chore: sync files with stordco/common-config-elixir

stordco · Aug 7, 2024 · 405fe4d · 405fe4d
1 parent 1ee086a
commit 405fe4d
Show file tree

Hide file tree

Showing 8 changed files with 183 additions and 9 deletions.
diff --git a/.credo.exs b/.credo.exs
@@ -81,7 +81,7 @@
         # You can customize the priority of any check
         # Priority values are: `low, normal, high, higher`
         #
-        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 2]},
+        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 4, if_called_more_often_than: 2]},
         {Credo.Check.Design.DuplicatedCode, false},
         # You can also customize the exit_status of each check.
         # If you don't want TODO comments to cause `mix credo` to fail, just

diff --git a/.github/release-please-config-hotfix.json b/.github/release-please-config-hotfix.json
@@ -0,0 +1,28 @@
+{
+  "$comment": "This file is synced with stordco/common-config-elixir. Any changes will be overwritten.",
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "changelog-sections": [
+    {
+      "type": "hotfix",
+      "section": "Hotfixes",
+      "hidden": false
+    }
+  ],
+  "draft": false,
+  "draft-pull-request": false,
+  "packages": {
+    ".": {
+      "extra-files": ["README.md"],
+      "release-type": "elixir"
+    }
+  },
+  "plugins": [
+    {
+      "type": "sentence-case"
+    }
+  ],
+  "prerelease": false,
+  "pull-request-header": "An automated hotfix release has been created for you.",
+  "pull-request-title-pattern": "chore(main): release hotfix ${version}",
+  "separate-pull-requests": true
+}
diff --git a/.github/release-please-config.json → .github/release-please-config-stable.json b/.github/release-please-config.json → .github/release-please-config-stable.json
@@ -7,6 +7,11 @@
       "section": "Features",
       "hidden": false
     },
+    {
+      "type": "hotfix",
+      "section": "Hotfixes",
+      "hidden": true
+    },
     {
       "type": "fix",
       "section": "Bug Fixes",
@@ -22,9 +27,7 @@
   "draft-pull-request": false,
   "packages": {
     ".": {
-      "extra-files": [
-        "README.md"
-      ],
+      "extra-files": ["README.md"],
       "release-type": "elixir"
     }
   },

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -46,7 +46,7 @@ jobs:
 
       - id: changed
         name: Get Changed Files
-        uses: tj-actions/changed-files@v43
+        uses: tj-actions/changed-files@v44
         with:
           files_yaml: |
             database:
@@ -56,6 +56,7 @@ jobs:
               - '.github/workflows/ci.yaml'
               - 'Dockerfile'
             documentation:
+              - 'docs/**'
               - 'priv/documentation/**'
               - '**.ex'
               - '**.md'
@@ -97,6 +98,9 @@ jobs:
     needs: [Changed]
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -214,3 +218,32 @@ jobs:
           - elixir: 1.15
             otp: 26
 
+  Trivy_Filesystem:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') }}
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Elixir
+        uses: stordco/actions-elixir/setup@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
+
+      - name: Trivy Scan
+        uses: stordco/[email protected]
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          scan-type: fs
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -30,7 +30,7 @@ jobs:
               return;
             }
 
-            const REGEX = /^(feat!|fix!|fix|feat|chore|(fix|feat|chore)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
+            const REGEX = /^(feat!|fix!|hotfix!|fix|feat|chore|hotfix|(fix|feat|chore|hotfix)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
 
             if (!REGEX.test(title)) {
               core.setFailed("Pull request title does not follow conventional commits");
@@ -43,7 +43,10 @@ jobs:
                 fix: [JIRA-1234] fix an existing feature
                 feat: [JIRA-1234] a new feature to release
                 feat!: a breaking change
+                hotfix: needed in production immediately
 
-            Note: Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+            Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+
+            Starting a commit with \`hotfix\` will result in a seperate hotfix release PR.
                 `.trim());
             }
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,21 +6,107 @@ on:
   push:
     branches:
       - main
+      - main-hotfix
 
 concurrency:
   group: release
   cancel-in-progress: false
 
 jobs:
-  Please:
+  Hotfix:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main-hotfix'
     runs-on: ubuntu-latest
 
     steps:
       - id: release
         name: Release
         uses: googleapis/release-please-action@v4
         with:
-          config-file: .github/release-please-config.json
+          config-file: .github/release-please-config-hotfix.json
+          manifest-file: .github/release-please-manifest.json
+          target-branch: main-hotfix
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+
+      - if: steps.release.outputs.release_created
+        name: Clone
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+
+      - if: steps.release.outputs.release_created
+        name: Setup Git
+        run: |
+          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+          git config --global user.name "${{ github.actor }}"
+        shell: bash
+
+      - if: steps.release.outputs.release_created
+        name: Cherry Pick
+        run: |
+          git cherry-pick ${{ github.sha }} -m1 --no-edit
+        shell: bash
+
+      - if: steps.release.outputs.release_created
+        name: Push
+        run: |
+          git push origin main
+        shell: bash
+
+      - if: steps.release.outputs.release_created
+        name: Delete
+        run: |
+          git push -d origin main-hotfix
+        shell: bash
+
+  Stable:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+
+    steps:
+      - id: release
+        name: Release
+        uses: googleapis/release-please-action@v4
+        with:
+          config-file: .github/release-please-config-stable.json
           manifest-file: .github/release-please-manifest.json
           target-branch: main
           token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+
+      - if: startsWith(github.event.head_commit.message, 'hotfix:')
+        name: Clone
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: main
+          token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+
+      - if: startsWith(github.event.head_commit.message, 'hotfix:')
+        name: Checkout
+        run: |
+          if git show-ref --verify --quiet refs/heads/main-hotfix; then
+            git checkout main-hotfix
+          else
+            git checkout -b main-hotfix tags/$(git describe --tags "$(git rev-list --tags --max-count=1)")
+          fi
+        shell: bash
+
+      - if: startsWith(github.event.head_commit.message, 'hotfix:')
+        name: Setup Git
+        run: |
+          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+          git config --global user.name "${{ github.actor }}"
+        shell: bash
+
+      - if: startsWith(github.event.head_commit.message, 'hotfix:')
+        name: Cherry Pick
+        run: |
+          git cherry-pick ${{ github.sha }} -m1 --no-edit
+        shell: bash
+
+      - if: startsWith(github.event.head_commit.message, 'hotfix:')
+        name: Push
+        run: |
+          git push origin main-hotfix
+        shell: bash
diff --git a/.github/workflows/staging.yaml b/.github/workflows/staging.yaml
@@ -26,6 +26,9 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.trivy/fs-config.yaml b/.trivy/fs-config.yaml
@@ -0,0 +1,18 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
+exit-code: '1'
+format: 'json'
+output: 'trivy-fs-results.json'
+scanners:
+  - vuln
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+  - UNKNOWN
+timeout: '3m'
+vulnerability:
+  type:
+    - os
+    - library