

Merge branch 'main' into f_version_updates
mikef-nl committed Jul 2, 2024
2 parents 114e987 + 084fb1b commit 1bd4e6d
Showing 22 changed files with 341 additions and 180 deletions.
19 changes: 11 additions & 8 deletions .github/labels.yaml
@@ -1,25 +1,28 @@
---
- name: breaking
color: 'b60205'
color: "b60205"
description: This change is not backwards compatible
- name: bug
color: 'd93f0b'
color: "d93f0b"
description: Something isn't working
- name: documentation
color: '0075ca'
color: "0075ca"
description: Improvements or additions to documentation
- name: enhancement
color: '0e8a16'
color: "0e8a16"
description: New feature or request
- name: feature
color: '0e8a16'
color: "0e8a16"
description: New feature or request
- name: fix
color: 'd93f0b'
color: "d93f0b"
description: Something isn't working
- name: misc
color: "#6B93D3"
description: Miscellaneous task not covered by something else
- name: no-changelog
color: 'cccccc'
color: "cccccc"
description: No entry should be added to the release notes and changelog
- name: security
color: '5319e7'
color: "5319e7"
description: Solving a security issue
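Review bot: The new `misc` entry gives its color as `"#6B93D3"`, while every other label in this file uses a bare lowercase six-digit value; GitHub's label API takes the hex digits without a prefix, and whether the labeler action normalizes a leading `#` is not visible from this diff, so the sync could fail or produce a label that does not match the others. Aligning it with the rest of the file removes the question: `color: "6b93d3"`. A one-line comment at the top, `# color: 6 hex digits, no leading "#"`, would document the expected format, since the quoting churn in this same hunk shows it is easy to get wrong.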
5 changes: 3 additions & 2 deletions .github/workflows/label-synchronization.yaml
@@ -1,5 +1,6 @@
name: label-synchronization
on:
workflow_dispatch:
push:
branches:
- main
Expand All @@ -17,10 +18,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Synchronize labels
uses: crazy-max/ghaction-github-labeler@v4
uses: crazy-max/ghaction-github-labeler@v5
with:
dry-run: false
github-token: ${{ secrets.GITHUB_TOKEN }}
4 changes: 2 additions & 2 deletions .github/workflows/pr-validation.yaml
Expand Up @@ -16,7 +16,7 @@ jobs:
autolabeler:
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@v5
- uses: release-drafter/release-drafter@v6
with:
config-name: release-drafter-config.yaml
env:
Expand Down Expand Up @@ -79,7 +79,7 @@ jobs:
needs: autolabeler
runs-on: ubuntu-latest
steps:
- uses: danielchabr/pr-labels-checker@v3.1
- uses: danielchabr/pr-labels-checker@v3.3
id: lint_pr_labels
with:
hasSome: breaking,bug,documentation,enhancement,feature,fix,misc,security
2 changes: 1 addition & 1 deletion .github/workflows/release-drafter.yaml
Expand Up @@ -20,7 +20,7 @@ jobs:
draft:
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@v5
- uses: release-drafter/release-drafter@v6
with:
publish: false
prerelease: false
42 changes: 28 additions & 14 deletions .github/workflows/terraform-validation.yaml
Expand Up @@ -9,45 +9,56 @@ permissions:

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TF_IN_AUTOMATION: 1

jobs:
fmt-lint-validate:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Setup Terraform
uses: hashicorp/setup-terraform@v2

- name: Setup Terraform Linters
uses: terraform-linters/setup-tflint@v2
uses: terraform-linters/setup-tflint@v4
with:
github_token: ${{ github.token }}

- name: Terraform Format
id: fmt
run: terraform fmt -check -recursive

- name: Terraform Init
id: init
- name: Terraform Lint
id: lint
run: |
echo "Checking ."
tflint --format compact
for d in examples/*/; do
terraform -chdir=$d init
echo "Checking ${d} ..."
tflint --chdir=$d --format compact
done
- name: Terraform Validate
id: validate
if: ${{ !vars.SKIP_TERRAFORM_VALIDATE }}
run: |
for d in examples/*/; do
echo "Checking ${d} ..."
terraform -chdir=$d init
terraform -chdir=$d validate -no-color
done
env:
AWS_DEFAULT_REGION: eu-west-1

- name: Terraform Lint
id: lint
run: tflint --no-color --recursive --format compact
- name: Terraform Test
id: test
if: ${{ !vars.SKIP_TERRAFORM_TESTS }}
run: |
terraform init
terraform test
- uses: actions/github-script@v6
if: github.event_name == 'pull_request' || always()
Expand Down Expand Up @@ -98,12 +109,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}

- name: Render terraform docs inside the README.md and push changes back to PR branch
uses: terraform-docs/gh-actions@v1.0.0
uses: terraform-docs/gh-actions@v1.1.0
with:
args: --sort-by required
git-commit-message: "docs(readme): update module usage"
Expand All @@ -117,7 +128,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Terraform security scan
uses: aquasecurity/[email protected]
Expand All @@ -136,21 +147,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Run Checkov
uses: bridgecrewio/checkov-action@v12.2150.0
uses: bridgecrewio/checkov-action@v12
with:
container_user: 1000
directory: "/"
download_external_modules: false
framework: terraform
output_format: sarif
quiet: true
skip-checks: "CKV_GIT_5"
skip_check: "CKV_GIT_5,CKV_GLB_1,CKV_TF_1"
soft_fail: false
skip_path: "examples/"

### SKIP REASON ###
# Check | Description | Reason

# CKV_GIT_5 | Ensure GitHub pull requests have at least 2 approvals | We strive for at least 1 approval
# CKV_GLB_1 | Ensure at least two approving reviews are required to merge a GitLab MR | We strive for at least 1 approval
# CKV_TF_1 | Ensure Terraform module sources use a commit hash | We think this check is too restrictive and that versioning should be preferred over commit hash
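Review bot: The Checkov step loosens its reference from the exact tag `bridgecrewio/checkov-action@v12.2150.0` to the floating major tag `v12`, so every run now executes whatever upstream currently points that mutable tag at — in the same hunk that disables CKV_TF_1 on the grounds that sources should be version-pinned. For a step that runs with the job's `GITHUB_TOKEN` in its environment, prefer a full-length commit SHA with the version as a trailing comment (`uses: bridgecrewio/checkov-action@<full-commit-sha>  # v12.x.y`), and the same applies to the other `@vN` references bumped in this file. Separately, the new guards `if: ${{ !vars.SKIP_TERRAFORM_VALIDATE }}` and `if: ${{ !vars.SKIP_TERRAFORM_TESTS }}` treat any non-empty repository variable as true, so setting the variable to `false` would still skip the step; an explicit comparison such as `if: ${{ vars.SKIP_TERRAFORM_VALIDATE != 'true' }}` avoids that. The `permissions:` mapping this section's first hunk is anchored under begins above the visible lines.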
4 changes: 2 additions & 2 deletions .github/workflows/update-changelog.yaml
Expand Up @@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
token: ${{ secrets.MCAF_GITHUB_TOKEN }}

Expand All @@ -24,7 +24,7 @@ jobs:
release-notes: ${{ github.event.release.body }}

- name: Commit updated Changelog
uses: stefanzweifel/git-auto-commit-action@v4
uses: stefanzweifel/git-auto-commit-action@v5
with:
branch: ${{ github.event.repository.default_branch }}
commit_message: "docs(changelog): update changelog"
18 changes: 14 additions & 4 deletions .pre-commit-config.yaml
Expand Up @@ -2,7 +2,7 @@
default_stages: [commit]
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v4.6.0
hooks:
- id: check-json
- id: check-merge-conflict
Expand All @@ -14,17 +14,27 @@ repos:
args:
- --autofix
- id: detect-aws-credentials
args:
- --allow-missing-credentials
- id: detect-private-key
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.81.0
rev: v1.88.4
hooks:
- id: terraform_fmt
- id: terraform_tflint
- id: terraform_docs
- id: terraform_validate
- repo: https://github.com/bridgecrewio/checkov.git
rev: 2.3.34
rev: 3.2.60
hooks:
- id: checkov
verbose: false
args: [--download-external-modules, "true", --quiet, --compact]
args:
- --download-external-modules
- "true"
- --quiet
- --compact
- --skip-check
- CKV_GIT_5,CKV_GLB_1,CKV_TF_1
- --skip-path
- examples/*
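Review bot: The rewritten checkov hook args keep `--download-external-modules` set to `"true"`, while the CI workflow touched in this same commit runs Checkov with `download_external_modules: false`, so the local hook fetches remote module sources on every commit and scans a different tree than CI does. Unless the divergence is deliberate, set the hook to `- "false"` to match, or add a comment above the hook stating why developer machines should download what CI does not. The `--skip-path` value (`examples/*`) also differs from the workflow's `skip_path: "examples/"`; picking one form for both keeps the two scans comparable. The skip list `CKV_GIT_5,CKV_GLB_1,CKV_TF_1` would also benefit from the same per-check reason comments the workflow carries, so the justification lives next to both copies.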
