Skip to content

Commit

Permalink
ci: synced file(s) with honestbank/.github
Browse files Browse the repository at this point in the history
  • Loading branch information
honestbank-bot committed Jun 24, 2024
1 parent bfc83b9 commit 4ce04f2
Show file tree
Hide file tree
Showing 6 changed files with 44 additions and 56 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@
# the repo. Unless a later match takes precedence,
# @global-owner1 and @global-owner2 will be requested for
# review when someone opens a pull request.
* @honestbank/devops-engineers @honestbank/backend-engineers
* @honestbank/devops-engineers
3 changes: 2 additions & 1 deletion .github/pull_request_template.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,14 @@
-->

## Pull Request Submission Checklist
### Pull Request Submission Checklist

Please confirm that you have done the following before requesting reviews:

- [ ] I have confirmed that the PR type is appropriate for the change I am making according to the [Honest Pull Request and Commit Message Naming Conventions](https://www.notion.so/honestbank/Pull-Request-and-Commit-Message-Naming-Conventions-bd97f2cbb34c4c73b1ff3a3e384b850c).
- [ ] I have typed an adequate description that explains **why** I am making this change.
- [ ] I have installed and run standard pre-commit hooks that lints and validates my code.
- [ ] All entities that I am working with are up-to-date in Backstage; if updates are needed, I have linked the relevant PRs. [Backstage guide](https://www.notion.so/honestbank/How-to-Write-a-Backstage-Service-Catalog-Entry-a-catalog-info-yaml-file-21845ff72e404b14aed2ac989fb202cf?pvs=4)

### Description

Expand Down
20 changes: 16 additions & 4 deletions .github/workflows/checkov.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
name: "Checkov GitHub Action"
permissions: read-all

on:
pull_request:
branches: [test, dev, qa, prod, main]
Expand All @@ -10,13 +11,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
submodules: "recursive"
token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create empty baseline (if needed)
run: |
if [ -f .checkov.baseline ]; then
echo "⏩⏩⏩ Baseline file exists - do nothing."
else
echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
echo "{}" >> .checkov.baseline
fi
- name: Output baseline contents to console
run: |
echo "Checkov baseline file (.checkov.baseline) contents:"
cat .checkov.baseline
- name: Run Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
quiet: true # optional: display only failed checks
config_file: ".checkov.yaml"
19 changes: 15 additions & 4 deletions .github/workflows/semantic-pr.yaml
Original file line number Diff line number Diff line change
@@ -1,17 +1,28 @@
name: "Semantic Pull Request"
permissions: read-all
# yamllint disable rule:line-length
# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows

# Use this workflow for public repos, since public repos cannot access our internal
# workflows repo.
---
name: public-semantic-pr
permissions:
contents: write
pull-requests: write

on:
pull_request:
types:
- opened
- edited
- reopened
- synchronize

jobs:
main:
name: Semantic Pull Request
public-semantic-pr:
name: public-semantic-pr
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v4
name: Semantic Pull Request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
42 changes: 5 additions & 37 deletions .github/workflows/terraform.yaml
Original file line number Diff line number Diff line change
@@ -1,32 +1,26 @@
name: "Terraform GitHub Action"

Check failure on line 1 in .github/workflows/terraform.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
permissions: read-all
on:
pull_request:
branches: [test, dev, qa, prod, main]
env:
tf_version: "latest"
tf_working_dir: "."
TF_WORKSPACE: ${{ github.base_ref }}
# This workflow is meant for public Terraform module repositories
# which are generally component modules that follow trunk-based development.
branches: [main]
jobs:
terraform:
name: "terraform"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
submodules: "recursive"
token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
- name: Set up Terraform
uses: hashicorp/setup-terraform@v1
uses: hashicorp/setup-terraform@v3
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Terraform Format
id: fmt
run: terraform fmt
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
- name: Terraform Init
id: init
run: terraform init
Expand All @@ -37,29 +31,3 @@ jobs:
id: plan
run: terraform plan -no-color
continue-on-error: true
- uses: actions/github-script@v4
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`${process.env.PLAN}\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
github.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
14 changes: 5 additions & 9 deletions .github/workflows/terratest.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,4 @@
name: "Terratest GitHub Action"

Check failure on line 1 in .github/workflows/terratest.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
permissions:
pull-requests: write
contents: write

on:
pull_request:
branches: [test, dev, qa, prod, main]
Expand All @@ -19,15 +15,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
submodules: true
- name: Set up Go (1.16)
uses: actions/setup-go@v2
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.16
go-version: 1.20
id: go
- name: Run 'go test -v -timeout 30m'
- name: Run 'go test -v -timeout 60m'
run: |
cd test
go mod download
Expand Down

0 comments on commit 4ce04f2

Please sign in to comment.