fix: update workflow to include id tag, cleanup, new flake, etc

.envrc

@@ -15,23 +15,30 @@ if [ -z "${NIX_ENV_LOADED}" ]; then
     --keep AWS_ACCESS_KEY_ID \
     --keep AWS_SECRET_ACCESS_KEY \
     --keep AWS_SESSION_TOKEN \
-    --keep TERM \
+    --keep UPDATECLI_GPGTOKEN \
+    --keep UPDATECLI_GITHUB_TOKEN \
+    --keep UPDATECLI_GITHUB_ACTOR \
+    --keep GPG_SIGNING_KEY \
     --keep NIX_ENV_LOADED \
+    --keep TERM \
     $(pwd)
 else
 	echo "setting up dev environment..."
 
+	source .aliases
 	source .functions
 	source .variables
 	source .rcs
-	source .aliases
-
-	if [ -z "$SSH_AUTH_SOCK" ]; then eval $(ssh-agent -s); fi
-
-	if [ -z "$(env | grep 'AWS')" ]; then
-		echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS.";
-	fi
-	if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then
-		echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB.";
-	fi
+fi
+if [ -z "$SSH_AUTH_SOCK" ]; then
+  echo "Unable to find SSH_AUTH_SOCK, is your agent running?";
+fi
+if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then
+  echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent.";
+fi
+if [ -z "$(env | grep 'AWS')" ]; then
+  echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS.";
+fi
+if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then
+  echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB.";
 fi

.github/workflows/cleanup.yaml

@@ -0,0 +1,117 @@
+name: cleanup
+
+on:
+  schedule:
+    # At minute 30 past every 6th hour from 5 through 18 on every day-of-week from Monday through Friday.
+    # 6:30, 12:30, 18:30
+    - cron: '30 5-18/6 * * 1-5'
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions: write-all
+
+env:
+  AWS_REGION: us-west-1
+  AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
+  GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+jobs:
+  leftovers:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nicknovitski/nix-develop@v1.1.0
+        with:
+          arguments: |
+            --ignore-environment \
+            --extra-experimental-features nix-command \
+            --extra-experimental-features flakes \
+            --keep HOME \
+            --keep SSH_AUTH_SOCK \
+            --keep GITHUB_TOKEN \
+            --keep AWS_ROLE \
+            --keep AWS_REGION \
+            --keep AWS_DEFAULT_REGION \
+            --keep AWS_ACCESS_KEY_ID \
+            --keep AWS_SECRET_ACCESS_KEY \
+            --keep AWS_SESSION_TOKEN \
+            --keep UPDATECLI_GPGTOKEN \
+            --keep UPDATECLI_GITHUB_TOKEN \
+            --keep UPDATECLI_GITHUB_ACTOR \
+            --keep GPG_SIGNING_KEY \
+            --keep NIX_ENV_LOADED \
+            --keep TERM \
+            ${{ github.workspace }}
+      - name: Get Ids
+        id: get_ids
+        # 86400 = 24 hours in seconds (24 * 60 * 60)
+        # you might increase this number if you need to look back further for leftovers
+        run: |
+          DATA="$( \
+            curl -s \
+              --header 'Authorization: Bearer ${{secrets.GITHUB_TOKEN}}' \
+              '${{github.api_url}}/repos/${{github.repository}}/actions/runs' \
+            | jq -r '.workflow_runs[] | select(.created_at > (now - 86400)) | select(.status != "in_progress") | select((.name |= ascii_downcase | .name) == "release") | "\((.name |= ascii_downcase | .name))-\(.id)-\(.run_number)-\(.run_attempt)"' \
+            | jq -R -s -c 'split("\n")[:-1]' \
+          )"
+          echo ids="$DATA" >> "$GITHUB_OUTPUT"
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{env.AWS_ROLE}}
+          role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}
+          aws-region: ${{env.AWS_REGION}}
+      # rather than actually delete things, it errors and notifies so that you can run leftovers interactively
+      # WARNING! if '--filter=""' then you will find everything in a region
+      # WARNING! if '-d' is missing you will delete everything that is found
+      - name: find-leftovers
+        run: |
+          check_leftovers() {
+            local id="$1"
+            local region="$2"
+            echo "checking for leftovers in $region for $id"
+            leftovers -d --iaas=aws --aws-region="$region" --filter="$id" \
+              | grep -Pv 'is not authorized to perform|status code:|Access Denied' \
+              >> leftovers.output
+            return $?
+          }
+          issue_body() {
+            local region="$1"
+            local id="$2"
+            local output="$3"
+            local url="$4"
+            local found="Leftovers were found in region $region with id $id.\n"
+            local tics='\n```\n'
+            BODY="$found $url $tics $output $tics"
+            echo -n "$BODY"
+          }
+          post_issue() {
+            local id="$1"
+            local region="$2"
+            local output="$3"
+            echo "found some leftovers for $id in $region"
+            echo "please clean up with leftovers tool"
+            local url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+            echo -n '{"title":"Leftovers Found!","body":"' > data.json
+            issue_body "$region" "$id" "$output" "$url" >> data.json
+            echo -n '","labels":["leftovers"]}' >> data.json
+            cat data.json
+            jq '.' data.json
+            curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -d @data.json "${{ github.api_url }}/repos/${{ github.repository }}/issues"
+          }
+
+          ID_LIST='${{ steps.get_ids.outputs.ids }}'
+          DATA=$(jq -r .[] <<< "$ID_LIST")
+          echo "" > leftovers.output
+          REGIONS="us-west-1 us-west-2"
+
+          for id in $DATA; do
+            for region in $REGIONS; do
+              if check_leftovers "$id" "$region"; then
+                output="$(awk '{printf "%s\\n", $0}' leftovers.output)";
+                post_issue "$id" "$region" "$output";
+                exit 1;
+              fi
+            done
+          done

.github/workflows/release.yaml

@@ -1,4 +1,4 @@
-name: Release
+name: release
 
 on:
   push:
@@ -40,12 +40,6 @@ jobs:
         if: steps.release-please.outputs.pr
       - run: sudo chmod 0755 /nix/store
         if: steps.release-please.outputs.pr
-      - uses: actions/cache/restore@v4
-        id: cache-nix-restore
-        if: steps.release-please.outputs.pr
-        with:
-          path: /nix/store
-          key: nix-${{ hashFiles('**/flake.nix') }}
       - uses: DeterminateSystems/nix-installer-action@main
         if: steps.release-please.outputs.pr
       - uses: nicknovitski/nix-develop@v1.1.0
@@ -64,14 +58,13 @@ jobs:
             --keep AWS_ACCESS_KEY_ID \
             --keep AWS_SECRET_ACCESS_KEY \
             --keep AWS_SESSION_TOKEN \
+            --keep UPDATECLI_GPGTOKEN \
+            --keep UPDATECLI_GITHUB_TOKEN \
+            --keep UPDATECLI_GITHUB_ACTOR \
+            --keep GPG_SIGNING_KEY \
+            --keep NIX_ENV_LOADED \
             --keep TERM \
             ${{ github.workspace }}
-      - uses: actions/cache/save@v4
-        id: cache-nix-save
-        if: steps.release-please.outputs.pr
-        with:
-          path: /nix/store
-          key: ${{ steps.cache-nix-restore.outputs.cache-primary-key }}
       - uses: aws-actions/configure-aws-credentials@v4
         if: steps.release-please.outputs.pr
         with:

.github/workflows/update.yaml

@@ -0,0 +1,56 @@
+name: update
+
+on:
+  schedule:
+    # Runs at 06 PM UTC
+    - cron: '0 18 * * *'
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+permissions: write-all
+
+jobs:
+  updatecli:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nicknovitski/nix-develop@v1.1.0
+        with:
+          arguments: |
+            --ignore-environment \
+            --extra-experimental-features nix-command \
+            --extra-experimental-features flakes \
+            --keep HOME \
+            --keep SSH_AUTH_SOCK \
+            --keep GITHUB_TOKEN \
+            --keep AWS_ROLE \
+            --keep AWS_REGION \
+            --keep AWS_DEFAULT_REGION \
+            --keep AWS_ACCESS_KEY_ID \
+            --keep AWS_SECRET_ACCESS_KEY \
+            --keep AWS_SESSION_TOKEN \
+            --keep UPDATECLI_GPGTOKEN \
+            --keep UPDATECLI_GITHUB_TOKEN \
+            --keep UPDATECLI_GITHUB_ACTOR \
+            --keep GPG_SIGNING_KEY \
+            --keep NIX_ENV_LOADED \
+            --keep TERM \
+            ${{ github.workspace }}
+      - name: Updatecli
+        # Never use '--debug' option, because it might leak the access tokens.
+        run: |
+          gpgconf --kill all
+          echo -n "${{ secrets.GPG_SIGNING_KEY }}" | gpg --import
+          gpg --list-secret-keys --keyid-format=long
+          UPDATECLI_GPGTOKEN="$(gpg -q --list-secret-keys --keyid-format=long | grep 'no-reply@github.com>$' -B2 | grep '^sec'| awk '{print $2}' | awk -F '/' '{print $2}')"
+          UPDATECLI_GPGKEY="$(gpg --armor --export no-reply@github.com)"
+          export UPDATECLI_GPGTOKEN
+          export UPDATECLI_GPGKEY
+          echo "updatecli_gpgtoken is $UPDATECLI_GPGTOKEN"
+          echo "updatecli_gpgkey is $UPDATECLI_GPGKEY"
+          updatecli apply --clean --config ./updatecli/updatecli.d/ --values ./updatecli/values.yaml
+        env:
+          UPDATECLI_GITHUB_ACTOR: ${{ github.actor }}
+          UPDATECLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/tests.yaml → .github/workflows/validate.yaml

@@ -1,4 +1,4 @@
-name: Tests
+name: validate
 
 on:
   pull_request:
@@ -27,6 +27,11 @@ jobs:
           --keep AWS_ACCESS_KEY_ID \
           --keep AWS_SECRET_ACCESS_KEY \
           --keep AWS_SESSION_TOKEN \
+          --keep UPDATECLI_GPGTOKEN \
+          --keep UPDATECLI_GITHUB_TOKEN \
+          --keep UPDATECLI_GITHUB_ACTOR \
+          --keep GPG_SIGNING_KEY \
+          --keep NIX_ENV_LOADED \
           --keep TERM \
           ${{ github.workspace }}
     - uses: actions/cache/restore@v4
@@ -64,6 +69,11 @@ jobs:
           --keep AWS_ACCESS_KEY_ID \
           --keep AWS_SECRET_ACCESS_KEY \
           --keep AWS_SESSION_TOKEN \
+          --keep UPDATECLI_GPGTOKEN \
+          --keep UPDATECLI_GITHUB_TOKEN \
+          --keep UPDATECLI_GITHUB_ACTOR \
+          --keep GPG_SIGNING_KEY \
+          --keep NIX_ENV_LOADED \
           --keep TERM \
           ${{ github.workspace }}
     - run: actionlint
@@ -93,3 +103,34 @@ jobs:
       - uses: amannn/action-semantic-pull-request@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  gitleaks:
+    name: 'Scan for Secrets'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: DeterminateSystems/nix-installer-action@main
+    - uses: nicknovitski/nix-develop@v1.1.0
+      with:
+        arguments: |
+          --ignore-environment \
+          --extra-experimental-features nix-command \
+          --extra-experimental-features flakes \
+          --keep HOME \
+          --keep SSH_AUTH_SOCK \
+          --keep GITHUB_TOKEN \
+          --keep AWS_ROLE \
+          --keep AWS_REGION \
+          --keep AWS_DEFAULT_REGION \
+          --keep AWS_ACCESS_KEY_ID \
+          --keep AWS_SECRET_ACCESS_KEY \
+          --keep AWS_SESSION_TOKEN \
+          --keep UPDATECLI_GPGTOKEN \
+          --keep UPDATECLI_GITHUB_TOKEN \
+          --keep UPDATECLI_GITHUB_ACTOR \
+          --keep GPG_SIGNING_KEY \
+          --keep NIX_ENV_LOADED \
+          --keep TERM \
+          ${{ github.workspace }}
+    - run: gitleaks detect --no-banner -v --no-git
+    - run: gitleaks detect --no-banner -v