diff --git a/.github/renovate.json5 b/.github/renovate.json5
index b4c3ecf..275d017 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -3,16 +3,9 @@
 "config:best-practices",
 "github>aquaproj/aqua-renovate-config#2.7.5"
 ],
- "schedule": [
- "after 9am on the first day of the month"
- ],
- "assigneesFromCodeOwners": true,
- "dependencyDashboardAutoclose": true,
- "addLabels": [
- "auto-upgrade"
- ],
 "enabledManagers": [
- "terraform"
+ "terraform",
+ "github-actions"
 ],
 "terraform": {
 "ignorePaths": [
@@ -23,34 +16,49 @@
 "\\.tofu$"
 ]
 },
+ "schedule": [
+ "after 9am on the first day of the month"
+ ],
+ "assigneesFromCodeOwners": true,
+ "dependencyDashboardAutoclose": true,
+ "addLabels": ["{{manager}}"],
 "packageRules": [
 {
- "matchDepTypes": [
- "optionalDependencies"
- ],
- // Allow auto merge if it's not a major version update
- "matchUpdateTypes": [
- "minor",
- "patch",
- "pin",
- "digest"
- ],
- "automerge": true
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+ "automerge": true,
+ "automergeType": "branch",
+ "groupName": "github-actions-auto-upgrade",
+ "addLabels": ["auto-upgrade"]
+ },
+ {
+ "matchManagers": ["github-actions"],
+ "matchUpdateTypes": ["major"],
+ "groupName": "github-actions-needs-review",
+ "addLabels": ["needs-review"]
+ },
+ {
+ "matchManagers": ["terraform"],
+ "groupName": "tf",
+ "addLabels": ["needs-review"]
 },
 {
 "matchFileNames": ["**/*.tofu", "**/*.tf"],
 "matchDatasources": ["terraform-provider", "terraform-module"],
- "registryUrls": ["https://registry.opentofu.org"]
+ "registryUrls": ["https://registry.opentofu.org"],
+ "groupName": "tf"
 },
 {
 "matchFileNames": ["**/*.tofu"],
 "matchDepTypes": ["required_version"],
- "registryUrls": ["https://registry.opentofu.org"]
+ "registryUrls": ["https://registry.opentofu.org"],
+ "groupName": "tf"
 },
 {
 "matchFileNames": ["**/*.tf"],
 "matchDepTypes": ["required_version"],
- "registryUrls": ["https://registry.terraform.io"]
+ "registryUrls": ["https://registry.terraform.io"],
+ "groupName": "tf"
 }
 ]
 }
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index dd5e030..2bbb389 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,5 +1,9 @@
 name: Lint
 
+concurrency:
+ group: lint-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
 on: pull_request
 
 permissions:
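Review bot: The first packageRule sets `"automergeType": "branch"`, which has Renovate merge the update branch without ever opening a PR, so workflows that trigger only on `pull_request` (lint.yaml in this same diff) never run against it, and as far as I recall Renovate then sees no status checks on the branch and will not automerge at all unless `ignoreTests` is set. Either drop that line to keep the default PR-based automerge, or add a `push` trigger for `renovate/**` branches to the workflows; the test workflow's trigger is outside this diff, so I cannot tell whether it already covers pushes. Whichever way, CI is the only gate for the automerged `pin`/`digest`/`minor`/`patch` action updates since no human reviews them, and the `addLabels`/`assigneesFromCodeOwners` settings in this hunk do not apply to a branch that never becomes a PR. The removed `// Allow auto merge if it's not a major version update` comment is worth carrying over to the new rule so the intent stays documented.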
@@ -13,6 +17,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out Git repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Trunk Check
- uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19
+ uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+
+ conventional-title:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 31600a3..1574792 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -13,9 +13,6 @@ permissions:
 id-token: write
 pull-requests: read
 
-env:
- AWS_REGION: us-east-1
-
 jobs:
 tf-test:
 name: 🧪 ${{ matrix.tf }} test
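Review bot: The new `conventional-title` job declares no `permissions:` of its own and so inherits the workflow-level block, whose contents sit outside this hunk; amannn/action-semantic-pull-request reads the PR through the API with the `GITHUB_TOKEN` it is given, so confirm that block grants at least `pull-requests: read`, or the check will likely be rejected on a private repository. The workflow's bare `on: pull_request` (context in the earlier hunk) uses the default event types, which exclude `edited`, so a contributor who fixes the title after a failed check gets no re-run until the next push; `on: pull_request: types: [opened, edited, synchronize, reopened]` covers that. A `name:` on the new `uses:` step would keep it consistent with the two named steps in the job above.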
@@ -24,46 +21,8 @@ jobs:
 matrix:
 tf: [tofu, terraform]
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- - name: Aqua Cache
- uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
- if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
+ - uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0
 with:
- path: ~/.local/share/aquaproj-aqua
- key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
- restore-keys: |
- v1-aqua-installer-${{runner.os}}-${{runner.arch}}-
-
- - name: Install Aqua
- uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
- with:
- aqua_version: v2.48.1
-
- - name: Aqua Install
- shell: bash
- run: aqua install --tags ${{ matrix.tf }}
-
- - name: Check if TF AWS provider is used
- id: check_aws_provider
- run: |
- if grep -q "aws" $(find . -name "versions.tf" -o -name "versions.tofu" -type f); then
- echo "Found aws in versions.tf or versions.tofu files"
- echo "contains_hashicorp=true" >> $GITHUB_OUTPUT
- else
- echo "No versions.tf or versions.tofu files contain aws"
- echo "contains_hashicorp=false" >> $GITHUB_OUTPUT
- fi
-
- # Assume into the `masterpoint-testing` AWS account with OIDC for testing ONLY if the AWS provider is used
- # Not needed for modules that don't use the AWS provider, for example, exclusive Spacelift modules
- - name: Configure AWS Credentials on `masterpoint-testing` AWS Account
- if: steps.check_aws_provider.outputs.contains_hashicorp == 'true'
- uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
- with:
- role-to-assume: arn:aws:iam::115843287071:role/mp-ue1-testing-oidc-github
- role-session-name: GitHubActionsOIDC-MP-Infra-Repo
- aws-region: ${{ env.AWS_REGION }}
-
- - run: ${{ matrix.tf }} init
- - run: ${{ matrix.tf }} test
+ tf_type: ${{ matrix.tf }}
+ aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
index e116e8f..d9cf480 100644
--- a/.github/workflows/trunk-upgrade.yaml
+++ b/.github/workflows/trunk-upgrade.yaml
@@ -27,8 +27,17 @@ jobs:
 private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
 - name: Upgrade
+ id: trunk-upgrade
 uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
 with:
 github-token: ${{ steps.generate-token.outputs.token }}
 reviewers: "@masterpointio/masterpoint-internal"
 prefix: "chore: "
+
+ - name: Merge PR automatically
+ if: steps.trunk-upgrade.outputs.pull-request-number != ''
+ env:
+ GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+ PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
+ run: |
+ gh pr merge "$PR_NUMBER" --squash --auto --delete-branch
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index c76391f..8f2a801 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -2,7 +2,7 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
- version: 1.22.12
+ version: 1.22.15
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
 sources:
@@ -20,17 +20,17 @@ lint:
 # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
 - terrascan
 enabled:
- renovate@39.263.0
+ - renovate@40.0.6
 - tofu@1.9.1
 - actionlint@1.7.7
- checkov@3.2.412
+ - checkov@3.2.420
 - git-diff-check
 - markdownlint@0.44.0
 - prettier@3.5.3
- tflint@0.56.0
- trivy@0.61.1
- trufflehog@3.88.25
- yamllint@1.37.0
+ - tflint@0.57.0
+ - trivy@0.62.1
+ - trufflehog@3.88.29
+ - yamllint@1.37.1
 ignore:
 - linters: [tofu]
 paths:
diff --git a/LICENSE b/LICENSE
index 6b571c5..56d75ee 100644
--- a/LICENSE
+++ b/LICENSE
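Review bot: `aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}` is now passed on every matrix run, while the removed steps only assumed the role when a `versions.tf`/`versions.tofu` referenced the aws provider and carried a comment saying so; whether masterpointio/github-action-tf-test@v1.0.0 still gates the OIDC assume-role on provider usage is not visible here, so confirm it. If it does, a one-line comment above the step, e.g. `# The action assumes the role only when the module uses the AWS provider`, keeps that intent documented; if it does not, every test job performs an assume-role it may not need. `vars.*` is a plain repository/organization variable, not a secret, and an unset variable expands to an empty string, so an empty `aws_role_arn` should be treated as "no AWS" by the action rather than handed to the assume-role call. `AWS_REGION` was also removed from `env:` in the hunk above, so the region now has to come from the action's own inputs or defaults.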
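Review bot: `gh pr merge "$PR_NUMBER" --squash --auto --delete-branch` enables auto-merge with the same App token that opened the PR, so the `reviewers:` requested on the Upgrade step are advisory only: `--auto` waits for the branch's required status checks, and for approvals only if branch protection demands them, not for the requested review. That is a defensible choice for a linter-version bump, but it should be stated where the next reader sees it, e.g. `# Auto-merge once required checks pass; merges without human review unless branch protection requires approvals` above the step. If an approval gate is intended it has to live in branch protection rather than here, since the bot token cannot approve its own PR. Passing the number through `PR_NUMBER` in `env:` rather than inlining `${{ }}` into `run:` is the right pattern and worth keeping.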
@@ -187,7 +187,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
 
- Copyright 2024 Masterpoint
+ Copyright 2025 Masterpoint
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 8e99277..86f28ba 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,6 @@ Big shout out to the following projects which this project uses/depends on/menti
 1. [cloudposse/terraform-aws-dynamic-subnets](https://github.com/cloudposse/terraform-aws-dynamic-subnets)
 1. [cloudposse/terraform-aws-kms-key](https://github.com/cloudposse/terraform-aws-kms-key)
 1. [cloudposse/terraform-aws-s3-bucket](https://github.com/cloudposse/terraform-aws-s3-bucket)
-1. Cloud Posse's Terratest Setup.
 
 ![SSM Agent Session Manager Example](https://i.imgur.com/lWcRiQf.png)
 