diff --git a/.checkov.yaml b/.checkov.yaml
new file mode 100644
index 0000000..63752a3
--- /dev/null
+++ b/.checkov.yaml
@@ -0,0 +1,13 @@
+compact: true
+directory:
+- .
+download-external-modules: true
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+- all
+quiet: true
+skip-path:
+  - .external_modules
+  - modules
+  - catalog-info.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 16c3064..533728b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,3 +1,6 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # This is a comment.
 # Each line is a file pattern followed by one or more owners.
 
@@ -5,4 +8,4 @@
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-* @honestbank/devops-engineers @honestbank/honestbank-engineers
+* @honestbank/devops-engineers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 3d3a091..039f966 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
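Review bot: The sequences in `.checkov.yaml` are indented inconsistently — the items under `directory:` and `framework:` sit flush (`- .`, `- all`) while those under `skip-path:` are indented — which yamllint's `indentation` rule flags and which makes the file harder to scan; pick one form, e.g. indent the `directory:` and `framework:` items to match `skip-path:`. Separately, `download-external-modules: true` makes every scan fetch module source from whatever registries or repositories the Terraform `source` addresses point at, writing it to `.external_modules`, so that directory should also be listed in `.gitignore` (not visible in this diff) and the modules' own version/ref pins are what keep the fetched code stable between runs. Listing `.external_modules` under `skip-path` presumably stops the fetched code being reported as separate findings while still letting it be used to evaluate module calls — worth confirming against the checkov documentation for the pinned version.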
@@ -3,8 +3,23 @@
 * All PRs should reference an issue in our issue tracker. If one doesn't exist, please create one!
 * PR titles should follow https://www.conventionalcommits.org.
+
 -->
+### Pull Request Submission Checklist
+
+Please confirm that you have done the following before requesting reviews:
+
+- [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
+- [ ] I have typed an adequate description that explains **why** I am making this change.
+- [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+
 ### Description
 *
+
+### Experiment Link
+
+
+GrowthBook Experiment Link: https://app.growthbook.io/features/
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 0000000..1cbe949
--- /dev/null
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,27 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/repository-checkov.yaml b/.github/workflows/repository-checkov.yaml
new file mode 100644
index 0000000..1cbe949
--- /dev/null
+++ b/.github/workflows/repository-checkov.yaml
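Review bot: `uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main` pins the reusable workflow to a mutable branch while `secrets: inherit` hands it every secret this repository holds, so a change landing on `main` of honestbank/workflows immediately changes what runs here with those secrets; the same pattern appears in repository-checkov.yaml, repository-semantic-pr.yaml, repository-shiftleft-terraform.yaml and shiftleft-terraform.yaml. Pin the call to a release tag or full commit SHA (`uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@<tag-or-sha>`) and, where the shared workflow documents which secrets it reads, pass only those through an explicit `secrets:` map instead of `inherit`. `permissions: read-all` could likewise be narrowed to the scopes the called workflow actually needs (for example `contents: read`) once those are confirmed from shared-checkov.yaml, since the caller's grant is the ceiling for the called jobs.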
@@ -0,0 +1,27 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/repository-semantic-pr.yaml b/.github/workflows/repository-semantic-pr.yaml
new file mode 100644
index 0000000..9807ae0
--- /dev/null
+++ b/.github/workflows/repository-semantic-pr.yaml
@@ -0,0 +1,19 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-semantic-pr"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+jobs:
+  repository-semantic-pr:
+    name: repository-semantic-pr
+    uses: honestbank/workflows/.github/workflows/shared-semantic-pr.yaml@main
+    secrets: inherit
diff --git a/.github/workflows/repository-shiftleft-terraform.yaml b/.github/workflows/repository-shiftleft-terraform.yaml
new file mode 100644
index 0000000..20fa16a
--- /dev/null
+++ b/.github/workflows/repository-shiftleft-terraform.yaml
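Review bot: repository-checkov.yaml is byte-identical to .github/workflows/checkov.yaml added in the same commit (both are blob 1cbe949), and repository-shiftleft-terraform.yaml likewise duplicates shiftleft-terraform.yaml (both blob 20fa16a), so every push and pull request to the listed branches will run the shared checkov and shiftleft workflows twice and report two status checks with the same `name:`. The header comment points at the `repository-workflows` examples, which suggests the `repository-`-prefixed files are the intended copies; drop checkov.yaml and shiftleft-terraform.yaml (or the reverse) so only one of each pair remains. If both names must coexist during a transition, at least give the jobs distinct `name:` values so the duplicate check runs can be told apart in branch protection.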
@@ -0,0 +1,33 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-shiftleft-terraform"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # schedule a job to run every day at 17:30 UTC
+    - cron: '30 17 * * *'
+
+jobs:
+  repository-shiftleft-terraform:
+    name: repository-shiftleft-terraform
+    uses: honestbank/workflows/.github/workflows/shared-terraform-shiftleft.yaml@main
+    with:
+      repo_name: ${{ github.event.repository.name }}
+    secrets: inherit
diff --git a/.github/workflows/shiftleft-terraform.yaml b/.github/workflows/shiftleft-terraform.yaml
new file mode 100644
index 0000000..20fa16a
--- /dev/null
+++ b/.github/workflows/shiftleft-terraform.yaml
@@ -0,0 +1,33 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-shiftleft-terraform"
+permissions: read-all
+
+on: # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # schedule a job to run every day at 17:30 UTC
+    - cron: '30 17 * * *'
+
+jobs:
+  repository-shiftleft-terraform:
+    name: repository-shiftleft-terraform
+    uses: honestbank/workflows/.github/workflows/shared-terraform-shiftleft.yaml@main
+    with:
+      repo_name: ${{ github.event.repository.name }}
+    secrets: inherit
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1121529..8dd2f1e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
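Review bot: `repo_name: ${{ github.event.repository.name }}` is also evaluated for the `schedule` trigger added in the same hunk, and a scheduled run has no webhook payload beyond the cron string, so `github.event.repository` is likely empty there and the nightly 17:30 UTC run would pass an empty `repo_name` into shared-terraform-shiftleft.yaml; the identical shiftleft-terraform.yaml has the same problem. `github.repository` is populated for every event type but holds `owner/name`, so either have the shared workflow accept that form or give the input a fallback, `repo_name: ${{ github.event.repository.name || github.repository }}`, and confirm the behaviour with one scheduled run, since what breaks depends on how the called workflow uses the value.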
@@ -1,18 +1,33 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.2.0
-    hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
-      - id: check-yaml
-      - id: check-added-large-files
-  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.48.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
-      - id: terraform_validate # Disabled due to flakiness
-# - id: terraform_tfsec # Temporarily disabled due to PSP warnings on GKE
-# - id: checkov # Disabled due to crashing
+      - id: terraform_validate
+      - id: terraform_tfsec
+        exclude: "test/"
+      - id: terraform_checkov
+        exclude: "test/"
+  - repo: https://github.com/gitguardian/ggshield
+    rev: v1.14.2
+    hooks:
+      - id: ggshield
+        language: python
+        stages: [commit]
+        args: [ 'secret', 'scan', 'pre-commit' ]
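Review bot: `exclude: "test/"` on the new `terraform_tfsec` and `terraform_checkov` hooks is a regular expression matched against the full path, so it also silences both scanners for any file whose path merely contains `test/` (for instance a module directory named `contest/` or a nested `.../test/` under `modules/`), which is wider than "the top-level test fixtures"; anchor it, `exclude: "^test/"`. `stages: [commit]` on the ggshield hook uses the legacy stage name — pre-commit 3.2 and later renamed it to `pre-commit` and warns on the old spelling — so `stages: [pre-commit]` is preferable if the team's pinned pre-commit version accepts it (confirm before changing, older versions reject the new name). The `rev:` values are tags rather than commit SHAs, which is the common pre-commit convention but means the hook code can move if a tag is re-pointed; acceptable here given the hooks come from well-known repositories, just noting it.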