feat: Pin Terraform versions as Digests, and init SemVer (#28)

SpotOnInc · Jan 17, 2023 · f3c33a5 · f3c33a5
1 parent 5b3fced
commit f3c33a5
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 10 deletions.
diff --git a/.github/workflows/generate-renovate-config.yaml b/.github/workflows/generate-renovate-config.yaml
@@ -46,4 +46,4 @@ jobs:
         default_author: github_actor
         # The message for the commit.
         # Default: 'Commit from GitHub Actions (name of the workflow)'
-        message: '[Auto] Regenerate default.json'
+        message: 'chore: Regenerate default.json'
diff --git a/.github/workflows/pr-title-validation.yaml b/.github/workflows/pr-title-validation.yaml
@@ -0,0 +1,52 @@
+name: "Validate PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      # Please look up the latest version from
+      # https://github.com/amannn/action-semantic-pull-request/releases
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Configure which types are allowed.
+          # Default: https://github.com/commitizen/conventional-commit-types
+          types: |
+            fix
+            feat
+            docs
+            ci
+            chore
+          # Configure that a scope must always be provided.
+          requireScope: false
+          # Configure additional validation for the subject based on a regex.
+          # This example ensures the subject starts with an uppercase character.
+          subjectPattern: ^[A-Z].+$
+          # If `subjectPattern` is configured, you can use this property to override
+          # the default error message that is shown when the pattern doesn't match.
+          # The variables `subject` and `title` can be used within the message.
+          subjectPatternError: |
+            The subject "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern. Please ensure that the subject
+            starts with an uppercase character.
+          # For work-in-progress PRs you can typically use draft pull requests
+          # from Github. However, private repositories on the free plan don't have
+          # this option and therefore this action allows you to opt-in to using the
+          # special "[WIP]" prefix to indicate this state. This will avoid the
+          # validation of the PR title and the pull request checks remain pending.
+          # Note that a second check will be reported if this is enabled.
+          wip: true
+          # When using "Squash and merge" on a PR with only one commit, GitHub
+          # will suggest using that commit message instead of the PR title for the
+          # merge commit, and it's easy to commit this by mistake. Enable this option
+          # to also validate the commit message for one commit PRs.
+          validateSingleCommit: false
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,30 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'default.js'
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v2
+        with:
+          semantic_version: 18.0.0
+          extra_plugins: |
+            @semantic-release/changelog@6.0.0
+            @semantic-release/git@10.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHA_AUTOFIX_COMMIT_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -37,6 +37,7 @@ repos:
       - id: check-json # checks json files for parseable syntax.
       - id: pretty-format-json # sets a standard for formatting json files.
         args: [--autofix, --no-sort-keys]
+        exclude: default.json
 
       # Symlinks
       - id: check-symlinks # checks for symlinks which do not point to anything.

diff --git a/.releaserc.json b/.releaserc.json
@@ -0,0 +1,35 @@
+{
+  "branches": [
+    "main",
+    "master"
+  ],
+  "ci": false,
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    [
+      "@semantic-release/github",
+      {
+        "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
+        "labels": false,
+        "releasedLabels": false
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md",
+        "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md"
+        ],
+        "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+      }
+    ]
+  ]
+}
diff --git a/README.md b/README.md
@@ -1,6 +1,5 @@
 # renovate-config
 
-
 This is [Shareable Config Presets](https://docs.renovatebot.com/config-presets/) for SpotOn. It contains wide-use [Renovatebot](https://github.com/renovatebot/renovate) configs, based on our toolset and mindset.
 
 * [Usage](#usage)
@@ -10,7 +9,6 @@ This is [Shareable Config Presets](https://docs.renovatebot.com/config-presets/)
   * [Repos configuration](#repos-configuration)
 * [Troubleshooting](#troubleshooting)
 
-
 ## Usage
 
 <!-- markdownlint-disable-next-line no-inline-html -->
@@ -61,6 +59,9 @@ To change the default config, please edit [`default.template.json5`](default.tem
 
 That needs to describe what settings do and save `renovate-config/default.json` name magic which [is not present for `.json5`](https://github.com/renovatebot/renovate/issues/15370#issuecomment-1113137651).
 
+---
+
+In case when new `default.json` config does not apply more than 6 hours - create test repo and copy-paste the whole `default.json`, but rename it to `renovate.json`. Renovatebot will test the configuration and create issues if it found problems with the configuration. Or you can ask ChatGPT :)
 
 ## Useful links
 
@@ -109,6 +110,7 @@ That needs to describe what settings do and save `renovate-config/default.json`
 * [Group all packages starting with `abc` together in one PR](https://docs.renovatebot.com/faq/#group-all-packages-starting-with-abc-together-in-one-pr)
 * [:pinVersions](https://docs.renovatebot.com/presets-default/#pinversions) - maintain a single version only and not SemVer ranges
 * [:rebaseStalePrs](https://docs.renovatebot.com/presets-default/#rebasestaleprs) - Rebase existing PRs any time the base branch has been updated.
+* [Update package/GHA references in Markdown files](https://github.com/renovatebot/.github/blob/d9b3c1914f4bf9dbecc6456610ca89530260572f/default.json#L121-L140)
 
 
 ## Troubleshooting

diff --git a/default.template.json5 b/default.template.json5
@@ -25,7 +25,7 @@
     // Update `_VERSION` variables in Dockerfiles.                            | https://docs.renovatebot.com/presets-regexManagers/#regexmanagersdockerfileversions
     "regexManagers:dockerfileVersions",
     // Update `_VERSION` environment variables in GitHub Action files.        | https://docs.renovatebot.com/presets-regexManagers/#regexmanagersgithubactionsversions
-    "regexManagers:githubActionsVersions"
+    "regexManagers:githubActionsVersions",
   ],
 
   // Dependency Dashboard issue customization.                                | https://docs.renovatebot.com/configuration-options/#dependencydashboard
@@ -41,7 +41,7 @@
   "rollbackPrs": true,
   // All matched addLabels strings will be attached to the PR.                | https://docs.renovatebot.com/configuration-options/#addlabels
   "addLabels": [
-    "auto-update"
+    "auto-update",
   ],
   // Sometimes you need to change your Renovate configuration.
   // To help with this, Renovate will create config migration pull requests.  | https://docs.renovatebot.com/configuration-options/#configmigration
@@ -54,16 +54,30 @@
     "description": "Be sure that the Dependency graph and Dependabot alerts are enabled for the repo. Details: https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts",
     "enabled": true,
     // Append `security` label.
-    "addLabels": ["security"]
+    "addLabels": ["security"],
   },
-
+  // Terraform manager custom settings                                        | https://docs.renovatebot.com/modules/manager/terraform/
   "terraform": {
     "ignorePaths": [
-      "**/context.tf" // Cloud Posse managed
-    ]
+      "**/context.tf", // Cloud Posse managed
+    ],
+    "pinDigests": true, // Make versions idempotent
   },
   // In beta. Need opt-in. Details - https://docs.renovatebot.com/modules/manager/pre-commit/
   "pre-commit": {
     "enabled": true
-  }
+  },
+  "packageRules": [
+    // Maybe useful. Get it from https://github.com/renovatebot/.github/blob/d9b3c1914f4bf9dbecc6456610ca89530260572f/default.json#L39-L44
+    {
+      "description": "v prefix workaround for action updates",
+      "matchDepTypes": ["action"],
+      "extractVersion": "^(?<version>v\\d+\\.\\d+\\.\\d+)$",
+      "versioning": "regex:^v(?<major>\\d+)(\\.(?<minor>\\d+)\\.(?<patch>\\d+))?$"
+    },
+  ],
+  // No files by default. Enable to all possible files                        | https://docs.renovatebot.com/modules/manager/kubernetes/
+  "kubernetes": {
+    "fileMatch": ["\\.yaml$"]
+  },
 }