diff --git a/tasks/generate-files.yaml b/tasks/generate-files.yaml
index 6ae6471..cfc471c 100644
--- a/tasks/generate-files.yaml
+++ b/tasks/generate-files.yaml
@@ -24,14 +24,18 @@
state: directory
- name: Generate repo-ansible workflow
- ansible.builtin.copy:
- src: ./templates/.github/workflows/repo-ansible.yaml
- dest: "{{ repo_path }}/.github/workflows/repo-ansible.yaml"
+ ansible.builtin.template:
+ src: ./templates/.github/workflows/auto-run-repo-ansible.yaml.j2
+ dest: "{{ repo_path }}/.github/workflows/auto-run-repo-ansible.yaml"
+ variable_start_string: '[['
+ variable_end_string: ']]'
- name: Generate dependabot automerge workflow
- ansible.builtin.copy:
- src: ./templates/.github/workflows/dependabot-auto-merge.yaml
- dest: "{{ repo_path }}/.github/workflows/dependabot-auto-merge.yaml"
+ ansible.builtin.template:
+ src: ./templates/.github/workflows/auto-merge-dependabot-prs.yaml.j2
+ dest: "{{ repo_path }}/.github/workflows/auto-merge-dependabot-prs.yaml"
+ variable_start_string: '[['
+ variable_end_string: ']]'
when: repo.github.features.dependabot_auto_merge
- name: Generate CODEOWNERS file
diff --git a/tasks/migrations/migration-v0.10.2.yaml b/tasks/migrations/migration-v0.10.2.yaml
new file mode 100644
index 0000000..9007a6d
--- /dev/null
+++ b/tasks/migrations/migration-v0.10.2.yaml
@@ -0,0 +1,10 @@
+- name: remove renamed or repo-ansible dropped files
+ ansible.builtin.file:
+ path: "{{ repo_path }}/{{ item }}"
+ state: absent
+ loop:
+ - .devcontainer/git/hooks/pre-push
+ - .github/workflows/00-start.yaml
+ - .github/workflows/dependabot-auto-merge.yaml
+ - .github/workflows/repo-ansible.yaml
+ - .releaserc
diff --git a/tasks/other-dev-generated-files.yaml b/tasks/other-dev-generated-files.yaml
index b265c00..daff21b 100644
--- a/tasks/other-dev-generated-files.yaml
+++ b/tasks/other-dev-generated-files.yaml
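Review bot: The switch to `ansible.builtin.template` only moves the variable delimiters to `[[ ]]`; Jinja's block (`{% %}`) and comment (`{# #}`) delimiters stay active, so a literal `{#` or `{%` appearing in a workflow template (for example inside a `run:` shell script) would be consumed silently at render time. Either set `block_start_string`/`block_end_string` and `comment_start_string`/`comment_end_string` next to the two `variable_*` options so the whole Jinja syntax is moved out of the way of GitHub's `${{ }}` and metadata-action's `{{ }}`, or record the constraint in a comment on the task, e.g. `# only {{ }} is remapped; {% %} and {# #} are still Jinja in these templates`. The same remark applies to the second task in the hunk.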
@@ -1,9 +1,9 @@
- when: repo.github.features.sdlc_workflows
block:
- - name: copy semantic-release .releaserc file
- ansible.builtin.copy:
- src: ./templates/.releaserc
- dest: "{{ repo_path }}/.releaserc"
+ - name: generate semantic-release config file
+ ansible.builtin.template:
+ src: ./templates/release.config.mjs.j2
+ dest: "{{ repo_path }}/release.config.mjs"
- name: find workflow extensions
ansible.builtin.command: "./library/list_extension_workflows.py '{{ repo_path }}'"
@@ -23,8 +23,6 @@
vars:
workflow_group: "{{ item.workflow_group }}"
loop:
- - target: 00-start.yaml
- workflow_group: ""
- target: 10-review.yaml
- workflow_group: "10"
- target: 30-release-and-build.yaml
diff --git a/templates/.devcontainer/git/hooks/pre-push b/templates/.devcontainer/git/hooks/pre-push
deleted file mode 100755
index 2e973ee..0000000
--- a/templates/.devcontainer/git/hooks/pre-push
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-temporary_file=$(mktemp)
-# Temporary workaround on issue reported in #8432
-# shellcheck disable=2024
-sudo composer-unused --no-progress --output-format=github > "$temporary_file"
-exit_code=$?
-
-grep -v 'ignored' "$temporary_file"
-exit $exit_code
diff --git a/templates/.github/workflows/00-start.yaml.j2 b/templates/.github/workflows/00-start.yaml.j2
deleted file mode 100644
index 6acff95..0000000
--- a/templates/.github/workflows/00-start.yaml.j2
+++ /dev/null
@@ -1,33 +0,0 @@
-# [[ repo_managed ]]
-name: RunGithubActionsWorkflows
-
-# workflow_dispatch enables option for manual runs
-# workflow_call: it can be started by other workflows
-
-on:
- workflow_dispatch:
- workflow_call:
-
-jobs:
- review:
- uses: ./.github/workflows/10-review.yaml
- secrets: inherit
- release-and-build:
- uses: ./.github/workflows/30-release-and-build.yaml
- needs: review
- secrets: inherit
- helm:
- uses: ./.github/workflows/40-helm.yaml
- needs: release-and-build
- secrets: inherit
- with:
- new-release-published: ${{ needs.release-and-build.outputs.new-release-published }}
- release-version: ${{ needs.release-and-build.outputs.release-version }}
- security:
- uses: ./.github/workflows/50-security.yaml
- needs: release-and-build
- secrets: inherit
- cleanup:
- uses: ./.github/workflows/90-cleanup.yaml
- needs: release-and-build
- secrets: inherit
diff --git a/templates/.github/workflows/10-review.yaml.j2 b/templates/.github/workflows/10-review.yaml.j2
index 6871d02..813c645 100644
--- a/templates/.github/workflows/10-review.yaml.j2
+++ b/templates/.github/workflows/10-review.yaml.j2
@@ -12,12 +12,10 @@ jobs:
# Don't enforce commit conventions checks for Dependabot
if: github.actor != 'dependabot[bot]'
steps:
- - name: Checkout
- uses: actions/checkout@v4
+ - uses: actions/checkout@v4
# interesting alternative: https://github.com/cocogitto/cocogitto
- - name: Conventional commit checker
- uses: webiny/action-conventional-commits@v1.3.0
+ - uses: webiny/action-conventional-commits@v1.3.0
# XXX: normal action versioning syntax (`@v1`) doesn't work with this action,
# possibly because not published on the GitHub marketplace
diff --git a/templates/.github/workflows/30-release-and-build.yaml.j2 b/templates/.github/workflows/30-release-and-build.yaml.j2
index da2bc78..1b03dd4 100644
--- a/templates/.github/workflows/30-release-and-build.yaml.j2
+++ b/templates/.github/workflows/30-release-and-build.yaml.j2
@@ -3,14 +3,6 @@ name: Release
on:
workflow_dispatch:
- workflow_call:
- outputs:
- new-release-published:
- description: "Whether or not a new release was published."
- value: ${{ jobs.build.outputs.new-release-published }}
- release-version:
- description: "The version string of the newly published release"
- value: ${{ jobs.build.outputs.release-version }}
push:
branches:
- [[ repo.github.default_branch ]]
@@ -23,50 +15,26 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
- outputs:
- new-release-published: ${{ steps.semantic-release.outputs.new-release-published }}
- release-version: ${{ steps.semantic-release.outputs.release-version }}
steps:
- - name: GitHub Environment Variables Action
- uses: FranzDiebold/github-env-vars-action@v2
+ - uses: FranzDiebold/github-env-vars-action@v2
- uses: actions/checkout@v4
with:
fetch-depth: 0
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ - uses: docker/setup-qemu-action@v3
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ - uses: docker/setup-buildx-action@v3
with:
# moby/buildkit v0.11.0 causes untagged images to appear in github
# packages and the workaround does not seem to have any effect
# (set provenance=false in docker/build-push-action@v4)
driver-opts: network=host,image=moby/buildkit:v0.10.5
- - name: Create release
- id: semantic-release
+ - id: semantic-release
uses: codfish/semantic-release-action@v3
with:
- # support releasing the "main" branch
- # whilst preserving the action defaults
- branches: |
- [
- '+([0-9])?(.{+([0-9]),x}).x',
- '[[ repo.github.default_branch ]]',
- 'next',
- 'next-major',
- {
- name: 'beta',
- prerelease: true
- },
- {
- name: 'alpha',
- prerelease: true
- }
- ]
additional-packages: |
['@semantic-release/changelog', '@semantic-release/git', '@semantic-release/exec']
repository-url: 'https://github.com/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}.git'
@@ -74,8 +42,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Docker meta
- id: meta
+ - id: meta
uses: docker/metadata-action@v5
with:
images: |
@@ -85,15 +52,13 @@ jobs:
type=raw,value=latest,enable={{is_default_branch}}
type=raw,value=${{ steps.semantic-release.outputs.release-version }}
- - name: Login to Container Registry ghcr.io
- uses: docker/login-action@v3
+ - uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v6
+ - uses: docker/build-push-action@v6
with:
context: .
provenance: false
diff --git a/templates/.github/workflows/40-helm.yaml.j2 b/templates/.github/workflows/40-helm.yaml.j2
index 70faca6..08c8e56 100644
--- a/templates/.github/workflows/40-helm.yaml.j2
+++ b/templates/.github/workflows/40-helm.yaml.j2
@@ -3,14 +3,6 @@ name: Helm Publish
on:
workflow_dispatch:
- workflow_call:
- inputs:
- new-release-published:
- required: true
- type: string
- release-version:
- required: true
- type: string
jobs:
helm:
diff --git a/templates/.github/workflows/50-security.yaml.j2 b/templates/.github/workflows/50-security.yaml.j2
index 0c68d04..d3b150f 100644
--- a/templates/.github/workflows/50-security.yaml.j2
+++ b/templates/.github/workflows/50-security.yaml.j2
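Review bot: After this hunk the `on:` block of 40-helm.yaml.j2 holds only `workflow_dispatch:`, and the `00-start.yaml.j2` orchestrator that used to call it after a release is deleted in the same commit, so unless a trigger exists outside the hunk the Helm publish now only runs by hand. If it is still meant to follow every release, a `workflow_run` trigger on the Release workflow keeps it automatic, e.g. `workflow_run: { workflows: ['Release'], types: [completed] }` under `on:`, gated on the job with `if: github.event.workflow_run.conclusion == 'success'`. The removed `new-release-published` and `release-version` inputs are presumably still read as `inputs.*` in the `helm` job, whose body starts outside the hunk; with `workflow_call` gone those expressions evaluate to empty strings rather than failing, so they need a replacement source such as the latest tag of the checked-out repository.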
@@ -9,21 +9,17 @@ jobs:
name: security
runs-on: ubuntu-latest
steps:
- - name: GitHub Environment Variables Action
- uses: FranzDiebold/github-env-vars-action@v2
+ - uses: FranzDiebold/github-env-vars-action@v2
- - name: Login to Docker Hub
- uses: docker/login-action@v3
+ - uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- - name: Docker pull
- run: docker pull ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest
+ - run: docker pull ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ - uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/linkorb/${{ env.CI_REPOSITORY_NAME }}:latest
format: 'table'
diff --git a/templates/.github/workflows/90-cleanup.yaml.j2 b/templates/.github/workflows/90-cleanup.yaml.j2
index 7708b0c..3c26537 100644
--- a/templates/.github/workflows/90-cleanup.yaml.j2
+++ b/templates/.github/workflows/90-cleanup.yaml.j2
@@ -1,11 +1,10 @@
# [[ repo_managed ]]
-name: Cleanup
+name: Scheduled Cleanup
on:
schedule:
- cron: 0 13 * * 2
workflow_dispatch:
- workflow_call:
jobs:
cleanup:
@@ -15,10 +14,9 @@ jobs:
packages: write
steps:
- - name: GitHub Environment Variables Action
- uses: FranzDiebold/github-env-vars-action@v2
+ - uses: FranzDiebold/github-env-vars-action@v2
- - name: Delete an old version of the package, keeping a few of the newest
+ - name: Keep last 5 published container images
uses: actions/delete-package-versions@v5
with:
package-name: "${{ env.CI_REPOSITORY_NAME }}"
diff --git a/templates/.github/workflows/dependabot-auto-merge.yaml b/templates/.github/workflows/auto-merge-dependabot-prs.yaml.j2
similarity index 78%
rename from templates/.github/workflows/dependabot-auto-merge.yaml
rename to templates/.github/workflows/auto-merge-dependabot-prs.yaml.j2
index ce97a2a..af0729b 100644
--- a/templates/.github/workflows/dependabot-auto-merge.yaml
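Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch, so whatever is pushed to that branch next runs inside this job, two steps after `docker/login-action` has authenticated the runner to ghcr.io with `secrets.GITHUB_TOKEN`; pin it to a release tag or, preferably, a full commit SHA with the tag in a trailing comment. The scan also targets the mutable `:latest` tag (`docker pull ...:latest` and `image-ref: ...:latest`) rather than the digest the Release workflow just pushed, so a run racing a concurrent release may report on a different image than the one being released. Because `00-start.yaml.j2`, which chained this workflow after a release, is deleted in this commit, confirm that the `on:` block above this hunk still carries a non-manual trigger (a `schedule:` like the one 90-cleanup keeps would do) or the scan silently stops running.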
+++ b/templates/.github/workflows/auto-merge-dependabot-prs.yaml.j2
@@ -1,3 +1,4 @@
+# [[ repo_managed ]]
name: Auto-merge Dependabot PRs
on: pull_request_target
@@ -10,12 +11,10 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- - name: Dependabot metadata
- id: metadata
+ - id: metadata
uses: dependabot/fetch-metadata@v2
- - name: Enable auto-merge for Dependabot PRs
- if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ - if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
run: gh pr merge --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
diff --git a/templates/.github/workflows/repo-ansible.yaml b/templates/.github/workflows/auto-run-repo-ansible.yaml.j2
similarity index 86%
rename from templates/.github/workflows/repo-ansible.yaml
rename to templates/.github/workflows/auto-run-repo-ansible.yaml.j2
index 14b9a6a..b714136 100644
--- a/templates/.github/workflows/repo-ansible.yaml
+++ b/templates/.github/workflows/auto-run-repo-ansible.yaml.j2
@@ -1,3 +1,4 @@
+# [[ repo_managed ]]
name: Auto-run repo-ansible
on:
@@ -6,12 +7,13 @@ on:
pull_request_target:
paths:
- 'repo.yaml'
+ - 'docs/partials/*.md'
push:
branches:
- - main
- - master
+ - [[ repo.github.default_branch ]]
paths:
- 'repo.yaml'
+ - 'docs/partials/*.md'
permissions:
contents: write # allow git commits & push
@@ -61,7 +63,7 @@ jobs:
- if: ${{ env.IS_PULL_REQUEST == '1' && env.REPOSITORY_CHANGED == '1' }}
- name: comment with changes
+ name: bot comment about repo-ansible detected changes
uses: actions/github-script@v7
with:
script: |
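Review bot: `run: gh pr merge --merge "$PR_URL"` attempts the merge at once, yet this job fires on `pull_request_target` when the PR is opened or synchronized, ordinarily before any status check has reported; `gh pr merge --auto --merge "$PR_URL"` instead queues the merge behind the branch's required checks (this needs auto-merge enabled in the repository settings and branch protection that actually requires the checks). The `if:` on that step also admits `semver-minor`, and if the Dependabot commit prefix is a conventional type such as `chore(deps)`, the `release.config.mjs` added in this commit turns the merged bump into a patch release and a pushed image with nobody looking; restricting auto-merge to `semver-patch` is the usual compromise. If the `env:` block that continues below this hunk gives `gh` the `secrets.GITHUB_TOKEN`, be aware that a merge made with that token does not start `push`-triggered runs, so the Release workflow would not even see these merges; a GitHub App token or PAT is needed for that chain to work.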
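Review bot: This workflow now runs on `pull_request_target` for changes to `repo.yaml` and `docs/partials/*.md` while holding `permissions: contents: write`; if the job, whose body starts outside this hunk, checks out the PR head and runs repo-ansible against it, a pull request from a fork controls the files that drive the templating while the token can push to the base repository. Gate the job so fork PRs never reach that path, e.g. `if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository`, or keep `contents: write` only on the `push` path and run the PR preview under `pull_request` with read-only permissions. Widening the path filter to `docs/partials/*.md` enlarges the attacker-influenced input set, so this is worth settling before the template is rolled out to every managed repository.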
@@ -70,7 +72,7 @@ jobs:
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
- body: `Following repo-ansible changes will be applied when merged to main/master branch
+ body: `Once PR is merged, repo-ansible will run on [[ repo.github.default_branch ]] and the following changes will apply
\`\`\`shell
${changes}
diff --git a/templates/.releaserc b/templates/.releaserc
deleted file mode 100644
index 17cc813..0000000
--- a/templates/.releaserc
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- "branches": ["master", "main" ],
- "debug": "True",
- "plugins": [
- [
- "@semantic-release/commit-analyzer",
- {
- "preset": "angular",
- "releaseRules": [
- { "type": "chore", "release": "patch" },
- { "type": "test", "release": "patch" },
- { "type": "docs", "release": "patch" },
- { "type": "style", "release": "patch" },
- { "type": "refactor", "release": "patch" },
- { "type": "ci", "release": "patch" }
- ]
- }
- ],
- "@semantic-release/github",
- "@semantic-release/release-notes-generator",
- "@semantic-release/changelog",
- [
- "@semantic-release/git",
- {
- "assets": [
- "CHANGELOG.md"
- ],
- "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
- }
- ],
- [
- "@semantic-release/exec",
- {
- "publishCmd": "echo ${nextRelease.version} > .gitrelease"
- }
- ]
- ]
-}
diff --git a/templates/release.config.mjs.j2 b/templates/release.config.mjs.j2
new file mode 100644
index 0000000..21a82b4
--- /dev/null
+++ b/templates/release.config.mjs.j2
@@ -0,0 +1,30 @@
+/**
+ * {{ repo_managed }}
+ *
+ * Configuration file used by the release workflow .github/workflows/30-release-and-build.yaml
+ */
+/**
+ * @type {import('semantic-release').GlobalConfig}
+ */
+export default {
+ branches: ["{{ repo.github.default_branch }}"],
+ debug: "True",
+ plugins: [
+ [ "@semantic-release/commit-analyzer", { preset: "angular", releaseRules: [
+ { type: "chore", release: "patch" },
+ { type: "ci", release: "patch" },
+ { type: "docs", release: "patch" },
+ { type: "refactor", release: "patch" },
+ { type: "style", release: "patch" },
+ { type: "test", release: "patch" },
+ ] } ],
+ "@semantic-release/github",
+ "@semantic-release/release-notes-generator",
+ "@semantic-release/changelog",
+ [ "@semantic-release/git", {
+ assets: [ "CHANGELOG.md" ],
+ message: "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+ } ],
+ [ "@semantic-release/exec", { publishCmd: "echo ${nextRelease.version} > .gitrelease" } ]
+ ]
+}
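Review bot: `debug: "True"` is a string where semantic-release documents `debug` as a boolean; any non-empty string is truthy, so this turns verbose debug logging on for every release run in CI, which reads like a leftover from the old `.releaserc` rather than a deliberate setting — write `debug: false`, or `debug: true` explicitly if the extra log output is wanted. The `releaseRules` map `chore`, `ci`, `docs`, `refactor`, `style` and `test` to `patch`, so every conventional commit that lands on `{{ repo.github.default_branch }}` produces a GitHub release, a changelog commit and, via 30-release-and-build, a pushed image; a comment above the list saying so, e.g. `// every commit type releases: the published image must track the default branch exactly`, would stop the next reader from "fixing" it. Note that this template is rendered with Ansible's default `{{ }}` delimiters, unlike the workflow templates that switch to `[[ ]]`, so any `{{ ... }}` literal added to this file later will be consumed by Jinja rather than reaching semantic-release.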