diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..b5f7b15
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,39 @@
+name: Lint
+
+on:
+ workflow_call:
+ secrets:
+ GITHUB_TOKEN:
+ required: true
+
+permissions: {}
+
+jobs:
+ lint:
+ name: lint
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # needed by trunk-action to read workflow run context
+ checks: write # needed by trunk-action to write check results
+ contents: read # needed by trunk-action to read repository contents
+ steps:
+ - name: Check out Git repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Trunk Check
+ uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
+ env:
+ # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ conventional-title:
+ name: conventional title
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read # needed by action-semantic-pull-request to inspect pull request context
+ steps:
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
new file mode 100644
index 0000000..936a2b7
--- /dev/null
+++ b/.github/workflows/release-please.yaml
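Review bot: The `env:` on the Trunk Check step hands `GITHUB_TOKEN`, carrying this job's `checks: write` and `actions: read`, to every linter and plugin download that trunk runs, not only the tflint plugin the NOTE names; the comment should say so, e.g. `# NOTE: step-wide env — every trunk-managed linter sees this token, not only tflint`. Separately, declaring `GITHUB_TOKEN` under `on.workflow_call.secrets` (here and again in test.yaml) looks redundant: as far as I recall, `secrets.GITHUB_TOKEN` is available to a called workflow implicitly and a caller cannot supply a value under that name, so this is worth checking against the workflow_call docs before callers are written to pass it.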
@@ -0,0 +1,36 @@
+name: Release Please
+
+on:
+ workflow_call:
+ inputs:
+ release-type:
+ type: string
+ required: true
+ secrets:
+ MP_BOT_APP_ID:
+ required: true
+ MP_BOT_APP_PRIVATE_KEY:
+ required: true
+
+permissions: {}
+
+jobs:
+ release-please:
+ name: release please
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed by release-please-action to write repository contents
+ pull-requests: write # needed by release-please-action to write pull requests
+ issues: write # needed by release-please-action to write issues
+ steps:
+ - name: Create Token for MasterpointBot App
+ uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+ id: generate-token
+ with:
+ app-id: ${{ secrets.MP_BOT_APP_ID }}
+ private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
+ - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+ release-type: ${{ inputs.release-type }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..317e44b
--- /dev/null
+++ b/.github/workflows/test.yaml
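Review bot: The job-level `permissions:` (`contents: write`, `pull-requests: write`, `issues: write`) scope only `GITHUB_TOKEN`, yet release-please-action is given the app token from `steps.generate-token.outputs.token`, so those grants widen a token this job does not appear to use while the app token is minted with whatever the installation allows. Narrow the app token at the create-github-app-token step (its `permission-*` inputs exist from v2 onward, if I recall correctly) with `permission-contents: write`, `permission-pull-requests: write`, `permission-issues: write`, and either drop the GITHUB_TOKEN grants or document why they stay. The version comments `#v3.1.1` and `#v4.1.3` lack the space used in the other workflows (`# v6.0.2`); pinning and update tools commonly key on that comment format.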
@@ -0,0 +1,43 @@
+name: TF Test
+
+on:
+ workflow_call:
+ inputs:
+ aws_role_arn:
+ type: string
+ required: true
+ secrets:
+ SPACELIFT_API_KEY_ENDPOINT:
+ required: true
+ SPACELIFT_API_KEY_ID:
+ required: true
+ SPACELIFT_API_KEY_SECRET:
+ required: true
+ GITHUB_TOKEN:
+ required: true
+
+permissions: {}
+
+jobs:
+ tf-test:
+ name: 🧪 ${{ matrix.tf }} test
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # needed by github-action-tf-test to read workflow run context
+ checks: write # needed by github-action-tf-test to write check results
+ contents: read # needed by github-action-tf-test to read repository contents
+ id-token: write # needed by github-action-tf-test to write id token
+ pull-requests: read # needed by github-action-tf-test to read pull request context
+ env:
+ SPACELIFT_API_KEY_ENDPOINT: ${{ secrets.SPACELIFT_API_KEY_ENDPOINT }}
+ SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
+ SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
+ strategy:
+ matrix:
+ tf: [tofu, terraform]
+ steps:
+ - uses: masterpointio/github-action-tf-test@c1e41998f67925ac3f34e0bbcfcaa4a44d1f0cd9 # v1.0.1
+ with:
+ tf_type: ${{ matrix.tf }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
new file mode 100644
index 0000000..e8f1856
--- /dev/null
+++ b/.github/workflows/trunk-upgrade.yaml
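Review bot: The three Spacelift credentials are set in job-level `env:`, which exposes them to every step of `tf-test` rather than to the one action that needs them; with a single step today this is equivalent, but moving them to that step's `env:` (or to `with:`, if github-action-tf-test accepts them as inputs) keeps the exposure from growing silently as steps are added. The `id-token: write` comment `# needed by github-action-tf-test to write id token` undersells the grant: it lets the job request an OIDC token, presumably to assume `inputs.aws_role_arn`, so write that down, e.g. `# needed to request an OIDC token for assuming aws_role_arn`.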
@@ -0,0 +1,34 @@
+name: Trunk Upgrade
+
+on:
+ workflow_call:
+ secrets:
+ MP_BOT_APP_ID:
+ required: true
+ MP_BOT_APP_PRIVATE_KEY:
+ required: true
+ MASTERPOINT_TEAM_PAT:
+ required: true
+
+permissions: {}
+
+jobs:
+ trunk-upgrade:
+ name: trunk upgrade
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed by github-action-trunk-upgrade to write repository contents
+ pull-requests: write # needed by github-action-trunk-upgrade to write pull requests
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run Trunk Upgrade
+ uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
+ with:
+ app-id: ${{ secrets.MP_BOT_APP_ID }}
+ app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+ github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+ reviewers: "@masterpointio/masterpoint-open-source"
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..35199ab
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,25 @@
+name: Zizmor
+
+on:
+ workflow_call: {}
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: zizmor
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ # Set to false, so zizmor will not upload results to Github Advanced Security
+ # and will instead print them to the Action's run log.
+ advanced-security: false
+ # Set to pedantic so that zizmor will run it's stale-action-refs audit rule
+ persona: pedantic
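Review bot: The trunk-upgrade job mixes three credentials without saying which does what: `GITHUB_TOKEN` is granted `contents: write` and `pull-requests: write`, the action also receives the MasterpointBot app credentials, and `github-token` is set to `MASTERPOINT_TEAM_PAT`, a long-lived user token. If the app token is what opens the upgrade PR, the job-level write grants may be unnecessary and should be trimmed or justified in their comments. The PAT, being the broadest credential in the job, deserves a comment on the `github-token:` line such as `# PAT rather than app token: <reason>; scopes: <scopes>` (placeholders to fill in), including whether it exists only so the opened PR triggers downstream workflows.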
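Review bot: The zizmor job inherits the workflow-level `permissions: {}` and adds no job-level block, so `GITHUB_TOKEN` has no scopes at all; `actions/checkout` succeeds that way on a public repository, but a private caller of this reusable workflow would fail at checkout, which needs `contents: read`. If private callers are expected, add on the job `permissions:` with `contents: read # needed by actions/checkout`. The persona comment should read `its stale-action-refs audit rule` rather than `it's`, and since `advanced-security: false` leaves findings only in the run log, that comment should also state whether the step is expected to fail the job on findings or is informational only.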