diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e6703295..3a319f6e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,7 +7,11 @@ updates:
directory: /
schedule:
interval: daily
- - package-ecosystem: "terraform"
- directory: "/terraform"
+ - package-ecosystem: terraform
+ directory: /terraform
schedule:
- interval: "daily"
+ interval: daily
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fcee0799..e858ecf7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -280,7 +280,7 @@ jobs:
run: |
REPORT_FILE=$(mktemp -t summary.md.XXXXX)
cat >> $REPORT_FILE << 'ENDOFREPORT'
- ## Build Lambdas Summary
+ ## Build CLI Summary
Compiled Checksums (before packing)
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index aabda62b..cd0c1200 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -109,6 +109,8 @@ jobs:
update_release:
name: Update release
runs-on: ubuntu-latest
+ permissions:
+ contents: write
needs:
- tf-apply
env:
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index 3b606694..2881de5c 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -11,8 +11,8 @@ permissions:
contents: read
jobs:
- qa_go:
- name: QA for Go
+ prepare-go-qa:
+ name: Prepare for Go QA
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
@@ -20,13 +20,11 @@ jobs:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
- actions-results-receiver-production.githubapp.com:443
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
sum.golang.org:443
- storage.googleapis.com:443
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
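Review bot: `contents: write` on update_release is the scope needed to publish a release, but the same token can then push to any branch, so it is worth confirming that no step in this job checks out or executes code from a ref a contributor could influence; the job's steps are outside the hunk. Declaring a job-level `permissions` block also resets every unlisted scope to none for that job, so any other scope its steps rely on (for example `id-token: write` if a cloud role is assumed after `tf-apply`) has to be listed here explicitly. A one-line comment would help future reviewers, e.g. `# contents: write — required to create/update the GitHub release`.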
@@ -53,15 +51,141 @@ jobs:
run: task prebuild-lambda
- name: Check Formatting
run: test -z "$(go fmt ./...)" || echo "Formatting check failed."
- - name: Test
+
+ go-test:
+ name: Run Go Tests
+ runs-on: ubuntu-latest
+ needs:
+ - prepare-go-qa
+ steps:
+ - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ show-progress: 'false'
+ persist-credentials: 'false'
+ - name: Restore Taskfile cache
+ uses: actions/cache/restore@v3
+ with:
+ key: ${{ runner.os }}-qa-taskfile
+ path: |
+ ./.task
+ ./bin
+ ./cover.out
+ ./cover.html
+ - uses: actions/setup-go@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ go-version-file: go.mod
+ - uses: arduino/setup-task@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ version: 3.x
+ - name: Run tests
run: task test
- - name: Vet
+
+ go-vet:
+ name: Vet Go Code
+ runs-on: ubuntu-latest
+ needs:
+ - prepare-go-qa
+ steps:
+ - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ show-progress: 'false'
+ persist-credentials: 'false'
+ - uses: actions/setup-go@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ go-version-file: go.mod
+ - name: Vet source code
run: go vet ./...
- - name: Lint
+
+ go-lint:
+ name: Lint Go Code
+ runs-on: ubuntu-latest
+ needs:
+ - prepare-go-qa
+ steps:
+ - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ show-progress: 'false'
+ persist-credentials: 'false'
+ - uses: actions/setup-go@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ go-version-file: go.mod
+ - name: Lint with Staticcheck
uses: dominikh/staticcheck-action@v1.3.0
with:
install-go: false
- - name: Ensure all go binaries compile
+
+ go-build:
+ name: Ensure Go Builds
+ runs-on: ubuntu-latest
+ needs:
+ - prepare-go-qa
+ steps:
+ - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ sum.golang.org:443
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ show-progress: 'false'
+ persist-credentials: 'false'
+ - name: Restore Taskfile cache
+ uses: actions/cache/restore@v3
+ with:
+ key: ${{ runner.os }}-qa-taskfile
+ path: |
+ ./.task
+ ./bin
+ ./cover.out
+ ./cover.html
+ - uses: actions/setup-go@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ go-version-file: go.mod
+ - uses: arduino/setup-task@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ version: 3.x
+ - name: Ensure all binaries can compile
run: task build build-cli
tflint:
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
index 48f5b655..e36cdc0f 100644
--- a/.github/workflows/terraform-plan.yml
+++ b/.github/workflows/terraform-plan.yml
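Review bot: The `Restore Taskfile cache` step in go-test and go-build restores `./bin` (executables the following `task test` / `task build build-cli` steps presumably use) under the static key `${{ runner.os }}-qa-taskfile`, which carries no content hash, so an entry saved from an older commit is silently reused and executed; keying on the inputs, e.g. `key: ${{ runner.os }}-qa-taskfile-${{ hashFiles('go.sum', 'Taskfile.yml') }}`, ties the restored binaries to the sources that produced them (the matching save step in prepare-go-qa is outside this hunk, so I cannot confirm what key it writes). Second, harden-runner is pinned to a commit SHA while the new jobs pin `actions/checkout@v4`, `actions/setup-go@v4`, `actions/cache/restore@v3`, `arduino/setup-task@v1` and `dominikh/staticcheck-action@v1.3.0` by mutable tag; since this same commit enables Dependabot for github-actions, SHA pins with a trailing `# vN` comment can now be kept current automatically, e.g. `- uses: actions/checkout@<sha> # v4`. Minor style point: `show-progress: 'false'` and `persist-credentials: 'false'` are quoted strings where the plain boolean `false` is the conventional form. The `tflint` job that follows is cut off at the hunk edge.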
@@ -94,7 +94,6 @@ jobs:
TF_CLI_ARGS: "-no-color"
TF_IN_AUTOMATION: "true"
TF_INPUT: 0
- TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache
concurrency:
group: ${{ inputs.concurrency-group }}
cancel-in-progress: false
@@ -205,7 +204,6 @@ jobs:
name: ${{ env.ARTIFACTS_KEY }}
path: |
${{ github.workspace }}/terraform
- !${{ env.TF_PLUGIN_CACHE_DIR }}
!${{ github.workspace }}/terraform/.terraform
if-no-files-found: error
retention-days: ${{ inputs.artifacts-retention-days }}