From 62f9885529056456af64fa45cd5ffb9192be334b Mon Sep 17 00:00:00 2001 
From: Chris Harrison <36608309+chris3ware@users.noreply.github.com> Date: Fri, 3 Mar 2023 12:48:37 +0000 Subject: [PATCH] test: required status checks on main for release workflow (#52) Currently semantic-release runs on pushes to main to bump the release version and update the CHANGELOG. It uses the 3ware-release app for authentication - which is permitted to bypass pull requests. However, due to the required status checks assigned to main branch's protection rule, the app requires Administrator permissions to bypass the checks. There are a number of long-running discussions requesting a *skip checks* feature for this type of workflow: https://github.com/community/community/discussions/13836 GitHub's documentation does provide a solution for **Handling Skipped But Required Checks**: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks > You can fix this by creating a generic workflow, with the same name, that will return true in any case similar to the workflow below This pull request removes the `[skip ci]` syntax from semantic-release's commit message. Generic workflows for the pull request title validation and lint workflows have also been added - as suggested in GitHub's docs. Admin permissions will be removed from the application for testing the new workflow.
--- .cspell.json | 3 ++ .github/dependabot.yml | 6 +-- .github/workflows/dependency-review.yml | 6 +-- .github/workflows/get-terraform-dir.yaml | 14 +++---- .github/workflows/get-workflow-token.yaml | 8 ++-- .github/workflows/lint.yaml | 24 +++++------- .github/workflows/pr-title.yaml | 11 ++---- .github/workflows/scorecard.yml | 16 ++++---- .github/workflows/semantic-release.yaml | 19 +++++----- .github/workflows/terraform-docs.yaml | 21 +++++----- .github/workflows/tfsec-pr.yaml | 10 ++--- .gitignore | 38 ------------------- .releaserc.json | 29 +++++++++++--- .../configs/.markdownlint.yaml | 0 .trunk/configs/.yamllint.yaml | 10 +++++ .trunk/trunk.yaml | 1 + CHANGELOG.md | 2 +- README.md | 2 +- 18 files changed, 103 insertions(+), 117 deletions(-) delete mode 100644 .gitignore rename .markdownlint.yaml => .trunk/configs/.markdownlint.yaml (100%) create mode 100644 .trunk/configs/.yamllint.yaml diff --git a/.cspell.json b/.cspell.json index e4b086d..ffd1059 100644 --- a/.cspell.json +++ b/.cspell.json @@ -6,9 +6,12 @@ "language": "en-GB", // words - list of words to be always considered correct "words": [ + "amannn", + "analyzer", "aquasecurity", "codeql", "conventionalcommits", + "cycjimmy", "linters", "markdownlint", "noreply", diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4eb1d53..a6819e3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,7 +5,7 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "monthly" + interval: monthly diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 880591a..29b3ea2 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -4,7 +4,7 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement -name: "Dependency Review" +name: Dependency Review on: [pull_request] permissions: @@ -14,7 +14,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: "Checkout Repository" + - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: "Dependency Review" + - name: Dependency Review uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/get-terraform-dir.yaml b/.github/workflows/get-terraform-dir.yaml index 975f69a..f82f29d 100644 --- a/.github/workflows/get-terraform-dir.yaml +++ b/.github/workflows/get-terraform-dir.yaml @@ -1,9 +1,9 @@ -name: "Terraform directory" +name: Terraform directory on: workflow_call: outputs: terraform-dir: - description: "The terraform directory to initialise" + description: The terraform directory to initialise value: ${{ jobs.terraform-directory.outputs.dir }} # Declare default permissions as read only. 
@@ -19,23 +19,23 @@ jobs: outputs: dir: ${{ steps.changed-dir.outputs.all_changed_files }} steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Get changed files" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6 - - name: "List all changed files" + - name: List all changed files run: | for file in ${{ steps.changed-files.outputs.all_changed_files }}; do echo "$file was changed" done # Find the directory where files have been changed. - - name: "Get terraform directory" + - name: Get terraform directory id: changed-dir uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6 # Step fails if nothing found. @@ -47,7 +47,7 @@ jobs: dir_names: true dir_names_exclude_root: true - - name: "List terraform directory" + - name: List terraform directory if: ${{ steps.changed-dir.conclusion == 'success'}} run: | echo "${{ steps.changed-dir.outputs.all_changed_files }}" diff --git a/.github/workflows/get-workflow-token.yaml b/.github/workflows/get-workflow-token.yaml index 5ccceaa..ee3a2f8 100644 --- a/.github/workflows/get-workflow-token.yaml +++ b/.github/workflows/get-workflow-token.yaml @@ -1,10 +1,10 @@ # This workflow generates an installation access token for GitHub authentication -name: "Generate workflow token" +name: Generate workflow token on: workflow_call: outputs: temp-token: - description: "The temporary installation access token" + description: The temporary installation access token value: ${{ jobs.get-temp-token.outputs.token }} # Declare default permissions as read only. 
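Review bot: The `List all changed files` step in this hunk still expands `${{ steps.changed-files.outputs.all_changed_files }}` directly inside `run:`, so file names taken from the pull request are substituted into the script before bash parses it; the commit only unquotes the step name and leaves this as is. GitHub's script-injection hardening guidance is to hand the output to the step through an environment variable and expand it in the shell instead: `env:` / `  CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` and `run: for file in $CHANGED_FILES; do echo "$file was changed"; done`. The same pattern appears in the `List terraform directory` step of the next hunk and in terraform-docs.yaml's `Set file path env` step, where `WORKING_DIR` and `TF_DOCS_FILE` are already job-level env vars and can be used as `echo "FILE_PATH=$WORKING_DIR/$TF_DOCS_FILE" >> "$GITHUB_ENV"`.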
@@ -17,7 +17,7 @@ jobs: outputs: token: ${{ steps.encrypt-token.outputs.encrypted-token }} steps: - - name: "Get GitHub authentication token" + - name: Get GitHub authentication token id: get-workflow-token uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0 with: @@ -25,7 +25,7 @@ jobs: application_private_key: ${{ secrets.THREEWARE_RELEASE_APPLICATION_PRIVATE_KEY }} organization: 3ware - - name: "Encrypt the token for reuse between jobs / workflows" + - name: Encrypt the token for reuse between jobs / workflows id: encrypt-token run: | ENCRYPTED_TOKEN=$(gpg --symmetric --batch --passphrase "$KEY" \ diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index c5c5247..cdcdf40 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,12 +1,8 @@ -name: "Lint" +name: Lint on: pull_request: - types: - - opened - - edited - - synchronize - branches: - - main + types: [opened, synchronize] + branches: [main] workflow_call: inputs: terraform-version: 
@@ -30,26 +26,26 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["find-terraform"] + needs: [find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Setup Terraform" + - name: Setup Terraform if: ${{ needs.find-terraform.outputs.terraform-dir != '' }} uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 with: terraform_version: ${{ inputs.terraform-version }} cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }} - #Initialise terraform in the directory where terraform file have changed. - - name: "Initialise Terraform" + # Initialise terraform in the directory where terraform file have changed. + - name: Initialise Terraform if: ${{ needs.find-terraform.outputs.terraform-dir != ''}} working-directory: ${{ needs.find-terraform.outputs.terraform-dir }} run: terraform init - - name: "Lint with trunk" - if: ${{ always() }} #Run anyway, even if no terraform + - name: Lint with trunk + if: ${{ always() }} # Run anyway, even if no terraform uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6 diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml index 06b2fec..c98c486 100644 --- a/.github/workflows/pr-title.yaml +++ b/.github/workflows/pr-title.yaml @@ -1,12 +1,9 @@ -name: "Validate PR title" +name: Validate PR title on: pull_request_target: - types: - - opened - - edited - - synchronize - workflow_call: + types: [opened, edited] + workflow_call: {} # Declare default permissions as read only. permissions: read-all 
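Review bot: The `Initialise Terraform` condition `if: ${{ needs.find-terraform.outputs.terraform-dir != ''}}` is missing the space before `}}` that the `Setup Terraform` step's otherwise identical condition has; since this commit is a formatting pass over these workflows, normalising it to `!= '' }}` would keep the two conditions textually identical and easy to compare. The same closing-brace spacing appears in get-terraform-dir.yaml's `List terraform directory` condition. The lint job's definition begins before this hunk.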
@@ -22,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - name: "Validate pull request title is conventional" + - name: Validate pull request title is conventional uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # v5.1.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 26c83a1..165bc91 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -2,7 +2,7 @@ # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. -name: "Scorecard supply-chain security" +name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection @@ -10,16 +10,16 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: "27 7 * * 6" + - cron: 27 7 * * 6 push: - branches: ["main"] + branches: [main] # Declare default permissions as read only. permissions: read-all jobs: analysis: - name: "Scorecard analysis" + name: Scorecard analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. @@ -31,12 +31,12 @@ jobs: # actions: read steps: - - name: "Checkout code" + - name: Checkout code uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - - name: "Run analysis" + - name: Run analysis uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif 
@@ -58,7 +58,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - - name: "Upload artifact" + - name: Upload artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file @@ -66,7 +66,7 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" + - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml index f794fe1..a135deb 100644 --- a/.github/workflows/semantic-release.yaml +++ b/.github/workflows/semantic-release.yaml @@ -1,11 +1,10 @@ -name: "Semantic Release" +name: Semantic Release on: - workflow_dispatch: - workflow_call: + workflow_dispatch: {} + workflow_call: {} push: - branches: - - main + branches: [main] # Declare default permissions as read only. permissions: read-all @@ -21,14 +20,14 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["get-temp-token"] + needs: [get-temp-token] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Decrypt the installation access token" + - name: Decrypt the installation access token id: decrypt-token run: | DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \ @@ -39,7 +38,7 @@ jobs: env: KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} - - name: "Create GitHub release and update CHANGELOG" + - name: Create GitHub release and update CHANGELOG if: ${{ ! env.ACT }} uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0 with: 
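Review bot: Nothing in the semantic-release.yaml hunks, or elsewhere in the diffstat, implements what the commit message describes: no generic same-name `Lint` or `Validate PR title` workflow is added, and the two `.releaserc.json` hunks only reflow JSON, so the removal of `[skip ci]` from the release commit message is not visible here either. If those pieces landed in another commit, the `Create GitHub release and update CHANGELOG` step deserves a comment saying where, e.g. `# Release pushes to main must pass the branch's required checks; pass-through workflows live in <ADD: commit or PR ref>`; if they did not, then by the description's own reasoning the release push would still be blocked once admin bypass is removed from the app. The step's `with:` block continues outside the hunk.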
@@ -51,7 +50,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.decrypt-token.outputs.temp-token }} - - name: "Local test release" + - name: Local test release if: ${{ env.ACT }} uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0 with: diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml index a91387f..acfe0c4 100644 --- a/.github/workflows/terraform-docs.yaml +++ b/.github/workflows/terraform-docs.yaml @@ -1,6 +1,5 @@ -name: "Generate terraform docs" -on: - workflow_call: +name: Generate terraform docs +on: workflow_call # Declare default permissions as read only. permissions: read-all @@ -28,15 +27,15 @@ jobs: env: WORKING_DIR: ${{ needs.find-terraform.outputs.terraform-dir }} TF_DOCS_FILE: README.md - needs: ["get-temp-token", "find-terraform"] + needs: [get-temp-token, find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.ref }} persist-credentials: false - - name: "Decrypt the installation access token" + - name: Decrypt the installation access token id: decrypt-token run: | DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \ @@ -47,7 +46,7 @@ jobs: env: KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} - - name: "Render terraform docs" + - name: Render terraform docs id: terraform-docs uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0 with: 
@@ -55,12 +54,12 @@ jobs: output-file: ${{ env.TF_DOCS_FILE }} output-method: inject - - name: "Set file path env" + - name: Set file path env run: echo "FILE_PATH=${{ env.WORKING_DIR }}/${{ env.TF_DOCS_FILE }}" >> $GITHUB_ENV # Use the REST API to commit changes, so we get automatic commit signing # Only run this job if the file has changed to prevent empty commits - - name: "Push changes back to PR with signature" + - name: Push changes back to PR with signature id: push-with-sig if: ${{ steps.terraform-docs.outputs.num_changed != 0 }} env: @@ -78,14 +77,14 @@ jobs: --field branch="$DESTINATION_BRANCH" \ --field sha="$SHA" - - name: "Summary if skipped" + - name: Summary if skipped if: ${{ steps.push-with-sig.conclusion == 'skipped' }} run: | echo "### Push Skipped" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "Changes were not made to ${{ env.FILE_PATH }} on this run" >> $GITHUB_STEP_SUMMARY - - name: "Summary if successful" + - name: Summary if successful if: ${{ steps.push-with-sig.conclusion == 'success' }} env: BRANCH: ${{ github.head_ref }} diff --git a/.github/workflows/tfsec-pr.yaml b/.github/workflows/tfsec-pr.yaml index 8a0180d..776cf71 100644 --- a/.github/workflows/tfsec-pr.yaml +++ b/.github/workflows/tfsec-pr.yaml @@ -1,10 +1,10 @@ -name: "tfsec Code Analysis" +name: tfsec Code Analysis on: workflow_call: inputs: tfsec_args: - description: "Command line arguments to pass to tfsec." + description: Command line arguments to pass to tfsec. default: "" required: false type: string 
@@ -27,15 +27,15 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["find-terraform"] + needs: [find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Add tfsec comments to pull request" + - name: Add tfsec comments to pull request uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore deleted file mode 100644 index b7c587c..0000000 --- a/.gitignore +++ /dev/null @@ -1,38 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sentitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject -# to change depending on the environment. -# -# *.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -# Ignore CLI configuration files -.terraformrc -terraform.rc - -# Exclude pem files used for authentication -*.pem diff --git a/.releaserc.json b/.releaserc.json index 47bda2a..7874c95 100644 --- a/.releaserc.json +++ b/.releaserc.json 
@@ -6,8 +6,15 @@ { "preset": "conventionalcommits", "releaseRules": [ - { "type": "refactor", "release": "minor" }, - { "type": "chore", "scope": "deps", "release": "patch" } + { + "type": "refactor", + "release": "minor" + }, + { + "type": "chore", + "scope": "deps", + "release": "patch" + } ] } ], @@ -17,9 +24,21 @@ "preset": "conventionalcommits", "presetConfig": { "types": [ - { "type": "refactor", "section": "Enhancement", "hidden": false }, - { "type": "feat", "section": "Features", "hidden": false }, - { "type": "fix", "section": "Bug Fixes", "hidden": false }, + { + "type": "refactor", + "section": "Enhancement", + "hidden": false + }, + { + "type": "feat", + "section": "Features", + "hidden": false + }, + { + "type": "fix", + "section": "Bug Fixes", + "hidden": false + }, { "type": "chore", "scope": "deps", diff --git a/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml similarity index 100% rename from .markdownlint.yaml rename to .trunk/configs/.markdownlint.yaml diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml new file mode 100644 index 0000000..4d44466 --- /dev/null +++ b/.trunk/configs/.yamllint.yaml @@ -0,0 +1,10 @@ +rules: + quoted-strings: + required: only-when-needed + extra-allowed: ["{|}"] + empty-values: + forbid-in-block-mappings: true + forbid-in-flow-mappings: true + key-duplicates: {} + octal-values: + forbid-implicit-octal: true diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index df954e6..9844b0e 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -8,6 +8,7 @@ plugins: uri: https://github.com/trunk-io/plugins lint: enabled: + - yamllint@1.29.0 - cspell@6.22.0 - gitleaks@8.15.3 - actionlint@1.6.23 diff --git a/CHANGELOG.md b/CHANGELOG.md index a21f91c..f2d6aa4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
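Review bot: The new `.trunk/configs/.yamllint.yaml` lists four rules without an `extends:` line, and as far as I recall yamllint then enables only the rules named in the file, so indentation, trailing-spaces, line-length, truthy and the rest are silently off for every file the new trunk `yamllint@1.29.0` entry scans. If that is intentional, a header comment would save the next reader the check: `# Deliberately no 'extends: default': only the quoting, empty-value, duplicate-key and octal rules are enforced`. If not, add `extends: default` at the top, and expect `truthy` to then flag the `on:` key in the workflow files, which needs `truthy: { check-keys: false }` alongside it.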
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. ### Bug Fixes -* pin workflow dependancies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424)) +* pin workflow dependencies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424)) ## [1.9.2](https://github.com/3ware/workflows/compare/v1.9.1...v1.9.2) (2023-02-24) diff --git a/README.md b/README.md index 3e01554..6b60074 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # 3ware reusable workflows -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://github.com/3ware/workflows/actions/workflows/lint.yaml/badge.svg)](https://github.com/3ware/workflows/actions/workflows/lint.yaml) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://img.shields.io/github/actions/workflow/status/3ware/workflows/lint.yaml?label=CI&logo=githubactions&logoColor=white)](https://github.com/3ware/workflows/actions/workflows/lint.yaml) The repository contains [GitHub Action](https://docs.github.com/en/actions) [reusable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows) that can be consumed by other repositories.