/devcontainers-extra/features/k6:1": {},
+        // Tunneling
+        "ghcr.io/stuartleeks/dev-container-features/dev-tunnels:0": {},
+        // Signing
+        "ghcr.io/devcontainers-extra/features/cosign:1": {},
+        "ghcr.io/devcontainers-extra/features/gitsign:1": {},
+        "ghcr.io/devcontainers-extra/features/gitsign-credential-cache:1": {},
+        // Git hooks
+        "ghcr.io/devcontainers-extra/features/pre-commit:2": {},
+        "ghcr.io/dhoeric/features/trivy:1": {},
+        "ghcr.io/devcontainers-extra/features/upx:1": {},
+        // Containers and Orchestration
+        "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {},
+        "ghcr.io/devcontainers-extra/features/argo-cd:1": {},
+        "ghcr.io/prom3theu5/aspirational-manifests/aspirate:latest": {},
+        "ghcr.io/devcontainers-extra/features/dive:1": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "version": "latest",
+            "enableNonRootDocker": true,
+            "moby": true
+        },
+        // Package managers
+        "ghcr.io/devcontainers-extra/features/mise:1": {},
+        "ghcr.io/devcontainers/features/node:1": {
+            "version": "lts"
+        }
+    },
+
+    "hostRequirements": {
+        "cpus": 4,
+        "memory": "16gb",
+        "storage": "64gb"
+    },
+
+    // Use 'forwardPorts' to make a list of ports inside the container available locally.
+    // "forwardPorts": [5000, 5001],
+    // "portsAttributes": {
+    //		"5001": {
+    //			"protocol": "https"
+    //		}
+    // }
+
+    // Use 'postCreateCommand' to run commands after the container is created.
+    // "postCreateCommand": "dotnet restore",
+    // This is somewhat dangerous
+    "onCreateCommand": "curl -sSL https://aspire.dev/install.sh | bash",
+    "postStartCommand": "dotnet dev-certs https --trust",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "redhat.vscode-yaml",
+                "GitHub.copilot-chat",
+                "GitHub.copilot"
+            ]
+        }
+    },
+    // Configure tool-specific properties.
+    // "customizations": {},
+    // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+    // "remoteUser": "root"
+}

.github/workflows/gitsign-verify.yml

@@ -0,0 +1,23 @@
+name: Verify Commit
+description: This action verifies the PR commit using Gitsign.
+on: [pull_request]
+
+concurrency:
+  group: gitsign-verify
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    name: Verify commit
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
+      - uses: chainguard-dev/actions/setup-gitsign@0cda751b114eb55c388e88f7479292668165602a # v1.0.2
+      - shell: bash
+        run: |
+          gitsign verify --certificate-identity-regexp="^.*@gmail.com$" --certificate-oidc-issuer="https://github.com/login/oauth"

.github/workflows/markdownlint.yml

@@ -14,11 +14,11 @@
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - name: Use Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 22.20.0
     - name: Run Markdownlint
       run: |
         echo "::add-matcher::.github/workflows/markdownlint-problem-matcher.json"

.github/workflows/playwright.yml

@@ -19,7 +19,7 @@
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - uses: actions/setup-dotnet@v4
       with:
         dotnet-version: '10.0.x'

.github/workflows/pr-validation-maui.yml

@@ -20,7 +20,7 @@
   test:
     runs-on: windows-latest    
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup .NET (global.json)
         uses: actions/setup-dotnet@v3
 

.github/workflows/pr-validation.yml

@@ -20,7 +20,7 @@
   test:
     runs-on: ubuntu-latest    
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup .NET (global.json)
         uses: actions/setup-dotnet@v3
       - name: Build 

.github/workflows/zizmor.yml

@@ -0,0 +1,30 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+concurrency:
+  group: zizmor-security-scan
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # write permission to create security alerts
+      # contents: read # only needed for private repos
+      # actions: read # only needed for private repos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0

.github/zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": hash-pin

.pre-commit-config.yaml

@@ -0,0 +1,64 @@
+default_stages:
+  - "pre-commit"
+default_install_hook_types:
+  - "pre-commit"
+  - "commit-msg"
+  - "pre-push"
+  - "post-checkout"
+  - "post-merge"
+
+fail_fast: true
+
+repos:
+  ############################################################################
+  #                         COMMIT MESSAGE TOOLS
+  ############################################################################
+  - repo: local
+    hooks:
+      - id: cocogitto-commit-msg
+        name: Cocogitto verify
+        language: system
+        entry: "cog"
+        args: ["verify", "--file"]
+        stages: [commit-msg]
+        pass_filenames: true
+  ############################################################################
+  #                         SAST & SCA SCANNING TOOLS
+  ############################################################################
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.28.0
+    hooks:
+      - id: gitleaks
+        name: Gitleaks secret detection
+        description: Scan for secrets using gitleaks.
+        args: ["--staged","--redact", "--no-banner", "--platform", "github", "--verbose"]
+        stages: ["pre-commit"]
+  - repo: local
+    hooks:
+      - id: trivy
+        name: Trivy
+        description: Vulnerability and license scan with Trivy
+        language: system
+        entry: trivy
+        args: ["repo", "--scanners", "vuln,license", "--severity", "CRITICAL", "--quiet", "--exit-code", "1", "--disable-telemetry", "."]
+        pass_filenames: false
+        stages: ["pre-commit"]
+  - repo: https://github.com/renovatebot/pre-commit-hooks
+    rev: 41.158.2
+    hooks:
+      - id: renovate-config-validator
+        args: [--strict]
+        stages: ["pre-push"]    
+  ############################################################################
+  #                         IMAGE COMPRESSION TOOLS
+  ############################################################################
+  - repo: https://github.com/oxipng/oxipng
+    rev: v9.1.5
+    hooks:
+      - id: oxipng
+        name: Oxipng compression
+        description: Visually lossless optimization of PNG files.
+        args: ["-o", "4", "--strip", "safe", "--alpha"]
+        pass_filenames: true
+        types: [png]
+        stages: ["pre-push"]

Directory.Build.props

@@ -9,6 +9,8 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <!-- Temporarily disable security warnings for transitive packages. -->
     <NoWarn>NU1901;NU1902;NU1903;NU1904</NoWarn>
+    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
+
   </PropertyGroup>
 
   <!-- Enable OpenAI OpenTelemetry so OpenAI calls participate in tracing and metrics. -->

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "10.0.100-rc.1.25451.107",
+    "version": "10.0.0-rc.2.25502.107",
     "rollForward": "latestFeature",
     "allowPrerelease": true
   }

playwright.config.ts

@@ -86,7 +86,8 @@ export default defineConfig({
   /* Run your local dev server before starting the tests */
   webServer: {
     command: 'dotnet run --project src/eShop.AppHost/eShop.AppHost.csproj',
-    url: 'http://localhost:5045',
+    // url: 'http://localhost:5045',
+    port: 5045,
     reuseExistingServer: !process.env.CI,
     stderr: 'pipe',
     stdout: 'pipe',

renovate.json

@@ -1,11 +1,11 @@
 {
   "extends": [
     "config:recommended",
-    ":semanticCommitScope(deps)"
+    ":semanticCommitScope(deps)",
+    "mergeConfidence:all-badges"
   ],
   "timezone": "Europe/Madrid",
-  "baseBranches": [
-    "main",
+  "baseBranchPatterns": [
     "develop"
   ],
   "labels": [
@@ -14,12 +14,15 @@
   "dependencyDashboard": true,
   "prConcurrentLimit": 6,
   "prHourlyLimit": 2,
+  "minimumReleaseAge": "3 days",
+  "internalChecksFilter": "strict",
   "rangeStrategy": "bump",
   "separateMinorPatch": false,
   "schedule": [
     "before 03:00"
   ],
   "forkProcessing": "enabled",
+  "lockFileMaintenance": { "enabled": true },
   "packageRules": [
     {
       "matchManagers": [
@@ -45,7 +48,7 @@
       "matchDatasources": [
         "github-tags"
       ],
-      "matchPackagePatterns": [
+      "matchPackageNames": [
         "^dotnet/aspire",
         "^dotnet/"
       ],