chore: add release please and checks (#31)

.github/dependabot.yml

@@ -1,13 +1,9 @@
 version: 2
 updates:
   - package-ecosystem: terraform
-    directory: "/"
-    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
-
-  - package-ecosystem: terraform
-    directory: "/examples"
+    directories:
+      - "/"
+      - "**/*"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10

.github/release-please.yml

@@ -0,0 +1,2 @@
+handleGHRelease: true
+manifest: true

.github/semantic.yml

@@ -0,0 +1,4 @@
+# Always validate the PR title AND all the commits
+titleAndCommits: true
+# Disallows use of Merge commits
+allowMergeCommits: false

.github/workflows/build.yml

@@ -2,6 +2,8 @@ name: Build
 
 on: [ push, workflow_dispatch ]
 
+permissions: read-all
+
 jobs:
   examples:
     runs-on: ubuntu-latest
@@ -12,7 +14,7 @@ jobs:
         tf-version: [ 1.1.9, 1.2.9, 1.3.2 ]
     steps:
       - name: Start LocalStack
-        uses: LocalStack/[email protected]
+        uses: LocalStack/setup-localstack@a9b3e54ee0052a2f40a4eb4ca8b39dfd3bc2bc65 #v0.2.3
         with:
           image-tag: 'latest'
 
@@ -23,7 +25,7 @@ jobs:
           sudo mv terraform /usr/local/bin
           rm *
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Validate examples terraform v${{ matrix.tf-version }}
         run: make examples
   build:

.github/workflows/commitlint.yaml

@@ -1,14 +1,19 @@
 name: Lint Commit Messages
 
-on: [pull_request]
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions: read-all
 
 jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
         with:
           configFile: "./.github/commitlint.config.mjs"

.github/workflows/pre-commit.yaml

@@ -0,0 +1,18 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/terrascan.yaml

@@ -1,16 +1,24 @@
-name: Terrascan
-on: [ pull_request ]
 # https://github.com/marketplace/actions/terrascan-iac-scanner
+name: Terrascan
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+
+permissions: read-all
+
 jobs:
   terrascan:
     runs-on: ubuntu-latest
     name: terrascan
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run Terrascan
         id: terrascan
-        uses: tenable/terrascan-action@main
+        uses: tenable/terrascan-action@a4b0f7ec5fb3c4c66b8e76d824d958002f6ce12c # main
         with:
           iac_type: 'terraform'
           iac_version: 'v14'
@@ -25,6 +33,6 @@ jobs:
           #webhook_url:
           #webhook_token:
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4
         with:
           sarif_file: terrascan.sarif

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args:
+          - --allow-multiple-documents
+      - id: check-added-large-files
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.11.0
+    hooks:
+      - id: commitlint
+        stages: [ commit-msg ]
+        additional_dependencies: [ '@commitlint/config-conventional' ]
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_tflint
+      - id: terraform_fmt
+      - id: terraform_checkov
+        language: docker_image
+        entry: --tty bridgecrew/checkov:3.2.354 --config-file checkov.yaml
+        pass_filenames: false

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.0.10"
+}

Makefile

@@ -12,4 +12,3 @@ example/%:
 	@terraform -chdir=$* init
 	@terraform -chdir=$* validate
 	@terraform -chdir=$* plan
-

checkov.yaml

@@ -0,0 +1,17 @@
+block-list-secret-scan: [ ]
+branch: master
+custom-tool-name: Checkov
+compact: true
+directory:
+  - .
+download-external-modules: true
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+  - - terraform,terraform_plan,yaml,json,github_configuration,github_actions
+hard-fail-on: MEDIUM
+mask: [ ]
+quiet: true
+secrets-history-timeout: 12h
+secrets-scan-file-type: [ ]
+summary-position: top

examples/basic/provider.tf

@@ -33,3 +33,13 @@ provider "aws" {
     sts            = "http://localhost:4566"
   }
 }
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  required_version = ">= 1.1.9"
+}

examples/override/provider.tf

@@ -33,3 +33,13 @@ provider "aws" {
     sts            = "http://localhost:4566"
   }
 }
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  required_version = ">= 1.1.9"
+}

examples/public/provider.tf

@@ -33,3 +33,13 @@ provider "aws" {
     sts            = "http://localhost:4566"
   }
 }
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+  required_version = ">= 1.1.9"
+}

providers.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    null = {
+      source  = "hashicorp/null"
+      version = "3.2.3"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.1"
+    }
+  }
+  required_version = ">= 1.1.9"
+}

release-please-config.json

@@ -0,0 +1,30 @@
+{
+  "packages": {
+    ".": {
+      "changelog-path": "CHANGELOG.md",
+      "release-type": "terraform-module",
+      "bump-minor-pre-major": false,
+      "bump-patch-for-minor-pre-major": false,
+      "draft": false,
+      "prerelease": false,
+      "changelog-sections": [
+        { "type": "feat", "section": "Features" },
+        { "type": "feature", "section": "Features" },
+        { "type": "fix", "section": "Bug Fixes" },
+        { "type": "perf", "section": "Performance Improvements" },
+        { "type": "revert", "section": "Reverts" },
+        { "type": "docs", "section": "Documentation" },
+        { "type": "style", "section": "Styles" },
+        { "type": "chore", "section": "Miscellaneous Chores" },
+        { "type": "refactor", "section": "Code Refactoring" },
+        { "type": "test", "section": "Tests" },
+        { "type": "build", "section": "Build System" },
+        { "type": "ci", "section": "Continuous Integration" }
+      ],
+      "extra-files": [
+          "locals.tf"
+      ]
+    }
+  },
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}