fix: update workflows to meet new standards

.envrc

@@ -1,6 +1,12 @@
+#!/bin/env sh
+
 if [ -z "${NIX_ENV_LOADED}" ]; then
-	echo "entering dev environment..."
-  export NIX_ENV_LOADED=$(pwd)
+	printf "entering environment..."
+  NIX_ENV_LOADED="$(pwd)"
+  export NIX_ENV_LOADED
+
+  nix flake update --extra-experimental-features nix-command --extra-experimental-features flakes;
+  echo "nix store is using $(du -hs /nix/store)"
 
   nix develop \
     --ignore-environment \
@@ -15,30 +21,31 @@ if [ -z "${NIX_ENV_LOADED}" ]; then
     --keep AWS_ACCESS_KEY_ID \
     --keep AWS_SECRET_ACCESS_KEY \
     --keep AWS_SESSION_TOKEN \
-    --keep UPDATECLI_GPGTOKEN \
-    --keep UPDATECLI_GITHUB_TOKEN \
-    --keep UPDATECLI_GITHUB_ACTOR \
-    --keep GPG_SIGNING_KEY \
-    --keep NIX_ENV_LOADED \
     --keep TERM \
-    $(pwd)
+    --keep XDG_DATA_DIRS \
+    --keep NIX_ENV_LOADED \
+    "$(pwd)" || unset NIX_ENV_LOADED;
+
 else
-	echo "setting up dev environment..."
+	printf "setting up dev environment...\n"
+  unset NIX_ENV_LOADED
 
-	source .aliases
-	source .functions
-	source .variables
-	source .rcs
-fi
-if [ -z "$SSH_AUTH_SOCK" ]; then
-  echo "Unable to find SSH_AUTH_SOCK, is your agent running?";
-fi
-if [ -z "$(ssh-add -l | grep -v 'The agent has no identities.')" ]; then
-  echo "Your agent doesn't appear to have any identities loaded, please load a key or forward your agent.";
-fi
-if [ -z "$(env | grep 'AWS')" ]; then
-  echo "Unable to find AWS authentication information in the environment, please make sure you authenticate with AWS.";
-fi
-if [ -z "$(env | grep 'GITHUB_TOKEN')" ]; then
-  echo "Unable to find GITHUB authentication information in the environment, please make sure you authenticate with GITHUB.";
+	. .functions
+	. .variables
+	. .rcs
+	. .aliases
+
+
+	if [ -z "$SSH_AUTH_SOCK" ]; then eval "$(ssh-agent -s)"; ssh-add; fi
+	if [ "" = "$(env | grep 'AWS')" ]; then
+		printf "Unable to find AWS authentication information in the environment, \
+      please make sure you authenticate with AWS. \
+      Try using the 'aws' cli included in the environment.\n";
+	fi
+	if env | grep -q 'GITHUB_TOKEN'; then
+		printf "Unable to find GITHUB authentication information in the environment, \
+      please make sure you authenticate with GITHUB. \
+      Try using the 'gh' cli included in the environment.\n";
+	fi
 fi
+unset NIX_ENV_LOADED

.functions

@@ -1,46 +1,193 @@
+#!/bin/env bash
 # get current branch in git repo
-function parse_git_branch() {
-    BRANCH=`git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/'`
-    if [ ! "${BRANCH}" == "" ]
-    then
-        STAT=`parse_git_dirty`
-        echo "[${BRANCH}${STAT}]"
-    else
-        echo ""
+git_status() {
+    BRANCH="$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')"
+    if [ ! "${BRANCH}" = "" ]; then
+      STAT="$(parse_git_dirty)"
+      if printf "%s" "$STAT" | grep -q -e '!' -e '?' -e '+' -e '>' -e 'x' -e '*'; then
+        printf "%s[%s %s]%s" "$(red)" "$BRANCH" "$STAT" "$(ce)"
+      else
+        printf "%s[%s%s]%s" "$(green)" "$BRANCH" "$STAT" "$(ce)"
+      fi
     fi
 }
 
+get_repo_owner() {
+  REPO="$(basename "$(git rev-parse --show-toplevel)")"
+  OWNER="$(basename "$(git rev-parse --show-toplevel | sed  s/"$REPO"//g)")"
+  printf "%s" "$OWNER"
+}
+
 # get current status of git repo
-function parse_git_dirty {
-    status=`git status 2>&1 | tee`
-    dirty=`echo -n "${status}" 2> /dev/null | grep "modified:" &> /dev/null; echo "$?"`
-    untracked=`echo -n "${status}" 2> /dev/null | grep "Untracked files" &> /dev/null; echo "$?"`
-    ahead=`echo -n "${status}" 2> /dev/null | grep "Your branch is ahead of" &> /dev/null; echo "$?"`
-    newfile=`echo -n "${status}" 2> /dev/null | grep "new file:" &> /dev/null; echo "$?"`
-    renamed=`echo -n "${status}" 2> /dev/null | grep "renamed:" &> /dev/null; echo "$?"`
-    deleted=`echo -n "${status}" 2> /dev/null | grep "deleted:" &> /dev/null; echo "$?"`
-    bits=''
-    if [ "${renamed}" == "0" ]; then
-        bits=">${bits}"
-    fi
-    if [ "${ahead}" == "0" ]; then
-        bits="*${bits}"
-    fi
-    if [ "${newfile}" == "0" ]; then
-        bits="+${bits}"
+parse_git_dirty() {
+    status="$(git status 2>&1 | tee)"
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Your branch is up to date with 'origin/main'" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" ""; fi # clean
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "modified:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "!"; fi # dirty
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Untracked files" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "?"; fi # untracked
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "new file:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "+"; fi # new files
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "renamed:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" ">"; fi # renamed files
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "deleted:" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "x"; fi # deleted files
+    if [ "0" = "$(printf "%s" "${status}" 2> /dev/null | grep "Your branch is ahead of" >/dev/null 2>&1; printf "%s" $?)" ]; then printf "%s" "*"; fi # ahead of
+}
+
+encrypt_secrets() {
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)";
+  cd "$workspace" || return;
+  while read -r file; do
+    if [ -f "$file" ]; then
+      if [ -f "$file.backup" ]; then
+        rm -rf "$file.backup"
+        cp "$file" "$file.backup"
+      fi
+      rm -rf "$file.age"
+      age -e -R "$workspace"/age_recipients.txt -o "$file.age" "$file"
     fi
-    if [ "${untracked}" == "0" ]; then
-        bits="?${bits}"
+  done <secret_file_list.txt
+  cd "$dir" || return;
+}
+
+decrypt_secrets() {
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)";
+  cd "$workspace" || return;
+  while read -r file; do
+    if [ -f "$file.age" ]; then
+      printf "decrypting %s\n" "$file"
+      rm -rf "$file"
+      printf "%s" "$AGE_SECRET_KEY" | age -d -i - -o "$file" "$file.age"
     fi
-    if [ "${deleted}" == "0" ]; then
-        bits="x${bits}"
+  done <secret_file_list.txt
+  cd "$dir" || return;
+}
+
+encrypt_file() {
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)";
+  printf "%s" "enter file to encrypt:";
+  while read -r file; do
+    if [ ! -f "$file" ]; then printf "%s" 'file not found'; exit 1; fi
+    printf "encrypting %s as %s.age" "$file" "$file";
+    if [ -f "$file.backup.age" ]; then
+      if [ -f "$file.age" ]; then
+        printf "found %s.backup.age, so saving %s.age as %s.backup.age" "$file" "$file" "$file"
+        rm -f "$file.backup.age"
+        cp "$file.age" "$file.backup.age"
+      fi
     fi
-    if [ "${dirty}" == "0" ]; then
-        bits="!${bits}"
+    rm -f "$file.age"
+    age -e -R "$workspace"/age_recipients.txt -o "$file.age" "$file";
+    break;
+  done <"${1:-/dev/stdin}"
+}
+
+# this clears out secrets and temp files that are only saved locally
+clear_local() {
+  echo "Removing secret files..."
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)"
+  cd "$workspace" || exit
+  while read -r file; do
+    if [ -f "$file" ]; then
+      rm -rf "$file";
     fi
-    if [ ! "${bits}" == "" ]; then
-        echo " ${bits}"
-    else
-        echo ""
+  done <secret_file_list.txt
+  cd "$dir" || exit
+  echo "removing tf cache..."
+  while read -r file; do echo "removing $file..."; rm -rf "$file"; done <<<"$(find . -type d -name '.terraform')"
+  while read -r file; do echo "removing $file..."; rm -rf "$file"; done <<<"$(find . -type f -name '.terraform.lock.hcl')"
+}
+
+# Function to recursively find shell script files
+find_shell_scripts() {
+  dir="$1"
+  for file in "$dir"/*; do
+    if [ -d "$file" ]; then
+      # Skip .git and .terraform directories
+      if [ "$(basename "$file")" != ".git" ] && [ "$(basename "$file")" != ".terraform" ]; then
+        find_shell_scripts "$file"
+      fi
+    elif [ -f "$file" ]; then
+      # Check if the file has a shebang line
+      if head -n 1 "$file" | grep -q '^#!'; then
+        echo "$file"
+      fi
     fi
-}
+  done
+}
+
+shell_check() {
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)";
+  cd "$workspace" || return;
+  while read -r file; do
+    echo "checking $file..."
+    shellcheck -x "$file"
+  done <<<"$(grep -Rl -e '^#!' | grep -v '.terraform'| grep -v '.git')"
+  cd "$dir" || return;
+}
+
+# ps1 color functions
+# add colors like this `red`\$`ce` generates red '$' prompt
+ps1_color_open() {
+  red=$1
+  green=$2
+  blue=$3
+  printf '\e[0;38;2;%s;%s;%sm' "$red" "$green" "$blue";
+}
+
+green() {
+  ps1_color_open 0 254 0
+}
+red() {
+  ps1_color_open 254 0 0
+}
+blue() {
+  ps1_color_open 0 0 254
+}
+orange() {
+  ps1_color_open 254 127 0
+}
+white() {
+  ps1_color_open 254 254 254
+}
+yellow() {
+  ps1_color_open 254 254 0
+}
+
+# color end
+ce() {
+  printf '\e[m'
+}
+
+reset_state() {
+  # WARNING! This will delete all saved state and encrypt the state files back for saving
+  echo "Removing state..."
+  workspace="$(git rev-parse --show-toplevel)";
+  dir="$(pwd)"
+  cd "$workspace" || return;
+  for lc in project prototypes servers; do
+    cd "$workspace/$lc" || return;
+    echo '{"version": 4,"serial": 3,"outputs": {},"resources": [],"check_results": null}' > terraform.tfstate
+    rm -f terraform.tfstate.age
+    age -e -R "$workspace/age_recipients.txt" -o terraform.tfstate.age terraform.tfstate
+  done
+  cd "$dir" || return;
+}
+
+set_terminal_size(){
+  row="$1"
+  col="$2"
+  if [ "$row" == "" ]; then row=70; fi
+  if [ "$col" == "" ]; then col=300; fi
+  stty rows "$row"
+  stty cols "$col"
+}
+
+set_repo_name() {
+  new_name="$1"
+  if [ -z "$new_name" ]; then echo "set new name as $1"; exit 1; fi
+  for file in $(git grep \"matttrach-demo\" | awk -F':' '{print $1}'| uniq | tr '\n' ' '); do
+    sed -i 's/matttrach-demo/generic-demo/g' "$file";
+  done
+}

.github/workflows/cleanup.yaml

@@ -20,32 +20,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: nicknovitski/nix-develop@v1.1.0
         with:
-          arguments: |
-            --ignore-environment \
-            --extra-experimental-features nix-command \
-            --extra-experimental-features flakes \
-            --keep HOME \
-            --keep SSH_AUTH_SOCK \
-            --keep GITHUB_TOKEN \
-            --keep AWS_ROLE \
-            --keep AWS_REGION \
-            --keep AWS_DEFAULT_REGION \
-            --keep AWS_ACCESS_KEY_ID \
-            --keep AWS_SECRET_ACCESS_KEY \
-            --keep AWS_SESSION_TOKEN \
-            --keep UPDATECLI_GPGTOKEN \
-            --keep UPDATECLI_GITHUB_TOKEN \
-            --keep UPDATECLI_GITHUB_ACTOR \
-            --keep GPG_SIGNING_KEY \
-            --keep NIX_ENV_LOADED \
-            --keep TERM \
-            ${{ github.workspace }}
+          fetch-depth: 0
+      - uses: matttrach/nix-installer-action@main
       - name: Get Ids
         id: get_ids
+        shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         # 86400 = 24 hours in seconds (24 * 60 * 60)
         # you might increase this number if you need to look back further for leftovers
         run: |
@@ -66,6 +46,7 @@ jobs:
       # WARNING! if '--filter=""' then you will find everything in a region
       # WARNING! if '-d' is missing you will delete everything that is found
       - name: find-leftovers
+        shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}
         run: |
           check_leftovers() {
             local id="$1"