From d84ba29440032b63ffd45bbede6eacdcdd8190ee Mon Sep 17 00:00:00 2001
From: Zack A <24322023+zack-is-cool@users.noreply.github.com>
Date: Fri, 17 Nov 2023 12:08:48 -0800
Subject: [PATCH] chore: update template files and scripts (#7)
---
 .../pull-request-opened-by-renovate.yml | 36 ++++++++++
 .pre-commit-config.yaml | 6 +-
 Makefile | 21 ++++++
 release-please-config.json | 36 ----------
 renovate.json5 | 65 +++++++------------
 .../common/repo_files/renovate.json5 | 57 ++++++----------
 repo_templates/common/repos.txt | 6 +-
 .../alt_repotxts/not_tested_repos.txt | 4 ++
 .../terraform/alt_repotxts/repos copy 2.txt | 18 +++++
 .../pull-request-opened-by-renovate.yml | 10 ++-
 .../terraform/repo_files/.golangci.yml | 15 +++++
 .../repo_files/.pre-commit-config.yaml | 9 +--
 .../terraform/repo_files/renovate.json5 | 57 ++++++----------
 repo_templates/terraform/repos.txt | 7 +-
 .../scripts/remove-uds-references.sh | 36 ++++++++++
 repo_templates/terraform/scripts/run.sh | 22 +++----
 scripts/entrypoint.sh | 16 ++---
 scripts/log.sh | 2 -
 18 files changed, 237 insertions(+), 186 deletions(-)
 create mode 100644 .github/workflows/pull-request-opened-by-renovate.yml
 delete mode 100644 release-please-config.json
 create mode 100644 repo_templates/terraform/alt_repotxts/not_tested_repos.txt
 create mode 100644 repo_templates/terraform/alt_repotxts/repos copy 2.txt
 create mode 100755 repo_templates/terraform/scripts/remove-uds-references.sh
diff --git a/.github/workflows/pull-request-opened-by-renovate.yml b/.github/workflows/pull-request-opened-by-renovate.yml
new file mode 100644
index 00000000..70452602
--- /dev/null
+++ b/.github/workflows/pull-request-opened-by-renovate.yml
@@ -0,0 +1,36 @@ +# If Renovate is not the author of the PR that triggers this workflow, it will do nothing. +# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing. +# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will: +# 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes. +# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically. +# +# See ADR #0008. +name: auto-test +on: + pull_request: + # WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop. + types: + - opened + +permissions: + id-token: write + contents: write + +defaults: + run: + # We need -e -o pipefail for consistency with GitHub Actions' default behavior + shell: bash -e -o pipefail {0} + +jobs: + renovate-test: + if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]' + uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main + secrets: + APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} + APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} + AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }} + AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }} + with: + # we don't want checks here + checks: |- + checks: [] diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 66a1cb44..21f8db62 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
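Review bot: The reusable workflow is called as `uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main`, a mutable branch ref, while this job grants it `contents: write`, `id-token: write` and hands over the NARWHAL_BOT app id and private key plus two AWS role ARNs; any commit landing on that repository's main branch runs here with those credentials. Pin the call to a full commit SHA (or at least a release tag), e.g. `uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@<commit-sha>`, and let Renovate bump it like the other dependencies. The `github.event.client_payload.github.actor == 'renovate[bot]'` half of the `if:` reads a `repository_dispatch` payload field that is not populated by a `pull_request` event, so only `github.actor == 'renovate[bot]'` is doing work and the dead half can be dropped. A one-line comment above `permissions:` stating why `id-token: write` is needed (presumably OIDC role assumption in the called workflow) would help the next reader.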
@@ -16,11 +16,11 @@ repos: - id: check-yaml args: - "--allow-multiple-documents" - - repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 + - repo: https://github.com/sirosen/texthooks + rev: 0.6.2 hooks: - id: fix-smartquotes - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 37.22.0 + rev: 37.59.7 hooks: - id: renovate-config-validator diff --git a/Makefile b/Makefile index a611eee2..431f4f9d 100644 --- a/Makefile +++ b/Makefile @@ -77,3 +77,24 @@ push-terraform: ## push changes to terraform repos .PHONY: debug-terraform debug-terraform: ## push changes to terraform repos ./scripts/entrypoint.sh -t terraform -b $(BRANCH_NAME) --no-skip-ci --loglevel debug --dry-run + +.PHONY: renovate-local-debug +renovate-local: ## run renovate locally to debug + @TOKEN=$$(gh auth token); \ + if [ -z "$$TOKEN" ]; then \ + echo "GitHub token not found"; \ + exit 1; \ + fi; \ + export RENOVATE_TOKEN=$$TOKEN; \ + export GITHUB_COM_TOKEN=$$TOKEN; \ + RENOVATE_CONFIG_FILE=./renovate.json5 \ + RENOVATE_DRY_RUN="" \ + npx renovate \ + --schedule="" \ + --require-config=ignored \ + --log-file=/tmp/renovate/log.json \ + --log-file-level=debug \ + --print-config=true \ + --platform=local \ + --github-token-warn; \ + code-insiders -r /tmp/renovate/log.json diff --git a/release-please-config.json b/release-please-config.json deleted file mode 100644 index c8e0d133..00000000 --- a/release-please-config.json +++ /dev/null 
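Review bot: In the Makefile hunk the phony declaration names `renovate-local-debug` but the target defined below it is `renovate-local`, so the target is not marked phony and `make renovate-local` will be skipped if a file of that name ever appears; change the line to `.PHONY: renovate-local`. `RENOVATE_DRY_RUN=""` assigns an empty string, which is not one of Renovate's documented `dryRun` values (`extract`, `lookup`, `full`); if a full dry run is intended, spell it out, and if it is a no-op because `--platform=local` already forces dry-run mode, say so in a comment. The recipe writes a debug-level log to the predictable shared path `/tmp/renovate/log.json` while the GitHub token is in the environment; a comment reminding the user to delete that file after debugging is cheap. `code-insiders -r` hardcodes one editor; `${EDITOR:-code-insiders} -r` keeps the same default without tying the target to it.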
@@ -1,36 +0,0 @@ -{ - "packages": { - ".": { - "bump-minor-pre-major": true, - "bump-patch-for-minor-pre-major": true, - "changelog-host": "https://github.com", - "changelog-path": "CHANGELOG.md", - "changelog-sections": [ - { "type": "feat", "section": "Features" }, - { "type": "feature", "section": "Features" }, - { "type": "fix", "section": "Bug Fixes" }, - { "type": "perf", "section": "Performance Improvements" }, - { "type": "revert", "section": "Reverts" }, - { "type": "docs", "section": "Documentation" }, - { "type": "style", "section": "Styles" }, - { "type": "chore", "section": "Miscellaneous Chores" }, - { "type": "refactor", "section": "Code Refactoring" }, - { "type": "test", "section": "Tests" }, - { "type": "build", "section": "Build System" }, - { "type": "ci", "section": "Continuous Integration" } - ], - "changelog-type": "default", - "draft": false, - "draft-pull-request": false, - "include-component-in-tag": false, - "include-v-in-tag": true, - "prerelease": false, - "pull-request-header": ":robot: I have created a release *beep* *boop*", - "pull-request-title-pattern": "chore${scope}: release${component} ${version}", - "release-type": "simple", - "separate-pull-requests": false, - "skip-github-release": false, - "versioning": "default" - } - } -} diff --git a/renovate.json5 b/renovate.json5 index fffb02c8..0284fcba 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -1,7 +1,6 @@ { - $schema: "https://docs.renovatebot.com/renovate-schema.json", - extends: [ - // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ ":dependencyDashboard", // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers ":semanticPrefixFixDepsChoreOthers", 
@@ -14,34 +13,31 @@ "workarounds:all" ], // If we don't specify a timezone then Renovate will use UTC - timezone: "America/New_York", - // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to. - // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with. - schedule: [ - "after 7am and before 9am every weekday" + "timezone": "America/New_York", + "schedule": [ + "after 7am and before 8am every weekday", + "after 7pm and before 8pm every weekday" ], - // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off. + // This will prevent Renovate from automatically rebasing PRs. + // Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off. // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen - rebaseWhen: "never", + "rebaseWhen": "never", // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels - labels: [ + "labels": [ "renovate" ], // Rate limit PRs to maximum x created per hour. 0 means no limit. 
See https://docs.renovatebot.com/configuration-options/#prhourlylimit - prHourlyLimit: 0, + "prHourlyLimit": 1, // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit - prConcurrentLimit: 0, - // List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes - prBodyNotes: [ - "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`" - ], + "prConcurrentLimit": 0, // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/ "pre-commit": { - enabled: true + "enabled": true }, - "regexManagers": [ + "customManagers": [ // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture { + "customType": "regex", "fileMatch": ["^.env"], "matchStrings": [ "datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s.*?_VERSION=(?.*)\\s" @@ -51,6 +47,7 @@ }, // Custom regex manager for the .tool-versions file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture { + "customType": "regex", "fileMatch": ["^.tool-versions$"], "matchStrings": [ "datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s.*? (?.*)\\s" 
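Review bot: The hunk keeps the sentence `// Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state.` directly above `"rebaseWhen": "never"`, so the comment documents a value the file does not use; replace it with `// Using "never" means Renovate will not rebase a PR even when it conflicts; rebase it manually or via the dependency dashboard checkbox.` The two explanatory comments about the schedule window were deleted and the replacement schedule has two one-hour windows (7-8am and 7-8pm) with no comment saying why those two, or why `prHourlyLimit` drops from 0 to 1 — one line above `"schedule"` stating the reason for each window would keep the next editor from widening them. The same stale `"conflicted"` sentence sits above `"rebaseWhen": "never"` in the template copies at `repo_templates/common/repo_files/renovate.json5` (where the value changes from `"conflicted"` in this commit) and `repo_templates/terraform/repo_files/renovate.json5`.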
@@ -59,30 +56,16 @@ "extractVersionTemplate": "^v?(?.*)$" } ], - packageRules: [ + "packageRules": [ { - matchPackageNames: ["k8s.io/client-go"], - allowedVersions: "<1.0.0" + "matchPackageNames": ["k8s.io/client-go"], + "allowedVersions": "<1.0.0" }, { - matchManagers: ["terraform"], - matchDepTypes: ["module"], - matchDatasources: ["github-tags", "git-tags"], - versioning: "loose" + "matchManagers": ["terraform"], + "matchDepTypes": ["module"], + "matchDatasources": ["github-tags", "git-tags"], + "versioning": "loose" } - ], - "vulnerabilityAlerts": { - "enabled": true, - "groupName": null, - "schedule": [], - "dependencyDashboardApproval": false, - "minimumReleaseAge": null, - "rangeStrategy": "update-lockfile", - "commitMessageSuffix": "[SECURITY]", - "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability", - "prCreation": "immediate", - "labels": ["security"], - "automerge": true, - "assignees": ["@defenseunicorns/delivery-aws-iac"] - } + ] } diff --git a/repo_templates/common/repo_files/renovate.json5 b/repo_templates/common/repo_files/renovate.json5 index 6b526c42..7f1649c3 100644 --- a/repo_templates/common/repo_files/renovate.json5 +++ b/repo_templates/common/repo_files/renovate.json5 @@ -1,6 +1,6 @@ { - $schema: "https://docs.renovatebot.com/renovate-schema.json", - extends: [ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard ":dependencyDashboard", // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers 
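Review bot: Removing the whole `vulnerabilityAlerts` block drops `"labels": ["security"]`, `"automerge": true` and the `assignees` entry for vulnerability-driven PRs, so security fixes will no longer be labelled, auto-merged or routed to the team, and they now fall under the tightened `prHourlyLimit` and `schedule` from the previous hunk unless Renovate's built-in vulnerability-alert defaults exempt them (which this file no longer spells out). If the goal was only to stop restating Renovate defaults, keep the non-default part, e.g. `"vulnerabilityAlerts": { "labels": ["security"], "automerge": true }`, with a comment naming the defaults being relied on; if the goal was to stop auto-merging security PRs, the commit message should say so. The same block is removed from `repo_templates/common/repo_files/renovate.json5` and `repo_templates/terraform/repo_files/renovate.json5` later in this patch.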
@@ -14,30 +14,25 @@ "workarounds:all" ], // If we don't specify a timezone then Renovate will use UTC - timezone: "America/New_York", - // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to. - // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with. - schedule: [ - "after 7am and before 9am every weekday" + "timezone": "America/New_York", + // fires between 4 am and 5 am EST on mondays + "schedule": [ + "after 4am and before 5am on Monday" ], // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off. // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen - rebaseWhen: "conflicted", + "rebaseWhen": "never", // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels - labels: [ + "labels": [ "renovate" ], // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit - prHourlyLimit: 0, + "prHourlyLimit": 1, // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit - prConcurrentLimit: 0, - // List of additional notes/templates to include in the Pull Request body. 
See https://docs.renovatebot.com/configuration-options/#prbodynotes - prBodyNotes: [ - "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`" - ], + "prConcurrentLimit": 0, // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/ "pre-commit": { - enabled: true + "enabled": true }, "regexManagers": [ // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture @@ -59,30 +54,16 @@ "extractVersionTemplate": "^v?(?.*)$" } ], - packageRules: [ + "packageRules": [ { - matchPackageNames: ["k8s.io/client-go"], - allowedVersions: "<1.0.0" + "matchPackageNames": ["k8s.io/client-go"], + "allowedVersions": "<1.0.0" }, { - matchManagers: ["terraform"], - matchDepTypes: ["module"], - matchDatasources: ["github-tags", "git-tags"], - versioning: "loose" + "matchManagers": ["terraform"], + "matchDepTypes": ["module"], + "matchDatasources": ["github-tags", "git-tags"], + "versioning": "loose" } - ], - "vulnerabilityAlerts": { - "enabled": true, - "groupName": null, - "schedule": [], - "dependencyDashboardApproval": false, - "minimumReleaseAge": null, - "rangeStrategy": "update-lockfile", - "commitMessageSuffix": "[SECURITY]", - "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability", - "prCreation": "immediate", - "labels": ["security"], - "automerge": true, - "assignees": ["@defenseunicorns/delivery-aws-iac"] - } + ] } diff --git a/repo_templates/common/repos.txt b/repo_templates/common/repos.txt index 3b1683bf..137df53f 100644 --- a/repo_templates/common/repos.txt +++ b/repo_templates/common/repos.txt 
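Review bot: The new comment `// fires between 4 am and 5 am EST on mondays` above `"schedule"` is inaccurate for part of the year: with `"timezone": "America/New_York"` the window follows local time, so it is EDT from March to November. `// 4-5am America/New_York (local time), Mondays only` states it correctly year-round. The terraform template copy at `repo_templates/terraform/repo_files/renovate.json5` carries the same comment.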
@@ -1,2 +1,4 @@ -defenseunicorns/terraform-aws-rolesanywhere -defenseunicorns/terraform-aws-vpc +defenseunicorns/helm-charts +defenseunicorns/delivery-aws-iac-utils +defenseunicorns/delivery-github-actions-workflows +defenseunicorns/delivery-github-repo-management diff --git a/repo_templates/terraform/alt_repotxts/not_tested_repos.txt b/repo_templates/terraform/alt_repotxts/not_tested_repos.txt new file mode 100644 index 00000000..6807ee51 --- /dev/null +++ b/repo_templates/terraform/alt_repotxts/not_tested_repos.txt @@ -0,0 +1,4 @@ +defenseunicorns/terraform-aws-workspaces +defenseunicorns/terraform-aws-iam-saml-idp +defenseunicorns/terraform-aws-appstream +defenseunicorns/terraform-aws-uds-sops diff --git a/repo_templates/terraform/alt_repotxts/repos copy 2.txt b/repo_templates/terraform/alt_repotxts/repos copy 2.txt new file mode 100644 index 00000000..dab5acc4 --- /dev/null +++ b/repo_templates/terraform/alt_repotxts/repos copy 2.txt @@ -0,0 +1,18 @@ +#old, before uds rename + +defenseunicorns/delivery-aws-iac +defenseunicorns/terraform-aws-appstream +defenseunicorns/terraform-aws-eks +defenseunicorns/terraform-aws-iam-saml-idp +defenseunicorns/terraform-aws-rolesanywhere +defenseunicorns/terraform-aws-uds-bastion +defenseunicorns/terraform-aws-uds-cloudtrail +defenseunicorns/terraform-aws-uds-eks +defenseunicorns/terraform-aws-uds-kms +defenseunicorns/terraform-aws-uds-lambda +defenseunicorns/terraform-aws-uds-rds +defenseunicorns/terraform-aws-uds-s3 +defenseunicorns/terraform-aws-uds-s3-irsa +defenseunicorns/terraform-aws-uds-sops +defenseunicorns/terraform-aws-uds-vpc +defenseunicorns/terraform-aws-workspaces diff --git a/repo_templates/terraform/repo_files/.github/workflows/pull-request-opened-by-renovate.yml b/repo_templates/terraform/repo_files/.github/workflows/pull-request-opened-by-renovate.yml index 55f5a7a1..24f35bb2 100644 --- a/repo_templates/terraform/repo_files/.github/workflows/pull-request-opened-by-renovate.yml 
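Review bot: `repo_templates/terraform/alt_repotxts/repos copy 2.txt` looks like a file-manager duplicate committed by accident: the name carries a space and the suffix "copy 2", and its only explanation is the `#old, before uds rename` header. If it is meant to stay as a record of the pre-rename repository list, give it a descriptive name without spaces, for example `repos-before-uds-rename.txt`, so any script that globs or passes these paths unquoted does not break on it; otherwise drop it from the commit. Also worth a check: `not_tested_repos.txt` lists `terraform-aws-uds-sops` under the old `-uds-` naming while the new `repos.txt` entries use the renamed form, so either that repository was not renamed or the entry is stale.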
+++ b/repo_templates/terraform/repo_files/.github/workflows/pull-request-opened-by-renovate.yml @@ -2,7 +2,15 @@ # If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing. # If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will: # 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes. -# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically. +# 2. Change the branch protection rules to turn off require codeowner approval due to github apps not being able to be codeowners or added to teams. +# 3. narwhal-bot approves the PR. +# 4. narwhal-bot merges the PR. +# 5. PR is added to merge queue. +# 6. tests are ran. +# a. If tests pass, PR is merged. +# i. If PR is merged, it is closed and branch is deleted. +# b. If tests fail, PR stays open and it is removed from merge queue. +# 7. Branch protection is always set back to the original state. # # See ADR #0008. name: auto-test diff --git a/repo_templates/terraform/repo_files/.golangci.yml b/repo_templates/terraform/repo_files/.golangci.yml index bb115613..2a912a65 100644 --- a/repo_templates/terraform/repo_files/.golangci.yml +++ b/repo_templates/terraform/repo_files/.golangci.yml @@ -21,6 +21,21 @@ linters: linters-settings: funlen: lines: 120 + testifylint: + enable-all: false + enable: + - bool-compare + - compares + - empty + - error-is-as + - error-nil + - expected-actual + - float-compare + - len + - suite-dont-use-pkg + - suite-extra-assert-call + - suite-thelper + # -require-error causes errors in our e2e test patterns issues: exclude: - "G304" # Potential file inclusion via variable diff --git a/repo_templates/terraform/repo_files/.pre-commit-config.yaml b/repo_templates/terraform/repo_files/.pre-commit-config.yaml index f1165bd7..31be4e2f 100644 
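Review bot: The rewritten header documents that step 2 turns off the require-codeowner-approval branch protection and steps 3-4 have narwhal-bot approve and merge Renovate's PR, but nothing in this file implements or enforces any of it — the job presumably calls the same `@main` reusable workflow as the root copy, so this comment describes behaviour owned elsewhere and will drift silently. Add a pointer to where the logic lives and what guarantees step 7, e.g. `# Steps 2-7 are implemented in delivery-github-actions-workflows renovate-test.yml; the protection restore in step 7 must run with if: always() so a failed test run cannot leave codeowner review disabled.` Since the bot's approval in step 3 is the only review these PRs receive, the comment should state plainly that the merge-queue test run is the sole gate before merge.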
--- a/repo_templates/terraform/repo_files/.pre-commit-config.yaml +++ b/repo_templates/terraform/repo_files/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-added-large-files args: ["--maxkb=1024"] @@ -16,8 +16,8 @@ repos: - id: check-yaml args: - "--allow-multiple-documents" - - repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 + - repo: https://github.com/sirosen/texthooks + rev: 0.6.2 hooks: - id: fix-smartquotes - repo: https://github.com/tekwizely/pre-commit-golang @@ -28,6 +28,7 @@ repos: args: - "--timeout=10m" - "--verbose" + - "--allow-parallel-runners" - repo: https://github.com/antonbabenko/pre-commit-terraform rev: v1.83.5 hooks: @@ -46,6 +47,6 @@ repos: args: - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 36.107.1 + rev: 37.59.7 hooks: - id: renovate-config-validator diff --git a/repo_templates/terraform/repo_files/renovate.json5 b/repo_templates/terraform/repo_files/renovate.json5 index fffb02c8..7f1649c3 100644 --- a/repo_templates/terraform/repo_files/renovate.json5 +++ b/repo_templates/terraform/repo_files/renovate.json5 @@ -1,6 +1,6 @@ { - $schema: "https://docs.renovatebot.com/renovate-schema.json", - extends: [ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard ":dependencyDashboard", // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers 
@@ -14,30 +14,25 @@ "workarounds:all" ], // If we don't specify a timezone then Renovate will use UTC - timezone: "America/New_York", - // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to. - // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with. - schedule: [ - "after 7am and before 9am every weekday" + "timezone": "America/New_York", + // fires between 4 am and 5 am EST on mondays + "schedule": [ + "after 4am and before 5am on Monday" ], // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off. // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen - rebaseWhen: "never", + "rebaseWhen": "never", // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels - labels: [ + "labels": [ "renovate" ], // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit - prHourlyLimit: 0, + "prHourlyLimit": 1, // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit - prConcurrentLimit: 0, - // List of additional notes/templates to include in the Pull Request body. 
See https://docs.renovatebot.com/configuration-options/#prbodynotes - prBodyNotes: [ - "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`" - ], + "prConcurrentLimit": 0, // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/ "pre-commit": { - enabled: true + "enabled": true }, "regexManagers": [ // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture @@ -59,30 +54,16 @@ "extractVersionTemplate": "^v?(?.*)$" } ], - packageRules: [ + "packageRules": [ { - matchPackageNames: ["k8s.io/client-go"], - allowedVersions: "<1.0.0" + "matchPackageNames": ["k8s.io/client-go"], + "allowedVersions": "<1.0.0" }, { - matchManagers: ["terraform"], - matchDepTypes: ["module"], - matchDatasources: ["github-tags", "git-tags"], - versioning: "loose" + "matchManagers": ["terraform"], + "matchDepTypes": ["module"], + "matchDatasources": ["github-tags", "git-tags"], + "versioning": "loose" } - ], - "vulnerabilityAlerts": { - "enabled": true, - "groupName": null, - "schedule": [], - "dependencyDashboardApproval": false, - "minimumReleaseAge": null, - "rangeStrategy": "update-lockfile", - "commitMessageSuffix": "[SECURITY]", - "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability", - "prCreation": "immediate", - "labels": ["security"], - "automerge": true, - "assignees": ["@defenseunicorns/delivery-aws-iac"] - } + ] } diff --git a/repo_templates/terraform/repos.txt b/repo_templates/terraform/repos.txt index fba41b2d..e91c982f 100644 --- a/repo_templates/terraform/repos.txt +++ b/repo_templates/terraform/repos.txt 
@@ -1,4 +1,9 @@
+defenseunicorns/delivery-aws-iac
 defenseunicorns/terraform-aws-eks
+defenseunicorns/terraform-aws-rolesanywhere
 defenseunicorns/terraform-aws-bastion
+defenseunicorns/terraform-aws-cloudtrail
 defenseunicorns/terraform-aws-lambda
-defenseunicorns/terraform-aws-rolesanywhere
+defenseunicorns/terraform-aws-rds
+defenseunicorns/terraform-aws-vpc
+defenseunicorns/terraform-aws-s3-irsa
diff --git a/repo_templates/terraform/scripts/remove-uds-references.sh b/repo_templates/terraform/scripts/remove-uds-references.sh
new file mode 100755
index 00000000..8bf58242
--- /dev/null
+++ b/repo_templates/terraform/scripts/remove-uds-references.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Get the directory of the currently executing script
+current_dir=$(dirname "$0")
+# Go up four levels to the root and then into the 'scripts' directory
+root_dir="$(dirname "$(dirname "$(dirname "$current_dir")")")"
+# Source log.sh
+. "$root_dir/scripts/log.sh"
+
+# Use find to get all non-hidden files, then use sed to replace "-uds-" with ""
+find . \( ! -regex '.*/\..*' \) -type f -exec sed -i 's/-uds-/-/g' {} +
+
+# Get the URL of the remote origin
+repo_url=$(git config --get remote.origin.url)
+
+# Extract the repository name from the URL
+repo_name=$(basename -s .git "${repo_url}")
+
+# Check if the repository name contains "-uds", if so, rename it
+if [[ $repo_name == *"-uds"* ]]; then
+ log info "The repository name contains '-uds-': $repo_name"
+
+ # Remove "-uds" from the repository name
+ new_repo_name=${repo_name//-uds/}
+ log info "Renaming the repository to: $new_repo_name"
+
+ # Rename the repository
+ gh repo rename $new_repo_name -y
+fi
+
+# Run go mod tidy to clean up Go dependencies
+go mod tidy -v
+pre-commit install
+pre-commit run -a -v
+
+log info "Done!"
diff --git a/repo_templates/terraform/scripts/run.sh b/repo_templates/terraform/scripts/run.sh
index 3c545832..11ff70ab 100755
--- a/repo_templates/terraform/scripts/run.sh
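Review bot: `remove-uds-references.sh` rewrites every non-hidden file in the tree with `sed -i` and then renames the remote repository with `gh repo rename $new_repo_name -y`, yet it never sets `set -e`, so a failing `git config --get remote.origin.url` or a partially failed sed pass is not noticed before the irreversible rename runs; add `set -euo pipefail` after the shebang and quote the argument, `gh repo rename "$new_repo_name" -y`. The condition `[[ $repo_name == *"-uds"* ]]` also matches a name ending in `-uds` while the log line claims it `contains '-uds-'`, so make the message and the pattern agree on which form is intended. The comment `# Go up four levels to the root` does not match the three nested `dirname` calls that follow it. `sed -i` with no suffix is GNU syntax; on macOS `sed -i` requires an argument (`-i ''`), which matters for a script expected to run on developer machines.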
+++ b/repo_templates/terraform/scripts/run.sh
@@ -18,16 +18,6 @@ root_dir="$(dirname "$(dirname "$(dirname "$current_dir")")")"
 # Source log.sh
 . "$root_dir/scripts/log.sh"
-# Items to exclude from the initial copy
-declare -a excludeItems=(
- ".release-please-manifest.json"
- "Makefile"
- "test/e2e"
- "examples/complete"
-)
-
-log info "exluding copying: $(echo "${excludeItems[@]}")"
-
 # Items to conditionally copy only if they don't exist in the target directory
 declare -a conditionalItems=(
 ".release-please-manifest.json"
@@ -36,6 +26,14 @@ declare -a conditionalItems=(
 "examples/complete"
 )
+# Items to always exclude from the copy, relevant to have conditionalItems in here
+declare -a excludeItems=(
+ "${conditionalItems[@]}"
+ # Add any additional items to exclude here
+)
+
+log info "excluding copying: $(echo "${excludeItems[@]}")"
+
 # Enable dotglob option in Bash to consider hidden files
 shopt -s dotglob
@@ -50,7 +48,7 @@ log info "Running rsync from $TEMPLATE_ROOT/repo_files/ to current directory of
 rsync -av $exclude_flags "$TEMPLATE_ROOT/repo_files/" .
 # Conditionally copy specific items only if they don't exist
-log info "conditionally copying if it doesn't exist in the target: $(echo "${excludeItems[@]}")"
+log info "conditionally copying if it doesn't exist in the target directory: $(echo "${excludeItems[@]}")"
 for item in "${conditionalItems[@]}"; do
 target="./$item"
 if [ ! -e "$target" ]; then
@@ -68,6 +66,6 @@ pre-commit install
 pre-commit run -a -v
 log info "running go mod tidy"
-go mody tidy -v
+go mod tidy -v
 log info "Done!"
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 1be72e5c..cb8a30ed 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
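Review bot: The reworded log line in the `@@ -50,7 +48,7` hunk still prints `${excludeItems[@]}` while the loop directly under it iterates `${conditionalItems[@]}`; the two arrays are identical today, but the new `# Add any additional items to exclude here` comment invites them to diverge, at which point the message misreports what is conditionally copied. Change it to `log info "conditionally copying if it doesn't exist in the target directory: ${conditionalItems[*]}"` — `"${arr[*]}"` also removes the `$(echo ...)` subshell, and the same simplification applies to the new `excluding copying` line in the `@@ -36,6 +26,14` hunk. In that hunk `excludeItems` is now derived from `conditionalItems`, so a one-line comment above `declare -a excludeItems` saying the initial rsync skips them precisely so the conditional copy below can decide per item would make the coupling explicit.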
@@ -1,15 +1,17 @@
 #!/usr/bin/env bash
 # this script is an entrypoint script to pass parameters to the run.sh scripts under the repo_template directory
-. log.sh;
+# get repo root path
+REPO_ROOT=$(realpath "$(dirname "$(dirname "$0")")")
+export REPO_ROOT
+
+. "${REPO_ROOT}/scripts/log.sh"
 set -e
 trap 'echo ❌ exit at ${0}:${LINENO}, command was: ${BASH_COMMAND} 1>&2' ERR
 echo -e "Starting script with $# arguments: $@\n"
-
-
 # Check if GITHUB_OAUTH_TOKEN is empty
 if [ -z "${GITHUB_OAUTH_TOKEN}" ]; then
 # Attempt to set GITHUB_OAUTH_TOKEN using gh auth token
@@ -26,10 +28,6 @@ if [ -z "${GITHUB_OAUTH_TOKEN}" ]; then
 fi
 fi
-# get repo root path
-REPO_ROOT=$(realpath "$(dirname "$(dirname "$0")")")
-export REPO_ROOT
-
 # script help message function help { cat <
 -t|--template - (required) repo_template directory to target
 -b|--branch - (required) branch name to target for each repo
 -r|--repos-file - (optional) path to repos.txt file to determine which repos to target, defaults to the one in the repo_template directory
--m|--message - (required) commit message to use for each repo
+-m|--message - (optional) commit message to use for each repo
 -e|--executable - (optional) executable to use for git-xargs process, this needs to be the full path to the executable, defaults to the run.sh script in the repo_template relative to the template
 --no-skip-ci - (optional) do not skip CI for each repo
 --draft - (optional) create a draft PR for each repo
@@ -222,6 +220,8 @@ main(){
 # Call git-xargs with the constructed arguments
 # executable has to go last
+ log info "List of repos targeted: $(cat "${REPOS_FILE}")"
+ log info "Arguments passed to git-xargs: ${args[@]} ${EXECUTABLE}"
 # custom version of git-xargs for commit signing.. build here: https://github.com/zack-is-cool/git-xargs/tree/feat/add-commit-signing
 git-xargs "${args[@]}" "$EXECUTABLE"
 }
diff --git a/scripts/log.sh b/scripts/log.sh
index c10baf68..e28347fe 100644
--- a/scripts/log.sh
+++ b/scripts/log.sh
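Review bot: The new line `log info "Arguments passed to git-xargs: ${args[@]} ${EXECUTABLE}"` expands an array with `[@]` inside a double-quoted string (ShellCheck SC2145), which only appears to work because the elements get joined by a space; use `log info "Arguments passed to git-xargs: $(printf '%q ' "${args[@]}") ${EXECUTABLE}"` so arguments containing spaces, such as the commit message, are shown with their boundaries. `args` is assembled outside this hunk, so before logging it verify that no element ever carries a credential — `GITHUB_OAUTH_TOKEN` is currently taken from the environment, but any future `--token`-style flag would be echoed into the log. In the first hunk `REPO_ROOT=$(realpath ...)` and the `. "${REPO_ROOT}/scripts/log.sh"` source now run before `set -e`, so a `realpath` failure leaves `REPO_ROOT` empty and the failed source is not fatal; moving `set -e` up to just after the shebang — and making it `set -euo pipefail` — closes this, which matters more now that the last hunk removes `set -uo pipefail` from the sourced `scripts/log.sh` (correct for a library, but its callers lose those options). The help text now marks `-m|--message` optional; whether the argument validation further down the file was relaxed to match is not visible here. `main` begins and ends outside the `@@ -222,6 +220,8` hunk.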
@@ -2,8 +2,6 @@
 # stolen from here https://github.com/Zordrak/bashlog/blob/master/log.sh
 # and modified colours to colors :)
-set -uo pipefail;
-
 function _log_exception() {
 (
 BASHLOG_FILE=0;