Merge branch 'main' into feat/refactor_data_sources

deploymenttheory · Dec 23, 2024 · ab2f5c9 · ab2f5c9
2 parents 3da450d + f0638b1
commit ab2f5c9
Show file tree

Hide file tree

Showing 19 changed files with 875 additions and 100 deletions.
diff --git a/.github/workflows/api-privileges-maintenance.yml b/.github/workflows/api-privileges-maintenance.yml
@@ -25,8 +25,14 @@ jobs:
   update-api-privileges:
     runs-on: ubuntu-latest
     steps:
+
+    - name: Harden Runner
+      uses: step-security/[email protected]
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4.1.7
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Go
       uses: actions/[email protected]

diff --git a/.github/workflows/app-installers-maintenance.yml b/.github/workflows/app-installers-maintenance.yml
@@ -15,8 +15,14 @@ jobs:
   update-app-catalog-app-installer-titles:
     runs-on: ubuntu-latest
     steps:
+
+    - name: Harden Runner
+      uses: step-security/[email protected]
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4.1.7
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Go
       uses: actions/[email protected]

diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -0,0 +1,25 @@
+name: Auto-Merge Dependabot
+
+on:
+  pull_request:
+
+jobs:
+  auto-merge:
+    name: '🤖 Auto-Merge Dependabot'
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/[email protected]
+        with:
+          egress-policy: audit
+
+      - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - uses: ahmadnassri/[email protected]
+        with:
+          target: minor
+          github-token: ${{ secrets.DEPENDABOT_PAT }}
diff --git a/.github/workflows/code-check-and-tests.yaml b/.github/workflows/code-check-and-tests.yaml
@@ -23,11 +23,21 @@ jobs:
     runs-on: ubuntu-20.04
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+
+      - name: Harden Runner
+        uses: step-security/[email protected]
+        with:
+          egress-policy: audit
+
+      - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           cache: true
+
       - name: get dependencies
         run: |
           go mod tidy

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -39,8 +39,15 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/[email protected]
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/[email protected]
+      with:
+        fetch-depth: 0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/dependancy-review.yml b/.github/workflows/dependancy-review.yml
@@ -0,0 +1,24 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    name: '🔎 Dependency Review'
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Harden Runner
+        uses: step-security/[email protected]
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
@@ -0,0 +1,94 @@
+name: Generate Docs
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '.github/**/*'
+      - 'scripts/**/*'
+  workflow_dispatch:
+
+permissions:
+  contents: write  # Required to update documentation in the repo
+  pull-requests: write
+
+jobs:
+  provider-docs:
+    name: '📚 Generate Go and TF Provider Docs'
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Harden Runner
+      uses: step-security/[email protected]
+      with:
+        egress-policy: audit
+
+    - uses: actions/[email protected]
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - uses: actions/[email protected]
+      with:
+        cache: true
+        go-version-file: 'go.mod'
+
+    - uses: hashicorp/[email protected]
+      with:
+        terraform_version: '1.10.2'
+        terraform_wrapper: true
+
+    # Creates provider documentation for godoc.org and pkg.go.dev
+    - name: 'go generate'
+      run: go generate ./...
+
+    # Format all Terraform files
+    - name: Format Terraform files
+      run: |
+        find . -type f -name "*.tf" -exec terraform fmt {} \;
+    
+    # Creates provider documentation for Terraform
+    - name: Render terraform docs and push changes back to PR
+      uses: terraform-docs/[email protected]
+      with:
+        working-dir: examples/
+        git-push: "true"
+        output-format: markdown document
+        output-file: USAGE.md
+        output-method: replace
+        args: --sensitive=false --hide requirements --required=false
+        indention: 3
+        config-file: .terraform-docs.yml
+
+    - name: Generate tf docs
+      run: |
+        go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs
+        cd $GITHUB_WORKSPACE
+        tfplugindocs generate --examples-dir $GITHUB_WORKSPACE/examples
+
+    - name: Check for changes in generated Go docs and formatted Terraform files
+      id: go-gen-check
+      run: |
+        if [[ -n $(git status --porcelain) ]]; then
+          echo "changes=true" >> $GITHUB_OUTPUT
+        else
+          echo "changes=false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Commit changes in Go + provider docs and Terraform formatting
+      if: steps.go-gen-check.outputs.changes == 'true'
+      uses: stefanzweifel/[email protected]
+      with:
+        commit_message: "chore: update go documentation, provider documentation and format terraform files"
+        file_pattern: '**/*.go **/*.tf docs/**/*'
+
+        commit_options: '--no-verify --signoff'
+        commit_user_name: "GitHub Actions Bot"
+        commit_user_email: "github-actions[bot]@users.noreply.github.com"
+        commit_author: "GitHub Actions Bot <github-actions[bot]@users.noreply.github.com>"
+        status_options: '--untracked-files=no'
+        add_options: '-u'
+        push_options: '--force'
+        skip_dirty_check: false
+        skip_fetch: true
+        skip_checkout: true
diff --git a/.github/workflows/gosec-scan.yml b/.github/workflows/gosec-scan.yml
@@ -16,8 +16,16 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - name: Checkout Source
-        uses: actions/[email protected]
+
+      - name: Harden Runner
+        uses: step-security/[email protected]
+        with:
+          egress-policy: audit
+
+      - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
       - name: Run Gosec Security Scanner
         uses: securego/[email protected]
         with:

diff --git a/.github/workflows/pr-title-validation.yml b/.github/workflows/pr-title-validation.yml
@@ -0,0 +1,48 @@
+name: PR Title Validation
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+
+jobs:
+  validate-pr-title:
+    name: '✅ Validate PR Title'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR Title
+        run: |
+          PR_TITLE="${{ github.event.pull_request.title }}"
+          PATTERN="^(([Ff]eat|[Ff]ix|[Dd]ocs|[Ss]tyle|[Rr]efactor|[Tt]est|[Cc]hore|[Bb]uild|[Cc]i|[Pp]erf)(\(.+\))?: .+|dependabot.*)$"
+          
+          if ! echo "$PR_TITLE" | grep -qE "$PATTERN"; then
+            echo "❌ ERROR: Invalid PR title format"
+            echo ""
+            echo "Got PR title: $PR_TITLE"
+            echo ""
+            echo "PR titles must:"
+            echo "1. Start with one of these prefixes (case-insensitive first letter):"
+            echo "   - feat     / Feat     (for new features)"
+            echo "   - fix      / Fix      (for bug fixes)"
+            echo "   - docs     / Docs     (for documentation)"
+            echo "   - style    / Style    (for formatting)"
+            echo "   - refactor / Refactor (for code restructuring)"
+            echo "   - test     / Test     (for adding tests)"
+            echo "   - chore    / Chore    (for maintenance)"
+            echo "   - build    / Build    (for build system)"
+            echo "   - ci       / CI       (for CI/CD)"
+            echo "   - perf     / Perf     (for performance)"
+            echo ""
+            echo "2. Optionally include a scope in parentheses after the type"
+            echo ""
+            echo "3. Include a description after a colon and space"
+            echo ""
+            echo "Examples:"
+            echo "✅ feat: add new resource"
+            echo "✅ feat(api): add new endpoint"
+            echo "✅ fix: resolve connection timeout"
+            echo "✅ fix(database): fix query performance"
+            echo "✅ dependabot: bump lodash from 4.17.20 to 4.17.21"
+            exit 1
+          fi
+          
+          echo "✅ PR title '$PR_TITLE' follows the conventional commit format and is compatible with the release-please"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -25,7 +25,16 @@
       runs-on: ubuntu-latest
       timeout-minutes: 5
       steps:
-        - uses: actions/checkout@v4
+
+        - name: Harden Runner
+          uses: step-security/[email protected]
+          with:
+            egress-policy: audit
+
+        - uses: actions/[email protected]
+          with:
+            fetch-depth: 0
+
         - uses: actions/setup-go@v5
           with:
             go-version-file: 'go.mod'
@@ -36,11 +45,21 @@
     generate:
       runs-on: ubuntu-latest
       steps:
-        - uses: actions/checkout@v4
+
+        - name: Harden Runner
+          uses: step-security/[email protected]
+          with:
+            egress-policy: audit
+
+        - uses: actions/[email protected]
+          with:
+            fetch-depth: 0
+
         - uses: actions/setup-go@v5
           with:
             go-version-file: 'go.mod'
             cache: true
+
         - run: go generate ./...
         - name: git diff
           run: |

diff --git a/.github/workflows/user-account-maintenance.yml b/.github/workflows/user-account-maintenance.yml
@@ -26,8 +26,14 @@ jobs:
   update-user-account-privileges:
     runs-on: ubuntu-latest
     steps:
+
+    - name: Harden Runner
+      uses: step-security/[email protected]
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4.1.7
+      uses: actions/checkout@v4.2.2
 
     - name: Set up Go
       uses: actions/[email protected]