chore: upstream merge template repository #5

Merged
merged 1 commit into from
Oct 21, 2023
10 changes: 7 additions & 3 deletions .github/labeler.yml
@@ -1,8 +1,12 @@
ci:
- .dependabot/*
- .github/workflows/*

documentation:
- docs/**/*
- .github/*
- ./*.md

ci:
- .dependabot/*
- .github/workflows/*
terraform:
- examples/**/*.tf
- ./*.tf
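Review bot: The `ci` glob `.dependabot/*` points at the legacy Dependabot v1 config directory; current Dependabot configuration lives at `.github/dependabot.yml`, which these patterns would instead label as `documentation` via the `.github/*` glob. If the repository has migrated, replace it with `- .github/dependabot.yml` under `ci` (and consider keeping `.github/*` out of `documentation`, since it also matches `labeler.yml`). This is inferred from the path patterns alone; confirm against the actual repository layout.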
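--- /dev/null
+++ b/.github/workflows/ok-to-test.yml
@@ -0,0 +1,35 @@
+# If someone with write access comments "/ok-to-test" on a pull request, emit a repository_dispatch event
+name: ok-to-test
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  pull-requests: write # For doing the emoji reaction on a PR comment
+  issues: write # For doing the emoji reaction on an issue comment
+  contents: write # For executing the repository_dispatch event
+
+jobs:
+  ok-to-test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    # Only run for PRs, not issue comments
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          reaction-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-type: pull-request
+          commands: ok-to-test
+          permission: write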
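Review bot: The workflow-level `permissions` block (`issues: write`, `contents: write`) is overridden by the job-level `permissions: pull-requests: write`, so the comment saying `contents: write` is "for executing the repository_dispatch event" is misleading — the dispatch is performed with the App installation token from `steps.app-token.outputs.token`, not with `GITHUB_TOKEN`. Keep a single accurate block (probably only the job-level one), and verify that reacting to an `issue_comment` with `reaction-token: ${{ secrets.GITHUB_TOKEN }}` works with `pull-requests: write` alone; it may need `issues: write`, which the job-level block drops. Because this job mints a token from `secrets.PRIVATE_KEY`, pin `actions/create-github-app-token` and `peter-evans/slash-command-dispatch` to full commit SHAs rather than mutable major tags, e.g. `uses: peter-evans/slash-command-dispatch@<sha> # v3`.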
4 changes: 2 additions & 2 deletions .github/workflows/pr-labeler.yml
Expand Up @@ -4,9 +4,9 @@ on:
pull_request:

jobs:
labeler:
pr-labeler:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v2
- uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
6 changes: 3 additions & 3 deletions .github/workflows/pr-secrets.yml
@@ -1,15 +1,15 @@
name: PR - TruffleHog Secrets
name: Secret scan

on:
pull_request:

jobs:
trufflehog:
name: Secrets
name: trufflehog
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: TruffleHog OSS
187 changes: 172 additions & 15 deletions .github/workflows/pr-terraform.yml
@@ -1,34 +1,36 @@
name: PR - Terraform
name: Terraform

on:
pull_request:
paths:
- 'examples/**'
- 'tests/**'
- '**.tf'

permissions:
id-token: write
pull-requests: write
repository_dispatch:
types: [ ok-to-test-command ]

jobs:
terraform:
name: Terraform
# Branch-based pull request
terraform-pr-branch:
name: terraform-pr-branch
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: write
timeout-minutes: 15
env:
AWS_DEFAULT_REGION: eu-central-1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TF_IN_AUTOMATION: true
TFDIR: examples
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Branch based PR checkout
uses: actions/checkout@v4

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
if: startsWith(github.repository, 'ventx/terraform-aws-')
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_DEFAULT_REGION }}
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.AWS_GH_OIDC }}

- name: Set Versions
Expand All @@ -37,7 +39,7 @@ jobs:
echo "TFVERSION=$TFVER" >> $GITHUB_ENV

- name: Setup Terraform
uses: hashicorp/setup-terraform@v1
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TFVERSION }}

Expand All @@ -46,7 +48,16 @@ jobs:
run: terraform fmt -check -recursive
continue-on-error: true

- name: Terraform Init
- name: Terraform Init (test)
id: init-test
run: terraform init

- name: Terraform Test
id: test
run: terraform test -verbose
continue-on-error: true

- name: Terraform Init (examples)
id: init
run: terraform -chdir=${{ env.TFDIR }} init

Expand Down Expand Up @@ -88,3 +99,149 @@ jobs:
repo: context.repo.repo,
body: output
})

# User with write access has commented /ok-to-test on a (fork-based) pull request
terraform-pr-fork:
name: terraform-pr-fork
runs-on: ubuntu-latest
permissions:
checks: write
id-token: write
pull-requests: write
timeout-minutes: 15
env:
TF_IN_AUTOMATION: true
TFDIR: examples
if: |
github.event_name == 'repository_dispatch' &&
github.event.client_payload.slash_command.args.named.sha != '' &&
contains(
github.event.client_payload.pull_request.head.sha,
github.event.client_payload.slash_command.args.named.sha
)
steps:
- name: Update skipped check run to in_progress
uses: actions/github-script@v6
env:
job: ${{ github.job }}
number: ${{ github.event.client_payload.pull_request.number }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const { data: pull } = await github.rest.pulls.get({
...context.repo,
pull_number: process.env.number
});
const ref = pull.head.sha;
const { data: checks } = await github.rest.checks.listForRef({
...context.repo,
ref
});

// Filter for the check run with a specific name and a 'skipped' conclusion
const check = checks.check_runs.filter(c => c.name === process.env.job && c.conclusion === "skipped");

if (check.length > 0) {
console.log(`Skipped check run found with name: ${check[0].name}`);

// Update the check run to 'in_progress'
const { data: result } = await github.rest.checks.update({
...context.repo,
check_run_id: check[0].id,
status: 'in_progress',
});

console.log(`Successfully updated check run to 'in_progress'. Name: ${result.name}`);
return result;
} else {
console.log('No skipped check runs found with the specified name.');
}

- name: Fork based /ok-to-test checkout
uses: actions/checkout@v4
with:
ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

- name: Configure AWS credentials
if: startsWith(github.repository, 'ventx/terraform-aws-')
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
role-to-assume: ${{ secrets.AWS_GH_OIDC }}

- name: Set Versions
run: |
TFVER=$(grep .tool-versions -e "terraform" | sed "s/terraform \(.*\)/\1/")
echo "TFVERSION=$TFVER" >> $GITHUB_ENV

- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TFVERSION }}

- name: Terraform Format
id: fmt
run: terraform fmt -check -recursive
continue-on-error: true

- name: Terraform Init (test)
id: init-test
run: terraform init

- name: Terraform Test
id: test
run: terraform test -verbose
continue-on-error: true

- name: Terraform Init (examples)
id: init
run: terraform -chdir=${{ env.TFDIR }} init

- name: Terraform Validate
id: validate
run: terraform -chdir=${{ env.TFDIR }} validate -no-color

- name: Terraform Plan
id: plan
run: terraform -chdir=${{ env.TFDIR }} plan -no-color -input=false
continue-on-error: true

- name: Update Pull Request
uses: actions/github-script@v6
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`

<details><summary>Show Plan</summary>

\`\`\`\n
${process.env.PLAN}
\`\`\`

</details>

*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})

- name: Update check run to completed
uses: LouisBrunner/[email protected]
id: update-check-run-completed
if: ${{ always() }}
with:
sha: ${{ github.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
name: ${{ github.job }}
status: completed
conclusion: ${{ job.status }}
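Review bot: In the `terraform-pr-fork` job, the `Fork based /ok-to-test checkout` step checks out `refs/pull/N/merge`, which resolves to whatever the PR head is at run time rather than the commit the maintainer approved with `/ok-to-test sha=…`; a fork author can push after the command and have unreviewed code run `terraform init`/`plan`/`test` with the AWS OIDC role (`id-token: write`) and a write-scoped `GITHUB_TOKEN`. Pin the checkout to the approved commit, `ref: ${{ github.event.client_payload.pull_request.head.sha }}`, and tighten the job `if:` from `contains(head.sha, args.named.sha)`, which is a substring match satisfied by any partial SHA, to an exact `==` against the full SHA. Two smaller problems in the same hunk: the final `LouisBrunner/checks-action` step passes `sha: ${{ github.sha }}`, which on a `repository_dispatch` event is the default-branch head rather than the PR commit, and the `Update Pull Request` step posts with `context.issue.number`, which does not appear to be populated for `repository_dispatch` payloads — use `${{ github.event.client_payload.pull_request.number }}` for both, as the `Update skipped check run` step already does. The earlier hunks of this file section are truncated by the page and were not reviewed.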
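--- /dev/null
+++ b/.github/workflows/pr-tflint.yml
@@ -0,0 +1,38 @@
+name: TFLint
+
+on:
+  pull_request:
+    paths:
+      - 'examples/**'
+      - 'tests/**'
+      - '**.tf'
+
+jobs:
+  tflint:
+    name: tflint
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TF_IN_AUTOMATION: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set Versions
+        run: |
+          TFLINTVER=$(grep .tool-versions -e "tflint" | sed "s/tflint \(.*\)/\1/")
+          echo "TFLINTVERSION=$TFLINTVER" >> $GITHUB_ENV
+
+      - uses: terraform-linters/setup-tflint@v4
+        id: tflintsetup
+        name: Setup TFLint
+        with:
+          tflint_version: v${{ env.TFLINTVERSION }}
+
+      - name: Init TFLint
+        id: tflintinit
+        run: tflint --init
+
+      - name: Run TFLint
+        id: tflint
+        run: tflint -f compact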
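Review bot: `tflint --init` fetches plugins from GitHub at run time, and the `Init TFLint` step has no `GITHUB_TOKEN` in its environment (the job only sets `TF_IN_AUTOMATION`), so unauthenticated API rate limits can make it flaky; add `env: GITHUB_TOKEN: ${{ github.token }}` to that step. Separately, `tflint_version: v${{ env.TFLINTVERSION }}` degrades to a bare `v` if the `grep` in `Set Versions` finds no `tflint` line in `.tool-versions`; add `test -n "$TFLINTVER"` after the grep so the failure is explicit at the source. Pinning `terraform-linters/setup-tflint` to a full commit SHA would match the supply-chain posture expected of a linting workflow that downloads executables.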
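--- /dev/null
+++ b/.github/workflows/pr-tfsec.yml
@@ -0,0 +1,25 @@
+name: tfsec
+
+on:
+  pull_request:
+    paths:
+      - 'examples/**'
+      - 'tests/**'
+      - '**.tf'
+
+jobs:
+  tfsec:
+    name: tfsec
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      TF_IN_AUTOMATION: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: tfsec
+        id: tfsec
+        uses: tfsec/tfsec-pr-commenter-action@main
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}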
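Review bot: `uses: tfsec/tfsec-pr-commenter-action@main` tracks a mutable branch, so every PR run executes whatever that branch currently contains, with `GITHUB_TOKEN` handed to it — a supply-chain exposure that a security-scanning job in particular should not accept; pin it to a release tag or, better, a full commit SHA, e.g. `uses: tfsec/tfsec-pr-commenter-action@<sha> # vX.Y.Z`. Note also that for `pull_request` runs from forks the `GITHUB_TOKEN` is read-only, so the commenter cannot post findings on those PRs; if fork PRs are in scope, route them through the same `/ok-to-test` dispatch the Terraform workflow uses rather than switching to `pull_request_target`. As far as I recall, tfsec has been folded into Trivy upstream, so confirm the action is still maintained before pinning a version.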