diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 918fe2a8dd..c14056b959 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,43 +1,43 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates +# # To get started with Dependabot version updates, you'll need to specify which +# # package ecosystems to update and where the package manifests are located. +# # Please see the documentation for all configuration options: +# # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates -# NPM production dependencies are part of the generated Lambda JavaScript. -# Therefore updates on production are prefixed with fix(component) to trigger releases. -# Development updates are prefixed with chore, and not triggering a release. +# # NPM production dependencies are part of the generated Lambda JavaScript. +# # Therefore updates on production are prefixed with fix(component) to trigger releases. +# # Development updates are prefixed with chore, and not triggering a release. 
-version: 2 -updates: - - package-ecosystem: "github-actions" - # Workflow files stored in the - # default location of `.github/workflows` - directory: "/" - schedule: - interval: "weekly" +# version: 2 +# updates: +# - package-ecosystem: "github-actions" +# # Workflow files stored in the +# # default location of `.github/workflows` +# directory: "/" +# schedule: +# interval: "weekly" - - package-ecosystem: "npm" - directory: "/lambdas" - schedule: - interval: "weekly" - groups: - aws: - patterns: - - "@aws-sdk/*" - octokit: - patterns: - - "@octokit/*" - aws-powertools: - patterns: - - "@aws-lambda-powertools/*" +# - package-ecosystem: "npm" +# directory: "/lambdas" +# schedule: +# interval: "weekly" +# groups: +# aws: +# patterns: +# - "@aws-sdk/*" +# octokit: +# patterns: +# - "@octokit/*" +# aws-powertools: +# patterns: +# - "@aws-lambda-powertools/*" - ignore: - - dependency-name: "@middy/core" - update-types: ["version-update:semver-major"] - - dependency-name: "@octokit/*" - update-types: ["version-update:semver-major"] - - dependency-name: "eslint" - update-types: ["version-update:semver-major"] - commit-message: - prefix: "fix(lambda)" - prefix-development: "chore(lambda)" +# ignore: +# - dependency-name: "@middy/core" +# update-types: ["version-update:semver-major"] +# - dependency-name: "@octokit/*" +# update-types: ["version-update:semver-major"] +# - dependency-name: "eslint" +# update-types: ["version-update:semver-major"] +# commit-message: +# prefix: "fix(lambda)" +# prefix-development: "chore(lambda)" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dd063ac502..9016f1b991 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
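Review bot: Commenting out the whole body leaves `.github/dependabot.yml` as a file that parses to an empty document, which Dependabot rejects as an invalid configuration (it requires `version: 2`) and reports as an error rather than as disabled; the same pattern is applied to codeql.yml, lambda.yml, packer-build.yml, release.yml, semantic-check.yml, stale.yml, terraform.yml and update-docs.yml in this commit, and as far as I know an all-comment workflow file is likewise shown as an invalid workflow in the Actions tab. If the intent is to switch these off on the fork, delete the files (history keeps them), or for the workflows keep a minimal valid trigger such as `on: workflow_dispatch: {}` so they remain runnable by hand. Note also that disabling codeql.yml removes the only code-scanning coverage on this fork's `main`, which after this commit receives merged upstream code and a new release/upload workflow.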
@@ -1,41 +1,41 @@ -name: "CodeQL Advanced" +# name: "CodeQL Advanced" -on: - push: - branches: [ "main", "develop", "v1" ] - pull_request: - branches: [ "main", "develop", "v1" ] - paths-ignore: - - '**/*.md' - schedule: - - cron: '25 19 * * 2' +# on: +# push: +# branches: [ "main", "develop", "v1" ] +# pull_request: +# branches: [ "main", "develop", "v1" ] +# paths-ignore: +# - '**/*.md' +# schedule: +# - cron: '25 19 * * 2' -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write +# jobs: +# analyze: +# name: Analyze (${{ matrix.language }}) +# runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} +# permissions: +# # required for all workflows +# security-events: write - strategy: - fail-fast: false - matrix: - include: - - language: javascript-typescript - build-mode: none - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# strategy: +# fail-fast: false +# matrix: +# include: +# - language: javascript-typescript +# build-mode: none +# steps: +# - name: Checkout repository +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} +# # Initializes the CodeQL tools for scanning. 
+# - name: Initialize CodeQL +# uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 +# with: +# languages: ${{ matrix.language }} +# build-mode: ${{ matrix.build-mode }} - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 - with: - category: "/language:${{matrix.language}}" +# - name: Perform CodeQL Analysis +# uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 +# with: +# category: "/language:${{matrix.language}}" diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml index bd190b8c56..02aef6093a 100644 --- a/.github/workflows/lambda.yml +++ b/.github/workflows/lambda.yml 
@@ -1,40 +1,40 @@ -name: Build lambdas -on: - pull_request: - branches: - - main - paths: - - 'lambdas/**' +# name: Build lambdas +# on: +# pull_request: +# branches: +# - main +# paths: +# - 'lambdas/**' -jobs: - build: - runs-on: ubuntu-latest - strategy: - matrix: - node: [20] - container: - image: node:${{ matrix.node }} - defaults: - run: - working-directory: ./lambdas +# jobs: +# build: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# node: [20] +# container: +# image: node:${{ matrix.node }} +# defaults: +# run: +# working-directory: ./lambdas - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Install dependencies - run: yarn install --frozen-lockfile - - name: Run prettier - run: yarn format-check - - name: Run linter - run: yarn lint - - name: Run tests - id: test - run: yarn test - - name: Build distribution - run: yarn build - - name: Upload coverage report - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - if: ${{ failure() }} - with: - name: coverage-reports - path: ./**/coverage - retention-days: 5 +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: Install dependencies +# run: yarn install --frozen-lockfile +# - name: Run prettier +# run: yarn format-check +# - name: Run linter +# run: yarn lint +# - name: Run tests +# id: test +# run: yarn test +# - name: Build distribution +# run: yarn build +# - name: Upload coverage report +# uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 +# if: ${{ failure() }} +# with: +# name: coverage-reports +# path: ./**/coverage +# retention-days: 5 diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml index 4251f892ff..d3949a65b3 100644 --- a/.github/workflows/packer-build.yml +++ b/.github/workflows/packer-build.yml 
@@ -1,34 +1,34 @@ -name: "Packer checks" -on: - push: - branches: - - main - pull_request: - paths: - - "images/**" - - ".github/workflows/packer-build.yml" - - "module/runners/templates/**" -env: - AWS_REGION: eu-west-1 - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -jobs: - verify_packer: - name: Verify packer - runs-on: ubuntu-latest - container: - image: index.docker.io/hashicorp/packer@sha256:12c441b8a3994e7df9f0e2692d9298f14c387e70bcc06139420977dbf80a137b # 1.11.2 - strategy: - matrix: - image: ["linux-al2023", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"] - defaults: - run: - working-directory: images/${{ matrix.image }} - steps: - - name: "Checkout" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: packer init - run: packer init . - - name: check packer formatting - run: packer fmt -recursive -check=true . - - name: packer validate - run: packer validate -evaluate-datasources . +# name: "Packer checks" +# on: +# push: +# branches: +# - main +# pull_request: +# paths: +# - "images/**" +# - ".github/workflows/packer-build.yml" +# - "module/runners/templates/**" +# env: +# AWS_REGION: eu-west-1 +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# jobs: +# verify_packer: +# name: Verify packer +# runs-on: ubuntu-latest +# container: +# image: index.docker.io/hashicorp/packer@sha256:12c441b8a3994e7df9f0e2692d9298f14c387e70bcc06139420977dbf80a137b # 1.11.2 +# strategy: +# matrix: +# image: ["linux-al2023", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"] +# defaults: +# run: +# working-directory: images/${{ matrix.image }} +# steps: +# - name: "Checkout" +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: packer init +# run: packer init . +# - name: check packer formatting +# run: packer fmt -recursive -check=true . +# - name: packer validate +# run: packer validate -evaluate-datasources . 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6832970c3f..8cc4d3057a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,48 +1,48 @@ -name: Release build -on: - push: - branches: - - main - - v1 - workflow_dispatch: +# name: Release build +# on: +# push: +# branches: +# - main +# - v1 +# workflow_dispatch: -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: - contents: write - actions: write - steps: - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build dist - working-directory: lambdas - run: yarn install --frozen-lockfile && yarn run test && yarn dist - - name: Get installation token - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - id: token - with: - app-id: ${{ secrets.FOREST_RELEASER_APP_ID }} - private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} - - name: Extract branch name - id: branch - shell: bash - run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT - - name: Release - id: release - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 - with: - target-branch: ${{ steps.branch.outputs.name }} - release-type: terraform-module - token: ${{ steps.token.outputs.token }} - - name: Upload Release Asset - if: ${{ steps.release.outputs.releases_created == 'true' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - for f in $(find . 
-name '*.zip'); do - gh release upload ${{ steps.release.outputs.tag_name }} $f - done +# jobs: +# release: +# name: Release +# runs-on: ubuntu-latest +# permissions: +# contents: write +# actions: write +# steps: +# - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 +# with: +# node-version: 20 +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: Build dist +# working-directory: lambdas +# run: yarn install --frozen-lockfile && yarn run test && yarn dist +# - name: Get installation token +# uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 +# id: token +# with: +# app-id: ${{ secrets.FOREST_RELEASER_APP_ID }} +# private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} +# - name: Extract branch name +# id: branch +# shell: bash +# run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT +# - name: Release +# id: release +# uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 +# with: +# target-branch: ${{ steps.branch.outputs.name }} +# release-type: terraform-module +# token: ${{ steps.token.outputs.token }} +# - name: Upload Release Asset +# if: ${{ steps.release.outputs.releases_created == 'true' }} +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# run: | +# for f in $(find . -name '*.zip'); do +# gh release upload ${{ steps.release.outputs.tag_name }} $f +# done diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml index 886aa2e349..cbe7955155 100644 --- a/.github/workflows/semantic-check.yml +++ b/.github/workflows/semantic-check.yml 
@@ -1,24 +1,24 @@ -name: "Semantic Check" -on: - pull_request_target: - types: - - opened - - edited - - synchronize -permissions: - contents: read - pull-requests: read -jobs: - main: - name: Semantic Commit Message Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 - name: Check PR for Semantic Commit Message - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - requireScope: false - validateSingleCommit: true - ignoreLabels: release merge +# name: "Semantic Check" +# on: +# pull_request_target: +# types: +# - opened +# - edited +# - synchronize +# permissions: +# contents: read +# pull-requests: read +# jobs: +# main: +# name: Semantic Commit Message Check +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 +# name: Check PR for Semantic Commit Message +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# with: +# requireScope: false +# validateSingleCommit: true +# ignoreLabels: release merge diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9e3f86ef33..a4b85f76c2 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,24 +1,24 @@ -name: "Stale issue and PR workflow" -on: - schedule: - - cron: "30 1 * * *" - workflow_dispatch: -permissions: - issues: write - pull-requests: write -jobs: - stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - stale-issue-message: > - This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. +# name: "Stale issue and PR workflow" +# on: +# schedule: +# - cron: "30 1 * * *" +# workflow_dispatch: +# permissions: +# issues: write +# pull-requests: write +# jobs: +# stale: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 +# with: +# stale-issue-message: > +# This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. +# stale-pr-message: > +# This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. - days-before-stale: 90 - days-before-close: 14 - close-issue-label: "abandoned" - exempt-issue-labels: "stale:exempt" +# days-before-stale: 90 +# days-before-close: 14 +# close-issue-label: "abandoned" +# exempt-issue-labels: "stale:exempt" diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml new file mode 100644 index 0000000000..af775bc41a --- /dev/null +++ b/.github/workflows/sync-fork.yaml 
@@ -0,0 +1,153 @@ +name: Sync Fork, Upload Zips, Create Release + +on: + workflow_dispatch: {} + +jobs: + sync-fork: + name: Sync Fork + runs-on: ubuntu-latest + outputs: + upstream_tag: ${{ steps.philips_tag.outputs.upstream_tag}} + + steps: + - name: Checkout forked repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for accurate merging + + - name: Fork tag + id: fork_tag + run: | + # List all tags reachable from the current branch + LATEST_TAG=$(git describe --tags --abbrev=0) + + echo "Latest tag on the forked branch: $LATEST_TAG" + echo "fork_tag=$LATEST_TAG" >> $GITHUB_ENV + - name: Upstream tag + id: philips_tag + run: | + # Fetch the latest release using GitHub API + LATEST_TAG=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + https://api.github.com/repos/philips-labs/terraform-aws-github-runner/releases/latest | jq -r '.tag_name') + + echo "Latest upstream tag: $LATEST_TAG" + echo "upstream_tag=$LATEST_TAG" >> $GITHUB_ENV + echo "upstream_tag=$LATEST_TAG" >> $GITHUB_OUTPUT + - name: Compare Image Tags + id: compare-tags + shell: bash + run: | + echo "fork_tag=$fork_tag" + echo "upstream_tag=$upstream_tag" + if [ "$fork_tag" == "$upstream_tag" ]; then + echo "### :info: Fork is already synced, ending workflow." >> $GITHUB_STEP_SUMMARY + echo "Current forked tag matches the upstream tag. 
QA Tag: $fork_tag, PROD Tag: $upstream_tag " >> $GITHUB_STEP_SUMMARY + echo "duplicate_tag=true" >> $GITHUB_OUTPUT + else + echo "duplicate_tag=false" >> $GITHUB_OUTPUT + fi + - name: Cancel workflow if duplicate tags + if: ${{ steps.compare-tags.outputs.duplicate_tags == 'true' }} + uses: actions/github-script@v6 + with: + script: | + const https = require('https'); + const options = { + hostname: 'api.github.com', + path: `/repos/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}/cancel`, + headers: { + 'Authorization': `token ${process.env.GITHUB_TOKEN}`, + 'Content-Type': 'application/json', + 'User-Agent': 'actions/cancel-action' + }, + method: 'POST' + } + const req = https.request(options, (res) => { + res.on('data', (data) => { + if (res.statusCode != 202) { + let parsed = JSON.parse(data) + console.log(`Error: ${parsed.message}`) + process.exit(1) + } else { + console.log('Cancelled successfully.') + process.exit(0) + } + }) + }) + req.on('error', (error) => { + console.log(`HTTP Error: ${error}`) + process.exit(1) + }) + req.end(); + - name: Add upstream repository + run: | + git remote add upstream https://github.com/philips-labs/terraform-aws-github-runner.git + git fetch upstream + - name: Sync with upstream/main + if: success() + run: | + git checkout main + git merge upstream/main + git push origin main + create-release: + name: Create Release + runs-on: ubuntu-latest + needs: + - sync-fork + + steps: + - name: Checkout forked repository + uses: actions/checkout@v4 + + - name: Create a release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ needs.sync-fork.outputs.upstream_tag }} # Incremental tag + release_name: "Release ${{ needs.sync-fork.outputs.upstream_tag }}" + body: | + This release contains the latest changes synced from the upstream repository. 
+ draft: false + prerelease: false + + download-s3-zips: #needs work + name: Download zips and store in s3 + runs-on: ubuntu-latest + needs: + - sync-fork + + steps: + - name: Download zips + run: | + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip + - name: Configure AWS credentials via OIDC + id: oidc-creds + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-1 + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID_ORG }}:role/external/github_actions + role-session-name: syncfork_assume_github_actions_role + output-credentials: true + + - name: Assume AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-1 + aws-access-key-id: ${{ steps.oidc-creds.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ steps.oidc-creds.outputs.aws-secret-access-key }} + aws-session-token: ${{ steps.oidc-creds.outputs.aws-session-token }} + + - name: Upload zips to S3 + run: | + # mgmt-infra-dev + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip + # mgmt-infra-prod + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + aws s3 cp runners.zip 
s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip \ No newline at end of file diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index f4226c4270..fb978a54b1 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
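Review bot: The `Upload zips to S3` step copies `runners.zip` under all six object keys, so `webhook.zip` and `runner-binaries-syncer.zip` never reach either bucket and the runners Lambda code is published under the other two names in both the dev and prod buckets; the fence below loops over the three files instead. The workflow declares no `permissions:`, yet the OIDC exchange in `aws-actions/configure-aws-credentials` requires `id-token: write`, the `git push origin main` and `actions/create-release` need `contents: write`, and the cancel call needs `actions: write`, so set them per job at least privilege instead of relying on the repository default. The cancel step can never fire because its condition reads `steps.compare-tags.outputs.duplicate_tags` while the compare step writes `duplicate_tag`, and its script reads `process.env.GITHUB_TOKEN`, which is never set on that step. Unlike every other workflow in this repository, all four actions here are referenced by floating tag (`actions/checkout@v4`, `actions/github-script@v6`, `actions/create-release@v1`, `aws-actions/configure-aws-credentials@v4`); pin them to full commit SHAs as the other files do. The zips are fetched from the upstream release and pushed straight into the prod bucket with no integrity record or approval gate; at minimum write `sha256sum *.zip >> $GITHUB_STEP_SUMMARY` after the download and put the prod copy behind a protected `environment:` with required reviewers.
```yaml
  sync-fork:
    name: Sync Fork
    runs-on: ubuntu-latest
    permissions:
      contents: write  # git push origin main
      actions: write   # cancel this run when the tags already match
    # … unchanged: outputs, checkout, fork/upstream tag and compare steps …
      - name: Cancel workflow if duplicate tags
        if: ${{ steps.compare-tags.outputs.duplicate_tag == 'true' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    # … unchanged: github-script body, upstream remote, merge and push …
  create-release:
    name: Create Release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the release and its tag
    # … unchanged: needs, checkout, create-release step …
  download-s3-zips:
    name: Download zips and store in s3
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # required for the OIDC credential exchange
      contents: read
    # … unchanged: needs, download step, credential steps …
      - name: Upload zips to S3
        run: |
          for bucket in mgmt-infra-dev mgmt-infra-prod; do
            for zip in runners.zip webhook.zip runner-binaries-syncer.zip; do
              aws s3 cp "$zip" "s3://${bucket}-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/${zip}"
            done
          done
```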
@@ -1,182 +1,182 @@ -name: "Terraform checks" -on: - push: - branches: - - main - pull_request: - paths: ["**/*.tf", "**/*.hcl", ".github/workflows/terraform.yml"] +# name: "Terraform checks" +# on: +# push: +# branches: +# - main +# pull_request: +# paths: ["**/*.tf", "**/*.hcl", ".github/workflows/terraform.yml"] -permissions: - contents: read - pull-requests: write +# permissions: +# contents: read +# pull-requests: write -env: - AWS_REGION: eu-west-1 -jobs: - verify_module: - name: Verify module - strategy: - matrix: - terraform: [1.5.6, "latest"] - runs-on: ubuntu-latest - container: - image: hashicorp/terraform:${{ matrix.terraform }} - steps: - - name: "Checkout" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: "Fake zip files" # Validate will fail if it cannot find the zip files - run: | - touch lambdas/functions/webhook/webhook.zip - touch lambdas/functions/control-plane/runners.zip - touch lambdas/functions/gh-agent-syncer/runner-binaries-syncer.zip - touch lambdas/functions/ami-housekeeper/ami-housekeeper.zip - touch lambdas/functions/termination-watcher/termination-watcher.zip - - name: terraform init - run: terraform init -get -backend=false -input=false - - if: contains(matrix.terraform, '1.5.') - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - continue-on-error: true - - name: validate terraform - run: terraform validate - - if: contains(matrix.terraform, '1.5.') - name: Fix for actions/cache on alpine - run: apk add --no-cache tar - continue-on-error: true - - if: contains(matrix.terraform, '1.5.') - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 - name: Cache TFLint plugin dir - with: - path: ~/.tflint.d/plugins - key: tflint-${{ 
hashFiles('.tflint.hcl') }} - - if: contains(matrix.terraform, '1.5.') - name: Setup TFLint - uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - - if: contains(matrix.terraform, '1.5.') - name: Run TFLint - run: | - tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl - tflint -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars +# env: +# AWS_REGION: eu-west-1 +# jobs: +# verify_module: +# name: Verify module +# strategy: +# matrix: +# terraform: [1.5.6, "latest"] +# runs-on: ubuntu-latest +# container: +# image: hashicorp/terraform:${{ matrix.terraform }} +# steps: +# - name: "Checkout" +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: "Fake zip files" # Validate will fail if it cannot find the zip files +# run: | +# touch lambdas/functions/webhook/webhook.zip +# touch lambdas/functions/control-plane/runners.zip +# touch lambdas/functions/gh-agent-syncer/runner-binaries-syncer.zip +# touch lambdas/functions/ami-housekeeper/ami-housekeeper.zip +# touch lambdas/functions/termination-watcher/termination-watcher.zip +# - name: terraform init +# run: terraform init -get -backend=false -input=false +# - if: contains(matrix.terraform, '1.5.') +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# continue-on-error: true +# - name: validate terraform +# run: terraform validate +# - if: contains(matrix.terraform, '1.5.') +# name: Fix for actions/cache on alpine +# run: apk add --no-cache tar +# continue-on-error: true +# - if: contains(matrix.terraform, '1.5.') +# uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 +# name: Cache TFLint plugin dir 
+# with: +# path: ~/.tflint.d/plugins +# key: tflint-${{ hashFiles('.tflint.hcl') }} +# - if: contains(matrix.terraform, '1.5.') +# name: Setup TFLint +# uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0 +# with: +# github_token: ${{ secrets.GITHUB_TOKEN }} +# - if: contains(matrix.terraform, '1.5.') +# name: Run TFLint +# run: | +# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl +# tflint -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars - verify_modules: - name: Verify modules - strategy: - fail-fast: false - matrix: - terraform: [1.5.6, "latest"] - module: - [ - "ami-housekeeper", - "download-lambda", - "lambda", - "multi-runner", - "runner-binaries-syncer", - "runners", - "setup-iam-permissions", - "ssm", - "termination-watcher", - "webhook", - ] - defaults: - run: - working-directory: modules/${{ matrix.module }} - runs-on: ubuntu-latest - container: - image: hashicorp/terraform:${{ matrix.terraform }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: terraform init - run: terraform init -get -backend=false -input=false - - if: contains(matrix.terraform, '1.3.') - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - continue-on-error: true - - name: validate terraform - run: terraform validate - - if: contains(matrix.terraform, '1.3.') - name: Fix for actions/cache on alpine - run: apk add --no-cache tar - continue-on-error: true - - if: contains(matrix.terraform, '1.3.') - uses: actions/cache@v4 - name: Cache TFLint plugin dir - with: - path: ~/.tflint.d/plugins - key: tflint-${{ hashFiles('.tflint.hcl') }} - - if: contains(matrix.terraform, '1.3.') - name: Setup TFLint - uses: 
terraform-linters/setup-tflint@v4 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - - if: contains(matrix.terraform, '1.3.') - name: Run TFLint - working-directory: ${{ github.workspace }} - run: | - tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} - tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }} +# verify_modules: +# name: Verify modules +# strategy: +# fail-fast: false +# matrix: +# terraform: [1.5.6, "latest"] +# module: +# [ +# "ami-housekeeper", +# "download-lambda", +# "lambda", +# "multi-runner", +# "runner-binaries-syncer", +# "runners", +# "setup-iam-permissions", +# "ssm", +# "termination-watcher", +# "webhook", +# ] +# defaults: +# run: +# working-directory: modules/${{ matrix.module }} +# runs-on: ubuntu-latest +# container: +# image: hashicorp/terraform:${{ matrix.terraform }} +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: terraform init +# run: terraform init -get -backend=false -input=false +# - if: contains(matrix.terraform, '1.3.') +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# continue-on-error: true +# - name: validate terraform +# run: terraform validate +# - if: contains(matrix.terraform, '1.3.') +# name: Fix for actions/cache on alpine +# run: apk add --no-cache tar +# continue-on-error: true +# - if: contains(matrix.terraform, '1.3.') +# uses: actions/cache@v4 +# name: Cache TFLint plugin dir +# with: +# path: ~/.tflint.d/plugins +# key: tflint-${{ hashFiles('.tflint.hcl') }} +# - if: contains(matrix.terraform, '1.3.') +# name: Setup TFLint +# uses: terraform-linters/setup-tflint@v4 +# with: +# 
github_token: ${{ secrets.GITHUB_TOKEN }} +# - if: contains(matrix.terraform, '1.3.') +# name: Run TFLint +# working-directory: ${{ github.workspace }} +# run: | +# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} +# tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }} - verify_examples: - name: Verify examples - strategy: - fail-fast: false - matrix: - terraform: [1.5.6, "latest"] - example: - [ - "default", - "ubuntu", - "prebuilt", - "arm64", - "ephemeral", - "termination-watcher", - "windows", - "multi-runner", - ] - defaults: - run: - working-directory: examples/${{ matrix.example }} - runs-on: ubuntu-latest - container: - image: hashicorp/terraform:${{ matrix.terraform }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: terraform init - run: terraform init -get -backend=false -input=false - - if: contains(matrix.terraform, '1.5.') - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build - name: check terraform formatting - run: terraform fmt -recursive -check=true -write=false - continue-on-error: true - - name: validate terraform - run: terraform validate - - if: contains(matrix.terraform, '1.5.') - name: Fix for actions/cache on alpine - run: apk add --no-cache tar - continue-on-error: true - - if: contains(matrix.terraform, '1.5.') - uses: actions/cache@v4 - name: Cache TFLint plugin dir - with: - path: ~/.tflint.d/plugins - key: tflint-${{ hashFiles('.tflint.hcl') }} - - if: contains(matrix.terraform, '1.5.') - name: Setup TFLint - uses: terraform-linters/setup-tflint@v4 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - - if: contains(matrix.terraform, '1.5.') - name: Run TFLint - working-directory: ${{ github.workspace }} - 
run: | - tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} - tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }} +# verify_examples: +# name: Verify examples +# strategy: +# fail-fast: false +# matrix: +# terraform: [1.5.6, "latest"] +# example: +# [ +# "default", +# "ubuntu", +# "prebuilt", +# "arm64", +# "ephemeral", +# "termination-watcher", +# "windows", +# "multi-runner", +# ] +# defaults: +# run: +# working-directory: examples/${{ matrix.example }} +# runs-on: ubuntu-latest +# container: +# image: hashicorp/terraform:${{ matrix.terraform }} +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: terraform init +# run: terraform init -get -backend=false -input=false +# - if: contains(matrix.terraform, '1.5.') +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build +# name: check terraform formatting +# run: terraform fmt -recursive -check=true -write=false +# continue-on-error: true +# - name: validate terraform +# run: terraform validate +# - if: contains(matrix.terraform, '1.5.') +# name: Fix for actions/cache on alpine +# run: apk add --no-cache tar +# continue-on-error: true +# - if: contains(matrix.terraform, '1.5.') +# uses: actions/cache@v4 +# name: Cache TFLint plugin dir +# with: +# path: ~/.tflint.d/plugins +# key: tflint-${{ hashFiles('.tflint.hcl') }} +# - if: contains(matrix.terraform, '1.5.') +# name: Setup TFLint +# uses: terraform-linters/setup-tflint@v4 +# with: +# github_token: ${{ secrets.GITHUB_TOKEN }} +# - if: contains(matrix.terraform, '1.5.') +# name: Run TFLint +# working-directory: ${{ github.workspace }} +# run: | +# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} +# 
tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }} diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index e5c49baddc..d9b32695df 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml 
@@ -1,76 +1,76 @@
-name: Update docs
-on:
- push:
- paths:
- - "**/*.tf"
- - "**/*.md"
- - ".github/workflows/update-docs.yml"
+# name: Update docs
+# on:
+# push:
+# paths:
+# - "**/*.tf"
+# - "**/*.md"
+# - ".github/workflows/update-docs.yml"
-permissions:
- contents: write
- pull-requests: write
+# permissions:
+# contents: write
+# pull-requests: write
-jobs:
- docs:
- name: Auto update terraform docs
- runs-on: ubuntu-latest
- steps:
- - name: Checkout with GITHUB Action token
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
+# jobs:
+# docs:
+# name: Auto update terraform docs
+# runs-on: ubuntu-latest
+# steps:
+# - name: Checkout with GITHUB Action token
+# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# with:
+# token: ${{ secrets.GITHUB_TOKEN }}
- # use an app to ensure CI is triggered
- - name: Generate TF docs
- if: github.repository_owner == 'philips-labs'
- uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
- with:
- find-dir: .
- git-commit-message: "docs: auto update terraform docs"
- git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
- git-push-user-name: philips-labs-pr|bot
- git-push-user-email: "philips-labs-pr[bot]@users.noreply.github.com"
+# # use an app to ensure CI is triggered
+# - name: Generate TF docs
+# if: github.repository_owner == 'philips-labs'
+# uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
+# with:
+# find-dir: .
+# git-commit-message: "docs: auto update terraform docs"
+# git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
+# git-push-user-name: philips-labs-pr|bot
+# git-push-user-email: "philips-labs-pr[bot]@users.noreply.github.com"
- - name: Generate TF docs (forks)
- if: github.repository_owner != 'philips-labs'
- uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
- with:
- find-dir: .
- git-commit-message: "docs: auto update terraform docs"
- git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
+# - name: Generate TF docs (forks)
+# if: github.repository_owner != 'philips-labs'
+# uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
+# with:
+# find-dir: .
+# git-commit-message: "docs: auto update terraform docs"
+# git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
- # change docs via PR in case of locked main branch
- - name: Create Pull Request (main branch only)
- if: github.ref == 'refs/heads/main' && github.repository_owner == 'philips-labs'
- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- commit-message: "docs: auto update terraform docs"
- title: "docs: Update Terraform docs"
- branch: update-docs
- branch-suffix: random
- base: ${{ github.event.pull_request.base.ref }}
- delete-branch: true
+# # change docs via PR in case of locked main branch
+# - name: Create Pull Request (main branch only)
+# if: github.ref == 'refs/heads/main' && github.repository_owner == 'philips-labs'
+# uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+# with:
+# token: ${{ secrets.GITHUB_TOKEN }}
+# commit-message: "docs: auto update terraform docs"
+# title: "docs: Update Terraform docs"
+# branch: update-docs
+# branch-suffix: random
+# base: ${{ 
github.event.pull_request.base.ref }}
+# delete-branch: true
- deploy-pages:
- needs: [docs]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Configure Git Credentials
- run: |
- git config user.name github-actions[bot]
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- with:
- python-version: 3.x
- - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- key: mkdocs-material-${{ env.cache_id }}
- path: .cache
- restore-keys: |
- mkdocs-material-
- - run: pip install mkdocs-material
- - run: pip install mkdocs-material-extensions
- - run: mkdocs gh-deploy --force -c -b gh-pages
+# deploy-pages:
+# needs: [docs]
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# - name: Configure Git Credentials
+# run: |
+# git config user.name github-actions[bot]
+# git config --global user.email "github-actions[bot]@users.noreply.github.com"
+# - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+# with:
+# python-version: 3.x
+# - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+# - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+# with:
+# key: mkdocs-material-${{ env.cache_id }}
+# path: .cache
+# restore-keys: |
+# mkdocs-material-
+# - run: pip install mkdocs-material
+# - run: pip install mkdocs-material-extensions
+# - run: mkdocs gh-deploy --force -c -b gh-pages
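Review bot: Commenting out every line of `.github/workflows/update-docs.yml`, including `on:`, leaves a workflow file in place that has no trigger at all, which GitHub may surface as an invalid workflow in the Actions tab rather than silently ignore; the hunk spans the whole file (`-1,76 +1,76`), so nothing live remains. If the intent is to retire the job, deleting the file is the cleaner change; if it must be kept for later, a minimal live header such as `on: workflow_dispatch` above the commented block keeps the file valid while ensuring it never runs automatically. When the job is eventually restored, the commented-out `permissions: contents: write` / `pull-requests: write` grant and the checkout with `token: ${{ secrets.GITHUB_TOKEN }}` deserve a fresh review rather than a wholesale un-comment, since a comment-only disable is typically reverted as one unit. The preceding hunk disables its workflow the same way and the same remark applies there.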