diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..2509343 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,17 @@ +version: 2 + +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: feat + + - package-ecosystem: "terraform" + directory: "/" + schedule: + interval: "daily" + commit-message: + prefix: feat diff --git a/.github/workflows/branch-name-check.yaml b/.github/workflows/branch-name-check.yaml new file mode 100644 index 0000000..396e83c --- /dev/null +++ b/.github/workflows/branch-name-check.yaml @@ -0,0 +1,14 @@ +name: 'Branch Naming Check' +on: pull_request + +jobs: + branch-naming-rules: + runs-on: ubuntu-latest + steps: + - uses: deepakputhraya/action-branch-name@master + with: + regex: 'DMVP-[0-9]*' # Regex the branch should match. This example enforces grouping + allowed_prefixes: 'DMVP-' # All branches should start with the given prefix + ignore: master,develop # Ignore exactly matching branch names from convention + min_length: 5 # Min length of the branch name + max_length: 30 # Max length of the branch name diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml new file mode 100644 index 0000000..960e52f --- /dev/null +++ b/.github/workflows/checkov.yaml @@ -0,0 +1,26 @@ +name: Checkov +on: + pull_request: + push: + branches: [main, master] +jobs: + terraform-validate: + runs-on: ubuntu-latest + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + security-events: write + id-token: write + strategy: + matrix: + path: + - / + + steps: + - uses: dasmeta/reusable-actions-workflows/checkov@4.2.0 + with: + fetch-depth: 0 + directory: ${{ matrix.path }} + continue-on-error: true diff --git a/.github/workflows/pr-title-checker.yaml b/.github/workflows/pr-title-checker.yaml new file mode 100644 index 0000000..0ad09fb --- /dev/null 
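Review bot: Both update blocks set `commit-message: prefix: feat`, so every Dependabot bump of an action or Terraform provider lands as a `feat:` commit and the default semantic-release commit-analyzer introduced in this same change would classify it as a minor release. Routine dependency updates are better tagged `chore` (or `fix` for a security bump): `prefix: chore`. Since Dependabot here is also the mechanism that would move SHA pins forward, consider adding `open-pull-requests-limit` so a daily schedule across two ecosystems does not flood the repository.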
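Review bot: `uses: deepakputhraya/action-branch-name@master` fetches a third-party action from a mutable branch on every pull request, so whoever controls that repository (or compromises it) can change what runs here at any time; pin to a full commit SHA, e.g. `uses: deepakputhraya/action-branch-name@<40-hex-sha> # vX.Y`, and let Dependabot advance the pin. The regex `'DMVP-[0-9]*'` is unanchored and `*` accepts zero digits, so the bare branch `DMVP-` satisfies the regex, the prefix check and the 5-character minimum at once; `'^DMVP-[0-9]+'` expresses the stated intent. The workflow also declares no `permissions:` block, so it runs with the repository's default token scope although a name check needs none — add `permissions: {}` (the branch name comes from the event payload, so no API scope should be required; confirm against the action).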
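Review bot: The job grants `contents: write`, `actions: write`, `discussions: write`, `pull-requests: write` and `id-token: write` to a static scanner that only needs to read the checkout and, if it uploads SARIF, `security-events: write`; because the workflow runs on `pull_request`, that write-capable `GITHUB_TOKEN` is available to whatever the reusable action and its dependencies execute. Trim to `permissions: contents: read` plus `security-events: write` (and `pull-requests: write` only if the action comments on PRs). `continue-on-error: true` means Checkov findings never fail the check, so the scan is advisory only; drop it, or gate merges on the code-scanning alerts it uploads — from the collapsed diff I cannot tell whether that key sits at step level or inside `with:`, where it would be an unknown input rather than a step option, so check the indentation. `dasmeta/reusable-actions-workflows/checkov@4.2.0` is a tag pin, which upstream can move; prefer a commit SHA.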
+++ b/.github/workflows/pr-title-checker.yaml @@ -0,0 +1,16 @@ +name: 'PR Title Checker' +on: + pull_request: + types: [edited, opened, synchronize, reopened] + +jobs: + title-check: + runs-on: ubuntu-latest + steps: + - uses: deepakputhraya/action-pr-title@v1.0.2 + with: + regex: 'DMVP-[0-9]*:' # Regex the title should match. + allowed_prefixes: 'DMVP-' # title should start with the given prefix + prefix_case_sensitive: false # title prefix are case insensitive + min_length: 5 # Min length of the title + max_length: -1 # Max length of the title diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml new file mode 100644 index 0000000..f43ab25 --- /dev/null +++ b/.github/workflows/pre-commit.yaml @@ -0,0 +1,23 @@ +name: Pre-Commit +on: + pull_request: + push: + branches: [main, master] +jobs: + terraform-validate: + runs-on: ubuntu-latest + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + id-token: write + steps: + - name: Pre-Commit + uses: dasmeta/reusable-actions-workflows/pre-commit@4.2.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + path: modules/${{ matrix.path }} + continue-on-error: true diff --git a/.github/workflows/semantic-release.yaml b/.github/workflows/semantic-release.yaml new file mode 100644 index 0000000..d6ce913 --- /dev/null +++ b/.github/workflows/semantic-release.yaml 
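Review bot: `regex: 'DMVP-[0-9]*:'` is unanchored and accepts zero digits, so the title `DMVP-:` passes the regex, the `allowed_prefixes` check and the 5-character minimum together; `'^DMVP-[0-9]+:'` matches what the comment says is intended. `deepakputhraya/action-pr-title@v1.0.2` is pinned to a movable tag rather than a commit SHA. The workflow sets no `permissions:`, so a title check runs with the default token scope it does not need — add `permissions: {}` (the title is in the event payload; confirm the action makes no API call).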
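Review bot: `path: modules/${{ matrix.path }}` references a matrix this job never defines (there is no `strategy:` block), so the expression expands to `modules/`, a directory this diff does not create — the step either lints nothing or fails, and `continue-on-error: true` then hides it. Either add the `strategy.matrix.path` the sibling workflows use or hard-code `path: /`. The job already requests `id-token: write` yet is also handed long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets on a `pull_request` trigger, so anyone who can push a branch to this repository can edit the workflow to read those static keys; an OIDC role assumed via `aws-actions/configure-aws-credentials` with a trust policy scoped to this repository and branch limits the blast radius (whether the reusable action accepts a role input I cannot see from here). `contents: write`, `actions: write` and `discussions: write` are not needed for a lint step; `contents: read` suffices unless the action pushes fixes.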
@@ -0,0 +1,22 @@ +name: Semantic-Release +on: [pull_request, push] +jobs: + publish: + runs-on: ubuntu-latest + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + id-token: write + steps: + - uses: actions/checkout@v4 + - name: Setup Node.js + uses: actions/setup-node@v3 + with: + node-version: 16 + - name: Semantic Release + uses: cycjimmy/semantic-release-action@v4 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/terraform-test.yaml b/.github/workflows/terraform-test.yaml new file mode 100644 index 0000000..8a0f009 --- /dev/null +++ b/.github/workflows/terraform-test.yaml @@ -0,0 +1,27 @@ +name: Terraform Test +on: + pull_request: + push: + branches: [main, master] +jobs: + terraform-validate: + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + id-token: write + runs-on: ubuntu-latest + strategy: + matrix: + path: + - / + + steps: + - uses: dasmeta/reusable-actions-workflows/terraform-test@4.2.0 + with: + aws-region: ${{ secrets.AWS_REGION}} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + path: ${{ matrix.path }} + continue-on-error: true diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml new file mode 100644 index 0000000..78eb241 --- /dev/null +++ b/.github/workflows/tflint.yaml 
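Review bot: `on: [pull_request, push]` runs the `publish` job — with `contents: write`, `GITHUB_TOKEN` and `NPM_TOKEN` in its environment — on every pull request and on pushes to every branch, not only the release branches listed in package.json; semantic-release will no-op off those branches, but the publishing secrets are still exposed to any code a same-repository branch can put into this workflow. Trigger it only from the protected branches: `on: push: branches: [main, master]`. Permissions can shrink to `contents: write`, `issues: write` and `pull-requests: write` (tagging, releasing and commenting via @semantic-release/github) and lose `actions`, `discussions` and `id-token`. `actions/setup-node@v3` with `node-version: 16` selects an end-of-life Node runtime; `actions/setup-node@v4` with `node-version: 20` is the current pairing (confirm semantic-release 19 on Node 20, or bump it). `cycjimmy/semantic-release-action@v4` and `actions/checkout@v4` are tag pins — SHA-pin a job that holds a publishing token.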
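Review bot: The job passes static AWS keys (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`) to a step that also runs on `pull_request`, so anyone able to open a PR from a branch in this repository can modify this workflow to print or forward those long-lived credentials; the job already requests `id-token: write`, so switch to OIDC — `aws-actions/configure-aws-credentials` with `role-to-assume` and a trust policy restricted to this repository's `pull_request` and `refs/heads/main` subjects — and delete the key secrets (check whether `dasmeta/reusable-actions-workflows/terraform-test` accepts a role input; its interface is not in this diff). `contents: write`, `actions: write`, `discussions: write` and `pull-requests: write` are not needed to run tests; `contents: read` suffices unless the action pushes commits. `continue-on-error: true` turns a failing Terraform test into a green check, which defeats the workflow unless it is deliberately advisory — drop it or document why. `@4.2.0` is a movable tag; pin to a commit SHA for an action that receives cloud credentials.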
@@ -0,0 +1,30 @@ +name: Tflint +on: + pull_request: + push: + branches: [main, master] + +jobs: + terraform-validate: + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + id-token: write + security-events: write + runs-on: ubuntu-latest + strategy: + matrix: + path: + - / + + steps: + - uses: dasmeta/reusable-actions-workflows/tflint@4.2.0 + with: + aws-region: ${{ secrets.AWS_REGION}} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + path: ${{ matrix.path }} + repo-token: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true diff --git a/.github/workflows/tfsec.yaml b/.github/workflows/tfsec.yaml new file mode 100644 index 0000000..3f9ad3b --- /dev/null +++ b/.github/workflows/tfsec.yaml @@ -0,0 +1,20 @@ +name: TFSEC +on: + pull_request: + push: + branches: [main, master] +jobs: + terraform-tfsec: + runs-on: ubuntu-latest + permissions: + actions: write + contents: write + discussions: write + pull-requests: write + id-token: write + security-events: write + steps: + - uses: dasmeta/reusable-actions-workflows/tfsec@4.2.0 + with: + fetch-depth: 0 + continue-on-error: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..cd2b6fa --- /dev/null +++ b/.pre-commit-config.yaml 
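Review bot: The tflint job receives `AWS_REGION`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, but TFLint is a static linter; only the AWS ruleset's `deep_check` mode calls the API, so unless `.tflint.hcl` (not in this diff) enables it, these credentials are exposed to a `pull_request` workflow for no benefit and should be removed. If deep checking is required, use the `id-token: write` already granted for OIDC role assumption instead of long-lived keys. Permissions can drop to `contents: read` plus `security-events: write` for SARIF upload and `pull-requests: write` only if the action comments; `contents: write`, `actions: write` and `discussions: write` are excess. `continue-on-error: true` again turns lint failures into a passing check.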
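Review bot: `continue-on-error: true` makes the tfsec step advisory — a failing scan still yields a green check — so misconfigurations it finds never block a merge; remove it, or if report-only is intended, state that in a comment and enforce through the code-scanning alerts that `security-events: write` implies. The other scopes (`contents: write`, `actions: write`, `discussions: write`, `pull-requests: write`, `id-token: write`) are well beyond what a scanner needs, and they are handed to a `pull_request` job; `contents: read` plus `security-events: write` (plus `pull-requests: write` if it comments) is enough. Pin `dasmeta/reusable-actions-workflows/tfsec@4.2.0` to a commit SHA rather than a tag.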
@@ -0,0 +1,36 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: check-added-large-files + - id: check-merge-conflict + - id: check-vcs-permalinks + - id: end-of-file-fixer + - id: trailing-whitespace + args: [--markdown-linebreak-ext=md] + exclude: CHANGELOG.md + - id: check-yaml + - id: check-merge-conflict + - id: check-case-conflict + - id: mixed-line-ending + args: [--fix=lf] + - id: detect-aws-credentials + args: ['--allow-missing-credentials'] + - id: detect-private-key + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.64.1 + hooks: + - id: terraform_fmt + - id: terraform_docs + args: + - --hook-config=--path-to-file=README.md + - --hook-config=--add-to-existing-file=true + - --hook-config=--create-file-if-not-exist=true + - repo: https://github.com/qoomon/git-conventional-commits + rev: v2.4.0 + hooks: + - id: conventional-commits + - repo: https://github.com/zricethezav/gitleaks + rev: v8.12.0 + hooks: + - id: gitleaks diff --git a/commitlint.config.js b/commitlint.config.js new file mode 100644 index 0000000..81c4b92 --- /dev/null +++ b/commitlint.config.js @@ -0,0 +1,5 @@ +module.exports = { + extends: [ + "@commitlint/config-conventional" + ] +} diff --git a/git-conventional-commits.json b/git-conventional-commits.json new file mode 100644 index 0000000..009fca5 --- /dev/null +++ b/git-conventional-commits.json 
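Review bot: `check-merge-conflict` appears twice in the pre-commit-hooks block — harmless, but it runs the hook twice; drop the second `- id: check-merge-conflict`. `detect-aws-credentials` matches staged content against keys found in the developer's local AWS credentials file, and `--allow-missing-credentials` makes it pass silently when that file is absent, so in CI (the `pre-commit.yaml` workflow, which configures no AWS profile) this hook detects nothing; gitleaks is the control that actually catches leaked keys here, and `v8.12.0` is a 2022-era tag whose rule set is well behind current releases. All `rev:` values are git tags, which upstream can move; pre-commit also accepts commit SHAs if reproducibility matters more than readability.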
@@ -0,0 +1,41 @@ +{ + "convention" : { + "commitTypes": [ + "feat", + "fix", + "perf", + "refactor", + "style", + "test", + "build", + "ops", + "docs", + "merge", + "chore" + ], + "commitScopes": [], + "releaseTagGlobPattern": "v[0-9]*.[0-9]*.[0-9]*", + "issueRegexPattern": "(^|\\s)#\\d+(\\s|$)" + }, + "changelog" : { + "commitTypes": [ + "feat", + "fix", + "perf", + "merge" + ], + "includeInvalidCommits": true, + "commitScopes": [], + "commitIgnoreRegexPattern": "^WIP ", + "headlines": { + "feat": "Features", + "fix": "Bug Fixes", + "perf": "Performance Improvements", + "merge": "Merged Branches", + "breakingChange": "BREAKING CHANGES" + }, + "commitUrl": "https://github.com/ACCOUNT/REPOSITORY/commit/%commit%", + "commitRangeUrl": "https://github.com/ACCOUNT/REPOSITORY/compare/%from%...%to%?diff=split", + "issueUrl": "https://github.com/ACCOUNT/REPOSITORY/issues/%issue%" + } +} diff --git a/githooks/commit-msg b/githooks/commit-msg new file mode 100755 index 0000000..b760692 --- /dev/null +++ b/githooks/commit-msg @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +# File generated by pre-commit: https://pre-commit.com +# ID: 138fd403232d2ddd5efb44317e38bf03 + +# start templated +INSTALL_PYTHON=/usr/bin/python3 +ARGS=(hook-impl --config=.pre-commit-config.yaml --hook-type=commit-msg) +# end templated + +HERE="$(cd "$(dirname "$0")" && pwd)" +ARGS+=(--hook-dir "$HERE" -- "$@") + +if command -v pre-commit > /dev/null; then + exec pre-commit "${ARGS[@]}" +elif [ -x "$INSTALL_PYTHON" ]; then + exec "$INSTALL_PYTHON" -mpre_commit "${ARGS[@]}" +else + echo '`pre-commit` not found. Did you forget to activate your virtualenv?' 1>&2 + exit 1 +fi diff --git a/githooks/pre-commit b/githooks/pre-commit new file mode 100755 index 0000000..c3aacd8 --- /dev/null +++ b/githooks/pre-commit @@ -0,0 +1,4 @@ +#!/bin/bash + +set -e +pre-commit run --show-diff-on-failure --color=always --all-files diff --git a/package.json b/package.json new file mode 100644 index 0000000..1782661 --- /dev/null 
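Review bot: `commitUrl`, `commitRangeUrl` and `issueUrl` still carry the `ACCOUNT/REPOSITORY` template placeholders, so every link in a generated changelog will point at a non-existent repository; substitute the real owner and name. `"includeInvalidCommits": true` also writes commits that fail the convention enforced by the `conventional-commits` hook into the changelog — possibly intentional for a migration period, but it undercuts the enforcement and should either be documented or set to `false`.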
+++ b/package.json @@ -0,0 +1,22 @@ +{ + "name": "app", + "devDependencies": { + "@commitlint/cli": "^17.0.3", + "@commitlint/config-conventional": "^17.0.3", + "husky": "^8.0.1", + "@semantic-release/github": "^8.0.4", + "semantic-release": "^19.0.3" + }, + "release": { + "branches": [ + "main", "master", "next" + ] + }, + "private": true, + "plugins": [ + "@semantic-release/commit-analyzer", + "@semantic-release/release-notes-generator", + "@semantic-release/github", + "@semantic-release/npm" + ] +}
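Review bot: `"plugins"` is a top-level key rather than a child of `"release"`, so semantic-release does not read it (its configuration lives under `release`, in `.releaserc`, or in `release.config.js`) and silently falls back to its default plugin set — which happens to be the same four plugins here, but the misplacement will bite the moment the list changes; move the array under `"release"`. The package is `"private": true`, so `@semantic-release/npm` will not publish and the `NPM_TOKEN` exposed in `semantic-release.yaml` is a secret handed out for nothing — remove the plugin and the env var unless an npm publish is actually intended. `husky` is declared but there is no `prepare` script or `.husky/` directory in this diff, so the `githooks/` scripts only run if a developer sets `core.hooksPath` by hand; add `"prepare": "husky install"` or document `git config core.hooksPath githooks`.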