From 4808644e5064a29be83f9af7f2d9ec49f3d22a14 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 13:12:32 +0200 Subject: [PATCH 1/6] chore: Add Dependabot configuration file (github-actions and terraform) --- .github/dependabot.yml | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3ad7457 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,40 @@ +version: 2 +updates: + + # GitHub actions + - package-ecosystem: "github-actions" + directory: "/" # For GitHub Actions "/" must be used for workflow files in ".github/workflows" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + # Terraform + - package-ecosystem: "terraform" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + - package-ecosystem: "terraform" + directory: "/examples/complete/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" + + - package-ecosystem: "terraform" + directory: "/examples/simple/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore: " + labels: + - "release/patch" From f712534e68bae9b4aa8c9bf1e89c83373ee73c78 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 13:12:41 +0200 Subject: [PATCH 2/6] chore: Update pre-commit repos to the latest versions --- .pre-commit-config.yaml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 087cdd1..7e759f2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,28 +1,35 @@ repos: - repo: https://github.com/gruntwork-io/pre-commit - rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102 + # When updating, also check if tflint version in pre-commit workflow can be updated. + rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases hooks: + - id: terraform-validate # It should be the first step as it runs terraform init required by tflint + - id: terraform-fmt - id: tflint args: - --module - --config=.tflint.hcl - - id: terraform-validate - - id: terraform-fmt - repo: https://github.com/terraform-docs/terraform-docs - rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases + rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases hooks: - id: terraform-docs-go args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "2.5.9" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov - args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions + args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision - repo: https://github.com/pre-commit/pre-commit-hooks - rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - id: check-merge-conflict + args: ["--assume-in-merge"] + - id: mixed-line-ending + args: ["--fix=no"] - id: end-of-file-fixer + - id: check-case-conflict + - id: check-yaml From ace7a770d203fe720becb157e7321a717dc348bb Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 13:12:49 +0200 Subject: [PATCH 3/6] ci: Remove tf-docs workflow --- .github/workflows/documentation.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 .github/workflows/documentation.yml diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml deleted file mode 100644 index 7ec13ba..0000000 --- a/.github/workflows/documentation.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Generate terraform docs -on: - - pull_request -jobs: - docs: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - - - name: Render terraform docs inside the README.md and push changes back to PR branch - uses: terraform-docs/gh-actions@v1.0.0 - with: - working-dir: . - config-file: .terraform-docs.yml - git-push: "true" From 5ea96fba070e020d47641d48ff34ba775712ce25 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 13:13:08 +0200 Subject: [PATCH 4/6] ci: Change all workflows to call reusable workflows from getindata/github-workflows repository --- .github/workflows/pr-title.yml | 46 +++--------------- .github/workflows/pre-commit.yml | 83 ++++---------------------------- .github/workflows/release.yml | 66 +++---------------------- 3 files changed, 21 insertions(+), 174 deletions(-) diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 23b8c9d..9963b1f 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -1,4 +1,8 @@ -name: 'Validate PR title' +name: Validate PR title + +permissions: + pull-requests: read + statuses: write on: pull_request_target: @@ -9,42 +13,4 @@ on: jobs: main: - name: Validate PR title - runs-on: ubuntu-latest - steps: - # Please look up the latest version from - # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@v4 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - # Configure which types are allowed. - # Default: https://github.com/commitizen/conventional-commit-types - types: | - feat - fix - improvement - docs - refactor - test - ci - chore - # Configure that a scope must always be provided. - requireScope: false - # Configure additional validation for the subject based on a regex. - # This example ensures the subject starts with an uppercase character. - subjectPattern: ^[A-Z].+$ - # If `subjectPattern` is configured, you can use this property to override - # the default error message that is shown when the pattern doesn't match. - # The variables `subject` and `title` can be used within the message. - subjectPatternError: | - The subject "{subject}" found in the pull request title "{title}" - didn't match the configured pattern. Please ensure that the subject - starts with an uppercase character. - # For work-in-progress PRs you can typically use draft pull requests - # from Github. However, private repositories on the free plan don't have - # this option and therefore this action allows you to opt-in to using the - # special "[WIP]" prefix to indicate this state. This will avoid the - # validation of the PR title and the pull request checks remain pending. - # Note that a second check will be reported if this is enabled. - wip: true + uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 7db5a4a..831a570 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -1,4 +1,6 @@ -name: Pre-Commit +name: TF Pre-Commit + +permissions: {} on: pull_request: @@ -6,77 +8,10 @@ on: - main - master -env: - TERRAFORM_DOCS_VERSION: v0.16.0 - jobs: - collectInputs: - name: Collect workflow inputs - runs-on: ubuntu-latest - outputs: - directories: ${{ steps.dirs.outputs.directories }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Get root directories - id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.8.3 - - preCommitMinVersions: - name: Min TF pre-commit - needs: collectInputs - runs-on: ubuntu-latest - strategy: - matrix: - directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - with: - directory: ${{ matrix.directory }} - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: "terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*" - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - args: "terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)" - - preCommitMaxVersion: - name: Max TF pre-commit - runs-on: ubuntu-latest - needs: collectInputs - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - - # Step required as tflint pre-commit hook requires module to be initialised - - run: terraform init - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - with: - terraform-version: ${{ steps.minMax.outputs.maxVersion }} - terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} - # tflint-version: ${{ env.TFLINT_VERSION }} # use this version with "Invicton-Labs/deepmerge/null" module + main: + uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.1 + with: + # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 + # See .pre-commit-config.yaml for more details. + tflint-version: v0.46.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b533188..ae78a7f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,67 +1,13 @@ name: Create new release with changelog +permissions: + contents: write + pull-requests: write + on: - pull_request: + pull_request_target: types: [closed] jobs: release: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 100 - - - name: Check release label - id: release-label - uses: actions-ecosystem/action-release-label@v1 - if: ${{ github.event.pull_request.merged == true }} - - - name: Get latest tag - id: get-latest-tag - uses: actions-ecosystem/action-get-latest-tag@v1 - if: ${{ steps.release-label.outputs.level != null }} - - - name: Bump semantic version - id: bump-semver - uses: actions-ecosystem/action-bump-semver@v1 - if: ${{ steps.release-label.outputs.level != null }} - with: - current_version: ${{ steps.get-latest-tag.outputs.tag }} - level: ${{ steps.release-label.outputs.level }} - - - name: Tag release - id: tag-relese - uses: actions-ecosystem/action-push-tag@v1 - if: ${{ steps.release-label.outputs.level != null }} - with: - tag: ${{ steps.bump-semver.outputs.new_version }} - message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}" - - - name: Generate new release with changelog - id: release-with-changelog - uses: fregante/release-with-changelog@v3 - if: ${{ steps.bump-semver.outputs.new_version != null }} - with: - token: "${{ secrets.GITHUB_TOKEN }}" - exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+' - tag: "${{ steps.bump-semver.outputs.new_version }}" - title: "Version ${{ steps.bump-semver.outputs.new_version }}" - commit-template: "- {title} ← {hash}" - skip-on-empty: true - template: | - ### Changelog - - {commits} - - {range} - - - name: Comment PR - id: add-comment - uses: actions-ecosystem/action-create-comment@v1 - if: ${{ steps.bump-semver.outputs.new_version != null }} - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - number: ${{ steps.get-merged-pull-request.outputs.number }} - body: | - The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada: + uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v0.3.1 From e6fa1db514a098ccf8b3eafd75ac54966e9fbccd Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Mon, 16 Oct 2023 13:13:16 +0200 Subject: [PATCH 5/6] ci: Update tflint config file --- .tflint.hcl | 36 +++++++----------------------------- 1 file changed, 7 insertions(+), 29 deletions(-) diff --git a/.tflint.hcl b/.tflint.hcl index b3cc62f..6a33dcb 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -4,35 +4,13 @@ config { } } -rule "terraform_deprecated_interpolation" { - enabled = true +plugin "terraform" { + enabled = true + version = "0.5.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" + preset = "all" } -rule "terraform_documented_outputs" { - enabled = true -} - -rule "terraform_documented_variables" { - enabled = true -} - -rule "terraform_typed_variables" { - enabled = true -} - -rule "terraform_required_version" { - enabled = true -} - -rule "terraform_required_providers" { - enabled = true -} - -rule "terraform_unused_required_providers" { - enabled = true -} - -rule "terraform_naming_convention" { - enabled = true - format = "snake_case" +rule "terraform_standard_module_structure" { + enabled = false # Fails on context.tf } From ab6e3e6b51dc2d852a7e7472e2052744a0093074 Mon Sep 17 00:00:00 2001 From: Kacper Muda Date: Thu, 19 Oct 2023 11:48:20 +0200 Subject: [PATCH 6/6] chore: Update workflows and pre-commit version --- .github/workflows/pr-title.yml | 2 +- .github/workflows/pre-commit.yml | 5 +++-- .github/workflows/release.yml | 2 +- .pre-commit-config.yaml | 2 +- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 9963b1f..40f63a1 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -13,4 +13,4 @@ on: jobs: main: - uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 831a570..652dff0 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -1,6 +1,7 @@ name: TF Pre-Commit -permissions: {} +permissions: + contents: read on: pull_request: @@ -10,7 +11,7 @@ on: jobs: main: - uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1 with: # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 # See .pre-commit-config.yaml for more details. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae78a7f..fb52469 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,4 +10,4 @@ on: jobs: release: - uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v0.3.1 + uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7e759f2..2c59029 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -18,7 +18,7 @@ repos: args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.5.9" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision