ci: synced file(s) with honestbank/.github
honestbank-bot committed Jul 9, 2024
1 parent 6b51641 commit d7f51a1
Showing 6 changed files with 54 additions and 64 deletions.
3 changes: 3 additions & 0 deletions .github/CODEOWNERS
@@ -1,3 +1,6 @@
# DO NOT CHANGE. This file is being managed from a central repository
# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md

# This is a comment.
# Each line is a file pattern followed by one or more owners.

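Review bot: the two added header lines say the file is managed centrally and must not be changed, but that is advisory text only; nothing shown here stops a local edit, which would then either be silently overwritten on the next sync or quietly diverge until then. Since CODEOWNERS decides who must approve changes, consider listing `.github/CODEOWNERS` itself with a platform or security team as owner so edits to it need their review, and have the sync job fail or open a pull request instead of overwriting when the file has drifted.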
3 changes: 2 additions & 1 deletion .github/pull_request_template.md
@@ -6,13 +6,14 @@
-->

## Pull Request Submission Checklist
### Pull Request Submission Checklist

Please confirm that you have done the following before requesting reviews:

- [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
- [ ] I have typed an adequate description that explains **why** I am making this change.
- [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)

### Description

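Review bot: the unchanged checklist item "I have installed and run standard pre-commit hooks that lints and validates my code" has a subject/verb disagreement; while this file is being touched, change it to "hooks that lint and validate my code". The new Backstage item links to a Notion URL carrying a `?pvs=4` tracking parameter that can be dropped. Demoting the checklist heading from `##` to `###` matches the existing `### Description` heading below it, which looks intended.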
14 changes: 13 additions & 1 deletion .github/workflows/checkov.yaml
@@ -3,7 +3,7 @@ permissions: read-all

on:
pull_request:
branches: [main]
branches: [test, dev, qa, prod, main]

jobs:
checkov:
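Review bot: widening `branches` to `[test, dev, qa, prod, main]` still leaves pull requests between any other pair of branches unscanned; if every PR should be checked, drop the `branches` filter entirely so `pull_request` fires for all targets. If the intent is that these five environment branches are the only protected targets, say so in a comment, since the list will otherwise drift from the branch-protection settings.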
@@ -15,6 +15,18 @@ jobs:
with:
submodules: "recursive"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create empty baseline (if needed)
run: |
if [ -f .checkov.baseline ]; then
echo "⏩⏩⏩ Baseline file exists - do nothing."
else
echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
echo "{}" >> .checkov.baseline
fi
- name: Output baseline contents to console
run: |
echo "Checkov baseline file (.checkov.baseline) contents:"
cat .checkov.baseline
- name: Run Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
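Review bot: the baseline is read from the checked-out repository, so any pull request can add its own findings to `.checkov.baseline` and have them suppressed in the same run; treat changes to that file as security-relevant (for example, give it a dedicated CODEOWNERS entry) or the scan can be bypassed by the code it is meant to gate. In the creation step, `echo "{}" >> .checkov.baseline` should use `>` rather than `>>` (the file is known not to exist in that branch, but the append reads as a mistake), and the documented baseline shape is `{"failed_checks": []}`, which is the safer empty value. The context line `uses: bridgecrewio/checkov-action@master` tracks a mutable branch; pin it to a release tag or, better, a full commit SHA so the scanner cannot change underneath the workflow.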
19 changes: 14 additions & 5 deletions .github/workflows/semantic-pr.yaml
@@ -1,19 +1,28 @@
name: "semantic-pull-request"
permissions: read-all
# yamllint disable rule:line-length
# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows

# Use this workflow for public repos, since public repos cannot access our internal
# workflows repo.
---
name: public-semantic-pr
permissions:
contents: write
pull-requests: write

on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize

jobs:
main:
name: semantic-pull-request
public-semantic-pr:
name: public-semantic-pr
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
- uses: amannn/action-semantic-pull-request@v4
name: Semantic Pull Request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
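Review bot: both the permissions change and the action version change go in the wrong direction for a PR-title check. `amannn/action-semantic-pull-request` only needs to read the pull request; `contents: write` is never required here, yet it replaces the previous `permissions: read-all`. The step also moves from `@v5` back to `@v4`; if that downgrade is deliberate, record why in the comment block, and for a workflow that now carries write scopes pin to a full commit SHA rather than a moving major tag. On `pull_request` runs from forks the token is read-only regardless, so the write grants only take effect for same-repo PRs, which is exactly where an over-scoped token does the most damage.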
26 changes: 8 additions & 18 deletions .github/workflows/terraform.yaml
@@ -1,26 +1,18 @@
name: "Terraform GitHub Actions"
permissions: read-all

name: "Terraform GitHub Action"

[Checkov annotation on line 1 of .github/workflows/terraform.yaml: CKV2_GHA_1 "Ensure top-level permissions are not set to write-all"]
on:
pull_request:
branches:
- main
push:
branches:
- main
env:
tf_version: "latest"
tf_working_dir: "."
TF_VAR_google_credentials: ${{ secrets.GOOGLE_CREDENTIALS }}
# This workflow is meant for public Terraform module repositories
# which are generally component modules that follow trunk-based development.
branches: [main]
jobs:
terraform:
name: "Terraform - Format, Init, Validate, Plan, Fail on Change"
name: "terraform"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@master
uses: actions/checkout@v4
with:
submodules: true
submodules: "recursive"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
with:
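Review bot: dropping `permissions: read-all` together with the old `name:` line is consistent with the CKV2_GHA_1 annotation on line 1: with no top-level `permissions` block the job inherits the repository's default `GITHUB_TOKEN` scopes, which may be write. Re-add `permissions: read-all` (or `contents: read`) under the new name; a format/validate/plan job needs nothing more. The rest of the hunk is an improvement: `actions/checkout@master` becomes `@v4`, and the `TF_VAR_google_credentials: ${{ secrets.GOOGLE_CREDENTIALS }}` env line is gone, so a plan run on a pull request no longer has cloud credentials in scope. If plan is expected to need credentials for some modules, state that in the workflow comment rather than leaving it to be rediscovered at run time.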
@@ -29,11 +21,9 @@ jobs:
id: fmt
run: terraform fmt
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Terraform Init
id: init
run: terraform init -upgrade
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
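Review bot: `terraform fmt` with `continue-on-error: true` and no `-check` flag rewrites files on the runner and never fails the job, so a formatting regression passes silently unless `steps.fmt.outcome` is consumed later (not visible here). Use `terraform fmt -check -recursive` and drop `continue-on-error`. Removing the `GITHUB_TOKEN` env from the fmt step is right, since fmt does not talk to GitHub, and dropping `-upgrade` from `terraform init` means the committed provider lock file is honoured instead of being silently moved forward on every run.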
53 changes: 14 additions & 39 deletions .github/workflows/terratest.yaml
@@ -1,55 +1,30 @@
name: terratest
permissions:
contents: write
pull-requests: write

name: "Terratest GitHub Action"
on:
pull_request:
branches:
- main
branches: [test, dev, qa, prod, main]
push:
branches:
- main
branches: [test, dev, qa, prod, main]
env:
COMPUTE_GOOGLE_CREDENTIALS: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE }}
COMPUTE_GOOGLE_PROJECT: ${{ secrets.TERRATEST_GOOGLE_PROJECT_COMPUTE }}
TF_VAR_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_COMPUTE }}
TF_VAR_shared_vpc_host_google_credentials: ${{ secrets.TERRATEST_GOOGLE_CREDENTIALS_NETWORK }}
AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
jobs:
terratest:
name: terratest
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Set up Go (latest version greater than 1.19)
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '~>1.21'
- name: gcloud-auth
uses: google-github-actions/auth@v1
with:
credentials_json: ${{ env.COMPUTE_GOOGLE_CREDENTIALS }}
- name: gcloud-setup
uses: google-github-actions/setup-gcloud@v1
with:
version: "latest" # This is the default value, just being explicit
project_id: ${{ env.COMPUTE_GOOGLE_PROJECT }}
install_components: 'gke-gcloud-auth-plugin'
export_default_credentials: false
- name: Run terratest
go-version: 1.20
id: go
- name: Run 'go test -v -timeout 60m'
run: |
cd test
go test -v -timeout 120m
- name: Release
if: github.event_name == 'push'
uses: cycjimmy/semantic-release-action@v4
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
extra_plugins: |
@semantic-release/[email protected]
@semantic-release/[email protected]
@semantic-release/[email protected]
go mod download
go test -v -timeout 30m
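Review bot: `go test -v -timeout 30m` now runs in the repository root without `./...`, while the removed `cd test` line shows the tests live under `test/`; as written the step will report `no test files` for the root package and pass green. Use `go test -v -timeout 30m ./...` or keep the `cd test`. Two more points: `go-version: 1.20` is an unquoted YAML float and is read as `1.2`, so quote it (`'1.20'`), and note it is a downgrade from the removed `'~>1.21'`; and the `permissions: contents: write / pull-requests: write` block was removed without a replacement, leaving the job on the repository's default token scopes. Since the semantic-release step that needed `contents: write` is gone, `permissions: contents: read` is sufficient. Removing the cloud credential env block from a workflow that runs on every pull request to `test`, `dev`, `qa`, `prod` and `main` is a good change.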
