From cf5087f3535751bb87dcdff74004880bd0439624 Mon Sep 17 00:00:00 2001 From: Nuru Date: Sun, 6 Dec 2020 22:57:57 -0800 Subject: [PATCH 01/15] Add update for README, group target --- modules/terraform/Makefile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 1d34bc58..7cec81e7 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile @@ -46,12 +46,19 @@ terraform/upgrade-modules: ## Rewrite the *.tf files to use registry notation for modules sources terraform/rewrite-module-source: - @sed -i -E 's,"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=tags/(.*?)","\1/\3/\2"\n version = "\4",g' $$(find . -type f -name '*.tf') + @sed -i -E 's,\s*source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?(.*?)", source = "\1/\3/\2"\n version = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf') @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete +terraform/rewrite-readme-source: + @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\2"\n\1# Cloud Posse recommends pinning module to a specific version\n\1# version = "x.x.x",g' README.yaml + ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") terraform/remove-upper-bound: @sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' $$(find . -type f -name 'versions.tf') @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete + +terraform/v14-rewrite: TERRAFORM = terraform-0.13 +terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source + git diff --no-patch --exit-code README.yaml || $(MAKE) readme From f7d62a9457f048e8711c0bad2732f002affae5f0 Mon Sep 17 00:00:00 2001 
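Review bot: In `terraform/rewrite-module-source` the group after `ref=(tags/)?` accepts any ref, so a source pinned to a branch or commit (for example `?ref=master`) is rewritten to `version = "master"`, which is not a registry version constraint. Restricting that group to something version-shaped, e.g. `\?ref=(tags/)?([0-9][^"]*)"`, leaves non-tag refs untouched for manual review. `-E` selects POSIX ERE, where `.*?` is not a lazy quantifier, and the `.` in `.git` is unescaped, so the pattern is looser than it reads. The `$$(find ...)` substitution is unquoted, and if it returns nothing `sed -i` is invoked with no file operands.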
From: Nuru Date: Sun, 6 Dec 2020 23:11:03 -0800 Subject: [PATCH 02/15] Fix typo in regex --- modules/terraform/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 7cec81e7..ac6ae254 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile @@ -51,7 +51,7 @@ terraform/rewrite-module-source: @$(TERRAFORM) fmt examples/complete terraform/rewrite-readme-source: - @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\2"\n\1# Cloud Posse recommends pinning module to a specific version\n\1# version = "x.x.x",g' README.yaml + @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning module to a specific version\n\1# version = "x.x.x",g' README.yaml ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") terraform/remove-upper-bound: From ef4553e44e7530989c1bfa92828eb60cb1b62f11 Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Mon, 7 Dec 2020 19:22:07 +0700 Subject: [PATCH 03/15] bump-tf-12-min-version and rewrite-required-providers targets added to terraform module --- modules/terraform/Makefile | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index ac6ae254..1c2283c9 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile 
@@ -59,6 +59,23 @@ terraform/remove-upper-bound: @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete +## Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26' +terraform/bump-tf-12-min-version: + @sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12\.0)\",required_version = ">= 0.12.26",g' $$(find . -type f -name 'versions.tf') + @$(TERRAFORM) fmt . + @$(TERRAFORM) fmt examples/complete + +## Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider +terraform/rewrite-required-providers: + @KEEP_VERSION=$(grep -Eo 'required_version\s*=\s*"(.*)"' versions.tf | cut -d '"' -f2) + @terraform-0.13 0.13upgrade -yes ./ + @terraform-0.13 0.13upgrade -yes examples/complete + @sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$KEEP_VERSION"'\3,g' $$(find . -type f -name 'versions.tf') + @$(TERRAFORM) fmt . + @$(TERRAFORM) fmt examples/complete + +# terraform-0.13 0.13upgrade -yes examples/complete + terraform/v14-rewrite: TERRAFORM = terraform-0.13 -terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source +terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers git diff --no-patch --exit-code README.yaml || $(MAKE) readme From 579c08b23476e053e547a9a467a9afea48af202a Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Mon, 7 Dec 2020 19:37:50 +0700 Subject: [PATCH 04/15] readme update --- README.md | 2 ++ docs/targets.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 9eb24690..5da53f6e 100644 --- a/README.md +++ b/README.md 
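Review bot: In `terraform/rewrite-required-providers`, `$(grep ...)` and `$KEEP_VERSION` are expanded by make rather than by the shell, and each recipe line runs in its own shell, so the saved value never reaches the `sed` line. As written the replacement most likely becomes the literal text `EEP_VERSION`, which would corrupt `required_version` in every `versions.tf` found. Escape the dollars (`$$(grep ...)`, `"$$KEEP_VERSION"`) and join the four commands into one shell invocation with `; \` continuations. The two hard-coded `terraform-0.13` calls also bypass `$(TERRAFORM)`, which `terraform/v14-rewrite` already sets to that binary.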
@@ -237,12 +237,14 @@ Available targets: slack/notify/deploy Send notification to slack using "deploy" template template/build Create $OUT file by building it from $IN template file template/deps Install dependencies + terraform/bump-tf-12-min-version Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26' terraform/get-modules Ensure all modules can be fetched terraform/get-plugins Ensure all plugins can be fetched terraform/install Install terraform terraform/lint Lint check Terraform terraform/remove-upper-bound Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") terraform/rewrite-module-source Rewrite the *.tf files to use registry notation for modules sources + terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider terraform/upgrade-modules Upgrade all terraform module sources terraform/validate Basic terraform sanity check travis/docker-login Login into docker hub diff --git a/docs/targets.md b/docs/targets.md index 8d368fbb..80a55dce 100644 --- a/docs/targets.md +++ b/docs/targets.md 
@@ -114,12 +114,14 @@ Available targets: slack/notify/deploy Send notification to slack using "deploy" template template/build Create $OUT file by building it from $IN template file template/deps Install dependencies + terraform/bump-tf-12-min-version Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26' terraform/get-modules Ensure all modules can be fetched terraform/get-plugins Ensure all plugins can be fetched terraform/install Install terraform terraform/lint Lint check Terraform terraform/remove-upper-bound Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") terraform/rewrite-module-source Rewrite the *.tf files to use registry notation for modules sources + terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider terraform/upgrade-modules Upgrade all terraform module sources terraform/validate Basic terraform sanity check travis/docker-login Login into docker hub From 75bc20060d304b258a481a0bd4435d8a65651e53 Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Tue, 8 Dec 2020 00:23:50 +0700 Subject: [PATCH 05/15] code cleaning --- modules/terraform/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 1c2283c9..5904dec4 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile @@ -74,8 +74,6 @@ terraform/rewrite-required-providers: @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete -# terraform-0.13 0.13upgrade -yes examples/complete - terraform/v14-rewrite: TERRAFORM = terraform-0.13 terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers git diff --no-patch --exit-code README.yaml || $(MAKE) readme 
From 1e954ad60f90655b2ce48356bc682f99f35b9660 Mon Sep 17 00:00:00 2001 From: Nuru Date: Mon, 7 Dec 2020 22:50:22 -0800 Subject: [PATCH 06/15] More Terraform updates --- Dockerfile | 4 +- modules/github/Makefile.init | 18 ++++-- modules/terraform/Makefile | 21 ++++--- templates/.github/CODEOWNERS | 4 ++ templates/.github/workflows/auto-release.yml | 59 +++++++++++++------ templates/README.md.gotmpl | 11 +++- templates/terraform/.github/mergify.yml | 51 ++++++++++++++++ .../.github/workflows/auto-context.yml | 54 +++++++++++++++++ .../.github/workflows/auto-readme.yml | 41 +++++++++++++ .../.github/workflows/chatops.yml | 0 10 files changed, 230 insertions(+), 33 deletions(-) create mode 100644 templates/terraform/.github/mergify.yml create mode 100644 templates/terraform/.github/workflows/auto-context.yml create mode 100644 templates/terraform/.github/workflows/auto-readme.yml rename templates/{ => terraform}/.github/workflows/chatops.yml (100%) diff --git a/Dockerfile b/Dockerfile index 35e900b9..6058923b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4-alpine3.11 +FROM golang:1.15.6-alpine3.12 LABEL maintainer="Cloud Posse " LABEL "com.github.actions.name"="Build Harness" @@ -32,6 +32,8 @@ RUN apk --update --no-cache add \ helm@cloudposse \ helmfile@cloudposse \ codefresh@cloudposse \ + terraform-config-inspect@cloudposse \ + vert@cloudposse \ yq@cloudposse && \ sed -i /PATH=/d /etc/profile diff --git a/modules/github/Makefile.init b/modules/github/Makefile.init index 835f0e42..b73307dd 100644 --- a/modules/github/Makefile.init +++ b/modules/github/Makefile.init 
@@ -8,14 +8,22 @@ GITHUB_TEMPLATES = \ .github/auto-release.yml \ .github/workflows/auto-release.yml -ifneq ($(wildcard *.tf),) -# Install test workflow for terraform projects -GITHUB_TEMPLATES += .github/workflows/chatops.yml -endif +# Install extra configuration for terraform projects +GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml +# ToDo once we can make Mergify a code owner +# .github/workflows/auto-context.yml \ +# .github/workflows/auto-readme.yml \ +# .github/mergify.yml + $(GITHUB_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/, $(GITHUB_TEMPLATES)) mkdir -p $(dir $@) cp $(BUILD_HARNESS_PATH)/templates/$@ $@ git ls-files --error-unmatch $@ 2>/dev/null || git add $@ -github/init: $(GITHUB_TEMPLATES) +$(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terraform/, $(GITHUB_TERRAFORM_TEMPLATES)) + mkdir -p $(dir $@) + cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@ + git ls-files --error-unmatch $@ 2>/dev/null || git add $@ + +github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES)) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 5904dec4..fef819fb 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile 
@@ -51,7 +51,7 @@ terraform/rewrite-module-source: @$(TERRAFORM) fmt examples/complete terraform/rewrite-readme-source: - @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning module to a specific version\n\1# version = "x.x.x",g' README.yaml + @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version = "x.x.x",g' README.yaml ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") terraform/remove-upper-bound: 
@@ -61,16 +61,21 @@ terraform/remove-upper-bound: ## Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26' terraform/bump-tf-12-min-version: - @sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12\.0)\",required_version = ">= 0.12.26",g' $$(find . -type f -name 'versions.tf') - @$(TERRAFORM) fmt . - @$(TERRAFORM) fmt examples/complete + @PIN="$$(terraform-config-inspect --json . | jq -r '.required_core[]')" ; \ + if vert "$$PIN" 0.12.26 >/dev/null; then \ + echo Module already pinned to "$$PIN" ; \ + else \ + sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' $$(find . -type f -name 'versions.tf') ; \ + $(TERRAFORM) fmt . ; \ + $(TERRAFORM) fmt examples/complete ; \ + fi ## Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider terraform/rewrite-required-providers: - @KEEP_VERSION=$(grep -Eo 'required_version\s*=\s*"(.*)"' versions.tf | cut -d '"' -f2) - @terraform-0.13 0.13upgrade -yes ./ - @terraform-0.13 0.13upgrade -yes examples/complete - @sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$KEEP_VERSION"'\3,g' $$(find . -type f -name 'versions.tf') + @KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' versions.tf | cut -d '"' -f2) ; \ + terraform-0.13 0.13upgrade -yes ./ ; \ + terraform-0.13 0.13upgrade -yes examples/complete ; \ + sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' $$(find . -type f -name 'versions.tf') @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete diff --git a/templates/.github/CODEOWNERS b/templates/.github/CODEOWNERS index 07b38d2c..0d745a58 100644 --- a/templates/.github/CODEOWNERS +++ b/templates/.github/CODEOWNERS 
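Review bot: The new pattern in `terraform/bump-tf-12-min-version` uses `\d+`, which is not a digit class in the POSIX ERE dialect selected by `sed -E`, so constraints such as `>= 0.12.5` are probably not matched; `(\.[0-9]+)?` is the portable spelling. The same pattern is carried into the later rewrite of this target in patch 10/15. In `terraform/rewrite-required-providers` the saved `KEEP_VERSION` is spliced into an `s,...,...,g` expression, so a constraint containing a comma (the `>= 0.12.0, < 0.14.0` form this file mentions) would break the command when the target is run on its own; a delimiter that cannot occur in a constraint, such as `|`, avoids that. If `terraform-config-inspect` or `jq` fails, `PIN` is empty and the recipe presumably falls into the rewrite branch without reporting the error.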
@@ -15,3 +15,7 @@ # Cloud Posse must review any changes to standard context definition **/context.tf @cloudposse/engineering + +# Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration +.github/mergify.yml @cloudposse/admins +.github/CODEOWNERS @cloudposse/admins diff --git a/templates/.github/workflows/auto-release.yml b/templates/.github/workflows/auto-release.yml index ccc27be7..d0e13297 100644 --- a/templates/.github/workflows/auto-release.yml +++ b/templates/.github/workflows/auto-release.yml @@ -1,19 +1,44 @@ -name: auto-release +name-template: 'v$RESOLVED_VERSION' +tag-template: '$RESOLVED_VERSION' +version-template: '$MAJOR.$MINOR.$PATCH' +version-resolver: + major: + labels: + - 'major' + minor: + labels: + - 'minor' + - 'enhancement' + patch: + labels: + - 'auto-update' + - 'patch' + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' + default: 'minor' -on: - push: - branches: - - master +categories: +- title: '🚀 Enhancements' + labels: + - 'enhancement' +- title: '🐛 Bug Fixes' + labels: + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' +- title: '🤖 Automatic Update' + labels: + - 'auto-update' -jobs: - semver: - runs-on: ubuntu-latest - steps: - # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 - with: - publish: true - prerelease: false - config-name: auto-release.yml - env: - GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} +change-template: | +
+ $TITLE @$AUTHOR (#$NUMBER) + + $BODY +
+ +template: | + $CHANGES diff --git a/templates/README.md.gotmpl b/templates/README.md.gotmpl index dd7a78cd..277cd3ff 100644 --- a/templates/README.md.gotmpl +++ b/templates/README.md.gotmpl @@ -89,8 +89,15 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are ## Usage {{ if (file.Exists "main.tf") }} -**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases. -Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases]({{ printf "https://github.com/%s/releases" (ds "config").github_repo}}). +**IMPORTANT:** We do not pin modules to versions in our examples because of the +difficulty of keeping the versions in the documentation in sync with the latest released versions. +We highly recommend that in your code you pin the version to the exact version you are +using so that your infrastructure remains stable, and update versions in a +systematic way so that they do not catch you by surprise. + +Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), +the registry shows many of our inputs as required when in fact they are optional. +The table below correctly indicates which inputs are required. {{end}} {{ (ds "config").usage -}} diff --git a/templates/terraform/.github/mergify.yml b/templates/terraform/.github/mergify.yml new file mode 100644 index 00000000..c62ca014 --- /dev/null +++ b/templates/terraform/.github/mergify.yml 
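Review bot: After this change `templates/.github/workflows/auto-release.yml` no longer contains a workflow: the `on:` and `jobs:` keys are removed and replaced by release-drafter configuration (`name-template`, `version-resolver`, `categories`), which looks like the content meant for the `auto-release.yml` file named by `config-name`. A file under `.github/workflows/` without `on:` and `jobs:` would presumably be rejected by GitHub Actions, so repositories that receive this template would stop drafting releases. Keep the workflow definition in this path and put the drafter configuration in `templates/.github/auto-release.yml`.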
@@ -0,0 +1,51 @@ +pull_request_rules: +- name: "approve automated PRs that have passed checks" + conditions: + - "check-success~=test/bats" + - "check-success~=test/readme" + - "check-success~=test/terratest" + - "base=master" + - "author=cloudpossebot" + - "head~=auto-update/.*" + actions: + review: + type: "APPROVE" + message: "We've automatically approved this PR because the checks from the automated Pull Request have passed." + +- name: "merge automated PRs when approved and tests pass" + conditions: + - "check-success~=test/bats" + - "check-success~=test/readme" + - "check-success~=test/terratest" + - "base=master" + - "head~=auto-update/.*" + - "#approved-reviews-by>=1" + - "#changes-requested-reviews-by=0" + - "#commented-reviews-by=0" + - "base=master" + - "author=cloudpossebot" + actions: + merge: + method: "squash" + +- name: "delete the head branch after merge" + conditions: + - "merged" + actions: + delete_head_branch: {} + +- name: "ask to resolve conflict" + conditions: + - "conflict" + actions: + comment: + message: "This pull request is now in conflicts. Could you fix it @{{author}}? 🙏" + +- name: "remove outdated reviews" + conditions: + - "base=master" + actions: + dismiss_reviews: + changes_requested: true + approved: true + message: "This Pull Request has been updated, so we're dismissing all reviews." diff --git a/templates/terraform/.github/workflows/auto-context.yml b/templates/terraform/.github/workflows/auto-context.yml new file mode 100644 index 00000000..e3f7b569 --- /dev/null +++ b/templates/terraform/.github/workflows/auto-context.yml 
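Review bot: The first two rules let the bot's own `APPROVE` review satisfy `#approved-reviews-by>=1`, so a pull request authored by `cloudpossebot` merges with no human review, and the conditions gating that path use `~=`, which as far as I know Mergify evaluates as an unanchored regex search. `head~=auto-update/.*` therefore matches any branch whose name merely contains `auto-update/`, and `check-success~=test/bats` matches any check whose name contains that text; anchoring them, e.g. `head~=^auto-update/`, narrows the rules to what their names say. The merge rule also lists `base=master` twice.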
@@ -0,0 +1,54 @@ +name: "auto-context" +on: + schedule: + # Update context.tf nightly + - cron: '0 3 * * *' + +jobs: + update: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Update context.tf + shell: bash + id: update + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + if [[ -f context.tf ]]; then + echo "Discovered existing context.tf! Fetching most recent version to see if there is an update." + curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf + if git diff --no-patch --exit-code context.tf; then + echo "No changes detected! Exiting the job..." + else + echo "context.tf file was updated. Need to rebuild README.md." + make init + make readme/build + echo "::set-output name=create_pull_request=true" + fi + else + echo "This module has not yet been updated to support the context.tf pattern! Please update in order to support automatic updates." + fi + + - name: Create Pull Request + if: {{ steps.update.outputs.create_pull_request == 'true' }} + uses: cloudposse/actions/github/create-pull-request@0.20.0 + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + commit-message: Update context.tf from origin source + title: Update context.tf + body: |- + ## what + This is an auto-generated PR that updates the `context.tf` file to the latest version from `cloudposse/terraform-null-label` + + ## why + To support all the features of the `context` interface. + + branch: auto-update/context.tf + base: master + delete-branch: true + labels: | + auto-update + context diff --git a/templates/terraform/.github/workflows/auto-readme.yml b/templates/terraform/.github/workflows/auto-readme.yml new file mode 100644 index 00000000..6229e606 --- /dev/null +++ b/templates/terraform/.github/workflows/auto-readme.yml 
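Review bot: The `Create Pull Request` step will not run as written: `if: {{ ... }}` is missing the `$` and is not a valid expression, and the `set-output` line uses `=` where the command syntax needs `::`; they should read `if: ${{ steps.update.outputs.create_pull_request == 'true' }}` and `echo "::set-output name=create_pull_request::true"`. The job downloads `context.tf` from the `master` branch of another repository and opens a PR that the Mergify template added in this commit approves and merges once checks pass, so any change to that branch propagates without review; fetching from a release tag or verifying a published checksum would bound that. The `context` target later added to `modules/github/Makefile.init` uses the same unpinned URL. Both this workflow and `auto-readme.yml` reference actions by tag (`actions/checkout@v2`, `cloudposse/actions/github/create-pull-request@0.20.0`) while holding `PUBLIC_REPO_ACCESS_TOKEN`; pinning them to a full commit SHA is the usual hardening.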
@@ -0,0 +1,41 @@ +name: "auto-readme" +on: + schedule: + # Update README.md nightly + - cron: '0 4 * * *' + +jobs: + update: + if: github.event_name == 'schedule' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Update readme + shell: bash + id: update + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + make init + make readme/build + + - name: Create Pull Request + uses: cloudposse/actions/github/create-pull-request@0.20.0 + with: + token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} + commit-message: Update README.md and docs + title: Update README.md and docs + body: |- + ## what + This is an auto-generated PR that updates the README.md and docs + + ## why + To have most recent changes of README.md and doc from origin templates + + branch: auto-update/readme + base: master + delete-branch: true + labels: | + auto-update + readme diff --git a/templates/.github/workflows/chatops.yml b/templates/terraform/.github/workflows/chatops.yml similarity index 100% rename from templates/.github/workflows/chatops.yml rename to templates/terraform/.github/workflows/chatops.yml From f1acd3d0fa5ad557cf5c7d7e391872510cce9d45 Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Tue, 8 Dec 2020 15:11:09 +0700 Subject: [PATCH 07/15] removing apk cache for optimization and pass linter tests --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 6058923b..8dc5f988 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ RUN apk update && \ libc6-compat \ make \ py-pip && \ + rm -rf /var/cache/apk/* && \ git config --global advice.detachedHead false RUN curl -sSL https://apk.cloudposse.com/install.sh | bash From 12817ba17f00cfaada128620f5d2241d407feab7 Mon Sep 17 00:00:00 2001 
From: Maxim Mironenko Date: Tue, 8 Dec 2020 16:20:29 +0700 Subject: [PATCH 08/15] updating Dockerfile to pass Hadolint tests, Hadolint config added to ignore pinning all packager --- .github/linters/.hadolint.yml | 6 ++++++ Dockerfile | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 .github/linters/.hadolint.yml diff --git a/.github/linters/.hadolint.yml b/.github/linters/.hadolint.yml new file mode 100644 index 00000000..b58d33fd --- /dev/null +++ b/.github/linters/.hadolint.yml @@ -0,0 +1,6 @@ +--- +########################## +## Hadolint config file ## +########################## +ignored: + - DL3018 \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 8dc5f988..271aeeac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ LABEL "com.github.actions.icon"="tool" LABEL "com.github.actions.color"="blue" RUN apk update && \ - apk --update add \ + apk --no-cache add \ bash \ ca-certificates \ coreutils \ @@ -19,9 +19,9 @@ RUN apk update && \ libc6-compat \ make \ py-pip && \ - rm -rf /var/cache/apk/* && \ git config --global advice.detachedHead false +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl -sSL https://apk.cloudposse.com/install.sh | bash ## Install as packages @@ -38,7 +38,7 @@ RUN apk --update --no-cache add \ yq@cloudposse && \ sed -i /PATH=/d /etc/profile -ADD ./ /build-harness/ +COPY ./ /build-harness/ ENV INSTALL_PATH /usr/local/bin From 2ad0adf0d51472abb7805032928c518dbabe1ef2 Mon Sep 17 00:00:00 2001 From: Nuru Date: Tue, 8 Dec 2020 21:04:10 -0800 Subject: [PATCH 09/15] Allow you to run the build-harness docker image like Geodesic --- Dockerfile | 14 +++++++++++--- modules/packages/Makefile | 16 +++++++++++----- templates/Makefile.build-harness | 31 +++++++++++++++++++++++++++++++ 3 files changed, 53 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 271aeeac..9fc06e07 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -6,14 +6,14 @@ LABEL "com.github.actions.description"="Run any build-harness make target" LABEL "com.github.actions.icon"="tool" LABEL "com.github.actions.color"="blue" -RUN apk update && \ - apk --no-cache add \ +RUN apk --update --no-cache add \ bash \ ca-certificates \ coreutils \ curl \ git \ gettext \ + go \ grep \ jq \ libc6-compat \ @@ -22,7 +22,7 @@ RUN apk update && \ git config --global advice.detachedHead false SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl -sSL https://apk.cloudposse.com/install.sh | bash +RUN curl -fsSL --retry 3 https://apk.cloudposse.com/install.sh | bash ## Install as packages @@ -30,20 +30,28 @@ RUN curl -sSL https://apk.cloudposse.com/install.sh | bash ## So can not be curl binary RUN apk --update --no-cache add \ chamber@cloudposse \ + gomplate@cloudposse \ helm@cloudposse \ helmfile@cloudposse \ codefresh@cloudposse \ + terraform-0.11@cloudposse terraform-0.12@cloudposse terraform-0.13@cloudposse terraform-0.14@cloudposse \ terraform-config-inspect@cloudposse \ vert@cloudposse \ yq@cloudposse && \ sed -i /PATH=/d /etc/profile +# Use Terraform 0.13 by default +ARG DEFAULT_TERRAFORM_VERSION=0.13 +RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform && \ + cp -p /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform /build-harness/vendor/terraform + COPY ./ /build-harness/ ENV INSTALL_PATH /usr/local/bin WORKDIR /build-harness +ARG PACKAGES_PREFER_HOST=true RUN make -s bash/lint make/lint RUN make -s template/deps aws/install terraform/install readme/deps RUN make -s go/deps-build go/deps-dev diff --git a/modules/packages/Makefile b/modules/packages/Makefile index fb8a2ce5..40d0395f 100644 --- a/modules/packages/Makefile +++ b/modules/packages/Makefile 
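Review bot: The rewritten `RUN curl -fsSL --retry 3 https://apk.cloudposse.com/install.sh | bash` still executes whatever the remote host returns at build time, with nothing tying the image to a reviewed version of that script. Downloading to a file and checking it before running keeps the build reproducible, for example `curl -fsSL --retry 3 -o /tmp/install.sh https://apk.cloudposse.com/install.sh && echo "EXPECTED_SHA256  /tmp/install.sh" | sha256sum -c - && bash /tmp/install.sh`, with `EXPECTED_SHA256` replaced by the digest of a reviewed copy. In the last hunk, `cp -p ... /build-harness/vendor/terraform` runs before `COPY ./ /build-harness/`, so the destination directory may not exist yet at that point.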
@@ -1,6 +1,7 @@ export INSTALL_PATH ?= $(BUILD_HARNESS_PATH)/vendor export PACKAGES_VERSION ?= 0.133.0 export PACKAGES_PATH ?= $(BUILD_HARNESS_PATH)/vendor/packages +export PACKAGES_PREFER_HOST ?= false ## Delete packages packages/delete: @@ -13,18 +14,23 @@ packages/reinstall: packages/delete packages/install ## Install packages packages/install: @if [ ! -d $(PACKAGES_PATH) ]; then \ - echo "Installing packages $(PACKAGES_VERSION)..."; \ + echo "* Installing packages $(PACKAGES_VERSION)..."; \ rm -rf $(PACKAGES_PATH); \ $(GIT) clone -c advice.detachedHead=false --depth=1 -b $(PACKAGES_VERSION) https://github.com/cloudposse/packages.git $(PACKAGES_PATH); \ rm -rf $(PACKAGES_PATH)/.git; \ fi ## Install package (e.g. helm, helmfile, kubectl) -packages/install/%: packages/install - @if [ ! -x $(INSTALL_PATH)/$(subst packages/install/,,$@) ]; then \ - $(MAKE) -C $(PACKAGES_PATH)/install $(subst packages/install/,,$@); \ +packages/install/%: + @binary="$*"; \ + if [[ -x "$(INSTALL_PATH)/$$binary" ]]; then \ + echo "* Package $$binary already installed"; \ + elif [[ "$(PACKAGES_PREFER_HOST)" == "true" ]] && installed=$$(command -v $* 2>/dev/null); then \ + echo Using "$*" from "$$installed" ; \ + cp -p "$$installed" "$*" ; \ else \ - echo "Package $(subst packages/install/,,$@) already installed"; \ + $(MAKE) packages/install && \ + $(MAKE) -C $(PACKAGES_PATH)/install "$*"; \ fi; ## Reinstall package (e.g. helm, helmfile, kubectl) diff --git a/templates/Makefile.build-harness b/templates/Makefile.build-harness index 5834360f..b89a9d55 100644 --- a/templates/Makefile.build-harness +++ b/templates/Makefile.build-harness 
@@ -1,7 +1,14 @@ +# +# This is a shim installed automatically by the build-harness +# https://github.com/cloudposse/build-harness +# + export SHELL = /bin/bash export BUILD_HARNESS_ORG ?= cloudposse export BUILD_HARNESS_PROJECT ?= build-harness +export BUILD_HARNESS_DOCKER_IMAGE ?= $(BUILD_HARNESS_ORG)/$(BUILD_HARNESS_PROJECT) export BUILD_HARNESS_BRANCH ?= master +export BUILD_HARNESS_DOCKER_TAG ?= latest export BUILD_HARNESS_PATH ?= $(shell until [ -d "$(BUILD_HARNESS_PROJECT)" ] || [ "`pwd`" == '/' ]; do cd ..; done; pwd)/$(BUILD_HARNESS_PROJECT) -include $(BUILD_HARNESS_PATH)/Makefile @@ -16,4 +23,28 @@ init:: clean:: @[ "$(BUILD_HARNESS_PATH)" == '/' ] || \ [ "$(BUILD_HARNESS_PATH)" == '.' ] || \ + [ "$(BUILD_HARNESS_PATH)" == '/$(BUILD_HARNESS_PROJECT)' ] || \ echo rm -rf $(BUILD_HARNESS_PATH) + +.PHONY: shell builder shell/pull builder/pull +shell/pull builder/pull: + @docker pull $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) + @exit 0 + +DEFAULT_DOCKER_ENVS := AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN TERM AWS_PROFILE AWS_REGION \ + AWS_DEFAULT_PROFILE AWS_DEFAULT_REGION +EXTRA_DOCKER_ENVS ?= AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE +MOUNT_HOME ?= $(shell [ -d "$$HOME" ] && printf -- "-e HOME -v \"%s\":\"%s\"" "$$HOME" "$$HOME") +DOCKER_ENVS ?= $(DEFAULT_DOCKER_ENVS) $(EXTRA_DOCKER_ENVS) + +shell builder: + $(info Starting $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG)) + docker run --name build-harness \ + --rm -it \ + -e PACKAGES_PREFER_HOST=true \ + $(addprefix -e ,$(DOCKER_ENVS)) \ + $(MOUNT_HOME) \ + -v $(CURDIR):/opt \ + --workdir /opt \ + --entrypoint /bin/bash \ + $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) -l From 1d2d5bf7d0a68eb1e4b5829e4e6a7326904f4fb0 Mon Sep 17 00:00:00 2001 
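Review bot: The new `shell`/`builder` target mounts the caller's entire `$HOME` read-write and forwards the AWS credential variables into `$(BUILD_HARNESS_DOCKER_IMAGE):latest`, so whatever image the `latest` tag resolves to at pull time can read and modify anything stored under the home directory, such as SSH keys and cloud credential files. Consider defaulting `BUILD_HARNESS_DOCKER_TAG` to a released version or digest and making the home mount opt-in or narrower (only the directories the tools need, read-only where possible). `-v $(CURDIR):/opt` is unquoted and will break on a working directory containing spaces; `-v "$(CURDIR)":/opt` fixes that. The fixed `--name build-harness` also prevents two shells from running at the same time.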
From: Nuru Date: Tue, 8 Dec 2020 21:04:36 -0800 Subject: [PATCH 10/15] Update to recipes for upgrading Terraform modules --- modules/terraform/Makefile | 56 +++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 22 deletions(-) diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index fef819fb..2b424986 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile 
@@ -45,40 +45,52 @@ terraform/upgrade-modules: @$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all ## Rewrite the *.tf files to use registry notation for modules sources +terraform/rewrite-module-source: TERRAFORM = terraform-0.13 terraform/rewrite-module-source: @sed -i -E 's,\s*source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?(.*?)", source = "\1/\3/\2"\n version = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf') @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete +terraform/rewrite-readme-source: TERRAFORM = terraform-0.13 terraform/rewrite-readme-source: @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version = "x.x.x",g' README.yaml ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") -terraform/remove-upper-bound: - @sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' $$(find . -type f -name 'versions.tf') - @$(TERRAFORM) fmt . - @$(TERRAFORM) fmt examples/complete +terraform/loosen-constraints: TERRAFORM = terraform-0.13 +terraform/loosen-constraints: + @for v in $$(find . -type f -name 'versions.tf'); do \ + DIR="$$(dirname $$v)"; \ + sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' "$$v" ; \ + sed -i -E 's,=\s*"\s*~>,= ">=,g' "$$v" ; \ + $(TERRAFORM) fmt "$$DIR" ; \ + done ## Rewrite versions.tf to bump modules with minimum core version of '0.12.x' to '>= 0.12.26' -terraform/bump-tf-12-min-version: - @PIN="$$(terraform-config-inspect --json . | jq -r '.required_core[]')" ; \ - if vert "$$PIN" 0.12.26 >/dev/null; then \ - echo Module already pinned to "$$PIN" ; \ - else \ - sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' $$(find . 
-type f -name 'versions.tf') ; \ - $(TERRAFORM) fmt . ; \ - $(TERRAFORM) fmt examples/complete ; \ - fi +terraform/bump-tf-12-min-version: TERRAFORM = terraform-0.13 +terraform/bump-tf-12-min-version: terraform/loosen-constraints + @for v in $$(find . -type f -name 'versions.tf'); do \ + DIR="$$(dirname $$v)"; \ + PIN="$$(terraform-config-inspect --json "$$DIR" | jq -r '.required_core[]')" ; \ + if vert "$$PIN" 0.12.25 >/dev/null; then \ + echo updating "$$v" ; \ + sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' "$$v" ; \ + $(TERRAFORM) fmt $$DIR ; \ + else \ + echo "$$v" already pinned to "$$PIN" ; \ + fi; \ + done ## Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider -terraform/rewrite-required-providers: - @KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' versions.tf | cut -d '"' -f2) ; \ - terraform-0.13 0.13upgrade -yes ./ ; \ - terraform-0.13 0.13upgrade -yes examples/complete ; \ - sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' $$(find . -type f -name 'versions.tf') - @$(TERRAFORM) fmt . - @$(TERRAFORM) fmt examples/complete +terraform/rewrite-required-providers: TERRAFORM = terraform-0.13 +terraform/rewrite-required-providers: terraform/loosen-constraints + @for v in $$(find . 
-type f -name 'versions.tf'); do \ + DIR="$$(dirname $$v)"; \ + KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' "$$v" | cut -d '"' -f2) ; \ + echo upgrading $$v ; \ + terraform-0.13 0.13upgrade -yes "$$DIR" ; \ + sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' "$$v" ; \ + done terraform/v14-rewrite: TERRAFORM = terraform-0.13 -terraform/v14-rewrite: terraform/remove-upper-bound terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers - git diff --no-patch --exit-code README.yaml || $(MAKE) readme +terraform/v14-rewrite: terraform/loosen-constraints terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers + @git diff --no-patch --exit-code README.yaml || $(MAKE) readme From b6362e021179c8fd63e1cad4b30f07e5559e5f35 Mon Sep 17 00:00:00 2001 From: Nuru Date: Wed, 9 Dec 2020 20:32:47 -0800 Subject: [PATCH 11/15] CODEOWNERS, run docker, mergify, and other updates/fixes --- Dockerfile | 2 + modules/github/Makefile.init | 23 +++++--- modules/packages/Makefile | 2 +- modules/terraform/Makefile | 19 +++--- templates/.github/CODEOWNERS | 9 ++- templates/.github/auto-release.yml | 39 ++++++------ templates/.github/workflows/auto-release.yml | 59 ++++++------------- .../.github/workflows/validate-codeowners.yml | 18 ++++++ templates/Makefile.build-harness | 9 ++- templates/README.md.gotmpl | 2 +- templates/terraform/.github/mergify.yml | 3 +- .../terraform/.github/workflows/chatops.yml | 4 +- 12 files changed, 105 insertions(+), 84 deletions(-) create mode 100644 templates/.github/workflows/validate-codeowners.yml diff --git a/Dockerfile b/Dockerfile index 9fc06e07..e63898f3 100644 --- a/Dockerfile +++ b/Dockerfile 
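Review bot: `terraform/loosen-constraints` now also runs `sed -i -E 's,=\s*"\s*~>,= ">=,g'`, which turns every `~>` constraint in `versions.tf` into an open-ended `>=` (presumably including provider version constraints, not only `required_version`), yet the `##` help text above it still describes only removing the upper bound on the core version. Say so in the help comment, e.g. `## Rewrite versions.tf to remove upper bounds and convert "~>" pins to ">="`, since modules rewritten this way will accept new major provider releases. Every step inside the new `for` loops is joined with `;`, so a failing `terraform-config-inspect`, `0.13upgrade` or `sed` does not stop the loop; appending `|| exit 1` to those commands surfaces the failure. `find .` is unfiltered, so it would also rewrite any `versions.tf` under a `.terraform/` module cache if one exists; `-not -path '*/.terraform/*'` excludes them.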
@@ -36,6 +36,7 @@ RUN apk --update --no-cache add \ codefresh@cloudposse \ terraform-0.11@cloudposse terraform-0.12@cloudposse terraform-0.13@cloudposse terraform-0.14@cloudposse \ terraform-config-inspect@cloudposse \ + terraform-docs@cloudposse \ vert@cloudposse \ yq@cloudposse && \ sed -i /PATH=/d /etc/profile @@ -43,6 +44,7 @@ RUN apk --update --no-cache add \ # Use Terraform 0.13 by default ARG DEFAULT_TERRAFORM_VERSION=0.13 RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform && \ + mkdir -p /build-harness/vendor && \ cp -p /usr/share/terraform/$DEFAULT_TERRAFORM_VERSION/bin/terraform /build-harness/vendor/terraform COPY ./ /build-harness/ diff --git a/modules/github/Makefile.init b/modules/github/Makefile.init index b73307dd..88f472a3 100644 --- a/modules/github/Makefile.init +++ b/modules/github/Makefile.init @@ -6,14 +6,14 @@ GITHUB_TEMPLATES = \ .github/ISSUE_TEMPLATE/bug_report.md \ .github/ISSUE_TEMPLATE/question.md \ .github/auto-release.yml \ - .github/workflows/auto-release.yml + .github/workflows/auto-release.yml \ + .github/workflows/validate-codeowners.yml # Install extra configuration for terraform projects -GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml -# ToDo once we can make Mergify a code owner -# .github/workflows/auto-context.yml \ -# .github/workflows/auto-readme.yml \ -# .github/mergify.yml +GITHUB_TERRAFORM_TEMPLATES = .github/workflows/chatops.yml \ + .github/workflows/auto-context.yml \ + .github/workflows/auto-readme.yml \ + .github/mergify.yml $(GITHUB_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/, $(GITHUB_TEMPLATES)) 
@@ -26,4 +26,13 @@ $(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terra cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@ git ls-files --error-unmatch $@ 2>/dev/null || git add $@ -github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES)) +context: + curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf + git ls-files --error-unmatch context.tf 2>/dev/null || git add context.tf + @if [[ -d examples/complete ]]; then \ + cp -p context.tf examples/complete/context.tf ; \ + fi + +.PHONY: $(GITHUB_TEMPLATES) $(GITHUB_TERRAFORM_TEMPLATES) context + +github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES) context) diff --git a/modules/packages/Makefile b/modules/packages/Makefile index 40d0395f..b7a2bcd6 100644 --- a/modules/packages/Makefile +++ b/modules/packages/Makefile @@ -27,9 +27,9 @@ packages/install/%: echo "* Package $$binary already installed"; \ elif [[ "$(PACKAGES_PREFER_HOST)" == "true" ]] && installed=$$(command -v $* 2>/dev/null); then \ echo Using "$*" from "$$installed" ; \ - cp -p "$$installed" "$*" ; \ else \ $(MAKE) packages/install && \ + echo "* Installing $* to $(INSTALL_PATH)" && \ $(MAKE) -C $(PACKAGES_PATH)/install "$*"; \ fi; diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 2b424986..88c059bb 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile 
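Review bot: The new `context` target downloads `context.tf` from the `master` branch of terraform-null-label and stages it with `git add`, so whatever that branch holds at run time is what lands in the repository, with no pinned ref or checksum. Point the URL at a release tag or commit instead, e.g. `.../cloudposse/terraform-null-label/$(CONTEXT_TF_REF)/exports/context.tf`, where `CONTEXT_TF_REF` is a new variable defaulting to a reviewed tag. The same URL is carried over unchanged when the target is renamed to `github/init/context.tf` later in this series. The added `.PHONY` line also makes every template file phony, so `github/init` overwrites local copies on each run; a one-line comment saying this is intended would help.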
@@ -41,26 +41,29 @@ else endif ## Upgrade all terraform module sources +## This target has not been upgraded to handle registry format terraform/upgrade-modules: - @$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all + @echo "* $@ has been disabled because it has not been updated to handle Terraform registry syntax" + # @$(BUILD_HARNESS_PATH)/bin/upgrade_terraform_modules.sh all -## Rewrite the *.tf files to use registry notation for modules sources +# Rewrite the *.tf files to use registry notation for modules sources terraform/rewrite-module-source: TERRAFORM = terraform-0.13 terraform/rewrite-module-source: - @sed -i -E 's,\s*source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?(.*?)", source = "\1/\3/\2"\n version = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf') + @sed -i -E 's,\s*source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?([0-9.]+)", source = "\1/\3/\2"\n version = "\5",g' $$(find . -type f -not -name context.tf -name '*.tf') @$(TERRAFORM) fmt . @$(TERRAFORM) fmt examples/complete terraform/rewrite-readme-source: TERRAFORM = terraform-0.13 terraform/rewrite-readme-source: - @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/(.*?)/terraform-([^-]*?)-(.*?).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version = "x.x.x",g' README.yaml + @sed -i -E 's,^(\s*)source\s+=\s+"git::https://github.com/([^/]+)/terraform-([^-]+)-(.+).git\?ref=(tags/)?master",\1source = "\2/\4/\3"\n\1# Cloud Posse recommends pinning every module to a specific version\n\1# version = "x.x.x",g' README.yaml ## Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") +## and convert "~>" constraints to ">=". terraform/loosen-constraints: TERRAFORM = terraform-0.13 terraform/loosen-constraints: @for v in $$(find . 
-type f -name 'versions.tf'); do \ DIR="$$(dirname $$v)"; \ - sed -i -E 's,required_version\s*\=\s*\"(.*?)(\,\s*<.*)",required_version = "\1",g' "$$v" ; \ + sed -i -E 's,\s\=\s*\"(.*[0-9.]+)(\,\s*<.*)", = "\1",g' "$$v" ; \ sed -i -E 's,=\s*"\s*~>,= ">=,g' "$$v" ; \ $(TERRAFORM) fmt "$$DIR" ; \ done @@ -84,13 +87,13 @@ terraform/bump-tf-12-min-version: terraform/loosen-constraints terraform/rewrite-required-providers: TERRAFORM = terraform-0.13 terraform/rewrite-required-providers: terraform/loosen-constraints @for v in $$(find . -type f -name 'versions.tf'); do \ - DIR="$$(dirname $$v)"; \ + DIR="$$(dirname $$v)" ; \ KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' "$$v" | cut -d '"' -f2) ; \ echo upgrading $$v ; \ - terraform-0.13 0.13upgrade -yes "$$DIR" ; \ + terraform-0.13 0.13upgrade -yes "$$DIR" >/dev/null ; \ sed -i -E 's,(required_version\s*\=\s*\")(.*)(\"),\1'"$$KEEP_VERSION"'\3,g' "$$v" ; \ done terraform/v14-rewrite: TERRAFORM = terraform-0.13 -terraform/v14-rewrite: terraform/loosen-constraints terraform/rewrite-module-source terraform/rewrite-readme-source terraform/bump-tf-12-min-version terraform/rewrite-required-providers +terraform/v14-rewrite: terraform/loosen-constraints terraform/bump-tf-12-min-version terraform/rewrite-required-providers terraform/rewrite-module-source terraform/rewrite-readme-source @git diff --no-patch --exit-code README.yaml || $(MAKE) readme diff --git a/templates/.github/CODEOWNERS b/templates/.github/CODEOWNERS index 0d745a58..ceb46444 100644 --- a/templates/.github/CODEOWNERS +++ b/templates/.github/CODEOWNERS @@ -1,7 +1,7 @@ # Use this file to define individuals or teams that are responsible for code in a repository. # Read more: # -# Order is important: the last matching pattern takes the most precedence +# Order is important: the last matching pattern has the highest precedence # These owners will be the default owners for everything * @cloudposse/engineering @cloudposse/contributors 
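Review bot: The first `sed` in `terraform/loosen-constraints` no longer anchors on `required_version`, so it removes the upper bound from every ` = "..., < ..."` assignment in `versions.tf`, which presumably includes provider constraints, while the `##` comment still describes only the Terraform core constraint. Dropping provider upper bounds widens what `terraform init` may install, so the comment should say so, or the pattern should keep the `required_version` prefix if only core was meant. The help text is also split over two `##` lines, and the README change later in this series shows only the second line (`and convert "~>" constraints to ">=".`) reaching the target list. A single line such as `## Rewrite versions.tf to remove upper bounds from all version constraints and convert "~>" to ">="` would fix both.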
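Review bot: The exit status of `0.13upgrade` in `terraform/rewrite-required-providers` is ignored, because the command is chained with `;` and its stdout now goes to `/dev/null`. Unless the shell runs with `-e` (not visible here), a failed upgrade is followed by the `sed` that rewrites `required_version`, and the loop moves on to the next directory. Stop on failure and use the target-specific variable the rule already sets: `$(TERRAFORM) 0.13upgrade -yes "$$DIR" >/dev/null || exit 1 ; \`. If the preceding `grep` finds no `required_version`, `KEEP_VERSION` is empty and the `sed` writes an empty constraint, so a guard on that value is worth adding too.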
@@ -13,8 +13,11 @@ # Cloud Posse must review any changes to GitHub actions .github/* @cloudposse/engineering -# Cloud Posse must review any changes to standard context definition -**/context.tf @cloudposse/engineering +# Cloud Posse must review any changes to standard context definition, +# but some changes can be rubber-stamped. +**/context.tf @cloudposse/engineering @cloudposse/approvers +README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers +docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration .github/mergify.yml @cloudposse/admins diff --git a/templates/.github/auto-release.yml b/templates/.github/auto-release.yml index 2836185f..18a1ca62 100644 --- a/templates/.github/auto-release.yml +++ b/templates/.github/auto-release.yml @@ -4,30 +4,35 @@ version-template: '$MAJOR.$MINOR.$PATCH' version-resolver: major: labels: - - 'major' + - 'major' minor: labels: - - 'minor' - - 'enhancement' + - 'minor' + - 'enhancement' patch: labels: - - 'patch' - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' + - 'auto-update' + - 'patch' + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' default: 'minor' categories: - - title: '🚀 Enhancements' - labels: - - 'enhancement' - - title: '🐛 Bug Fixes' - labels: - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' +- title: '🚀 Enhancements' + labels: + - 'enhancement' + - 'patch' +- title: '🐛 Bug Fixes' + labels: + - 'fix' + - 'bugfix' + - 'bug' + - 'hotfix' +- title: '🤖 Automatic Updates' + labels: + - 'auto-update' change-template: |
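Review bot: Listing `@cloudposse/approvers` as an owner of `**/context.tf`, `README.md` and `docs/*.md` lets any member of that team satisfy code-owner review for every change to those paths, because CODEOWNERS cannot restrict an owner to certain kinds of change. The comment `but some changes can be rubber-stamped` reads as if only some changes qualify. State the real effect instead, e.g. `# Any member of @cloudposse/approvers can approve any change to these paths, not only automated updates`. Team membership is not visible in this diff; if the `cloudposse-mergebot` account that the mergify hunk of this commit uses for auto-approval is a member, automated approval would cover `context.tf` as well, which is worth confirming.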
diff --git a/templates/.github/workflows/auto-release.yml b/templates/.github/workflows/auto-release.yml index d0e13297..ccc27be7 100644 --- a/templates/.github/workflows/auto-release.yml +++ b/templates/.github/workflows/auto-release.yml @@ -1,44 +1,19 @@ -name-template: 'v$RESOLVED_VERSION' -tag-template: '$RESOLVED_VERSION' -version-template: '$MAJOR.$MINOR.$PATCH' -version-resolver: - major: - labels: - - 'major' - minor: - labels: - - 'minor' - - 'enhancement' - patch: - labels: - - 'auto-update' - - 'patch' - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' - default: 'minor' +name: auto-release -categories: -- title: '🚀 Enhancements' - labels: - - 'enhancement' -- title: '🐛 Bug Fixes' - labels: - - 'fix' - - 'bugfix' - - 'bug' - - 'hotfix' -- title: '🤖 Automatic Update' - labels: - - 'auto-update' +on: + push: + branches: + - master -change-template: | -
- $TITLE @$AUTHOR (#$NUMBER) - - $BODY -
- -template: | - $CHANGES +jobs: + semver: + runs-on: ubuntu-latest + steps: + # Drafts your next Release notes as Pull Requests are merged into "master" + - uses: release-drafter/release-drafter@v5 + with: + publish: true + prerelease: false + config-name: auto-release.yml + env: + GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} diff --git a/templates/.github/workflows/validate-codeowners.yml b/templates/.github/workflows/validate-codeowners.yml new file mode 100644 index 00000000..0bc01d7e --- /dev/null +++ b/templates/.github/workflows/validate-codeowners.yml @@ -0,0 +1,18 @@ +name: Validate Codeowners +on: + pull_request: + paths: + - '**/CODEOWNERS' + - '.github/workflows/validate-codeowners.yml' + +jobs: + validate-codeowners: + runs-on: ubuntu-latest + steps: + - name: "Checkout source code at current commit" + uses: actions/checkout@v2 + - uses: mszostok/codeowners-validator@v0.5.0 + with: + checks: "files,syntax,owners,duppatterns" + # GitHub access token is required only if the `owners` check is enabled + github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" diff --git a/templates/Makefile.build-harness b/templates/Makefile.build-harness index b89a9d55..fd5fa30f 100644 --- a/templates/Makefile.build-harness +++ b/templates/Makefile.build-harness @@ -37,6 +37,11 @@ EXTRA_DOCKER_ENVS ?= AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE MOUNT_HOME ?= $(shell [ -d "$$HOME" ] && printf -- "-e HOME -v \"%s\":\"%s\"" "$$HOME" "$$HOME") DOCKER_ENVS ?= $(DEFAULT_DOCKER_ENVS) $(EXTRA_DOCKER_ENVS) +## Start a shell inside of the `build-harness` docker container with `make shell` or `make builder` +## Run `make` targets inside the shell by setting `TARGETS`, e.g. +## make builder TARGETS="github/init readme" +ARGS := $(if $(TARGETS),$(TARGETS),-l) +ENTRYPOINT := $(if $(TARGETS),/usr/bin/make,/bin/bash) shell builder: $(info Starting $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG)) docker run --name build-harness \ 
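Review bot: The `semver` job runs a third-party action by movable tag (`release-drafter/release-drafter@v5`) and passes it `secrets.PUBLIC_REPO_ACCESS_TOKEN` under the `GITHUB_TOKEN` name, so whatever that tag points to at run time executes with that token on every push to `master`. Pin the action to a full commit SHA, e.g. `uses: release-drafter/release-drafter@FULL_COMMIT_SHA # v5` (placeholder, to be filled from the upstream release). If publishing does not need the personal token, `${{ secrets.GITHUB_TOKEN }}` limits exposure to this repository; the scope of `PUBLIC_REPO_ACCESS_TOKEN` is not visible here. The same applies to `mszostok/codeowners-validator@v0.5.0` in the `validate-codeowners.yml` files added in this commit and in the next one in the series.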
@@ -46,5 +51,5 @@ shell builder: $(MOUNT_HOME) \ -v $(CURDIR):/opt \ --workdir /opt \ - --entrypoint /bin/bash \ - $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) -l + --entrypoint $(ENTRYPOINT) \ + $(BUILD_HARNESS_DOCKER_IMAGE):$(BUILD_HARNESS_DOCKER_TAG) $(ARGS) diff --git a/templates/README.md.gotmpl b/templates/README.md.gotmpl index 277cd3ff..439fbeb2 100644 --- a/templates/README.md.gotmpl +++ b/templates/README.md.gotmpl @@ -95,7 +95,7 @@ We highly recommend that in your code you pin the version to the exact version y using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise. -Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), +Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required. {{end}} diff --git a/templates/terraform/.github/mergify.yml b/templates/terraform/.github/mergify.yml index c62ca014..485982ff 100644 --- a/templates/terraform/.github/mergify.yml +++ b/templates/terraform/.github/mergify.yml @@ -10,6 +10,7 @@ pull_request_rules: actions: review: type: "APPROVE" + bot_account: "cloudposse-mergebot" message: "We've automatically approved this PR because the checks from the automated Pull Request have passed." - name: "merge automated PRs when approved and tests pass" @@ -39,7 +40,7 @@ pull_request_rules: - "conflict" actions: comment: - message: "This pull request is now in conflicts. Could you fix it @{{author}}? 🙏" + message: "This pull request is now in conflict. Could you fix it @{{author}}? 🙏" - name: "remove outdated reviews" conditions: diff --git a/templates/terraform/.github/workflows/chatops.yml b/templates/terraform/.github/workflows/chatops.yml index 0d943109..4ddc0674 100644 
--- a/templates/terraform/.github/workflows/chatops.yml +++ b/templates/terraform/.github/workflows/chatops.yml @@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: "Handle common commands" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} @@ -24,7 +24,7 @@ jobs: - name: "Checkout commit" uses: actions/checkout@v2 - name: "Run tests" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} From 167c78a1fbd914106d788431df50af5d83541105 Mon Sep 17 00:00:00 2001 From: Nuru Date: Wed, 9 Dec 2020 20:58:44 -0800 Subject: [PATCH 12/15] add validate-codeowners --- .github/workflows/chatops.yml | 4 ++-- .github/workflows/validate-codeowners.yml | 18 ++++++++++++++++++ README.md | 5 ++--- docs/targets.md | 5 ++--- .../.github/workflows/validate-codeowners.yml | 5 ++++- 5 files changed, 28 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/validate-codeowners.yml diff --git a/.github/workflows/chatops.yml b/.github/workflows/chatops.yml index 71293dd1..44b35b88 100644 --- a/.github/workflows/chatops.yml +++ b/.github/workflows/chatops.yml @@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: "Handle common commands" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -24,7 +24,7 @@ jobs: - name: "Checkout commit" uses: actions/checkout@v2 - name: "Run tests" - uses: cloudposse/actions/github/slash-command-dispatch@0.16.0 + uses: cloudposse/actions/github/slash-command-dispatch@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml new file mode 100644 index 00000000..0bc01d7e --- /dev/null +++ b/.github/workflows/validate-codeowners.yml @@ -0,0 +1,18 @@ +name: Validate Codeowners +on: + pull_request: + paths: + - '**/CODEOWNERS' + - '.github/workflows/validate-codeowners.yml' + +jobs: + validate-codeowners: + runs-on: ubuntu-latest + steps: + - name: "Checkout source code at current commit" + uses: actions/checkout@v2 + - uses: mszostok/codeowners-validator@v0.5.0 + with: + checks: "files,syntax,owners,duppatterns" + # GitHub access token is required only if the `owners` check is enabled + github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" diff --git a/README.md b/README.md index 5da53f6e..1b40e0dd 100644 --- a/README.md +++ b/README.md 
@@ -242,10 +242,9 @@ Available targets: terraform/get-plugins Ensure all plugins can be fetched terraform/install Install terraform terraform/lint Lint check Terraform - terraform/remove-upper-bound Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") - terraform/rewrite-module-source Rewrite the *.tf files to use registry notation for modules sources + terraform/loosen-constraints and convert "~>" constraints to ">=". terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider - terraform/upgrade-modules Upgrade all terraform module sources + terraform/upgrade-modules This target has not been upgraded to handle registry format terraform/validate Basic terraform sanity check travis/docker-login Login into docker hub travis/docker-tag-and-push Tag & Push according Travis environment variables diff --git a/docs/targets.md b/docs/targets.md index 80a55dce..ffa0b810 100644 --- a/docs/targets.md +++ b/docs/targets.md 
@@ -119,10 +119,9 @@ Available targets: terraform/get-plugins Ensure all plugins can be fetched terraform/install Install terraform terraform/lint Lint check Terraform - terraform/remove-upper-bound Rewrite versions.tf to remove upper bound for terraform core version constraint (like this ">= 0.12.0, < 0.14.0") - terraform/rewrite-module-source Rewrite the *.tf files to use registry notation for modules sources + terraform/loosen-constraints and convert "~>" constraints to ">=". terraform/rewrite-required-providers Rewrite versions.tf to update existing configuration to add an explicit source attribute for each provider - terraform/upgrade-modules Upgrade all terraform module sources + terraform/upgrade-modules This target has not been upgraded to handle registry format terraform/validate Basic terraform sanity check travis/docker-login Login into docker hub travis/docker-tag-and-push Tag & Push according Travis environment variables diff --git a/templates/.github/workflows/validate-codeowners.yml b/templates/.github/workflows/validate-codeowners.yml index 0bc01d7e..ebdc5c03 100644 --- a/templates/.github/workflows/validate-codeowners.yml +++ b/templates/.github/workflows/validate-codeowners.yml @@ -13,6 +13,9 @@ jobs: uses: actions/checkout@v2 - uses: mszostok/codeowners-validator@v0.5.0 with: - checks: "files,syntax,owners,duppatterns" + # For now, remove "files" check to allow CODEOWNERS to specify non-existent + # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos + # checks: "files,syntax,owners,duppatterns" + checks: "syntax,owners,duppatterns" # GitHub access token is required only if the `owners` check is enabled github_access_token: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}" From 4812b12862021c3b278553be724e1dc1aa31c822 Mon Sep 17 00:00:00 2001 
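Review bot: With `files` removed from `checks`, a CODEOWNERS pattern that matches no file is no longer reported, which also hides a mistyped pattern for a path that is meant to be protected, such as `.github/mergify.yml`. The added comment gives the reason but not this trade-off. Extend it with something like `# NOTE: without "files" a mistyped pattern silently protects nothing; re-enable it where every listed path exists`. The repository's own `.github/workflows/validate-codeowners.yml`, added in this same commit, keeps the `files` check, so the two copies now differ; say in the comment whether that is intended.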
From: Nuru Date: Wed, 9 Dec 2020 21:34:59 -0800 Subject: [PATCH 13/15] Pedantic linter fixes --- modules/packages/Makefile | 16 ++++++++-------- modules/terraform/Makefile | 8 ++++---- templates/Makefile.build-harness | 8 ++++---- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/modules/packages/Makefile b/modules/packages/Makefile index b7a2bcd6..4cae84b6 100644 --- a/modules/packages/Makefile +++ b/modules/packages/Makefile @@ -14,22 +14,22 @@ packages/reinstall: packages/delete packages/install ## Install packages packages/install: @if [ ! -d $(PACKAGES_PATH) ]; then \ - echo "* Installing packages $(PACKAGES_VERSION)..."; \ - rm -rf $(PACKAGES_PATH); \ - $(GIT) clone -c advice.detachedHead=false --depth=1 -b $(PACKAGES_VERSION) https://github.com/cloudposse/packages.git $(PACKAGES_PATH); \ - rm -rf $(PACKAGES_PATH)/.git; \ + echo "* Installing packages $(PACKAGES_VERSION)..."; \ + rm -rf $(PACKAGES_PATH); \ + $(GIT) clone -c advice.detachedHead=false --depth=1 -b $(PACKAGES_VERSION) https://github.com/cloudposse/packages.git $(PACKAGES_PATH); \ + rm -rf $(PACKAGES_PATH)/.git; \ fi ## Install package (e.g. helm, helmfile, kubectl) packages/install/%: @binary="$*"; \ if [[ -x "$(INSTALL_PATH)/$$binary" ]]; then \ - echo "* Package $$binary already installed"; \ + echo "* Package $$binary already installed"; \ elif [[ "$(PACKAGES_PREFER_HOST)" == "true" ]] && installed=$$(command -v $* 2>/dev/null); then \ - echo Using "$*" from "$$installed" ; \ + echo Using "$*" from "$$installed" ; \ else \ - $(MAKE) packages/install && \ - echo "* Installing $* to $(INSTALL_PATH)" && \ + $(MAKE) packages/install && \ + echo "* Installing $* to $(INSTALL_PATH)" && \ $(MAKE) -C $(PACKAGES_PATH)/install "$*"; \ fi; diff --git a/modules/terraform/Makefile b/modules/terraform/Makefile index 88c059bb..5c560b7f 100644 --- a/modules/terraform/Makefile +++ b/modules/terraform/Makefile 
@@ -62,7 +62,7 @@ terraform/rewrite-readme-source: terraform/loosen-constraints: TERRAFORM = terraform-0.13 terraform/loosen-constraints: @for v in $$(find . -type f -name 'versions.tf'); do \ - DIR="$$(dirname $$v)"; \ + DIR="$$(dirname $$v)"; \ sed -i -E 's,\s\=\s*\"(.*[0-9.]+)(\,\s*<.*)", = "\1",g' "$$v" ; \ sed -i -E 's,=\s*"\s*~>,= ">=,g' "$$v" ; \ $(TERRAFORM) fmt "$$DIR" ; \ @@ -72,10 +72,10 @@ terraform/loosen-constraints: terraform/bump-tf-12-min-version: TERRAFORM = terraform-0.13 terraform/bump-tf-12-min-version: terraform/loosen-constraints @for v in $$(find . -type f -name 'versions.tf'); do \ - DIR="$$(dirname $$v)"; \ + DIR="$$(dirname $$v)"; \ PIN="$$(terraform-config-inspect --json "$$DIR" | jq -r '.required_core[]')" ; \ if vert "$$PIN" 0.12.25 >/dev/null; then \ - echo updating "$$v" ; \ + echo updating "$$v" ; \ sed -i -E 's,required_version\s*\=\s*\"(\~>|>\=)\s?(0\.12(\.\d+)?)\",required_version = ">= 0.12.26",g' "$$v" ; \ $(TERRAFORM) fmt $$DIR ; \ else \ @@ -87,7 +87,7 @@ terraform/bump-tf-12-min-version: terraform/loosen-constraints terraform/rewrite-required-providers: TERRAFORM = terraform-0.13 terraform/rewrite-required-providers: terraform/loosen-constraints @for v in $$(find . -type f -name 'versions.tf'); do \ - DIR="$$(dirname $$v)" ; \ + DIR="$$(dirname $$v)" ; \ KEEP_VERSION=$$(grep -Eo 'required_version\s*=\s*"(.*)"' "$$v" | cut -d '"' -f2) ; \ echo upgrading $$v ; \ terraform-0.13 0.13upgrade -yes "$$DIR" >/dev/null ; \ diff --git a/templates/Makefile.build-harness b/templates/Makefile.build-harness index fd5fa30f..a38afd72 100644 --- a/templates/Makefile.build-harness +++ b/templates/Makefile.build-harness 
@@ -22,9 +22,9 @@ init:: ## Clean build-harness clean:: @[ "$(BUILD_HARNESS_PATH)" == '/' ] || \ - [ "$(BUILD_HARNESS_PATH)" == '.' ] || \ - [ "$(BUILD_HARNESS_PATH)" == '/$(BUILD_HARNESS_PROJECT)' ] || \ - echo rm -rf $(BUILD_HARNESS_PATH) + [ "$(BUILD_HARNESS_PATH)" == '.' ] || \ + [ "$(BUILD_HARNESS_PATH)" == '/$(BUILD_HARNESS_PROJECT)' ] || \ + echo rm -rf $(BUILD_HARNESS_PATH) .PHONY: shell builder shell/pull builder/pull shell/pull builder/pull: @@ -32,7 +32,7 @@ shell/pull builder/pull: @exit 0 DEFAULT_DOCKER_ENVS := AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN TERM AWS_PROFILE AWS_REGION \ - AWS_DEFAULT_PROFILE AWS_DEFAULT_REGION + AWS_DEFAULT_PROFILE AWS_DEFAULT_REGION EXTRA_DOCKER_ENVS ?= AWS_CONFIG_FILE AWS_SHARED_CREDENTIALS_FILE MOUNT_HOME ?= $(shell [ -d "$$HOME" ] && printf -- "-e HOME -v \"%s\":\"%s\"" "$$HOME" "$$HOME") DOCKER_ENVS ?= $(DEFAULT_DOCKER_ENVS) $(EXTRA_DOCKER_ENVS) From 51ce3b011ad5c997c30e1a71361379208f744200 Mon Sep 17 00:00:00 2001 From: Nuru Date: Wed, 9 Dec 2020 21:59:39 -0800 Subject: [PATCH 14/15] Make bulid-harness the authority on context.tf --- modules/github/Makefile.init | 6 +++--- templates/terraform/.github/workflows/auto-context.yml | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/github/Makefile.init b/modules/github/Makefile.init index 88f472a3..8a3db340 100644 --- a/modules/github/Makefile.init +++ b/modules/github/Makefile.init 
@@ -26,13 +26,13 @@ $(GITHUB_TERRAFORM_TEMPLATES): $(addprefix $(BUILD_HARNESS_PATH)/templates/terra cp $(BUILD_HARNESS_PATH)/templates/terraform/$@ $@ git ls-files --error-unmatch $@ 2>/dev/null || git add $@ -context: +github/init/context.tf: curl -o context.tf -fsSL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf git ls-files --error-unmatch context.tf 2>/dev/null || git add context.tf @if [[ -d examples/complete ]]; then \ cp -p context.tf examples/complete/context.tf ; \ fi -.PHONY: $(GITHUB_TEMPLATES) $(GITHUB_TERRAFORM_TEMPLATES) context +.PHONY: $(GITHUB_TEMPLATES) $(GITHUB_TERRAFORM_TEMPLATES) github/init/context.tf -github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES) context) +github/init: $(GITHUB_TEMPLATES) $(if $(wildcard *.tf),$(GITHUB_TERRAFORM_TEMPLATES) github/init/context.tf) diff --git a/templates/terraform/.github/workflows/auto-context.yml b/templates/terraform/.github/workflows/auto-context.yml index e3f7b569..739a3c9e 100644 --- a/templates/terraform/.github/workflows/auto-context.yml +++ b/templates/terraform/.github/workflows/auto-context.yml @@ -23,8 +23,9 @@ jobs: if git diff --no-patch --exit-code context.tf; then echo "No changes detected! Exiting the job..." else - echo "context.tf file was updated. Need to rebuild README.md." + echo "context.tf file has changed. Update examples and rebuild README.md." make init + make github/init/context.tf make readme/build echo "::set-output name=create_pull_request=true" fi @@ -34,7 +35,7 @@ jobs: - name: Create Pull Request if: {{ steps.update.outputs.create_pull_request == 'true' }} - uses: cloudposse/actions/github/create-pull-request@0.20.0 + uses: cloudposse/actions/github/create-pull-request@0.22.0 with: token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }} commit-message: Update context.tf from origin source From 4c05cbd103676d8cd9e619eaac17cb14cb9b754d Mon Sep 17 00:00:00 2001 
From: Nuru Date: Thu, 10 Dec 2020 15:29:32 -0800 Subject: [PATCH 15/15] Always validate CODEOWNERS --- templates/.github/workflows/validate-codeowners.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/.github/workflows/validate-codeowners.yml b/templates/.github/workflows/validate-codeowners.yml index ebdc5c03..80442891 100644 --- a/templates/.github/workflows/validate-codeowners.yml +++ b/templates/.github/workflows/validate-codeowners.yml @@ -1,9 +1,6 @@ name: Validate Codeowners on: pull_request: - paths: - - '**/CODEOWNERS' - - '.github/workflows/validate-codeowners.yml' jobs: validate-codeowners: