initial setup

.github/CONTRIBUTING.md

@@ -0,0 +1,3 @@
+Please review [EIP-1](https://eips.ethereum.org/EIPS/eip-1) for guidelines.
+
+<!-- RATIONALE FOR THIS FILE: IT IS DISPLAYED WHEN YOU CREATE AN ISSUE OR MAKE A PR -->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Do you want to discuss ideas or ask questions about the process?
+    url: https://forum.openzeppelin.com/
+    about: Use the OpenZeppelin forum for related discussion!

.github/checkov.yml

@@ -0,0 +1,8 @@
+---
+# You can see all available properties here: https://github.com/bridgecrewio/checkov#configuration-using-a-config-file
+quiet: true
+skip-check:
+  # GHA7 errors on custom Action triggers that we have in our repo.
+  - CKV_GHA_7
+  # CKV2_GHA_1 errors on custom workflows that are not using write-all.
+  - CKV2_GHA_1

.github/cspell.json

@@ -0,0 +1,91 @@
+{
+  "version": "0.2",
+  "language": "en",
+  "ignorePaths": [
+    "**/node_modules/**",
+    "**/vscode-extension/**",
+    "**/.git/**",
+    "**/.github/**",
+    ".vscode",
+    "package-lock.json",
+    "**/*.docx",
+    ".gitignore"
+  ],
+  "ignoreRegExpList": [
+    "/[0-9a-f]{8}.js/gi",
+    "/[0-9a-f]{8}\\_ABI.json/gi",
+    "/0x[0-9a-f]{40}/gi",
+    "/Qm[0-9a-zA-Z]{44}/g",
+    "/bafy[0-9a-zA-Z]{40}[0-9a-zA-Z]+/g"
+  ],
+  "words": [
+    "arbitrum",
+    "autotask",
+    "autotasks",
+    "awilix",
+    "bignumber",
+    "bytecode",
+    "checksummed",
+    "collateralization",
+    "collateralized",
+    "creds",
+    "fauceteer",
+    "forta",
+    "hashrate",
+    "ierc",
+    "infile",
+    "ipfs",
+    "keyfile",
+    "kvstore",
+    "liquidatable",
+    "markdownlint",
+    "multicall",
+    "newstake",
+    "nodebuffer",
+    "nomicfoundation",
+    "openxml",
+    "pausable",
+    "permissionless",
+    "plusplus",
+    "polygonfork",
+    "proselint",
+    "proselintrc",
+    "reentrancy",
+    "secretlintrc",
+    "ssot",
+    "struct",
+    "timelock",
+    "undercollateralized",
+    "wmatic",
+    "zipfile",
+    "rollup",
+    "backoff",
+    "calldatas",
+    "volatilities",
+    "stablecoins",
+    "axios",
+    "TYPEHASH",
+    "predelay",
+    "Srcs",
+    "remappings",
+    "eusdc",
+    "Unitroller",
+    "AAVE",
+    "USDP",
+    "proxied",
+    "Clonable",
+    "CUSDC",
+    "Blacklister",
+    "SNOWTRACE",
+    "POLYGONSCAN",
+    "ARBISCAN",
+    "LINEASCAN",
+    "BASESCAN",
+    "peersky",
+    "configurator",
+    "bulker",
+    "CCTP",
+    "usdbc"
+  ],
+  "flagWords": []
+}

.github/gitleaks.toml

@@ -0,0 +1,25 @@
+
+title = "gitleaks config"
+
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+description = "Allowlisted files"
+paths = [
+  '''.automation/test''',
+  '''megalinter-reports''',
+  '''.github/linters''',
+  '''node_modules''',
+  '''.mypy_cache''',
+  '''(.*?)gitleaks\.toml$''',
+  '''(.*?)\.(png|jpg|gif|doc|docx|pdf|bin|xls|pyc|zip)$''',
+  '''(go.mod|go.sum)$''',
+  '''(.*?)\.spec\.js$''',
+  '''defender-components/tests/utils'''
+]
+regexes = [
+  '''0x[0-9a-fA-F]{40}''',
+]

.github/labeler.yml

@@ -0,0 +1,6 @@
+release:
+  - head-branch: ["changeset-release/main"]
+staging:
+  - base-branch: "staging"
+prod:
+  - base-branch: "main"

.github/markdown-link-check.json

@@ -0,0 +1,19 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "^https://reqbin.com/req/"
+    },
+    {
+      "pattern": "^https://github.com/openzeppelin/compound-monitoring-v3/actions"
+    },
+    {
+      "pattern": "^https://github.com/openzeppelin/compound-monitoring-v3/workflows"
+    },
+    {
+      "pattern": "^https://faucet.polygon.technology/"
+    }
+  ],
+  "retryOn429": true,
+  "retryCount": 5,
+  "aliveStatusCodes": [200, 203]
+}

.github/markdownlint.json

@@ -0,0 +1,17 @@
+{
+  "MD004": false,
+  "MD007": {
+    "indent": 2
+  },
+  "MD013": {
+    "line_length": 400
+  },
+  "MD026": {
+    "punctuation": ".,;:!。，；:"
+  },
+  "MD029": false,
+  "MD033": false,
+  "MD036": false,
+  "MD041": false,
+  "blank_lines": false
+}

.github/proselintrc.json

@@ -0,0 +1,5 @@
+{
+  "checks": {
+    "typography.symbols": false
+  }
+}

.github/secretlintrc.json

@@ -0,0 +1,7 @@
+{
+  "rules": [
+    {
+      "id": "@secretlint/secretlint-rule-preset-recommend"
+    }
+  ]
+}

.github/setup/action.yml

@@ -0,0 +1,23 @@
+name: Setup
+description: "Set up the node environment"
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@v3
+      with:
+        node-version: lts/*
+    - name: Get yarn cache directory path
+      shell: bash
+      id: yarn-cache-dir-path
+      run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+    - name: Restore yarn cache
+      uses: actions/cache@v3
+      id: cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
+      with:
+        path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+        key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-yarn-
+    - name: Install dependencies
+      run: yarn install --frozen-lockfile
+      shell: bash

.github/workflows/labeler.yml

@@ -0,0 +1,12 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5

.github/workflows/megalinter.yml

@@ -0,0 +1,149 @@
+---
+# MegaLinter GitHub Action configuration file
+# More info at https://megalinter.github.io
+name: MegaLinter
+
+# yamllint disable-line rule:truthy
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [master, main, staging]
+    types: [opened, reopened, labeled, synchronize]
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+env: # Comment env block if you do not want to apply fixes
+  # Apply linter fixes configuration
+  APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
+  APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
+  APPLY_FIXES_MODE: pull_request # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR ()
+  PRINT_ALL_FILES: true
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      statuses: write
+      pull-requests: write
+      contents: write
+
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        # More info at https://megalinter.github.io/flavors/
+        uses: oxsecurity/megalinter/flavors/javascript@v6
+        env:
+          # https://megalinter.github.io/configuration/
+          VALIDATE_ALL_CODEBASE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          # CUSTOM SETTINGS FOR MEGALINTER
+          REPORT_OUTPUT_FOLDER: megalinter-reports
+          FORMATTERS_DISABLE_ERRORS: true # Treat formatting as a warning
+          DISABLE: COPYPASTE # Disable categories of linters
+          DISABLE_LINTERS: JAVASCRIPT_STANDARD,REPOSITORY_TRIVY
+
+          SHOW_ELAPSED_TIME: true
+          FILEIO_REPORTER: false
+
+          # eslint
+          JAVASCRIPT_ES_CONFIG_FILE: ./eslintrc.js
+          # cspell settings
+          SPELL_CSPELL_CONFIG_FILE: .github/cspell.json
+          SPELL_CSPELL_DISABLE_ERRORS: true # Treat misspellings as a warning
+          # proselint settings
+          SPELL_PROSELINT_CONFIG_FILE: .github/proselintrc.json
+          SPELL_PROSELINT_DISABLE_ERRORS: true # Treat misspellings as a warning
+          # markdownlint
+          MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/markdownlint.json
+          # markdown link check
+          MARKDOWN_MARKDOWN_LINK_CHECK_CONFIG_FILE: .github/markdown-link-check.json
+          MARKDOWN_MARKDOWN_LINK_CHECK_DISABLE_ERRORS: true # Treat dead links as a warning
+          # checkov settings
+          REPOSITORY_CHECKOV_CONFIG_FILE: .github/checkov.yml
+          REPOSITORY_CHECKOV_DISABLE_ERRORS: true # Disable errors until we decide how to handle this one.
+          # secretlint settings
+          REPOSITORY_SECRETLINT_CONFIG_FILE: .github/secretlintrc.json
+          REPOSITORY_SECRETLINT_ARGUMENTS: --secretlintignores "**/megalinter-reports/**"
+          # Other linters
+          REPOSITORY_GIT_DIFF_DISABLE_ERRORS: true
+          COPYPASTE_JSCPD_DISABLE_ERRORS: true
+          ACTION_ACTIONLINT_FILTER_REGEX_EXCLUDE: (defender-sentinel-deployer.yml)
+          REPOSITORY_GITLEAKS_CONFIG_FILE: .github/gitleaks.toml
+          YAML_V8R_FILTER_REGEX_EXCLUDE: serverless|\.github/
+          # code style
+          JAVASCRIPT_DEFAULT_STYLE: prettier
+          TYPESCRIPT_DEFAULT_STYLE: prettier
+          JAVASCRIPT_PRETTIER_CONFIG_FILE: .prettierrc.js
+          TYPESCRIPT_PRETTIER_CONFIG_FILE: .prettierrc.js
+          YAML_PRETTIER_CONFIG_FILE: .prettierrc.js
+          JSON_PRETTIER_CONFIG_FILE: .prettierrc.js
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        if: ${{ success() }} || ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+
+      # Create pull request if applicable
+      # Note: This step will fail if megalinter tries to modify any file in the .github/workflow
+      # directory. Github has a protection that workflows can't modify workflows. Please fix those
+      # files manually.
+      - name: Restore Workflow and github_conf Directories
+        if: ${{ always() }}
+        run: |
+          git restore .github/workflows/*.yml
+          sudo rm -rf github_conf
+
+      - name: Create Pull Request with applied fixes
+        id: cpr
+        if: ${{ always() }}
+        # Use head_ref when PR is created and ref_name when manually run
+        env:
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linter automatic fixes"
+          title: "[MegaLinter] Fixes for ${{ env.BRANCH_NAME }}"
+          labels: bot
+          base: ${{ env.BRANCH_NAME }}
+          branch: auto-fix/${{ env.BRANCH_NAME }}
+          delete-branch: true # Deletes temp branch after close or merge.
+
+      - name: Update PR status
+        if: ${{ success() }}
+        # set the merge commit status check
+        # using GitHub REST API
+        # see https://docs.github.com/en/rest/reference/repos#create-a-commit-status
+        run: |
+          curl --request POST \
+          --url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.sha }} \
+          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
+          --header 'content-type: application/json' \
+          --data '{
+            "context": "MegaLinter",
+            "state": "success",
+            "description": "MegaLinter checks passed",
+            "target_url": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          }'