-
Notifications
You must be signed in to change notification settings - Fork 1
/
.projenrc.ts
57 lines (48 loc) · 1.65 KB
/
.projenrc.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
import { CdklabsTypeScriptProject } from 'cdklabs-projen-project-types';
import { JsonFile } from 'projen';
const PROJEN_UPGRADE_SECRET = 'PROJEN_GITHUB_TOKEN';
const project = new CdklabsTypeScriptProject({
stability: 'stable',
private: false,
defaultReleaseBranch: 'main',
name: 'aws-secrets-github-sync',
projenrcTs: true,
repository: 'https://github.com/cdklabs/aws-secrets-github-sync.git',
authorEmail: 'aws-cdk-dev@amazon.com',
authorName: 'Amazon Web Services',
authorOrganization: true,
description: 'Update GitHub repository secrets from an AWS SecretsManager secret',
deps: ['aws-sdk', 'yargs@17.1.1'],
releaseToNpm: true,
workflowBootstrapSteps: [
{
name: 'Install Semgrep',
run: 'python3 -m pip install semgrep',
},
],
autoApproveUpgrades: true,
autoApproveOptions: { allowedUsernames: ['cdklabs-automation'] },
});
//----------------------------------------------------
// very meta (should be part of projen)
const secretsConfig = 'sm2gh.json';
new JsonFile(project, secretsConfig, {
obj: {
secret: 'publishing-secrets',
region: 'us-east-1',
prune: true,
keys: ['NPM_TOKEN', PROJEN_UPGRADE_SECRET],
},
});
project.addTask('secrets:update', {
description: 'Update this GitHub repository\'s secrets from AWS SecretsManager',
exec: `bin/aws-secrets-github-sync --config ${secretsConfig}`,
});
//----------------------------------------------------
const semgrep = project.addTask('semgrep', {
description: 'Static analysis',
exec: 'semgrep --config p/typescript',
condition: 'which semgrep', // only run if semgrep is installed
});
project.postCompileTask.spawn(semgrep);
project.synth();