Update chore/update-configs branch from delivery-github-repo-management
zack-is-cool committed Oct 27, 2023
1 parent c7c0135 commit f935d9f
Showing 15 changed files with 262 additions and 17 deletions.
3 changes: 3 additions & 0 deletions .checkov.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,6 @@ framework: terraform
compact: true
quiet: false
summary-position: bottom

skip-check:
- CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867
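Review bot: the new `skip-check` entry disables CKV_TF_1 repository-wide, so no module source in this repo will ever be required to pin to a commit hash, not just the ones blocked by the linked hashicorp/terraform issue. Since the skip is meant to be temporary, record the condition for removing it next to the link (for example "remove once the upstream issue is resolved") or narrow it with inline `#checkov:skip=CKV_TF_1` comments on the specific module blocks that cannot be pinned, so the control stays active for new modules.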
2 changes: 1 addition & 1 deletion .env
@@ -1,3 +1,3 @@
BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
# renovate: datasource=github-tags depName=defenseunicorns/build-harness
BUILD_HARNESS_VERSION=1.11.2
BUILD_HARNESS_VERSION=1.14.0
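Review bot: `BUILD_HARNESS_VERSION` pins the ghcr.io build-harness image by tag only, and tags are mutable. Because this image runs the pre-commit hooks and tests for the repo, consider recording the image digest alongside the tag (Renovate can keep a `@sha256:` pin up to date) so the toolchain that produced a given commit can be reproduced exactly.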
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/general_issue.md
Expand Up @@ -7,7 +7,7 @@ assignees: ''

---

<!-- Thank you for submitting an issue! Please answer the following questions. This template is intended to guide the issue author toward meeting our Definition of Ready. You don't have to use this exact format if you don't want to, but whatever you submit must meet the DoR or the issue may be closed, and you will be asked to resubmit. -->
<!-- Thank you for submitting an issue! Please answer the following questions. This template is intended to guide the issue author toward meeting our [Definition of Ready](https://github.com/defenseunicorns/delivery-aws-iac/blob/main/CONTRIBUTING.md#definition-of-ready-for-a-backlog-item). You don't have to use this exact format if you don't want to, but whatever you submit must meet the DoR or the issue may be closed, and you will be asked to resubmit. -->

### Persona

25 changes: 25 additions & 0 deletions .github/workflows/pr-merge-group.yml
@@ -0,0 +1,25 @@
# triggers on merge_group and pull_request events
# only use this if merge queue is enabled, otherwise stick to test-command for e2e testing

name: pr-merge-group
on:
merge_group:
types: [checks_requested]
pull_request:

defaults:
run:
shell: bash -eo pipefail {0}

permissions:
id-token: write # needed for oidc auth for AWS creds
contents: read

jobs:
pr-merge-group-test:
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
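Review bot: the reusable workflow is referenced at the mutable ref `delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main` while this caller grants `id-token: write` and passes the GitHub App key and both AWS role ARNs as secrets. Any change pushed to `main` in that repository runs here with those credentials without going through this repo's review or merge queue; pin the reference to a release tag or a full commit SHA and let Renovate bump it, or document why a floating ref is acceptable for this trust boundary.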
20 changes: 20 additions & 0 deletions .github/workflows/pre-commit.yml
@@ -0,0 +1,20 @@
# If the workflow trigger is "pull_request", run pre-commit checks.
name: pre-commit

on:
pull_request:
merge_group:
workflow_dispatch:


permissions:
pull-requests: write
id-token: write
contents: read

jobs:
pre-commit:
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pre-commit.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
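Review bot: the `permissions` block grants `pull-requests: write` and `id-token: write` for a job that only runs pre-commit checks. `pull-requests: write` is plausible if the reusable workflow comments on or pushes formatting fixes to the PR, but `id-token: write` (OIDC token minting) is not obviously needed for linting; confirm which permissions `pre-commit.yml@main` actually uses and drop the rest so the job holds the minimum. Style nit: there are two blank lines after the `on:` block (lines with `workflow_dispatch:`), one is enough.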
32 changes: 32 additions & 0 deletions .github/workflows/pull-request-opened-by-renovate.yml
@@ -0,0 +1,32 @@
# If Renovate is not the author of the PR that triggers this workflow, it will do nothing.
# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
# 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
#
# See ADR #0008.
name: auto-test
on:
pull_request:
# WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop.
types:
- opened

permissions:
id-token: write
contents: write

defaults:
run:
# We need -e -o pipefail for consistency with GitHub Actions' default behavior
shell: bash -e -o pipefail {0}

jobs:
renovate-test:
if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]'
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
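Review bot: the `if:` on `renovate-test` checks `github.event.client_payload.github.actor`, but `client_payload` only exists on `repository_dispatch` events and this workflow triggers solely on `pull_request: opened`, so that half of the condition can never be true; simplify it to `if: github.actor == 'renovate[bot]'`. Also worth a comment near `contents: write`: that permission is what lets the Autoformat step push to the PR branch, which is exactly why the header warns against adding more event types (a pushed commit firing `synchronize` would re-trigger the workflow).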
10 changes: 4 additions & 6 deletions .github/workflows/release-please.yml
Expand Up @@ -13,9 +13,7 @@ permissions:

jobs:
release-please:
runs-on: ubuntu-latest
steps:
- uses: google-github-actions/release-please-action@v3
with:
token: ${{ secrets.PAT }}
command: manifest
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/release-please.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
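Review bot: replacing the long-lived `secrets.PAT` with a short-lived GitHub App token is a clear improvement, but the removed lines also drop `command: manifest`, and the new call passes no `with:` inputs. Confirm that `release-please.yml@main` runs release-please in manifest mode (this repo has the manifest-style config) or pass the equivalent input; otherwise the first scheduled run will open a release PR with the wrong versioning strategy.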
19 changes: 19 additions & 0 deletions .github/workflows/repo-config.yml
@@ -0,0 +1,19 @@
name: repo-config

on:
schedule:
# daily at 11:00 UTC
- cron: '0 11 * * *'

jobs:
repo-config:
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/repo-config.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
with:
branch: main
checks: |-
checks:
- context: 'e2e-tests'
- context: 'pre-commit-checks'
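Review bot: the `checks` input is a YAML document embedded in a block scalar (`checks: |-` followed by a nested `checks:` key), so a typo inside it will not be caught by the workflow parser; the `context` values must match the check-run names that the reusable workflows actually report (`e2e-tests`, `pre-commit-checks`) byte for byte, otherwise branch protection on `main` will wait forever for a check that never arrives. This job also only has a `schedule` trigger; adding `workflow_dispatch:` would let an admin re-apply the configuration immediately after editing this file rather than waiting for the 11:00 UTC run.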
27 changes: 23 additions & 4 deletions .github/workflows/slash-command-dispatch.yml
Expand Up @@ -9,11 +9,10 @@ on:

jobs:

slashCommandDispatchUpdate:
if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
slashCommandDispatchTest:
if: github.event.issue.pull_request && contains(github.event.comment.body, '/test')
runs-on: ubuntu-latest
steps:

- name: Get token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v2
Expand All @@ -26,6 +25,26 @@ jobs:
with:
token: ${{ steps.get_workflow_token.outputs.token }}
reaction-token: ${{ steps.get_workflow_token.outputs.token }}
commands: update
commands: test
permission: write
issue-type: pull-request

slashCommandDispatchUpdate:
if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
runs-on: ubuntu-latest
steps:
- name: Get token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action@v2
with:
application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}

- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v3
with:
token: ${{ steps.get_workflow_token.outputs.token }}
reaction-token: ${{ steps.get_workflow_token.outputs.token }}
commands: update
permission: write
issue-type: pull-request
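Review bot: both jobs are gated by `permission: write` and `issue-type: pull-request`, which is the right trust boundary given that the dispatched `test-command` workflow assumes AWS roles; keep that in mind before loosening it. The `slashCommandDispatchUpdate` job is a copy of `slashCommandDispatchTest` differing only in the `/update` string and `commands: update`; the `contains(github.event.comment.body, ...)` prefilters are cheap, but the two "Get token" and "Slash Command Dispatch" steps could be collapsed into a single job with a matrix over `[test, update]` so future permission changes are made in one place.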
38 changes: 38 additions & 0 deletions .github/workflows/test-command.yml
@@ -0,0 +1,38 @@
# usage:
# A user with write status to the repo can from a PR comment:

# run a single test
# /test make=<make-target> region=<region>

# run ping test
# /test ping

# run all tests in the makefile
# /test

name: test
on:
repository_dispatch:
types: [test-command]


permissions:
id-token: write
contents: read

defaults:
run:
# We need -e -o pipefail for consistency with GitHub Actions' default behavior
shell: bash -e -o pipefail {0}

jobs:
e2e-test:
uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/e2e-test.yml@main
secrets:
APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
with:
# check if the required slash command args are present, if so populate the json matrix, else pass in null and relevant e2e tests that would require a make target and region will be skipped
e2e-test-matrix: ${{ (contains(github.event.client_payload.slash_command_args.named, 'make') && contains(github.event.client_payload.slash_command_args.named, 'region')) && format('[{{"make-target":"{0}", "region":"{1}"}}]', github.event.client_payload.slash_command_args.named.make, github.event.client_payload.slash_command_args.named.region) || null }}
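Review bot: the `e2e-test-matrix` expression interpolates the comment-supplied `make` and `region` arguments straight into a JSON string with `format()`, with no validation; a value containing a double quote or a brace produces malformed JSON and a confusing matrix failure. The callers are limited to collaborators with write access (per `slash-command-dispatch.yml`), so this is a robustness issue more than a trust one, but it would be cleaner to have the reusable workflow check that `make-target` matches one of the `test-ci-*` targets documented in CONTRIBUTING.md and that `region` is a known AWS region before anything runs. Minor: the usage header lists `/test ping`, but nothing in this file distinguishes it from a bare `/test`; if the reusable workflow handles it, say so in the comment.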
7 changes: 6 additions & 1 deletion .gitignore
@@ -1,11 +1,12 @@
.cache/
.idea/
.DS_Store
.vscode


# Local .terraform directories
.terraform/
*.terraform.*

# .tfstate files
*.tfstate
*.tfstate.*
Expand Down Expand Up @@ -56,3 +57,7 @@ backend.tf
.external_modules

examples/zarf-complete-example/build

#ignore lamba builds json file created from deploying lambda resource

**/ignore
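Review bot: the comment says this ignores a "lamba builds json file" (typo for "lambda"), but the pattern `**/ignore` ignores any file or directory named `ignore` anywhere in the tree, which is much broader than a single JSON build artifact and could silently hide real files. If the Lambda build writes to a directory, name the actual path (for example a specific `ignore/` directory under the module that produces it) and fix the comment to match.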
12 changes: 9 additions & 3 deletions .pre-commit-config.yaml
Expand Up @@ -20,18 +20,24 @@ repos:
rev: 0.2.0
hooks:
- id: fix-smartquotes
- repo: https://github.com/dnephin/pre-commit-golang
rev: v0.5.1
- repo: https://github.com/tekwizely/pre-commit-golang
rev: v1.0.0-rc.1
hooks:
- id: go-fmt
- id: golangci-lint
args:
- "--timeout=10m"
- "--verbose"
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.83.4
rev: v1.83.5
hooks:
- id: terraform_fmt
- id: terraform_docs
args:
- --args=--lockfile=false
- --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
- --hook-config=--add-to-existing-file=true # Boolean. true or false
- --hook-config=--create-file-if-not-exist=true # Boolean. true or false
- id: terraform_checkov
verbose: true
args:
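Review bot: the Go hooks move from `dnephin/pre-commit-golang` to `tekwizely/pre-commit-golang` pinned at a release candidate, `v1.0.0-rc.1`; pre-commit resolves `rev` at install time, and a tag can be moved, so for a hook that runs on every contributor's machine consider pinning to the full commit SHA of that tag (pre-commit accepts a SHA in `rev`) and note the rc status so the pin is revisited at the final release. The `terraform_docs` hook gains `--add-to-existing-file=true` and `--create-file-if-not-exist=true`, so it will now write README.md files into any module directory that lacks one; confirm that is intended for the example directories as well.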
4 changes: 4 additions & 0 deletions CODEOWNERS
@@ -1 +1,5 @@
* @defenseunicorns/delivery-aws-iac

# Privileged Files
/CODEOWNERS @defenseunicorns/delivery-aws-iac-admin
/LICENSE @defenseunicorns/delivery-aws-iac-admin
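Review bot: the new "Privileged Files" section routes `CODEOWNERS` and `LICENSE` to the admin team, but the workflow files added in this same commit under `.github/workflows/` grant `id-token: write`, `contents: write` and pass the App private key and AWS role ARNs to reusable workflows, which makes them at least as sensitive as `LICENSE`. Consider adding `/.github/workflows/ @defenseunicorns/delivery-aws-iac-admin` (and `renovate.json5`, which now enables automerge) so changes to what CI is allowed to do require the admin reviewers.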
62 changes: 62 additions & 0 deletions CONTRIBUTING.md
@@ -0,0 +1,62 @@
# Contributor Guide

Thanks so much for wanting to help out! :tada:

Most of what you'll see in this document is our attempt at documenting the lightweight development process that works for our team. We're always open to feedback and suggestions for improvement. The intention is not to force people to follow this process step by step, rather to document it as a norm and provide a baseline for discussion.

## Developer Experience

Continuous Delivery is core to our development philosophy. Check out [https://minimumcd.org](https://minimumcd.org/) for a good baseline agreement on what that means.

Specifically:

- We do trunk-based development (`main`) with short-lived feature branches that originate from the trunk, get merged to the trunk, and are deleted after the merge.
- We don't merge work into `main` that isn't releasable.
- We perform automated testing on all pushes to `main`. Fixing failing pipelines in `main` are prioritized over all other work.
- We create immutable release artifacts.

### Developer Workflow

:key: == Required by automation

1. Pick an issue to work on, assign it to yourself, and drop a comment in the issue to let everyone know you're working on it.
2. Create a Draft Pull Request targeting the `main` branch as soon as you are able to, even if it is just 5 minutes after you started working on it. We lean towards working in the open as much as we can. If you're not sure what to put in the PR description, just put a link to the issue you're working on. If you're not sure what to put in the PR title, just put "WIP" (Work In Progress) and we'll help you out with the rest.
3. :key: The automated tests have to pass for the PR to be able to be merged. To run the tests in the PR add a comment to the PR that says `/test`. **NOTE** tests still have to pass in the merge queue, **you do not need to have tests pass in the PR, status checks are automatically reported as success in the PR**. If you want to run a specific test manually in the PR, you can use `/test make=<make-target> region=<region>`. The available CI tests are found in the [Makefile](./Makefile) and start with the string "test-ci-"
4. If your PR is still set as a Draft transition it to "Ready for Review"
5. Get it reviewed by a [CODEOWNER](./CODEOWNERS)
6. Add the PR to the merge queue
7. The merge queue will run different tests based on if it's a `release-please` pull request or just a regular pull request. If it's a `release-please` pull request, it will run all make targets starting with `test-ci-` and `test-release-` by default. If it's a regular pull request, it will run all make targets starting with `test-ci-` test by default. If the tests fail, the PR will be removed from the merge queue and the PR stays open. If the tests pass, the PR will be merged to `main` and the PR will be closed.
8. If the issue is fully resolved, close it. _Hint: You can add "Closes #XXX" to the PR description to automatically close the issue when the PR is merged._

### Pre-Commit Hooks

This project uses [pre-commit](https://pre-commit.com/) to run a set of checks on your code before you commit it. You have the option to either install pre-commit and all other needed tools locally or use our docker-based build harness. To use the build harness, run

```shell
make run-pre-commit-hooks
```
> NOTE: Sometimes file ownership of stuff in the `.cache` folder can get messed up. You can optionally add the `fix-cache-permissions` target to the above command to fix that. It is idempotent so it is safe to run it every time.
### Commit Messages

Because we use the [release-please](https://github.com/googleapis/release-please) bot, commit messages to main must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This is enforced by the [commitlint](https://commitlint.js.org/#/) tool. This requirement is only enforced on the `main` branch. Commit messages in PRs can be whatever you want them to be. "Squash" mode must be used when merging a PR, with a commit message that follows the Conventional Commits specification.

### Release Process

This repo uses the [release-please](https://github.com/googleapis/release-please) bot. Release-please will automatically open a PR to update the version of the repo when a commit is merged to `main` that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. The bot will automatically keep the PR up to date until a human merges it. When that happens the bot will automatically create a new release.

### Backlog Management

- We use [GitHub Issues](https://github.com/defenseunicorns/delivery-aws-iac/issues) to manage our backlog.
- Issues need to meet our Definition of Ready (see below). If it does not meet the Definition of Ready, we may close it and ask the requester to re-open it once it does.

#### Definition of Ready for a Backlog Item

To meet the Definition of Ready the issue needs to answer the following questions:
- Who is requesting it?
- What is being requested?
- Why is it needed?
- What is the impact? What will happen if the request is not fulfilled?
- How do we know that we are done?

This can take various forms, and we don't care which form the issue takes as long as it answers the questions above.
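Review bot: two Markdown rendering issues in the new guide: the `> NOTE:` blockquote follows the closing fence of the `make run-pre-commit-hooks` block with no blank line, and `### Commit Messages` follows the blockquote with no blank line, so some renderers fold the heading into the quote; add a blank line before and after the NOTE. Grammar nit in the Developer Experience list: "Fixing failing pipelines in `main` are prioritized" should read "is prioritized". The statement in step 3 that status checks are reported as success in the PR while only the merge queue enforces tests is worth cross-referencing from `repo-config.yml`, since that is where the required contexts are defined.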
16 changes: 15 additions & 1 deletion renovate.json5
Expand Up @@ -70,5 +70,19 @@
matchDatasources: ["github-tags", "git-tags"],
versioning: "loose"
}
]
],
"vulnerabilityAlerts": {
"enabled": true,
"groupName": null,
"schedule": [],
"dependencyDashboardApproval": false,
"minimumReleaseAge": null,
"rangeStrategy": "update-lockfile",
"commitMessageSuffix": "[SECURITY]",
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"prCreation": "immediate",
"labels": ["security"],
"automerge": true,
"assignees": ["@defenseunicorns/delivery-aws-iac"]
}
}
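Review bot: `vulnerabilityAlerts` sets `automerge: true` together with `prCreation: "immediate"`, `schedule: []` and `minimumReleaseAge: null`, so a security update PR is created the moment an alert fires and merges as soon as the merge-queue tests pass, with no human in the loop and no cool-down period for the new version. That is a reasonable trade for this class of update, but it should be a deliberate decision: note it in CONTRIBUTING.md next to the Renovate workflow, and make sure the `[SECURITY]` suffix still yields a Conventional Commits subject that commitlint on `main` accepts, since a rejected commit would stall exactly these PRs.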

0 comments on commit f935d9f