moving stub version 1.0.5 to archived and adding new stub 1.0.7 with additional config to to generate lock file at runtime

Signed-off-by: nikhil2611 <ngupta@progress.com>

Author: nikhil2611

…/workflows/ci-main-pull-request-stub.yml …s/archived/ci-main-pull-request-stub.yml.github/workflows/ci-main-pull-request-stub.yml renamed to .github/workflows/archived/ci-main-pull-request-stub.yml .github/workflows/ci-main-pull-request-stub.yml renamed to .github/workflows/archived/ci-main-pull-request-stub.yml

@@ -29,7 +29,7 @@ jobs:
           echo "CI main pull request stub version $STUB_VERSION"
 
   call-ci-main-pr-check-pipeline:
-    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/create-lock-file-runtime
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
     secrets: inherit
     permissions: 
       id-token: write
@@ -40,7 +40,7 @@ jobs:
       # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
 
       # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
-      version: '6.1.20' # ${{ github.event.repository.version }}
+      version: '6.1.13' # ${{ github.event.repository.version }}
       detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
       detect-version-source-parameter: '' # use for file name
       language: 'ruby'  # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
@@ -61,25 +61,26 @@ jobs:
       perform-blackduck-polaris: true
       polaris-application-name: "Chef-Agents"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
       polaris-project-name: ${{ github.event.repository.name }}
-      # polaris-blackduck-executable: 'path/to/blackduck/binary'
-      # polaris-executable-detect-path: 'path/to/detect'
+      polaris-blackduck-executable: 'path/to/blackduck/binary'
+      polaris-executable-detect-path: 'path/to/detect'
 
       # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
-      build: true
+      build: false
       # ga-build-profile: $chef-ga-build-profile   
       # language: $chef-ga-build-language   # this will be removed from stub as autodetected in central GA
       unit-tests: false
 
       # perform SonarQube scan, with or wihout unit test coverage data
       # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
-      perform-sonarqube-scan: true
+      perform-sonarqube-scan: false
       # perform-sonar-build: true
       # build-profile: 'default' 
       # report-unit-test-coverage: true
 
       # report to central developer dashboard
       report-to-atlassian-dashboard: false
-      quality-product-name: ${{ github.event.repository.name }}   # product name for quality reporting, like Chef360, Courier, Inspec
+      quality-product-name: 'Chef-Agents'   # product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-product-name: ${{ github.event.repository.name }}   # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
       # quality-sonar-app-name: 'YourSonarAppName'
       # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
       # quality-service-name: 'YourServiceOrRepoName'
@@ -95,11 +96,9 @@ jobs:
       export-github-sbom: true      # SPDX JSON artifact on job instance  
       perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
       blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
-      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error
+      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
       generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead
-
-      run-bundle-install: true
-
+        
       generate-msft-sbom: false
       license_scout: false      # Run license scout for license compliance (uses .license_scout.yml)
 

.github/workflows/ci-main-pull-request-stub-1.0.7.yml

@@ -0,0 +1,161 @@
+# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch
+# inputs are described in the chef/common-github-actions/<GA.yml> with same name as this stub
+#
+# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN
+
+name: CI Pull Request on Main Branch
+
+on: 
+  pull_request:
+    branches: [ main, release/** ]
+  push:
+    branches: [ main, release/** ]
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  
+env:
+  STUB_VERSION: "1.0.7" 
+
+jobs: 
+  echo_version:
+    name: 'Echo stub version'
+    runs-on: ubuntu-latest
+    steps:
+      - name: echo version of stub and inputs
+        run: |
+          echo "CI main pull request stub version $STUB_VERSION"
+
+  detect-custom-metadata:
+    name: 'Detect custom properties'
+    runs-on: ubuntu-latest
+    outputs:
+      primaryApp: ${{ steps.set-custom-metadata.outputs.primaryApplication }}
+      appBuildLanguage: ${{ steps.set-custom-metadata.outputs.applicationBuildLanguage }}
+      appBuildProfile: ${{ steps.set-custom-metadata.outputs.applicationBuildProfile }}
+    steps:
+      - name: 'Detect app, language, and build profile environment variables from repository custom properties'
+        id: set-custom-metadata
+      # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
+        run: |
+          response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) 
+
+          primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value')
+          GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value')
+          GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value')
+          
+          echo "PRIMARY APP... $primaryApplication"
+          echo "BUILD LANG... $GABuildLanguage"
+          echo "BUILD PROFILE... $GABuildProfile"
+          
+          echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV
+          echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV
+          echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
+
+          # If workflow_dispatch, use inputs (left), if other trigger, use default env (right)
+          # echo "::set-output name=build-and-verify::${{ github.event.inputs.build-and-verify || 'true' }}"
+          echo "::set-output name=primaryApplication::$primaryApplication"
+          echo "::set-output name=applicationBuildLanguage::$GABuildLanguage"
+          echo "::set-output name=applicationBuildProfile::$GABuildProfile"
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+    
+  call-ci-main-pr-check-pipeline:
+    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+    needs: detect-custom-metadata
+    secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+
+    with:   
+      application: ${{ needs.detect-custom-metadata.outputs.primaryApp }}
+      visibility: ${{ github.event.repository.visibility }}   #  private, public, or internal
+      # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
+
+      # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
+      version: '6.1.21' # ${{ github.event.repository.version }}
+      detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
+      detect-version-source-parameter: '' # use for file name
+      language: ${{ needs.detect-custom-metadata.outputs.appBuildLanguage }} # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
+      
+      # complexity-checks, linting, trufflehog and trivy
+      perform-complexity-checks: true
+      # scc-output-filename: 'scc-output.txt'
+      perform-language-linting: false    # Perform language-specific linting and pre-compilation checks
+      perform-trufflehog-scan: true
+      perform-trivy-scan: true
+             
+      # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
+      build: true
+      build-profile: ${{ needs.detect-custom-metadata.outputs.appBuildProfile }}
+      unit-tests: false
+      unit-test-output-path: "path/to/file.out"
+      unit-test-command-override: ""
+ 
+      # BlackDuck SAST (Polaris) require a build or binary present in repo to do SAST testing
+      # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
+      perform-blackduck-polaris: false
+      polaris-application-name: "Chef-Agents"  # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
+      polaris-project-name: ${{ github.event.repository.name }}   # arch-sample-cli
+      polaris-working-directory: '.' # Working directory for the scan, defaults to . but usually lang-dependent like ./src
+      polaris-coverity-build-command: 'go build -o bin/chef-cli.exe' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"
+      polaris-coverity-clean-command: 'go clean' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"
+      polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
+      polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD)
+      wait-for-scan: true
+      # polaris-detect-args: ''  # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"
+      # coverity_build_command: "go build"
+      # coverity_clean_command: "go clean"
+      # polaris-config-path: ''   # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml
+      # polaris-coverity-config-path: ''  # Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml
+      # polaris-coverity-args: '' # Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make
+      
+      # perform SonarQube scan, with or without unit test coverage data
+      # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
+      perform-sonarqube-scan: true
+      # perform-sonar-build: true
+      # build-profile: 'default' 
+      # report-unit-test-coverage: true
+      perform-docker-scan: false  # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container"
+
+      # report to central developer dashboard
+      report-to-atlassian-dashboard: false
+      quality-product-name: ${{ github.event.repository.name }}   # product name for quality reporting, like Chef360, Courier, Inspec
+      # quality-sonar-app-name: 'YourSonarAppName'
+      # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
+      # quality-service-name: 'YourServiceOrRepoName'
+      # quality-junit-report: 'path/to/junit/report''
+
+      # perform Habitat-based and native packaging, publish to package repositories
+      package-binaries: false     # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)
+      habitat-build: false        # Create Habitat packages
+      publish-habitat-packages: false   # Publish Habitat packages to Builder
+      publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx)
+      publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional)
+      publish-habitat-hab_release: "20240101010101"  # Chef Habitat package release (optional)
+      publish-habitat-hab_channel: "stable"  # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable
+      publish-habitat-hab_auth_token: ""   # Chef Habitat Builder authentication token (uses secret if not provided)
+      publish-habitat-runner_os: "ubuntu-latest"   # OS runner for Habitat package publishing job, can also be windows-latest
+      habitat-grype-scan: false  # Scan built Habitat packages with Grype for vulnerabilities
+      publish-packages: false     # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)
+
+      # generate and export Software Bill of Materials (SBOM) in various formats
+      generate-sbom: true
+      export-github-sbom: true      # SPDX JSON artifact on job instance  
+      generate-msft-sbom: false
+      license_scout: false      # Run license scout for license compliance (uses .license_scout.yml)
+
+      # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk
+      perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+      blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
+      blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
+
+      run-bundle-install: true
+  
+      # udf1: 'default' # user defined flag 1
+      # udf2: 'default' # user defined flag 2 
+      # udf3: 'default' # user defined flag 3