Repo File Sync: synced file(s) with microsoft/mu_devops (#152)

2023-02-02 05:09:21 -05:00 · 2023-02-02 05:09:21 -05:00 · 06df12360d
--- a/.azurepipelines/Ubuntu-GCC5.yml
+++ b/.azurepipelines/Ubuntu-GCC5.yml
@ -23,7 +23,7 @@ resources:
      ref: refs/tags/v1.4.2
  containers:
    - container: linux-gcc
-      image: ghcr.io/tianocore/containers/fedora-35-build:2113a0e
+      image: ghcr.io/tianocore/containers/fedora-35-build:5b8a008

 variables:
 - group: architectures-arm-64-x86-64
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -129,6 +129,18 @@ body:
    validations:
      required: true

+  - type: dropdown
+    id: needs_maintainer_feedback
+    attributes:
+      label: Do you need maintainer feedback?
+      description: Indicate if you would like a maintainer to provide feedback on this submission.
+      multiple: false
+      options:
+        - No maintainer feedback needed
+        - Maintainer feedback requested
+    validations:
+      required: true
+
  - type: textarea
    id: anything_else
    attributes:
--- a/.github/ISSUE_TEMPLATE/documentation_request.yml
+++ b/.github/ISSUE_TEMPLATE/documentation_request.yml
@ -41,6 +41,18 @@ body:
    validations:
      required: true

+  - type: dropdown
+    id: needs_maintainer_feedback
+    attributes:
+      label: Do you need maintainer feedback?
+      description: Indicate if you would like a maintainer to provide feedback on this submission.
+      multiple: false
+      options:
+        - No maintainer feedback needed
+        - Maintainer feedback requested
+    validations:
+      required: true
+
  - type: textarea
    id: anything_else
    attributes:
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -84,6 +84,18 @@ body:
    validations:
      required: true

+  - type: dropdown
+    id: needs_maintainer_feedback
+    attributes:
+      label: Do you need maintainer feedback?
+      description: Indicate if you would like a maintainer to provide feedback on this submission.
+      multiple: false
+      options:
+        - No maintainer feedback needed
+        - Maintainer feedback requested
+    validations:
+      required: true
+
  - type: textarea
    id: anything_else
    attributes:
--- a/.github/advanced-issue-labeler.yml
+++ b/.github/advanced-issue-labeler.yml
@ -45,3 +45,10 @@ policy:
            'Someone else needs to make the change',
            'Someone else needs to implement the feature'
            ]
+
+    # Issue Template - Needs Maintainer Feedback Dropdown
+    - id: ['needs_maintainer_feedback']
+      block-list: []
+      label:
+        - name: 'state:needs-maintainer-feedback'
+          keys: ['Maintainer feedback requested']
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -28,6 +28,8 @@ updates:
    schedule:
      interval: "weekly"
      day: "monday"
+      timezone: "America/Los_Angeles"
+      time: "06:00"
    commit-message:
      prefix: "GitHub Action"
    labels:
@ -37,6 +39,8 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+      timezone: "America/Los_Angeles"
+      time: "01:00"
    commit-message:
      prefix: "pip"
    labels:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -12,10 +12,26 @@ For each item, place an "x" in between `[` and `]` if true. Example: `[x]`.
 _(you can also check items in the GitHub UI)_

 - [ ] Impacts functionality?
+  - **Functionality** - Does the change ultimately impact how firmware functions?
+  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
 - [ ] Impacts security?
+  - **Security** - Does the change have a direct security impact on an application,
+    flow, or firmware?
+  - Examples: Crypto algorithm change, buffer overflow fix, parameter
+    validation improvement, ...
 - [ ] Breaking change?
+  - **Breaking change** - Will anyone consuming this change experience a break
+    in build or boot behavior?
+  - Examples: Add a new library class, move a module to a different repo, call
+    a function in a new library class in a pre-existing module, ...
 - [ ] Includes tests?
+  - **Tests** - Does the change include any explicit test code?
+  - Examples: Unit tests, integration tests, robot tests, ...
 - [ ] Includes documentation?
+  - **Documentation** - Does the change contain explicit documentation additions
+    outside direct code modifications (and comments)?
+  - Examples: Update readme file, add feature readme file, link to documentation
+    on an a separate Web page, ...

 ## How This Was Tested

--- a/.github/workflows/scheduled-maintenance.yml
+++ b/.github/workflows/scheduled-maintenance.yml
@ -0,0 +1,59 @@
+# This workflow performs scheduled maintenance tasks.
+#
+# NOTE: This file is automatically synchronized from Mu DevOps. Update the original file there
+#       instead of the file in this repo.
+#
+# NOTE: This file uses reusable workflows. Do not make changes to the file that should be made
+#       in the common/reusable workflows.
+#
+# - Mu DevOps Repo: https://github.com/microsoft/mu_devops
+# - File Sync Settings: https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+name: Scheduled Maintenance
+
+on:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Run every hour - https://crontab.guru/#0_*_*_*_*
+    - cron:  '0 * * * *'
+
+jobs:
+  repo_cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get Repository Info
+        run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
+
+      - name: Prune Won't Fix Pull Requests
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ env.REPOSITORY_NAME }}
+        run: |
+          gh api \
+            -H "Accept: application/vnd.github+json" \
+            /repos/microsoft/${REPOSITORY}/pulls | jq -r '.[]' | jq -rc '.html_url,.labels' | \
+          while read -r html_url ; do
+            read -r labels
+            if [[ $labels == *"state:wont-fix"* ]]; then
+              gh pr close $html_url -c "Closed due to being marked as wont fix" --delete-branch
+            fi
+          done
+
+      - name: Prune Won't Fix Issues
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ env.REPOSITORY_NAME }}
+        run: |
+          gh api \
+            -H "Accept: application/vnd.github+json" \
+            /repos/microsoft/${REPOSITORY}/issues | jq -r '.[]' | jq -rc '.html_url,.labels' | \
+          while read -r html_url ; do
+            read -r labels
+            if [[ $labels == *"state:wont-fix"* ]]; then
+              gh issue close $html_url -c "Closed due to being marked as wont fix" -r "not planned"
+            fi
+          done
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -18,6 +18,11 @@ section of the relevant Project Mu GitHub repo.
 Every Project Mu repo has an `Issues` section. Bug reports, feature requests, and documentation requests can all be
 submitted in the issues section.

+## Security Vulnerabilities
+
+Please review the repos `Security Policy` but in general every Project Mu repo has `Private vulnerability reporting`
+enabled.  Please use the security tab to report a potential issue.  
+
 ### Identify Where to Report

 Project Mu is distributed across multiple repositories. Use features such as issues and discussions in the repository
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,41 @@
+# Project Mu Security Policy
+
+Project Mu is an open source firmware project that is leveraged by and combined into
+other projects to build the firmware for a given product.  We build and maintain this
+code with the intent that any consuming projects can use this code as-is.  If features
+or fixes are necessary we ask that they contribute them back to the project.  **But**, that
+said, in the firmware ecosystem there is a lot of variation and differentiation, and
+the license in this project allows flexibility for use without contribution back to
+Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.  
+
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the most recent release branch (or main).
+For a serious vulnerability we may patch older release branches.
+
+## Additional Notes
+
+Project Mu contains code that is available and/or originally authored in other
+repositories (see <https://github.com/tianocore/edk2> as one such example).  For any
+vulnerability found, we may be subject to their security policy and may need to work
+with those groups to resolve amicably and patch the "upstream".  This might involve 
+additional time to release and/or additional confidentiality requirements.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
+repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).