diff --git a/.trunk/configs/.checkov.yaml b/.checkov.yaml similarity index 100% rename from .trunk/configs/.checkov.yaml rename to .checkov.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index aa8f7e8..9ed5d6e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,6 +1,10 @@ name: Lint -on: pull_request +concurrency: + group: lint-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +on: pull_request_target permissions: actions: read @@ -16,3 +20,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Trunk Check uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19 + env: + # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + conventional-title: + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index e9e712a..6de4368 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -14,6 +14,14 @@ jobs: release-please: runs-on: ubuntu-latest steps: + - name: Create Token for MasterpointBot App + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 + id: generate-token + with: + app_id: ${{ secrets.MP_BOT_APP_ID }} + private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 with: + token: ${{ steps.generate-token.outputs.token }} release-type: terraform-module diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 7a791ce..330fbbb 100644 --- a/.github/workflows/test.yaml 
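Review bot: Changing the trigger to `pull_request_target` on the `on:` line runs this workflow in the base-repository context, where `secrets.GITHUB_TOKEN` can carry write scopes, so the job is only safe as long as nothing from the PR head is executed. The `actions/checkout` step in the next hunk appears to have no `ref:`, which under `pull_request_target` checks out the base branch, so Trunk Check would no longer be linting the PR's changes; the tempting fix of adding `ref: ${{ github.event.pull_request.head.sha }}` would let a fork PR edit `.trunk/trunk.yaml` or `.tflint.hcl` and run arbitrary code with that token. I'd keep `on: pull_request` for the lint job and move `conventional-title`, which needs only `pull-requests: read`, into its own workflow with no checkout step. The workflow's `permissions:` block is cut off after `actions: read`, so I cannot confirm how tightly the token is currently scoped.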
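Review bot: The new `env: GITHUB_TOKEN` on the Trunk Check step hands the workflow token to every linter process Trunk launches (tflint plugin downloads, trivy, trufflehog, and so on), and with this workflow now on `pull_request_target` that token may have write scopes on the base repository. Rate-limit relief for tflint's release lookups needs no permissions at all, so either restrict the workflow-level `permissions:` block to `contents: read` and `pull-requests: read` (only `actions: read` is visible here, so I cannot tell what else it grants) or store a dedicated no-permission fine-grained PAT as its own secret for this purpose. The `conventional-title` job reads only the PR title, so a job-level `permissions: pull-requests: read` would stop it inheriting anything broader. I'd also extend the comment on the `env:` line to `# read-only use: only avoids unauthenticated GitHub API rate limits when tflint fetches plugin releases; do not widen scopes for this`.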
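Review bot: The app token minted by the new `tibdex/github-app-token` step defaults to every permission the app installation has, and `release-please-action` then runs with it to push tags and open release PRs, so any compromised later step inherits the full installation scope. The action accepts a JSON-stringified `permissions` input and a `repositories` input to narrow that; something like `permissions: '{"contents": "write", "pull_requests": "write"}'` should be enough for release-please, and a one-line comment on the step saying why an app token is used rather than `GITHUB_TOKEN` (presumably so the release PR triggers the other workflows) would help the next reader. As far as I know `tibdex/github-app-token` is no longer maintained in favour of the first-party `actions/create-github-app-token`, which offers per-permission inputs; worth confirming before building on it. Minor: the pin comments here are written `#v2.1.0` and `#v4.1.3` while the rest of this diff uses `# v4.2.2`; the spaced form is what the other pins use and what pin-update tooling generally expects.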
+++ b/.github/workflows/test.yaml @@ -4,12 +4,7 @@ on: push: branches: - main - pull_request: - -env: - SPACELIFT_API_KEY_ENDPOINT: ${{ secrets.SPACELIFT_API_KEY_ENDPOINT }} - SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }} - SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }} + pull_request_target: permissions: actions: read diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml index d9cf480..5ea1ae9 100644 --- a/.github/workflows/trunk-upgrade.yaml +++ b/.github/workflows/trunk-upgrade.yaml @@ -34,10 +34,29 @@ jobs: reviewers: "@masterpointio/masterpoint-internal" prefix: "chore: " - - name: Merge PR automatically + - name: Wait for checks to pass + Merge PR if: steps.trunk-upgrade.outputs.pull-request-number != '' env: - GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} + GH_TOKEN: ${{ steps.generate-token.outputs.token }} PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }} run: | - gh pr merge "$PR_NUMBER" --squash --auto --delete-branch + echo "Waiting for required status checks to pass on PR #$PR_NUMBER..." + while true; do + CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket) + echo "Current checks status: $CHECKS_JSON" + + if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then + echo "One or more required checks have failed. Exiting..." + exit 1 + fi + + FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length') + if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then + echo "All required checks passed. Merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..." + gh pr merge "$PR_NUMBER" --squash --delete-branch --admin + break + else + echo "Some required checks are still running or pending. Retrying in 30s..." + sleep 30 + fi + done diff --git a/.gitignore b/.gitignore index 9636abe..4c85809 100644 --- a/.gitignore +++ b/.gitignore 
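Review bot: Replacing `pull_request` with `pull_request_target` on the trigger means every fork PR now runs this test workflow with base-repository secrets reachable, and dropping the workflow-level `SPACELIFT_API_KEY_*` env lines only helps if no step later in the file (outside this hunk) still references those secrets or checks out the PR head. If the job checks out `ref: ${{ github.event.pull_request.head.sha }}` and then runs `tofu test`/`terraform test`, an untrusted PR can execute arbitrary code with those credentials in reach, which is the classic pwn-request pattern. I'd keep `pull_request` for the test job, or gate the `pull_request_target` path with `if: github.event.pull_request.head.repo.full_name == github.repository` and put the Spacelift credentials behind an `environment:` that requires reviewer approval. The `permissions:` block after the trigger is cut off at `actions: read`, so the remaining token scopes are not visible here.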
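Review bot: In the new wait loop, `CHECKS_JSON=$(gh pr checks ...)` runs under the Actions default `bash -e` shell, and `gh pr checks` exits non-zero when any check fails, when no checks have been reported yet, and (on recent gh releases) when checks are still pending, so the step is likely to abort on its first iteration right after the PR is opened instead of ever reaching the retry branch. Two further gaps: an empty result (`[]`, no required checks on the branch) makes `FAILED_OR_PENDING_CHECKS` zero and `--admin` then merges with no gate at all, and checks in the `skipping`/`cancel` buckets satisfy neither branch, so the loop spins until the job's default six-hour timeout. `--admin` also bypasses required reviews and branch protection, which is presumably intended for these bot PRs but deserves a comment on the step, e.g. `# --admin bypasses branch protection (required reviews); the wait loop above is the only merge gate, so it must be strict`. Suggested rewrite of the loop body follows; the merge command and the step's `if:` line are unchanged.
```yaml
      - name: Wait for checks to pass + Merge PR
        if: steps.trunk-upgrade.outputs.pull-request-number != ''
        # bound the polling loop instead of relying on the job's default 6h timeout
        timeout-minutes: 30
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
        run: |
          echo "Waiting for required status checks to pass on PR #$PR_NUMBER..."
          while true; do
            # gh exits non-zero when checks fail, are pending, or are not reported yet;
            # decide from the JSON contents instead of the exit code.
            CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket 2>/dev/null || true)
            CHECKS_JSON=${CHECKS_JSON:-[]}
            echo "Current checks status: $CHECKS_JSON"

            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail" or .bucket=="cancel")' > /dev/null; then
              echo "One or more required checks have failed or were cancelled. Exiting..."
              exit 1
            fi

            # refuse to merge when nothing is reported: an empty list would otherwise
            # count as "zero pending" and --admin would merge with no gate at all
            TOTAL_CHECKS=$(echo "$CHECKS_JSON" | jq 'length')
            NOT_PASSED=$(echo "$CHECKS_JSON" | jq '[.[] | select(.bucket!="pass")] | length')
            if [ "$TOTAL_CHECKS" -gt 0 ] && [ "$NOT_PASSED" -eq 0 ]; then
              # … unchanged: echo + gh pr merge --squash --delete-branch --admin; break …
            else
              echo "Required checks not yet reported or still pending. Retrying in 30s..."
              sleep 30
            fi
          done
```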
@@ -16,6 +16,7 @@ # IDE/Editor settings **/.idea **/*.iml +.cursor/ .vscode/ *.orig *.draft @@ -44,3 +45,7 @@ backend.tf.json **/*.bak **/*.*swp **/.DS_Store + +# Claude Code - we beleive engineers are responsible for the code they push no matter how it's generated. +# Therefore, configs specific to their coding practices are their responsibilty to judiciously manage. +.claude/* diff --git a/.trunk/configs/.markdownlint.yaml b/.markdownlint.yaml similarity index 100% rename from .trunk/configs/.markdownlint.yaml rename to .markdownlint.yaml diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..f01f0f6 --- /dev/null +++ b/.tflint.hcl 
@@ -0,0 +1,42 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +config { + format = "compact" + + # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module. + # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md + call_module_type = "all" + + # default values but keeping them here for clarity + disabled_by_default = false + force = false +} + +# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN +# environment variable. Without it, you'll get an error like this: +# $ tflint --init +# Installing "aws" plugin... +# Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials [] +# +# The solution is to provide a github PAT via a GITHUB_TOKEN env var, +# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789 +# +# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting +plugin "aws" { + enabled = true + version = "0.39.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" + deep_check = false +} + +# Allow variables to exist in more files than ONLY variables.tf +# Example use cases where we prefer for variables to exist in context, +# - context.tf (applicable to the null-label module) +# - providers.tf (when passing in secret keys from SOPs - example, github provider) +# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md +rule "terraform_standard_module_structure" { + enabled = false +} \ No newline at end of file diff --git a/.trunk/.gitignore b/.trunk/.gitignore index 15966d0..072b680 100644 --- a/.trunk/.gitignore +++ b/.trunk/.gitignore @@ -6,4 +6,4 @@ plugins user_trunk.yaml user.yaml -tmp +tmp \ No newline at end of file 
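Review bot: The plugin comment in this new file embeds a realistic-looking `github_pat_…` value as its example; even though it is fake, strings with that prefix can trip TruffleHog (enabled in `.trunk/trunk.yaml` in this same diff) or GitHub secret scanning, and they normalise pasting real tokens into config files. Replace it with an obvious placeholder such as `export GITHUB_TOKEN=<fine-grained PAT with no repository permissions>` and say in the same comment that the token exists only to lift the unauthenticated API rate limit, so it should be minted with no permissions at all. Unrelated nit: the file is added without a trailing newline, and the `.trunk/.gitignore` hunk below strips one as well; the repo's yamllint/prettier setup will likely keep flagging both.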
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 94de5a3..35c1009 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -2,17 +2,17 @@ # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml version: 0.1 cli: - version: 1.22.15 + version: 1.24.0 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) plugins: sources: - id: trunk - ref: v1.6.8 + ref: v1.7.0 uri: https://github.com/trunk-io/plugins # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) runtimes: enabled: - - node@18.20.5 + - node@22.16.0 - python@3.10.8 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) lint: @@ -20,17 +20,17 @@ lint: # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331 - terrascan enabled: - - renovate@40.0.0 + - renovate@40.36.2 - tofu@1.9.1 - actionlint@1.7.7 - - checkov@3.2.413 + - checkov@3.2.435 - git-diff-check - - markdownlint@0.44.0 + - markdownlint@0.45.0 - prettier@3.5.3 - - tflint@0.56.0 - - trivy@0.61.1 - - trufflehog@3.88.26 - - yamllint@1.37.0 + - tflint@0.58.0 + - trivy@0.63.0 + - trufflehog@3.88.35 + - yamllint@1.37.1 ignore: - linters: [tofu] paths: diff --git a/.trunk/configs/.yamllint.yaml b/.yamllint.yaml similarity index 100% rename from .trunk/configs/.yamllint.yaml rename to .yamllint.yaml diff --git a/LICENSE b/LICENSE index 6b571c5..56d75ee 100644 --- a/LICENSE +++ b/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2024 Masterpoint + Copyright 2025 Masterpoint Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.