Merge pull request #3069 from philips-labs/npalm/ci

chore: ci
philips-labs · Mar 17, 2023 · a3eb81e · a3eb81e
2 parents 1fc52ac + 5c70d0b
commit a3eb81e
Show file tree

Hide file tree

Showing 35 changed files with 1,361 additions and 52 deletions.
diff --git a/.github/workflows/auto-approve-dependabot.yml b/.github/workflows/auto-approve-dependabot.yml
@@ -1,5 +1,4 @@
 name: Auto approve dependabot
-
 # Warning: The pull_request_target event is granted a read/write repository
 # token and can access secrets, even when it is triggered from a fork. Although
 # the workflow runs in the context of the base of the pull request, you should
@@ -8,12 +7,11 @@ name: Auto approve dependabot
 # the base branch, and to help prevent cache poisoning, you should not save the
 # cache if there is a possibility that the cache contents were altered. 
 on: pull_request_target
-
 jobs:
   approve:
     if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
     runs-on: ubuntu-latest
     steps:
-      - uses: hmarr/auto-approve-action@v3.1.0
+      - uses: hmarr/auto-approve-action@de8ae18c173c131e182d4adf2c874d8d2308a85b # ratchet:hmarr/auto-approve-action@v3.1.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lambda-runner-binaries-syncer.yml b/.github/workflows/lambda-runner-binaries-syncer.yml
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-runner-binaries-syncer.yml
       - "modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml

diff --git a/.github/workflows/lambda-runners.yml b/.github/workflows/lambda-runners.yml
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-runners.yml
       - "modules/runners/lambdas/runners/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml

diff --git a/.github/workflows/lambda-webhook.yml b/.github/workflows/lambda-webhook.yml
@@ -7,7 +7,6 @@ on:
     paths:
       - .github/workflows/lambda-webhook.yml
       - "modules/webhook/lambdas/webhook/**"
-
 jobs:
   build:
     uses: ./.github/workflows/lambda-template.yml

diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
@@ -8,16 +8,14 @@ on:
       - "images/**"
       - ".github/workflows/packer-build.yml"
       - "module/runners/templates/**"
-
 env:
   AWS_REGION: eu-west-1
-
 jobs:
   verify_packer:
     name: Verify packer
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/packer:1.7.8
+      image: index.docker.io/hashicorp/packer@sha256:f795aace438ef92e738228c21d5ceb7d5dd73ceb7e0b1efab5b0e90cbc4d4dcd # ratchet:hashicorp/packer:1.7.8
     strategy:
       matrix:
         image: ["linux-amzn2", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"]
@@ -26,13 +24,10 @@ jobs:
         working-directory: images/${{ matrix.image }}
     steps:
       - name: "Checkout"
-        uses: actions/checkout@v3
-
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - name: packer init
         run: packer init .
-
       - name: check packer formatting
         run: packer fmt -recursive -check=true .
-
       - name: packer validate
         run: packer validate .
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,12 +1,10 @@
 name: Release build
-
 on:
   push:
     branches:
       - main
       - v1
   workflow_dispatch:
-
 jobs:
   prepare:
     name: Create dist
@@ -24,49 +22,43 @@ jobs:
         env:
           LAMBDA: ${{ matrix.lambda }}
         run: echo "name=${LAMBDA##*/}" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - name: Add zip
         run: apt update && apt install zip
       - name: Build dist
         working-directory: ${{ matrix.lambda }}
         run: yarn install && yarn run test && yarn dist
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # ratchet:actions/upload-artifact@v3
         with:
           name: ${{ steps.lambda.outputs.name }}
           path: ${{ matrix.lambda }}/${{ steps.lambda.outputs.name }}.zip
           retention-days: 1
-
   release:
     name: release
     runs-on: ubuntu-latest
-    needs:
-      prepare
+    needs: prepare
     outputs:
       releases_created: ${{ steps.release.outputs.releases_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
     steps:
       - name: Get installation token
-        uses: philips-software/app-token-action@v1.1.2
+        uses: philips-software/app-token-action@a37926571e4cec6f219e06727136efdd073d8657 # ratchet:philips-software/app-token-action@v1.1.2
         id: token
         with:
           app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
           app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
           auth_type: installation
-
-
       - name: Extract branch name
         id: branch
         shell: bash
         run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
-
       - name: Release
         id: release
         uses: google-github-actions/release-please-action@e0b9d1885d92e9a93d5ce8656de60e3b806e542c # ratchet:google-github-actions/release-please-action@v3
         with:
           default-branch: ${{ steps.branch.outputs.name }}
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}
-
   assets:
     name: upload assets
     if: ${{ needs.release.outputs.releases_created }}
@@ -78,15 +70,12 @@ jobs:
     permissions:
       contents: write
       actions: read
-
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/download-artifact@v3
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3
         with:
           name: ${{ matrix.asset }}
-
       - name: Upload Release Asset
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run:
-          gh release upload ${{ needs.release.outputs.tag_name }} ${{ matrix.asset }}.zip
+        run: gh release upload ${{ needs.release.outputs.tag_name }} ${{ matrix.asset }}.zip
diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml
@@ -1,24 +1,20 @@
 name: "Semantic Check"
-
 on:
   pull_request_target:
     types:
       - opened
       - edited
       - synchronize
-
 permissions:
   contents: read
   pull-requests: read
-
 jobs:
   main:
     name: Semantic Commit Message Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
+      - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # ratchet:amannn/action-semantic-pull-request@v5
         name: Check PR for Semantic Commit Message
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,25 +3,21 @@ on:
   schedule:
     - cron: "30 1 * * *"
   workflow_dispatch:
-
 permissions:
   issues: write
   pull-requests: write
-
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # ratchet:actions/stale@v7
         with:
           stale-issue-message: >
-            This issue has been automatically marked as stale because it has not had
-            activity in the last 30 days. It will be closed if no further activity occurs. 
-            Thank you for your contributions.
+            This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs.  Thank you for your contributions.
+
           stale-pr-message: >
-            This pull request has been automatically marked as stale because it has not had
-            activity in the last 30 days. It will be closed if no further activity occurs. Thank you
-            for your contributions.
+            This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.
+
           days-before-stale: 30
           days-before-close: 10
           close-issue-label: "abandoned"

diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
@@ -0,0 +1,22 @@
+name: Update docs
+on:
+  push:
+    branches:
+      - release-please--branches--main
+permissions: read-all
+jobs:
+  docs:
+    # update docs after merge back to develop
+    name: Auto update terraform docs
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
+      - name: Generate TF docs
+        uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # ratchet:terraform-docs/gh-actions@v1.0.0
+        with:
+          find-dir: .
+          git-commit-message: "docs: auto update terraform docs"
+          git-push: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,6 @@ on: @@
         paths:
           - .github/workflows/lambda-runner-binaries-syncer.yml
           - "modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/**"
     jobs:
       build:
         uses: ./.github/workflows/lambda-template.yml
@@ Expand Down @@