feat(ci): Add Codacy

.devcontainer/Dockerfile

@@ -7,12 +7,19 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 ENV PATH="$PATH:~/.local/bin"
 
 # Install golangci-lint
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl git xz-utils && rm -rf /var/lib/apt/lists/* \
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl git xz-utils pre-commit gitleaks codespell shellcheck nodejs npm && rm -rf /var/lib/apt/lists/* \
     && GOLANGCI_LINT_VERSION=2.6.2 \
     && curl -sSLO "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
-    && tar -xzf golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz -C /tmp \
-    && mv /tmp/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin/golangci-lint \
-    && rm -rf /tmp/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64* golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz
+    && tar -xzf "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" -C /tmp \
+    && mv "/tmp/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" /usr/local/bin/golangci-lint \
+    && rm -rf "/tmp/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64*" "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz"
+
+# Install OpenShift CLI (oc)
+RUN OC_VERSION=latest \
+    && curl -sSL -o /tmp/openshift-client-linux.tar.gz "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz" \
+    && tar -xzf /tmp/openshift-client-linux.tar.gz -C /usr/local/bin oc kubectl \
+    && rm /tmp/openshift-client-linux.tar.gz \
+    && chmod +x /usr/local/bin/oc /usr/local/bin/kubectl
 
 CMD sleep infinity
 

.devcontainer/devcontainer.json

@@ -3,6 +3,11 @@
   "build": {
     "dockerfile": "Dockerfile"
   },
+  "features": {
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+      "moby": false
+    }
+  },
   "postAttachCommand": [
     "/bin/bash",
     ".devcontainer/post-install.sh"

.devcontainer/post-install.sh

@@ -9,7 +9,7 @@ if ! command -v golangci-lint >/dev/null 2>&1; then
 	echo "golangci-lint not found, installing v2 via github release tarball"
 	# We separate update and install to avoid shellcheck SC2015 warnings
 	apt-get update || true
-	apt-get install -y --no-install-recommends ca-certificates curl xz-utils || true
+	apt-get install -y --no-install-recommends ca-certificates curl xz-utils pre-commit gitleaks codespell shellcheck nodejs npm || true
 	GOLANGCI_LINT_VERSION=2.6.2
 	curl -sSLO "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" || true
 	tar -xzf golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz -C /tmp || true

.github/renovate.json5

@@ -5,7 +5,9 @@
         ':dependencyDashboard',
         ':semanticCommits',
         ':maintainLockFilesWeekly',
+        ':pinDigestsDisabled',
     ],
+    pinDigests: true,
     commitMessageTopic: '{{depName}}',
     commitMessageExtra: 'to {{newVersion}}',
     commitMessageSuffix: '',

.github/workflows/codacy.yml

@@ -0,0 +1,48 @@
+name: Codacy Security Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '34 21 * * 0'
+
+permissions:
+  contents: read
+
+jobs:
+  codacy-security-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Codacy Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+      - name: Run Codacy Analysis CLI
+        uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+        with:
+          # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+          # You can also omit the token and run the tools that support default configurations
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          verbose: true
+          output: results.sarif
+          format: sarif
+          # Adjust severity of non-security issues
+          gh-code-scanning-compat: true
+          # Force 0 exit code to allow SARIF file generation
+          # This will handover control about PR rejection to the GitHub side
+          max-allowed-issues: 2147483647
+
+      # Upload the SARIF file generated in the previous step
+      - name: Upload SARIF results file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

.github/workflows/test-controller.yml

@@ -59,3 +59,11 @@ jobs:
         uses: codecov/test-results-action@v1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Upload coverage to Codacy
+        uses: codacy/codacy-coverage-reporter-action@v1.3.0
+        with:
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          coverage-reports: coverage.out
+          language: go
+          force-coverage-parser: go

.gitignore

@@ -32,3 +32,11 @@ tmp/**
 object-lease-operator/bundle/
 object-lease-operator/catalog/
 object-lease-operator/Dockerfile.catalog
+
+
+#Ignore vscode AI rules
+.github/instructions/codacy.instructions.md
+
+
+#Ignore vscode AI rules
+.github\instructions\codacy.instructions.md

object-lease-console-plugin/.gitignore

@@ -0,0 +1 @@
+node_modules/