Merge pull request #11 from getindata/chore/updates-and-workflows

chore: Update workflows and pre-commit hooks

Author: kacpermuda

.github/dependabot.yml

@@ -0,0 +1,40 @@
+version: 2
+updates:
+
+  # GitHub actions
+  - package-ecosystem: "github-actions"
+    directory: "/"  # For GitHub Actions "/" must be used for workflow files in ".github/workflows"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore: "
+    labels:
+      - "release/patch"
+
+  # Terraform
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore: "
+    labels:
+      - "release/patch"
+
+  - package-ecosystem: "terraform"
+    directory: "/examples/complete/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore: "
+    labels:
+      - "release/patch"
+
+  - package-ecosystem: "terraform"
+    directory: "/examples/simple/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore: "
+    labels:
+      - "release/patch"

.github/workflows/documentation.yml

@@ -1,4 +1,8 @@
-name: 'Validate PR title'
+name: Validate PR title
+
+permissions:
+  pull-requests: read
+  statuses: write
 
 on:
   pull_request_target:
@@ -9,42 +13,4 @@ on:
 
 jobs:
   main:
-    name: Validate PR title
-    runs-on: ubuntu-latest
-    steps:
-      # Please look up the latest version from
-      # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          # Configure which types are allowed.
-          # Default: https://github.com/commitizen/conventional-commit-types
-          types: |
-            feat
-            fix
-            improvement
-            docs
-            refactor
-            test
-            ci
-            chore
-          # Configure that a scope must always be provided.
-          requireScope: false
-          # Configure additional validation for the subject based on a regex.
-          # This example ensures the subject starts with an uppercase character.
-          subjectPattern: ^[A-Z].+$
-          # If `subjectPattern` is configured, you can use this property to override
-          # the default error message that is shown when the pattern doesn't match.
-          # The variables `subject` and `title` can be used within the message.
-          subjectPatternError: |
-            The subject "{subject}" found in the pull request title "{title}"
-            didn't match the configured pattern. Please ensure that the subject
-            starts with an uppercase character.
-          # For work-in-progress PRs you can typically use draft pull requests
-          # from Github. However, private repositories on the free plan don't have
-          # this option and therefore this action allows you to opt-in to using the
-          # special "[WIP]" prefix to indicate this state. This will avoid the
-          # validation of the PR title and the pull request checks remain pending.
-          # Note that a second check will be reported if this is enabled.
-          wip: true
+    uses: getindata/github-workflows/.github/workflows/gh-validate-pr-title.yml@v1

.github/workflows/pr-title.yml

@@ -1,82 +1,18 @@
-name: Pre-Commit
+name: TF Pre-Commit
+
+permissions:
+  contents: read
 
 on:
   pull_request:
     branches:
       - main
       - master
 
-env:
-  TERRAFORM_DOCS_VERSION: v0.16.0
-
 jobs:
-  collectInputs:
-    name: Collect workflow inputs
-    runs-on: ubuntu-latest
-    outputs:
-      directories: ${{ steps.dirs.outputs.directories }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Get root directories
-        id: dirs
-        uses: clowdhaus/terraform-composite-actions/[email protected]
-
-  preCommitMinVersions:
-    name: Min TF pre-commit
-    needs: collectInputs
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Terraform min/max versions
-        id: minMax
-        uses: clowdhaus/[email protected]
-        with:
-          directory: ${{ matrix.directory }}
-
-      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
-        # Run only validate pre-commit check on min version supported
-        if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/[email protected]
-        with:
-          terraform-version: ${{ steps.minMax.outputs.minVersion }}
-          args: "terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*"
-
-      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
-        # Run only validate pre-commit check on min version supported
-        if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/[email protected]
-        with:
-          terraform-version: ${{ steps.minMax.outputs.minVersion }}
-          args: "terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)"
-
-  preCommitMaxVersion:
-    name: Max TF pre-commit
-    runs-on: ubuntu-latest
-    needs: collectInputs
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-
-      - name: Terraform min/max versions
-        id: minMax
-        uses: clowdhaus/[email protected]
-
-        # Step required as tflint pre-commit hook requires module to be initialised
-      - run: terraform init
-
-      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/[email protected]
-        with:
-          terraform-version: ${{ steps.minMax.outputs.maxVersion }}
-          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
-          # tflint-version: ${{ env.TFLINT_VERSION }} # use this version with "Invicton-Labs/deepmerge/null" module
+  main:
+    uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1
+    with:
+      # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20
+      # See .pre-commit-config.yaml for more details.
+      tflint-version: v0.46.0

.github/workflows/pre-commit.yml

@@ -1,67 +1,13 @@
 name: Create new release with changelog
 
+permissions:
+  contents: write
+  pull-requests: write
+
 on:
-  pull_request:
+  pull_request_target:
     types: [closed]
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 100
-
-      - name: Check release label
-        id: release-label
-        uses: actions-ecosystem/action-release-label@v1
-        if: ${{ github.event.pull_request.merged == true }}
-
-      - name: Get latest tag
-        id: get-latest-tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
-        if: ${{ steps.release-label.outputs.level != null }}
-
-      - name: Bump semantic version
-        id: bump-semver
-        uses: actions-ecosystem/action-bump-semver@v1
-        if: ${{ steps.release-label.outputs.level != null }}
-        with:
-          current_version: ${{ steps.get-latest-tag.outputs.tag }}
-          level: ${{ steps.release-label.outputs.level }}
-
-      - name: Tag release
-        id: tag-relese
-        uses: actions-ecosystem/action-push-tag@v1
-        if: ${{ steps.release-label.outputs.level != null }}
-        with:
-          tag: ${{ steps.bump-semver.outputs.new_version }}
-          message: "${{ steps.bump-semver.outputs.new_version }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}"
-
-      - name: Generate new release with changelog
-        id: release-with-changelog
-        uses: fregante/release-with-changelog@v3
-        if: ${{ steps.bump-semver.outputs.new_version != null }}
-        with:
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          exclude: '^meta|^docs|^document|^lint|^ci|^refactor|readme|workflow|bump|dependencies|yml|^v?\d+\.\d+\.\d+'
-          tag: "${{ steps.bump-semver.outputs.new_version }}"
-          title: "Version ${{ steps.bump-semver.outputs.new_version }}"
-          commit-template: "- {title} ← {hash}"
-          skip-on-empty: true
-          template: |
-            ### Changelog
-
-            {commits}
-
-            {range}
-
-      - name: Comment PR
-        id: add-comment
-        uses: actions-ecosystem/action-create-comment@v1
-        if: ${{ steps.bump-semver.outputs.new_version != null }}
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          number: ${{ steps.get-merged-pull-request.outputs.number }}
-          body: |
-            The new version [${{ steps.bump-semver.outputs.new_version }}](https://github.com/${{ github.repository }}/releases/tag/${{ steps.bump-semver.outputs.new_version }}) has been released :tada:
+    uses: getindata/github-workflows/.github/workflows/gh-create-release.yml@v1

.github/workflows/release.yml

@@ -1,28 +1,35 @@
 repos:
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev: "v0.1.17" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+    # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102
+    # When updating, also check if tflint version in pre-commit workflow can be updated.
+    rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
     hooks:
+      - id: terraform-validate # It should be the first step as it runs terraform init required by tflint
+      - id: terraform-fmt
       - id: tflint
         args:
           - --module
           - --config=.tflint.hcl
-      - id: terraform-validate
-      - id: terraform-fmt
 
   - repo: https://github.com/terraform-docs/terraform-docs
-    rev: "v0.16.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
     hooks:
       - id: terraform-docs-go
         args: ["."]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+    rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
     hooks:
       - id: checkov
-        args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
+        args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
       - id: check-merge-conflict
+        args: ["--assume-in-merge"]
+      - id: mixed-line-ending
+        args: ["--fix=no"]
       - id: end-of-file-fixer
+      - id: check-case-conflict
+      - id: check-yaml

.pre-commit-config.yaml

@@ -1,38 +1,10 @@
-config {
-  ignore_module = {
-    "Invicton-Labs/deepmerge/null" = true
-  }
+plugin "terraform" {
+    enabled = true
+    version = "0.5.0"
+    source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+    preset  = "all"
 }
 
-rule "terraform_deprecated_interpolation" {
-  enabled = true
-}
-
-rule "terraform_documented_outputs" {
-  enabled = true
-}
-
-rule "terraform_documented_variables" {
-  enabled = true
-}
-
-rule "terraform_typed_variables" {
-  enabled = true
-}
-
-rule "terraform_required_version" {
-  enabled = true
-}
-
-rule "terraform_required_providers" {
-  enabled = true
-}
-
-rule "terraform_unused_required_providers" {
-  enabled = true
-}
-
-rule "terraform_naming_convention" {
-  enabled = true
-  format  = "snake_case"
+rule "terraform_standard_module_structure" {
+  enabled = false  # Fails on context.tf
 }