diff --git a/.checkov.yml b/.checkov.yml
index 441696d..2c67e16 100644
--- a/.checkov.yml
+++ b/.checkov.yml
@@ -9,4 +9,3 @@ summary-position: bottom
 skip-check:
   - CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867
-  - CKV2_AWS_65
diff --git a/.env b/.env
index 6fdd427..3ef6c32 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
 BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=github-tags depName=defenseunicorns/build-harness
-BUILD_HARNESS_VERSION=1.14.1
+BUILD_HARNESS_VERSION=1.14.0
diff --git a/.github/workflows/pull-request-opened-by-renovate.yml b/.github/workflows/pull-request-opened-by-renovate.yml
index 55f5a7a..24f35bb 100644
--- a/.github/workflows/pull-request-opened-by-renovate.yml
+++ b/.github/workflows/pull-request-opened-by-renovate.yml
@@ -2,7 +2,15 @@
 # If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
 # If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
 # 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
-# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+# 2. Change the branch protection rules to turn off require codeowner approval due to github apps not being able to be codeowners or added to teams.
+# 3. narwhal-bot approves the PR.
+# 4. narwhal-bot merges the PR.
+# 5. PR is added to merge queue.
+# 6. tests are ran.
+#    a. If tests pass, PR is merged.
+#       i. If PR is merged, it is closed and branch is deleted.
+#    b. If tests fail, PR stays open and it is removed from merge queue.
+# 7. Branch protection is always set back to the original state.
 #
 # See ADR #0008.
 name: auto-test
diff --git a/.golangci.yml b/.golangci.yml
index bb11561..2a912a6 100644
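Review bot: Step 7's `# 7. Branch protection is always set back to the original state.` is the one property that makes step 2's loosening of codeowner-approval enforcement safe, yet the comment does not say what guarantees it, and the steps that implement it are outside this hunk. If the restore step runs under `if: always()` (or an equivalent that executes even when approval, merge or the queue step fails), state that in the comment, e.g. `# 7. Branch protection is always set back to the original state (the restore step runs even if an earlier step fails).`; if it does not, the comment promises more than the job delivers and the restore needs that guard. Minor wording: `# 6. tests are ran.` should read `# 6. tests are run.`.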
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -21,6 +21,21 @@ linters:
 linters-settings:
   funlen:
     lines: 120
+  testifylint:
+    enable-all: false
+    enable:
+      - bool-compare
+      - compares
+      - empty
+      - error-is-as
+      - error-nil
+      - expected-actual
+      - float-compare
+      - len
+      - suite-dont-use-pkg
+      - suite-extra-assert-call
+      - suite-thelper
+    # -require-error causes errors in our e2e test patterns
 issues:
   exclude:
     - "G304" # Potential file inclusion via variable
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3a9a142..31be4e2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,8 +16,8 @@ repos:
       - id: check-yaml
         args:
           - "--allow-multiple-documents"
-  - repo: https://github.com/sirosen/fix-smartquotes
-    rev: 0.2.0
+  - repo: https://github.com/sirosen/texthooks
+    rev: 0.6.2
     hooks:
       - id: fix-smartquotes
   - repo: https://github.com/tekwizely/pre-commit-golang
@@ -28,6 +28,7 @@ repos:
         args:
           - "--timeout=10m"
           - "--verbose"
+          - "--allow-parallel-runners"
   - repo: https://github.com/antonbabenko/pre-commit-terraform
     rev: v1.83.5
     hooks:
@@ -46,6 +47,6 @@ repos:
         args:
           - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 37.47.0
+    rev: 37.59.7
     hooks:
       - id: renovate-config-validator
diff --git a/go.sum b/go.sum
index 9c09e50..596b6d7 100644
--- a/go.sum
+++ b/go.sum
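Review bot: The comment `# -require-error causes errors in our e2e test patterns` sits after the last `enable` entry and, with its leading dash, reads like a disabled list item rather than an explanation of the list above it. Move it above `enable:` and state the intent plainly, e.g. `# require-error is intentionally omitted: it flags our e2e test patterns`, so the next person extending this explicit checker list can see the omission is deliberate rather than an oversight.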
@@ -384,8 +384,6 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro=
 github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
-github.com/gruntwork-io/terratest v0.46.1 h1:dJ/y2/Li6yCDIc8KXY8PfydtrMRiXFb3UZm4LoPShPI=
-github.com/gruntwork-io/terratest v0.46.1/go.mod h1:gl//tb5cLnbpQs1FTSNwhsrbhsoG00goCJPfOnyliiU=
 github.com/gruntwork-io/terratest v0.46.5 h1:cmsIAKjM1Hqwy5tlZPb6EJQvaMCD4xRX1DN9fnTptBM=
 github.com/gruntwork-io/terratest v0.46.5/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
diff --git a/renovate.json5 b/renovate.json5
index 6b526c4..7f1649c 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,6 +1,6 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
-  extends: [
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
     // Tells Renovate to maintain one GitHub issue as the "dependency dashboard". See https://docs.renovatebot.com/key-concepts/dashboard
     ":dependencyDashboard",
     // Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use. See https://docs.renovatebot.com/presets-default/#semanticprefixfixdepschoreothers
@@ -14,30 +14,25 @@
     "workarounds:all"
   ],
   // If we don't specify a timezone then Renovate will use UTC
-  timezone: "America/New_York",
-  // Giving a small window constrains when Renovate will create PRs. The objective here is to only have Renovate create PRs on weekdays in the morning. This setting only affects when PRs are created. Without other configuration Renovate will rebase any PRs that already exist whenever it wants to.
-  // We need an "after" and a "before" because there is other automation that happens earlier that we don't want Renovate to conflict with.
-  schedule: [
-    "after 7am and before 9am every weekday"
+  "timezone": "America/New_York",
+  // fires between 4 am and 5 am EST on mondays
+  "schedule": [
+    "after 4am and before 5am on Monday"
   ],
   // This will prevent Renovate from automatically rebasing PRs. Without this, Renovate will rebase PRs whenever it wants to. The 'schedule' param is only for creating PRs. Because we are grouping all changes into one PR without this Renovate will be constantly rebasing that PR which we don't want since every time that happens another set of GHA status checks are kicked off.
   // Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state. See https://docs.renovatebot.com/configuration-options/#rebasewhen
-  rebaseWhen: "conflicted",
+  "rebaseWhen": "never",
   // Labels to set in Pull Request. See https://docs.renovatebot.com/configuration-options/#labels
-  labels: [
+  "labels": [
     "renovate"
   ],
   // Rate limit PRs to maximum x created per hour. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prhourlylimit
-  prHourlyLimit: 0,
+  "prHourlyLimit": 1,
   // Limit to a maximum of x concurrent branches/PRs. 0 means no limit. See https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
-  prConcurrentLimit: 0,
-  // List of additional notes/templates to include in the Pull Request body. See https://docs.renovatebot.com/configuration-options/#prbodynotes
-  prBodyNotes: [
-    "- :warning: The E2E tests need to be run, they have a manual trigger. To start them add a comment to this PR that says `/test all`"
-  ],
+  "prConcurrentLimit": 0,
   // Enable updates to the pre-commit-config.yaml file. See https://docs.renovatebot.com/modules/manager/pre-commit/
   "pre-commit": {
-    enabled: true
+    "enabled": true
   },
   "regexManagers": [
     // Custom regex manager for the .env file that follows the pattern documented here: https://docs.renovatebot.com/modules/manager/regex/#advanced-capture
@@ -59,30 +54,16 @@
       "extractVersionTemplate": "^v?(?.*)$"
     }
   ],
-  packageRules: [
+  "packageRules": [
     {
-      matchPackageNames: ["k8s.io/client-go"],
-      allowedVersions: "<1.0.0"
+      "matchPackageNames": ["k8s.io/client-go"],
+      "allowedVersions": "<1.0.0"
     },
     {
-      matchManagers: ["terraform"],
-      matchDepTypes: ["module"],
-      matchDatasources: ["github-tags", "git-tags"],
-      versioning: "loose"
+      "matchManagers": ["terraform"],
+      "matchDepTypes": ["module"],
+      "matchDatasources": ["github-tags", "git-tags"],
+      "versioning": "loose"
     }
-  ],
-  "vulnerabilityAlerts": {
-    "enabled": true,
-    "groupName": null,
-    "schedule": [],
-    "dependencyDashboardApproval": false,
-    "minimumReleaseAge": null,
-    "rangeStrategy": "update-lockfile",
-    "commitMessageSuffix": "[SECURITY]",
-    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
-    "prCreation": "immediate",
-    "labels": ["security"],
-    "automerge": true,
-    "assignees": ["@defenseunicorns/delivery-aws-iac"]
-  }
+  ]
 }
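Review bot: The comment kept above `"rebaseWhen": "never"` still explains the old value (`// Using a value of "conflicted" means that Renovate will only rebase PRs if they are in a conflicted state.`), so the new setting is documented as doing the opposite of what it does; replace that line with something like `// Using a value of "never" means Renovate will not rebase PRs at all, even when they conflict; conflicts are resolved by hand. See https://docs.renovatebot.com/configuration-options/#rebasewhen`. The new schedule comment `// fires between 4 am and 5 am EST on mondays` is also slightly off, because `"timezone": "America/New_York"` follows daylight saving, so the window is local time (EDT for part of the year); `// fires between 4 am and 5 am America/New_York time on Mondays` avoids the mismatch. The change from `prHourlyLimit: 0` to `"prHourlyLimit": 1` is left without a comment explaining why the limit was introduced alongside the narrower Monday window; one line stating the intent would help the next reader.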
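Review bot: Deleting the whole `"vulnerabilityAlerts"` block removes the overrides that set security PRs apart from routine ones — `"labels": ["security"]`, `"automerge": true`, `"assignees": ["@defenseunicorns/delivery-aws-iac"]` and the explicit `"enabled": true` — and the hunk leaves no comment recording that this is intended. As I read the Renovate docs, several of the removed keys (`"prCreation": "immediate"`, `"commitMessageSuffix": "[SECURITY]"`, the empty `"schedule"`) match Renovate's defaults for vulnerability alerts, so those paths should be unaffected, but the label, assignee and automerge behaviour is what triage and the merge workflow may depend on, and it is worth confirming whether the new `"prHourlyLimit": 1` now also throttles vulnerability PRs. If the removal is deliberate, a one-line comment next to `"packageRules"` saying security PRs now rely on Renovate's default vulnerability-alert handling would stop someone re-adding the block; if it is not, keep at least the `labels`/`automerge` entries.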