From 7baf4146036ef03c195b83a297b581891c09745d Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 22 Mar 2024 23:12:10 -0500 Subject: [PATCH 01/13] fix: update workflows to meet new standards Signed-off-by: matttrach --- .envrc | 57 ++--- .functions | 219 +++++++++++++++---- .github/workflows/cleanup.yaml | 67 ++++-- .github/workflows/release.yaml | 68 +++--- .github/workflows/update.yaml | 45 ++-- .github/workflows/validate.yaml | 331 +++++++++++++++++++---------- .rcs | 13 +- .variables | 11 +- examples/override/main.tf | 1 - examples/skipvpc/main.tf | 1 - flake.lock | 12 +- flake.nix | 18 +- modules/security_group/versions.tf | 17 ++ modules/ssh_key/versions.tf | 17 ++ modules/subnet/versions.tf | 17 ++ modules/vpc/versions.tf | 17 ++ 16 files changed, 641 insertions(+), 270 deletions(-) create mode 100644 modules/security_group/versions.tf create mode 100644 modules/ssh_key/versions.tf create mode 100644 modules/subnet/versions.tf create mode 100644 modules/vpc/versions.tf diff --git a/.envrc b/.envrc index 23ea8d5..509d351 100644 --- a/.envrc +++ b/.envrc @@ -1,6 +1,12 @@ +#!/bin/env sh + if [ -z "${NIX_ENV_LOADED}" ]; then - echo "entering dev environment..." - export NIX_ENV_LOADED=$(pwd) + printf "entering environment..." + NIX_ENV_LOADED="$(pwd)" + export NIX_ENV_LOADED + + nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes; + echo "nix store is using $(du -hs /nix/store)" nix develop \ --ignore-environment \ 
@@ -15,30 +21,31 @@ if [ -z "${NIX_ENV_LOADED}" ]; then --keep AWS_ACCESS_KEY_ID \ --keep AWS_SECRET_ACCESS_KEY \ --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ --keep TERM \ - $(pwd) + --keep XDG_DATA_DIRS \ + --keep NIX_ENV_LOADED \ + "$(pwd)" || unset NIX_ENV_LOADED; + else - echo "setting up dev environment..." + printf "setting up dev environment...\n" + unset NIX_ENV_LOADED - source .aliases - source .functions - source .variables - source .rcs -fi -if [ -z "$SSH_AUTH_SOCK" ]; then - echo "Unable to find SSH_AUTH_SOCK, is your agent running?"; -fi -if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then - echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent."; -fi -if [ -z "$(env | grep 'AWS')" ]; then - echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS."; -fi -if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then - echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB."; + . .functions + . .variables + . .rcs + . .aliases + + + if [ -z "$SSH_AUTH_SOCK" ]; then eval "$(ssh-agent -s)"; ssh-add; fi + if [ "" = "$(env | grep 'AWS')" ]; then + printf "Unable to find AWS authentication information in the environment, \ + please make sure you authenticate with AWS. \ + Try using the 'aws' cli included in the environment.\n"; + fi + if env | grep -q 'GITHUB_TOKEN'; then + printf "Unable to find GITHUB authentication information in the environment, \ + please make sure you authenticate with GITHUB. \ + Try using the 'gh' cli included in the environment.\n"; + fi fi +unset NIX_ENV_LOADED \ No newline at end of file diff --git a/.functions b/.functions index 5a12cc3..4e2c629 100644 --- a/.functions +++ b/.functions 
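Review bot: `nix flake update` on every environment entry rewrites flake.lock to the newest upstream inputs, so the lock this patch commits is replaced silently the next time anyone cds into the directory, and the dev shell drifts from CI, which builds from the committed lock; that is the opposite of what a lockfile is for. Drop that line and let `nix develop` use flake.lock as-is, updating deliberately (and reviewing the resulting diff) in its own commit. `printf "entering environment..."` has no trailing newline, so the `du` output runs into it. The `if` block this hunk opens continues into the next hunk.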
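Review bot: `if env | grep -q 'GITHUB_TOKEN'; then` is inverted: the "Unable to find GITHUB authentication" message is printed exactly when a token is present and nothing is said when it is missing; it should read `if ! env | grep -q 'GITHUB_TOKEN'; then`. The AWS check just above tests the other way round (`[ "" = "$(env | grep 'AWS')" ]`), so both could use the same `if ! env | grep -q` form. `eval "$(ssh-agent -s)"; ssh-add` starts a fresh agent every time `SSH_AUTH_SOCK` is absent and nothing stops it when the shell ends, so repeated entries accumulate agent processes; a comment saying the agent outlives the shell, or reusing an existing socket first, would help.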
@@ -1,46 +1,193 @@ +#!/bin/env bash # get current branch in git repo -function parse_git_branch() { - BRANCH=`git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/'` - if [ ! "${BRANCH}" == "" ] - then - STAT=`parse_git_dirty` - echo "[${BRANCH}${STAT}]" - else - echo "" +git_status() { + BRANCH="$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')" + if [ ! "${BRANCH}" = "" ]; then + STAT="$(parse_git_dirty)" + if printf "%s" "$STAT" | grep -q -e '!' -e '?' -e '+' -e '>' -e 'x' -e '*'; then + printf "%s[%s %s]%s" "$(red)" "$BRANCH" "$STAT" "$(ce)" + else + printf "%s[%s%s]%s" "$(green)" "$BRANCH" "$STAT" "$(ce)" + fi fi } +get_repo_owner() { + REPO="$(basename "$(git rev-parse --show-toplevel)")" + OWNER="$(basename "$(git rev-parse --show-toplevel | sed s/"$REPO"//g)")" + printf "%s" "$OWNER" +} + # get current status of git repo -function parse_git_dirty { - status=`git status 2>&1 | tee` - dirty=`echo -n "${status}" 2> /dev/null | grep "modified:" &> /dev/null; echo "$?"` - untracked=`echo -n "${status}" 2> /dev/null | grep "Untracked files" &> /dev/null; echo "$?"` - ahead=`echo -n "${status}" 2> /dev/null | grep "Your branch is ahead of" &> /dev/null; echo "$?"` - newfile=`echo -n "${status}" 2> /dev/null | grep "new file:" &> /dev/null; echo "$?"` - renamed=`echo -n "${status}" 2> /dev/null | grep "renamed:" &> /dev/null; echo "$?"` - deleted=`echo -n "${status}" 2> /dev/null | grep "deleted:" &> /dev/null; echo "$?"` - bits='' - if [ "${renamed}" == "0" ]; then - bits=">${bits}" - fi - if [ "${ahead}" == "0" ]; then - bits="*${bits}" - fi - if [ "${newfile}" == "0" ]; then - bits="+${bits}" +parse_git_dirty() { + status="$(git status 2>&1 | tee)" + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Your branch is up to date with 'origin/main'" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" ""; fi # clean + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "modified:" >/dev/null 2>&1; printf "%s" $?)" ]; then 
printf "%s" "!"; fi # dirty + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Untracked files" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "?"; fi # untracked + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "new file:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "+"; fi # new files + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "renamed:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" ">"; fi # renamed files + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "deleted:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "x"; fi # deleted files + if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Your branch is ahead of" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "*"; fi # ahead of +} + +encrypt_secrets() { + workspace="$(git rev-parse --show-toplevel)"; + dir="$(pwd)"; + cd "$workspace" || return; + while read -r file; do + if [ -f "$file" ]; then + if [ -f "$file.backup" ]; then + rm -rf "$file.backup" + cp "$file" "$file.backup" + fi + rm -rf "$file.age" + age -e -R "$workspace"/age_recipients.txt -o "$file.age" "$file" fi - if [ "${untracked}" == "0" ]; then - bits="?${bits}" + done terraform.tfstate + rm -f terraform.tfstate.age + age -e -R "$workspace/age_recipients.txt" -o terraform.tfstate.age terraform.tfstate + done + cd "$dir" || return; +} + +set_terminal_size(){ + row="$1" + col="$2" + if [ "$row" == "" ]; then row=70; fi + if [ "$col" == "" ]; then col=300; fi + stty rows "$row" + stty cols "$col" +} + +set_repo_name() { + new_name="$1" + if [ -z "$new_name" ]; then echo "set new name as $1"; exit 1; fi + for file in $(git grep \"matttrach-demo\" | awk -F':' '{print $1}'| uniq | tr '\n' ' '); do + sed -i 's/matttrach-demo/generic-demo/g' "$file"; + done +} diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml index 2f6f519..de518ae 100644 --- a/.github/workflows/cleanup.yaml +++ b/.github/workflows/cleanup.yaml 
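Review bot: `encrypt_secrets` does not parse: `while read -r file; do … done terraform.tfstate` puts a word after `done`, and the second `done` has no loop to close, so bash rejects the whole file and `. .functions` in `.envrc` fails, taking `git_status` and `get_repo_owner` (used by the PS1 in `.variables`) with it. The backup logic is also inverted, `if [ -f "$file.backup" ]` only refreshes a backup that already exists, so the first run never keeps a plaintext copy. Assuming the intent is to encrypt a fixed list of files (terraform.tfstate at least — confirm whether the `while read` was meant to take a list on stdin), a `for` over that list is the simplest correct shape; and since the purpose of this function is keeping plaintext state out of git, confirm `terraform.tfstate` and `*.backup` are covered by `.gitignore`, which this patch does not show. `set_repo_name` calls `exit 1` inside a sourced function, which closes the interactive shell instead of returning, and never uses `new_name`.
```shell
encrypt_secrets() {
  workspace="$(git rev-parse --show-toplevel)";
  dir="$(pwd)";
  cd "$workspace" || return;
  # presumably only the state file needs encrypting — TODO confirm, extend the list if not
  for file in terraform.tfstate; do
    if [ -f "$file" ]; then
      # always keep one plaintext copy so a failed encrypt run is recoverable
      cp -f -- "$file" "$file.backup"
      rm -f -- "$file.age"
      age -e -R "$workspace/age_recipients.txt" -o "$file.age" "$file"
    fi
  done
  cd "$dir" || return;
}
```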
@@ -20,32 +20,32 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: DeterminateSystems/magic-nix-cache-action@main - - uses: nicknovitski/nix-develop@v1.1.0 with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main - name: Get Ids id: get_ids + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} # 86400 = 24 hours in seconds (24 * 60 * 60) # you might increase this number if you need to look back further for leftovers run: | 
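Review bot: The `shell:` command for `Get Ids` keeps `UPDATECLI_GPGTOKEN`, `UPDATECLI_GITHUB_TOKEN`, `UPDATECLI_GITHUB_ACTOR` and `GPG_SIGNING_KEY` inside the sandboxed environment of a step that, from its name and the `run:` that starts below, only needs AWS identity; the same nineteen-entry list is pasted verbatim into `find-leftovers` (next hunk) and into every step of release.yaml, update.yaml and validate.yaml. Keep only what each step reads — for this one `HOME`, `GITHUB_TOKEN`, the `AWS_*` entries and `TERM` look sufficient — so signing and updatecli material never enters steps that do not sign or update, and widening the list becomes a visible, reviewable change; `--ignore-environment` is only as strong as the `--keep` list is narrow. `bash -e {0}` also drops `-o pipefail`, which the default `bash` shell of the old `run:` steps had, so a failing left-hand side of any pipe in these scripts is now masked; `--command bash -eo pipefail {0}` restores it.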
@@ -66,6 +66,27 @@ jobs: # WARNING! if '--filter=""' then you will find everything in a region # WARNING! if '-d' is missing you will delete everything that is found - name: find-leftovers + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} run: | check_leftovers() { local id="$1" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 941c73c..e40d653 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -32,57 +32,47 @@ jobs: if: steps.release-please.outputs.pr with: token: ${{secrets.GITHUB_TOKEN}} - - uses: DeterminateSystems/nix-installer-action@main - if: steps.release-please.outputs.pr - - uses: nicknovitski/nix-develop@v1.1.0 - if: steps.release-please.outputs.pr - with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} + fetch-depth: 0 - uses: aws-actions/configure-aws-credentials@v4 if: steps.release-please.outputs.pr with: role-to-assume: ${{env.AWS_ROLE}} role-session-name: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} aws-region: ${{env.AWS_REGION}} - - uses: actions/cache/restore@v4 - id: cache-terraform-restore + - uses: matttrach/nix-installer-action@main if: steps.release-please.outputs.pr - with: - path: ${{ github.workspace }}/.terraform - key: terraform-${{hashFiles('**/versions.tf','**/main.tf')}} - - run: terraform init -upgrade - if: steps.release-please.outputs.pr - - uses: actions/cache/save@v4 - id: cache-terraform-save - if: steps.release-please.outputs.pr - with: - path: ${{ github.workspace }}/.terraform - key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }} - - run: go version && cd ${{github.workspace}}/tests && go test -v -timeout=40m -parallel=10 && cd ${{github.workspace}} + - name: Run Tests if: steps.release-please.outputs.pr + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep 
SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_OWNER: rancher IDENTIFIER: ${{github.job}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}} + run: | + go version + cd ${{github.workspace}}/tests + go test -v -timeout=40m -parallel=10 + cd ${{github.workspace}} - uses: peter-evans/create-or-update-comment@v4 name: 'Report Success' if: steps.release-please.outputs.pr diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml index 1fb0611..291475a 100644 --- a/.github/workflows/update.yaml +++ b/.github/workflows/update.yaml 
@@ -15,30 +15,31 @@ jobs: if: github.ref == 'refs/heads/main' steps: - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: nicknovitski/nix-develop@v1.1.0 with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main - name: Updatecli + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} # Never use '--debug' option, because it might leak the access tokens. run: | gpgconf --kill all diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 7f620ba..b8ce54f 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -1,136 +1,253 @@ name: validate on: - pull_request: - branches: - - main + # WARNING: do not make this repo public if you use this workflow, as a private repo you can safely trust the PRs not to be malicious + pull_request_target: + types: [opened, synchronize, reopened, ready_for_review] + branches: [main] + +env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_OWNER: ${{ github.repository_owner }} jobs: terraform: name: 'Terraform' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: nicknovitski/nix-develop@v1.1.0 - with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} - - uses: actions/cache/restore@v4 - id: cache-terraform-restore - with: - path: ${{ github.workspace }}/.terraform - key: terraform - - run: terraform init -upgrade - - uses: actions/cache/save@v4 - id: cache-terraform-save - with: - path: ${{ github.workspace }}/.terraform - key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }} - - run: cd ${{ github.workspace }}/examples/basic && terraform version && terraform init -upgrade && terraform validate && cd ${{ github.workspace }} - - run: terraform fmt -check -recursive + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main + - name: lint terraform + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + 
--keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} + run: | + set -e + set -x + terraform version + terraform fmt -check -recursive + for dir in project prototypes servers; do + cd "${{github.workspace}}/$dir" + terraform init -upgrade + terraform validate + tflint --init + tflint -f compact + tflint --recursive + done actionlint: name: 'Lint Workflows' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: nicknovitski/nix-develop@v1.1.0 - with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} - - run: actionlint - - tflint: - name: 'TFLint' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: latest - - run: tflint --version - - run: tflint --init - - run: tflint -f compact + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main + - name: action lint + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep 
AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} + run: actionlint shellcheck: - name: Shellcheck runs-on: ubuntu-latest steps: - - uses: ludeeus/action-shellcheck@master + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main + - name: shell check + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} + run: | + git pull; + while read -r file; do + echo "checking $file..." + shellcheck -x "$file" + done <<<"$(grep -Rl -e '^#!' 
| grep -v '.terraform'| grep -v '.git')" validate-commit-message: - name: Validate Commit Message runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch all history so that we can validate the commit messages + - uses: matttrach/nix-installer-action@main + - name: Check commit message + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} + run: | + # Check commit messages + set -x + set -e + # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/ + # This format enables automatic generation of changelogs and versioning + filter() { + COMMIT="$1" + ouput="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): ')" + return "$output" + } + + # Fetch the commit messages + + COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} --json commits | jq -r '.commits[].messageHeadline')" + echo "Commit messages found: " + echo "$COMMIT_MESSAGES" + + while read -r message; do + echo "Checking commit message: $message" + if [ "" != "$(filter "$message")" ]; then + echo "Commit message does not start with the required prefix. + Please use one of the following prefixes: fix:, feature:, feat:, refactor!:, feature!:, feat:!. + 'chore(main): ' is also allowed for release PRs. + This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message." 
+ exit 1 + else + echo "Commit message starts with the required prefix." + fi + done <<<"$COMMIT_MESSAGES" + + # Check if any commit message is empty + while read -r message; do + echo "Checking commit message: $message" + if [ "" == "$message" ]; then + echo "Found empty commit message." + exit 1 + else + echo "Commit message is not empty." + fi + done <<<"$COMMIT_MESSAGES" + + # Check if any commit message subject line is longer than 50 characters + while read -r message; do + echo "Checking commit message: $message" + if [ "$(wc -m <<<"$message")" -gt 50 ]; then + echo "Commit message subject line should be less than 50 characters." + exit 1 + else + echo "Commit message subject line is less than 50 characters." + fi + done <<<"$COMMIT_MESSAGES" + + # Spell check the commit messages using aspell + while read -r message; do + echo "Checking commit message: $message" + if [ "" != "$(echo "$message" | aspell list)" ]; then + echo "Commit messages contain spelling errors on words $WORDS." + echo "Also try updating the PR title not just amending the commits." + exit 1 + else + echo "Commit messages do not contain spelling errors." 
+ fi + done <<<"$COMMIT_MESSAGES" gitleaks: name: 'Scan for Secrets' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: nicknovitski/nix-develop@v1.1.0 with: - arguments: | - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - ${{ github.workspace }} - - run: gitleaks detect --no-banner -v --no-git - - run: gitleaks detect --no-banner -v + fetch-depth: 0 + - uses: matttrach/nix-installer-action@main + - name: Check for secrets + shell: >- + nix develop + --ignore-environment + --extra-experimental-features nix-command + --extra-experimental-features flakes + --keep HOME + --keep SSH_AUTH_SOCK + --keep GITHUB_TOKEN + --keep AWS_ROLE + --keep AWS_REGION + --keep AWS_DEFAULT_REGION + --keep AWS_ACCESS_KEY_ID + --keep AWS_SECRET_ACCESS_KEY + --keep AWS_SESSION_TOKEN + --keep UPDATECLI_GPGTOKEN + --keep UPDATECLI_GITHUB_TOKEN + --keep UPDATECLI_GITHUB_ACTOR + --keep GPG_SIGNING_KEY + --keep NIX_ENV_LOADED + --keep TERM + --command bash -e {0} + run: | + gitleaks detect --no-banner -v --no-git + gitleaks detect --no-banner -v diff --git a/.rcs b/.rcs index e327e42..b629f56 100644 --- a/.rcs +++ b/.rcs 
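Review bot: With `pull_request_target` and a bare `actions/checkout@v4` (no `ref:`), the tree every job lints is the base branch, so the terraform, actionlint, shellcheck and gitleaks steps never see the PR's changes; pointing `ref:` at the PR head would instead execute untrusted PR content with the write-scoped `GITHUB_TOKEN` exported in `env:`, which is the hazard the WARNING comment is working around. None of these jobs appears to need more than the read token the original `pull_request:` trigger grants (`gh pr view` is a read), so reverting to `pull_request:` with `branches: [main]` is the safer fix and removes the must-stay-private caveat. Separately, `filter()` in the commit-message step assigns `ouput` but returns `$output` and never prints anything, so `$(filter "$message")` is always empty and the prefix check cannot fail; `filter() { printf '%s\n' "$1" | grep -q -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): '; }` with `if ! filter "$message"; then` restores it. The lint loop's `for dir in project prototypes servers` names directories this patch's diffstat does not show (it touches `examples/` and `modules/`), worth confirming against the tree.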
@@ -1,3 +1,10 @@
-source ~/.config/aws/default/rc # add personal aws auth vars
-source ~/.config/alias/default/rc # add personal aliases
-source ~/.config/github/default/rc # add personal github auth vars
\ No newline at end of file
+#!/bin/env sh
+# shellcheck disable=SC1090 # disable shellcheck for external sourced files using dynamic directory
+# shellcheck disable=SC1091 # disable shellcheck for external sourced files using dynamic directory
+. "$HOME/.config/aws/default" # add personal aws auth vars
+. "$HOME/.config/github/default" # add personal github auth vars
+. "$HOME/.config/functions/default" # add personal functions
+. "$HOME/.config/alias/default" # add personal aliases
+. "$HOME/.config/age/default" # add age secrets
+. "$HOME/.config/updatecli/default" # add updatecli secrets
+. "$HOME/.config/docker/default" # add docker specific stuff
\ No newline at end of file
diff --git a/.variables b/.variables
index 4ad4e93..266f935 100644
--- a/.variables
+++ b/.variables
@@ -1,5 +1,10 @@
+#!/bin/env sh
 export TF_IN_AUTOMATION=1
+TF_VAR_ip="$(curl -s 'https://api.ipify.org')"
+export TF_VAR_ip
 export ACME_SERVER_URL="https://acme-v02.api.letsencrypt.org/directory"
-
-# expects parse_git_branch function to be defined
-export PS1="\[\e[31m\]Dev:\[\e[m\] \[\e[32m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[32m\]\h\[\e[m\] \[\e[34m\]\W\[\e[m\] \`parse_git_branch\` "
\ No newline at end of file
+tty_row="70"
+tty_col="300"
+set_terminal_size "$tty_row" "$tty_col"
+# shellcheck disable=SC2140
+export PS1=""\$\(blue\)""\$\(get_repo_owner\)"/"\$\(ce\)""\$\(orange\)"\W "\$\(ce\)""\$\(git_status\)" "
diff --git a/examples/override/main.tf b/examples/override/main.tf
index 3fd49d9..c3b2896 100644
--- a/examples/override/main.tf
+++ b/examples/override/main.tf
@@ -7,7 +7,6 @@ provider "aws" {
 }
 locals {
 identifier = var.identifier
- name = "tf-override-${local.identifier}"
 security_group_name = var.security_group_name
 key_name = var.key_name
 }
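Review bot: `TF_VAR_ip="$(curl -s 'https://api.ipify.org')"` exports whatever the HTTP body is, on every shell entry, with no timeout and no `-f`, so a slow or failing endpoint blocks the environment and an error page or an empty string becomes a Terraform variable; if `TF_VAR_ip` feeds a security-group or firewall rule (not visible here — confirm), an unexpected value is exactly what should not be applied unnoticed. Use `curl -fsS --max-time 5 'https://api.ipify.org'`, check the result against a dotted-quad pattern before the `export` (e.g. `expr "$TF_VAR_ip" : '[0-9.]*$' >/dev/null` in sh), and leave it unset with a printed warning otherwise. `set_terminal_size` also runs `stty` unconditionally whenever this file is sourced, which fails without a tty; guard the call with `[ -t 0 ]`.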
diff --git a/examples/skipvpc/main.tf b/examples/skipvpc/main.tf
index d63e60b..3f035bd 100644
--- a/examples/skipvpc/main.tf
+++ b/examples/skipvpc/main.tf
@@ -7,7 +7,6 @@ provider "aws" {
 }
 locals {
 identifier = var.identifier
- name = "tf-skipsubnet-${local.identifier}"
 key = var.key
 key_name = var.key_name
 }
diff --git a/flake.lock b/flake.lock
index 770554c..0940f1a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1705309234,
- "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+ "lastModified": 1710146030,
+ "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+ "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
 "type": "github"
 },
 "original": {
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1706683685,
- "narHash": "sha256-FtPPshEpxH/ewBOsdKBNhlsL2MLEFv1hEnQ19f/bFsQ=",
+ "lastModified": 1711106783,
+ "narHash": "sha256-PDwAcHahc6hEimyrgGmFdft75gmLrJOZ0txX7lFqq+I=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5ad9903c16126a7d949101687af0aa589b1d7d3d",
+ "rev": "a3ed7406349a9335cb4c2a71369b697cecd9d351",
 "type": "github"
 },
 "original": {
@@ -89,24 +89,34 @@ leftovers-wrapper = pkgs.writeShellScriptBin "leftovers" '' exec ${leftovers} "$@" ''; + aspellWithDicts = pkgs.aspellWithDicts (d: [d.en d.en-computers]); in { devShells.default = pkgs.mkShell { buildInputs = with pkgs; [ + act # run workflows locally with Docker actionlint + age + aspellWithDicts bashInteractive curl + docker + gh git gitleaks - go # need go for terratest - gnupg # need gpg for signing commits + gnupg + go jq + kubectl less - openssh # need openssh for running remote provisioners + ncurses + vim # for easily editing files that are not in this directory structure + openssh_hpn shellcheck tflint tfswitch - vim + tree # for easily finding files in this directory structure and helping generate docs + xterm ]; shellHook = '' homebin=$HOME/bin; diff --git a/modules/security_group/versions.tf b/modules/security_group/versions.tf new file mode 100644 index 0000000..7c63b5d --- /dev/null +++ b/modules/security_group/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0, < 1.6" + required_providers { + local = { + source = "hashicorp/local" + version = ">= 2.4" + } + aws = { + source = "hashicorp/aws" + version = ">= 5.11" + } + http = { + source = "hashicorp/http" + version = ">= 3.4" + } + } +} \ No newline at end of file diff --git a/modules/ssh_key/versions.tf b/modules/ssh_key/versions.tf new file mode 100644 index 0000000..7c63b5d --- /dev/null +++ b/modules/ssh_key/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0, < 1.6" + required_providers { + local = { + source = "hashicorp/local" + version = ">= 2.4" + } + aws = { + source = "hashicorp/aws" + version = ">= 5.11" + } + http = { + source = "hashicorp/http" + version = ">= 3.4" + } + } +} \ No newline at end of file diff --git a/modules/subnet/versions.tf b/modules/subnet/versions.tf new file mode 100644 index 0000000..7c63b5d --- /dev/null +++ b/modules/subnet/versions.tf 
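Review bot: The swap of `openssh` for `openssh_hpn` drops the why-comment the old entry carried (`# need openssh for running remote provisioners`) and gives no reason for choosing the HPN variant; the `go` and `gnupg` why-comments are dropped the same way while `act`, `vim` and `tree` gain new ones. Restore the reasons, e.g. `openssh_hpn # remote provisioners over ssh; HPN variant because <reason> — TODO(author)`, `gnupg # signing commits`, `go # terratest`, so the next reader can tell which packages CI depends on from developer conveniences (`docker`, `kubectl`, `xterm`, `act` look like the latter — confirm).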
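Review bot: The four new versions.tf files (security_group and ssh_key here, subnet and vpc in the next hunks, all the same blob) pin Terraform to `< 1.6` but leave every provider open-ended (`>= 2.4`, `>= 5.11`, `>= 3.4`), and the workflows run `terraform init -upgrade`, so each CI run resolves the newest provider release unless a `.terraform.lock.hcl` is committed next to each module; this patch adds none, so confirm they exist. If a module does not actually reference `local` or `http`, declaring them only adds downloads and surface; keep each module's `required_providers` to what its resources use.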
@@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0, < 1.6" + required_providers { + local = { + source = "hashicorp/local" + version = ">= 2.4" + } + aws = { + source = "hashicorp/aws" + version = ">= 5.11" + } + http = { + source = "hashicorp/http" + version = ">= 3.4" + } + } +} \ No newline at end of file diff --git a/modules/vpc/versions.tf b/modules/vpc/versions.tf new file mode 100644 index 0000000..7c63b5d --- /dev/null +++ b/modules/vpc/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.5.0, < 1.6" + required_providers { + local = { + source = "hashicorp/local" + version = ">= 2.4" + } + aws = { + source = "hashicorp/aws" + version = ">= 5.11" + } + http = { + source = "hashicorp/http" + version = ">= 3.4" + } + } +} \ No newline at end of file From 0ab8a6cb02854d45bafd36001b3515b0adda49b2 Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 22 Mar 2024 23:28:59 -0500 Subject: [PATCH 02/13] fix: update documentation Signed-off-by: matttrach --- README.md | 11 +++++++---- terraform.md | 10 +++++++++- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c158514..be2917e 100644 --- a/README.md +++ b/README.md 
@@ -11,13 +11,16 @@
 ## AWS Access
-The first step to using the AWS modules is having an AWS account, [here](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html) is a document describing this process.
-You will need an API access key id and API secret key, you can get the API keys [following this tutorial](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+The first step to using the AWS modules is having an AWS account,
+ [here](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-creating.html) is a document describing this process.
+You will need an API access key id and API secret key,
+ you can get the API keys [following this tutorial](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
 The Terraform AWS provider uses the AWS Go SDK, which allows the use of either environment variables or config files for authentication.
 https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-settings
 You do not need the AWS cli to generate the files, just place them in the proper place and Terraform will find and read them.
-We use environment variables to configure the AWS provider and load them by sourcing an RC file.
+In development, we use environment variables to configure the AWS provider and load them by sourcing an RC file.
+In CI we use OIDC connection to AWS to authenticate.
 ```
 export AWS_ACCESS_KEY_ID='ABC123'
@@ -26,7 +29,7 @@ export AWS_REGION='us-west-1'
 ```
 These help the tests set you as the owner on the testing infra and generate the proper key.
-The `.envrc` file sources `.rcs` file which assumes a local file at path `~/.config/aws/default/rc` exists with the above information.
+The `.envrc` file sources `.rcs` file which assumes a local file at path `~/.config/aws/default` exists with the above information.
 ## Examples
diff --git a/terraform.md b/terraform.md
index 35008a5..5aec501 100644
--- a/terraform.md
+++ b/terraform.md
@@ -49,7 +49,7 @@ The word "Module" is used in three contexts:
 - an example of this would be a security group and its rules
 - while rules can be added separately from the group and are their own resources they do not make a lot of sense to have in their own external module
 - it may be useful to separate out the rules from the group in logical form to keep top level (implementation) modules clean
-3. As an implementation of resources (Implementation Module/IMod)
+3. As an implementation of resources (Implementation Module/Root module/IMod)
 - modules are generally considered a way to pull code into a terraform file, but eventually a "root" must be created
 - the "root module" or "impementation module" orchestrates a group of modules with the intent of actually provisioning resources (rather than just as a template or library)
 - using the git ops paradigm the implementation module should be considered the source of truth for the infrastructure
@@ -99,6 +99,9 @@ For instance, you should not need to provision a new VPC for every implementatio
 This technique allows you to only generate a VPC once (or never, if you create it manually) by querying the provider before generating the resource.
 This also prevents users from having to know or pass the unique ids of resources into modules.
 Modules need selectors to accomplish this, usually in the form of some kind of name or default.
+There is a trade off to this approach where dependency chains become coupled in a way the forces recreation of resources due to unknown values.
+We diminish this trade off by explicitly ignoring this cases which Terraform calls "changes".
+This in turn may cause infrastructure to stay around when you might expect it to go away, which is how we err on the side of caution.
 ## Parenthesis Around Ternaries
@@ -115,6 +118,7 @@ Many times, variables need to be processed after an initial implementation is in
 variables can not be processed in the variables section, and processing the variable in multiple places throughout the config is prone to error, this standard will prevent unnecessary changes to the variables and the config as a whole.
 Basically, place everything in locals so you don't have to worry about moving them there later.
+This also makes the interface able to be more stable than the underlying code.
 ## Embedded Scripts Should Use Heredoc
@@ -168,16 +172,19 @@ There shouldn't be more than 3 levels of nested independent modules: (Core, Prim
 These independent modules represent provider resources, they should not have any nested independant modules.
 Core Modules should only call resources.
+Most times these are local modules within a Primary module.
 ### Primary Modules
 These independent modules represent groups of core modules, they should not call resources.
 Primary Modules should only call Core Modules.
+There is an exception for null_resource or terraform_data resources which many times are necessary to configure services.
 ### Secondary Modules
 These modules represent large systems, they should only call Primary Modules.
 Secondary Modules should only call Primary Modules.
+There is an exception for null_resource or terraform_data resources which many times are necessary to configure services.
 ## Test Size
@@ -196,3 +203,4 @@ Integration tests show that any two local modules work together.
 In this code base an "End to End" or "E2E" test refers to testing all of the units together.
 A module might have several E2E tests validating different configurations.
+The vast majority of tests will be e2e, since that represents the highest value to our users.
From 96000cb5e14932cf0f26753d52728cc4c7583458 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Fri, 22 Mar 2024 23:37:19 -0500
Subject: [PATCH 03/13] fix: use pull request without target
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index b8ce54f..4c8839a 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -1,10 +1,8 @@
 name: validate
 on:
- # WARNING: do not make this repo public if you use this workflow, as a private repo you can safely trust the PRs not to be malicious
- pull_request_target:
- types: [opened, synchronize, reopened, ready_for_review]
- branches: [main]
+ pull_request:
+ branches: main
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From f4064b39a5e72d48c2947d62b54b9bb6a2e4d4e9 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Fri, 22 Mar 2024 23:49:53 -0500
Subject: [PATCH 04/13] fix: try block notation
Signed-off-by: matttrach
---
 .github/workflows/cleanup.yaml | 80 ++++++------
 .github/workflows/release.yaml | 40 +++----
 .github/workflows/update.yaml | 40 +++----
 .github/workflows/validate.yaml | 200 ++++++++++++++++----------
 4 files changed, 180 insertions(+), 180 deletions(-)
diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml
index de518ae..9b04b5d 100644
--- a/.github/workflows/cleanup.yaml
+++ b/.github/workflows/cleanup.yaml
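Review bot: The switch to `pull_request` also drops the explicit `types:` list, and the default set for `pull_request` is opened/synchronize/reopened, so a draft PR marked ready no longer triggers this workflow until its next push; add `types: [opened, synchronize, reopened, ready_for_review]` under `pull_request:` if the old behaviour was intended. With `pull_request`, runs from a forked repository get an empty `secrets` context and a read-only `GITHUB_TOKEN`, which is exactly the safety gain the removed warning comment was about, but it means any step elsewhere in this file that relies on the kept `AWS_*`/`GPG_SIGNING_KEY` variables will run without them on fork PRs and should be gated or kept separate from the credential-free lints. No `permissions:` key is visible in these first lines; if the file has none, `permissions: contents: read` above `env:` narrows the token that `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exports to every step.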
@@ -25,26 +25,26 @@ jobs: - uses: matttrach/nix-installer-action@main - name: Get Ids id: get_ids - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} # 86400 = 24 hours in seconds (24 * 60 * 60) # you might increase this number if you need to look back further for leftovers 
@@ -66,26 +66,26 @@ jobs: # WARNING! if '--filter=""' then you will find everything in a region # WARNING! if '-d' is missing you will delete everything that is found - name: find-leftovers - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: | check_leftovers() { diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e40d653..7d3b9ba 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -43,26 +43,26 @@ jobs: if: steps.release-please.outputs.pr - name: Run Tests if: steps.release-please.outputs.pr - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml index 291475a..ec0bd57 100644 --- a/.github/workflows/update.yaml +++ b/.github/workflows/update.yaml 
@@ -19,26 +19,26 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: Updatecli - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} # Never use '--debug' option, because it might leak the access tokens. run: | diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 4c8839a..cb9aa77 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -19,26 +19,26 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: lint terraform - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: | set -e 
@@ -63,26 +63,26 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: action lint - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: actionlint 
@@ -94,26 +94,26 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: shell check - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: | git pull; 
@@ -130,26 +130,26 @@ jobs: fetch-depth: 0 # fetch all history so that we can validate the commit messages - uses: matttrach/nix-installer-action@main - name: Check commit message - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: | # Check commit messages 
@@ -225,26 +225,26 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: Check for secrets - shell: >- - nix develop - --ignore-environment - --extra-experimental-features nix-command - --extra-experimental-features flakes - --keep HOME - --keep SSH_AUTH_SOCK - --keep GITHUB_TOKEN - --keep AWS_ROLE - --keep AWS_REGION - --keep AWS_DEFAULT_REGION - --keep AWS_ACCESS_KEY_ID - --keep AWS_SECRET_ACCESS_KEY - --keep AWS_SESSION_TOKEN - --keep UPDATECLI_GPGTOKEN - --keep UPDATECLI_GITHUB_TOKEN - --keep UPDATECLI_GITHUB_ACTOR - --keep GPG_SIGNING_KEY - --keep NIX_ENV_LOADED - --keep TERM + shell: | + nix develop \ + --ignore-environment \ + --extra-experimental-features nix-command \ + --extra-experimental-features flakes \ + --keep HOME \ + --keep SSH_AUTH_SOCK \ + --keep GITHUB_TOKEN \ + --keep AWS_ROLE \ + --keep AWS_REGION \ + --keep AWS_DEFAULT_REGION \ + --keep AWS_ACCESS_KEY_ID \ + --keep AWS_SECRET_ACCESS_KEY \ + --keep AWS_SESSION_TOKEN \ + --keep UPDATECLI_GPGTOKEN \ + --keep UPDATECLI_GITHUB_TOKEN \ + --keep UPDATECLI_GITHUB_ACTOR \ + --keep GPG_SIGNING_KEY \ + --keep NIX_ENV_LOADED \ + --keep TERM \ --command bash -e {0} run: | gitleaks detect --no-banner -v --no-git From 88a8ee79f1c611659901869b2253bdb0fd9df096 Mon Sep 17 00:00:00 2001 From: matttrach Date: Fri, 22 Mar 2024 23:55:33 -0500 Subject: [PATCH 05/13] fix: try folded notation Signed-off-by: matttrach --- .github/workflows/validate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index cb9aa77..3a64656 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml @@ -94,7 +94,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: shell check - shell: | + shell: > nix develop \ --ignore-environment \ --extra-experimental-features nix-command \ From 2d73ec225d5c85cf57af3e2fd17e42eac1e30d56 Mon Sep 17 00:00:00 2001 
From: matttrach Date: Fri, 22 Mar 2024 23:56:50 -0500 Subject: [PATCH 06/13] fix: try block with notes Signed-off-by: matttrach --- .github/workflows/validate.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 3a64656..648062c 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml @@ -94,8 +94,8 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: shell check - shell: > - nix develop \ + shell: | + "nix develop \ --ignore-environment \ --extra-experimental-features nix-command \ --extra-experimental-features flakes \ @@ -114,7 +114,7 @@ jobs: --keep GPG_SIGNING_KEY \ --keep NIX_ENV_LOADED \ --keep TERM \ - --command bash -e {0} + --command bash -e {0}" run: | git pull; while read -r file; do From d8f48cddcbd622da1062809a1756e12cb2798974 Mon Sep 17 00:00:00 2001 From: matttrach Date: Sat, 23 Mar 2024 00:42:57 -0500 Subject: [PATCH 07/13] fix: put back in one line Signed-off-by: matttrach --- .github/workflows/cleanup.yaml | 44 +------------ .github/workflows/release.yaml | 22 +------ .github/workflows/update.yaml | 22 +------ .github/workflows/validate.yaml | 110 ++------------------------------ 4 files changed, 9 insertions(+), 189 deletions(-) diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml index 9b04b5d..f97bee4 100644 --- a/.github/workflows/cleanup.yaml +++ b/.github/workflows/cleanup.yaml 
@@ -25,27 +25,7 @@ jobs: - uses: matttrach/nix-installer-action@main - name: Get Ids id: get_ids - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} # 86400 = 24 hours in seconds (24 * 60 * 60) # you might increase this number if you need to look back further for leftovers run: | 
@@ -66,27 +46,7 @@ jobs: # WARNING! if '--filter=""' then you will find everything in a region # WARNING! if '-d' is missing you will delete everything that is found - name: find-leftovers - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: | check_leftovers() { local id="$1" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7d3b9ba..94ccd6f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -43,27 +43,7 @@ jobs: if: steps.release-please.outputs.pr - name: Run Tests if: steps.release-please.outputs.pr - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_OWNER: rancher diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml index ec0bd57..6f910af 100644 --- a/.github/workflows/update.yaml +++ b/.github/workflows/update.yaml 
@@ -19,27 +19,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: Updatecli - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} # Never use '--debug' option, because it might leak the access tokens. run: | gpgconf --kill all diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 648062c..d4c8f5f 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -19,27 +19,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: lint terraform - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: | set -e set -x 
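Review bot: The collapsed `shell:` line for `lint terraform` still keeps `GITHUB_TOKEN`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `UPDATECLI_GPGTOKEN`, `UPDATECLI_GITHUB_TOKEN` and `GPG_SIGNING_KEY` in a step whose `run:` only formats and lints Terraform, and the identical template is pasted into the actionlint, shell check, commit-message and gitleaks steps of this file (the hunks at -63, -94, -130 and -225). `--ignore-environment` already does the isolation; the `--keep` list is what hands the credentials back, and with `set -x` two lines below any command that touched one of them would echo it into the job log. For lint-only steps the list can shrink to `--keep HOME --keep TERM` (plus `--keep GITHUB_TOKEN` only where the GitHub API is actually called), leaving the full list to the cleanup/release/update steps that talk to AWS. A short comment above the line naming which variables each step genuinely needs would keep the next copy-paste from widening it again.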
@@ -63,27 +43,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: action lint - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: actionlint shellcheck: 
@@ -94,27 +54,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: shell check - shell: | - "nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0}" + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: | git pull; while read -r file; do 
@@ -130,27 +70,7 @@ jobs: fetch-depth: 0 # fetch all history so that we can validate the commit messages - uses: matttrach/nix-installer-action@main - name: Check commit message - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: | # Check commit messages set -x 
@@ -225,27 +145,7 @@ jobs: fetch-depth: 0 - uses: matttrach/nix-installer-action@main - name: Check for secrets - shell: | - nix develop \ - --ignore-environment \ - --extra-experimental-features nix-command \ - --extra-experimental-features flakes \ - --keep HOME \ - --keep SSH_AUTH_SOCK \ - --keep GITHUB_TOKEN \ - --keep AWS_ROLE \ - --keep AWS_REGION \ - --keep AWS_DEFAULT_REGION \ - --keep AWS_ACCESS_KEY_ID \ - --keep AWS_SECRET_ACCESS_KEY \ - --keep AWS_SESSION_TOKEN \ - --keep UPDATECLI_GPGTOKEN \ - --keep UPDATECLI_GITHUB_TOKEN \ - --keep UPDATECLI_GITHUB_ACTOR \ - --keep GPG_SIGNING_KEY \ - --keep NIX_ENV_LOADED \ - --keep TERM \ - --command bash -e {0} + shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0} run: | gitleaks detect --no-banner -v --no-git gitleaks detect --no-banner -v From f5416d5db901a5da30a4e56c106e797d98926cb6 Mon Sep 17 00:00:00 2001 From: matttrach Date: Sat, 23 Mar 2024 00:54:53 -0500 Subject: [PATCH 08/13] fix: improve validate Signed-off-by: matttrach --- .github/workflows/validate.yaml | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index d4c8f5f..9c35937 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml 
@@ -21,18 +21,8 @@ jobs:
 - name: lint terraform
 shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: |
- set -e
- set -x
- terraform version
 terraform fmt -check -recursive
- for dir in project prototypes servers; do
- cd "${{github.workspace}}/$dir"
- terraform init -upgrade
- terraform validate
- tflint --init
- tflint -f compact
- tflint --recursive
- done
+ tflint --recursive
 
 actionlint:
 name: 'Lint Workflows'
@@ -56,7 +46,6 @@ jobs:
 - name: shell check
 shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: |
- git pull;
 while read -r file; do
 echo "checking $file..."
 shellcheck -x "$file"
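Review bot: `tflint --recursive` now runs without the `tflint --init` that the removed loop performed before every lint call, so if the repository's tflint config declares plugin rulesets the step would fail on a missing plugin instead of linting; adding `tflint --init` on the line before keeps the new single-pass shape. The hunk also drops `terraform init` and `terraform validate` entirely, leaving `terraform fmt -check -recursive` as the only Terraform-level check in this job. If that narrowing is intentional, a one-line comment next to `tflint --recursive` saying where validation now happens would stop the next reader from re-adding the loop. Removing the explicit `set -e` is fine here because the step's shell is already `bash -e {0}`.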
@@ -73,8 +62,6 @@ jobs:
 shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: |
 # Check commit messages
- set -x
- set -e
 # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/
 # This format enables automatic generation of changelogs and versioning
 filter() {
From 00d56cda49daa6b9cf1251c3ecfeedd31dc9f8ee Mon Sep 17 00:00:00 2001
From: matttrach
Date: Sat, 23 Mar 2024 01:09:52 -0500
Subject: [PATCH 09/13] fix: improve logging
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 9c35937..59727df 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -61,6 +61,8 @@ jobs:
 - name: Check commit message
 shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: |
+ set -e
+ set -x
 # Check commit messages
 # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/
 # This format enables automatic generation of changelogs and versioning
@@ -77,49 +79,46 @@ jobs:
 echo "$COMMIT_MESSAGES"
 
 while read -r message; do
- echo "Checking commit message: $message"
 if [ "" != "$(filter "$message")" ]; then
 echo "Commit message does not start with the required prefix.
 Please use one of the following prefixes: fix:, feature:, feat:, refactor!:, feature!:, feat:!.
 'chore(main): ' is also allowed for release PRs.
- This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message."
+ This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message.
+ $message"
 exit 1
 else
- echo "Commit message starts with the required prefix."
+ echo "Commit message $message starts with the required prefix."
 fi
 done <<<"$COMMIT_MESSAGES"
 
 # Check if any commit message is empty
 while read -r message; do
- echo "Checking commit message: $message"
 if [ "" == "$message" ]; then
- echo "Found empty commit message."
+ echo "Found empty commit message: $message."
 exit 1
 else
- echo "Commit message is not empty."
+ echo "Commit message $message is not empty."
 fi
 done <<<"$COMMIT_MESSAGES"
 
 # Check if any commit message subject line is longer than 50 characters
 while read -r message; do
- echo "Checking commit message: $message"
 if [ "$(wc -m <<<"$message")" -gt 50 ]; then
- echo "Commit message subject line should be less than 50 characters."
+ echo "Commit message subject line should be less than 50 characters, found $(wc -m "$message"). $message"
 exit 1
 else
- echo "Commit message subject line is less than 50 characters."
+ echo "Commit message subject line is less than 50 characters. $message"
 fi
 done <<<"$COMMIT_MESSAGES"
 
 # Spell check the commit messages using aspell
 while read -r message; do
- echo "Checking commit message: $message"
 if [ "" != "$(echo "$message" | aspell list)" ]; then
- echo "Commit messages contain spelling errors on words $WORDS."
+ echo "Commit message $message contains spelling errors on words: ^$WORDS\$"
 echo "Also try updating the PR title not just amending the commits."
 exit 1
 else
- echo "Commit messages do not contain spelling errors."
+ echo "Commit message doesnt contain spelling errors. $message"
 fi
 done <<<"$COMMIT_MESSAGES"
 
From f2eb15cc59de672b1df1765ff81530e105f573e2 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Sat, 23 Mar 2024 01:19:48 -0500
Subject: [PATCH 10/13] fix: rewriting for better understanding
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 66 ++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 59727df..7216187 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
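Review bot: In the new length message, `$(wc -m "$message")` passes the commit subject to wc as a file name, so it writes a "No such file" error to stderr and substitutes an empty count, while the condition three lines above measures the string with a here-string; `found $(wc -m <<<"$message")` reports the same number that was tested. The identical expression is carried unchanged into `length_check` in the rewrite hunk `@@ -71,55 +71,61 @@` further down this series. The new spelling line also interpolates `$WORDS`, which nothing in this step assigns at this revision, so the reported word list is always empty here; a later patch in the series captures the aspell output into it. Note that the here-string form counts the trailing newline, so the compared value is one more than the subject's length — if that is not intended, `-gt 51` or stripping the newline would align the threshold with the message text.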
@@ -71,55 +71,61 @@ jobs:
 ouput="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): ')"
 return "$output"
 }
-
- # Fetch the commit messages
-
- COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} --json commits | jq -r '.commits[].messageHeadline')"
- echo "Commit messages found: "
- echo "$COMMIT_MESSAGES"
-
- while read -r message; do
+ prefix_check() {
+ message="$1"
 if [ "" != "$(filter "$message")" ]; then
- echo "Commit message does not start with the required prefix.
+ echo "...Commit message does not start with the required prefix.
 Please use one of the following prefixes: fix:, feature:, feat:, refactor!:, feature!:, feat:!.
 'chore(main): ' is also allowed for release PRs.
 This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message.
 $message"
 exit 1
 else
- echo "Commit message $message starts with the required prefix."
+ echo "...Commit message starts with the required prefix."
 fi
- done <<<"$COMMIT_MESSAGES"
-
- # Check if any commit message is empty
- while read -r message; do
+ }
+ empty_check() {
+ message="$1"
 if [ "" == "$message" ]; then
- echo "Found empty commit message: $message."
+ echo "...Empty commit message."
 exit 1
 else
- echo "Commit message $message is not empty."
+ echo "...Commit message isnt empty."
 fi
- done <<<"$COMMIT_MESSAGES"
-
- # Check if any commit message subject line is longer than 50 characters
- while read -r message; do
+ }
+ length_check() {
+ message="$1"
 if [ "$(wc -m <<<"$message")" -gt 50 ]; then
- echo "Commit message subject line should be less than 50 characters, found $(wc -m "$message"). $message"
+ echo "...Commit message subject line should be less than 50 characters, found $(wc -m "$message")."
 exit 1
 else
- echo "Commit message subject line is less than 50 characters. $message"
+ echo "...Commit message subject line is less than 50 characters."
 fi
- done <<<"$COMMIT_MESSAGES"
-
- # Spell check the commit messages using aspell
- while read -r message; do
- if [ "" != "$(echo "$message" | aspell list)" ]; then
- echo "Commit message $message contains spelling errors on words: ^$WORDS\$"
- echo "Also try updating the PR title not just amending the commits."
+ }
+ spell_check() {
+ message="$1"
+ if [ "" != "$(aspell list <<<"$message")" ]; then
+ echo "...Commit message contains spelling errors on words: ^$WORDS\$"
+ echo "...- Also try updating the PR title not just amending the commits."
 exit 1
 else
- echo "Commit message doesnt contain spelling errors. $message"
+ echo "...Commit message doesnt contain spelling errors."
 fi
+ }
+
+ # Fetch the commit messages
+
+ COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} --json commits | jq -r '.commits[].messageHeadline')"
+ echo "Commit messages found: "
+ echo "$COMMIT_MESSAGES"
+
+ while read -r message; do
+ echo "checking message ^$message\$"
+ prefix_check "$message"
+ empty_check "$message"
+ length_check "$message"
+ spell_check "$message"
+ echo "message ^$message\$ passed all checks"
 done <<<"$COMMIT_MESSAGES"
 
 gitleaks:
From 6cb374c9a73736c4736c414f06a2c007143f1b20 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Sat, 23 Mar 2024 01:24:19 -0500
Subject: [PATCH 11/13] fix: remove explain
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 7216187..af0ae4e 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
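Review bot: `COMMIT_MESSAGES="$(gh pr view ${{github.event.number}} ...)"` splices a workflow expression straight into the script body; `github.event.number` is numeric so the practical exposure here is small, but it is the pattern the `actionlint` job in this same workflow and GitHub's hardening guidance flag, and passing it through the step's `env:` (e.g. `PR_NUMBER: ${{ github.event.number }}`) and reading `"$PR_NUMBER"` keeps the script free of expression splices. Each new check function assigns `message="$1"` as a global, which shadows the loop's `message` variable that is passed in — harmless today because the values are equal, but `local message="$1"` makes the scoping explicit. The functions call `exit 1` rather than `return 1`, so the first failing subject aborts the step before the remaining subjects are reported; if a full report is wanted, return non-zero and let the loop record the failure.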
@@ -62,7 +62,6 @@ jobs:
 shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
 run: |
 set -e
- set -x
 # Check commit messages
 # This steps enforces https://www.conventionalcommits.org/en/v1.0.0/
 # This format enables automatic generation of changelogs and versioning
From 77efd71a0e05f62c1a1f2c1f1bfa7f895ea317b6 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Sat, 23 Mar 2024 01:27:20 -0500
Subject: [PATCH 12/13] fix: echo outputs
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index af0ae4e..ce22c40 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -68,7 +68,7 @@ jobs:
 filter() {
 COMMIT="$1"
 ouput="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e 'refactor!: ' -e 'feature!: ' -e 'feat!: ' -e '^chore(main): ')"
- return "$output"
+ echo "$output"
 }
 prefix_check() {
 message="$1"
From 2e96f66d52f65a597e0919fd13a504f56f1bd676 Mon Sep 17 00:00:00 2001
From: matttrach
Date: Sat, 23 Mar 2024 01:35:34 -0500
Subject: [PATCH 13/13] fix: actually output words
Signed-off-by: matttrach
---
 .github/workflows/validate.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index ce22c40..17d3331 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
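Review bot: `echo "$output"` prints a variable that `filter` never assigns — the line above writes `ouput` — so the function's stdout is always empty and `prefix_check`'s test `[ "" != "$(filter "$message")" ]` (outside this hunk) can never fire, meaning the prefix rule is not enforced in this revision. Correcting the spelling alone would invert the result, because grep prints the line when a valid prefix matches, so non-empty output means the subject is acceptable. Suggested: `output="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e '^refactor!: ' -e '^feature!: ' -e '^feat!: ' -e '^chore(main): ')"` here and `if [ "" = "$(filter "$message")" ]; then` in `prefix_check`. The `refactor!: `, `feature!: ` and `feat!: ` patterns on the context line also lack the `^` anchor the other patterns carry, so they would accept that text anywhere in the subject.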
@@ -103,9 +103,10 @@ jobs:
 }
 spell_check() {
 message="$1"
- if [ "" != "$(aspell list <<<"$message")" ]; then
- echo "...Commit message contains spelling errors on words: ^$WORDS\$"
- echo "...- Also try updating the PR title not just amending the commits."
+ WORDS="$(aspell list <<<"$message")"
+ if [ "" != "$WORDS" ]; then
+ echo "...Commit message contains spelling errors on: ^$WORDS\$"
+ echo "...Also try updating the PR title."
 exit 1
 else
 echo "...Commit message doesnt contain spelling errors."
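Review bot: `WORDS` and `message` are assigned as shell globals inside `spell_check`, so each call overwrites the caller's variables, and `message` shadows the loop variable of the same name that is passed in; `local message="$1"` and `local WORDS` keep them function-scoped. `aspell list` is invoked without an explicit `--lang`, so the outcome depends on the runner's locale and default dictionary; pinning the language (and, if project terms such as tool names are expected in subjects, a word list via `--personal`) makes the check reproducible across runners. The function's closing brace is outside the hunk.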