feat(repo): switch to bun (#191)

* switch to bun

* workflows

* terraform-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

.github/workflows/github-ip-ranges.yaml

@@ -51,7 +51,7 @@ jobs:
         uses: ExpediaGroup/github-helpers@v1
         with:
           helper: create-pr
-          title: 'fix: update Github IP ranges'
+          title: "fix: update Github IP ranges"
           body: The GitHub IP ranges for hooks have changed on the [meta endpoint](https://api.github.com/meta).
           head: github-ip-range-update
           github_token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/publish.yaml

@@ -13,16 +13,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .nvmrc
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
 
       - name: Install
-        run: npm ci
+        run: bun i
 
       - name: Build
-        run: npm run build
+        run: bun run build
 
       - name: Inject Mozilla Cert Bundles
         run: curl https://curl.se/ca/cacert.pem -o build/public-certs.pem

.github/workflows/release.yaml

@@ -1,3 +1,5 @@
+name: Release
+
 on:
   push:
     branches:
@@ -9,10 +11,16 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
         with:
-          fetch-depth: 0
+          node-version: latest
 
       - name: Create Release
-        run: npx semantic-release@v19.0.5 --debug --no-ci
+        run: bunx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/test.yaml

@@ -12,22 +12,23 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .nvmrc
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
 
       - name: Install
-        run: npm ci
+        run: bun i
 
       - name: Format
-        run: npm run format-check
+        run: bun run format-check
 
-      - name: Test
-        run: npm run test
+      - name: Type Check
+        run: bun tsc
 
       - name: Build
-        run: npm run build
+        run: bun run build
+
+      - name: Test
+        run: bun run test
 
   docs:
     runs-on: ubuntu-latest

.pre-commit-config.yaml

@@ -1,12 +1,12 @@
 repos:
-- repo: https://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.71.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
-  hooks:
-    - id: terraform_fmt
-    - id: terraform_docs
-    #- id: terraform_validate
-    - id: terraform_tflint
-      args:
-        - 'args=--deep'
-        - 'args=--enable-rule=terraform_documented_variables'
-    - id: terraform_tfsec
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.71.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+      #- id: terraform_validate
+      - id: terraform_tflint
+        args:
+          - "args=--deep"
+          - "args=--enable-rule=terraform_documented_variables"
+      - id: terraform_tfsec

.releaserc.yaml

@@ -1,5 +1,5 @@
 plugins:
-  - - '@semantic-release/commit-analyzer'
+  - - "@semantic-release/commit-analyzer"
     - preset: angular
       releaseRules:
         - breaking: true
@@ -12,8 +12,8 @@ plugins:
           release: patch
         - scope: no-release
           release: false
-  - '@semantic-release/release-notes-generator'
-  - - '@semantic-release/github'
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/github"
     - assets:
         - proxy-lambda.zip
 branches:

CONTRIBUTING.md

@@ -48,7 +48,7 @@ Push your changes to your branch and open a pull request against the parent repo
 
 Upon Pull Request submission, your code will be reviewed by the maintainers. They will confirm at least the following:
 
--   Tests run successfully (unit, coverage, integration, style).
--   Contribution policy has been followed.
+- Tests run successfully (unit, coverage, integration, style).
+- Contribution policy has been followed.
 
 One (human) reviewer will need to sign off on your Pull Request before it can be merged.

README.md

@@ -17,11 +17,13 @@ aws s3 cp "${file}" "${s3_destination}/${file}"
 ```
 
 Optionally, you may create a Lambda layer which optionally contains the following files:
-* `allowed-destination-hosts.json`: An array of destination hosts that the proxy can forward to. If omitted, all destinations will be allowed. Wildcard matching is supported via [micromatch](https://github.com/micromatch/micromatch)
-* `ca.pem`: A root CA certificate for forwarding to internal destinations with self-signed certs
-* `cert.pem`: A chain certificate for forwarding to internal destinations with self-signed certs
+
+- `allowed-destination-hosts.json`: An array of destination hosts that the proxy can forward to. If omitted, all destinations will be allowed. Wildcard matching is supported via [micromatch](https://github.com/micromatch/micromatch)
+- `ca.pem`: A root CA certificate for forwarding to internal destinations with self-signed certs
+- `cert.pem`: A chain certificate for forwarding to internal destinations with self-signed certs
 
 These files must be in a zipped `layer` directory, and this can be uploaded using the following script:
+
 ```shell
 # Zip and Upload Lambda Layer to s3_destination
 file="proxy-lambda-layer.zip"
@@ -32,6 +34,7 @@ aws s3 cp "${file}" "${s3_destination}/${file}"
 If the layer is used, its ARN must be passed to the `lambda_layer_arn` Terraform variable.
 
 ### Example Terraform Module Usage
+
 ```hcl
 module "github-webhook-proxy" {
   source     = "git::https://github.com/ExpediaGroup/github-webhook-proxy.git?ref=v2"
@@ -69,15 +72,15 @@ locals {
 ### Adding a New Webhook
 
 1. **Create the webhook proxy URL**
-    1. Obtain your desired destination URL, i.e. the internal endpoint where you want to send webhooks.
-    2. Encode your destination URL! An easy way to do this is to use `jq` in your terminal
-       (install it [here](https://stedolan.github.io/jq/download/) if you don't have it already): `jq -rn --arg x 'YOUR_DESTINATION_URL_HERE' '$x|@uri'`
-    3. Paste the encoded URL at the end of the webhook proxy base URL (`https://YOUR_API_URL/webhook`).
+   1. Obtain your desired destination URL, i.e. the internal endpoint where you want to send webhooks.
+   2. Encode your destination URL! An easy way to do this is to use `jq` in your terminal
+      (install it [here](https://stedolan.github.io/jq/download/) if you don't have it already): `jq -rn --arg x 'YOUR_DESTINATION_URL_HERE' '$x|@uri'`
+   3. Paste the encoded URL at the end of the webhook proxy base URL (`https://YOUR_API_URL/webhook`).
 2. **Add the webhook to your repository**
-    1. As an administrator, navigate to your repository settings -> Webhooks -> Add webhook
-    2. Paste your webhook proxy URL in the "Payload URL" box. You do not need to worry about "Content type".
-    3. By default, GitHub will only send requests on the "push" event, but you may configure it to send on other events as well.
-    4. Click "Add webhook"
+   1. As an administrator, navigate to your repository settings -> Webhooks -> Add webhook
+   2. Paste your webhook proxy URL in the "Payload URL" box. You do not need to worry about "Content type".
+   3. By default, GitHub will only send requests on the "push" event, but you may configure it to send on other events as well.
+   4. Click "Add webhook"
 
 ### Example Webhook Proxy URL Creation
 
@@ -116,13 +119,14 @@ the `endpointId` to make it a valid URL.
 
 The Lambda then performs the following validations:
 
-* The request must have an enterprise slug which matches the `enterprise_slug` environment variable, OR the request must
+- The request must have an enterprise slug which matches the `enterprise_slug` environment variable, OR the request must
   come from a personal repository where the username ends in the enterprise managed user suffix (if provided).
   The user suffix is passed via the `enterprise_managed_user_suffix` Terraform variable.
-* The request host must have an approved destination URL host, which is the decoded `endpointId` specified in the request
+- The request host must have an approved destination URL host, which is the decoded `endpointId` specified in the request
   URL. The list of allowed destination hosts is read from `allowed-destination-hosts.json` in the Lambda layer.
 
 ### TLS Support
+
 If a root and chain certificate are not provided in the Lambda layer, the runtime environment will supply certificates for requests.
 If these certificates are provided, however, the proxy will forward each request with `ca.pem` and `cert.pem` as the
 root and chain, respectively, with the root certificate appended to the [Mozilla CA certificate store](https://curl.se/docs/caextract.html).
@@ -136,14 +140,16 @@ receives from the destination. If an unexpected error occurs, the webhook proxy
 ## Repository Overview
 
 ### Terraform Module
+
 This repository contains Terraform (`*.tf`) files which are intended to be consumed as a Terraform module.
 The files are generally organized by resource type. See the "Resources" section in [USAGE.md](https://github.com/ExpediaGroup/github-webhook-proxy/tree/main/USAGE.md) for more infrastructure details.
 
 ### Lambda Function
+
 The Lambda function is a Node.js Lambda compiled from Typescript, and lives in the ["lambda" directory](https://github.com/ExpediaGroup/github-webhook-proxy/tree/main/lambda).
 
 ### GitHub IP Range Allowlist
+
 This repo has a GitHub Actions [workflow](https://github.com/ExpediaGroup/github-webhook-proxy/tree/main/.github/workflows/github-ip-ranges.yml) which checks that the [GitHub Hooks IP Ranges file](https://github.com/ExpediaGroup/github-webhook-proxy/tree/main/github-hooks-ip-ranges.tf) is up to date.
 It runs a script once a day which calls https://api.github.com/meta and ensures the IP ranges in "hooks" match our current IP allowlist in the API Gateway.
 If the list is out of date, it will create a PR to update it.
-