From ad9622e261367490fa90f6d99b9026a28b2304b5 Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:12:47 +0200
Subject: [PATCH 1/8] chore: Update pre-commit repos to the latest versions
---
 .pre-commit-config.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 087cdd1..c759f3d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/gruntwork-io/pre-commit
- rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+ rev: "v0.1.22" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
 hooks:
 - id: tflint
 args:
@@ -10,19 +10,19 @@ repos:
 - id: terraform-fmt
 - repo: https://github.com/terraform-docs/terraform-docs
- rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
 hooks:
 - id: terraform-docs-go
 args: ["."]
 - repo: https://github.com/bridgecrewio/checkov.git
- rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+ rev: "2.4.48" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
 hooks:
 - id: checkov
 args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+ rev: "v4.4.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
 hooks:
 - id: check-merge-conflict
 - id: end-of-file-fixer
From 01e79fc74b0b3010cdd78e958377ae9c2c059585 Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:13:21 +0200
Subject: [PATCH 2/8] chore: Add Dependabot configuration file (github-actions and terraform)
---
 .github/dependabot.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..a40036f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,40 @@
+version: 2
+updates:
+
+ # GitHub actions
+ - package-ecosystem: "github-actions"
+ directory: "/" # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ # Terraform
+ - package-ecosystem: "terraform"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ - package-ecosystem: "terraform"
+ directory: "/examples/complete/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
+
+ - package-ecosystem: "terraform"
+ directory: "/examples/simple/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore: "
+ labels:
+ - "release/patch"
\ No newline at end of file
From e99cfc939859675cb901312188cd6a4d72d5f36f Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:14:48 +0200
Subject: [PATCH 3/8] chore: Remove tf-docs workflow
---
 .github/workflows/documentation.yml | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 .github/workflows/documentation.yml
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
deleted file mode 100644
index 7ec13ba..0000000
--- a/.github/workflows/documentation.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Generate terraform docs
-on:
- - pull_request
-jobs:
- docs:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.ref }}
-
- - name: Render terraform docs inside the README.md and push changes back to PR branch
- uses: terraform-docs/gh-actions@v1.0.0
- with:
- working-dir: .
- config-file: .terraform-docs.yml
- git-push: "true"
From a20afd343cfb5d8f67d65cbf782c0f6b4b076898 Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:15:35 +0200
Subject: [PATCH 4/8] ci: Change all workflows to call reusable workflows from getindata/github-workflows repository
---
 .github/workflows/pr-title.yml | 40 +----------------
 .github/workflows/pre-commit.yml | 75 +-------------------------------
 .github/workflows/release.yml | 62 +-------------------------
 3 files changed, 5 insertions(+), 172 deletions(-)
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index 23b8c9d..c3af025 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -9,42 +9,4 @@ on:
 jobs:
 main:
- name: Validate PR title
- runs-on: ubuntu-latest
- steps:
- # Please look up the latest version from
- # https://github.com/amannn/action-semantic-pull-request/releases
- - uses: amannn/action-semantic-pull-request@v4
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- # Configure which types are allowed.
- # Default: https://github.com/commitizen/conventional-commit-types
- types: |
- feat
- fix
- improvement
- docs
- refactor
- test
- ci
- chore
- # Configure that a scope must always be provided.
- requireScope: false
- # Configure additional validation for the subject based on a regex.
- # This example ensures the subject starts with an uppercase character.
- subjectPattern: ^[A-Z].+$
- # If `subjectPattern` is configured, you can use this property to override
- # the default error message that is shown when the pattern doesn't match.
- # The variables `subject` and `title` can be used within the message.
- subjectPatternError: |
- The subject "{subject}" found in the pull request title "{title}"
- didn't match the configured pattern. Please ensure that the subject
- starts with an uppercase character.
- # For work-in-progress PRs you can typically use draft pull requests
- # from Github. However, private repositories on the free plan don't have
- # this option and therefore this action allows you to opt-in to using the
- # special "[WIP]" prefix to indicate this state. This will avoid the
- # validation of the PR title and the pull request checks remain pending.
- # Note that a second check will be reported if this is enabled.
- wip: true
+ uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.0
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 7db5a4a..41aaddb 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
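Review bot: The added `uses:` line pins the reusable workflow to the mutable tag `@v0.3.0`, so whoever can move that tag in getindata/github-workflows changes what this job runs with this repository's token; the same applies to the `uses:` lines added in the pre-commit.yml and release.yml hunks of this commit. Pin the callee to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@<commit-sha> # v0.3.0`; the Dependabot github-actions updater added in PATCH 2/8 should then keep the SHA and the comment in step. The removed job passed `GITHUB_TOKEN` explicitly while the new caller passes nothing, so whether the callee needs `secrets:` or a `permissions:` block here is not visible in this hunk and should be checked against the callee. The `on:` block of this workflow is outside the hunk.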
@@ -6,77 +6,6 @@ on:
 - main
 - master
-env:
- TERRAFORM_DOCS_VERSION: v0.16.0
-
 jobs:
- collectInputs:
- name: Collect workflow inputs
- runs-on: ubuntu-latest
- outputs:
- directories: ${{ steps.dirs.outputs.directories }}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Get root directories
- id: dirs
- uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
- preCommitMinVersions:
- name: Min TF pre-commit
- needs: collectInputs
- runs-on: ubuntu-latest
- strategy:
- matrix:
- directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/terraform-min-max@v1.0.3
- with:
- directory: ${{ matrix.directory }}
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory != '.' }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- args: "terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
- # Run only validate pre-commit check on min version supported
- if: ${{ matrix.directory == '.' }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.minVersion }}
- args: "terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)"
- preCommitMaxVersion:
- name: Max TF pre-commit
- runs-on: ubuntu-latest
- needs: collectInputs
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.ref }}
- repository: ${{github.event.pull_request.head.repo.full_name}}
- - name: Terraform min/max versions
- id: minMax
- uses: clowdhaus/terraform-min-max@v1.0.3
- # Step required as tflint pre-commit hook requires module to be initialised
- - run: terraform init
- - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
- with:
- terraform-version: ${{ steps.minMax.outputs.maxVersion }}
- terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
- # tflint-version: ${{ env.TFLINT_VERSION }} # use this version with "Invicton-Labs/deepmerge/null" module
+ main:
+ uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b533188..d047bdd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,67 +1,9 @@
 name: Create new release with changelog
 on:
- pull_request:
+ pull_request_target:
 types: [closed]
 jobs:
 release:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- with:
- fetch-depth: 100
-
- - name: Check release label
- id: release-label
- uses: actions-ecosystem/action-release-label@v1
- if: ${{ github.event.pull_request.merged == true }}
-
- - name: Get latest tag
- id: get-latest-tag
- uses: actions-ecosystem/action-get-latest-tag@v1
- if: ${{ steps.release-label.outputs.level != null }}
-
- - name: Bump semantic version
- id: bump-semver
- uses: actions-ecosystem/action-bump-semver@v1
- if: ${{ steps.release-label.outputs.level != null }}
- with:
- current_version: ${{ steps.get-latest-tag.outputs.tag }}
- level: ${{ steps.release-label.outputs.level }}
-
- - name: Tag release
- id: tag-relese
- uses: actions-ecosystem/action-push-tag@v1
- if: ${{ steps.release-label.outputs.level != null }}
- with:
- tag: ${{ steps.bump-semver.outputs.new_version }}
- message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}"
-
- - name: Generate new release with changelog
- id: release-with-changelog
- uses: fregante/release-with-changelog@v3
- if: ${{ steps.bump-semver.outputs.new_version != null }}
- with:
- token: "${{ secrets.GITHUB_TOKEN }}"
- exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+'
- tag: "${{ steps.bump-semver.outputs.new_version }}"
- title: "Version ${{ steps.bump-semver.outputs.new_version }}"
- commit-template: "- {title} ← {hash}"
- skip-on-empty: true
- template: |
- ### Changelog
-
- {commits}
-
- {range}
-
- - name: Comment PR
- id: add-comment
- uses: actions-ecosystem/action-create-comment@v1
- if: ${{ steps.bump-semver.outputs.new_version != null }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- number: ${{ steps.get-merged-pull-request.outputs.number }}
- body: |
- The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada:
+ uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v0.3.0
From fa8d70d72d9cd03a143f7f978ff2686c25ff99fe Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:23:40 +0200
Subject: [PATCH 5/8] chore: Format yaml file
---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a40036f..3ad7457 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -37,4 +37,4 @@ updates:
 commit-message:
 prefix: "chore: "
 labels:
- - "release/patch"
\ No newline at end of file
+ - "release/patch"
From dbc80c860c02fbf66a9b3b8a751fed6587ebbcb5 Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 11:36:24 +0200
Subject: [PATCH 6/8] chore: Skip checkov check CKV_TF_1
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c759f3d..2e3de10 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,7 +19,7 @@ repos:
 rev: "2.4.48" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
 hooks:
 - id: checkov
- args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
+ args: [--skip-check, "CKV2_GHA_1,CKV_TF_1"] #False positive for top-level permissions
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: "v4.4.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
From 0b26649d49400f00b3f4ee20f5ced5555f6837df Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 12:04:34 +0200
Subject: [PATCH 7/8] chore: Change order of pre-commit hooks
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
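Review bot: Replacing `pull_request:` with `pull_request_target:` on the new side makes the called `gh-create-release.yml@v0.3.0` run in the base repository's context with a write-capable `GITHUB_TOKEN` and repository secrets, including for PRs from forks; that is presumably what the release tagging needs, but the safety now rests entirely on the callee, whose contents are not in this diff. Worth confirming that the callee never checks out or runs PR-head content and that it still gates on `github.event.pull_request.merged == true`, which the removed release-label step enforced and `types: [closed]` alone does not. Since the whole file is in the hunk we can also see the caller sets no `permissions:`, so the callee receives whatever the repository default grants; a caller-side block such as `permissions: { contents: write, pull-requests: write }` (if the callee still tags and comments) keeps least privilege visible here. Record the trigger rationale above it so the next reader does not revert it, e.g. `# pull_request_target: needs base-repo token/secrets to push the tag; callee must not execute PR-head code`.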
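Review bot: The new skip value `"CKV2_GHA_1,CKV_TF_1"` is explained by a comment that still only covers CKV2_GHA_1; CKV_TF_1 is checkov's check that Terraform module sources are pinned to a commit hash, so skipping it relaxes a supply-chain control repo-wide and is a policy decision rather than a false positive. Say so where the skip lives, e.g. `args: [--skip-check, "CKV2_GHA_1,CKV_TF_1"]  # CKV2_GHA_1: false positive for top-level permissions; CKV_TF_1: module sources pinned by version tag, not commit hash (accepted)`, adjusting the second clause if the actual reason differs. That line also fixes the yamllint comment spacing (two spaces before `#`, one after), which the commit's `#False` leaves wrong.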
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2e3de10..c998ed4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,12 +2,12 @@ repos:
 - repo: https://github.com/gruntwork-io/pre-commit
 rev: "v0.1.22" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
 hooks:
+ - id: terraform-validate
+ - id: terraform-fmt
 - id: tflint
 args:
 - --module
 - --config=.tflint.hcl
- - id: terraform-validate
- - id: terraform-fmt
 - repo: https://github.com/terraform-docs/terraform-docs
 rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
From bc9837b8a7066e1a45c0740a5a06ca09196240e9 Mon Sep 17 00:00:00 2001
From: Kacper Muda
Date: Tue, 26 Sep 2023 12:24:09 +0200
Subject: [PATCH 8/8] chore: Add comment to pre-commit hooks.
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c998ed4..1df8171 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@ repos:
 - repo: https://github.com/gruntwork-io/pre-commit
 rev: "v0.1.22" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
 hooks:
- - id: terraform-validate
+ - id: terraform-validate # It should be before tflint hook as it runs terraform init required by tflint
 - id: terraform-fmt
 - id: tflint
 args: