From aae4959a2f45901172e6c3af5f93f46b22e3611b Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 00:12:21 +0000
Subject: [PATCH 01/11] Parallelize more jobs in "QA Checks" workflow
---
 .github/workflows/qa.yml | 128 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 113 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index 3b606694..fcde8825 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -11,22 +11,14 @@ permissions: contents: read jobs: - qa_go: - name: QA for Go + prepare-go-qa: + name: Prepare for Go QA runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: block - allowed-endpoints: > actions-results-receiver-production.githubapp.com:443 api.github.com:443 github.com:443 objects.githubusercontent.com:443 proxy.golang.org:443 sum.golang.org:443 storage.googleapis.com:443 + egress-policy: audit - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
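Review bot: Replacing the block policy and its seven-entry allowlist with `egress-policy: audit` leaves the prepare job with unrestricted egress from this commit until patch 10 re-enables `block`, so any revision checked out in between (a bisect, a revert, a branch cut from here) runs the QA jobs without the egress control; squashing this hunk with the corresponding hunk of patch 10 would close that window. The list removed here is also the only record that this job once needed `actions-results-receiver-production.githubapp.com:443` and `storage.googleapis.com:443`, and patch 10's replacement lists do not bring those two back, so the difference deserves an explanation in the commit message or a comment rather than silently disappearing.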
@@ -53,15 +45,121 @@ jobs: run: task prebuild-lambda - name: Check Formatting run: test -z "$(go fmt ./...)" || echo "Formatting check failed." - - name: Test + + go-test: + name: Run Go Tests + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Restore Taskfile cache + uses: actions/cache/restore@v3 + with: + key: ${{ runner.os }}-qa-taskfile + path: | + ./.task + ./bin + ./cover.out + ./cover.html + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Run tests run: task test - - name: Vet + + go-vet: + name: Vet Go Code + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - name: Vet source code run: go vet ./... 
- - name: Lint + + go-lint: + name: Lint Go Code + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - name: Lint with Staticcheck uses: dominikh/staticcheck-action@v1.3.0 with: install-go: false - - name: Ensure all go binaries compile + + go-build: + name: Ensure Go Builds + runs-on: ubuntu-latest + needs: + - prepare-go-qa + steps: + - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + disable-sudo: true + egress-policy: audit + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + show-progress: 'false' + persist-credentials: 'false' + - name: Restore Taskfile cache + uses: actions/cache/restore@v3 + with: + key: ${{ runner.os }}-qa-taskfile + path: | + ./.task + ./bin + ./cover.out + ./cover.html + - uses: actions/setup-go@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + go-version-file: go.mod + - uses: arduino/setup-task@v1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + - name: Ensure all binaries can compile run: task build build-cli tflint:
From 747d2b81395cac12042c23254ac187737dba026f Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 00:13:46 +0000
Subject: [PATCH 02/11] Configure Dependabot for github-actions updates
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e6703295..d914bafc 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,7 @@ updates: directory: "/terraform" schedule: interval: "daily" + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily
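Review bot: The `actions/cache/restore@v3` steps in go-test and go-build use the fixed key `${{ runner.os }}-qa-taskfile` with no `hashFiles()` component, so the restored `./.task` and `./bin` contents come from whichever run first saved that key rather than from the inputs this run is checking, and a Taskfile or `go.sum` change keeps restoring the stale entry until it is evicted; `key: ${{ runner.os }}-qa-taskfile-${{ hashFiles('Taskfile.yml', 'go.sum') }}` (substitute the repository's actual file names) ties the entry to its inputs. Because the ci.yml hunks later in this series invoke this workflow on `pull_request_target`, the save in the prepare job (outside this hunk, and presumably keyed the same way) appears to write into the base branch's cache scope, so please confirm nothing built from `inputs.ref` ends up in the shared entry. go-build also restores `./cover.out` and `./cover.html`, which only `task test` produces; a job-specific `path:` list would avoid carrying test output into the build job. On style, the five jobs repeat the same harden-runner/checkout/setup-go preamble verbatim, and go-vet/go-lint already differ from go-test/go-build in which steps they carry; a composite action would keep the preamble from drifting further.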
From 436f45ca56bd8527e51375c1309bc259e4989c5d Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 00:14:16 +0000
Subject: [PATCH 03/11] Tweak: Remove unnecessary quotes in yaml
---
 .github/dependabot.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d914bafc..3a319f6e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,10 +7,10 @@ updates: directory: / schedule: interval: daily - - package-ecosystem: "terraform" - directory: "/terraform" + - package-ecosystem: terraform + directory: /terraform schedule: - interval: "daily" + interval: daily - package-ecosystem: github-actions directory: / schedule:
From bfdf8d92f3ddce4c6756a7d88ddaf01f3763af74 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 00:15:07 +0000
Subject: [PATCH 04/11] Temporarily change CI trigger for testing
---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 023b9dff..92fc8878 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,8 @@
 name: Continuous Integration on: - pull_request_target: {} + # pull_request_target: {} + pull_request: {} jobs: qa:
From d5776131234f3389f616ba52dc70bf25e2ff7a77 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 01:08:14 +0000
Subject: [PATCH 05/11] Fix typo in build summary template
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fcee0799..e858ecf7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -280,7 +280,7 @@ jobs: run: | REPORT_FILE=$(mktemp -t summary.md.XXXXX) cat >> $REPORT_FILE << 'ENDOFREPORT' - ## Build Lambdas Summary + ## Build CLI Summary
Compiled Checksums (before packing)
From d1d1b1314015a9384e4f0e38de2c21829f77f823 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 01:46:44 +0000
Subject: [PATCH 06/11] Exclude path glob matching TF_PLUGIN_CACHE_DIR env var
---
 .github/workflows/terraform-plan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
index 48f5b655..70fb3734 100644
--- a/.github/workflows/terraform-plan.yml
+++ b/.github/workflows/terraform-plan.yml
@@ -205,7 +205,7 @@ jobs: name: ${{ env.ARTIFACTS_KEY }} path: | ${{ github.workspace }}/terraform - !${{ env.TF_PLUGIN_CACHE_DIR }} + !**/${{ env.TF_PLUGIN_CACHE_DIR }}/** !${{ github.workspace }}/terraform/.terraform if-no-files-found: error retention-days: ${{ inputs.artifacts-retention-days }}
From 1cb00b2514a632c13f170bc5b0e48961c344ba41 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 02:33:31 +0000
Subject: [PATCH 07/11] Allow "Deploy Production" workflow to update releases
---
 .github/workflows/deploy-production.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index aabda62b..cd0c1200 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -109,6 +109,8 @@ jobs: update_release: name: Update release runs-on: ubuntu-latest + permissions: + contents: write needs: - tf-apply env:
From 1b673dddfc4cf5f662452378e05c403c3f387682 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 02:35:40 +0000
Subject: [PATCH 08/11] Undo testing mod to CI trigger
---
 .github/workflows/ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 92fc8878..023b9dff 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
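Review bot: With `TF_PLUGIN_CACHE_DIR` set to `~/.terraform.d/plugin-cache` (its value is visible where patch 09 removes it), the new pattern renders as `!**/~/.terraform.d/plugin-cache/**`; as far as I know the upload-artifact glob matcher expands only a leading `~`, so here the tilde is a literal path component and the exclusion most likely matches nothing. The upload root is `${{ github.workspace }}/terraform`, so the plugin cache under `$HOME` can only enter the artifact through the provider symlinks Terraform places under `.terraform/`, which the following `!${{ github.workspace }}/terraform/.terraform` line already covers; listing the uploaded artifact's contents once would settle whether this line is needed at all. Patch 09 deletes this line and patch 11 does not restore it, so the series ends without it either way.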
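Review bot: Job-level `permissions: contents: write` upgrades `GITHUB_TOKEN` for every step of update_release, not only the step that edits the release, and the job's steps lie outside this hunk; please confirm that each third-party action used there is pinned to a commit SHA (as harden-runner is in qa.yml) and that the token reaches only the release step. A job-level `permissions` block also drops every unlisted scope to none, so a comment such as `# write: needed to update the GitHub release; all other scopes intentionally none` would record both halves of the intent for the next reader.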
@@ -1,8 +1,7 @@
 name: Continuous Integration on: - # pull_request_target: {} - pull_request: {} + pull_request_target: {} jobs: qa:
From a558c0e412b16c627cb25d108fd14b441c68754c Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 02:42:03 +0000
Subject: [PATCH 09/11] Modifications to enable PR testing (will undo)
---
 .github/workflows/ci.yml | 3 ++-
 .github/workflows/terraform-plan.yml | 4 ----
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 023b9dff..92fc8878 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,8 @@
 name: Continuous Integration on: - pull_request_target: {} + # pull_request_target: {} + pull_request: {} jobs: qa:
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
index 70fb3734..a95fdd35 100644
--- a/.github/workflows/terraform-plan.yml
+++ b/.github/workflows/terraform-plan.yml
@@ -94,7 +94,6 @@ jobs: TF_CLI_ARGS: "-no-color" TF_IN_AUTOMATION: "true" TF_INPUT: 0 - TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache concurrency: group: ${{ inputs.concurrency-group }} cancel-in-progress: false
@@ -192,20 +191,17 @@ jobs: run: terraform show tfplan - name: Encrypt terraform plan file id: encrypt_plan - if: success() && inputs.upload-artifacts env: GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} run: | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 tfplan rm tfplan - name: Store terraform artifacts - if: success() && inputs.upload-artifacts uses: actions/upload-artifact@v3 with: name: ${{ env.ARTIFACTS_KEY }} path: | ${{ github.workspace }}/terraform - !**/${{ env.TF_PLUGIN_CACHE_DIR }}/** !${{ github.workspace }}/terraform/.terraform if-no-files-found: error retention-days: ${{ inputs.artifacts-retention-days }}
From 2911ccf0e559d2a7785f010ae52050498818a301 Mon Sep 17 00:00:00 2001
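Review bot: Restoring `pull_request_target: {}` means the QA jobs introduced in patch 01 — which check out `inputs.ref` and then run the Taskfile, `go test`, `go vet` and staticcheck from that ref — execute pull-request code in a run that carries the base repository's `GITHUB_TOKEN` and whatever secrets the caller passes; the mitigations visible in qa.yml (`permissions: contents: read`, `persist-credentials: 'false'`, `disable-sudo: true`, harden-runner egress control) narrow the exposure but do not make that boundary explicit. Please confirm that the `qa` job in ci.yml (outside this hunk) passes no secrets beyond `GITHUB_TOKEN` to the reusable workflow and sets `inputs.ref` to the PR head SHA rather than a branch name, so the code that was reviewed is the code that runs. A one-line comment above the trigger stating why `pull_request_target` is required and which jobs may consume PR code would help reviewers of later changes. Patch 11 repeats this hunk, and patches 04 and 09 toggle the trigger by commenting the line out; a `workflow_dispatch` input or a throwaway branch would avoid committing those toggles.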
From: tyler
Date: Tue, 19 Sep 2023 02:53:26 +0000
Subject: [PATCH 10/11] Apply egress blocks from audit
---
 .github/workflows/qa.yml | 36 +++++++++++++++++++++++++++++++-----
 1 file changed, 31 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index fcde8825..2881de5c 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -18,7 +18,13 @@ jobs: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
@@ -55,7 +61,13 @@ jobs: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
@@ -90,7 +102,11 @@ jobs: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + sum.golang.org:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
@@ -112,7 +128,11 @@ jobs: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + proxy.golang.org:443 + sum.golang.org:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
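Review bot: The restored allowlists encode what one audit run happened to need rather than what the steps can need: the lists for go-vet and go-lint (hunks 3 and 4 of this commit) allow only `github.com:443`, `proxy.golang.org:443` and `sum.golang.org:443`, which presumably works only while the Go version named in go.mod is preinstalled on the runner image — once a bump is not, `actions/setup-go` has to download a toolchain and will be blocked. Likewise the allowlist removed in patch 01 contained `actions-results-receiver-production.githubapp.com:443` and `storage.googleapis.com:443`, which none of the five new lists include even though go-test and go-build restore the cache and the prepare job presumably saves it; a cold-cache or save path may simply not have been exercised by the audit. Re-running the audit with a cold cache and a Go version the image lacks before relying on `block`, plus a one-line comment next to each list naming the step each endpoint serves, would keep these lists reviewable. The same applies to hunks 2 and 5.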
@@ -136,7 +156,13 @@ jobs: - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + sum.golang.org:443 - uses: actions/checkout@v4 with: ref: ${{ inputs.ref }}
From 8dc26940ec686d906289b2e2dc223d132425db98 Mon Sep 17 00:00:00 2001
From: tyler
Date: Tue, 19 Sep 2023 02:56:13 +0000
Subject: [PATCH 11/11] Remove temp workarounds for CI testing
---
 .github/workflows/ci.yml | 3 +--
 .github/workflows/terraform-plan.yml | 2 ++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 92fc8878..023b9dff 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,8 +1,7 @@
 name: Continuous Integration on: - # pull_request_target: {} - pull_request: {} + pull_request_target: {} jobs: qa:
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
index a95fdd35..e36cdc0f 100644
--- a/.github/workflows/terraform-plan.yml
+++ b/.github/workflows/terraform-plan.yml
@@ -191,12 +191,14 @@ jobs: run: terraform show tfplan - name: Encrypt terraform plan file id: encrypt_plan + if: success() && inputs.upload-artifacts env: GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }} run: | gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 tfplan rm tfplan - name: Store terraform artifacts + if: success() && inputs.upload-artifacts uses: actions/upload-artifact@v3 with: name: ${{ env.ARTIFACTS_KEY }}
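Review bot: The commit message says it removes the temporary workarounds, but the terraform-plan.yml hunk only restores the two `if: success() && inputs.upload-artifacts` guards; the `TF_PLUGIN_CACHE_DIR: ~/.terraform.d/plugin-cache` env entry and the `!**/${{ env.TF_PLUGIN_CACHE_DIR }}/**` exclusion that patch 09 dropped are not restored, so the series ends with the plugin cache disabled and patch 06 effectively reverted. If that is intended the message should say so; otherwise the two lines need to come back in this commit. The encrypt step this hunk now guards passes the passphrase as a command-line argument (`--passphrase "$GPG_PASSPHRASE"`), where it is visible to other processes on the runner for the duration of the call; `--passphrase-fd 0` with the value supplied on stdin keeps it out of the argument list. The ci.yml hunk in this commit is identical to patch 08's, so rebasing to drop the patch 09/11 round-trip would remove the first question entirely.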