diff --git a/.cspell.json b/.cspell.json
index e4b086d..ffd1059 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -6,9 +6,12 @@ "language": "en-GB", // words - list of words to be always considered correct "words": [ + "amannn", + "analyzer", "aquasecurity", "codeql", "conventionalcommits", + "cycjimmy", "linters", "markdownlint", "noreply",
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4eb1d53..a6819e3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,7 +5,7 @@ version: 2 updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "monthly" + interval: monthly
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 880591a..29b3ea2 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,7 +4,7 @@ # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement -name: "Dependency Review" +name: Dependency Review on: [pull_request] permissions:
@@ -14,7 +14,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: "Checkout Repository" + - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: "Dependency Review" + - name: Dependency Review uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/get-terraform-dir.yaml b/.github/workflows/get-terraform-dir.yaml
index 975f69a..f82f29d 100644
--- a/.github/workflows/get-terraform-dir.yaml
+++ b/.github/workflows/get-terraform-dir.yaml
@@ -1,9 +1,9 @@ -name: "Terraform directory" +name: Terraform directory on: workflow_call: outputs: terraform-dir: - description: "The terraform directory to initialise" + description: The terraform directory to initialise value: ${{ jobs.terraform-directory.outputs.dir }} # Declare default permissions as read only.
@@ -19,23 +19,23 @@ jobs: outputs: dir: ${{ steps.changed-dir.outputs.all_changed_files }} steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Get changed files" + - name: Get changed files id: changed-files uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6 - - name: "List all changed files" + - name: List all changed files run: | for file in ${{ steps.changed-files.outputs.all_changed_files }}; do echo "$file was changed" done # Find the directory where files have been changed. - - name: "Get terraform directory" + - name: Get terraform directory id: changed-dir uses: tj-actions/changed-files@23e3c4300cb904a9d9c36fc2df4111a2fa9b9ff1 # v35.5.6 # Step fails if nothing found.
@@ -47,7 +47,7 @@ jobs: dir_names: true dir_names_exclude_root: true - - name: "List terraform directory" + - name: List terraform directory if: ${{ steps.changed-dir.conclusion == 'success'}} run: | echo "${{ steps.changed-dir.outputs.all_changed_files }}"
diff --git a/.github/workflows/get-workflow-token.yaml b/.github/workflows/get-workflow-token.yaml
index 5ccceaa..ee3a2f8 100644
--- a/.github/workflows/get-workflow-token.yaml
+++ b/.github/workflows/get-workflow-token.yaml
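Review bot: In get-terraform-dir.yaml the `List all changed files` step still writes `${{ steps.changed-files.outputs.all_changed_files }}` straight into the `run` script, so the file list is substituted into the shell text before it executes; this hunk only renames the step and leaves that in place. When the workflow is called from a pull request those paths are chosen by the contributor, so the safer shape is to hand the output over through the environment, `env:` with `CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}` on the step, and loop with `for file in $CHANGED_FILES; do`. The `List terraform directory` step in the next hunk and the `Set file path env` step in terraform-docs.yaml, which appends `FILE_PATH=${{ env.WORKING_DIR }}/...` to `$GITHUB_ENV`, interpolate the same kind of output and would benefit from the same indirection. The `terraform-directory` job begins before this hunk.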
@@ -1,10 +1,10 @@ # This workflow generates an installation access token for GitHub authentication -name: "Generate workflow token" +name: Generate workflow token on: workflow_call: outputs: temp-token: - description: "The temporary installation access token" + description: The temporary installation access token value: ${{ jobs.get-temp-token.outputs.token }} # Declare default permissions as read only.
@@ -17,7 +17,7 @@ jobs: outputs: token: ${{ steps.encrypt-token.outputs.encrypted-token }} steps: - - name: "Get GitHub authentication token" + - name: Get GitHub authentication token id: get-workflow-token uses: peter-murray/workflow-application-token-action@8e1ba3bf1619726336414f1014e37f17fbadf1db # v2.1.0 with:
@@ -25,7 +25,7 @@ jobs: application_private_key: ${{ secrets.THREEWARE_RELEASE_APPLICATION_PRIVATE_KEY }} organization: 3ware - - name: "Encrypt the token for reuse between jobs / workflows" + - name: Encrypt the token for reuse between jobs / workflows id: encrypt-token run: | ENCRYPTED_TOKEN=$(gpg --symmetric --batch --passphrase "$KEY" \
diff --git a/.github/workflows/lint-main.yaml b/.github/workflows/lint-main.yaml
new file mode 100644
index 0000000..2b0e78b
--- /dev/null
+++ b/.github/workflows/lint-main.yaml
@@ -0,0 +1,24 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: Lint
+
+on:
+ push:
+ branches: [main]
+ workflow_call: {}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Lint with trunk
+ run: echo "No linting required"
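Review bot: lint-main.yaml uses `name: Lint` and the concurrency group `${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true`, while lint.yaml keeps the same `name: Lint`, gains the same `push: branches: [main]` trigger in this commit, and uses the identical group expression on its job. Concurrency groups are keyed by the resolved string across the repository rather than per workflow file, so as far as I can tell a push to main would place both runs in one group and one of them would cancel the other, which undercuts the stated purpose of guaranteeing a passing required check. If both are meant to run on main, give this placeholder its own group, e.g. `group: ${{ github.workflow }}-main-${{ github.ref }}`, or drop the `push` trigger from lint.yaml. The same name pairing exists for pr-title-main.yaml, though pr-title.yaml has no `push` trigger so it is not affected.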
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index c5c5247..6790cca 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,12 +1,10 @@ -name: "Lint" +name: Lint on: + push: + branches: [main] pull_request: - types: - opened - edited - synchronize - branches: - main + types: [opened, synchronize] + branches: [main] workflow_call: inputs: terraform-version:
@@ -30,26 +28,26 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["find-terraform"] + needs: [find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Setup Terraform" + - name: Setup Terraform if: ${{ needs.find-terraform.outputs.terraform-dir != '' }} uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 with: terraform_version: ${{ inputs.terraform-version }} cli_config_credentials_token: ${{ secrets.TF_TOKEN_APP_TERRAFORM_IO }} - #Initialise terraform in the directory where terraform file have changed. - - name: "Initialise Terraform" + # Initialise terraform in the directory where terraform file have changed. + - name: Initialise Terraform if: ${{ needs.find-terraform.outputs.terraform-dir != ''}} working-directory: ${{ needs.find-terraform.outputs.terraform-dir }} run: terraform init - - name: "Lint with trunk" - if: ${{ always() }} #Run anyway, even if no terraform + - name: Lint with trunk + if: ${{ always() }} # Run anyway, even if no terraform uses: trunk-io/trunk-action@9cf65e08e822e9842fd9ef7ed2a2bd9092de0986 # v1.0.6
diff --git a/.github/workflows/pr-title-main.yaml b/.github/workflows/pr-title-main.yaml
new file mode 100644
index 0000000..78ad5c9
--- /dev/null
+++ b/.github/workflows/pr-title-main.yaml
@@ -0,0 +1,24 @@
+# Generic workflow, that runs on main, so required_status_checks pass
+# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks
+
+name: Validate PR title
+
+on:
+ push:
+ branches: [main]
+ workflow_call: {}
+
+# Declare default permissions as read only.
+permissions: read-all
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ conventional-pr-title:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Validate pull request title is conventional
+ run: echo "No pull request title to check"
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index 06b2fec..c98c486 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -1,12 +1,9 @@ -name: "Validate PR title" +name: Validate PR title on: pull_request_target: - types: - opened - edited - synchronize - workflow_call: + types: [opened, edited] + workflow_call: {} # Declare default permissions as read only. permissions: read-all
@@ -22,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - name: "Validate pull request title is conventional" + - name: Validate pull request title is conventional uses: amannn/action-semantic-pull-request@b6bca70dcd3e56e896605356ce09b76f7e1e0d39 # v5.1.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 26c83a1..165bc91 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -2,7 +2,7 @@ # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. -name: "Scorecard supply-chain security" +name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -10,16 +10,16 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: "27 7 * * 6" + - cron: 27 7 * * 6 push: - branches: ["main"] + branches: [main] # Declare default permissions as read only. permissions: read-all jobs: analysis: - name: "Scorecard analysis" + name: Scorecard analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard.
@@ -31,12 +31,12 @@ jobs: # actions: read steps: - - name: "Checkout code" + - name: Checkout code uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - - name: "Run analysis" + - name: Run analysis uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 with: results_file: results.sarif
@@ -58,7 +58,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - - name: "Upload artifact" + - name: Upload artifact uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 with: name: SARIF file
@@ -66,7 +66,7 @@ jobs: retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" + - name: Upload to code-scanning uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 with: sarif_file: results.sarif
diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml
index f794fe1..a135deb 100644
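Review bot: `cron: 27 7 * * 6` in scorecard.yml now relies on plain-scalar parsing: it loads as a string only because the first field is a digit, whereas a schedule that begins with `*` would be read as a YAML alias and the file would fail to load. That is consistent with the new `quoted-strings: required: only-when-needed` rule, which would flag the quoted form as redundant, but it is a trap for the next person who edits the schedule. If you would rather keep cron values quoted, allow them in `.trunk/configs/.yamllint.yaml` with something like `extra-allowed: ["{|}", "^[0-9*/,-]+( [0-9*/,-]+){4}$"]` (pattern illustrative).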
--- a/.github/workflows/semantic-release.yaml
+++ b/.github/workflows/semantic-release.yaml
@@ -1,11 +1,10 @@ -name: "Semantic Release" +name: Semantic Release on: - workflow_dispatch: - workflow_call: + workflow_dispatch: {} + workflow_call: {} push: - branches: - main + branches: [main] # Declare default permissions as read only. permissions: read-all
@@ -21,14 +20,14 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["get-temp-token"] + needs: [get-temp-token] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Decrypt the installation access token" + - name: Decrypt the installation access token id: decrypt-token run: | DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -39,7 +38,7 @@ jobs: env: KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} - - name: "Create GitHub release and update CHANGELOG" + - name: Create GitHub release and update CHANGELOG if: ${{ ! env.ACT }} uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0 with:
@@ -51,7 +50,7 @@ jobs: env: GITHUB_TOKEN: ${{ steps.decrypt-token.outputs.temp-token }} - - name: "Local test release" + - name: Local test release if: ${{ env.ACT }} uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0 with:
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
index a91387f..acfe0c4 100644
--- a/.github/workflows/terraform-docs.yaml
+++ b/.github/workflows/terraform-docs.yaml
@@ -1,6 +1,5 @@ -name: "Generate terraform docs" -on: - workflow_call: +name: Generate terraform docs +on: workflow_call # Declare default permissions as read only. permissions: read-all
@@ -28,15 +27,15 @@ jobs: env: WORKING_DIR: ${{ needs.find-terraform.outputs.terraform-dir }} TF_DOCS_FILE: README.md - needs: ["get-temp-token", "find-terraform"] + needs: [get-temp-token, find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.ref }} persist-credentials: false - - name: "Decrypt the installation access token" + - name: Decrypt the installation access token id: decrypt-token run: | DECRYPTED_TOKEN=$(gpg --decrypt --quiet --batch --passphrase "$KEY" \
@@ -47,7 +46,7 @@ jobs: env: KEY: ${{ secrets.PGP_SECRET_SIGNING_PASSPHRASE }} - - name: "Render terraform docs" + - name: Render terraform docs id: terraform-docs uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0 with:
@@ -55,12 +54,12 @@ jobs: output-file: ${{ env.TF_DOCS_FILE }} output-method: inject - - name: "Set file path env" + - name: Set file path env run: echo "FILE_PATH=${{ env.WORKING_DIR }}/${{ env.TF_DOCS_FILE }}" >> $GITHUB_ENV # Use the REST API to commit changes, so we get automatic commit signing # Only run this job if the file has changed to prevent empty commits - - name: "Push changes back to PR with signature" + - name: Push changes back to PR with signature id: push-with-sig if: ${{ steps.terraform-docs.outputs.num_changed != 0 }} env:
@@ -78,14 +77,14 @@ jobs: --field branch="$DESTINATION_BRANCH" \ --field sha="$SHA" - - name: "Summary if skipped" + - name: Summary if skipped if: ${{ steps.push-with-sig.conclusion == 'skipped' }} run: | echo "### Push Skipped" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "Changes were not made to ${{ env.FILE_PATH }} on this run" >> $GITHUB_STEP_SUMMARY - - name: "Summary if successful" + - name: Summary if successful if: ${{ steps.push-with-sig.conclusion == 'success' }} env: BRANCH: ${{ github.head_ref }}
diff --git a/.github/workflows/tfsec-pr.yaml b/.github/workflows/tfsec-pr.yaml
index 8a0180d..776cf71 100644
--- a/.github/workflows/tfsec-pr.yaml
+++ b/.github/workflows/tfsec-pr.yaml
@@ -1,10 +1,10 @@ -name: "tfsec Code Analysis" +name: tfsec Code Analysis on: workflow_call: inputs: tfsec_args: - description: "Command line arguments to pass to tfsec." + description: Command line arguments to pass to tfsec. default: "" required: false type: string
@@ -27,15 +27,15 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true - needs: ["find-terraform"] + needs: [find-terraform] steps: - - name: "Checkout repository" + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: persist-credentials: false - - name: "Add tfsec comments to pull request" + - name: Add tfsec comments to pull request uses: aquasecurity/tfsec-pr-commenter-action@7a44c5dcde5dfab737363e391800629e27b6376b # v1.3.1 with: github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index b7c587c..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,38 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-#
-# *.tfvars
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
-
-# Exclude pem files used for authentication
-*.pem
diff --git a/.releaserc.json b/.releaserc.json
index 47bda2a..bc5e1e3 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -6,8 +6,15 @@ { "preset": "conventionalcommits", "releaseRules": [ - { "type": "refactor", "release": "minor" }, - { "type": "chore", "scope": "deps", "release": "patch" } + { + "type": "refactor", + "release": "minor" + }, + { + "type": "chore", + "scope": "deps", + "release": "patch" + } ] } ],
@@ -17,9 +24,21 @@ "preset": "conventionalcommits", "presetConfig": { "types": [ - { "type": "refactor", "section": "Enhancement", "hidden": false }, - { "type": "feat", "section": "Features", "hidden": false }, - { "type": "fix", "section": "Bug Fixes", "hidden": false }, + { + "type": "refactor", + "section": "Enhancement", + "hidden": false + }, + { + "type": "feat", + "section": "Features", + "hidden": false + }, + { + "type": "fix", + "section": "Bug Fixes", + "hidden": false + }, { "type": "chore", "scope": "deps",
@@ -49,7 +68,7 @@ "@semantic-release/git", { "assets": ["CHANGELOG.md"], - "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + "message": "chore(release): version ${nextRelease.version}\n\n${nextRelease.notes}" } ] ]
diff --git a/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml
similarity index 100%
rename from .markdownlint.yaml
rename to .trunk/configs/.markdownlint.yaml
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
new file mode 100644
index 0000000..4d44466
--- /dev/null
+++ b/.trunk/configs/.yamllint.yaml
@@ -0,0 +1,10 @@
+rules:
+ quoted-strings:
+ required: only-when-needed
+ extra-allowed: ["{|}"]
+ empty-values:
+ forbid-in-block-mappings: true
+ forbid-in-flow-mappings: true
+ key-duplicates: {}
+ octal-values:
+ forbid-implicit-octal: true
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index df954e6..9844b0e 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -8,6 +8,7 @@ plugins: uri: https://github.com/trunk-io/plugins lint: enabled: + - yamllint@1.29.0 - cspell@6.22.0 - gitleaks@8.15.3 - actionlint@1.6.23
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a21f91c..f2d6aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. ### Bug Fixes -* pin workflow dependancies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424)) +* pin workflow dependencies to hash ([#45](https://github.com/3ware/workflows/issues/45)) ([e62a20b](https://github.com/3ware/workflows/commit/e62a20bd57926694764d3af20a81d6c5ebf4b424)) ## [1.9.2](https://github.com/3ware/workflows/compare/v1.9.1...v1.9.2) (2023-02-24)
diff --git a/README.md b/README.md
index 3e01554..6b60074 100644
--- a/README.md
+++ b/README.md
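Review bot: Removing `[skip ci]` from the `message` in .releaserc.json means the `chore(release): version ...` commit that @semantic-release/git pushes to main will now start every workflow with a `push: branches: [main]` trigger, including semantic-release.yaml itself, assuming the push is made with the installation token from get-workflow-token.yaml, since App tokens trigger workflows where GITHUB_TOKEN does not. The `releaseRules` in the earlier hunk of this file only promote `chore` with scope `deps`, so the re-run should conclude there is nothing to release, but it still spends a token-minting and release job per release and reads like a loop to anyone tracing the triggers. If the goal is to get status checks onto the release commit, consider guarding the release job in semantic-release.yaml with `if: ${{ !startsWith(github.event.head_commit.message, 'chore(release)') }}` and recording the reason for dropping `[skip ci]` in a comment beside that workflow's `push` trigger, since JSON has no room for one.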
@@ -1,6 +1,6 @@ # 3ware reusable workflows -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://github.com/3ware/workflows/actions/workflows/lint.yaml/badge.svg)](https://github.com/3ware/workflows/actions/workflows/lint.yaml) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://img.shields.io/github/actions/workflow/status/3ware/workflows/lint.yaml?label=CI&logo=githubactions&logoColor=white)](https://github.com/3ware/workflows/actions/workflows/lint.yaml) The repository contains [GitHub Action](https://docs.github.com/en/actions) [reusable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows) that can be consumed by other repositories.