From 8ea6d90392c77c526ee5aaa290d70c46dd4a7ebe Mon Sep 17 00:00:00 2001
From: Kevin Hellemun <17928966+OGKevin@users.noreply.github.com>
Date: Mon, 30 Oct 2023 13:26:20 +0100
Subject: [PATCH] chore: update repo configuration
---
.drone-templates | 1 +
.drone.jsonnet | 135 +++++++++++++
.drone.yml | 517 +++++++++++++++++++++++++++++++++++++++++++++++
.gitignore | 1 +
.gitmodules | 3 +
.policy.yml | 39 ++++
6 files changed, 696 insertions(+)
create mode 160000 .drone-templates
create mode 100644 .drone.jsonnet
create mode 100644 .drone.yml
create mode 100644 .gitmodules
create mode 100644 .policy.yml
diff --git a/.drone-templates b/.drone-templates
new file mode 160000
index 0000000..b14fdc4
--- /dev/null
+++ b/.drone-templates
@@ -0,0 +1 @@
+Subproject commit b14fdc40e204f9d15da576452cbfe67446c3668f
diff --git a/.drone.jsonnet b/.drone.jsonnet
new file mode 100644
index 0000000..35d21e5
--- /dev/null
+++ b/.drone.jsonnet
@@ -0,0 +1,135 @@ +local common = import '.drone-templates/common.libsonnet'; +local images = import '.drone-templates/images.libsonnet'; +local jsonnet = import '.drone-templates/jsonnet.libsonnet'; +local renovate = import '.drone-templates/renovate.libsonnet'; + +local nodeImage = 'node:18-buster'; + +local koboPipeline = [ + common.defaultPushTrigger + common.platform + { + kind: 'pipeline', + name: 'npm', + type: 'docker', + steps: [ + { + name: 'set aws credentials', + image: images.debian.image + ':' + images.debian.version, + environment: { + CONFIG: { + from_secret: 'aws', + }, + }, + commands: [ + 'echo "$CONFIG" > /root/.aws/credentials', + ], + volumes: [ + { + name: 'aws-config', + path: '/root/.aws', + }, + ], + }, + { + name: 'copy kobo database', + image: 'docker.io/amazon/aws-cli:2.13.15@sha256:ac2c7d3827a8fef1024357ada9c6ccd8d0ce098a85cffd6803a52bb8cb4842ed', + commands: [ + 'aws --endpoint-url http://100.82.97.39:9000 s3 cp s3://repo-obsidian-kobo-highlights-import/KoboReader.sqlite /drone/src/KoboReader.sqlite', + ], + volumes: [ + { + name: 'aws-config', + path: '/root/.aws', + }, + ], + }, + { + name: 'install', + image: nodeImage, + volumes: [ + { + name: 'node_modules', + path: '/drone/src/node_modules', + }, + ], + commands: [ + 'npm install', + ], + }, + { + name: 'lint', + image: nodeImage, + volumes: [ + { + name: 'node_modules', + path: '/drone/src/node_modules', + }, + ], + commands: [ + 'npm run lint', + ], + depends_on: [ + 'install', + ], + }, + { + name: 'test', + image: nodeImage, + volumes: [ + { + name: 'node_modules', + path: '/drone/src/node_modules', + }, + ], + commands: [ + 'npm run test', + ], + depends_on: [ + 'install', + 'copy kobo database', + ], + }, + { + name: 'build', + image: nodeImage, + volumes: [ + { + name: 'node_modules', + path: '/drone/src/node_modules', + }, + ], + commands: [ + 'npm run build', + ], + depends_on: [ + 'install', + ], + }, + ], + volumes: [ + { + name: 'node_modules', + host: { + path: 
'/tmp/node_modules/kobo', + }, + }, + { + name: 'aws-config', + temp: {}, + }, + ], + }, + { + kind: 'secret', + name: 'aws', + get: { + path: 'secret/data/ci/aws', + name: 'credentials', + }, + }, +]; + +renovate + jsonnet + koboPipeline + +[ + x[1] + for x in common.f.kv(common.secrets) +] diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..f99b18c --- /dev/null +++ b/.drone.yml 
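Review bot: The `node_modules` volume is a host path (`/tmp/node_modules/kobo`) reused by every run of the `npm` pipeline, and the pipeline triggers on pushes, so packages written by one build, including a build of an unmerged branch, are what the `lint`, `test` and `build` steps of later builds execute. Declaring it as `temp: {}`, the way `aws-config` is declared in the same `volumes` list, still shares the directory between the steps of one build but starts each build empty. Separately, `nodeImage` is the only image literal in this file without a digest; `local nodeImage = 'node:18-buster@sha256:<digest>';` (placeholder digest) would match how the `aws-cli` image is pinned. The `copy kobo database` step also reaches its S3 endpoint over plain `http://`; unless that address is only reachable over an encrypted overlay network, the downloaded database that the `test` step consumes can be altered in transit.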
@@ -0,0 +1,517 @@ +--- +{ + "kind": "pipeline", + "name": "renovate-push", + "platform": { + "arch": "arm64", + "os": "linux" + }, + "steps": [ + { + "commands": [ + "renovate-config-validator" + ], + "image": "renovate/renovate:37.13.3@sha256:d103ca33a98264d9367a2d5917b03ef4250a2cdd96a5c450fab983ddcfcfdb47", + "name": "validate config", + "user": "610:610" + }, + { + "commands": [ + "chown 610 /secret" + ], + "image": "debian:11@sha256:7a89d1fd045f797f2f34dd778bdf19335587357c3603859f2048f4c0285b06a8", + "name": "fix secrets ownership", + "volumes": [ + { + "name": "secret", + "path": "/secret" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + }, + { + "image": "rssnyder/drone-github-app:latest@sha256:5867cd348c73f1258b6b14f6139fb79d0d47cf36ad657e62166ebaef7e8eb0f7", + "name": "get app token", + "settings": { + "APP_ID": { + "from_secret": "github_app_id" + }, + "INSTALLATION": { + "from_secret": "github_installation_id" + }, + "PEM_B64": { + "from_secret": "github_private_key" + }, + "TOKEN_FILE": "/secret/gh-token.txt" + }, + "user": "610:610", + "volumes": [ + { + "name": "secret", + "path": "/secret" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + }, + { + "commands": [ + "export RENOVATE_TOKEN=\"$(cat /secret/gh-token.txt)\"", + "export GITHUB_COM_TOKEN=\"$(cat /secret/gh-token.txt)\"", + "consul kv get renovate/\"${DRONE_REPO}\"/.lock || consul lock -timeout 1m -child-exit-code \"renovate/${DRONE_REPO}\" docker-entrypoint.sh" + ], + "environment": { + "DOCKER_GHCR_IO_PASSWORD": { + "from_secret": "ghcr_token" + }, + "DOCKER_GHCR_IO_USERNAME": { + "from_secret": "ghcr_user" + }, + "LOG_LEVEL": "debug", + "RENOVATE_BASE_DIR": "/data", + "RENOVATE_DETECT_HOST_RULES_FROM_ENV": "true", + "RENOVATE_FORK_PROCESSING": "enabled", + "RENOVATE_GIT_AUTHOR": "OGKevin Robot <140143426+ogkevin-robot[bot]@users.noreply.github.com>", + "RENOVATE_ONBOARDING": "true", + "RENOVATE_PERSIST_REPO_DATA": "true", + "RENOVATE_PLATFORM_COMMIT": "true", 
+ "RENOVATE_REDIS_URL": "redis://${OG_REDIS_URL}/2", + "RENOVATE_REPOSITORIES": "${DRONE_REPO}", + "RENOVATE_REVIEWERS": "OGKevin", + "RENOVATE_USERNAME": "OGKevin-robot[bot]" + }, + "image": "renovate/renovate:37.13.3@sha256:d103ca33a98264d9367a2d5917b03ef4250a2cdd96a5c450fab983ddcfcfdb47", + "name": "renovate", + "user": "610:610", + "volumes": [ + { + "name": "secret", + "path": "/secret" + }, + { + "name": "consul", + "path": "/usr/local/bin/consul" + }, + { + "name": "renovate", + "path": "/data" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + } + ], + "trigger": { + "event": [ + "push", + "custom" + ] + }, + "type": "docker", + "volumes": [ + { + "name": "secret", + "temp": { } + }, + { + "host": { + "path": "/var/lib/nomad/volumes/renovate" + }, + "name": "renovate" + }, + { + "host": { + "path": "/usr/local/bin/consul" + }, + "name": "consul" + } + ] +} +--- +{ + "kind": "pipeline", + "name": "renovate-cron", + "platform": { + "arch": "arm64", + "os": "linux" + }, + "steps": [ + { + "commands": [ + "renovate-config-validator" + ], + "image": "renovate/renovate:37.13.3@sha256:d103ca33a98264d9367a2d5917b03ef4250a2cdd96a5c450fab983ddcfcfdb47", + "name": "validate config", + "user": "610:610" + }, + { + "commands": [ + "chown 610 /secret" + ], + "image": "debian:11@sha256:7a89d1fd045f797f2f34dd778bdf19335587357c3603859f2048f4c0285b06a8", + "name": "fix secrets ownership", + "volumes": [ + { + "name": "secret", + "path": "/secret" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + }, + { + "image": "rssnyder/drone-github-app:latest@sha256:5867cd348c73f1258b6b14f6139fb79d0d47cf36ad657e62166ebaef7e8eb0f7", + "name": "get app token", + "settings": { + "APP_ID": { + "from_secret": "github_app_id" + }, + "INSTALLATION": { + "from_secret": "github_installation_id" + }, + "PEM_B64": { + "from_secret": "github_private_key" + }, + "TOKEN_FILE": "/secret/gh-token.txt" + }, + "user": "610:610", + "volumes": [ + { + "name": "secret", + 
"path": "/secret" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + }, + { + "commands": [ + "export RENOVATE_TOKEN=\"$(cat /secret/gh-token.txt)\"", + "export GITHUB_COM_TOKEN=\"$(cat /secret/gh-token.txt)\"", + "consul kv get renovate/\"${DRONE_REPO}\"/.lock || consul lock -timeout 1m -child-exit-code \"renovate/${DRONE_REPO}\" docker-entrypoint.sh" + ], + "environment": { + "DOCKER_GHCR_IO_PASSWORD": { + "from_secret": "ghcr_token" + }, + "DOCKER_GHCR_IO_USERNAME": { + "from_secret": "ghcr_user" + }, + "LOG_LEVEL": "debug", + "RENOVATE_BASE_DIR": "/data", + "RENOVATE_DETECT_HOST_RULES_FROM_ENV": "true", + "RENOVATE_FORK_PROCESSING": "enabled", + "RENOVATE_GIT_AUTHOR": "OGKevin Robot <140143426+ogkevin-robot[bot]@users.noreply.github.com>", + "RENOVATE_ONBOARDING": "true", + "RENOVATE_PERSIST_REPO_DATA": "true", + "RENOVATE_PLATFORM_COMMIT": "true", + "RENOVATE_REDIS_URL": "redis://${OG_REDIS_URL}/2", + "RENOVATE_REPOSITORIES": "${DRONE_REPO}", + "RENOVATE_REVIEWERS": "OGKevin", + "RENOVATE_USERNAME": "OGKevin-robot[bot]" + }, + "image": "renovate/renovate:37.13.3@sha256:d103ca33a98264d9367a2d5917b03ef4250a2cdd96a5c450fab983ddcfcfdb47", + "name": "renovate", + "user": "610:610", + "volumes": [ + { + "name": "secret", + "path": "/secret" + }, + { + "name": "consul", + "path": "/usr/local/bin/consul" + }, + { + "name": "renovate", + "path": "/data" + } + ], + "when": { + "branch": [ + "main", + "master" + ] + } + } + ], + "trigger": { + "branch": [ + "main", + "master" + ], + "cron": [ + "renovate" + ], + "event": [ + "cron" + ] + }, + "type": "docker", + "volumes": [ + { + "name": "secret", + "temp": { } + }, + { + "host": { + "path": "/var/lib/nomad/volumes/renovate" + }, + "name": "renovate" + }, + { + "host": { + "path": "/usr/local/bin/consul" + }, + "name": "consul" + } + ] +} +--- +{ + "kind": "pipeline", + "name": "jsonnet", + "platform": { + "arch": "arm64", + "os": "linux" + }, + "steps": [ + { + "commands": [ + "git diff --name-only 
HEAD~1 | grep '.jsonnet$' | xargs -I{} jsonnetfmt -i {}", + "git diff --name-only HEAD~1 | grep '.libsonnet$' | xargs -I{} jsonnetfmt -i {}", + "git diff --exit-code" + ], + "image": "ghcr.io/ogkevin/jsonnet:latest@sha256:bf24a4427731e89b42014529918f122614b2ae96aa62adc7defe867e636f5dc7", + "name": "lint" + } + ], + "trigger": { + "event": [ + "custom", + "push" + ] + }, + "type": "docker" +} +--- +{ + "kind": "pipeline", + "name": "npm", + "platform": { + "arch": "arm64", + "os": "linux" + }, + "steps": [ + { + "commands": [ + "echo \"$CONFIG\" > /root/.aws/credentials" + ], + "environment": { + "CONFIG": { + "from_secret": "aws" + } + }, + "image": "debian:11@sha256:7a89d1fd045f797f2f34dd778bdf19335587357c3603859f2048f4c0285b06a8", + "name": "set aws credentials", + "volumes": [ + { + "name": "aws-config", + "path": "/root/.aws" + } + ] + }, + { + "commands": [ + "aws --endpoint-url http://100.82.97.39:9000 s3 cp s3://repo-obsidian-kobo-highlights-import/KoboReader.sqlite /drone/src/KoboReader.sqlite" + ], + "image": "docker.io/amazon/aws-cli:2.13.15@sha256:ac2c7d3827a8fef1024357ada9c6ccd8d0ce098a85cffd6803a52bb8cb4842ed", + "name": "copy kobo database", + "volumes": [ + { + "name": "aws-config", + "path": "/root/.aws" + } + ] + }, + { + "commands": [ + "npm install" + ], + "image": "node:18-buster", + "name": "install", + "volumes": [ + { + "name": "node_modules", + "path": "/drone/src/node_modules" + } + ] + }, + { + "commands": [ + "npm run lint" + ], + "depends_on": [ + "install" + ], + "image": "node:18-buster", + "name": "lint", + "volumes": [ + { + "name": "node_modules", + "path": "/drone/src/node_modules" + } + ] + }, + { + "commands": [ + "npm run test" + ], + "depends_on": [ + "install", + "copy kobo database" + ], + "image": "node:18-buster", + "name": "test", + "volumes": [ + { + "name": "node_modules", + "path": "/drone/src/node_modules" + } + ] + }, + { + "commands": [ + "npm run build" + ], + "depends_on": [ + "install" + ], + "image": 
"node:18-buster", + "name": "build", + "volumes": [ + { + "name": "node_modules", + "path": "/drone/src/node_modules" + } + ] + } + ], + "trigger": { + "event": [ + "custom", + "push" + ] + }, + "type": "docker", + "volumes": [ + { + "host": { + "path": "/tmp/node_modules/kobo" + }, + "name": "node_modules" + }, + { + "name": "aws-config", + "temp": { } + } + ] +} +--- +{ + "get": { + "name": "credentials", + "path": "secret/data/ci/aws" + }, + "kind": "secret", + "name": "aws" +} +--- +{ + "get": { + "name": "token", + "path": "secret/data/ci/dockerhub" + }, + "kind": "secret", + "name": "dockerhub_token" +} +--- +{ + "get": { + "name": "user", + "path": "secret/data/ci/dockerhub" + }, + "kind": "secret", + "name": "dockerhub_user" +} +--- +{ + "get": { + "name": "token", + "path": "secret/data/ci/ghcr" + }, + "kind": "secret", + "name": "ghcr_token" +} +--- +{ + "get": { + "name": "user", + "path": "secret/data/ci/ghcr" + }, + "kind": "secret", + "name": "ghcr_user" +} +--- +{ + "get": { + "name": "app_id", + "path": "secret/data/ci/github" + }, + "kind": "secret", + "name": "github_app_id" +} +--- +{ + "get": { + "name": "installation_id", + "path": "secret/data/ci/github" + }, + "kind": "secret", + "name": "github_installation_id" +} +--- +{ + "get": { + "name": "app_base64_private_key", + "path": "secret/data/ci/github" + }, + "kind": "secret", + "name": "github_private_key" +} +--- +kind: signature +hmac: 298f4691829addfbfef7cb437712b705289fca5f306ab17ee08077f597a5190c + +... diff --git a/.gitignore b/.gitignore index 9c7605f..17c9eb9 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ lib coverage .nyc_output KoboReader.sqlite +.drone-secrets diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..51f38f4 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule ".drone-templates"] + path = .drone-templates + url = git@github.com:OGKevin/drone-templates.git 
diff --git a/.policy.yml b/.policy.yml
new file mode 100644
index 0000000..bb0cff6
--- /dev/null
+++ b/.policy.yml
@@ -0,0 +1,39 @@
+policy:
+ approval:
+ - or:
+ - Kevin made a change
+ - Kevin approves
+ - Kevin helps bot and approves
+
+approval_rules:
+ - name: Kevin made a change
+ if:
+ has_author_in:
+ users: [ "OGKevin" ]
+ options:
+ allow_author: true
+ allow_contributor: true
+ - name: Kevin approves
+ options:
+ methods:
+ comments:
+ - "/lgtm"
+ github_review: true
+ requires:
+ count: 1
+ users: [ "OGKevin" ]
+ - name: Kevin helps bot and approves
+ if:
+ has_author_in:
+ users: [ "ogkevin-robot[bot]" ]
+ has_contributor_in:
+ users: [ "OGKevin" ]
+ options:
+ allow_non_author_contributor: true
+ methods:
+ comments:
+ - "/lgtm"
+ github_review: true
+ requires:
+ count: 1
+ users: [ "OGKevin" ]
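Review bot: The `Kevin approves` and `Kevin helps bot and approves` rules accept a `/lgtm` comment or a GitHub review but set no `invalidate_on_push`, so an approval given on one revision appears to keep counting for commits pushed to the pull request afterwards. Adding `invalidate_on_push: true` under each rule's `options` would tie the approval to the commits that were actually reviewed. This matters most for the bot-authored rule, where the branch can be updated automatically after the `/lgtm` was given.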