diff --git a/.github/.DS_Store b/.github/.DS_Store
new file mode 100644
index 0000000..35b804a
Binary files /dev/null and b/.github/.DS_Store differ
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 07b38d2..d3e90ea 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,17 +1,25 @@
# Use this file to define individuals or teams that are responsible for code in a repository.
# Read more:
#
-# Order is important: the last matching pattern takes the most precedence
+# Order is important: the last matching pattern has the highest precedence
# These owners will be the default owners for everything
-* @cloudposse/engineering @cloudposse/contributors
+* @zeroae/engineering
# Cloud Posse must review any changes to Makefiles
-**/Makefile @cloudposse/engineering
-**/Makefile.* @cloudposse/engineering
+**/Makefile @zeroae/engineering
+**/Makefile.* @zeroae/engineering
# Cloud Posse must review any changes to GitHub actions
-.github/* @cloudposse/engineering
+.github/* @zeroae/engineering
-# Cloud Posse must review any changes to standard context definition
-**/context.tf @cloudposse/engineering
+# Cloud Posse must review any changes to standard context definition,
+# but some changes can be rubber-stamped.
+**/*.tf @zeroae/engineering @zeroae/approvers
+README.yaml @zeroae/engineering @zeroae/approvers
+README.md @zeroae/engineering @zeroae/approvers
+docs/*.md @zeroae/engineering @zeroae/approvers
+
+# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
+.github/mergify.yml @zeroae/admins
+.github/CODEOWNERS @zeroae/admins
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index 2836185..b45efb7 100644
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -4,30 +4,36 @@ version-template: '$MAJOR.$MINOR.$PATCH'
version-resolver:
major:
labels:
- - 'major'
+ - 'major'
minor:
labels:
- - 'minor'
- - 'enhancement'
+ - 'minor'
+ - 'enhancement'
patch:
labels:
- - 'patch'
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+ - 'auto-update'
+ - 'patch'
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
+ - 'no-release'
default: 'minor'
categories:
- - title: '๐ Enhancements'
- labels:
- - 'enhancement'
- - title: '๐ Bug Fixes'
- labels:
- - 'fix'
- - 'bugfix'
- - 'bug'
- - 'hotfix'
+- title: '๐ Enhancements'
+ labels:
+ - 'enhancement'
+ - 'patch'
+- title: '๐ Bug Fixes'
+ labels:
+ - 'fix'
+ - 'bugfix'
+ - 'bug'
+ - 'hotfix'
+- title: '๐ค Automatic Updates'
+ labels:
+ - 'auto-update'
change-template: |
@@ -38,3 +44,11 @@ change-template: |
template: |
$CHANGES
+
+replacers:
+# Remove irrelevant information from Renovate bot
+- search: '/(?<=---\s)\s*^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
+ replace: ''
+# Remove Renovate bot banner image
+- search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
+ replace: ''
diff --git a/.github/mergify.yml b/.github/mergify.yml
new file mode 100644
index 0000000..ef15545
--- /dev/null
+++ b/.github/mergify.yml
@@ -0,0 +1,65 @@
+# https://docs.mergify.io/conditions.html
+# https://docs.mergify.io/actions.html
+pull_request_rules:
+- name: "approve automated PRs that have passed checks"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ actions:
+ review:
+ type: "APPROVE"
+ bot_account: "cloudposse-mergebot"
+ message: "We've automatically approved this PR because the checks from the automated Pull Request have passed."
+
+- name: "merge automated PRs when approved and tests pass"
+ conditions:
+ - "author~=^(cloudpossebot|renovate\\[bot\\])$"
+ - "base=master"
+ - "-closed"
+ - "head~=^(auto-update|renovate)/.*"
+ - "check-success=test/bats"
+ - "check-success=test/readme"
+ - "check-success=test/terratest"
+ - "check-success=validate-codeowners"
+ - "#approved-reviews-by>=1"
+ - "#changes-requested-reviews-by=0"
+ - "#commented-reviews-by=0"
+ actions:
+ merge:
+ method: "squash"
+
+- name: "delete the head branch after merge"
+ conditions:
+ - "merged"
+ actions:
+ delete_head_branch: {}
+
+- name: "ask to resolve conflict"
+ conditions:
+ - "conflict"
+ - "-closed"
+ actions:
+ comment:
+ message: "This pull request is now in conflict. Could you fix it @{{author}}? ๐"
+
+- name: "remove outdated reviews"
+ conditions:
+ - "base=master"
+ actions:
+ dismiss_reviews:
+ changes_requested: true
+ approved: true
+ message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+ conditions:
+ - "#files=0"
+ actions:
+ close:
+ message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..ae4f0aa
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,12 @@
+{
+ "extends": [
+ "config:base",
+ ":preserveSemverRanges"
+ ],
+ "labels": ["auto-update"],
+ "enabledManagers": ["terraform"],
+ "terraform": {
+ "ignorePaths": ["**/context.tf", "examples/**"]
+ }
+}
+
diff --git a/.github/workflows/auto-context.yml b/.github/workflows/auto-context.yml
new file mode 100644
index 0000000..665833a
--- /dev/null
+++ b/.github/workflows/auto-context.yml
@@ -0,0 +1,57 @@
+name: "auto-context"
+on:
+ schedule:
+ # Update context.tf nightly
+ - cron: '0 3 * * *'
+
+jobs:
+ update:
+ if: github.event_name == 'schedule'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Update context.tf
+ shell: bash
+ id: update
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ if [[ -f context.tf ]]; then
+ echo "Discovered existing context.tf! Fetching most recent version to see if there is an update."
+ curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf
+ if git diff --no-patch --exit-code context.tf; then
+ echo "No changes detected! Exiting the job..."
+ else
+ echo "context.tf file has changed. Update examples and rebuild README.md."
+ make init
+ make github/init/context.tf
+ make readme/build
+ echo "::set-output name=create_pull_request::true"
+ fi
+ else
+ echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates."
+ fi
+
+ - name: Create Pull Request
+ if: steps.update.outputs.create_pull_request == 'true'
+ uses: cloudposse/actions/github/create-pull-request@0.30.0
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ committer: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
+ author: 'cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>'
+ commit-message: Update context.tf from origin source
+ title: Update context.tf
+ body: |-
+ ## what
+ This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label`
+
+ ## why
+ To support all the features of the `context` interface.
+
+ branch: auto-update/context.tf
+ base: master
+ delete-branch: true
+ labels: |
+ auto-update
+ context
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
new file mode 100644
index 0000000..c600d60
--- /dev/null
+++ b/.github/workflows/auto-format.yml
@@ -0,0 +1,88 @@
+name: Auto Format
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+jobs:
+ auto-format:
+ runs-on: ubuntu-latest
+ container: cloudposse/build-harness:latest
+ steps:
+ # Checkout the pull request branch
+ # "An action in a workflow run canโt trigger a new workflow run. For example, if an action pushes code using
+ # the repositoryโs GITHUB_TOKEN, a new workflow will not run even when the repository contains
+ # a workflow configured to run when push events occur."
+ # However, using a personal access token will cause events to be triggered.
+ # We need that to ensure a status gets posted after the auto-format commit.
+ # We also want to trigger tests if the auto-format made no changes.
+ - uses: actions/checkout@v2
+ if: github.event.pull_request.state == 'open'
+ name: Privileged Checkout
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ # Check out the PR commit, not the merge commit
+ # Use `ref` instead of `sha` to enable pushing back to `ref`
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ # Do all the formatting stuff
+ - name: Auto Format
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ env:
+ GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+ run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
+
+ # Commit changes (if any) to the PR branch
+ - name: Commit changes to the PR branch
+ if: github.event.pull_request.state == 'open'
+ shell: bash
+ id: commit
+ env:
+ SENDER: ${{ github.event.sender.login }}
+ run: |
+ set -x
+ output=$(git diff --name-only)
+
+ if [ -n "$output" ]; then
+ echo "Changes detected. Pushing to the PR branch"
+ git config --global user.name 'cloudpossebot'
+ git config --global user.email '11232728+cloudpossebot@users.noreply.github.com'
+ git add -A
+ git commit -m "Auto Format"
+ # Prevent looping by not pushing changes in response to changes from cloudpossebot
+ [[ $SENDER == "cloudpossebot" ]] || git push
+ # Set status to fail, because the push should trigger another status check,
+ # and we use success to indicate the checks are finished.
+ printf "::set-output name=%s::%s\n" "changed" "true"
+ exit 1
+ else
+ printf "::set-output name=%s::%s\n" "changed" "false"
+ echo "No changes detected"
+ fi
+
+ - name: Auto Test
+ uses: cloudposse/actions/github/repository-dispatch@0.30.0
+ # match users by ID because logins (user names) are inconsistent,
+ # for example in the REST API Renovate Bot is `renovate[bot]` but
+ # in GraphQL it is just `renovate`, plus there is a non-bot
+ # user `renovate` with ID 1832810.
+ # Mergify bot: 37929162
+ # Renovate bot: 29139614
+ # Cloudpossebot: 11232728
+ # Need to use space separators to prevent "21" from matching "112144"
+ if: >
+ contains(' 37929162 29139614 11232728 ', format(' {0} ', github.event.pull_request.user.id))
+ && steps.commit.outputs.changed == 'false' && github.event.pull_request.state == 'open'
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ repository: cloudposse/actions
+ event-type: test-command
+ client-payload: |-
+ { "slash_command":{"args": {"unnamed": {"all": "all", "arg1": "all"}}},
+ "pull_request": ${{ toJSON(github.event.pull_request) }},
+ "github":{"payload":{"repository": ${{ toJSON(github.event.repository) }},
+ "comment": {"id": ""}
+ }
+ }
+ }
diff --git a/.github/workflows/auto-readme.yml b/.github/workflows/auto-readme.yml
new file mode 100644
index 0000000..03232cd
--- /dev/null
+++ b/.github/workflows/auto-readme.yml
@@ -0,0 +1,55 @@
+name: "auto-readme"
+on:
+ schedule:
+ # Example of job definition:
+ # .---------------- minute (0 - 59)
+ # | .------------- hour (0 - 23)
+ # | | .---------- day of month (1 - 31)
+ # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
+ # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
+ # | | | | |
+ # * * * * * user-name command to be executed
+
+ # Update README.md nightly at 4am UTC
+ - cron: '0 4 * * *'
+
+jobs:
+ update:
+ if: github.event_name == 'schedule'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Update readme
+ shell: bash
+ id: update
+ env:
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ make init
+ make readme/build
+ # Ignore changes if they are only whitespace
+ git diff --ignore-all-space --ignore-blank-lines --quiet README.md && { git restore README.md; echo Ignoring whitespace-only changes in README; }
+
+ - name: Create Pull Request
+ # This action will not create or change a pull request if there are no changes to make.
+ # If a PR of the auto-update/readme branch is open, this action will just update it, not create a new PR.
+ uses: cloudposse/actions/github/create-pull-request@0.30.0
+ with:
+ token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ commit-message: Update README.md and docs
+ title: Update README.md and docs
+ body: |-
+ ## what
+ This is an auto-generated PR that updates the README.md and docs
+
+ ## why
+ To have most recent changes of README.md and doc from origin templates
+
+ branch: auto-update/readme
+ base: main
+ delete-branch: true
+ labels: |
+ auto-update
+ no-release
+ readme
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index e21fbfe..3a38fae 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -3,17 +3,24 @@ name: auto-release
on:
push:
branches:
+ - main
- master
+ - production
jobs:
- semver:
+ publish:
runs-on: ubuntu-latest
steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
+ # Get PR from merged commit to master
+ - uses: actions-ecosystem/action-get-merged-pull-request@v1
+ id: get-merged-pull-request
+ with:
+ github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "main"
- uses: release-drafter/release-drafter@v5
with:
- publish: true
+ publish: ${{ !contains(steps.get-merged-pull-request.outputs.labels, 'no-release') }}
prerelease: false
config-name: auto-release.yml
env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml
index 0d94310..23f96d8 100644
--- a/.github/workflows/chatops.yml
+++ b/.github/workflows/chatops.yml
@@ -9,7 +9,7 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: "Handle common commands"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
- name: "Checkout commit"
uses: actions/checkout@v2
- name: "Run tests"
- uses: cloudposse/actions/github/slash-command-dispatch@0.16.0
+ uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
with:
token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index aed08b7..0000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: lint
-
-on:
- push:
- branches:
- - master
- pull_request:
- types: [opened, synchronize, reopened]
-
-
-jobs:
- lint-readme:
- name: readme
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - uses: cloudposse/build-harness@master
- with:
- entrypoint: /usr/bin/make
- args: readme/lint
- # Super Linter is not ready for production
- # The go linter has a bug, terrascan does not work right
- # super-linter:
- # name: superlinter
- # runs-on: ubuntu-latest
- # steps:
- # - name: Checkout Code
- # uses: actions/checkout@v2
- # - name: Lint Code Base
- # uses: docker://github/super-linter:v3
- # env:
- # VALIDATE_ALL_CODEBASE: false
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
deleted file mode 100644
index f3602d4..0000000
--- a/.github/workflows/pre-commit.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: cloudposse-terraform-workflow
-
-on:
- pull_request:
- push:
- branches: [master]
-
-jobs:
- pre-commit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v1
- - uses: actions/setup-python@v1
- - uses: pre-commit/action@v2.0.0
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
new file mode 100644
index 0000000..70f829e
--- /dev/null
+++ b/.github/workflows/validate-codeowners.yml
@@ -0,0 +1,29 @@
+name: Validate Codeowners
+on:
+ workflow_dispatch:
+
+ pull_request:
+
+jobs:
+ validate-codeowners:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout source code at current commit"
+ uses: actions/checkout@v2
+ - uses: mszostok/codeowners-validator@v0.7.1
+ if: github.event.pull_request.head.repo.full_name == github.repository
+ name: "Full check of CODEOWNERS"
+ with:
+ # For now, remove "files" check to allow CODEOWNERS to specify non-existent
+ # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
+ # checks: "files,syntax,owners,duppatterns"
+ checks: "syntax,owners,duppatterns"
+ owner_checker_allow_unowned_patterns: "false"
+ # GitHub access token is required only if the `owners` check is enabled
+ github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+ - uses: mszostok/codeowners-validator@v0.7.1
+ if: github.event.pull_request.head.repo.full_name != github.repository
+ name: "Syntax check of CODEOWNERS"
+ with:
+ checks: "syntax,duppatterns"
+ owner_checker_allow_unowned_patterns: "false"