ci: synced file(s) with honestbank/.github

honestbank · Jun 12, 2024 · 136f95d · 136f95d
1 parent d569afc
commit 136f95d
Show file tree

Hide file tree

Showing 9 changed files with 177 additions and 21 deletions.
diff --git a/.checkov.yaml b/.checkov.yaml
@@ -1,11 +1,14 @@
 compact: true
-directory: .
+directory:
+  - .
 download-external-modules: true
 evaluate-variables: true
 external-modules-download-path: .external_modules
 framework:
-- all
+  - all
 quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml
+baseline: .checkov.baseline
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -8,4 +8,4 @@
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-*       @honestbank/devops-engineers @honestbank/backend-engineers
+*       @honestbank/devops-engineers
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -6,13 +6,14 @@
 
 -->
 
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 
 Please confirm that you have done the following before requesting reviews:
 
 - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
 - [ ] I have typed an adequate description that explains **why** I am making this change.
 - [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
+- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)
 
 ### Description
 

diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
@@ -1,4 +1,6 @@
 name: "Checkov GitHub Action"
+permissions: read-all
+
 on:
   pull_request:
     branches: [test, dev, qa, prod, main]
@@ -9,13 +11,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           submodules: "recursive"
-          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create empty baseline (if needed)
+        run: |
+          if [ -f .checkov.baseline ]; then
+            echo "⏩⏩⏩ Baseline file exists - do nothing."
+          else
+            echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
+            echo "{}" >> .checkov.baseline
+          fi
+      - name: Output baseline contents to console
+        run: |
+            echo "Checkov baseline file (.checkov.baseline) contents:"
+            cat .checkov.baseline
       - name: Run Checkov
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
-          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
-          quiet: true # optional: display only failed checks
+          config_file: ".checkov.yaml"
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -1,15 +1,25 @@
-name: "Semantic Pull Request"
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+
+# Use this workflow for public repos, since public repos cannot access our internal
+# workflows repo.
+---
+name: public-semantic-pr
+permissions:
+  contents: write
+  pull-requests: write
 
 on:
   pull_request:
     types:
       - opened
       - edited
+      - reopened
       - synchronize
 
 jobs:
-  main:
-    name: Semantic Pull Request
+  public-semantic-pr:
+    name: public-semantic-pr
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v4

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -0,0 +1,33 @@
+name: "Terraform GitHub Action"
+on:
+  pull_request:
+    # This workflow is meant for public Terraform module repositories
+    # which are generally component modules that follow trunk-based development.
+    branches: [main]
+jobs:
+  terraform:
+    name: "terraform"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt
+        continue-on-error: true
+      - name: Terraform Init
+        id: init
+        run: terraform init
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        continue-on-error: true
diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml
@@ -0,0 +1,30 @@
+name: "Terratest GitHub Action"
+on:
+  pull_request:
+    branches: [test, dev, qa, prod, main]
+  push:
+    branches: [test, dev, qa, prod, main]
+env:
+  AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
+  AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+  AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
+jobs:
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.20
+        id: go
+      - name: Run 'go test -v -timeout 60m'
+        run: |
+          cd test
+          go mod download
+          go test -v -timeout 30m
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,23 +1,70 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0 # Get the latest version from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
       - id: check-yaml
+        args: ["--allow-multiple-documents"]
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
+  - repo: local
+    hooks:
+      - id: create-checkov-baseline
+        name: Create Checkov Baseline
+        entry: bash -c 'if [ ! -f .checkov.baseline ]; then echo "{}" > .checkov.baseline && touch baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.74.1 # Get the latest version from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.88.4 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
-      - id: terraform_docs
-        args:
-          - --args=--config=.terraform-docs.yml
       - id: terraform_validate
-        exclude: test/
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
       - id: terraform_tfsec
-        exclude: test/
+        exclude: "test/"
+        args:
+          - --args=--exclude-downloaded-modules
       - id: terraform_checkov
-        exclude: test/
+        exclude: "test/"
+        args:
+          - --args=--config-file __GIT_WORKING_DIR__/.checkov.yaml --baseline __GIT_WORKING_DIR__/.checkov.baseline
+  - repo: local
+    hooks:
+      - id: delete-checkov-baseline
+        name: Delete Checkov Baseline
+        entry: bash -c 'if [ -f baseline-created ]; then rm .checkov.baseline && rm baseline-created; fi'
+        language: system
+        stages: [commit]
+        pass_filenames: false
+  - repo: https://github.com/gitguardian/ggshield
+    rev: v1.26.0
+    hooks:
+      - id: ggshield
+        language: python
+        stages: [commit]
+        args: ["secret", "scan", "pre-commit"]
+  - repo: local
+    hooks:
+      - id: docs
+        name: docs
+        entry: make
+        args: ["docs"]
+        language: system
+        pass_filenames: false
+  # Run this at the end so that we don't end up in infinite loop
+  # where the end of line fixer runs first and then the docs and fmt
+  # and other hooks that modify files will break it again.
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
diff --git a/Makefile b/Makefile
@@ -0,0 +1,19 @@
+commit: docs validate
+
+docs:
+	terraform-docs --lockfile=false -c .terraform-docs.yml .
+
+init:
+	git submodule update --init --recursive
+	terraform init -upgrade
+
+lint:
+	terraform fmt --recursive
+
+tests:
+# Super long timeout since this Makefile will be used in various repositories
+	cd test; go clean -testcache; go test -v -timeout 60m
+
+validate: lint
+	terraform init --upgrade
+	terraform validate