diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 08ea211..533728b 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -8,4 +8,4 @@ # the repo. Unless a later match takes precedence, # @global-owner1 and @global-owner2 will be requested for # review when someone opens a pull request. -* @honestbank/devops-engineers @honestbank/backend-engineers +* @honestbank/devops-engineers diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index a178f2c..7e799e2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -6,13 +6,14 @@ --> -## Pull Request Submission Checklist +### Pull Request Submission Checklist Please confirm that you have done the following before requesting reviews: - [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c). - [ ] I have typed an adequate description that explains **why** I am making this change. - [ ] I have installed and run standard pre-commit hooks that lints and validates my code. +- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4) ### Description diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml index c0e4451..ccec113 100644 --- a/.github/workflows/checkov.yaml +++ b/.github/workflows/checkov.yaml @@ -1,4 +1,6 @@ name: "Checkov GitHub Action" +permissions: read-all + on: pull_request: branches: [test, dev, qa, prod, main] @@ -9,13 +11,24 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: submodules: "recursive" - token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} + - name: Create empty baseline (if needed) + run: | + if [ -f .checkov.baseline ]; then + echo "⏩⏩⏩ Baseline file exists - do nothing." + else + echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file." + echo "{}" >> .checkov.baseline + fi + - name: Output baseline contents to console + run: | + echo "Checkov baseline file (.checkov.baseline) contents:" + cat .checkov.baseline - name: Run Checkov id: checkov uses: bridgecrewio/checkov-action@master with: - download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry - quiet: true # optional: display only failed checks + config_file: ".checkov.yaml" diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 34da00e..3627556 100644 --- a/.github/workflows/semantic-pr.yaml +++ b/.github/workflows/semantic-pr.yaml @@ -1,15 +1,25 @@ -name: "Semantic Pull Request" +# yamllint disable rule:line-length +# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows + +# Use this workflow for public repos, since public repos cannot access our internal +# workflows repo. +--- +name: public-semantic-pr +permissions: + contents: write + pull-requests: write on: pull_request: types: - opened - edited + - reopened - synchronize jobs: - main: - name: Semantic Pull Request + public-semantic-pr: + name: public-semantic-pr runs-on: ubuntu-latest steps: - uses: amannn/action-semantic-pull-request@v4 diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml new file mode 100644 index 0000000..cbdc29f --- /dev/null +++ b/.github/workflows/terraform.yaml @@ -0,0 +1,33 @@ +name: "Terraform GitHub Action" +on: + pull_request: + # This workflow is meant for public Terraform module repositories + # which are generally component modules that follow trunk-based development. + branches: [main] +jobs: + terraform: + name: "terraform" + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: "recursive" + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + - name: Terraform Format + id: fmt + run: terraform fmt + continue-on-error: true + - name: Terraform Init + id: init + run: terraform init + - name: Terraform Validate + id: validate + run: terraform validate -no-color + - name: Terraform Plan + id: plan + run: terraform plan -no-color + continue-on-error: true diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml new file mode 100644 index 0000000..05041b1 --- /dev/null +++ b/.github/workflows/terratest.yaml @@ -0,0 +1,30 @@ +name: "Terratest GitHub Action" +on: + pull_request: + branches: [test, dev, qa, prod, main] + push: + branches: [test, dev, qa, prod, main] +env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }} + AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }} + AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }} +jobs: + terratest: + name: terratest + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: true + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: 1.20 + id: go + - name: Run 'go test -v -timeout 60m' + run: | + cd test + go mod download + go test -v -timeout 30m