Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Update workflows and pre-commit hooks #2

Merged
merged 6 commits into from
Oct 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
version: 2
updates:

# GitHub actions
- package-ecosystem: "github-actions"
directory: "/" # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
schedule:
interval: "weekly"
commit-message:
prefix: "chore: "
labels:
- "release/patch"

# Terraform
- package-ecosystem: "terraform"
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: "chore: "
labels:
- "release/patch"

- package-ecosystem: "terraform"
directory: "/examples/complete/"
schedule:
interval: "weekly"
commit-message:
prefix: "chore: "
labels:
- "release/patch"

- package-ecosystem: "terraform"
directory: "/examples/simple/"
schedule:
interval: "weekly"
commit-message:
prefix: "chore: "
labels:
- "release/patch"
17 changes: 0 additions & 17 deletions .github/workflows/documentation.yml

This file was deleted.

46 changes: 6 additions & 40 deletions .github/workflows/pr-title.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,8 @@
name: 'Validate PR title'
name: Validate PR title

permissions:
pull-requests: read
statuses: write

on:
pull_request_target:
Expand All @@ -9,42 +13,4 @@ on:

jobs:
main:
name: Validate PR title
runs-on: ubuntu-latest
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@v4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
# Configure which types are allowed.
# Default: https://github.com/commitizen/conventional-commit-types
types: |
feat
fix
improvement
docs
refactor
test
ci
chore
# Configure that a scope must always be provided.
requireScope: false
# Configure additional validation for the subject based on a regex.
# This example ensures the subject starts with an uppercase character.
subjectPattern: ^[A-Z].+$
# If `subjectPattern` is configured, you can use this property to override
# the default error message that is shown when the pattern doesn't match.
# The variables `subject` and `title` can be used within the message.
subjectPatternError: |
The subject "{subject}" found in the pull request title "{title}"
didn't match the configured pattern. Please ensure that the subject
starts with an uppercase character.
# For work-in-progress PRs you can typically use draft pull requests
# from Github. However, private repositories on the free plan don't have
# this option and therefore this action allows you to opt-in to using the
# special "[WIP]" prefix to indicate this state. This will avoid the
# validation of the PR title and the pull request checks remain pending.
# Note that a second check will be reported if this is enabled.
wip: true
uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1
84 changes: 10 additions & 74 deletions .github/workflows/pre-commit.yml
Original file line number Diff line number Diff line change
@@ -1,82 +1,18 @@
name: Pre-Commit
name: TF Pre-Commit

permissions:
contents: read

on:
pull_request:
branches:
- main
- master

env:
TERRAFORM_DOCS_VERSION: v0.16.0

jobs:
collectInputs:
name: Collect workflow inputs
runs-on: ubuntu-latest
outputs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
- name: Checkout
uses: actions/checkout@v2

- name: Get root directories
id: dirs
uses: clowdhaus/terraform-composite-actions/[email protected]

preCommitMinVersions:
name: Min TF pre-commit
needs: collectInputs
runs-on: ubuntu-latest
strategy:
matrix:
directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
steps:
- name: Checkout
uses: actions/checkout@v2

- name: Terraform min/max versions
id: minMax
uses: clowdhaus/[email protected]
with:
directory: ${{ matrix.directory }}

- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory != '.' }}
uses: clowdhaus/terraform-composite-actions/[email protected]
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
args: "terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"

- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory == '.' }}
uses: clowdhaus/terraform-composite-actions/[email protected]
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
args: "terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)"

preCommitMaxVersion:
name: Max TF pre-commit
runs-on: ubuntu-latest
needs: collectInputs
steps:
- name: Checkout
uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{github.event.pull_request.head.repo.full_name}}

- name: Terraform min/max versions
id: minMax
uses: clowdhaus/[email protected]

# Step required as tflint pre-commit hook requires module to be initialised
- run: terraform init

- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
uses: clowdhaus/terraform-composite-actions/[email protected]
with:
terraform-version: ${{ steps.minMax.outputs.maxVersion }}
terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
# tflint-version: ${{ env.TFLINT_VERSION }} # use this version with "Invicton-Labs/deepmerge/null" module
main:
uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1
with:
# tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20
# See .pre-commit-config.yaml for more details.
tflint-version: v0.46.0
66 changes: 6 additions & 60 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,67 +1,13 @@
name: Create new release with changelog

permissions:
contents: write
pull-requests: write

on:
pull_request:
pull_request_target:
types: [closed]

jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 100

- name: Check release label
id: release-label
uses: actions-ecosystem/action-release-label@v1
if: ${{ github.event.pull_request.merged == true }}

- name: Get latest tag
id: get-latest-tag
uses: actions-ecosystem/action-get-latest-tag@v1
if: ${{ steps.release-label.outputs.level != null }}

- name: Bump semantic version
id: bump-semver
uses: actions-ecosystem/action-bump-semver@v1
if: ${{ steps.release-label.outputs.level != null }}
with:
current_version: ${{ steps.get-latest-tag.outputs.tag }}
level: ${{ steps.release-label.outputs.level }}

- name: Tag release
id: tag-relese
uses: actions-ecosystem/action-push-tag@v1
if: ${{ steps.release-label.outputs.level != null }}
with:
tag: ${{ steps.bump-semver.outputs.new_version }}
message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}"

- name: Generate new release with changelog
id: release-with-changelog
uses: fregante/release-with-changelog@v3
if: ${{ steps.bump-semver.outputs.new_version != null }}
with:
token: "${{ secrets.GITHUB_TOKEN }}"
exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+'
tag: "${{ steps.bump-semver.outputs.new_version }}"
title: "Version ${{ steps.bump-semver.outputs.new_version }}"
commit-template: "- {title} ← {hash}"
skip-on-empty: true
template: |
### Changelog

{commits}

{range}

- name: Comment PR
id: add-comment
uses: actions-ecosystem/action-create-comment@v1
if: ${{ steps.bump-semver.outputs.new_version != null }}
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
number: ${{ steps.get-merged-pull-request.outputs.number }}
body: |
The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada:
uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1
21 changes: 14 additions & 7 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -1,28 +1,35 @@
repos:
- repo: https://github.com/gruntwork-io/pre-commit
rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
# Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102
# When updating, also check if tflint version in pre-commit workflow can be updated.
rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
hooks:
- id: terraform-validate # It should be the first step as it runs terraform init required by tflint
- id: terraform-fmt
- id: tflint
args:
- --module
- --config=.tflint.hcl
- id: terraform-validate
- id: terraform-fmt

- repo: https://github.com/terraform-docs/terraform-docs
rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
hooks:
- id: terraform-docs-go
args: ["."]

- repo: https://github.com/bridgecrewio/checkov.git
rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
hooks:
- id: checkov
args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
hooks:
- id: check-merge-conflict
args: ["--assume-in-merge"]
- id: mixed-line-ending
args: ["--fix=no"]
- id: end-of-file-fixer
- id: check-case-conflict
- id: check-yaml
36 changes: 7 additions & 29 deletions .tflint.hcl
Original file line number Diff line number Diff line change
Expand Up @@ -4,35 +4,13 @@ config {
}
}

rule "terraform_deprecated_interpolation" {
enabled = true
plugin "terraform" {
enabled = true
version = "0.5.0"
source = "github.com/terraform-linters/tflint-ruleset-terraform"
preset = "all"
}

rule "terraform_documented_outputs" {
enabled = true
}

rule "terraform_documented_variables" {
enabled = true
}

rule "terraform_typed_variables" {
enabled = true
}

rule "terraform_required_version" {
enabled = true
}

rule "terraform_required_providers" {
enabled = true
}

rule "terraform_unused_required_providers" {
enabled = true
}

rule "terraform_naming_convention" {
enabled = true
format = "snake_case"
rule "terraform_standard_module_structure" {
enabled = false # Fails on context.tf
}
Loading