Software-Hardware-Integration-Lab · elliot-huffman · Mar 30, 2025 · Mar 29, 2025 · Mar 29, 2025 · Mar 30, 2025
diff --git a/.github/workflows/GenerateSdk.yml b/.github/workflows/GenerateSdk.yml
@@ -0,0 +1,156 @@
+# Display Name of the workflow
+name: Generate SDKs
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  # Generate the TypeScript SDK client code
+  TypeScript-Build:
+    # Generate each SDK client in a separate build process to speed up execution and publishing
+    strategy:
+      matrix:
+        # Spec and SDK root locations
+        specifications:
+          - SHIELD:
+            sdkPath: 'src/shield/TypeScript'
+            specPath: 'spec/SHIELD.json'
+          - DataGateway:
+            sdkPath: 'src/dataGateway/TypeScript'
+            specPath: 'spec/Data-Gateway.json'
+
+    # Display name of the job
+    name: Generate TypeScript SDK
+
+    # Operating system filter for the runners
+    runs-on: ubuntu-latest
+
+    # Sets the scopes available to the github_token injected to the GH Actions runner
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
+    # Set of steps required to generate the API client for TypeScript
+    steps:
+      # Download all of the source code
+      - name: Clone Repo Locally
+        uses: actions/checkout@v4
+
+      # Set up NodeJS on the build host
+      - name: Setup Node.JS Runtime
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+          cache: 'npm'
+          cache-dependency-path: 'package-lock.json'
+
+      # Set up all of the supporting components for SDK generation
+      - name: Initialize Kiota Binaries
+        uses: microsoft/setup-kiota@v0.5.0
+
+      # Install the dependencies needed to build the project
+      - name: Install Build Dependencies
+        run: npm install
+        working-directory: ${{matrix.specifications.sdkPath}}
+
+      # Cryptographically attest that packages haven't been tampered where supported
+      - name: Attest Provenance
+        run: npm audit signatures
+        working-directory: ${{matrix.specifications.sdkPath}}
+
+      # Generate the TypeScript SDK
+      - name: Update kiota clients in the repository
+        run: npm run-script generate:Sdk
+        working-directory: ${{matrix.specifications.sdkPath}}
+
+      # Generate the TypeScript SDK
+      - name: Build Project
+        run: npm run-script build:Prod
+        working-directory: ${{matrix.specifications.sdkPath}}
+
+      # Ensure all the supporting files are present in the correct directory before publishing them
+      - name: Prep Files for Publish
+        run: cp LICENSE README.md package.json bin/
+        working-directory: ${{matrix.specifications.sdkPath}}
+
+      # Create a ZIP archive of the server files to speed up the upload process
+      - name: ZIP up SDK Files
+        run: zip -r sdk-${{matrix.specifications}}.zip .
+        working-directory: ${{matrix.specifications.sdkPath}}/bin
+
+      # Create an attestation for the compiled package and upload it to the internal system for health tracking
+      - name: Attest Compiled Package
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{matrix.specifications.sdkPath}}/bin/sdk-${{matrix.specifications}}.zip
+
+      # Upload compiled zip file so that other execution sessions can use it
+      - name: Upload Artifact for Deployment Job
+        uses: actions/upload-artifact@v4
+        with:
+          compression-level: 9
+          if-no-files-found: error
+          name: sdk-${{matrix.specifications}}
+          path: ${{matrix.specifications.sdkPath}}/bin/sdk-${{matrix.specifications}}.zip
+          retention-days: 1
+
+  # Isolate publish privileges from the build step to reduce surface area for attack by ensuring only the publish tools have credential access
+  TypeScript-Publish:
+    # Display name of the job
+    name: Publish TypeScript SDK
+
+    # Operating system filter for the runners
+    runs-on: ubuntu-latest
+
+    # Publish the package to NPM
+    environment: NPM
+
+    # Sets the scopes available to the github_token injected to the GH Actions runner
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
+    # Generate each SDK client in a separate build process to speed up execution and publishing
+    strategy:
+      matrix:
+        # Specification list
+        specifications: [SHIELD, DataGateway]
+
+    # Only publish the SDK if the build succeeds
+    needs:
+      - TypeScript-Build
+
+    # Set of steps required to generate the API client for TypeScript
+    steps:
+      # Set up NodeJS on the build host with caching support to optimize execution
+      - name: Set up Node.JS Runtime
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org/
+          scope: shi-corp
+
+      # Download the compiled server binary
+      - name: Download Artifact From Build Job
+        uses: actions/download-artifact@v4
+        with:
+          name: sdk-${{matrix.specifications}}
+
+      # Validate the attestation of the downloaded artifact to prevent tamper
+      - name: Validate Attestation
+        env:
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run: gh attestation verify sdk-${{matrix.specifications}}.zip --repo Software-Hardware-Integration-Lab/OpenAPI --signer-workflow Software-Hardware-Integration-Lab/OpenAPI/.github/workflows/GenerateSdk.yml@refs/heads/main
+
+      # Extract the zip file and remove the container
+      - name: Unzip Artifact
+        run: unzip sdk-${{matrix.specifications}}.zip && rm sdk-${{matrix.specifications}}.zip
+
+      # Publish the artifact to NPM with attestation
+      - name: Upload Package to NPM Registry
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH }}
diff --git a/.github/workflows/Validate.yml b/.github/workflows/Validate.yml
@@ -28,7 +28,7 @@ jobs:
     - name: Setup Node.JS Environment
       uses: actions/setup-node@v4
       with:
-        node-version: 20.x
+        node-version: 22.x
 
     # Sets up OpenJDK on the build host
     - name: Set up Microsoft OpenJDK
@@ -44,6 +44,6 @@ jobs:
     # Run the validation of all Specification Files
     - name: Validate OpenAPI Specs
       run: |
-        for file in $(find . -path ./\.vscode -prune -name "*.json"); do
+        for file in $(find ./specs -name "*.json"); do
           openapi-generator-cli validate -i "$file"
         done
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,115 @@
+# Built Executables/Installers
+dist/
+
+# typescript compiled output
+bin/
+
+# Generated TypeScript SDKs
+src/*/TypeScript/sdk
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# dotenv environment variables file
+.env*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# TypeScript v1 declaration files
+typings/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+
+# Next.js build output
+.next
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and *not* Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Scripts used during local development
+shi_lab_dev_*
diff --git a/OpenAPI.code-workspace b/OpenAPI.code-workspace
@@ -0,0 +1,68 @@
+{
+	"folders": [
+		{
+			"name": "API Specifications",
+			"path": "specs"
+		},
+		{
+			"name": "Data Gateway",
+			"path": "src/dataGateway"
+		},
+		{
+			"name": "SHIELD",
+			"path": "src/shield"
+		},
+		{
+			"name": "GitHub Actions",
+			"path": ".github/workflows"
+		}
+	],
+	"settings": {
+		"files.exclude": {
+			"node_modules": true
+		},
+		"cSpell.enabledFileTypes": {
+			"*": true
+		},
+		"editor.formatOnSave": true,
+		"editor.bracketPairColorization.enabled": true,
+		"typescript.format.insertSpaceAfterOpeningAndBeforeClosingTemplateStringBraces": true,
+		"typescript.format.insertSpaceAfterOpeningAndBeforeClosingNonemptyParenthesis": false,
+		"typescript.format.insertSpaceAfterOpeningAndBeforeClosingJsxExpressionBraces": true,
+		"typescript.format.insertSpaceBeforeFunctionParenthesis": false,
+		"typescript.format.semicolons": "insert",
+		"typescript.format.insertSpaceAfterOpeningAndBeforeClosingNonemptyBrackets": false,
+		"typescript.format.insertSpaceAfterTypeAssertion": true,
+		"typescript.implementationsCodeLens.enabled": true,
+		"typescript.inlayHints.enumMemberValues.enabled": true,
+		"typescript.preferences.quoteStyle": "single",
+		"javascript.preferences.quoteStyle": "single",
+		"js/ts.implicitProjectConfig.target": "ES2022",
+		"typescript.format.insertSpaceAfterFunctionKeywordForAnonymousFunctions": true,
+		"search.exclude": {
+			"**/*.js": true,
+			"**/*.js.map": true
+		},
+		"files.insertFinalNewline": true,
+		"files.trimFinalNewlines": true,
+		"yaml.format.singleQuote": true,
+		"powershell.codeFormatting.useConstantStrings": true,
+		"typescript.tsdk": "node_modules\\typescript\\lib",
+		"github.copilot.editor.enableAutoCompletions": false,
+		"cSpell.words": [
+			"Entra",
+			"kiota",
+			"typia"
+		]
+	},
+	"extensions": {
+		"recommendations": [
+			"streetsidesoftware.code-spell-checker",
+			"dbaeumer.vscode-eslint",
+			"gruntfuggly.todo-tree",
+			"PKief.material-icon-theme",
+			"SocketSecurity.vscode-socket-security",
+			"42Crunch.vscode-openapi"
+		]
+	}
+}