From f6c2996cd4a8cec9dcfd91e5d85799642f4ba884 Mon Sep 17 00:00:00 2001
From: Tanishq Dubey
Date: Sat, 10 May 2025 08:29:25 -0400
Subject: [PATCH] add long commit delay and scanning

---
 .gitea/workflows/datadog-sca.yml | 18 ++++++++
 .gitea/workflows/datadog-secrets-scanning.yml | 21 ++++++++++
 .gitea/workflows/datadog-static-analysis.yml | 41 +++++++++++++++++++
 .gitea/workflows/release.yml | 6 +--
 4 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 .gitea/workflows/datadog-sca.yml
 create mode 100644 .gitea/workflows/datadog-secrets-scanning.yml
 create mode 100644 .gitea/workflows/datadog-static-analysis.yml

diff --git a/.gitea/workflows/datadog-sca.yml b/.gitea/workflows/datadog-sca.yml
new file mode 100644
index 000000000..2e4d1a781
--- /dev/null
+++ b/.gitea/workflows/datadog-sca.yml
@@ -0,0 +1,18 @@
+on: [push]
+
+name: Datadog Software Composition Analysis
+
+jobs:
+ software-composition-analysis:
+ runs-on: ubuntu-latest
+ name: Datadog SBOM Generation and Upload
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Check imported libraries are secure and compliant
+ id: datadog-software-composition-analysis
+ uses: DataDog/datadog-sca-github-action@main
+ with:
+ dd_api_key: ${{ secrets.DD_API_KEY }}
+ dd_app_key: ${{ secrets.DD_APP_KEY }}
+ dd_site: datadoghq.com
\ No newline at end of file
diff --git a/.gitea/workflows/datadog-secrets-scanning.yml b/.gitea/workflows/datadog-secrets-scanning.yml
new file mode 100644
index 000000000..0a06b6d7e
--- /dev/null
+++ b/.gitea/workflows/datadog-secrets-scanning.yml
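Review bot: `uses: DataDog/datadog-sca-github-action@main` in the SBOM upload step tracks a mutable branch, so whatever lands on that branch next runs with DD_API_KEY, DD_APP_KEY and the checked-out source; pin it to an immutable commit SHA and record the tag it corresponds to, e.g. `uses: DataDog/datadog-sca-github-action@<commit-sha>  # <release tag>` (placeholders: take the SHA from the action release you validated). The same applies more mildly to `actions/checkout@v3` here and to the `@v1`/`@v3` tags in the two following workflow files, since tags can be moved after the fact. The file also ends without a trailing newline, which the hunk marks with `\ No newline at end of file`.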
@@ -0,0 +1,21 @@
+on: [push]
+
+name: Datadog Secrets Scanning
+
+jobs:
+ static-analysis:
+ runs-on: ubuntu-latest
+ name: Datadog Static Analyzer
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Check code for comitted secrets
+ id: datadog-static-analysis
+ uses: DataDog/datadog-static-analyzer-github-action@v1
+ with:
+ dd_api_key: ${{ secrets.DD_API_KEY }}
+ dd_app_key: ${{ secrets.DD_APP_KEY }}
+ dd_site: datadoghq.com
+ secrets_enabled: true
+ static_analysis_enabled: false
+ cpu_count: 2
diff --git a/.gitea/workflows/datadog-static-analysis.yml b/.gitea/workflows/datadog-static-analysis.yml
new file mode 100644
index 000000000..fa137845c
--- /dev/null
+++ b/.gitea/workflows/datadog-static-analysis.yml
@@ -0,0 +1,41 @@
+on: [push]
+
+name: Datadog Static Analysis
+
+jobs:
+ static-analysis:
+ runs-on: ubuntu-latest
+ name: Datadog Static Analyzer
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Check code meets quality and security standards
+ id: datadog-static-analysis
+ uses: DataDog/datadog-static-analyzer-github-action@v1
+ with:
+ dd_api_key: ${{ secrets.DD_API_KEY }}
+ dd_app_key: ${{ secrets.DD_APP_KEY }}
+ dd_site: datadoghq.com
+ cpu_count: 2
+ - name: Run Semgrep
+ run: |
+ python3 -m pip install --break-system-package semgrep
+ semgrep scan --sarif -o /tmp/semgrep.sarif
+ cat /tmp/semgrep.sarif
+ # Download and install nvm:
+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash
+ # in lieu of restarting the shell
+ \. "$HOME/.nvm/nvm.sh"
+ # Download and install Node.js:
+ nvm install 22
+ # Verify the Node.js version:
+ node -v # Should print "v22.14.0".
+ nvm current # Should print "v22.14.0".
+ # Verify npm version:
+ npm -v # Should print "10.9.2".
+ npm install -g @datadog/datadog-ci
+ datadog-ci sarif upload /tmp/semgrep.sarif
+ env:
+ DD_API_KEY: ${{ secrets.DD_API_KEY }}
+ DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
+ DD_SITE: datadoghq.com
\ No newline at end of file
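Review bot: The secrets-scanning job checks out with `actions/checkout@v3` and no `fetch-depth`, which fetches only the single head commit, so if the Datadog scanner relies on git history it will only see secrets present in the current tree and miss ones committed and later removed earlier in the same push; if history coverage is intended, add `fetch-depth: 0` under the checkout step's `with:` (confirm against the action's documentation whether it walks history at all). The job id `static-analysis`, the step id `datadog-static-analysis` and the job name `Datadog Static Analyzer` look copied from the static-analysis workflow and mislabel this job in run listings; `secrets-scanning` / `datadog-secrets-scanning` / `Datadog Secrets Scanner` would be clearer. The step name `Check code for comitted secrets` has a typo: `committed`.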
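Review bot: The `Run Semgrep` step runs `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash` and an unpinned `npm install -g @datadog/datadog-ci` in the same step whose `env:` carries DD_API_KEY and DD_APP_KEY, so a compromise of either download executes with those keys in its environment; the installer URL names a version but its contents are not integrity-checked. Scoping the secrets to the upload step only, using the runner's setup-node action instead of a runtime nvm install, and pinning `@datadog/datadog-ci` to a version narrows that exposure and makes the upload reproducible (confirm the Gitea runner can fetch `actions/setup-node`). The `# Should print "v22.14.0"` comments also go stale as soon as `nvm install 22` resolves to a newer 22.x, and the file ends without a trailing newline.
```yaml
    - name: Run Semgrep
      run: |
        python3 -m pip install --break-system-package semgrep
        semgrep scan --sarif -o /tmp/semgrep.sarif
    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: "22"
    - name: Upload Semgrep SARIF to Datadog
      run: |
        npm install -g @datadog/datadog-ci@<pinned-version>
        datadog-ci sarif upload /tmp/semgrep.sarif
      env:
        # … unchanged: DD_API_KEY, DD_APP_KEY, DD_SITE …
```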
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 87c3f310d..dab98c8d0 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -5,7 +5,7 @@ on: schedule: # This expression means "run every 3 minutes". Useful for testing. # To revert to the original 8-hour schedule, change this to '0 */8 * * *'. - - cron: "*/3 * * * *" + - cron: "0 */8 * * *" # To trigger manually for testing, you can add workflow_dispatch: # workflow_dispatch: @@ -60,8 +60,8 @@ jobs: DWSAuthor Eight DWSAuthor Nine DWSAuthor Ten - COMMIT_COUNT: 2 # Number of commits to create - SLEEP_SECONDS: 15 # Delay between commits in seconds + COMMIT_COUNT: 12 # Number of commits to create + SLEEP_SECONDS: 120 # Delay between commits in seconds TARGET_BRANCH: main # The branch to commit to run: |
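Review bot: The two comment lines kept above the new `cron: "0 */8 * * *"` still describe the 3-minute test schedule and tell the reader how to "revert" to the 8-hour one, so they now contradict the value beneath them; replace them with `# Run every 8 hours.` and `# For testing, temporarily change this to "*/3 * * * *".`. The enclosing `on:` mapping starts before this hunk. The second hunk (COMMIT_COUNT / SLEEP_SECONDS) continues past the end of this page and is not reviewed here.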