From 9c70a0bd28047768363b702a997a61a583c4296b Mon Sep 17 00:00:00 2001 From: Shunsuke Suzuki Date: Sun, 26 Nov 2023 18:49:02 +0900 Subject: [PATCH 1/2] limit GitHub App's repositories and permissions --- .github/workflows/actionlint.yaml | 2 +- .github/workflows/apply.yaml | 130 ++++++++++++++-- .github/workflows/release-module.yaml | 4 +- .github/workflows/scaffold-module.yaml | 16 +- .github/workflows/scaffold-tfmigrate.yaml | 16 +- .../workflows/scaffold-working-directory.yaml | 15 +- .../schedule-create-drift-issues.yaml | 23 ++- .github/workflows/schedule-detect-drifts.yaml | 35 ++++- .github/workflows/test.yaml | 53 +++---- .github/workflows/wc-conftest-verify.yaml | 26 ++-- .github/workflows/wc-enable-auto-merge.yaml | 37 +++++ .github/workflows/wc-enable-automerge.yaml | 29 ---- .github/workflows/wc-hide-comment.yaml | 30 ++-- .github/workflows/wc-opa-fmt.yaml | 27 ++-- .github/workflows/wc-plan.yaml | 146 ++++++++++++++++++ .github/workflows/wc-setup.yaml | 61 ++++++++ .github/workflows/wc-test-module.yaml | 62 ++++++++ .github/workflows/wc-test.yaml | 144 +++-------------- .../workflows/wc-update-aqua-checksums.yaml | 3 - 19 files changed, 613 insertions(+), 246 deletions(-) create mode 100644 .github/workflows/wc-enable-auto-merge.yaml delete mode 100644 .github/workflows/wc-enable-automerge.yaml create mode 100644 .github/workflows/wc-plan.yaml create mode 100644 .github/workflows/wc-setup.yaml create mode 100644 .github/workflows/wc-test-module.yaml diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index 8049afec0..e9974fef6 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml @@ -4,7 +4,7 @@ on: pull_request: branches: [main] paths: - - .github/** + - .github/workflows/** - aqua/actionlint.yaml jobs: actionlint: diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml index 58743feeb..aadb80f41 100644 --- a/.github/workflows/apply.yaml +++ b/.github/workflows/apply.yaml 
@@ -4,17 +4,13 @@ on: push: branches: [dummy] # Disabled. CHANGEME Replace dummy with main env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TFACTION_IS_APPLY: 'true' -permissions: - actions: read - id-token: write - contents: read - issues: read # this is required to `gh pr list`'s `-l` option - pull-requests: write jobs: setup: runs-on: ubuntu-latest + permissions: + contents: read # For checkout a private repository + pull-requests: write # For ci-info and github-comment outputs: targets: ${{ steps.list-targets.outputs.targets }} steps: 
@@ -39,49 +35,153 @@ jobs: env: TFACTION_TARGET: ${{matrix.target.target}} TFACTION_JOB_TYPE: ${{matrix.target.job_type}} + permissions: + id-token: write # For OIDC + contents: read # To checkout a private repository steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Generate token - id: generate_token + + - name: Generate token for aqua-installer + id: aqua_installer_token uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} + # If you use private registries, contents:read is required + permissions: >- + {} + # If you use private registries, please add private repositories + repositories: >- + [] - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{ steps.aqua_installer_token.outputs.token }} - uses: suzuki-shunsuke/tfaction/export-secrets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: secrets: ${{ toJSON(secrets) }} + - name: Generate token to download private Terraform Modules + id: gh_setup_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + # If you use private registries, contents:read is required + permissions: >- + { + "contents:read" + } + # private repositories hosting private modules + repositories: >- + [] + # This is required to download private modules in `terraform init` - run: gh auth setup-git env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GITHUB_TOKEN: ${{ steps.gh_setup_token.outputs.token }} + + - name: Generate token to update drift issues + id: drift_issue_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + # issues:write - Create and update 
drift issues + permissions: >- + { + "issues": "write" + } + # GitHub Repository where Drift Detection issues are hosted + # https://suzuki-shunsuke.github.io/tfaction/docs/feature/drift-detection + repositories: >- + [ + "test-tfaction-drift-issues" + ] - run: tfaction get-or-create-drift-issue shell: bash env: - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GITHUB_TOKEN: ${{ steps.drift_issue_token.outputs.token }} + + - name: Generate token for setup + id: setup_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + # pull_requests:write - Post comments + # issues:write - Update drift issues + permissions: >- + { + "pull_requests": "write", + "issues": "write" + } + repositories: >- + [ + "${{github.event.repository.name}}", + "test-tfaction-drift-issues" + ] - uses: suzuki-shunsuke/tfaction/setup@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: - github_app_token: ${{ steps.generate_token.outputs.token }} + github_app_token: ${{ steps.setup_token.outputs.token }} ssh_key: ${{ secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY }} # This isn't needed if you don't use SSH key to checkout private Terraform Modules + - name: Generate token for apply + id: apply_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + # pull_requests:write - Post comments + # actions:read - Download plan files + # issues:write - Update drift issues + permissions: >- + { + "pull_requests": "write", + "actions": "read", + "issues": "write" + } + repositories: >- + [ + "${{github.event.repository.name}}", + "test-tfaction-drift-issues" + ] + - uses: suzuki-shunsuke/tfaction/apply@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: - github_app_token: ${{ steps.generate_token.outputs.token }} + github_app_token: ${{ 
steps.apply_token.outputs.token }} + + - name: Generate token for creating follow up pr + id: follow_up_pr_token + if: failure() + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + # contents:write - Push commits + # pull_requests:write - Create a pull request + permissions: >- + { + "contents": "write", + "pull_requests": "write" + } + repositories: >- + [ + "${{github.event.repository.name}}" + ] - uses: suzuki-shunsuke/tfaction/create-follow-up-pr@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 if: failure() with: - github_app_token: ${{ steps.generate_token.outputs.token }} + github_app_token: ${{steps.follow_up_pr_token.outputs.token}} - uses: suzuki-shunsuke/tfaction/update-drift-issue@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 if: always() with: status: ${{job.status}} - github_token: ${{steps.generate_token.outputs.token}} + github_token: ${{steps.drift_issue_token.outputs.token}} diff --git a/.github/workflows/release-module.yaml b/.github/workflows/release-module.yaml index 83dee0a71..0d11c5557 100644 --- a/.github/workflows/release-module.yaml +++ b/.github/workflows/release-module.yaml @@ -10,14 +10,14 @@ on: version: description: 'Module version' required: true -permissions: - contents: write env: TFACTION_TARGET: ${{github.event.inputs.module_path}} jobs: release-module: name: "release-module (${{github.event.inputs.module_path}})" runs-on: ubuntu-latest + permissions: + contents: write # To create a release steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 diff --git a/.github/workflows/scaffold-module.yaml b/.github/workflows/scaffold-module.yaml index c606b3474..9cfb1ab48 100644 --- a/.github/workflows/scaffold-module.yaml +++ b/.github/workflows/scaffold-module.yaml 
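Review bot: The `gh_setup_token` step's `permissions` value `{ "contents:read" }` is not a JSON object, and tibdex/github-app-token parses this input as JSON, so the step will fail (or, at best, request no permission at all) rather than grant what the comment above it describes; the intended shape is `{"contents": "read"}`. The same literal appears in the `gh_setup_token` step of the new wc-plan.yaml. Separately, the `aqua_installer_token` step passes `permissions: {}` and `repositories: []`; whether an empty object and empty array narrow the token to nothing or fall back to the installation's full grant depends on how the action forwards them to the API, so this is worth confirming in a run before treating it as the least-privilege baseline — if the token is only needed to lift the anonymous rate limit for public release downloads, `AQUA_GITHUB_TOKEN: ${{ github.token }}` (as scaffold-module.yaml does in this commit) avoids the question entirely. The apply job's step list begins in the previous hunk, and `drift_issue_token` is reused by the final `update-drift-issue` step after a possibly long apply; installation tokens expire after an hour, so a long apply could make that step fail even though its `if: always()` suggests it is meant to be reliable.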
@@ -7,17 +7,18 @@ on: module_path: description: 'module path' required: true -permissions: - contents: read - pull-requests: write jobs: scaffold: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{github.token}} - name: Generate token id: generate_token @@ -25,6 +26,15 @@ jobs: with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} + # pull_requests:write - Create pull requests + # contents:write - Push commits + permissions: >- + { + "pull_requests": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] - uses: suzuki-shunsuke/tfaction/scaffold-module@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: diff --git a/.github/workflows/scaffold-tfmigrate.yaml b/.github/workflows/scaffold-tfmigrate.yaml index 386b0244d..05c7341e7 100644 --- a/.github/workflows/scaffold-tfmigrate.yaml +++ b/.github/workflows/scaffold-tfmigrate.yaml @@ -15,12 +15,11 @@ on: required: false env: TFACTION_TARGET: ${{github.event.inputs.target}} -permissions: - contents: read - pull-requests: write jobs: scaffold: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -30,12 +29,21 @@ jobs: with: app_id: ${{secrets.APP_ID}} private_key: ${{secrets.APP_PRIVATE_KEY}} + # pull_requests:write - Create pull requests + # contents:write - Push commits + permissions: >- + { + "pull_requests": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 env: - GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + GITHUB_TOKEN: ${{github.token}} - uses: suzuki-shunsuke/tfaction/scaffold-tfmigrate@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: diff --git a/.github/workflows/scaffold-working-directory.yaml b/.github/workflows/scaffold-working-directory.yaml index 55ad75686..653bcca46 100644 --- a/.github/workflows/scaffold-working-directory.yaml +++ b/.github/workflows/scaffold-working-directory.yaml @@ -9,13 +9,11 @@ on: required: true env: TFACTION_WORKING_DIR: ${{github.event.inputs.working_dir}} -permissions: - id-token: write - contents: read - pull-requests: write jobs: scaffold: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 @@ -30,6 +28,15 @@ jobs: with: app_id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} + # pull_requests:write - Create pull requests + # contents:write - Push commits + permissions: >- + { + "pull_requests": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] - uses: suzuki-shunsuke/tfaction/create-scaffold-pr@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3 with: diff --git a/.github/workflows/schedule-create-drift-issues.yaml b/.github/workflows/schedule-create-drift-issues.yaml index 9dcd3d053..2a524d045 100644 --- a/.github/workflows/schedule-create-drift-issues.yaml +++ b/.github/workflows/schedule-create-drift-issues.yaml 
@@ -8,11 +8,32 @@ on: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.APP_ID}} + private_key: ${{secrets.APP_PRIVATE_KEY}} + # issues:write - Create issues + permissions: >- + { + "issues": "write" + } + # repository where Drift Detection issues are hosted + repositories: >- + ["test-tfaction-drift-issues"] + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + - run: tfaction create-drift-issues env: - GITHUB_TOKEN: ${{github.token}} + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/schedule-detect-drifts.yaml b/.github/workflows/schedule-detect-drifts.yaml index 34ad0c47e..4cf9bc9e2 100644 --- a/.github/workflows/schedule-detect-drifts.yaml +++ b/.github/workflows/schedule-detect-drifts.yaml 
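Review bot: The App token minted with `issues: write` on `test-tfaction-drift-issues` is also handed to aqua-installer as `AQUA_GITHUB_TOKEN`, which widens the set of processes holding a write-capable token without any gain: aqua only uses it to authenticate GitHub Releases downloads. The sibling schedule-detect-drifts.yaml hunk in this commit passes `AQUA_GITHUB_TOKEN: ${{github.token}}` for the same step, so the two scheduled workflows should agree; here that is `env:` / `AQUA_GITHUB_TOKEN: ${{github.token}}` on the aqua-installer step, leaving the App token for `tfaction create-drift-issues` only. If the installation token is also meant to cover private aqua registries, say so in a comment, since nothing in the step list shows that need.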
@@ -8,18 +8,41 @@ on: jobs: pick-out-drift-issues: runs-on: ubuntu-latest + permissions: + contents: read outputs: issues: ${{steps.pick-out-drift-issues.outputs.issues}} has_issues: ${{steps.pick-out-drift-issues.outputs.has_issues}} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{github.token}} + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.APP_ID}} + private_key: ${{secrets.APP_PRIVATE_KEY}} + # issues:read - List issues + permissions: >- + { + "issues": "read" + } + # repository where Drift Detection issues are hosted + repositories: >- + [ + "test-tfaction-drift-issues" + ] + - run: tfaction pick-out-drift-issues id: pick-out-drift-issues env: - GITHUB_TOKEN: ${{github.token}} + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} detect-drift: name: "detect-drift (${{matrix.issue.target}})" @@ -42,6 +65,16 @@ jobs: with: app_id: ${{secrets.APP_ID}} private_key: ${{secrets.APP_PRIVATE_KEY}} + # issues:write - Create and update issues + permissions: >- + { + "issues": "write" + } + # issues of Drift Detection + repositories: >- + [ + "test-tfaction-drift-issues" + ] - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 6a2cfb063..9507bc301 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -6,12 +6,13 @@ concurrency: group: ${{ github.workflow }}--${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: path-filter: # Get changed files to filter jobs outputs: merge_commit_sha: ${{steps.pr.outputs.merge_commit_sha}} - update-aqua-checksums: ${{steps.changes.outputs.update-aqua-checksums}} renovate-config-validator: ${{steps.changes.outputs.renovate-config-validator}} conftest-verify: ${{steps.changes.outputs.conftest-verify}} @@ -47,10 +48,10 @@ jobs: - .github/workflows/test.yaml - aqua/opa.yaml - enable-automerge: + enable-auto-merge: # This job is used for main branch's branch protection rule's status check. # If all dependent jobs succeed or are skipped this job succeeds. - uses: ./.github/workflows/wc-enable-automerge.yaml + uses: ./.github/workflows/wc-enable-auto-merge.yaml needs: - status-check permissions: {} @@ -65,22 +66,22 @@ jobs: status-check: runs-on: ubuntu-latest needs: - - test - conftest-verify - - opa-fmt - hide-comment + - opa-fmt - renovate-config-validator + - test - update-aqua-checksums if: failure() steps: - run: exit 1 - test: - uses: ./.github/workflows/wc-test.yaml - if: 'false' # CHANGEME Please remove this. + conftest-verify: + uses: ./.github/workflows/wc-conftest-verify.yaml needs: path-filter + if: | + needs.path-filter.outputs.conftest-verify == 'true' permissions: - id-token: write contents: read pull-requests: write with: @@ -88,14 +89,10 @@ jobs: secrets: gh_app_id: ${{secrets.APP_ID}} gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} - terraform_private_module_ssh_key: ${{secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY}} - secrets: ${{toJSON(secrets)}} - conftest-verify: - uses: ./.github/workflows/wc-conftest-verify.yaml + hide-comment: + uses: ./.github/workflows/wc-hide-comment.yaml needs: path-filter - if: | - needs.path-filter.outputs.conftest-verify == 'true' permissions: contents: read pull-requests: write 
@@ -119,10 +116,21 @@ jobs: gh_app_id: ${{secrets.APP_ID}} gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} - hide-comment: - uses: ./.github/workflows/wc-hide-comment.yaml + renovate-config-validator: + uses: ./.github/workflows/wc-renovate-config-validator.yaml + needs: path-filter + if: needs.path-filter.outputs.renovate-config-validator == 'true' + with: + ref: ${{needs.path-filter.outputs.merge_commit_sha}} + permissions: + contents: read + + test: + uses: ./.github/workflows/wc-test.yaml + if: 'false' # CHANGEME Please remove this. needs: path-filter permissions: + id-token: write contents: read pull-requests: write with: @@ -130,15 +138,8 @@ jobs: secrets: gh_app_id: ${{secrets.APP_ID}} gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}} - - renovate-config-validator: - uses: ./.github/workflows/wc-renovate-config-validator.yaml - needs: path-filter - if: needs.path-filter.outputs.renovate-config-validator == 'true' - with: - ref: ${{needs.path-filter.outputs.merge_commit_sha}} - permissions: - contents: read + terraform_private_module_ssh_key: ${{secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY}} + secrets: ${{toJSON(secrets)}} update-aqua-checksums: uses: ./.github/workflows/wc-update-aqua-checksums.yaml diff --git a/.github/workflows/wc-conftest-verify.yaml b/.github/workflows/wc-conftest-verify.yaml index b2a6ce7c1..f5a198ee7 100644 --- a/.github/workflows/wc-conftest-verify.yaml +++ b/.github/workflows/wc-conftest-verify.yaml @@ -1,5 +1,5 @@ --- -name: conftest-verify +name: conftest verify on: workflow_call: inputs: @@ -7,8 +7,6 @@ on: required: false type: string secrets: - gh_token: - required: false gh_app_id: required: false gh_app_private_key: 
@@ -25,18 +23,24 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{inputs.ref}} - - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1 - id: token + + - id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 with: - github_token: ${{secrets.gh_token}} - github_app_id: ${{secrets.gh_app_id}} - github_app_private_key: ${{secrets.gh_app_private_key}} - default_github_token: ${{github.token}} + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # pull_requests:write - Post comments + permissions: >- + {"pull_requests": "write"} + repositories: >- + ["${{github.event.repository.name}}"] + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 env: - AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + - run: github-comment exec -- conftest verify --no-color -p policy/terraform env: - GITHUB_TOKEN: ${{steps.token.outputs.token}} + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/wc-enable-auto-merge.yaml b/.github/workflows/wc-enable-auto-merge.yaml new file mode 100644 index 000000000..1d0bc5238 --- /dev/null +++ b/.github/workflows/wc-enable-auto-merge.yaml 
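Review bot: Replacing suzuki-shunsuke/github-token-action (which fell back to `default_github_token`) with tibdex/github-app-token makes `gh_app_id` and `gh_app_private_key` mandatory, but the `secrets:` block changed in the hunk above still declares both as `required: false`; a caller that omits them no longer gets a working `github.token` fallback but a failure inside the token step with a less obvious message. Declare them `required: true`, as the new wc-plan.yaml, wc-setup.yaml and wc-test-module.yaml already do, so the caller is rejected at workflow validation instead. The same mismatch is present in the wc-hide-comment.yaml, wc-opa-fmt.yaml and wc-test.yaml hunks, which also drop `gh_token` while keeping the App secrets optional.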
@@ -0,0 +1,37 @@ +--- +name: Enable auto-merge +on: + workflow_call: + secrets: + gh_app_id: + required: true + gh_app_private_key: + required: true +jobs: + enable-automerge: + # Enable automerge to merge pull requests from Renovate automatically. + runs-on: ubuntu-latest + permissions: + contents: write # For enable automerge + pull-requests: write # For enable automerge + steps: + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # pull_requests:write - Enable auto-merge + # contents:write - Merge pull requests + permissions: >- + { + "pull_requests": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] + + - run: gh -R "$GITHUB_REPOSITORY" pr merge --merge --auto --delete-branch "$PR_NUMBER" + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # Use GitHub App to trigger GitHub Actions Workflow by merge commit. + PR_NUMBER: ${{github.event.pull_request.number}} diff --git a/.github/workflows/wc-enable-automerge.yaml b/.github/workflows/wc-enable-automerge.yaml deleted file mode 100644 index a34af5fea..000000000 --- a/.github/workflows/wc-enable-automerge.yaml +++ /dev/null 
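Review bot: The job asks for `contents: write` and `pull-requests: write` on GITHUB_TOKEN, but the only step that talks to GitHub uses the App token (`GITHUB_TOKEN: ${{steps.generate_token.outputs.token}}`), so the default token's grant is unused — and the caller in test.yaml (`enable-auto-merge`, visible in the test.yaml hunk of this commit) passes `permissions: {}`, which GitHub does not let a called workflow escalate, so as far as I recall this combination is rejected at startup. The deleted wc-enable-automerge.yaml had `permissions: {}` at the job level for this reason; restoring that here, `permissions: {}`, keeps the least-privilege intent of the commit and the comments "For enable automerge" then belong on the App-token `permissions` block where the grants actually live. The merge strategy also changed from `--squash` to `--merge` relative to the deleted file, which the commit message does not mention; worth confirming it is intentional.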
@@ -1,29 +0,0 @@ ---- -name: enable-automerge -on: - workflow_call: - secrets: - gh_app_id: - required: false - gh_app_private_key: - required: false - -jobs: - enable-automerge: - runs-on: ubuntu-latest - permissions: {} - steps: - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 - id: token - with: - app_id: ${{secrets.gh_app_id}} - private_key: ${{secrets.gh_app_private_key}} - permissions: >- - {"pull_requests": "write", "contents": "write"} - # repositories: >- - # ["${{github.repository}}"] - - - run: gh -R "$GITHUB_REPOSITORY" pr merge --squash --auto --delete-branch "$PR_NUMBER" - env: - GITHUB_TOKEN: ${{steps.token.outputs.token}} # Use GitHub App to trigger GitHub Actions Workflow by merge commit. - PR_NUMBER: ${{github.event.pull_request.number}} diff --git a/.github/workflows/wc-hide-comment.yaml b/.github/workflows/wc-hide-comment.yaml index f447a928a..23d896948 100644 --- a/.github/workflows/wc-hide-comment.yaml +++ b/.github/workflows/wc-hide-comment.yaml 
@@ -7,36 +7,40 @@ on: required: false type: string secrets: - gh_token: - required: false gh_app_id: required: false gh_app_private_key: required: false -permissions: - contents: read - pull-requests: write env: GH_COMMENT_SHA1: ${{inputs.ref}} jobs: hide-comment: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{inputs.ref}} - - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1 - id: token + + - id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 with: - github_token: ${{secrets.gh_token}} - github_app_id: ${{secrets.gh_app_id}} - github_app_private_key: ${{secrets.gh_app_private_key}} - default_github_token: ${{github.token}} + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # pull_requests:write - Post and hide comments + permissions: >- + {"pull_requests": "write"} + repositories: >- + ["${{github.event.repository.name}}"] + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 env: - AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + - run: github-comment exec -- github-comment hide env: - GITHUB_TOKEN: ${{steps.token.outputs.token}} + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/wc-opa-fmt.yaml b/.github/workflows/wc-opa-fmt.yaml index 8f8b60b46..985233957 100644 --- a/.github/workflows/wc-opa-fmt.yaml +++ b/.github/workflows/wc-opa-fmt.yaml @@ -7,8 +7,6 @@ on: required: false type: string secrets: - gh_token: - required: false gh_app_id: required: false gh_app_private_key: 
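Review bot: The new job-level `pull-requests: write` on GITHUB_TOKEN is not used by anything in the job — both `github-comment` invocations run with the App token from `generate_token`, which already carries `pull_requests: write` — so it only widens what a compromised step could do with the default token. The wc-opa-fmt.yaml hunk in this same commit trims the equivalent job to `contents: read # To checkout private repositories`; doing the same here, `permissions:` / `contents: read`, would also let the `hide-comment` caller in test.yaml drop its `pull-requests: write` grant. If github-comment is expected to fall back to GITHUB_TOKEN somewhere, a comment on the permission explaining that would save the next reader the same question.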
@@ -17,24 +15,29 @@ jobs: opa-fmt: runs-on: ubuntu-latest permissions: - contents: read - pull-requests: write + contents: read # To checkout private repositories steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: ref: ${{inputs.ref}} - - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1 - id: token + + - id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 with: - github_token: ${{secrets.gh_token}} - github_app_id: ${{secrets.gh_app_id}} - github_app_private_key: ${{secrets.gh_app_private_key}} - default_github_token: ${{github.token}} + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # contents:write - Push commits + permissions: >- + {"contents": "write"} + repositories: >- + ["${{github.event.repository.name}}"] + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 with: aqua_version: v2.21.0 env: - AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}} + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + - uses: suzuki-shunsuke/github-action-opa-fmt@59d2b3726741e2aeb3fc96ba2cbdfd05ae879f28 # v0.1.0 with: - github_token: ${{steps.token.outputs.token}} + github_token: ${{steps.generate_token.outputs.token}} diff --git a/.github/workflows/wc-plan.yaml b/.github/workflows/wc-plan.yaml new file mode 100644 index 000000000..24f02f118 --- /dev/null +++ b/.github/workflows/wc-plan.yaml 
@@ -0,0 +1,146 @@ +--- +name: plan +on: + workflow_call: + inputs: + targets: + required: true + type: string + ref: + required: true + type: string + secrets: + gh_app_id: + required: true + gh_app_private_key: + required: true + +jobs: + plan: + name: "plan (${{matrix.target.target}})" + runs-on: ${{fromJSON(matrix.target.runs-on)}} + permissions: + pull-requests: write # For tfcmt and github-comment and reviewdog + id-token: write # For OIDC + contents: write # To push commits + # if services is empty, the build job is skipped + env: + TFACTION_TARGET: ${{matrix.target.target}} + TFACTION_JOB_TYPE: ${{matrix.target.job_type}} + GH_COMMENT_SHA1: ${{inputs.ref}} + TFCMT_SHA: ${{inputs.ref}} + strategy: + fail-fast: true + matrix: + target: ${{fromJSON(inputs.targets)}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + + - name: Generate token (aqua) + id: aqua_installer_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + permissions: >- + {} + repositories: >- + [] + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{steps.aqua_installer_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/export-secrets@v0.7.3 + with: + secrets: ${{toJSON(secrets)}} + + - name: Generate token to download private Terraform Modules + id: gh_setup_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{ secrets.gh_app_id }} + private_key: ${{ secrets.gh_app_private_key }} + # If you use private registries, contents:read is required + permissions: >- + { + "contents:read" + } + # private repositories hosting private modules + repositories: >- + [] + + # This is required to download private modules in `terraform init` + - run: gh auth 
setup-git + env: + GITHUB_TOKEN: ${{steps.gh_setup_token.outputs.token}} + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # issues:write - Create labels + # pull_requests:write - Post comments and set labels + # contents:write - Push commits + permissions: >- + { + "pull_requests": "write", + "issues": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] + + - uses: suzuki-shunsuke/tfaction/setup@v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # For GitHub Provider + + - uses: suzuki-shunsuke/tfaction/get-target-config@v0.7.3 + id: target-config + + - name: Generate token (pull request write) + id: pull_request_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + permissions: >- + { + "pull_requests": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] + + - run: | + set -euo pipefail + tfprovidercheck -v + github-comment exec -- terraform version -json | github-comment exec -- tfprovidercheck + working-directory: ${{ steps.target-config.outputs.working_directory }} + env: + TFPROVIDERCHECK_CONFIG_BODY: | + providers: + - name: registry.terraform.io/hashicorp/google + - name: registry.terraform.io/hashicorp/aws + - name: registry.terraform.io/hashicorp/null + - name: registry.terraform.io/integrations/github + GITHUB_TOKEN: ${{steps.pull_request_token.outputs.token}} # For github-comment + + - uses: suzuki-shunsuke/tfaction/test@v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # For GitHub Provider and reviewdog and github-comment + + - uses: 
suzuki-shunsuke/tfaction/plan@v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} # For GitHub Provider and tfcmt and github-comment diff --git a/.github/workflows/wc-setup.yaml b/.github/workflows/wc-setup.yaml new file mode 100644 index 000000000..5029616ed --- /dev/null +++ b/.github/workflows/wc-setup.yaml @@ -0,0 +1,61 @@ +--- +name: Set up +on: + workflow_call: + inputs: + ref: + required: true + type: string + secrets: + gh_app_id: + required: true + gh_app_private_key: + required: true + outputs: + targets: + description: targets + value: ${{jobs.setup.outputs.targets}} + modules: + description: targets + value: ${{jobs.setup.outputs.modules}} + merge_commit_sha: + description: targets + value: ${{jobs.setup.outputs.merge_commit_sha}} +jobs: + setup: + permissions: + contents: read # For checkout a private repository + pull-requests: write # For ci-info and github-comment + runs-on: ubuntu-latest + outputs: + targets: ${{steps.list-targets.outputs.targets}} + modules: ${{steps.list-targets.outputs.modules}} + merge_commit_sha: ${{inputs.ref}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + + - id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # pull_requests:write - Post comments + permissions: >- + { + "pull_requests": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.21.0 + env: + AQUA_GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} + + - uses: suzuki-shunsuke/tfaction/list-targets@pr/1291 + id: list-targets + env: + GITHUB_TOKEN: ${{steps.generate_token.outputs.token}} 
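Review bot: The five `suzuki-shunsuke/tfaction/*@v0.7.3` references (export-secrets, setup, get-target-config, test, plan) are pinned to a mutable tag, while every other action in this repository — including the same tfaction actions in apply.yaml — is pinned to a commit SHA with the version in a trailing comment; a moved tag would change what runs in a job that holds `id-token: write` and a `contents: write` App token. Pin them the way the rest of the tree does, e.g. `- uses: suzuki-shunsuke/tfaction/export-secrets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3`, and let Renovate track the comment. The new wc-test-module.yaml has the same `test-module@v0.7.3` tag pin. The job also grants `contents: write # To push commits` on GITHUB_TOKEN while the push-capable App token is what is passed to the tfaction steps; I cannot tell from here which token performs the push, so if it is the App token that job-level grant can be narrowed as well.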
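Review bot: `suzuki-shunsuke/tfaction/list-targets@pr/1291` points at a pull-request branch: the ref is mutable, has not gone through a release, and will disappear or change meaning once that PR is merged or closed, which makes this workflow both non-reproducible and a supply-chain weak point relative to the SHA pins used elsewhere in the commit. If the unreleased output shape is needed, pin the branch's current commit SHA and leave a `# TODO: replace with the release that includes <upstream PR>` comment so the dependency is visible to review. The `outputs:` block also copy-pastes `description: targets` onto all three outputs; `modules` and `merge_commit_sha` should read `description: modules` and `description: merge commit SHA of the ref under test`.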
diff --git a/.github/workflows/wc-test-module.yaml b/.github/workflows/wc-test-module.yaml new file mode 100644 index 000000000..b8e9df9b0 --- /dev/null +++ b/.github/workflows/wc-test-module.yaml @@ -0,0 +1,62 @@ +--- +name: Test Modules +on: + workflow_call: + inputs: + modules: + required: true + type: string + ref: + required: true + type: string + secrets: + gh_app_id: + required: true + gh_app_private_key: + required: true +jobs: + test-module: + name: "test-module (${{matrix.target}})" + runs-on: ubuntu-latest + permissions: + contents: read + env: + TFACTION_TARGET: ${{matrix.target}} + strategy: + fail-fast: true + matrix: + target: ${{fromJSON(inputs.modules)}} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{inputs.ref}} + + - name: Generate token + id: generate_token + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 + with: + app_id: ${{secrets.gh_app_id}} + private_key: ${{secrets.gh_app_private_key}} + # pull_requests:write - Post comments + # contents:write - Push commits + permissions: >- + { + "pull_requests": "write", + "contents": "write" + } + repositories: >- + ["${{github.event.repository.name}}"] + + - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0 + with: + aqua_version: v2.21.0 + aqua_opts: -l -a + working_directory: ${{matrix.target}} + env: + AQUA_GITHUB_TOKEN: ${{github.token}} + + - uses: suzuki-shunsuke/tfaction/test-module@v0.7.3 + with: + github_token: ${{steps.generate_token.outputs.token}} + env: + AQUA_GITHUB_TOKEN: ${{github.token}} diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml index 0197950bc..d430ef77a 100644 --- a/.github/workflows/wc-test.yaml +++ b/.github/workflows/wc-test.yaml @@ -7,8 +7,6 @@ on: required: false type: string secrets: - gh_token: - required: false gh_app_id: required: false gh_app_private_key: 
@@ -30,132 +28,36 @@ permissions:
 jobs:
 setup:
- runs-on: ubuntu-latest
- outputs:
- targets: ${{ steps.list-targets.outputs.targets }}
- modules: ${{ steps.list-targets.outputs.modules }}
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{inputs.ref}}
- - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1
- id: token
- with:
- github_token: ${{secrets.gh_token}}
- github_app_id: ${{secrets.gh_app_id}}
- github_app_private_key: ${{secrets.gh_app_private_key}}
- default_github_token: ${{github.token}}
-
- - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
- with:
- aqua_version: v2.21.0
- env:
- AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}}
-
- - uses: suzuki-shunsuke/tfaction/list-targets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- id: list-targets
+ uses: ./.github/workflows/wc-setup.yaml
+ permissions:
+ contents: read
+ pull-requests: write
+ with:
+ ref: ${{inputs.ref}}
+ secrets:
+ gh_app_id: ${{secrets.gh_app_id}}
+ gh_app_private_key: ${{secrets.gh_app_private_key}}
 test-module:
- name: "test-module (${{matrix.target}})"
- runs-on: ubuntu-latest
+ uses: ./.github/workflows/wc-test-module.yaml
 needs: setup # if services is empty, the build job is skipped
 if: "join(fromJSON(needs.setup.outputs.modules), '') != ''"
- env:
- TFACTION_TARGET: ${{matrix.target}}
- strategy:
- matrix:
- target: ${{fromJSON(needs.setup.outputs.modules)}}
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{inputs.ref}}
- - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1
- id: token
- with:
- github_token: ${{secrets.gh_token}}
- github_app_id: ${{secrets.gh_app_id}}
- github_app_private_key: ${{secrets.gh_app_private_key}}
- default_github_token: ${{github.token}}
-
- - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
- with:
- aqua_version: v2.21.0
- aqua_opts: -l -a
- working_directory: ${{matrix.target}}
- env:
- AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}}
-
- - uses: suzuki-shunsuke/tfaction/test-module@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- with:
- github_app_token: ${{steps.token.outputs.token}}
+ with:
+ modules: ${{needs.setup.outputs.modules}}
+ ref: ${{inputs.ref}}
+ secrets:
+ gh_app_id: ${{secrets.gh_app_id}}
+ gh_app_private_key: ${{secrets.gh_app_private_key}}
 plan:
- name: "plan (${{matrix.target.target}})"
- runs-on: ${{matrix.target.runs_on}}
+ uses: ./.github/workflows/wc-plan.yaml
 needs: setup # if services is empty, the build job is skipped
 if: "join(fromJSON(needs.setup.outputs.targets), '') != ''"
- strategy:
- fail-fast: true
- matrix:
- target: ${{fromJSON(needs.setup.outputs.targets)}}
- env:
- TFACTION_TARGET: ${{matrix.target.target}}
- TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{inputs.ref}}
- - uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1
- id: token
- with:
- github_token: ${{secrets.gh_token}}
- github_app_id: ${{secrets.gh_app_id}}
- github_app_private_key: ${{secrets.gh_app_private_key}}
- default_github_token: ${{github.token}}
-
- - uses: aquaproj/aqua-installer@928a2ee4243a9ee8312d80dc8cbaca88fb602a91 # v2.2.0
- with:
- aqua_version: v2.21.0
- env:
- AQUA_GITHUB_TOKEN: ${{steps.token.outputs.token}}
-
- - uses: suzuki-shunsuke/tfaction/export-secrets@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- with:
- secrets: ${{secrets.secrets}}
-
- # This is required to download private modules in `terraform init`
- - run: gh auth setup-git
- env:
- GITHUB_TOKEN: ${{steps.token.outputs.token}}
-
- - uses: suzuki-shunsuke/tfaction/setup@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- with:
- github_app_token: ${{steps.token.outputs.token}}
- ssh_key: ${{secrets.terraform_private_module_ssh_key}} # This isn't needed if you don't use SSH key to checkout private Terraform Modules
-
- - uses: suzuki-shunsuke/tfaction/get-target-config@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- id: target-config
-
- - run: |
- set -euo pipefail
- github-comment exec -var "tfaction_target:$TFACTION_TARGET" -- tfprovidercheck -v
- github-comment exec -var "tfaction_target:$TFACTION_TARGET" -- terraform version -json | github-comment exec -- tfprovidercheck
- working-directory: ${{ steps.target-config.outputs.working_directory }}
- env:
- TFPROVIDERCHECK_CONFIG_BODY: |
- providers:
- - name: registry.terraform.io/hashicorp/google
- - name: registry.terraform.io/hashicorp/aws
- - name: registry.terraform.io/hashicorp/null
- - name: registry.terraform.io/integrations/github
- GITHUB_TOKEN: ${{steps.token.outputs.token}} # For github-comment
-
- - uses: suzuki-shunsuke/tfaction/test@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- with:
- github_app_token: ${{steps.token.outputs.token}}
-
- - uses: suzuki-shunsuke/tfaction/plan@5731fade20e41c1905c04095f0e3d68fac14a636 # v0.7.3
- with:
- github_app_token: ${{steps.token.outputs.token}}
+ with:
+ targets: ${{needs.setup.outputs.targets}}
+ ref: ${{inputs.ref}}
+ secrets:
+ gh_app_id: ${{secrets.gh_app_id}}
+ gh_app_private_key: ${{secrets.gh_app_private_key}}
diff --git a/.github/workflows/wc-update-aqua-checksums.yaml b/.github/workflows/wc-update-aqua-checksums.yaml
index ea076c760..4cb371f05 100644
--- a/.github/workflows/wc-update-aqua-checksums.yaml
+++ b/.github/workflows/wc-update-aqua-checksums.yaml
@@ -7,8 +7,6 @@ on:
 required: false
 type: string
 secrets:
- gh_token:
- required: false
 gh_app_id:
 required: false
 gh_app_private_key:
@@ -24,6 +22,5 @@ jobs:
 prune: true
 ref: ${{inputs.ref}}
 secrets:
- gh_token: ${{secrets.gh_token}}
 gh_app_id: ${{secrets.gh_app_id}}
 gh_app_private_key: ${{secrets.gh_app_private_key}}
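Review bot: The new `plan` job forwards only `gh_app_id` and `gh_app_private_key` to wc-plan.yaml, but the steps it replaces also consumed `secrets.secrets` (export-secrets) and `secrets.terraform_private_module_ssh_key` (the `ssh_key` input of tfaction/setup); the wc-plan.yaml hunk starts outside this chunk, so if that workflow still declares those secrets they are now never passed and private-module checkout would fail silently at call time. Either forward them under `secrets:` of the `plan` call or, if wc-plan.yaml dropped them deliberately, say so in the commit description. Separately, `setup` declares job-level `permissions:` for its reusable-workflow call while `test-module` and `plan` do not, so those two inherit the caller's workflow-level permissions (defined above this hunk); for least privilege and consistency, declare what each call needs, e.g. `permissions:` / `contents: read` on `test-module` to mirror wc-test-module.yaml.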
From d754f920eef60988deb3333811a82bc3cd3e23c8 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Sun, 26 Nov 2023 18:54:55 +0900
Subject: [PATCH 2/2] fix concurrency
---
.github/workflows/test.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 9507bc301..83b52fec1 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -3,7 +3,7 @@ name: test
 on: pull_request_target
 concurrency:
- group: ${{ github.workflow }}--${{ github.ref }}
+ group: ${{ github.workflow }}--${{ github.head_ref }}
 cancel-in-progress: true
 permissions: {}
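Review bot: `group: ${{ github.workflow }}--${{ github.head_ref }}` keys the concurrency group on the head branch name only; under `pull_request_target` (the `on:` line two lines above) that name is not unique, because pull requests from different forks can share a branch name such as `main`, and with `cancel-in-progress: true` one PR's run would then cancel another's. Keying on the pull request number is unique per PR and still collapses repeated runs of the same PR: `group: ${{ github.workflow }}--${{ github.event.pull_request.number }}`.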