From bfc160e18169c419a172f3b35f352632a32f4c1f Mon Sep 17 00:00:00 2001 
From: Peter Svensson Date: Wed, 9 Apr 2025 12:44:33 +0200 Subject: [PATCH] chore: migrate CI workflows and configuration files Remove outdated GitHub Actions workflows for conventional release labels and Terrascan. Add new release-please configuration for automated version updates and changelog generation. Introduce Checkov configuration for infrastructure as code scanning. Update commitlint action version for improved functionality and stability. --- .github/dependabot.yml | 19 ---------- .github/release-please.yml | 2 ++ .github/semantic.yml | 4 +++ .github/workflows/commitlint.yaml | 5 +-- .github/workflows/enable_pr_automerge.yaml | 16 +++++++++ .github/workflows/pre-commit.yaml | 18 ++++++++++ .github/workflows/release-please.yml | 25 +++++++++++++ .github/workflows/terrascan.yaml | 30 ---------------- .pre-commit-config.yaml | 36 +++++++++++++++++++ checkov.yaml | 17 +++++++++ release-please-config.json | 30 ++++++++++++++++ template-repo/template/.github/dependabot.yml | 19 ---------- template-repo/template/.github/release.yml | 22 ------------ .../workflows/conventional-labels.yaml | 12 ------- .../template/.github/workflows/terrascan.yaml | 1 - 15 files changed, 151 insertions(+), 105 deletions(-) delete mode 100644 .github/dependabot.yml create mode 100644 .github/release-please.yml create mode 100644 .github/semantic.yml create mode 100644 .github/workflows/enable_pr_automerge.yaml create mode 100644 .github/workflows/pre-commit.yaml create mode 100644 .github/workflows/release-please.yml delete mode 100644 .github/workflows/terrascan.yaml create mode 100644 .pre-commit-config.yaml create mode 100644 checkov.yaml create mode 100644 release-please-config.json delete mode 100644 template-repo/template/.github/dependabot.yml delete mode 100644 template-repo/template/.github/release.yml delete mode 100644 template-repo/template/.github/workflows/conventional-labels.yaml delete mode 120000 template-repo/template/.github/workflows/terrascan.yaml 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index fea9ae8..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,19 +0,0 @@ -version: 2 -updates: - - package-ecosystem: terraform - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 - - - package-ecosystem: "github-actions" - directory: "/template-repo/template/.github/workflows" - schedule: - interval: "daily" - open-pull-requests-limit: 10 diff --git a/.github/release-please.yml b/.github/release-please.yml new file mode 100644 index 0000000..19c4910 --- /dev/null +++ b/.github/release-please.yml @@ -0,0 +1,2 @@ +handleGHRelease: true +manifest: true diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000..0eab896 --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,4 @@ +# Always validate the PR title AND all the commits +titleAndCommits: true +# Disallows use of Merge commits +allowMergeCommits: false diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index 447cd8f..51c8c47 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,4 +1,5 @@ name: Lint Commit Messages +permissions: read-all on: [pull_request] @@ -6,9 +7,9 @@ jobs: commitlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - - uses: wagoid/commitlint-github-action@v6 + - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6 with: configFile: "./.github/commitlint.config.mjs" diff --git a/.github/workflows/enable_pr_automerge.yaml b/.github/workflows/enable_pr_automerge.yaml new file mode 100644 index 0000000..bdbbd90 --- /dev/null +++ b/.github/workflows/enable_pr_automerge.yaml 
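Review bot: The two `uses:` lines in commitlint.yaml are now pinned to full commit SHAs, which is the right move, but this same commit deletes `.github/dependabot.yml`, whose `github-actions` entries were what would have kept those pins current, so unless another updater exists outside this diff the SHAs will age silently. The version comment on the checkout pin is `# v4` here while pre-commit.yaml in this commit annotates the identical SHA as `# v4.2.2`; the exact tag lets a reader verify the pin, so I would write `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` and give the commitlint pin its exact tag as well. Keeping a Dependabot `github-actions` ecosystem entry (or an equivalent updater) is the usual way to make SHA pinning sustainable.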
@@ -0,0 +1,16 @@
+name: Enable Auto merge PR
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ enable_automerge:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Enable auto-merge for PRs
+ run: gh pr merge --auto --squash --delete-branch "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.PR_GITHUB_TOKEN}}
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..f8364ad
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,18 @@
+name: pre-commit
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+permissions: read-all
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+ - uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
+ - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..42f76b8
--- /dev/null
+++ b/.github/workflows/release-please.yml
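Review bot: The `gh pr merge --auto` step in enable_pr_automerge.yaml runs for every `pull_request` event with no `if:` condition, so any PR opened by any collaborator gets auto-merge enabled with the `PR_GITHUB_TOKEN` PAT, and whatever protection the base branch has (not visible in this diff) becomes the only gate before it lands. If the intent is to auto-merge bot PRs only, gate the job on the author and on same-repo heads, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.user.login == 'dependabot[bot]'`, and narrow the trigger to `types: [opened, reopened]` so every synchronize push does not re-run it. The `permissions:` block grants `contents: write` and `pull-requests: write` to `GITHUB_TOKEN`, but the step only uses the PAT, so those grants appear unused and can be reduced to `contents: read`. For PRs from forks the secret is not exposed, so the step fails rather than merges, which is the safe direction but will surface as a red check.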
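Review bot: The `push: branches: [main]` trigger in pre-commit.yaml, combined with the `no-commit-to-branch` hook this commit adds to `.pre-commit-config.yaml`, will most likely fail the job on every push to `main`, because actions/checkout leaves HEAD on the `main` branch and that hook refuses `main`/`master` by default; set `SKIP: no-commit-to-branch` in an `env:` on the `pre-commit/action` step (or drop the push trigger) if that is not intended. All five actions are pinned to full SHAs with version comments and the workflow runs with `permissions: read-all`, which is the right baseline. The `terraform_checkov` hook runs as a `docker_image`, so this job implicitly depends on Docker on the runner; a comment on the pre-commit step, `# terraform_checkov hook needs Docker on the runner`, would make that dependency explicit.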
@@ -0,0 +1,25 @@ +on: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + +name: release-please + +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - uses: googleapis/release-please-action@v4 + with: + # this assumes that you have created a personal access token + # (PAT) and configured it as a GitHub action secret named + # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important). + token: ${{ secrets.RELEASE_PLEASE_TOKEN }} + # optional. customize path to release-please-config.json + config-file: release-please-config.json + # optional. customize path to .release-please-manifest.json + manifest-file: .release-please-manifest.json diff --git a/.github/workflows/terrascan.yaml b/.github/workflows/terrascan.yaml deleted file mode 100644 index 7e06695..0000000 --- a/.github/workflows/terrascan.yaml +++ /dev/null @@ -1,30 +0,0 @@ -name: Terrascan -on: [ pull_request ] -# https://github.com/marketplace/actions/terrascan-iac-scanner -jobs: - terrascan: - runs-on: ubuntu-latest - name: terrascan - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Run Terrascan - id: terrascan - uses: tenable/terrascan-action@main - with: - iac_type: 'terraform' - iac_version: 'v14' - policy_type: 'aws' - only_warn: true - sarif_upload: true - non_recursive: true - #iac_dir: - #policy_path: - #skip_rules: - #config_path: - #webhook_url: - #webhook_token: - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: terrascan.sarif diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..34ed172 --- /dev/null +++ b/.pre-commit-config.yaml 
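Review bot: `googleapis/release-please-action@v4` in release-please.yml is the one action in this commit still referenced by a floating tag while every other workflow here is pinned to a full SHA; pin it the same way, `- uses: googleapis/release-please-action@<commit SHA of the chosen v4 release> # v4.x.y`. The inline comment names the secret `MY_RELEASE_PLEASE_TOKEN` but the `token:` line reads `secrets.RELEASE_PLEASE_TOKEN`, so the copied comment should be corrected; and since that PAT is what the action uses, the `contents: write` / `pull-requests: write` grants to `GITHUB_TOKEN` above appear unused and can be reduced to `contents: read`. The `manifest-file: .release-please-manifest.json` it references is not created by this diff (the diffstat lists only `release-please-config.json`), so if the manifest does not already exist in the repository the first run will likely fail until it is bootstrapped. Note also that `.github/release-please.yml` with `handleGHRelease`/`manifest` is the configuration format of the Release Please GitHub App; if that App is installed as well, it and this workflow will both try to manage release PRs.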
@@ -0,0 +1,36 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: check-executables-have-shebangs
+ - id: check-shebang-scripts-are-executable
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ args:
+ - --allow-multiple-documents
+ - id: check-json
+ - id: check-merge-conflict
+ - id: check-toml
+ args:
+ - --allow-multiple-documents
+ - id: no-commit-to-branch
+ - id:
+ check-added-large-files
+ - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+ rev: v9.22.0
+ hooks:
+ - id: commitlint
+ stages: [ commit-msg ]
+ additional_dependencies: [ '@commitlint/config-conventional' ]
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.98.1
+ hooks:
+ - id: terraform_tflint
+ - id: terraform_fmt
+ - id: terraform_checkov
+ language: docker_image
+ entry: --tty bridgecrew/checkov:3.2.354 --config-file checkov.yaml
+ pass_filenames: false
diff --git a/checkov.yaml b/checkov.yaml
new file mode 100644
index 0000000..f6052a9
--- /dev/null
+++ b/checkov.yaml
@@ -0,0 +1,17 @@
+block-list-secret-scan: [ ]
+branch: master
+custom-tool-name: Checkov
+compact: true
+directory:
+ - .
+download-external-modules: true
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+ - - terraform,terraform_plan,yaml,json,github_configuration,github_actions
+hard-fail-on: MEDIUM
+mask: [ ]
+quiet: true
+secrets-history-timeout: 12h
+secrets-scan-file-type: [ ]
+summary-position: top
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..9f0ec9d
--- /dev/null
+++ b/release-please-config.json
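Review bot: The `check-toml` hook in `.pre-commit-config.yaml` is given `args: - --allow-multiple-documents`, which is a `check-yaml` option; `check-toml` does not accept it and will most likely abort with an unrecognized-argument error, so drop the `args:` from that hook. The `check-added-large-files` id is split across two lines (`- id:` followed by the name on the next line); YAML should still parse the indented continuation as the value, but it reads as a typo, so write `- id: check-added-large-files`. The `terraform_checkov` hook overrides the upstream hook's `language`/`entry` to run `bridgecrew/checkov:3.2.354` as a Docker image, which is good for reproducibility; pinning the image by digest as well (`bridgecrew/checkov:3.2.354@sha256:<image digest>`) would match the SHA pinning applied to the actions in this commit.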
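Review bot: `framework:` in checkov.yaml is written as a nested sequence holding one comma-joined string (`- - terraform,terraform_plan,...`), whereas Checkov's config file expects a plain list of framework names, one per entry; as written it will most likely be rejected or treated as a single unknown framework, so use `framework:` followed by `  - terraform`, `  - terraform_plan` and so on, one per line. `hard-fail-on: MEDIUM` gates on severities, which Checkov as far as I know only assigns when a platform API key is supplied; without one, no finding carries a severity and the gate likely never fires, which is weaker than the default of failing on any failed check, so either supply the key or remove this setting and gate on check IDs instead. `branch: master` disagrees with the `main` branch used by the workflows in this commit; it should match even if it is only consulted when an API key is configured.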
@@ -0,0 +1,30 @@ +{ + "packages": { + ".": { + "changelog-path": "CHANGELOG.md", + "release-type": "terraform-module", + "bump-minor-pre-major": false, + "bump-patch-for-minor-pre-major": false, + "draft": false, + "prerelease": false, + "changelog-sections": [ + { "type": "feat", "section": "Features" }, + { "type": "feature", "section": "Features" }, + { "type": "fix", "section": "Bug Fixes" }, + { "type": "perf", "section": "Performance Improvements" }, + { "type": "revert", "section": "Reverts" }, + { "type": "docs", "section": "Documentation" }, + { "type": "style", "section": "Styles" }, + { "type": "chore", "section": "Miscellaneous Chores" }, + { "type": "refactor", "section": "Code Refactoring" }, + { "type": "test", "section": "Tests" }, + { "type": "build", "section": "Build System" }, + { "type": "ci", "section": "Continuous Integration" } + ], + "extra-files": [ + "locals.tf" + ] + } + }, + "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json" +} diff --git a/template-repo/template/.github/dependabot.yml b/template-repo/template/.github/dependabot.yml deleted file mode 100644 index d1f94de..0000000 --- a/template-repo/template/.github/dependabot.yml +++ /dev/null @@ -1,19 +0,0 @@ -version: 2 -updates: - - package-ecosystem: terraform - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 - - - package-ecosystem: terraform - directory: "/examples" - schedule: - interval: "daily" - open-pull-requests-limit: 10 - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 diff --git a/template-repo/template/.github/release.yml b/template-repo/template/.github/release.yml deleted file mode 100644 index 577c25d..0000000 --- a/template-repo/template/.github/release.yml +++ /dev/null 
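Review bot: `extra-files` in release-please-config.json lists `locals.tf`, but release-please's generic updater only rewrites lines carrying an `x-release-please-version` marker comment, and nothing in this diff adds that marker; confirm `locals.tf` already contains it, otherwise the version there will not be bumped. The `changelog-sections` list surfaces `chore`, `style`, `refactor`, `test`, `build` and `ci` types, which release-please hides by default, so every housekeeping commit will appear in `CHANGELOG.md`; if that is intended it is worth a sentence in the commit message, since JSON gives no place for a comment.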
@@ -1,22 +0,0 @@ -changelog: - exclude: - labels: - - ignore-for-release - categories: - - title: Breaking Changes - labels: - - breaking - - title: Enhancements - - enhancement - - title: Bugfixes - labels: - - bug - - title: Other Changes - exclude: - author: - - dependabot - labels: - - "*" - - title: Dependency changes - labels: - - dependencies diff --git a/template-repo/template/.github/workflows/conventional-labels.yaml b/template-repo/template/.github/workflows/conventional-labels.yaml deleted file mode 100644 index a8cd9ae..0000000 --- a/template-repo/template/.github/workflows/conventional-labels.yaml +++ /dev/null @@ -1,12 +0,0 @@ -on: - pull_request_target: - types: [ opened, edited ] -name: conventional-release-labels -jobs: - label: - runs-on: ubuntu-latest - steps: - - uses: bcoe/conventional-release-labels@v1 - with: - type_labels: '{"feat": "feature", "fix": "bug", "breaking": "breaking"}' - ignored_types: '[]' diff --git a/template-repo/template/.github/workflows/terrascan.yaml b/template-repo/template/.github/workflows/terrascan.yaml deleted file mode 120000 index f1bccb7..0000000 --- a/template-repo/template/.github/workflows/terrascan.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../../.github/workflows/terrascan.yaml \ No newline at end of file