Merge pull request #8 from adrian207/main

New merge

Author: adrian207

EJBCA---Automated-Lab-Docker/.github/CODEOWNERS

@@ -0,0 +1,33 @@
+# Global owners - all files require review from these users
+* @adrian207
+
+# Terraform files require additional review
+/terraform/ @adrian207
+
+# Security-sensitive files require extra scrutiny
+**/*secret* @adrian207
+**/*key* @adrian207
+**/*password* @adrian207
+**/*credential* @adrian207
+**/*token* @adrian207
+**/*auth* @adrian207
+
+# Infrastructure configuration files
+/kubernetes/ @adrian207
+/helm/ @adrian207
+/argocd/ @adrian207
+
+# CI/CD configuration
+/.github/workflows/ @adrian207
+/.github/ @adrian207
+
+# Documentation
+/docs/ @adrian207
+*.md @adrian207
+
+# Configuration files
+/configs/ @adrian207
+/ansible/ @adrian207
+
+# Scripts
+/scripts/ @adrian207

EJBCA---Automated-Lab-Docker/.github/workflows/branch-protection.yml

@@ -0,0 +1,59 @@
+name: Branch Protection Check
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  branch-protection-check:
+    name: Branch Protection Validation
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      
+      - name: Validate commit messages
+        run: |
+          if [ "${{ github.event_name }}" = "push" ]; then
+            echo "Checking commit messages..."
+            git log --oneline -1 | grep -E "^(feat|fix|docs|style|refactor|test|chore|ci|build|perf|revert)(\(.+\))?: .{1,50}" || {
+              echo "❌ Commit message doesn't follow conventional format"
+              echo "Expected format: type(scope): description"
+              echo "Types: feat, fix, docs, style, refactor, test, chore, ci, build, perf, revert"
+              exit 1
+            }
+            echo "✅ Commit message format is valid"
+          fi
+      
+      - name: Check for secrets
+        run: |
+          echo "Checking for potential secrets..."
+          if command -v detect-secrets &> /dev/null; then
+            detect-secrets scan --baseline .secrets.baseline
+          else
+            echo "⚠️ detect-secrets not available, skipping secret check"
+          fi
+      
+      - name: Validate file permissions
+        run: |
+          echo "Checking file permissions..."
+          find . -name "*.sh" -not -perm -111 | while read file; do
+            echo "❌ Shell script $file is not executable"
+            exit 1
+          done
+          echo "✅ All shell scripts have proper permissions"
+      
+      - name: Check for large files
+        run: |
+          echo "Checking for large files..."
+          find . -type f -size +10M -not -path "./.git/*" | while read file; do
+            echo "❌ Large file detected: $file"
+            echo "Consider using Git LFS for files larger than 10MB"
+            exit 1
+          done
+          echo "✅ No large files detected"

EJBCA---Automated-Lab-Docker/BRANCH-PROTECTION-SETUP.md

@@ -0,0 +1,94 @@
+# GitHub Branch Protection Setup Guide
+
+## 🛡️ Manual Branch Protection Setup
+
+Since GitHub repository rulesets are not available for your repository, follow these steps to manually configure branch protection:
+
+### Step 1: Navigate to Branch Protection Settings
+1. Go to: `https://github.com/adrian207/EJBCA---Automated-Lab/settings/branches`
+2. Click **"Add rule"**
+
+### Step 2: Configure Main Branch Protection
+**Branch name pattern:** `main`
+
+**Enable these options:**
+- ✅ **Require a pull request before merging**
+  - ✅ **Require approvals:** `2`
+  - ✅ **Dismiss stale PR approvals when new commits are pushed**
+  - ✅ **Require review from code owners**
+
+- ✅ **Require status checks to pass before merging**
+  - ✅ **Require branches to be up to date before merging**
+  - **Status checks to require:**
+    - `branch-protection-check`
+    - `terraform-validate`
+    - `security-scanning`
+    - `kubernetes-deploy`
+    - `ansible-lint`
+
+- ✅ **Require conversation resolution before merging**
+- ✅ **Require signed commits**
+- ✅ **Require linear history**
+- ✅ **Do not allow force pushes**
+- ✅ **Do not allow deletions**
+
+### Step 3: Create CODEOWNERS File
+Create a `.github/CODEOWNERS` file to define who can approve changes:
+
+```
+# Global owners
+* @adrian207
+
+# Terraform files require additional review
+/terraform/ @adrian207
+
+# Security-sensitive files
+**/*secret* @adrian207
+**/*key* @adrian207
+**/*password* @adrian207
+**/*credential* @adrian207
+
+# Documentation
+/docs/ @adrian207
+*.md @adrian207
+```
+
+### Step 4: Test the Protection
+After enabling branch protection:
+1. Try to push directly to main - it should be blocked
+2. Create a pull request instead
+3. Verify that status checks are required
+
+## 🔧 Alternative: Use GitHub CLI
+
+If you have GitHub CLI installed, you can use this command:
+
+```bash
+gh api repos/adrian207/EJBCA---Automated-Lab/branches/main/protection \
+  --method PUT \
+  --field required_status_checks='{"strict":true,"contexts":["branch-protection-check","terraform-validate","security-scanning","kubernetes-deploy","ansible-lint"]}' \
+  --field enforce_admins=true \
+  --field required_pull_request_reviews='{"required_approving_review_count":2,"dismiss_stale_reviews":true,"require_code_owner_reviews":true}' \
+  --field restrictions=null
+```
+
+## 📋 Status Check Requirements
+
+Make sure these GitHub Actions workflows are enabled:
+- `branch-protection-check` ✅ (Already created)
+- `terraform-validate` ✅ (Already exists)
+- `security-scanning` ✅ (Already exists)
+- `kubernetes-deploy` ✅ (Already exists)
+- `ansible-lint` ✅ (Already exists)
+
+## 🚨 Troubleshooting
+
+**If status checks don't appear:**
+1. Make sure the GitHub Actions workflows are enabled
+2. Run the workflows manually to generate status check names
+3. Check that workflows are in `.github/workflows/` directory
+
+**If CODEOWNERS doesn't work:**
+1. Make sure the file is in `.github/CODEOWNERS`
+2. Verify the usernames are correct
+3. Check that users have write access to the repository

EJBCA---Automated-Lab-Docker/github-branch-protection.json

@@ -0,0 +1,34 @@
+{
+  "name": "EJBCA Automated Lab Repository Rules",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["main", "develop"]
+    }
+  },
+  "parameters": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "branch-protection-check",
+        "terraform-validate",
+        "security-scanning",
+        "kubernetes-deploy",
+        "ansible-lint"
+      ]
+    },
+    "dismiss_stale_reviews_on_push": true,
+    "require_code_owner_reviews": true,
+    "required_approving_review_count": 2,
+    "require_last_push_approval": true,
+    "required_linear_history": true,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "block_creations": false,
+    "required_conversation_resolution": true,
+    "require_signed_commits": true,
+    "lock_branch": false,
+    "allow_fork_syncing": true
+  }
+}

EJBCA---Automated-Lab-Docker/github-repository-rules.json

@@ -0,0 +1,173 @@
+{
+  "rules": [
+    {
+      "name": "Main Branch Protection",
+      "target": "branch",
+      "enforcement": "active",
+      "conditions": {
+        "ref_name": {
+          "include": ["main"]
+        }
+      },
+      "parameters": {
+        "required_status_checks": {
+          "strict": true,
+          "contexts": [
+            "branch-protection-check",
+            "terraform-validate",
+            "security-scanning",
+            "kubernetes-deploy",
+            "ansible-lint"
+          ]
+        },
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_reviews": true,
+        "required_approving_review_count": 2,
+        "require_last_push_approval": true,
+        "required_linear_history": true,
+        "allow_force_pushes": false,
+        "allow_deletions": false,
+        "block_creations": false,
+        "required_conversation_resolution": true,
+        "require_signed_commits": true,
+        "lock_branch": false,
+        "allow_fork_syncing": true
+      }
+    },
+    {
+      "name": "Develop Branch Protection",
+      "target": "branch",
+      "enforcement": "active",
+      "conditions": {
+        "ref_name": {
+          "include": ["develop"]
+        }
+      },
+      "parameters": {
+        "required_status_checks": {
+          "strict": true,
+          "contexts": [
+            "branch-protection-check",
+            "terraform-validate",
+            "security-scanning"
+          ]
+        },
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_reviews": false,
+        "required_approving_review_count": 1,
+        "require_last_push_approval": false,
+        "required_linear_history": false,
+        "allow_force_pushes": false,
+        "allow_deletions": true,
+        "block_creations": false,
+        "required_conversation_resolution": true,
+        "require_signed_commits": false,
+        "lock_branch": false,
+        "allow_fork_syncing": true
+      }
+    },
+    {
+      "name": "Feature Branch Rules",
+      "target": "branch",
+      "enforcement": "active",
+      "conditions": {
+        "ref_name": {
+          "include": ["feat/*", "feature/*", "bugfix/*", "hotfix/*"]
+        }
+      },
+      "parameters": {
+        "required_status_checks": {
+          "strict": true,
+          "contexts": [
+            "branch-protection-check",
+            "terraform-validate"
+          ]
+        },
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_reviews": false,
+        "required_approving_review_count": 1,
+        "require_last_push_approval": false,
+        "required_linear_history": false,
+        "allow_force_pushes": false,
+        "allow_deletions": true,
+        "block_creations": false,
+        "required_conversation_resolution": true,
+        "require_signed_commits": false,
+        "lock_branch": false,
+        "allow_fork_syncing": true
+      }
+    },
+    {
+      "name": "Pull Request Rules",
+      "target": "pull_request",
+      "enforcement": "active",
+      "conditions": {
+        "ref_name": {
+          "include": ["main", "develop"]
+        }
+      },
+      "parameters": {
+        "required_approving_review_count": 2,
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_reviews": true,
+        "require_last_push_approval": true,
+        "required_linear_history": true,
+        "required_conversation_resolution": true
+      }
+    },
+    {
+      "name": "Commit Message Rules",
+      "target": "tag",
+      "enforcement": "active",
+      "conditions": {},
+      "parameters": {
+        "pattern": "^(feat|fix|docs|style|refactor|test|chore|ci|build|perf|revert)(\\(.+\\))?: .{1,50}",
+        "operator": "regex"
+      }
+    },
+    {
+      "name": "Terraform Files Protection",
+      "target": "path",
+      "enforcement": "active",
+      "conditions": {
+        "ref_name": {
+          "include": ["main", "develop"]
+        }
+      },
+      "parameters": {
+        "rules": [
+          {
+            "name": "Terraform files require review",
+            "paths": {
+              "include": ["terraform/**"]
+            },
+            "required_approving_review_count": 2,
+            "require_code_owner_reviews": true
+          },
+          {
+            "name": "Security-sensitive files",
+            "paths": {
+              "include": [
+                "**/*secret*",
+                "**/*key*",
+                "**/*password*",
+                "**/*credential*",
+                "**/*token*"
+              ]
+            },
+            "required_approving_review_count": 2,
+            "require_code_owner_reviews": true
+          },
+          {
+            "name": "Documentation changes",
+            "paths": {
+              "include": ["docs/**", "*.md"]
+            },
+            "required_approving_review_count": 1,
+            "require_code_owner_reviews": false
+          }
+        ]
+      }
+    }
+  ]
+}