Commit
Update chore/update-configs branch from delivery-github-repo-management
1 parent c7c0135, commit f935d9f. Showing 15 changed files with 262 additions and 17 deletions.
@@ -1,3 +1,3 @@ | ||
BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness | ||
# renovate: datasource=github-tags depName=defenseunicorns/build-harness | ||
BUILD_HARNESS_VERSION=1.11.2 | ||
BUILD_HARNESS_VERSION=1.14.0 |
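Review bot: the bump to `BUILD_HARNESS_VERSION=1.14.0` still pins the build harness by a mutable tag only; `BUILD_HARNESS_REPO` is a ghcr.io image reference and the renovate annotation tracks tags, so consider pinning the image digest alongside the tag (renovate can update both) so that CI runs an immutable image. A one-line note on what changed between 1.11.2 and 1.14.0 would also help reviewers, since the diff itself gives no reason for the jump.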
@@ -0,0 +1,25 @@ | ||
# triggers on merge_group and pull_request events | ||
# only use this if merge queue is enabled, otherwise stick to test-command for e2e testing | ||
|
||
name: pr-merge-group | ||
on: | ||
merge_group: | ||
types: [checks_requested] | ||
pull_request: | ||
|
||
defaults: | ||
run: | ||
shell: bash -eo pipefail {0} | ||
|
||
permissions: | ||
id-token: write # needed for oidc auth for AWS creds | ||
contents: read | ||
|
||
jobs: | ||
pr-merge-group-test: | ||
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main | ||
secrets: | ||
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} | ||
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} | ||
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }} | ||
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }} |
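Review bot: `uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main` references the reusable workflow by a moving branch while this caller grants `id-token: write` and forwards the app private key and both AWS role ARNs; any change that lands on that branch immediately runs with this repository's OIDC identity and secrets. Pin to a release tag or full commit SHA and let renovate bump it. Separately, `pull_request:` has no `types:` filter, so the job also runs on every synchronize, which is fine if intended but worth stating in the header comment next to the merge-queue note.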
@@ -0,0 +1,20 @@ | ||
# If the workflow trigger is "pull_request", run pre-commit checks. | ||
name: pre-commit | ||
|
||
on: | ||
pull_request: | ||
merge_group: | ||
workflow_dispatch: | ||
|
||
|
||
permissions: | ||
pull-requests: write | ||
id-token: write | ||
contents: read | ||
|
||
jobs: | ||
pre-commit: | ||
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pre-commit.yml@main | ||
secrets: | ||
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} | ||
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} |
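Review bot: `permissions:` grants `pull-requests: write` and `id-token: write` to a lint job, and unlike the pr-merge-group workflow no comment says why `id-token: write` is needed here. If the reusable pre-commit workflow only needs to push autofix commits or post a comment via the app credentials it receives, the OIDC permission can be dropped; if it is needed, document it the way the other file does (`# needed for oidc auth for AWS creds`). The same `@main` pinning concern applies to the `uses:` line.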
@@ -0,0 +1,32 @@ | ||
# If Renovate is not the author of the PR that triggers this workflow, it will do nothing. | ||
# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing. | ||
# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will: | ||
# 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes. | ||
# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically. | ||
# | ||
# See ADR #0008. | ||
name: auto-test | ||
on: | ||
pull_request: | ||
# WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop. | ||
types: | ||
- opened | ||
|
||
permissions: | ||
id-token: write | ||
contents: write | ||
|
||
defaults: | ||
run: | ||
# We need -e -o pipefail for consistency with GitHub Actions' default behavior | ||
shell: bash -e -o pipefail {0} | ||
|
||
jobs: | ||
renovate-test: | ||
if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]' | ||
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main | ||
secrets: | ||
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} | ||
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} | ||
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }} | ||
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }} |
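Review bot: in the `if:` condition the first clause `github.event.client_payload.github.actor == 'renovate[bot]'` can never be true here, because `client_payload` only exists for `repository_dispatch` events and this workflow triggers only on `pull_request: types: [opened]`; it looks copied from the slash-command workflow and should be dropped so the gate reads as the single check `github.actor == 'renovate[bot]'`. With `contents: write` and the push described in step 1 of the header, the `opened`-only trigger is what stops the pushed autoformat commit from re-triggering this workflow, so the WARNING comment is load-bearing and belongs exactly where it is, next to `types:`.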
@@ -0,0 +1,19 @@ | ||
name: repo-config | ||
|
||
on: | ||
schedule: | ||
# daily at 11:00 UTC | ||
- cron: '0 11 * * *' | ||
|
||
jobs: | ||
repo-config: | ||
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/repo-config.yml@main | ||
secrets: | ||
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} | ||
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} | ||
with: | ||
branch: main | ||
checks: |- | ||
checks: | ||
- context: 'e2e-tests' | ||
- context: 'pre-commit-checks' |
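Review bot: there is no top-level `permissions:` block, so the caller job runs with the repository's default `GITHUB_TOKEN` permissions even though the reusable workflow is handed the app credentials (`APPLICATION_ID` / `APPLICATION_PRIVATE_KEY`) it presumably uses; add `permissions: contents: read` (or `permissions: {}`) so the default token carries nothing extra. Also, the required check names `e2e-tests` and `pre-commit-checks` under `checks:` must match the status contexts reported by the e2e and pre-commit workflows exactly, which this diff does not show; a comment pointing at where those names come from would save the next person a round trip.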
@@ -0,0 +1,38 @@ | ||
# usage: | ||
# A user with write status to the repo can from a PR comment: | ||
|
||
# run a single test | ||
# /test make=<make-target> region=<region> | ||
|
||
# run ping test | ||
# /test ping | ||
|
||
# run all tests in the makefile | ||
# /test | ||
|
||
name: test | ||
on: | ||
repository_dispatch: | ||
types: [test-command] | ||
|
||
|
||
permissions: | ||
id-token: write | ||
contents: read | ||
|
||
defaults: | ||
run: | ||
# We need -e -o pipefail for consistency with GitHub Actions' default behavior | ||
shell: bash -e -o pipefail {0} | ||
|
||
jobs: | ||
e2e-test: | ||
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/e2e-test.yml@main | ||
secrets: | ||
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }} | ||
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }} | ||
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }} | ||
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }} | ||
with: | ||
# check if the required slash command args are present, if so populate the json matrix, else pass in null and relevant e2e tests that would require a make target and region will be skipped | ||
e2e-test-matrix: ${{ (contains(github.event.client_payload.slash_command_args.named, 'make') && contains(github.event.client_payload.slash_command_args.named, 'region')) && format('[{{"make-target":"{0}", "region":"{1}"}}]', github.event.client_payload.slash_command_args.named.make, github.event.client_payload.slash_command_args.named.region) || null }} |
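Review bot: `e2e-test-matrix` interpolates `slash_command_args.named.make` and `slash_command_args.named.region` from the PR comment straight into the JSON matrix with no validation beyond presence, so whatever a commenter types after `make=` reaches the reusable workflow as `make-target`; the only gate is the "write status" check mentioned in the header comment, which is enforced by the dispatching workflow and is not visible in this diff. Since CONTRIBUTING states that the CI targets all start with `test-ci-`, consider having the reusable workflow (or a step before it) reject any `make-target` that does not match that allow list before it is handed to `make`, and say so in the comment above the expression.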
@@ -1 +1,5 @@ | ||
* @defenseunicorns/delivery-aws-iac | ||
|
||
# Privileged Files | ||
/CODEOWNERS @defenseunicorns/delivery-aws-iac-admin | ||
/LICENSE @defenseunicorns/delivery-aws-iac-admin |
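Review bot: the "Privileged Files" section protects `/CODEOWNERS` and `/LICENSE` but not `/.github/workflows/`, which this same commit fills with workflows that grant `id-token: write` and forward the app and AWS secrets; changes to those files deserve the admin team's review as well, e.g. `/.github/workflows/ @defenseunicorns/delivery-aws-iac-admin`. Also confirm that the `/CODEOWNERS` pattern matches where the file actually lives: GitHub reads CODEOWNERS from the repository root, `.github/`, or `docs/`, and a root-anchored `/CODEOWNERS` pattern does not match `.github/CODEOWNERS`.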
@@ -0,0 +1,62 @@ | ||
# Contributor Guide | ||
|
||
Thanks so much for wanting to help out! :tada: | ||
|
||
Most of what you'll see in this document is our attempt at documenting the lightweight development process that works for our team. We're always open to feedback and suggestions for improvement. The intention is not to force people to follow this process step by step, rather to document it as a norm and provide a baseline for discussion. | ||
|
||
## Developer Experience | ||
|
||
Continuous Delivery is core to our development philosophy. Check out [https://minimumcd.org](https://minimumcd.org/) for a good baseline agreement on what that means. | ||
|
||
Specifically: | ||
|
||
- We do trunk-based development (`main`) with short-lived feature branches that originate from the trunk, get merged to the trunk, and are deleted after the merge. | ||
- We don't merge work into `main` that isn't releasable. | ||
- We perform automated testing on all pushes to `main`. Fixing failing pipelines in `main` are prioritized over all other work. | ||
- We create immutable release artifacts. | ||
|
||
### Developer Workflow | ||
|
||
:key: == Required by automation | ||
|
||
1. Pick an issue to work on, assign it to yourself, and drop a comment in the issue to let everyone know you're working on it. | ||
2. Create a Draft Pull Request targeting the `main` branch as soon as you are able to, even if it is just 5 minutes after you started working on it. We lean towards working in the open as much as we can. If you're not sure what to put in the PR description, just put a link to the issue you're working on. If you're not sure what to put in the PR title, just put "WIP" (Work In Progress) and we'll help you out with the rest. | ||
3. :key: The automated tests have to pass for the PR to be able to be merged. To run the tests in the PR add a comment to the PR that says `/test`. **NOTE** tests still have to pass in the merge queue, **you do not need to have tests pass in the PR, status checks are automatically reported as success in the PR**. If you want to run a specific test manually in the PR, you can use `/test make=<make-target> region=<region>`. The available CI tests are found in the [Makefile](./Makefile) and start with the string "test-ci-" | ||
4. If your PR is still set as a Draft transition it to "Ready for Review" | ||
5. Get it reviewed by a [CODEOWNER](./CODEOWNERS) | ||
6. Add the PR to the merge queue | ||
7. The merge queue will run different tests based on if it's a `release-please` pull request or just a regular pull request. If it's a `release-please` pull request, it will run all make targets starting with `test-ci-` and `test-release-` by default. If it's a regular pull request, it will run all make targets starting with `test-ci-` test by default. If the tests fail, the PR will be removed from the merge queue and the PR stays open. If the tests pass, the PR will be merged to `main` and the PR will be closed. | ||
8. If the issue is fully resolved, close it. _Hint: You can add "Closes #XXX" to the PR description to automatically close the issue when the PR is merged._ | ||
|
||
### Pre-Commit Hooks | ||
|
||
This project uses [pre-commit](https://pre-commit.com/) to run a set of checks on your code before you commit it. You have the option to either install pre-commit and all other needed tools locally or use our docker-based build harness. To use the build harness, run | ||
|
||
```shell | ||
make run-pre-commit-hooks | ||
``` | ||
> NOTE: Sometimes file ownership of stuff in the `.cache` folder can get messed up. You can optionally add the `fix-cache-permissions` target to the above command to fix that. It is idempotent so it is safe to run it every time. | ||
### Commit Messages | ||
|
||
Because we use the [release-please](https://github.com/googleapis/release-please) bot, commit messages to main must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This is enforced by the [commitlint](https://commitlint.js.org/#/) tool. This requirement is only enforced on the `main` branch. Commit messages in PRs can be whatever you want them to be. "Squash" mode must be used when merging a PR, with a commit message that follows the Conventional Commits specification. | ||
|
||
### Release Process | ||
|
||
This repo uses the [release-please](https://github.com/googleapis/release-please) bot. Release-please will automatically open a PR to update the version of the repo when a commit is merged to `main` that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. The bot will automatically keep the PR up to date until a human merges it. When that happens the bot will automatically create a new release. | ||
|
||
### Backlog Management | ||
|
||
- We use [GitHub Issues](https://github.com/defenseunicorns/delivery-aws-iac/issues) to manage our backlog. | ||
- Issues need to meet our Definition of Ready (see below). If it does not meet the Definition of Ready, we may close it and ask the requester to re-open it once it does. | ||
|
||
#### Definition of Ready for a Backlog Item | ||
|
||
To meet the Definition of Ready the issue needs to answer the following questions: | ||
- Who is requesting it? | ||
- What is being requested? | ||
- Why is it needed? | ||
- What is the impact? What will happen if the request is not fulfilled? | ||
- How do we know that we are done? | ||
|
||
This can take various forms, and we don't care which form the issue takes as long as it answers the questions above. |
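Review bot: step 3 of the Developer Workflow says status checks are automatically reported as success in the PR; that deserves a clearer warning to reviewers, since a green check on the PR page is not evidence that the e2e tests ran, and the document should state plainly that the merge-queue run is the authoritative gate. Two formatting nits in the same hunk: the `> NOTE:` blockquote runs directly into `### Commit Messages` with no blank line, so the heading may render as part of the quote, and "Fixing failing pipelines in `main` are prioritized" should read "is prioritized".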