fix: update CI/CD process to use composite actions and auto-release workflow

[bryantbiggs]

Description

• update CI workflow to use composite actions
• update pre-commit versions to latest
• update terraform-docs to latest version v0.16.0
• add new argument to terraform_docs hook which avoids pinning to exact version due to conflict of .terraform.lock.hcl file (Ignore extracting versions from terraform.lock.hcl terraform-docs/terraform-docs#527)
• add new hooks to pre-commit for whitespace and eof lines
• add new release.yml workflow. this workflow will automatically:
  • create and push new tag for next semver based on conventional-commits
  • create GitHub release with notes
  • update Changelog with release notes
  • this workflow will also automatically notify PRs that are included in the release, mimicking the manual behavior but now its automated https://github.com/clowdhaus/terraform-aws-rds/pull/1#issuecomment-952097291
• remove old chglog configs and Makefile

This takes what was completed for the Aurora module, and adds in one additional piece now which is the release workflow. I will open a PR on that module to add in these additional changes as well once we've proven they work as intended in this org

⚠️ Note - I don't know if the repos have master as a protected branch. If so, then we'll have to generate a GitHub PAT to use in the workflow in place of ${{ secrets.GITHUB_TOKEN }}. The default token provided by GitHub should work as intended if the branches are not protected

Motivation and Context

• consolidates CI actions and updates terraform-docs to latest
• automate release process in a standardized manner

Breaking Changes

• No

How Has This Been Tested?

• I have tested and validated these changes - see the fork I created to test and validate https://github.com/clowdhaus/terraform-aws-rds
  • Release created https://github.com/clowdhaus/terraform-aws-rds/releases/tag/v3.4.1
  • Changelog updated https://github.com/clowdhaus/terraform-aws-rds/blob/master/CHANGELOG.md
  • The changes in this PR are the same that were used on the fork to validate

[bryantbiggs]

These are removed since they will be managed by the semantic-release plugin going forward. They will get added back in when the first release kicks off, just like it did here following this same process https://github.com/clowdhaus/terraform-aws-rds/blob/master/CHANGELOG.md#changelog

[antonbabenko]

Few clarifications and questions mostly to become familiar with Semantic Release workflow.

[antonbabenko]

Few questions:

1. Does it mean that any change in these masks will trigger a release?
2. Can modules/**/*.tf be generalize to be **/*.tf to include changes in examples/*, too?
3. Is it right, that this GH Action will decide on the scope based on the commit message type (feat => major, fix: => minor, chore => patch). If so, do you know where the mapping is described? I can't find it on the GH Action homepage. Found answer on https://github.com/semantic-release/commit-analyzer
4. Is there any stop word to have in git commit message which will not trigger the release even if valid paths were changed? (e.g. [ci skip])

[bryantbiggs]

1. Correct - any PRs that match these path patterns will trigger a release and we can tailor the paths/pattern to whatever we choose
2. Yes - I believe the pattern **/*.tf means any *.tf file anywhere in the repo. However, if someone makes only a change to an example, I don't think that would be something "release worthy" since there are no source changes
3. 👍🏽
4. Yes - there are a few patterns which do not trigger releases. I generally use commit messages like chore: <something> and this pattern does not trigger a release (skips it)

[antonbabenko]

2. If anyone changes tf files in examples and the git commit message starts with fix:, we should still release a patch version. To prevent this we can set the message to start with chore:.

[bryantbiggs]

updated in 588f70e and added '**/*.py' since that will come up in a few repos and this keeps the file uniform across the repos

also, I tried to update to pre-commit 1.54 but it seems to be broken on terraform-docs now

[antonbabenko]

Thanks for the report on broken terraform_docs.

[antonbabenko]

Fixed. Please use v1.55.0.

[bryantbiggs]

looks good, updated to v1.55.0 🎉

[antonbabenko]

Another "strange questions" from me :)

1. Will this token be available for others to read? (eg. by adding another GH action YAML config and outputting ${{ secrets.GITHUB_TOKEN }} there?)
2. What is the minimum scope of the token should we have? Reading this IMPORTANT note and I am not sure I understand if Personal Access Token should be used (we have master as a protected branch).

[bryantbiggs]

1. This token is already there by default https://docs.github.com/en/actions/security-guides/automatic-token-authentication
2. Let me get back to you on that, I'll have to create a token and do a bunch of test runs to see what permissions are required

[bryantbiggs]

ok so it looks like we only need a token with public_repo scope for this to work

I would store this as an org secret under the name SEMANTIC_RELEASE_TOKEN. You can elect to select repos one by one as we add the workflow or allow all repos - up to you (will come up when you create the org secret as an option)

[bryantbiggs]

Also, I would make sure that the actions are locked down as well on the org. Here is what I have on my org - you can check by going to settings -> actions.

[antonbabenko]

persist-credentials: false should be used somewhere in the config, too, right?

[bryantbiggs]

If we use a personal access token then yes, we don't want to persist creds because they will conflict with the default token

[antonbabenko]

Sorry for the delay with this final review/check. I try to make it happen this week.

[bryantbiggs]

No worries at all! I think I've got a solution for PR updates, stay tuned

[antonbabenko]

Ok, I have added PAT token with the correct name. Let me merge this one and see how it works before copying it to any other repositories.

[antonbabenko]

🎉 This PR is included in version 3.4.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

[antonbabenko]

Looks good! Let me know if/when you have some news regarding pre-commit auto-fixes on behalf of users.

[bryantbiggs]

I think I have the solution - started working on it and need to finish it up, maybe this week or next

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.