From f935d9f419661e4dc06172af7efd81b0f9c9b938 Mon Sep 17 00:00:00 2001
From: Zack Annexstein
Date: Fri, 27 Oct 2023 11:38:34 -0700
Subject: [PATCH] Update chore/update-configs branch from delivery-github-repo-management
---
 .checkov.yml | 3 +
 .env | 2 +-
 .github/ISSUE_TEMPLATE/general_issue.md | 2 +-
 .github/workflows/pr-merge-group.yml | 25 ++++++++
 .github/workflows/pre-commit.yml | 20 ++++++
 .../pull-request-opened-by-renovate.yml | 32 ++++++++++
 .github/workflows/release-please.yml | 10 ++-
 .github/workflows/repo-config.yml | 19 ++++++
 .github/workflows/slash-command-dispatch.yml | 27 ++++++--
 .github/workflows/test-command.yml | 38 ++++++++++++
 .gitignore | 7 ++-
 .pre-commit-config.yaml | 12 +++-
 CODEOWNERS | 4 ++
 CONTRIBUTING.md | 62 +++++++++++++++++++
 renovate.json5 | 16 ++++-
 15 files changed, 262 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/pr-merge-group.yml
 create mode 100644 .github/workflows/pre-commit.yml
 create mode 100644 .github/workflows/pull-request-opened-by-renovate.yml
 create mode 100644 .github/workflows/repo-config.yml
 create mode 100644 .github/workflows/test-command.yml
 create mode 100644 CONTRIBUTING.md
diff --git a/.checkov.yml b/.checkov.yml
index fcd0706..2c67e16 100644
--- a/.checkov.yml
+++ b/.checkov.yml
@@ -6,3 +6,6 @@ framework: terraform
 compact: true
 quiet: false
 summary-position: bottom
+
+skip-check:
+ - CKV_TF_1 # Ensure Terraform module sources use a commit hash // pending https://github.com/hashicorp/terraform/issues/29867
diff --git a/.env b/.env
index efcada6..3ef6c32 100644
--- a/.env
+++ b/.env
@@ -1,3 +1,3 @@
 BUILD_HARNESS_REPO=ghcr.io/defenseunicorns/build-harness/build-harness
 # renovate: datasource=github-tags depName=defenseunicorns/build-harness
-BUILD_HARNESS_VERSION=1.11.2
+BUILD_HARNESS_VERSION=1.14.0
diff --git a/.github/ISSUE_TEMPLATE/general_issue.md b/.github/ISSUE_TEMPLATE/general_issue.md
index ee92316..d089988 100644
--- a/.github/ISSUE_TEMPLATE/general_issue.md
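Review bot: The new `skip-check` entry turns CKV_TF_1 off for every Terraform module source in the repository, so modules referenced by a mutable tag or branch pass Checkov silently for as long as the linked upstream issue stays open. Checkov also accepts inline suppressions (`#checkov:skip=CKV_TF_1:<reason>` on the module block), which would keep the global policy intact and document each accepted case where it lives. If the global skip is kept, I'd extend the comment with the condition for removing it, e.g. `# remove this skip once module sources can be pinned to a commit hash (see linked issue)`.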
+++ b/.github/ISSUE_TEMPLATE/general_issue.md
@@ -7,7 +7,7 @@ assignees: ''
 ---
-
+
 ### Persona
diff --git a/.github/workflows/pr-merge-group.yml b/.github/workflows/pr-merge-group.yml
new file mode 100644
index 0000000..e6d8b0e
--- /dev/null
+++ b/.github/workflows/pr-merge-group.yml
@@ -0,0 +1,25 @@
+# triggers on merge_group and pull_request events
+# only use this if merge queue is enabled, otherwise stick to test-command for e2e testing
+
+name: pr-merge-group
+on:
+ merge_group:
+ types: [checks_requested]
+ pull_request:
+
+defaults:
+ run:
+ shell: bash -eo pipefail {0}
+
+permissions:
+ id-token: write # needed for oidc auth for AWS creds
+ contents: read
+
+jobs:
+ pr-merge-group-test:
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+ AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+ AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000..419689a
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,20 @@
+# If the workflow trigger is "pull_request", run pre-commit checks.
+name: pre-commit
+
+on:
+ pull_request:
+ merge_group:
+ workflow_dispatch:
+
+
+permissions:
+ pull-requests: write
+ id-token: write
+ contents: read
+
+jobs:
+ pre-commit:
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pre-commit.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
diff --git a/.github/workflows/pull-request-opened-by-renovate.yml b/.github/workflows/pull-request-opened-by-renovate.yml
new file mode 100644
index 0000000..55f5a7a
--- /dev/null
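Review bot: Every reusable workflow in this commit is referenced by the mutable ref `@main` (here `pr-merge-group-test.yml@main`, and likewise in pre-commit.yml, pull-request-opened-by-renovate.yml, release-please.yml, repo-config.yml and test-command.yml) while the caller hands it the app private key, the AWS role ARNs and `id-token: write`; any change pushed to that branch in the other repository runs here with those credentials on the next event. Pinning to a release tag or commit SHA, e.g. `uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/pr-merge-group-test.yml@<tag-or-sha>`, and letting Renovate raise the bumps keeps each update reviewable. Separately, the `defaults.run.shell` block has no step of its own to apply to — as far as I recall a caller's `defaults` are not inherited by a `uses:` job — so it looks like dead config here and in pull-request-opened-by-renovate.yml and test-command.yml, which carry the same block.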
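Review bot: pre-commit.yml grants `pull-requests: write` and `id-token: write` to a job that only calls the shared pre-commit workflow, and nothing in this file shows why a formatting check needs either; if the callee comments on or pushes to the PR it will need them, otherwise `contents: read` alone is the narrower grant and is worth confirming against the callee. A nit on the same file: there are two blank lines between `workflow_dispatch:` and `permissions:`.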
+++ b/.github/workflows/pull-request-opened-by-renovate.yml
@@ -0,0 +1,32 @@
+# If Renovate is not the author of the PR that triggers this workflow, it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, but the workflow event is anything but "opened", it will do nothing.
+# If Renovate is the author of the PR that triggers this workflow, and the workflow event is "opened", it will:
+# 1. Autoformat using pre-commit and, if necessary, push an additional commit to the PR with the autoformat fixes.
+# 2. Add the "/test all" comment to the PR, so that the Slash Command Dispatch workflow is triggered automatically.
+#
+# See ADR #0008.
+name: auto-test
+on:
+ pull_request:
+ # WARNING: DO NOT ADD MORE EVENT TYPES HERE! Because this workflow will push a new commit to the PR in the Autoformat step, adding more event types may cause an infinite loop.
+ types:
+ - opened
+
+permissions:
+ id-token: write
+ contents: write
+
+defaults:
+ run:
+ # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+ shell: bash -e -o pipefail {0}
+
+jobs:
+ renovate-test:
+ if: github.event.client_payload.github.actor == 'renovate[bot]' || github.actor == 'renovate[bot]'
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/renovate-test.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+ AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+ AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 2455139..ec4959d 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
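Review bot: The first clause of the job's `if:`, `github.event.client_payload.github.actor == 'renovate[bot]'`, can never be true under the `pull_request` trigger — `client_payload` only exists on `repository_dispatch` events — so it resolves to an empty value and only `github.actor == 'renovate[bot]'` does any work. Dropping the dead clause, `if: github.actor == 'renovate[bot]'`, makes the gate easier to audit, which matters because this job carries `contents: write` and the AWS role secrets. The inline WARNING about not adding event types is good; I'd also say in the header comment that the single `opened` type is the loop guard, so that the constraint survives a refactor.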
@@ -13,9 +13,7 @@ permissions:
 jobs:
 release-please:
- runs-on: ubuntu-latest
- steps:
- - uses: google-github-actions/release-please-action@v3
- with:
- token: ${{ secrets.PAT }}
- command: manifest
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/release-please.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
diff --git a/.github/workflows/repo-config.yml b/.github/workflows/repo-config.yml
new file mode 100644
index 0000000..5f5712d
--- /dev/null
+++ b/.github/workflows/repo-config.yml
@@ -0,0 +1,19 @@
+name: repo-config
+
+on:
+ schedule:
+ # daily at 11:00 UTC
+ - cron: '0 11 * * *'
+
+jobs:
+ repo-config:
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/repo-config.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+ with:
+ branch: main
+ checks: |-
+ checks:
+ - context: 'e2e-tests'
+ - context: 'pre-commit-checks'
diff --git a/.github/workflows/slash-command-dispatch.yml b/.github/workflows/slash-command-dispatch.yml
index bf5d63c..b6eecf8 100644
--- a/.github/workflows/slash-command-dispatch.yml
+++ b/.github/workflows/slash-command-dispatch.yml
@@ -9,11 +9,10 @@ on:
 jobs:
- slashCommandDispatchUpdate:
- if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
+ slashCommandDispatchTest:
+ if: github.event.issue.pull_request && contains(github.event.comment.body, '/test')
 runs-on: ubuntu-latest
 steps:
-
 - name: Get token
 id: get_workflow_token
 uses: peter-murray/workflow-application-token-action@v2
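Review bot: repo-config.yml sets no `permissions:` block, so the job's GITHUB_TOKEN gets whatever the repository default is, while every other caller added in this commit states its grant explicitly; since the callee authenticates with the app secrets, a top-level `permissions: contents: read` (or `permissions: {}`) would make the token scope explicit and consistent. The schedule is the only trigger, so a failed run cannot be re-driven by hand without editing the file; adding `workflow_dispatch:` under `on:` is cheap. The `with.checks` value is YAML embedded in a block scalar that the callee presumably parses itself, so the `|-` header (no trailing newline) is worth keeping as is.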
@@ -26,6 +25,26 @@ jobs:
 with:
 token: ${{ steps.get_workflow_token.outputs.token }}
 reaction-token: ${{ steps.get_workflow_token.outputs.token }}
- commands: update
+ commands: test
 permission: write
 issue-type: pull-request
+
+ slashCommandDispatchUpdate:
+ if: github.event.issue.pull_request && contains(github.event.comment.body, '/update')
+ runs-on: ubuntu-latest
+ steps:
+ - name: Get token
+ id: get_workflow_token
+ uses: peter-murray/workflow-application-token-action@v2
+ with:
+ application_id: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ application_private_key: ${{ secrets.NARWHAL_BOT_SECRET }}
+
+ - name: Slash Command Dispatch
+ uses: peter-evans/slash-command-dispatch@v3
+ with:
+ token: ${{ steps.get_workflow_token.outputs.token }}
+ reaction-token: ${{ steps.get_workflow_token.outputs.token }}
+ commands: update
+ permission: write
+ issue-type: pull-request
diff --git a/.github/workflows/test-command.yml b/.github/workflows/test-command.yml
new file mode 100644
index 0000000..5a84d8f
--- /dev/null
+++ b/.github/workflows/test-command.yml
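Review bot: The new `slashCommandDispatchUpdate` job is a line-for-line copy of `slashCommandDispatchTest` — same token mint with `peter-murray/workflow-application-token-action@v2`, same dispatch step, only the `if:` substring and `commands:` differ — so a comment matching both strings mints two installation tokens and runs two jobs. `peter-evans/slash-command-dispatch@v3` accepts a list in `commands:` (comma- or newline-separated, as far as I recall), so one job with `commands: test, update` and an `if:` that checks for either string would keep the behaviour with a single token. Both actions are pinned to a major tag rather than a commit SHA; with Renovate already managing this repo, SHA pins with a version comment are cheap to maintain. This hunk opens inside the Test job's dispatch step, whose beginning is in the previous hunk.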
@@ -0,0 +1,38 @@
+# usage:
+ # A user with write status to the repo can from a PR comment:
+
+ # run a single test
+ # /test make= region=
+
+ # run ping test
+ # /test ping
+
+ # run all tests in the makefile
+ # /test
+
+name: test
+on:
+ repository_dispatch:
+ types: [test-command]
+
+
+permissions:
+ id-token: write
+ contents: read
+
+defaults:
+ run:
+ # We need -e -o pipefail for consistency with GitHub Actions' default behavior
+ shell: bash -e -o pipefail {0}
+
+jobs:
+ e2e-test:
+ uses: defenseunicorns/delivery-github-actions-workflows/.github/workflows/e2e-test.yml@main
+ secrets:
+ APPLICATION_ID: ${{ secrets.NARWHAL_BOT_APP_ID }}
+ APPLICATION_PRIVATE_KEY: ${{ secrets.NARWHAL_BOT_SECRET }}
+ AWS_COMMERCIAL_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_COMMERCIAL_ROLE_TO_ASSUME }}
+ AWS_GOVCLOUD_ROLE_TO_ASSUME: ${{ secrets.NARWHAL_AWS_GOVCLOUD_ROLE_TO_ASSUME }}
+ with:
+ # check if the required slash command args are present, if so populate the json matrix, else pass in null and relevant e2e tests that would require a make target and region will be skipped
+ e2e-test-matrix: ${{ (contains(github.event.client_payload.slash_command_args.named, 'make') && contains(github.event.client_payload.slash_command_args.named, 'region')) && format('[{{"make-target":"{0}", "region":"{1}"}}]', github.event.client_payload.slash_command_args.named.make, github.event.client_payload.slash_command_args.named.region) || null }}
diff --git a/.gitignore b/.gitignore
index 3b4e349..296cf43 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,12 @@
 .cache/
 .idea/
 .DS_Store
+.vscode
+
 # Local .terraform directories
 .terraform/
 *.terraform.*
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -56,3 +57,7 @@ backend.tf
 .external_modules
 examples/zarf-complete-example/build
+
+#ignore lamba builds json file created from deploying lambda resource
+
+**/ignore
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 65b1594..f1165bd 100644
--- a/.pre-commit-config.yaml
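Review bot: `e2e-test-matrix` assembles a JSON document with `format()` by interpolating `slash_command_args.named.make` and `.region`, which come straight from the PR comment, without any escaping; a value containing a double quote or bracket produces malformed or restructured JSON for the callee's matrix, and the only gate is the dispatcher's `permission: write`. Rather than hand-building JSON in an expression, pass the two values as separate `with:` inputs (or wrap each in `toJSON()`) and let the reusable workflow construct the matrix from typed inputs. The `# /test make= region=` usage line in the header reads as if placeholders were lost; spelling the expected values out, e.g. `# /test make=<make-target> region=<aws-region>`, would help the next reader. A nit: the usage comment lines are indented one space under `# usage:`, unlike every other comment in the file.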
+++ b/.pre-commit-config.yaml
@@ -20,18 +20,24 @@ repos:
 rev: 0.2.0
 hooks:
 - id: fix-smartquotes
- - repo: https://github.com/dnephin/pre-commit-golang
- rev: v0.5.1
+ - repo: https://github.com/tekwizely/pre-commit-golang
+ rev: v1.0.0-rc.1
 hooks:
 - id: go-fmt
 - id: golangci-lint
+ args:
+ - "--timeout=10m"
+ - "--verbose"
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.83.4
+ rev: v1.83.5
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
 args:
 - --args=--lockfile=false
+ - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
 - id: terraform_checkov
 verbose: true
 args:
diff --git a/CODEOWNERS b/CODEOWNERS
index d7bed48..23c476f 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1,5 @@
 * @defenseunicorns/delivery-aws-iac
+
+# Privileged Files
+/CODEOWNERS @defenseunicorns/delivery-aws-iac-admin
+/LICENSE @defenseunicorns/delivery-aws-iac-admin
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..d4ba739
--- /dev/null
+++ b/CONTRIBUTING.md
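Review bot: The new "Privileged Files" section protects CODEOWNERS and LICENSE but not the files that actually wire credentials: `.github/workflows/` (every workflow in this commit passes `NARWHAL_BOT_SECRET` and the AWS role ARNs to an external workflow) and `renovate.json5` (which now enables automerge). Adding `/.github/workflows/ @defenseunicorns/delivery-aws-iac-admin` and `/renovate.json5 @defenseunicorns/delivery-aws-iac-admin` would put changes to the automation trust boundary under the same admin review as CODEOWNERS itself. This only has teeth if branch protection requires code-owner review, which the diff does not show.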
@@ -0,0 +1,62 @@
+# Contributor Guide
+
+Thanks so much for wanting to help out! :tada:
+
+Most of what you'll see in this document is our attempt at documenting the lightweight development process that works for our team. We're always open to feedback and suggestions for improvement. The intention is not to force people to follow this process step by step, rather to document it as a norm and provide a baseline for discussion.
+
+## Developer Experience
+
+Continuous Delivery is core to our development philosophy. Check out [https://minimumcd.org](https://minimumcd.org/) for a good baseline agreement on what that means.
+
+Specifically:
+
+- We do trunk-based development (`main`) with short-lived feature branches that originate from the trunk, get merged to the trunk, and are deleted after the merge.
+- We don't merge work into `main` that isn't releasable.
+- We perform automated testing on all pushes to `main`. Fixing failing pipelines in `main` are prioritized over all other work.
+- We create immutable release artifacts.
+
+### Developer Workflow
+
+:key: == Required by automation
+
+1. Pick an issue to work on, assign it to yourself, and drop a comment in the issue to let everyone know you're working on it.
+2. Create a Draft Pull Request targeting the `main` branch as soon as you are able to, even if it is just 5 minutes after you started working on it. We lean towards working in the open as much as we can. If you're not sure what to put in the PR description, just put a link to the issue you're working on. If you're not sure what to put in the PR title, just put "WIP" (Work In Progress) and we'll help you out with the rest.
+3. :key: The automated tests have to pass for the PR to be able to be merged. To run the tests in the PR add a comment to the PR that says `/test`. **NOTE** tests still have to pass in the merge queue, **you do not need to have tests pass in the PR, status checks are automatically reported as success in the PR**.
If you want to run a specific test manually in the PR, you can use `/test make= region=`. The available CI tests are found in the [Makefile](./Makefile) and start with the string "test-ci-"
+4. If your PR is still set as a Draft transition it to "Ready for Review"
+5. Get it reviewed by a [CODEOWNER](./CODEOWNERS)
+6. Add the PR to the merge queue
+7. The merge queue will run different tests based on if it's a `release-please` pull request or just a regular pull request. If it's a `release-please` pull request, it will run all make targets starting with `test-ci-` and `test-release-` by default. If it's a regular pull request, it will run all make targets starting with `test-ci-` test by default. If the tests fail, the PR will be removed from the merge queue and the PR stays open. If the tests pass, the PR will be merged to `main` and the PR will be closed.
+8. If the issue is fully resolved, close it. _Hint: You can add "Closes #XXX" to the PR description to automatically close the issue when the PR is merged._
+
+### Pre-Commit Hooks
+
+This project uses [pre-commit](https://pre-commit.com/) to run a set of checks on your code before you commit it. You have the option to either install pre-commit and all other needed tools locally or use our docker-based build harness. To use the build harness, run
+
+```shell
+make run-pre-commit-hooks
+```
+> NOTE: Sometimes file ownership of stuff in the `.cache` folder can get messed up. You can optionally add the `fix-cache-permissions` target to the above command to fix that. It is idempotent so it is safe to run it every time.
+
+### Commit Messages
+
+Because we use the [release-please](https://github.com/googleapis/release-please) bot, commit messages to main must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This is enforced by the [commitlint](https://commitlint.js.org/#/) tool. This requirement is only enforced on the `main` branch.
Commit messages in PRs can be whatever you want them to be. "Squash" mode must be used when merging a PR, with a commit message that follows the Conventional Commits specification.
+
+### Release Process
+
+This repo uses the [release-please](https://github.com/googleapis/release-please) bot. Release-please will automatically open a PR to update the version of the repo when a commit is merged to `main` that follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. The bot will automatically keep the PR up to date until a human merges it. When that happens the bot will automatically create a new release.
+
+### Backlog Management
+
+- We use [GitHub Issues](https://github.com/defenseunicorns/delivery-aws-iac/issues) to manage our backlog.
+- Issues need to meet our Definition of Ready (see below). If it does not meet the Definition of Ready, we may close it and ask the requester to re-open it once it does.
+
+#### Definition of Ready for a Backlog Item
+
+To meet the Definition of Ready the issue needs to answer the following questions:
+- Who is requesting it?
+- What is being requested?
+- Why is it needed?
+- What is the impact? What will happen if the request is not fulfilled?
+- How do we know that we are done?
+
+This can take various forms, and we don't care which form the issue takes as long as it answers the questions above.
diff --git a/renovate.json5 b/renovate.json5
index 319c102..6b526c4 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -70,5 +70,19 @@
 matchDatasources: ["github-tags", "git-tags"],
 versioning: "loose"
 }
- ]
+ ],
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "groupName": null,
+ "schedule": [],
+ "dependencyDashboardApproval": false,
+ "minimumReleaseAge": null,
+ "rangeStrategy": "update-lockfile",
+ "commitMessageSuffix": "[SECURITY]",
+ "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
+ "prCreation": "immediate",
+ "labels": ["security"],
+ "automerge": true,
+ "assignees": ["@defenseunicorns/delivery-aws-iac"]
+ }
 }
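Review bot: `vulnerabilityAlerts` combines `automerge: true` with `minimumReleaseAge: null`, `schedule: []` and `prCreation: "immediate"`, so a fix version is merged to `main` as soon as it is published, with no cooling-off period — exactly the window in which a hijacked or yanked release does the most damage — and the merge is gated only by the PR's status checks (the `auto-test` workflow in this commit runs only on `opened` PRs). Keeping immediate PR creation but leaving the merge to a human, or at least setting a non-null `minimumReleaseAge` such as `"3 days"`, trades a little latency for a review step on the highest-risk update class. Separately, `assignees` is given a team slug with a leading `@`; Renovate's `assignees` takes usernames and I don't recall the `@team` form being accepted, so it is worth checking the first rendered PR.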