From 61124f61e6fd92b1115d773474b2cdb36bcca9da Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 16:28:29 -0600 Subject: [PATCH 1/8] chore: add fork sync workflow --- .github/workflows/sync-fork.yaml | 151 +++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 .github/workflows/sync-fork.yaml diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml new file mode 100644 index 0000000000..b6e5bd5946 --- /dev/null +++ b/.github/workflows/sync-fork.yaml 
@@ -0,0 +1,151 @@ +name: Sync Fork, Upload Zips, Create Release + +on: + workflow_dispatch: {} + +jobs: + sync-fork: + name: Sync Fork + runs-on: ubuntu-latest + outputs: + upstream_tag: ${{ steps.upstream_tag.upstream_tag}} + + steps: + - name: Checkout forked repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for accurate merging + + - name: Fork tag + id: fork_tag + run: | + # List all tags reachable from the current branch + LATEST_TAG=$(git describe --tags --abbrev=0) + + echo "Latest tag on the forked branch: $LATEST_TAG" + echo "fork_tag=$LATEST_TAG" >> $GITHUB_ENV + - name: Upstream tag + id: upstream_tag + run: | + # Fetch the latest release using GitHub API + LATEST_TAG=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + https://api.github.com/repos/philips-labs/releases/latest | jq -r '.tag_name') + + echo "Latest upstream tag: $LATEST_TAG" + echo "upstream_tag=$LATEST_TAG" >> $GITHUB_ENV + - name: Compare Image Tags + id: compare-tags + shell: bash + run: | + echo "fork_tag=$fork_tag" + echo "upstream_tag=$upstream_tag" + if [ "$fork_tag" == "$upstream_tag" ]; then + echo "### :info: Fork is already synced, ending workflow." >> $GITHUB_STEP_SUMMARY + echo "Current forked tag matches the upstream tag. 
QA Tag: $fork_tag, PROD Tag: $upstream_tag " >> $GITHUB_STEP_SUMMARY + echo "duplicate_tag=true" >> $GITHUB_OUTPUT + else + echo "duplicate_tag=false" >> $GITHUB_OUTPUT + fi + - name: Cancel workflow if duplicate tags + if: ${{ steps.compare-tags.outputs.duplicate_tags == 'true' }} + uses: actions/github-script@v6 + with: + script: | + const https = require('https'); + const options = { + hostname: 'api.github.com', + path: `/repos/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}/cancel`, + headers: { + 'Authorization': `token ${process.env.GITHUB_TOKEN}`, + 'Content-Type': 'application/json', + 'User-Agent': 'actions/cancel-action' + }, + method: 'POST' + } + const req = https.request(options, (res) => { + res.on('data', (data) => { + if (res.statusCode != 202) { + let parsed = JSON.parse(data) + console.log(`Error: ${parsed.message}`) + process.exit(1) + } else { + console.log('Cancelled successfully.') + process.exit(0) + } + }) + }) + req.on('error', (error) => { + console.log(`HTTP Error: ${error}`) + process.exit(1) + }) + req.end(); + - name: Add upstream repository + run: | + git remote add upstream https://github.com/philips-labs/terraform-aws-github-runner.git + git fetch upstream + - name: Sync with upstream/main + if: success() + run: | + git checkout main + git merge upstream/main + git push origin main + create-release: + name: Create Release + runs-on: ubuntu-latest + needs: + - sync-fork + + steps: + - name: Checkout forked repository + uses: actions/checkout@v4 + + - name: Create a release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ needs.sync-fork.upstream_tag }} # Incremental tag + release_name: "Release ${{ needs.sync-fork.upstream_tag }}" + body: | + This release contains the latest changes synced from the upstream repository. 
+ draft: false + prerelease: false + + download-s3-zips: #needs work + name: Download zips and store in s3 + runs-on: ubuntu-latest + needs: + - sync-fork + + steps: + - name: Download zips + run: | + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/runners.zip" + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/webhook.zip" + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip" + - name: Configure AWS credentials via OIDC + id: oidc-creds + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-1 + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID_ORG }}:role/external/github_actions + role-session-name: tmchanges_assume_github_actions_role + output-credentials: true + + - name: Assume AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: us-east-1 + aws-access-key-id: ${{ steps.oidc-creds.outputs.aws-access-key-id }} + aws-secret-access-key: ${{ steps.oidc-creds.outputs.aws-secret-access-key }} + + - name: Upload zips to S3 + run: | + # mgmt-infra-dev + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/webhook.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip + # mgmt-infra-prod + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/webhook.zip + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip \ No newline at end of file 
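Review bot: The cancel step's condition reads `steps.compare-tags.outputs.duplicate_tags` while the Compare step writes `duplicate_tag`, so the cancel never fires and `create-release` and `download-s3-zips` run even when the fork already carries the upstream tag; fix the key and, because a cancel request is asynchronous, also gate those two jobs with a job-level output, e.g. `if: needs.sync-fork.outputs.duplicate_tag != 'true'`. Both tag steps append to `$GITHUB_ENV`, but the job's `outputs` block reads `steps.<id>.outputs.upstream_tag` (still true after the rename in the later hunk at L9), so the output is empty downstream; the step must write `echo "upstream_tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"`. The github-script step sends `token ${process.env.GITHUB_TOKEN}` although no `env:` provides that variable; the action already exposes an authenticated client, so the hand-rolled `https.request` (with its `!=` comparison and a `data` handler that never runs on an empty 202 body) can become `await github.rest.actions.cancelWorkflowRun({ owner: context.repo.owner, repo: context.repo.repo, run_id: context.runId });`. The workflow declares no `permissions:` even though it pushes to `main` and creates a release, and it references `actions/checkout@v4`, `actions/github-script@v6`, `actions/create-release@v1` and `aws-actions/configure-aws-credentials@v4` by floating tag, whereas the repository's other workflows (L12, L14, L17) pin each action to a commit SHA with a version comment; add an explicit `permissions:` block with `contents: write` and pin the same way. The second `configure-aws-credentials` step only re-feeds the access keys that the OIDC step exported with `output-credentials: true`, which that action presumably already sets as environment variables, so the extra step and the credential outputs look removable — worth confirming against the action's docs.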
From 1cc4bc26e2a6dcaa100ab9fd45497d97655717c3 Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 16:49:41 -0600 Subject: [PATCH 2/8] fix: url --- .github/workflows/sync-fork.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml index b6e5bd5946..73cde64518 100644 --- a/.github/workflows/sync-fork.yaml +++ b/.github/workflows/sync-fork.yaml @@ -29,8 +29,8 @@ jobs: run: | # Fetch the latest release using GitHub API LATEST_TAG=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - https://api.github.com/repos/philips-labs/releases/latest | jq -r '.tag_name') - + https://api.github.com/repos/philips-labs/terraform-aws-github-runner/releases/latest | jq -r '.tag_name') + echo "Latest upstream tag: $LATEST_TAG" echo "upstream_tag=$LATEST_TAG" >> $GITHUB_ENV - name: Compare Image Tags From 9a7c5b9d399a348c21607f97b01eb591d4e27b81 Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 16:59:04 -0600 Subject: [PATCH 3/8] fix: update outputs --- .github/workflows/sync-fork.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml index 73cde64518..b0e974ce94 100644 --- a/.github/workflows/sync-fork.yaml +++ b/.github/workflows/sync-fork.yaml @@ -104,8 +104,8 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - tag_name: ${{ needs.sync-fork.upstream_tag }} # Incremental tag - release_name: "Release ${{ needs.sync-fork.upstream_tag }}" + tag_name: ${{ needs.sync-fork.outputs.upstream_tag }} # Incremental tag + release_name: "Release ${{ needs.sync-fork.outputs.upstream_tag }}" body: | This release contains the latest changes synced from the upstream repository. draft: false 
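Review bot: The corrected URL is still fetched with `curl -s` and piped to `jq -r '.tag_name'`, so a non-2xx reply (rate limit, outage, bad token) produces the literal string `null` and the run continues to tag a release and upload zips under a `null` path. Use `curl -fsSL` so HTTP errors fail the pipeline, and guard the parsed value with `if [ -z "$LATEST_TAG" ] || [ "$LATEST_TAG" = "null" ]; then echo "could not resolve upstream tag"; exit 1; fi` before it is exported. The `Authorization` header is only there for rate limiting on a public repository; a one-line comment saying so would stop someone widening the token's permissions for this call later.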
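Review bot: With the corrected `tag_name`, the `create-release` job still runs on every successful `sync-fork`, including runs where Compare Image Tags found the fork already at the upstream tag, so unless the cancel request lands first the step tries to create a tag that already exists; gate the job on a job-level `duplicate_tag` output from `sync-fork`. The `actions/checkout@v4` in this job checks out the commit the dispatch ran against rather than the `main` that `sync-fork` just pushed, so the release tag is presumably created on the pre-merge commit unless `commitish:` points at the merged head — confirm against the action's behaviour. The job definition begins before this hunk.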
@@ -120,9 +120,9 @@ jobs: steps: - name: Download zips run: | - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/runners.zip" - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/webhook.zip" - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip" + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip" + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip" + wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip" - name: Configure AWS credentials via OIDC id: oidc-creds uses: aws-actions/configure-aws-credentials@v4 
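Review bot: The three `wget` downloads pull upstream release assets and nothing verifies them before the next step copies them into S3, so a modified or truncated asset would be promoted to both buckets unnoticed. At minimum record `sha256sum runners.zip webhook.zip runner-binaries-syncer.zip >> "$GITHUB_STEP_SUMMARY"` so the promoted content is auditable, and if upstream publishes checksums or build attestations for its releases, compare against them and fail the job on mismatch before uploading. `wget` already exits non-zero on a missing asset, so that case is covered; adding `--https-only` would also refuse a redirect to a plain-HTTP location.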
@@ -142,10 +142,10 @@ jobs: - name: Upload zips to S3 run: | # mgmt-infra-dev - aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runners.zip - aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/webhook.zip - aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + aws s3 cp runners.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip # mgmt-infra-prod - aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runners.zip - aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/webhook.zip - aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.upstream_tag }}/runner-binaries-syncer.zip \ No newline at end of file + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + aws s3 cp runners.zip s3://mgmt-infra-prod-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip \ No newline at end of file From b567fa9749a527d39c5d753e0e76f8c147783f80 Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 17:19:54 -0600 Subject: [PATCH 4/8] fix: update refs --- .github/workflows/sync-fork.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml index b0e974ce94..4ff3d9805c 100644 --- a/.github/workflows/sync-fork.yaml +++ b/.github/workflows/sync-fork.yaml 
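Review bot: Every `aws s3 cp` in this hunk uploads the local `runners.zip`, so the objects stored as `webhook.zip` and `runner-binaries-syncer.zip` in both buckets actually contain the runners lambda; the source argument must be the matching file, e.g. `aws s3 cp webhook.zip s3://mgmt-infra-dev-aws-gha-zips/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip`, and likewise for the syncer and for the three prod copies. The same copy-paste is present in the first patch (L4) and this commit only changes the expression path, not the sources. The step also writes to `mgmt-infra-prod-aws-gha-zips` in the same breath as the dev bucket, with no `environment:` protection or approval between them, so one `workflow_dispatch` pushes an unverified upstream release straight to production; splitting the prod copies into a separate job bound to a protected environment keeps a human checkpoint in the path.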
@@ -8,7 +8,7 @@ jobs: name: Sync Fork runs-on: ubuntu-latest outputs: - upstream_tag: ${{ steps.upstream_tag.upstream_tag}} + upstream_tag: ${{ steps.philips_tag.upstream_tag}} steps: - name: Checkout forked repository @@ -25,7 +25,7 @@ jobs: echo "Latest tag on the forked branch: $LATEST_TAG" echo "fork_tag=$LATEST_TAG" >> $GITHUB_ENV - name: Upstream tag - id: upstream_tag + id: philips_tag run: | # Fetch the latest release using GitHub API LATEST_TAG=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ @@ -120,9 +120,9 @@ jobs: steps: - name: Download zips run: | - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip" - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip" - wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip" + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runners.zip + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/webhook.zip + wget https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${{ needs.sync-fork.outputs.upstream_tag }}/runner-binaries-syncer.zip - name: Configure AWS credentials via OIDC id: oidc-creds uses: aws-actions/configure-aws-credentials@v4 From e29f162e4bba2d060316ce3ec31592c551828d1c Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 17:27:15 -0600 Subject: [PATCH 5/8] fix: missing outputs def --- .github/workflows/sync-fork.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml index 4ff3d9805c..921b84b4ac 100644 --- a/.github/workflows/sync-fork.yaml 
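Review bot: Dropping the quotes around the `wget` URLs in the last hunk makes those lines weaker rather than stronger: `${{ needs.sync-fork.outputs.upstream_tag }}` is substituted into the script text before bash parses it, so any whitespace or shell metacharacter in that string is now interpreted by bash instead of staying part of the URL, whereas the quotes at least prevented word-splitting. The tag comes from an HTTP response, not from the repository, so it should reach the shell as an environment variable: add `env:` / `  UPSTREAM_TAG: ${{ needs.sync-fork.outputs.upstream_tag }}` to the step and write `wget "https://github.com/philips-labs/terraform-aws-github-runner/releases/download/${UPSTREAM_TAG}/runners.zip"` (same for the other two). The S3 upload step (L7) interpolates the same value into its command and should be changed the same way. The first two hunks only rename the step id and need no change beyond what the next commit (L9) already completes.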
+++ b/.github/workflows/sync-fork.yaml @@ -8,7 +8,7 @@ jobs: name: Sync Fork runs-on: ubuntu-latest outputs: - upstream_tag: ${{ steps.philips_tag.upstream_tag}} + upstream_tag: ${{ steps.philips_tag.outputs.upstream_tag}} steps: - name: Checkout forked repository From cd83af495af64a732e81b3b108352f72c42127f2 Mon Sep 17 00:00:00 2001 From: Karin Swanson Date: Thu, 5 Dec 2024 17:30:44 -0600 Subject: [PATCH 6/8] silence all other workflows --- .github/dependabot.yml | 78 +++--- .github/workflows/codeql.yml | 72 +++--- .github/workflows/lambda.yml | 76 +++--- .github/workflows/packer-build.yml | 68 ++--- .github/workflows/release.yml | 94 +++---- .github/workflows/semantic-check.yml | 48 ++-- .github/workflows/stale.yml | 44 ++-- .github/workflows/terraform.yml | 356 +++++++++++++-------------- .github/workflows/update-docs.yml | 140 +++++------ 9 files changed, 488 insertions(+), 488 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 918fe2a8dd..c14056b959 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,43 +1,43 @@ -# To get started with Dependabot version updates, you'll need to specify which -# package ecosystems to update and where the package manifests are located. -# Please see the documentation for all configuration options: -# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates +# # To get started with Dependabot version updates, you'll need to specify which +# # package ecosystems to update and where the package manifests are located. +# # Please see the documentation for all configuration options: +# # https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates -# NPM production dependencies are part of the generated Lambda JavaScript. -# Therefore updates on production are prefixed with fix(component) to trigger releases. -# Development updates are prefixed with chore, and not triggering a release. +# # NPM production dependencies are part of the generated Lambda JavaScript. +# # Therefore updates on production are prefixed with fix(component) to trigger releases. +# # Development updates are prefixed with chore, and not triggering a release. 
-version: 2 -updates: - - package-ecosystem: "github-actions" - # Workflow files stored in the - # default location of `.github/workflows` - directory: "/" - schedule: - interval: "weekly" +# version: 2 +# updates: +# - package-ecosystem: "github-actions" +# # Workflow files stored in the +# # default location of `.github/workflows` +# directory: "/" +# schedule: +# interval: "weekly" - - package-ecosystem: "npm" - directory: "/lambdas" - schedule: - interval: "weekly" - groups: - aws: - patterns: - - "@aws-sdk/*" - octokit: - patterns: - - "@octokit/*" - aws-powertools: - patterns: - - "@aws-lambda-powertools/*" +# - package-ecosystem: "npm" +# directory: "/lambdas" +# schedule: +# interval: "weekly" +# groups: +# aws: +# patterns: +# - "@aws-sdk/*" +# octokit: +# patterns: +# - "@octokit/*" +# aws-powertools: +# patterns: +# - "@aws-lambda-powertools/*" - ignore: - - dependency-name: "@middy/core" - update-types: ["version-update:semver-major"] - - dependency-name: "@octokit/*" - update-types: ["version-update:semver-major"] - - dependency-name: "eslint" - update-types: ["version-update:semver-major"] - commit-message: - prefix: "fix(lambda)" - prefix-development: "chore(lambda)" +# ignore: +# - dependency-name: "@middy/core" +# update-types: ["version-update:semver-major"] +# - dependency-name: "@octokit/*" +# update-types: ["version-update:semver-major"] +# - dependency-name: "eslint" +# update-types: ["version-update:semver-major"] +# commit-message: +# prefix: "fix(lambda)" +# prefix-development: "chore(lambda)" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dd063ac502..9016f1b991 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
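Review bot: Commenting out every line of `dependabot.yml` — and of the codeql (L13), lambda (L14), packer-build (L15), release (L18), semantic-check (L19), stale (L20) and terraform (cut off after L22) workflows — guarantees a merge conflict in each of these files on every upstream sync, which is exactly the path the new `sync-fork` workflow in the first patch is supposed to automate. A workflow file consisting only of comments is presumably also reported as an invalid workflow in the Actions tab rather than silently ignored — worth checking after merge. The files can stay byte-identical to upstream by gating each job instead, e.g. `if: github.repository_owner == 'philips-labs'`, or by disabling the workflows through the repository's Actions settings. Silencing CodeQL and Dependabot in particular removes the fork's only vulnerability scanning and dependency-update coverage for the lambda code it now ships to S3; those two are the strongest candidates to keep enabled.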
@@ -1,41 +1,41 @@ -name: "CodeQL Advanced" +# name: "CodeQL Advanced" -on: - push: - branches: [ "main", "develop", "v1" ] - pull_request: - branches: [ "main", "develop", "v1" ] - paths-ignore: - - '**/*.md' - schedule: - - cron: '25 19 * * 2' +# on: +# push: +# branches: [ "main", "develop", "v1" ] +# pull_request: +# branches: [ "main", "develop", "v1" ] +# paths-ignore: +# - '**/*.md' +# schedule: +# - cron: '25 19 * * 2' -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write +# jobs: +# analyze: +# name: Analyze (${{ matrix.language }}) +# runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} +# permissions: +# # required for all workflows +# security-events: write - strategy: - fail-fast: false - matrix: - include: - - language: javascript-typescript - build-mode: none - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# strategy: +# fail-fast: false +# matrix: +# include: +# - language: javascript-typescript +# build-mode: none +# steps: +# - name: Checkout repository +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} +# # Initializes the CodeQL tools for scanning. 
+# - name: Initialize CodeQL +# uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 +# with: +# languages: ${{ matrix.language }} +# build-mode: ${{ matrix.build-mode }} - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 - with: - category: "/language:${{matrix.language}}" +# - name: Perform CodeQL Analysis +# uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 +# with: +# category: "/language:${{matrix.language}}" diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml index bd190b8c56..02aef6093a 100644 --- a/.github/workflows/lambda.yml +++ b/.github/workflows/lambda.yml 
@@ -1,40 +1,40 @@ -name: Build lambdas -on: - pull_request: - branches: - - main - paths: - - 'lambdas/**' +# name: Build lambdas +# on: +# pull_request: +# branches: +# - main +# paths: +# - 'lambdas/**' -jobs: - build: - runs-on: ubuntu-latest - strategy: - matrix: - node: [20] - container: - image: node:${{ matrix.node }} - defaults: - run: - working-directory: ./lambdas +# jobs: +# build: +# runs-on: ubuntu-latest +# strategy: +# matrix: +# node: [20] +# container: +# image: node:${{ matrix.node }} +# defaults: +# run: +# working-directory: ./lambdas - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Install dependencies - run: yarn install --frozen-lockfile - - name: Run prettier - run: yarn format-check - - name: Run linter - run: yarn lint - - name: Run tests - id: test - run: yarn test - - name: Build distribution - run: yarn build - - name: Upload coverage report - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 - if: ${{ failure() }} - with: - name: coverage-reports - path: ./**/coverage - retention-days: 5 +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: Install dependencies +# run: yarn install --frozen-lockfile +# - name: Run prettier +# run: yarn format-check +# - name: Run linter +# run: yarn lint +# - name: Run tests +# id: test +# run: yarn test +# - name: Build distribution +# run: yarn build +# - name: Upload coverage report +# uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 +# if: ${{ failure() }} +# with: +# name: coverage-reports +# path: ./**/coverage +# retention-days: 5 diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml index 4251f892ff..d3949a65b3 100644 --- a/.github/workflows/packer-build.yml +++ b/.github/workflows/packer-build.yml 
@@ -1,34 +1,34 @@ -name: "Packer checks" -on: - push: - branches: - - main - pull_request: - paths: - - "images/**" - - ".github/workflows/packer-build.yml" - - "module/runners/templates/**" -env: - AWS_REGION: eu-west-1 - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -jobs: - verify_packer: - name: Verify packer - runs-on: ubuntu-latest - container: - image: index.docker.io/hashicorp/packer@sha256:12c441b8a3994e7df9f0e2692d9298f14c387e70bcc06139420977dbf80a137b # 1.11.2 - strategy: - matrix: - image: ["linux-al2023", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"] - defaults: - run: - working-directory: images/${{ matrix.image }} - steps: - - name: "Checkout" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: packer init - run: packer init . - - name: check packer formatting - run: packer fmt -recursive -check=true . - - name: packer validate - run: packer validate -evaluate-datasources . +# name: "Packer checks" +# on: +# push: +# branches: +# - main +# pull_request: +# paths: +# - "images/**" +# - ".github/workflows/packer-build.yml" +# - "module/runners/templates/**" +# env: +# AWS_REGION: eu-west-1 +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# jobs: +# verify_packer: +# name: Verify packer +# runs-on: ubuntu-latest +# container: +# image: index.docker.io/hashicorp/packer@sha256:12c441b8a3994e7df9f0e2692d9298f14c387e70bcc06139420977dbf80a137b # 1.11.2 +# strategy: +# matrix: +# image: ["linux-al2023", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"] +# defaults: +# run: +# working-directory: images/${{ matrix.image }} +# steps: +# - name: "Checkout" +# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: packer init +# run: packer init . +# - name: check packer formatting +# run: packer fmt -recursive -check=true . +# - name: packer validate +# run: packer validate -evaluate-datasources . 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6832970c3f..8cc4d3057a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,48 +1,48 @@ -name: Release build -on: - push: - branches: - - main - - v1 - workflow_dispatch: +# name: Release build +# on: +# push: +# branches: +# - main +# - v1 +# workflow_dispatch: -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: - contents: write - actions: write - steps: - - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Build dist - working-directory: lambdas - run: yarn install --frozen-lockfile && yarn run test && yarn dist - - name: Get installation token - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 - id: token - with: - app-id: ${{ secrets.FOREST_RELEASER_APP_ID }} - private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} - - name: Extract branch name - id: branch - shell: bash - run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT - - name: Release - id: release - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 - with: - target-branch: ${{ steps.branch.outputs.name }} - release-type: terraform-module - token: ${{ steps.token.outputs.token }} - - name: Upload Release Asset - if: ${{ steps.release.outputs.releases_created == 'true' }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - for f in $(find . 
-name '*.zip'); do - gh release upload ${{ steps.release.outputs.tag_name }} $f - done +# jobs: +# release: +# name: Release +# runs-on: ubuntu-latest +# permissions: +# contents: write +# actions: write +# steps: +# - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 +# with: +# node-version: 20 +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - name: Build dist +# working-directory: lambdas +# run: yarn install --frozen-lockfile && yarn run test && yarn dist +# - name: Get installation token +# uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0 +# id: token +# with: +# app-id: ${{ secrets.FOREST_RELEASER_APP_ID }} +# private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }} +# - name: Extract branch name +# id: branch +# shell: bash +# run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT +# - name: Release +# id: release +# uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 +# with: +# target-branch: ${{ steps.branch.outputs.name }} +# release-type: terraform-module +# token: ${{ steps.token.outputs.token }} +# - name: Upload Release Asset +# if: ${{ steps.release.outputs.releases_created == 'true' }} +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# run: | +# for f in $(find . -name '*.zip'); do +# gh release upload ${{ steps.release.outputs.tag_name }} $f +# done diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml index 886aa2e349..cbe7955155 100644 --- a/.github/workflows/semantic-check.yml +++ b/.github/workflows/semantic-check.yml 
@@ -1,24 +1,24 @@ -name: "Semantic Check" -on: - pull_request_target: - types: - - opened - - edited - - synchronize -permissions: - contents: read - pull-requests: read -jobs: - main: - name: Semantic Commit Message Check - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 - name: Check PR for Semantic Commit Message - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - requireScope: false - validateSingleCommit: true - ignoreLabels: release merge +# name: "Semantic Check" +# on: +# pull_request_target: +# types: +# - opened +# - edited +# - synchronize +# permissions: +# contents: read +# pull-requests: read +# jobs: +# main: +# name: Semantic Commit Message Check +# runs-on: ubuntu-latest +# steps: +# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +# - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 +# name: Check PR for Semantic Commit Message +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# with: +# requireScope: false +# validateSingleCommit: true +# ignoreLabels: release merge diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9e3f86ef33..a4b85f76c2 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,24 +1,24 @@ -name: "Stale issue and PR workflow" -on: - schedule: - - cron: "30 1 * * *" - workflow_dispatch: -permissions: - issues: write - pull-requests: write -jobs: - stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - stale-issue-message: > - This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. +# name: "Stale issue and PR workflow" +# on: +# schedule: +# - cron: "30 1 * * *" +# workflow_dispatch: +# permissions: +# issues: write +# pull-requests: write +# jobs: +# stale: +# runs-on: ubuntu-latest +# steps: +# - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 +# with: +# stale-issue-message: > +# This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. +# stale-pr-message: > +# This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions. - days-before-stale: 90 - days-before-close: 14 - close-issue-label: "abandoned" - exempt-issue-labels: "stale:exempt" +# days-before-stale: 90 +# days-before-close: 14 +# close-issue-label: "abandoned" +# exempt-issue-labels: "stale:exempt" diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index f4226c4270..fb978a54b1 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
@@ -1,182 +1,182 @@
-name: "Terraform checks"
-on:
- push:
- branches:
- - main
- pull_request:
- paths: ["**/*.tf", "**/*.hcl", ".github/workflows/terraform.yml"]
+# name: "Terraform checks"
+# on:
+# push:
+# branches:
+# - main
+# pull_request:
+# paths: ["**/*.tf", "**/*.hcl", ".github/workflows/terraform.yml"]
-permissions:
- contents: read
- pull-requests: write
+# permissions:
+# contents: read
+# pull-requests: write
-env:
- AWS_REGION: eu-west-1
-jobs:
- verify_module:
- name: Verify module
- strategy:
- matrix:
- terraform: [1.5.6, "latest"]
- runs-on: ubuntu-latest
- container:
- image: hashicorp/terraform:${{ matrix.terraform }}
- steps:
- - name: "Checkout"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: "Fake zip files" # Validate will fail if it cannot find the zip files
- run: |
- touch lambdas/functions/webhook/webhook.zip
- touch lambdas/functions/control-plane/runners.zip
- touch lambdas/functions/gh-agent-syncer/runner-binaries-syncer.zip
- touch lambdas/functions/ami-housekeeper/ami-housekeeper.zip
- touch lambdas/functions/termination-watcher/termination-watcher.zip
- - name: terraform init
- run: terraform init -get -backend=false -input=false
- - if: contains(matrix.terraform, '1.5.')
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- continue-on-error: true
- - name: validate terraform
- run: terraform validate
- - if: contains(matrix.terraform, '1.5.')
- name: Fix for actions/cache on alpine
- run: apk add --no-cache tar
- continue-on-error: true
- - if: contains(matrix.terraform, '1.5.')
- uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
- name: Cache TFLint plugin dir
- with:
- path: ~/.tflint.d/plugins
- key: tflint-${{
hashFiles('.tflint.hcl') }}
- - if: contains(matrix.terraform, '1.5.')
- name: Setup TFLint
- uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- - if: contains(matrix.terraform, '1.5.')
- name: Run TFLint
- run: |
- tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl
- tflint -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars
+# env:
+# AWS_REGION: eu-west-1
+# jobs:
+# verify_module:
+# name: Verify module
+# strategy:
+# matrix:
+# terraform: [1.5.6, "latest"]
+# runs-on: ubuntu-latest
+# container:
+# image: hashicorp/terraform:${{ matrix.terraform }}
+# steps:
+# - name: "Checkout"
+# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# - name: "Fake zip files" # Validate will fail if it cannot find the zip files
+# run: |
+# touch lambdas/functions/webhook/webhook.zip
+# touch lambdas/functions/control-plane/runners.zip
+# touch lambdas/functions/gh-agent-syncer/runner-binaries-syncer.zip
+# touch lambdas/functions/ami-housekeeper/ami-housekeeper.zip
+# touch lambdas/functions/termination-watcher/termination-watcher.zip
+# - name: terraform init
+# run: terraform init -get -backend=false -input=false
+# - if: contains(matrix.terraform, '1.5.')
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# continue-on-error: true
+# - name: validate terraform
+# run: terraform validate
+# - if: contains(matrix.terraform, '1.5.')
+# name: Fix for actions/cache on alpine
+# run: apk add --no-cache tar
+# continue-on-error: true
+# - if: contains(matrix.terraform, '1.5.')
+# uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
+# name: Cache TFLint plugin dir
+# with:
+# path: ~/.tflint.d/plugins
+# key: tflint-${{ hashFiles('.tflint.hcl') }}
+# - if: contains(matrix.terraform, '1.5.')
+# name: Setup TFLint
+# uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0
+# with:
+# github_token: ${{ secrets.GITHUB_TOKEN }}
+# - if: contains(matrix.terraform, '1.5.')
+# name: Run TFLint
+# run: |
+# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl
+# tflint -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars
- verify_modules:
- name: Verify modules
- strategy:
- fail-fast: false
- matrix:
- terraform: [1.5.6, "latest"]
- module:
- [
- "ami-housekeeper",
- "download-lambda",
- "lambda",
- "multi-runner",
- "runner-binaries-syncer",
- "runners",
- "setup-iam-permissions",
- "ssm",
- "termination-watcher",
- "webhook",
- ]
- defaults:
- run:
- working-directory: modules/${{ matrix.module }}
- runs-on: ubuntu-latest
- container:
- image: hashicorp/terraform:${{ matrix.terraform }}
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: terraform init
- run: terraform init -get -backend=false -input=false
- - if: contains(matrix.terraform, '1.3.')
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- continue-on-error: true
- name: validate terraform
- run: terraform validate
- - if: contains(matrix.terraform, '1.3.')
- name: Fix for actions/cache on alpine
- run: apk add --no-cache tar
- continue-on-error: true
- - if: contains(matrix.terraform, '1.3.')
- uses: actions/cache@v4
- name: Cache TFLint plugin dir
- with:
- path: ~/.tflint.d/plugins
- key: tflint-${{ hashFiles('.tflint.hcl') }}
- - if: contains(matrix.terraform, '1.3.')
- name: Setup TFLint
- uses:
terraform-linters/setup-tflint@v4
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- - if: contains(matrix.terraform, '1.3.')
- name: Run TFLint
- working-directory: ${{ github.workspace }}
- run: |
- tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
- tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }}
+# verify_modules:
+# name: Verify modules
+# strategy:
+# fail-fast: false
+# matrix:
+# terraform: [1.5.6, "latest"]
+# module:
+# [
+# "ami-housekeeper",
+# "download-lambda",
+# "lambda",
+# "multi-runner",
+# "runner-binaries-syncer",
+# "runners",
+# "setup-iam-permissions",
+# "ssm",
+# "termination-watcher",
+# "webhook",
+# ]
+# defaults:
+# run:
+# working-directory: modules/${{ matrix.module }}
+# runs-on: ubuntu-latest
+# container:
+# image: hashicorp/terraform:${{ matrix.terraform }}
+# steps:
+# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# - name: terraform init
+# run: terraform init -get -backend=false -input=false
+# - if: contains(matrix.terraform, '1.3.')
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# continue-on-error: true
+# - name: validate terraform
+# run: terraform validate
+# - if: contains(matrix.terraform, '1.3.')
+# name: Fix for actions/cache on alpine
+# run: apk add --no-cache tar
+# continue-on-error: true
+# - if: contains(matrix.terraform, '1.3.')
+# uses: actions/cache@v4
+# name: Cache TFLint plugin dir
+# with:
+# path: ~/.tflint.d/plugins
+# key: tflint-${{ hashFiles('.tflint.hcl') }}
+# - if: contains(matrix.terraform, '1.3.')
+# name: Setup TFLint
+# uses: terraform-linters/setup-tflint@v4
+# with:
+#
github_token: ${{ secrets.GITHUB_TOKEN }}
+# - if: contains(matrix.terraform, '1.3.')
+# name: Run TFLint
+# working-directory: ${{ github.workspace }}
+# run: |
+# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
+# tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }}
- verify_examples:
- name: Verify examples
- strategy:
- fail-fast: false
- matrix:
- terraform: [1.5.6, "latest"]
- example:
- [
- "default",
- "ubuntu",
- "prebuilt",
- "arm64",
- "ephemeral",
- "termination-watcher",
- "windows",
- "multi-runner",
- ]
- defaults:
- run:
- working-directory: examples/${{ matrix.example }}
- runs-on: ubuntu-latest
- container:
- image: hashicorp/terraform:${{ matrix.terraform }}
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: terraform init
- run: terraform init -get -backend=false -input=false
- - if: contains(matrix.terraform, '1.5.')
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
- name: check terraform formatting
- run: terraform fmt -recursive -check=true -write=false
- continue-on-error: true
- name: validate terraform
- run: terraform validate
- - if: contains(matrix.terraform, '1.5.')
- name: Fix for actions/cache on alpine
- run: apk add --no-cache tar
- continue-on-error: true
- - if: contains(matrix.terraform, '1.5.')
- uses: actions/cache@v4
- name: Cache TFLint plugin dir
- with:
- path: ~/.tflint.d/plugins
- key: tflint-${{ hashFiles('.tflint.hcl') }}
- - if: contains(matrix.terraform, '1.5.')
- name: Setup TFLint
- uses: terraform-linters/setup-tflint@v4
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- - if: contains(matrix.terraform, '1.5.')
- name: Run TFLint
- working-directory: ${{ github.workspace }}
-
run: |
- tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
- tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }}
+# verify_examples:
+# name: Verify examples
+# strategy:
+# fail-fast: false
+# matrix:
+# terraform: [1.5.6, "latest"]
+# example:
+# [
+# "default",
+# "ubuntu",
+# "prebuilt",
+# "arm64",
+# "ephemeral",
+# "termination-watcher",
+# "windows",
+# "multi-runner",
+# ]
+# defaults:
+# run:
+# working-directory: examples/${{ matrix.example }}
+# runs-on: ubuntu-latest
+# container:
+# image: hashicorp/terraform:${{ matrix.terraform }}
+# steps:
+# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# - name: terraform init
+# run: terraform init -get -backend=false -input=false
+# - if: contains(matrix.terraform, '1.5.')
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# - if: contains(matrix.terraform, 'latest') # check formatting for the latest release but avoid failing the build
+# name: check terraform formatting
+# run: terraform fmt -recursive -check=true -write=false
+# continue-on-error: true
+# - name: validate terraform
+# run: terraform validate
+# - if: contains(matrix.terraform, '1.5.')
+# name: Fix for actions/cache on alpine
+# run: apk add --no-cache tar
+# continue-on-error: true
+# - if: contains(matrix.terraform, '1.5.')
+# uses: actions/cache@v4
+# name: Cache TFLint plugin dir
+# with:
+# path: ~/.tflint.d/plugins
+# key: tflint-${{ hashFiles('.tflint.hcl') }}
+# - if: contains(matrix.terraform, '1.5.')
+# name: Setup TFLint
+# uses: terraform-linters/setup-tflint@v4
+# with:
+# github_token: ${{ secrets.GITHUB_TOKEN }}
+# - if: contains(matrix.terraform, '1.5.')
+# name: Run TFLint
+# working-directory: ${{ github.workspace }}
+# run: |
+# tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
+#
tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }}
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
index e5c49baddc..d9b32695df 100644
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -1,76 +1,76 @@
-name: Update docs
-on:
- push:
- paths:
- - "**/*.tf"
- - "**/*.md"
- - ".github/workflows/update-docs.yml"
+# name: Update docs
+# on:
+# push:
+# paths:
+# - "**/*.tf"
+# - "**/*.md"
+# - ".github/workflows/update-docs.yml"
-permissions:
- contents: write
- pull-requests: write
+# permissions:
+# contents: write
+# pull-requests: write
-jobs:
- docs:
- name: Auto update terraform docs
- runs-on: ubuntu-latest
- steps:
- - name: Checkout with GITHUB Action token
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
+# jobs:
+# docs:
+# name: Auto update terraform docs
+# runs-on: ubuntu-latest
+# steps:
+# - name: Checkout with GITHUB Action token
+# uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# with:
+# token: ${{ secrets.GITHUB_TOKEN }}
- # use an app to ensure CI is triggered
- - name: Generate TF docs
- if: github.repository_owner == 'philips-labs'
- uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
- with:
- find-dir: .
- git-commit-message: "docs: auto update terraform docs"
- git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
- git-push-user-name: philips-labs-pr|bot
- git-push-user-email: "philips-labs-pr[bot]@users.noreply.github.com"
+# # use an app to ensure CI is triggered
+# - name: Generate TF docs
+# if: github.repository_owner == 'philips-labs'
+# uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
+# with:
+# find-dir: .
+# git-commit-message: "docs: auto update terraform docs"
+# git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
+# git-push-user-name: philips-labs-pr|bot
+# git-push-user-email: "philips-labs-pr[bot]@users.noreply.github.com"
- - name: Generate TF docs (forks)
- if: github.repository_owner != 'philips-labs'
- uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
- with:
- find-dir: .
- git-commit-message: "docs: auto update terraform docs"
- git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
+# - name: Generate TF docs (forks)
+# if: github.repository_owner != 'philips-labs'
+# uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
+# with:
+# find-dir: .
+# git-commit-message: "docs: auto update terraform docs"
+# git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
- # change docs via PR in case of locked main branch
- - name: Create Pull Request (main branch only)
- if: github.ref == 'refs/heads/main' && github.repository_owner == 'philips-labs'
- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- commit-message: "docs: auto update terraform docs"
- title: "docs: Update Terraform docs"
- branch: update-docs
- branch-suffix: random
- base: ${{ github.event.pull_request.base.ref }}
- delete-branch: true
+# # change docs via PR in case of locked main branch
+# - name: Create Pull Request (main branch only)
+# if: github.ref == 'refs/heads/main' && github.repository_owner == 'philips-labs'
+# uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+# with:
+# token: ${{ secrets.GITHUB_TOKEN }}
+# commit-message: "docs: auto update terraform docs"
+# title: "docs: Update Terraform docs"
+# branch: update-docs
+# branch-suffix: random
+# base: ${{
github.event.pull_request.base.ref }}
+# delete-branch: true
- deploy-pages:
- needs: [docs]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Configure Git Credentials
- run: |
- git config user.name github-actions[bot]
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- with:
- python-version: 3.x
- - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
- - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
- with:
- key: mkdocs-material-${{ env.cache_id }}
- path: .cache
- restore-keys: |
- mkdocs-material-
- - run: pip install mkdocs-material
- - run: pip install mkdocs-material-extensions
- - run: mkdocs gh-deploy --force -c -b gh-pages
+# deploy-pages:
+# needs: [docs]
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+# - name: Configure Git Credentials
+# run: |
+# git config user.name github-actions[bot]
+# git config --global user.email "github-actions[bot]@users.noreply.github.com"
+# - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+# with:
+# python-version: 3.x
+# - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+# - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+# with:
+# key: mkdocs-material-${{ env.cache_id }}
+# path: .cache
+# restore-keys: |
+# mkdocs-material-
+# - run: pip install mkdocs-material
+# - run: pip install mkdocs-material-extensions
+# - run: mkdocs gh-deploy --force -c -b gh-pages
From 9b5e0edd212c6f7f0c10f25c6aa3a755360c6b8d Mon Sep 17 00:00:00 2001
From: Karin Swanson
Date: Thu, 5 Dec 2024 17:35:59 -0600
Subject: [PATCH 7/8] add output var
---
 .github/workflows/sync-fork.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml
index 921b84b4ac..2bff64b26d 100644
--- a/.github/workflows/sync-fork.yaml
+++ b/.github/workflows/sync-fork.yaml
@@ -33,6 +33,7 @@ jobs: echo "Latest upstream tag: $LATEST_TAG" echo "upstream_tag=$LATEST_TAG" >> $GITHUB_ENV + echo "upstream_tag=$LATEST_TAG" >> $GITHUB_OUTPUT - name: Compare Image Tags id: compare-tags shell: bash
From af8a6b2b59f11831a08df8677d5ac53d7ea39ddb Mon Sep 17 00:00:00 2001
From: Karin Swanson
Date: Fri, 6 Dec 2024 10:10:22 -0600
Subject: [PATCH 8/8] update aws session
---
 .github/workflows/sync-fork.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sync-fork.yaml b/.github/workflows/sync-fork.yaml
index 2bff64b26d..af775bc41a 100644
--- a/.github/workflows/sync-fork.yaml
+++ b/.github/workflows/sync-fork.yaml
@@ -130,7 +130,7 @@ jobs: with: aws-region: us-east-1 role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID_ORG }}:role/external/github_actions - role-session-name: tmchanges_assume_github_actions_role + role-session-name: syncfork_assume_github_actions_role output-credentials: true - name: Assume AWS Credentials
@@ -139,6 +139,7 @@ jobs: aws-region: us-east-1 aws-access-key-id: ${{ steps.oidc-creds.outputs.aws-access-key-id }} aws-secret-access-key: ${{ steps.oidc-creds.outputs.aws-secret-access-key }} + aws-session-token: ${{ steps.oidc-creds.outputs.aws-session-token }} - name: Upload zips to S3 run: |
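Review bot: The added `echo "upstream_tag=$LATEST_TAG" >> $GITHUB_OUTPUT` publishes the value without checking that the lookup which sets LATEST_TAG (above the hunk; the step body starts outside it) actually succeeded, so a failed or empty API response would hand an empty string or a literal `null` to every job that consumes this output. Guard it before writing, e.g. `if [ -z "$LATEST_TAG" ] || [ "$LATEST_TAG" = "null" ]; then echo "::error::could not resolve upstream tag"; exit 1; fi`. Since `$GITHUB_OUTPUT` is a line-oriented `key=value` file and the tag name is third-party data, also constraining it to the expected shape, `[[ "$LATEST_TAG" =~ ^v?[0-9]+(\.[0-9]+)+$ ]] || exit 1`, keeps an unexpected tag string from becoming extra output keys. The context line still writes the same value to `$GITHUB_ENV`; if the job-level output is now the only consumer, that line is presumably redundant.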
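Review bot: The new `aws-session-token` input is not explained, and the step it belongs to ("Assume AWS Credentials") starts outside the hunk, so a reader who sees a key id and secret handed from one credentials step to another has no hint that the third value is what makes the fix work. A comment above the three `aws-*` inputs such as `# the OIDC step yields temporary STS credentials; key id, secret and session token are only valid together` would record why this line exists. It is also worth confirming that the step producing `steps.oidc-creds.outputs.*` masks these values in the job log, since they now pass through step outputs rather than the environment.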