Merge branch 'main' into cira

Author: rsdmike

.devcontainer/devcontainer.json

@@ -3,15 +3,15 @@
 {
 	"name": "Go",
 	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-	"image": "mcr.microsoft.com/devcontainers/go:1-1.23-bullseye",
+	"image": "mcr.microsoft.com/devcontainers/go:dev-1-bullseye",
 	// Features to add to the dev container. More info: https://containers.dev/features.
 	// "features": {},
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	"forwardPorts": [
 		8181
 	],
 	// Use 'postCreateCommand' to run commands after the container is created.
-	"postCreateCommand": "go install github.com/cosmtrek/air@latest"
+	"postCreateCommand": "go install github.com/air-verse/air@v1.62.0"
 	// Configure tool-specific properties.
 	// "customizations": {},
 	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.

.env.example

@@ -1,7 +1,46 @@
-DISABLE_SWAGGER_HTTP_HANDLER=true
-GIN_MODE=release
+# Application
+APP_NAME=console
+APP_REPO=device-management-toolkit/console
+APP_ENCRYPTION_KEY=
+APP_ALLOW_INSECURE_CIPHERS=false
+
+# HTTP Server
+HTTP_HOST=localhost
+HTTP_PORT=8181
+WS_COMPRESSION=false
+HTTP_ALLOWED_ORIGINS=*
+HTTP_ALLOWED_HEADERS=*
+
+# TLS
+# Enable TLS in release if the app terminates TLS itself. If behind an API gateway or LB that provides TLS, set to false.
+HTTP_TLS_ENABLED=true
+# If both are empty and HTTP_TLS_ENABLED=true, the server will generate a self-signed certificate at startup.
+HTTP_TLS_CERT_FILE=
+HTTP_TLS_KEY_FILE=
+
+# Logger
+LOG_LEVEL=info
+
+# Database
+DB_POOL_MAX=2
+DB_URL=
+
+# EA
+EA_URL=http://localhost:8000
+EA_USERNAME=
+EA_PASSWORD=
+
+# Auth
+AUTH_DISABLED=false
+AUTH_ADMIN_USERNAME=standalone
+AUTH_ADMIN_PASSWORD=G@ppm0ym
+AUTH_JWT_KEY=your_secret_jwt_key
+AUTH_JWT_EXPIRATION=24h
+AUTH_REDIRECTION_JWT_EXPIRATION=5m
+AUTH_CLIENT_ID=
+AUTH_ISSUER=GIN_MODE=release
 # DB_URL=postgres://postgresadmin:admin123@localhost:5432/rpsdb
 # OAUTH CONFIGURATION
-AUTH_CLIENT_ID=""
+AUTH_CLIENT_ID=
 # ex. "https://login.microsoftonline.com/<tenant-id>/v2.0 for Azure Entra -- used for discovery
-AUTH_ISSUER="" 
+AUTH_ISSUER=

.github/.golangci.yml

@@ -0,0 +1,5 @@
+# This file defines the code owners for the console repository
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default owners for the entire repository
+* @device-management-toolkit/owner-open-amt-cloud-toolkit

.github/CODEOWNERS

@@ -35,11 +35,10 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@3dfdce20f5ca12d264c214abb993dbb40834da90 # v2.7.2
+        uses: reviewdog/action-golangci-lint@f9bba13753278f6a73b27a56a3ffb1bfda90ed71 # v2.7.2
         with:
           fail_level: error
-          golangci_lint_version: v1.64.8 # pin golangci-lint version
-          golangci_lint_flags: "--config=.github/.golangci.yml ./..."
+          golangci_lint_flags: "--config=./.golangci.yml ./..."
 
   yamllint:
     name: runner / yamllint
@@ -93,14 +92,43 @@ jobs:
           base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
           head-ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
+  devcontainer:
+    name: runner / devcontainer
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Install Dev Container CLI
+        run: npm install -g @devcontainers/cli@0.67.0
+      - name: Build dev container definition
+        run: devcontainer build --workspace-folder .
+      - name: Start dev container
+        run: devcontainer up --workspace-folder . --remove-existing-container
+      - name: Verify dev container command execution
+        run: devcontainer exec --workspace-folder . -- bash -lc "go version && air -v"
+      - name: Cleanup dev container
+        if: always()
+        run: |
+          CONTAINER_IDS=$(docker ps -aq --filter "label=devcontainer.local_folder=$(pwd)")
+          if [ -n "$CONTAINER_IDS" ]; then
+            docker rm -f $CONTAINER_IDS
+          fi
+          VOLUME_IDS=$(docker volume ls -q --filter "label=devcontainer.local_folder=$(pwd)")
+          if [ -n "$VOLUME_IDS" ]; then
+            docker volume rm $VOLUME_IDS
+          fi
+
   tests:
     name: runner / build and tests
     runs-on: ubuntu-latest
     strategy:
       matrix:
         go-version: [1.23.x, 1.24.x]
-        os:
-          [windows-2019, windows-2022, ubuntu-22.04, ubuntu-24.04]
+        os: [windows-2019, windows-2022, ubuntu-22.04, ubuntu-24.04]
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2

.github/workflows/ci.yml

@@ -173,7 +173,54 @@ jobs:
           path: dist/windows
           key: windows-${{ env.sha_short }}
           enableCrossOsArchive: true
+      
+      # Generate licenses.zip
+      - name: Use Node.js 22.x
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: 22.x
+
+      # Pin Go only for license generation
+      - name: Use Go 1.25.1 for license scan
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+        with:
+          go-version: "1.25.1"
+          check-latest: true
+      - name: Pin toolchain for this step
+        run: |
+          go version
+          go env -w GOTOOLCHAIN=local
+
+      - name: Checkout Sample Web UI for license scan
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: device-management-toolkit/sample-web-ui
+          ref: main
+          path: ./temp
 
+      - name: Generate Go Licenses
+        run: |
+          go install github.com/google/go-licenses/v2@v2.0.1
+          mkdir -p licenses
+          if ! "$(go env GOPATH)"/bin/go-licenses save ./... --save_path=./licenses/consoledependencies; then
+            echo "Failed to generate Go licenses"
+            exit 1
+          fi
+
+      - name: Generate Web UI Licenses
+        working-directory: ./temp
+        run: |
+          npm ci
+          npm install -g license-checker-rseidelsohn@4.4.2
+          mkdir -p ../licenses/webuidependencies
+          if ! license-checker-rseidelsohn --plainVertical --out ../licenses/webuidependencies/webui_dependencies.txt; then
+            echo "Failed to generate Web UI licenses"
+            exit 1
+          fi
+
+      - name: Create licenses.zip
+        run: zip -r licenses.zip licenses
+      
       - name: Docker Login
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -183,6 +230,7 @@ jobs:
           logout: true
 
       - name: Semantic Release
+        id: semantic-release
         uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # v4.1.1
         if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
         with:
@@ -194,3 +242,40 @@ jobs:
             @semantic-release/exec@6.0.3
         env:
           GITHUB_TOKEN: ${{ secrets.ROSIE_TOKEN }}
+
+      - name: Check if OpenAPI files changed
+        id: check-openapi-changes
+        run: |
+          git fetch origin main:main
+          if git diff --name-only main HEAD | grep -q '^internal/controller/openapi/'; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          else
+            echo "changed=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Generate OpenAPI specification
+        if: steps.semantic-release.outputs.new_release_published == 'true' && steps.check-openapi-changes.outputs.changed == 'true'
+        run: |
+          GIN_MODE=debug go run ./cmd/app/main.go
+
+      - name: Verify OpenAPI spec was generated
+        run: |
+          if [ ! -f "doc/openapi.json" ]; then
+            exit 1
+          fi
+          head -20 doc/openapi.json
+
+      - name: Push to SwaggerHub
+        if: vars.SWAGGERHUB_OWNER != '' && vars.SWAGGERHUB_API_NAME != ''
+        env:
+          SWAGGERHUB_API_KEY: ${{ secrets.SWAGGERHUB_API_KEY }}
+          SWAGGERHUB_OWNER: ${{ vars.SWAGGERHUB_OWNER }}
+          API_NAME: ${{ vars.SWAGGERHUB_API_NAME }}
+          API_VERSION: ${{ steps.semantic-release.outputs.new_release_version }}
+        run: |
+          echo "Pushing OpenAPI spec to SwaggerHub with version ${{ steps.semantic-release.outputs.new_release_version }}..."
+          curl -X POST "https://api.swaggerhub.com/apis/${SWAGGERHUB_OWNER}/${API_NAME}/${API_VERSION}" \
+            -H "Authorization: ${SWAGGERHUB_API_KEY}" \
+            -H "Content-Type: application/json" \
+            --data-binary @doc/openapi.json \
+            --fail

.github/workflows/release.yml

@@ -34,4 +34,6 @@ vendor/
 # ...ignore the ui folder
 **/ui/*
 # ...but keep the folder
-!**/ui/.gitkeep
+!**/ui/.gitkeep
+# Documentation files
+doc/openapi.json