init repo with otelx

Signed-off-by: Sarah Funkhouser <[email protected]>

.buildkite/pipeline.yaml

@@ -0,0 +1,73 @@
+env:
+  APP_NAME: ${BUILDKITE_PIPELINE_SLUG}
+  IMAGE_REPO: ghcr.io/theopenlane/${APP_NAME}
+  SONAR_HOST: "https://sonarcloud.io"
+steps:
+  - group: ":test_tube: tests"
+    key: "tests"
+    steps:
+      - label: ":golangci-lint: lint :lint-roller:"
+        cancel_on_build_failing: true
+        key: "lint"
+        plugins:
+          - docker#v5.11.0:
+              image: "golangci/golangci-lint:latest"
+              command: ["golangci-lint", "run", "-v", "--timeout", "10m", "--config", ".golangci.yaml", "--concurrency", "0"]
+              environment:
+                - "GOTOOLCHAIN=auto"
+      - label: ":golang: go test"
+        key: "go_test"
+        retry:
+          automatic:
+            - exit_status: "*"
+              limit: 2
+        cancel_on_build_failing: true
+        plugins:
+          - docker#v5.11.0:
+              image: golang:1.23.0
+              command: ["go", "test", "-coverprofile=coverage.out", "./..."]
+        artifact_paths: ["coverage.out"]
+  - group: ":closed_lock_with_key: Security Checks"
+    depends_on: "go_test"
+    key: "security"
+    steps:
+      - label: ":closed_lock_with_key: gosec"
+        key: "gosec"
+        plugins:
+          - docker#v5.11.0:
+              image: "securego/gosec:2.20.0"
+              command: ["-no-fail", "-exclude-generated", "-fmt sonarqube", "-out", "results.txt", "./..."]
+              environment:
+                - "GOTOOLCHAIN=auto"
+        artifact_paths: ["results.txt"]
+      - label: ":github: upload PR reports"
+        key: "scan-upload-pr"
+        if: build.pull_request.id != null
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: "results.txt"
+          - artifacts#v1.9.4:
+              download: "coverage.out"
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11.0"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"
+                - "SONAR_SCANNER_OPTS=-Dsonar.pullrequest.branch=$BUILDKITE_BRANCH -Dsonar.pullrequest.base=$BUILDKITE_PULL_REQUEST_BASE_BRANCH -Dsonar.pullrequest.key=$BUILDKITE_PULL_REQUEST"
+      - label: ":github: upload reports"
+        key: "scan-upload"
+        if: build.branch == "main"
+        depends_on: ["gosec", "go_test"]
+        plugins:
+          - artifacts#v1.9.4:
+              download: results.txt
+          - artifacts#v1.9.4:
+              download: coverage.out
+              step: "go_test"
+          - docker#v5.11.0:
+              image: "sonarsource/sonar-scanner-cli:11.0"
+              environment:
+                - "SONAR_TOKEN"
+                - "SONAR_HOST_URL=$SONAR_HOST"

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @theopenlane/blacksmiths

.github/CONTRIBUTING.md

@@ -0,0 +1,24 @@
+# Contributing
+
+Given external users will not have write to the branches in this repository, you'll need to follow the forking process to open a PR - [here](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) is a guide from github on how to do so.
+
+Please also read our main [contributing guide](https://github.com/theopenlane/.github/blob/main/CONTRIBUTING.md) in addition to this one; the main guide mostly says that we'd like for you to open an issue first but it's not hard-required, and that we accept all forms of proposed changes given the state of this code base (in it's infancy, still!)
+
+## Pre-requisites to a PR
+
+This repository contains a number of code generating functions / utilities which take schema modifications and scaffold out resolvers, graphql API schemas, openAPI specifications, among other things. To ensure you've generated all the necessary dependencies run `task pr`; this will run the entirety of the commands required to safely generate a PR. If for some reason one of the commands fails / encounters an error, you will need to debug the individual steps. It should be decently easy to follow the `Taskfile` in the root of this repository.
+
+### Pre-Commit Hooks
+
+We have several `pre-commit` hooks that should be run before pushing a commit. Make sure this is installed:
+
+```bash
+brew install pre-commit
+pre-commit install
+```
+
+You can optionally run against all files:
+
+```bash
+pre-commit run --all-files
+```

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,16 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[Bug]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug or issue you're encountering**
+
+
+**What are the relevant steps to reproduce, including the version(s) of the relevant software?**
+
+
+**What is the expected behavior?**

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[Feature Request]"
+labels: enhancement
+assignees: matoszz
+
+---
+
+**Describe how the feature might make your life easier or solve a problem**
+
+**Describe the solution you'd like to see with any relevant context**
+
+**Describe any alternatives you've considered or if there are short-tern vs. long-term options**

.github/labeler.yml

@@ -0,0 +1,9 @@
+# Add 'bug' label to any PR where the head branch name starts with `bug` or has a `bug` section in the name
+bug:
+  - head-branch: ["^bug", "bug"]
+# Add 'enhancement' label to any PR where the head branch name starts with `enhancement` or has a `enhancement` section in the name
+enhancement:
+  - head-branch: ["^enhancement", "enhancement", "^feature", "feature", "^enhance", "enhance", "^feat", "feat"]
+# Add 'breaking-change' label to any PR where the head branch name starts with `breaking-change` or has a `breaking-change` section in the name
+breaking-change:
+  - head-branch: ["^breaking-change", "breaking-change"]

.github/release.yml

@@ -0,0 +1,24 @@
+changelog:
+  exclude:
+    labels:
+      - ignore-for-release
+    authors: []
+  categories:
+    - title: Breaking Changes 🛠
+      labels:
+        - Semver-Major
+        - breaking-change
+    - title: New Features 🎉
+      labels:
+        - Semver-Minor
+        - enhancement
+        - feature
+    - title: Bug Fixes 🐛
+      labels:
+        - bug
+    - title: 👒 Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"

.github/workflows/labeler.yaml

@@ -0,0 +1,13 @@
+name: "Pull Request Labeler"
+on:
+  - pull_request_target
+jobs:
+  triage:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v5
+        with:
+          sync-labels: true

.github/workflows/releaser.yml

@@ -0,0 +1,127 @@
+name: Release
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+permissions:
+  contents: write
+jobs:
+  ldflags_args:
+    runs-on: ubuntu-latest
+    outputs:
+      commit-date: ${{ steps.ldflags.outputs.commit-date }}
+      commit: ${{ steps.ldflags.outputs.commit }}
+      version: ${{ steps.ldflags.outputs.version }}
+      tree-state: ${{ steps.ldflags.outputs.tree-state }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          echo "commit=$GITHUB_SHA" >> $GITHUB_OUTPUT
+          echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> $GITHUB_OUTPUT
+          echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> $GITHUB_OUTPUT
+          echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> $GITHUB_OUTPUT
+  release:
+    name: Build and release
+    needs:
+      - ldflags_args
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    permissions:
+      contents: write # To add assets to a release.
+      id-token: write # To do keyless signing with cosign
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          VERSION: ${{ needs.ldflags_args.outputs.version }}
+          COMMIT: ${{ needs.ldflags_args.outputs.commit }}
+          COMMIT_DATE: ${{ needs.ldflags_args.outputs.commit-date }}
+          TREE_STATE: ${{ needs.ldflags_args.outputs.tree-state }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+  provenance:
+    name: Generate provenance (SLSA3)
+    needs:
+      - release
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true # upload to a new release
+  verification:
+    name: Verify provenance of assets (SLSA3)
+    needs:
+      - release
+      - provenance
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Install the SLSA verifier
+        uses: slsa-framework/slsa-verifier/actions/[email protected]
+      - name: Download assets
+        env:
+          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CHECKSUMS: "${{ needs.release.outputs.hashes }}"
+          ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Downloading $fn"
+              gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
+          done <<<"$checksums"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+      - name: Verify assets
+        env:
+          CHECKSUMS: "${{ needs.release.outputs.hashes }}"
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |-
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Verifying SLSA provenance for $fn"
+              slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+                                            --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                            --source-tag "$GITHUB_REF_NAME" \
+                                            "$fn"
+          done <<<"$checksums"

.gitignore

@@ -0,0 +1,41 @@
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Go workspace file
+go.work
+
+# Packages
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+
+# Logs
+*.log
+
+# Editor files
+.vscode
+
+# OS Generated Files
+.DS_Store*
+.AppleDouble
+.LSOverride
+ehthumbs.db
+Icon?
+Thumbs.db

.golangci.yaml

@@ -0,0 +1,40 @@
+run:
+  timeout: 10m
+  allow-serial-runners: true
+linters-settings:
+  goimports:
+    local-prefixes: github.com/theopenlane/beacon
+  gofumpt:
+    extra-rules: true
+  gosec:
+    exclude-generated: true
+  revive:
+    ignore-generated-header: true
+linters:
+  enable:
+    - bodyclose
+    - errcheck
+    - gocritic
+    - gocyclo
+    - err113
+    - gofmt
+    - goimports
+    - mnd
+    - gosimple
+    - govet
+    - gosec
+    - ineffassign
+    - misspell
+    - noctx
+    - revive
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unused
+    - whitespace
+    - wsl
+issues:
+  fix: true
+  exclude-use-default: true
+  exclude-dirs:
+  exclude-files: