From 8fd0c1ab696dafeeff9cf2ac704f44ca389ab20b Mon Sep 17 00:00:00 2001 From: Honest Bot <80818726+honestbank-bot@users.noreply.github.com> Date: Thu, 12 Sep 2024 10:09:27 +0700 Subject: [PATCH] ci: synced file(s) with honestbank/.github (#77) --- .github/CODEOWNERS | 3 ++ .github/pull_request_template.md | 3 +- .github/workflows/checkov.yaml | 14 +++++++- .github/workflows/semantic-pr.yaml | 19 ++++++++--- .github/workflows/terraform.yaml | 26 +++++---------- .github/workflows/terratest.yaml | 53 ++++++++---------------------- 6 files changed, 54 insertions(+), 64 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 4f482f3..533728b 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,3 +1,6 @@ +# DO NOT CHANGE. This file is being managed from a central repository +# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md + # This is a comment. # Each line is a file pattern followed by one or more owners. diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index a178f2c..7e799e2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -6,13 +6,14 @@ --> -## Pull Request Submission Checklist +### Pull Request Submission Checklist Please confirm that you have done the following before requesting reviews: - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c). - [ ] I have typed an adequate description that explains **why** I am making this change. - [ ] I have installed and run standard pre-commit hooks that lints and validates my code. +- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4) ### Description diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml index 7b14e67..ccec113 100644 --- a/.github/workflows/checkov.yaml +++ b/.github/workflows/checkov.yaml @@ -3,7 +3,7 @@ permissions: read-all on: pull_request: - branches: [main] + branches: [test, dev, qa, prod, main] jobs: checkov: @@ -15,6 +15,18 @@ jobs: with: submodules: "recursive" token: ${{ secrets.GITHUB_TOKEN }} + - name: Create empty baseline (if needed) + run: | + if [ -f .checkov.baseline ]; then + echo "⏩⏩⏩ Baseline file exists - do nothing." + else + echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file." + echo "{}" >> .checkov.baseline + fi + - name: Output baseline contents to console + run: | + echo "Checkov baseline file (.checkov.baseline) contents:" + cat .checkov.baseline - name: Run Checkov id: checkov uses: bridgecrewio/checkov-action@master diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 8d7887b..3627556 100644 --- a/.github/workflows/semantic-pr.yaml 
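Review bot: The new baseline step reads `.checkov.baseline` from the PR checkout, so on a `pull_request` run a contributor can silence findings simply by adding or extending that file in the same PR; the `cat` step makes the contents visible in the log, but the file should also be covered in CODEOWNERS so a baseline change always needs a second reviewer, and a comment above the step such as `# The baseline comes from the PR branch itself — treat edits to .checkov.baseline as suppressions to be reviewed` would make that intent explicit. In the creation branch `echo "{}" >> .checkov.baseline` appends where `>` is meant; it is harmless only because the `-f` test just established that the file does not exist, so `echo "{}" > .checkov.baseline` states the intent more clearly. Whether the Run Checkov step actually passes this file through its `baseline:` input is outside the hunk, and the step still references `bridgecrewio/checkov-action@master`, a moving ref that the change leaves as is.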
+++ b/.github/workflows/semantic-pr.yaml @@ -1,19 +1,28 @@ -name: "semantic-pull-request" -permissions: read-all +# yamllint disable rule:line-length +# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows + +# Use this workflow for public repos, since public repos cannot access our internal +# workflows repo. +--- +name: public-semantic-pr +permissions: + contents: write + pull-requests: write on: pull_request: types: - opened - edited + - reopened - synchronize jobs: - main: - name: semantic-pull-request + public-semantic-pr: + name: public-semantic-pr runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@v4 name: Semantic Pull Request env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml index 05dec78..cbdc29f 100644 --- a/.github/workflows/terraform.yaml +++ b/.github/workflows/terraform.yaml @@ -1,26 +1,18 @@ -name: "Terraform GitHub Actions" -permissions: read-all - +name: "Terraform GitHub Action" on: pull_request: - branches: - - main - push: - branches: - - main -env: - tf_version: "latest" - tf_working_dir: "." - TF_VAR_google_credentials: ${{ secrets.GOOGLE_CREDENTIALS }} + # This workflow is meant for public Terraform module repositories + # which are generally component modules that follow trunk-based development. + branches: [main] jobs: terraform: - name: "Terraform - Format, Init, Validate, Plan, Fail on Change" + name: "terraform" runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@master + uses: actions/checkout@v4 with: - submodules: true + submodules: "recursive" - name: Set up Terraform uses: hashicorp/setup-terraform@v3 with: 
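Review bot: The new `permissions:` block grants `contents: write`, which action-semantic-pull-request does not appear to need — it reads the PR title and, at most, comments on or labels the PR — so `pull-requests: write` alone (or `pull-requests: read` if the WIP/sticky-comment features are unused) keeps the least-privilege stance the old `read-all` had; drop the `contents: write` line. The action also moves back from `@v5` to `@v4`; if that is deliberate (e.g. to match the shared template), a one-line comment saying so would stop the next reader from re-upgrading it, and pinning to a full commit SHA rather than a moving major tag is worth considering for a job that runs on every PR. Because the trigger stays `pull_request` rather than `pull_request_target`, forked PRs still receive a read-only token regardless of this block, which is the right choice here.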
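Review bot: Deleting the `permissions: read-all` line leaves this workflow with no `permissions:` block at all, so the job token falls back to the repository default, which on older repositories is read/write for every scope; checkout, fmt, init and validate only need `permissions: contents: read`, and restoring that two-line block keeps the token minimal. Dropping the `push` trigger and the `TF_VAR_google_credentials` env is reasonable for a validate-only check, but if a plan step later in the file still expects provider credentials it will now fail — that part of the job, if it still exists, is not visible in this hunk. Moving `actions/checkout` from `@master` to `@v4` is a welcome fix in the same spirit.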
@@ -29,11 +21,9 @@ jobs: id: fmt run: terraform fmt continue-on-error: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Terraform Init id: init - run: terraform init -upgrade + run: terraform init - name: Terraform Validate id: validate run: terraform validate -no-color diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml index cd07ee3..05041b1 100644 --- a/.github/workflows/terratest.yaml +++ b/.github/workflows/terratest.yaml 
@@ -1,55 +1,30 @@ -name: terratest -permissions: - contents: write - pull-requests: write - +name: "Terratest GitHub Action" on: pull_request: - branches: - - main + branches: [test, dev, qa, prod, main] push: - branches: - - main + branches: [test, dev, qa, prod, main] env: - COMPUTE_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE }} - COMPUTE_GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT_COMPUTE }} - TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE }} - TF_VAR_shared_vpc_host_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_NETWORK }} + AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }} + AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }} + AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }} jobs: terratest: name: terratest runs-on: ubuntu-latest steps: - - name: Check out code into the Go module directory + - name: Checkout uses: actions/checkout@v4 with: submodules: true - - name: Set up Go (latest version greater than 1.19) + - name: Set up Go uses: actions/setup-go@v5 with: - go-version: '~>1.21' - - name: gcloud-auth - uses: google-github-actions/auth@v1 - with: - credentials_json: ${{ env.COMPUTE_GOOGLE_CREDENTIALS }} - - name: gcloud-setup - uses: google-github-actions/setup-gcloud@v1 - with: - version: "latest" # This is the default value, just being explicit - project_id: ${{ env.COMPUTE_GOOGLE_PROJECT }} - install_components: 'gke-gcloud-auth-plugin' - export_default_credentials: false - - name: Run terratest + go-version: 1.20 + id: go + - name: Run 'go test -v -timeout 60m' run: | cd test - go test -v -timeout 120m - - name: Release - if: github.event_name == 'push' - uses: cycjimmy/semantic-release-action@v4 - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - extra_plugins: | - @semantic-release/git@10.0.1 - @semantic-release/exec@6.0.3 - @semantic-release/changelog@6.0.1 + go mod download + go test -v 
-timeout 30m
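Review bot: `go-version: 1.20` is an unquoted YAML float, so it reaches setup-go as `1.2` and is treated as the Go 1.2.x line rather than 1.20 (the replaced value `'~>1.21'` was quoted for exactly this reason); write `go-version: "1.20"`. The `permissions:` block is deleted outright instead of narrowed, so the job token now falls back to the repository default, which can be read/write on every scope; with the semantic-release step gone, `contents: read` is all this job needs. The switch from a GCP service-account JSON to long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_KEY` repository secrets keeps static cloud credentials in the pipeline — assuming a role via OIDC with `aws-actions/configure-aws-credentials` (which needs `id-token: write`) removes them entirely and lets the `env:` block go, and if static keys must stay, prefer the canonical `AWS_SECRET_ACCESS_KEY`, since `AWS_SECRET_KEY` is only a legacy alias that the SDKs accept but the AWS CLI does not. Finally the step is titled `Run 'go test -v -timeout 60m'` but runs `go test -v -timeout 30m`; align the two.
```yaml
permissions:
  id-token: write   # mint the OIDC token for the AWS role assumption
  contents: read
# … unchanged: on:, jobs:/terratest:/runs-on:, checkout step …
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.20"   # quoted: bare 1.20 is the YAML float 1.2
        id: go
      - name: Configure AWS credentials (OIDC, no static keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/<terratest-role>
          aws-region: ${{ secrets.TERRATEST_AWS_REGION }}
      - name: Run 'go test -v -timeout 30m'
# … unchanged: run: | cd test; go mod download; go test -v -timeout 30m …
```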