diff --git a/.trunk/configs/.checkov.yaml b/.checkov.yaml similarity index 100% rename from .trunk/configs/.checkov.yaml rename to .checkov.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2bbb389..9ed5d6e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -4,7 +4,7 @@ concurrency: group: lint-${{ github.head_ref || github.run_id }} cancel-in-progress: true -on: pull_request +on: pull_request_target permissions: actions: read @@ -20,6 +20,10 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trunk Check uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 + env: + # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} conventional-title: runs-on: ubuntu-latest diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index e9e712a..6de4368 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -14,6 +14,14 @@ jobs: release-please: runs-on: ubuntu-latest steps: + - name: Create Token for MasterpointBot App + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 + id: generate-token + with: + app_id: ${{ secrets.MP_BOT_APP_ID }} + private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 with: + token: ${{ steps.generate-token.outputs.token }} release-type: terraform-module diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml index d9cf480..5ea1ae9 100644 --- a/.github/workflows/trunk-upgrade.yaml +++ b/.github/workflows/trunk-upgrade.yaml 
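Review bot: Switching `on:` to `pull_request_target` in the first lint.yaml hunk runs this workflow with the base repository's token and secrets even for pull requests from forks, and the second hunk then hands that `GITHUB_TOKEN` to Trunk Check, which executes linters and tflint plugins whose configuration (`.trunk/trunk.yaml`, `.tflint.hcl`) lives in the checked-out tree. If the `actions/checkout` step (its `ref` is outside the hunk) checks out the PR head, a fork can edit those config files and run code of its choosing with the injected token; the `permissions:` block limits what the token can do, but only `actions: read` is visible here so its full scope cannot be confirmed. For the stated goal of avoiding tflint's GitHub API rate limit, the plain `pull_request` event already exposes a read-only `secrets.GITHUB_TOKEN` to fork PRs, so keeping `on: pull_request` together with the new `env:` block achieves it without the privilege change. If `pull_request_target` is kept, check out the base ref or restrict the job to non-fork PRs, and keep the token's permissions read-only.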
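Review bot: The installation token minted by `tibdex/github-app-token` in the release-please.yaml hunk carries every permission granted to the MasterpointBot app installation, and nothing in the new step narrows it before it is passed to release-please. The action's `permissions` input (a JSON object of permission to access level) and `repositories` input restrict the token to what this job needs, which for release-please is roughly `permissions: '{"contents":"write","pull_requests":"write"}'` on this repository, so a token that leaks from the runner cannot reach other repositories the app is installed on. The version comment `#v2.1.0` also differs from the `# v4.2.2` form used in lint.yaml; one consistent form keeps pin-update tooling reliable.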
@@ -34,10 +34,29 @@ jobs: reviewers: "@masterpointio/masterpoint-internal" prefix: "chore: " - - name: Merge PR automatically + - name: Wait for checks to pass + Merge PR if: steps.trunk-upgrade.outputs.pull-request-number != '' env: - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }} run: | - gh pr merge "$PR_NUMBER" --squash --auto --delete-branch + echo "Waiting for required status checks to pass on PR #$PR_NUMBER..." + while true; do + CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket) + echo "Current checks status: $CHECKS_JSON" + + if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then + echo "One or more required checks have failed. Exiting..." + exit 1 + fi + + FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length') + if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then + echo "All required checks passed. Merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..." + gh pr merge "$PR_NUMBER" --squash --delete-branch --admin + break + else + echo "Some required checks are still running or pending. Retrying in 30s..." + sleep 30 + fi + done diff --git a/.gitignore b/.gitignore index 08902b8..4c85809 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ # IDE/Editor settings **/.idea **/*.iml +.cursor/ .vscode/ *.orig *.draft @@ -45,5 +46,6 @@ backend.tf.json **/*.*swp **/.DS_Store -.cursor/rules -.claude +# Claude Code - we beleive engineers are responsible for the code they push no matter how it's generated. +# Therefore, configs specific to their coding practices are their responsibilty to judiciously manage. +.claude/* diff --git a/.trunk/configs/.markdownlint.yaml b/.markdownlint.yaml similarity index 100% rename from .trunk/configs/.markdownlint.yaml rename to .markdownlint.yaml 
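Review bot: `gh pr merge "$PR_NUMBER" --squash --delete-branch --admin` bypasses every branch-protection rule, not just the status checks the loop has already waited for — required reviews, signed commits and similar rules are all overridden, whereas the removed `--auto` form honoured them. Because the loop only merges after the required checks report `pass`, drop `--admin` so any protection rule that is still unmet fails the step instead of being silently overridden: `gh pr merge "$PR_NUMBER" --squash --delete-branch`. The loop also has no exit for a check that ends in the `cancel` or `skipping` bucket: such a check is neither `fail` nor `SUCCESS`/`pass`, so the `else` branch retries every 30s until the runner's job limit. Treat those buckets as terminal, `select(.bucket=="fail" or .bucket=="cancel")`, and give the job a `timeout-minutes:` so a stuck check cannot hold the app token for hours; the job header is above this hunk.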
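Review bot: The comment added in the second .gitignore hunk has two spelling errors — `beleive` should be `believe` and `responsibilty` should be `responsibility`. Note too that `.claude/*` and the new `.cursor/` entry behave differently: `.cursor/` ignores the directory outright, while `.claude/*` ignores its contents but leaves individual entries re-includable with a later `!.claude/<file>` rule, which is fine if intended but is worth a word in the comment.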
diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..f01f0f6 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,42 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +config { + format = "compact" + + # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module. + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md + call_module_type = "all" + + # default values but keeping them here for clarity + disabled_by_default = false + force = false +} + +# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN +# environment variable. Without it, you'll get an error like this: +# $ tflint --init +# Installing "aws" plugin... +# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] +# +# The solution is to provide a github PAT via a GITHUB_TOKEN env var, +# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 +# +# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting +plugin "aws" { + enabled = true + version = "0.39.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" + deep_check = false +} + +# Allow variables to exist in more files than ONLY variables.tf +# Example use cases where we prefer for variables to exist in context, +# - context.tf (applicable to the null-label module) +# - providers.tf (when passing in secret keys from SOPs - example, github provider) +# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md +rule "terraform_standard_module_structure" { + enabled = false +} \ No newline at end of file diff --git a/.trunk/.gitignore b/.trunk/.gitignore index 15966d0..072b680 100644 --- a/.trunk/.gitignore +++ b/.trunk/.gitignore 
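Review bot: The comment block above `plugin "aws"` contains a token-shaped example, `github_pat_120abc…`; it is fake, but the `github_pat_` prefix is the pattern secret scanners and push protection key on, so it will raise findings in every repository that copies this config and invites someone to paste a real token into a file next to it. Replace it with an obviously non-token placeholder such as `export GITHUB_TOKEN=<your-token>` and note that fetching public releases needs only an authenticated rate limit, so a fine-grained token with no repository permissions is enough. The file also ends without a trailing newline, which the diff flags.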
@@ -6,4 +6,4 @@ plugins user_trunk.yaml user.yaml -tmp +tmp \ No newline at end of file diff --git a/.trunk/configs/.yamllint.yaml b/.yamllint.yaml similarity index 100% rename from .trunk/configs/.yamllint.yaml rename to .yamllint.yaml