[Security] Repository hardening (#10)

* Add asdf, pre-commit with cops, license checker, codeowners, issue/PR template, CI, fix linters errors

* Update CODEOWNERS and remove duplicates

* Removing npm install in CI

* Remove Python

* Reintroduce Python for pre-commit

* Reintroduce Rspec cops removed, add dev dependencies to gemspec, add rubocop-rspec

* Adding Ruby in CI setup

* Run rspec in CI

* Remove useless pre-commit step

Co-authored-by: Frantisek Rokusek <[email protected]>

---------

Co-authored-by: Frantisek Rokusek <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+*                               @frantisekrokusek @jlebray @NathanBerthier
+/doc/dependency_decisions.yml   @pennylane-hq/appsec

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug Report 🐞
+about: Found something that's not working as intended? Use this template to report a bug.
+labels: "bug"
+---
+
+<!--
+⚠ Add warnings here.
+* Is this task still a draft?
+* Is it essential for a version?
+* Does it have any dependencies?
+-->
+
+### Summary
+
+<!-- A clear and concise description of what the bug is. -->
+
+### Steps to reproduce
+
+<!--
+List the steps one needs to take in order to reproduce the issue on their machine.
+If possible, add screenshots or videos to help explain your problem.
+-->
+
+### Expected behavior
+
+<!-- What was expected to happen when the steps mentioned above were taken?
+If possible, list any documentation related to the correct behavior. -->
+
+### Related Links
+
+<!--- Remove what doesn't apply --->
+
+[Related Issue 🔗]()
+[Slack 🧵]()
+[Video/Loom 📹]()
+[PR 🔃]()
+[Notion 📜]()

.github/workflows/pre-commit.yml

@@ -0,0 +1,60 @@
+name: Pre-commits
+
+on: [push]
+
+jobs:
+  checks:
+    name: Run pre-commit
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Environment
+        run: |
+          echo "NODE_VERSION=18.18.0" >> $GITHUB_ENV
+          echo "PYTHON_VERSION=$(cat .tool-versions | grep -Po '(?<=python ).*')" >> $GITHUB_ENV
+          echo "RUBY_VERSION=$(cat .tool-versions | grep -Po '(?<=ruby ).*')" >> $GITHUB_ENV
+          if [ $GITHUB_REF == 'refs/heads/master' ]; then echo "ENV=prod"; else echo "ENV=staging"; fi >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*\/}" >> $GITHUB_ENV
+
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ env.RUBY_VERSION }}
+
+      - name: Install Ruby dependencies
+        run: bundle install
+
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Store python version details for cache
+        run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> "$GITHUB_ENV"
+
+      - name: Pre-commit installation cache
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            pre-commit|${{ env.PY }}|
+
+      - name: Install pre-commit
+        run: |
+          python -m pip install pre-commit
+          pre-commit install --install-hooks
+
+      - name: Run pre-commit checks
+        run: |
+          pre-commit run --all-files
+
+      - name: Run license checks
+        run: |
+          pre-commit run license_checks --files doc/dependency_decisions.yml
+
+      - name: Run specs
+        run: |
+          rspec

.pre-commit-config.yaml

@@ -0,0 +1,89 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: check-added-large-files
+      - id: fix-byte-order-marker
+      - id: check-merge-conflict
+      - id: trailing-whitespace
+        exclude: (?x)(
+          \.yarn/|
+          spec/files/)
+
+  - repo: https://github.com/tdeo/pre-commit-hooks
+    rev: v4.0.1
+    hooks:
+      - id: end-of-file-fixer
+        exclude: spec/files/
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.8.0.1
+    hooks:
+      - id: shellcheck
+
+  - repo: local
+    hooks:
+      - id: do_not_commit
+        name: Break on DO NOT COMMIT comment
+        language: pygrep
+        entry: (?i)(NOT.{,3}COMMIT)
+        exclude: (?x)(
+          .pre-commit-config.yaml|
+          README.md)
+      - id: rubocop
+        name: Rubocop
+        language: system
+        entry: bash -c 'bundle exec rubocop ${RUBOCOP_OPTIONS:---autocorrect} "$@"' --
+        require_serial: true # for proper cache behavior
+        files: (?x)(
+          \.(rb|rake|jbuilder|gemspec)$|
+          Gemfile$|
+          Rakefile|
+          .irbrc$)
+        args:
+          - --color
+          - --server
+          - --config=.rubocop.yml
+          - --fail-level=convention
+      - id: ruboclean
+        name: Ruboclean
+        language: system
+        entry: bundle exec ruboclean
+        files: ^\.rubocop.*\.yml$
+        args:
+          - --silent
+          - --preserve-comments
+      - id: ruby
+        name: Valid ruby syntax
+        language: system
+        entry: ruby -c
+        files: \.rb$
+        exclude: lib/templates/rspec/
+      - id: prettier-json
+        name: Prettier JSON
+        language: system
+        entry: npx prettier --parser json --write
+        files: \.json$
+      - id: prettier-yaml
+        name: Prettier YAML
+        language: system
+        entry: npx prettier --parser yaml --write
+        files: \.ya?ml$
+        exclude: ^\.rubocop\.yml
+      - id: prettier-mdx
+        name: Prettier MDX
+        language: system
+        entry: npx prettier --parser mdx --write
+        files: \.mdx?$
+      - id: whitespaces
+        name: No non-breaking spaces
+        language: pygrep
+        entry: \\u00A0 # Non-breaking space
+        exclude: (?x)^(
+          \.yarn/releases/|
+          \.pre-commit-config\.yaml)
+      - id: license_checks
+        name: License checks
+        language: system
+        entry: .pre-commit/check_license.sh
+        files: ^doc/dependency_decisions\.yml$
+        pass_filenames: false

.pre-commit/check_license.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+[ -z "${CI+1}" ] || exit 0
+
+RESULT=$(bundle exec license_finder)
+ERROR=$(cat <<-END
+Some licenses are not approved! You need to run "bundle exec license_finder" to determine the missing licenses.
+It appears the issues were the following:
+
+"$RESULT"
+
+Please check the licenses and especially commercial use terms, loop back to AppSec/Legal if needed.
+Different way to approve a license, you can either accept a license kind:
+
+bundle exec license_finder permitted_licenses add "Zlib"
+
+Or specific packages:
+
+bundle exec license_finder approvals add pako
+
+Finally, please add the proper documentation and explanation in doc/dependency_decisions.yml
+END
+)
+
+if echo "$RESULT" | grep "All dependencies are approved for use"
+then
+    exit 0
+else
+    echo "$ERROR"
+    exit 1
+fi

.rubocop.yml

@@ -1,4 +1,7 @@
 ---
+
+require: rubocop-rspec
+
 Layout/BlockAlignment:
   EnforcedStyleAlignWith: start_of_block
 

.tool-versions

@@ -0,0 +1,3 @@
+ruby 3.2.2
+nodejs 18.18.0
+python 3.9.12

Gemfile

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+git_source(:github) { |repo| "https://github.com/#{repo}.git" }
+
+ruby '3.2.2'
+
+group :development do
+  # License
+  gem 'license_finder', require: false
+
+  # Testing
+  gem 'rspec'
+
+  # Linting
+  gem 'ruboclean', require: false
+  gem 'rubocop', require: false
+  gem 'rubocop-rspec', require: false
+end

Gemfile.lock

@@ -0,0 +1,81 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    diff-lcs (1.5.0)
+    json (2.6.3)
+    language_server-protocol (3.17.0.3)
+    license_finder (7.1.0)
+      bundler
+      rubyzip (>= 1, < 3)
+      thor (~> 1.2)
+      tomlrb (>= 1.3, < 2.1)
+      with_env (= 1.1.0)
+      xml-simple (~> 1.1.9)
+    parallel (1.23.0)
+    parser (3.2.2.4)
+      ast (~> 2.4.1)
+      racc
+    racc (1.7.1)
+    rainbow (3.1.1)
+    regexp_parser (2.8.2)
+    rexml (3.2.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.1)
+    ruboclean (0.4.0)
+    rubocop (1.57.2)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.2.2.4)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
+    rubocop-capybara (2.19.0)
+      rubocop (~> 1.41)
+    rubocop-factory_bot (2.24.0)
+      rubocop (~> 1.33)
+    rubocop-rspec (2.24.1)
+      rubocop (~> 1.33)
+      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
+    ruby-progressbar (1.13.0)
+    rubyzip (2.3.2)
+    thor (1.3.0)
+    tomlrb (2.0.3)
+    unicode-display_width (2.5.0)
+    with_env (1.1.0)
+    xml-simple (1.1.9)
+      rexml
+
+PLATFORMS
+  arm64-darwin-22
+
+DEPENDENCIES
+  license_finder
+  rspec
+  ruboclean
+  rubocop
+  rubocop-rspec
+
+RUBY VERSION
+   ruby 3.2.2p53
+
+BUNDLED WITH
+   2.4.12

cfonb.gemspec

@@ -1,14 +1,19 @@
 # frozen_string_literal: true
 
 Gem::Specification.new do |s|
-  s.name        = 'cfonb'
-  s.version     = '0.0.4'
-  s.summary     = 'CFONB parser'
-  s.description = 'An easy to use CFONB format parser'
-  s.authors     = ['Johan Le Bray', 'Frantisek Rokusek']
-  s.email       = ''
-  s.files       = Dir["{lib,spec}/**/*.rb"]
-  s.homepage    =
-    'https://github.com/pennylane-hq/cfonb'
-  s.license = 'MIT'
+  s.name                       = 'cfonb'
+  s.version                    = '0.0.4'
+  s.required_ruby_version      = '>= 3.2.2'
+  s.summary                    = 'CFONB parser'
+  s.description                = 'An easy to use CFONB format parser'
+  s.authors                    = ['Johan Le Bray', 'Frantisek Rokusek']
+  s.email                      = ''
+  s.files                      = Dir['{lib,spec}/**/*.rb']
+  s.homepage                   = 'https://github.com/pennylane-hq/cfonb'
+  s.license                    = 'MIT'
+  s.add_development_dependency('license_finder')
+  s.add_development_dependency('rspec')
+  s.add_development_dependency('ruboclean')
+  s.add_development_dependency('rubocop')
+  s.add_development_dependency('rubocop-rspec')
 end