Merge branch 'main' into patch-26

.config/.markdownlint.yaml

@@ -84,7 +84,7 @@ MD022:
 MD023: true
 
 # MD024/no-duplicate-heading : Multiple headings with the same content : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md024.md
-MD024: 
+MD024:
   siblings_only: true
 
 # MD025/single-title/single-h1 : Multiple top-level headings in the same document : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md025.md
@@ -246,4 +246,4 @@ MD055:
   style: "consistent"
 
 # MD056/table-column-count : Table column count : https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md056.md
-MD056: true
+MD056: true

.config/.yamllint

@@ -0,0 +1,15 @@
+extends: relaxed
+
+ignore:
+  - .config
+  - .gitvote.yml
+
+rules:
+  indentation:
+    level: error
+    spaces: 2 # Enforce 2 spaces for indentation
+  line-length:
+    level: error
+    max: 120 # Allow up to 120 characters per line
+  new-lines:
+    type: unix

.github/CODEOWNERS

@@ -24,7 +24,7 @@
 ########
 #
 # Community Guidelines only need review from the Community Structure WG
-/docs/governance/community-guidelines @finos/ccc-wg-community-structure
+/docs/community-guidelines @finos/ccc-wg-community-structure
 #
 ########
 

.github/ISSUE_TEMPLATE/minutes_all-hands-comms.md

@@ -23,7 +23,7 @@ MM/DD/YYYY - 12:00 ET / 17:00 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/minutes_community-structure.md

@@ -21,7 +21,7 @@ MM/DD/YYYY - 12:00 ET / 17:00 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/minutes_delivery.md

@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:30 ET / 16:30 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/minutes_duplication-reduction.md

@@ -21,7 +21,7 @@ MM/DD/YYYY - 12:30 ET / 17:30 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/minutes_security.md

@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:00 ET / 16:00 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/minutes_taxonomy.md

@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:30 ET / 16:30 UK
 ## Meeting notices
 
 - FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
 - FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact [email protected] with any questions.
 - FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
 

.github/ISSUE_TEMPLATE/release_proposal.md

@@ -23,7 +23,7 @@ assignees: "damienjburks"
 - [ ] Modify the `metadata.yaml` files to include the latest release details. This can be accomplished in an automated form by running the following command:
 
   ```text
-  cd delivery-tooling
+  cd delivery-toolkit
   go run . release-notes -t /services/storage/object
   ```
 

.github/workflows/format-check.yml

@@ -10,14 +10,14 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
-      
+
       - name: Set up Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: '16'
-  
+          node-version: "16"
+
       - name: Install Prettier
         run: npm install --save-dev prettier
-  
+
       - name: Check formatting with Prettier
-        run: npx prettier --check "**/*.md" --config ./.config/.prettierrc
+        run: npx prettier --check "**/*.md" --config ./.config/.prettierrc

.github/workflows/links.yml

@@ -13,6 +13,7 @@ jobs:
         id: lychee
         uses: lycheeverse/lychee-action@v1
         with:
-            args: --base . --verbose --no-progress './**/*.md'
-            output: lychee/results.md
-            token: ${{ secrets.GITHUB_TOKEN }}
+          args: --base . --verbose --no-progress './**/*.md'
+          output: lychee/results.md
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fail: true

.github/workflows/linting-check.yml

@@ -20,4 +20,25 @@ jobs:
         run: npm install -g markdownlint-cli
 
       - name: Run markdownlint
-        run: markdownlint '**/*.md' --config ./.config/.markdownlint.yaml
+        run: markdownlint '**/*.md' --config ./.config/.markdownlint.yaml
+
+  yaml-lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.x" # Use any compatible Python 3 version
+
+      - name: Install yamllint
+        run: |
+          python -m pip install --upgrade pip
+          pip install yamllint
+
+      - name: Run yamllint
+        run: |
+          yamllint -c ./.config/.yamllint .

.github/workflows/pr-title.yaml

@@ -0,0 +1,30 @@
+## Reference: https://github.com/amannn/action-semantic-pull-request
+---
+name: "Lint PR Title"
+on:
+  # pull_request_target event is required for autolabeler to support all PRs including forks
+  pull_request_target:
+    types: [opened, reopened, edited, synchronize]
+jobs:
+  lint_pr_title:
+    permissions:
+      contents: read
+      pull-requests: read
+      statuses: write
+    uses: jmeridth/reusable-workflows/.github/workflows/pr-title.yaml@d788c4f6994c7b37134a9f592fe5db42fd7a0957
+    with:
+      types: |
+        add
+        change
+        remove
+      scopes: |
+        ci
+        docs
+        feature
+        threat
+        control
+        category
+        family
+      requireScope: true
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull_request.yaml

@@ -10,17 +10,18 @@ jobs:
     permissions:
       pull-requests: write
       contents: read
-      
+
   run-linting-check:
-      uses: ./.github/workflows/linting-check.yml
-      permissions:
-        pull-requests: write
+    uses: ./.github/workflows/linting-check.yml
+    permissions:
+      pull-requests: write
 
   link-checker:
-        uses: ./.github/workflows/links.yml
-        permissions:
-          pull-requests: write
-          contents: read
+    uses: ./.github/workflows/links.yml
+    permissions:
+      pull-requests: write
+      contents: read
+
   yaml-checker:
     uses: ./.github/workflows/yaml-check.yml
     permissions:
@@ -32,4 +33,3 @@ jobs:
     permissions:
       pull-requests: write
       contents: read
-

.github/workflows/release.yml

@@ -4,10 +4,10 @@ on:
   workflow_dispatch:
     inputs:
       build_target:
-        description: 'Build Target (e.g storage/object)'
+        description: "Build Target (e.g storage/object)"
         required: true
       tag:
-        description: 'Tag for this release'
+        description: "Tag for this release"
         required: true
 
 # TODO: Add in pre-release tag to distinguish whether or not we want to have an official release
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     defaults:
       run:
-        working-directory: ./delivery-tooling
+        working-directory: ./delivery-toolkit
     steps:
       - uses: actions/checkout@v4
         name: Build
@@ -27,13 +27,13 @@ jobs:
 
       - name: Install dependencies
         run: go mod download
-  
+
       - name: Get Build Target
         id: process_target
         run: |
           # Read the input for a single build target
           build_target="${{ github.event.inputs.build_target }}"
-          
+
           # Print and save the build target
           echo "Build target: $build_target"
           echo "target=$build_target" >> $GITHUB_OUTPUT
@@ -46,12 +46,12 @@ jobs:
           go run . "yaml" --build-target $build_target
           go run . "md" --build-target $build_target
           go run . "release-notes" --build-target $build_target
-          
+
           # Create PDF files from MD files
           echo "Converting MD file to PDF"
           for md_file in ./artifacts/*.md; do
             filename=$(basename "$md_file" .md)
-            
+
             # Check if the filename contains "release-notes"
             if [[ $filename != *"release_notes"* ]]; then
                 echo "Converting $md_file to $filename.pdf"
@@ -61,12 +61,11 @@ jobs:
             fi
           done
 
-      
       - name: Upload Artifacts
         uses: actions/[email protected]
         with:
           name: ccc-catalogs
-          path: ./delivery-tooling/artifacts/*
+          path: ./delivery-toolkit/artifacts/*
           if-no-files-found: error
           retention-days: 1 # Maximum Retention
 
@@ -104,4 +103,4 @@ jobs:
               -H "Content-Type: application/octet-stream" \
               --data-binary @"$file" \
               "${{ steps.create_release.outputs.upload_url }}=$filename&label=$filename"
-          done
+          done

.github/workflows/sonatype_scan.yaml

@@ -0,0 +1,45 @@
+name: Sonatype SCA Scanning
+on:
+  workflow_dispatch:
+  pull_request_target:
+    paths:
+      - "**.go"
+      - "**/go.mod"
+      - "**/go.sum"
+env:
+  SonatypeUrl: "https://finos.sonatype.app/platform/"
+  SonatypeAppId: "ccc-delivery"
+  SonatypeScanTarget: "delivery-toolkit/"
+  ExcludeDirectory: ""
+
+jobs:
+  build:
+    if: github.repository_owner == 'finos'
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Sonatype Lifecycle SCA Scan
+        id: evaluate
+        uses: sonatype/actions/evaluate@v1
+        with:
+          iq-server-url: ${{ env.SonatypeUrl }}
+          username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
+          password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
+          application-id: ${{ env.SonatypeAppId }}
+          stage: "build"
+          scan-targets: ${{ env.SonatypeScanTarget }}
+          module-exclude: ${{ env.ExcludeDirectory }}
+
+      - name: Save Sonatype SBOM
+        uses: sonatype/actions/fetch-sbom@v1
+        if: always() && steps.evaluate.outputs.scan-id
+        with:
+          iq-server-url: ${{ env.SonatypeUrl }}
+          username: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
+          password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
+          application-id: ${{ env.SonatypeAppId }}
+          scan-id: ${{ steps.evaluate.outputs.scan-id }}
+          sbom-standard: spdx
+          sbom-version: 2.3
+          artifact-name: ${{ env.SonatypeAppId }}-sonatype-bom