From 07741450238085cd2926a72d16008048a82e966e Mon Sep 17 00:00:00 2001
From: Victor
Date: Wed, 13 Mar 2024 22:48:42 +0000
Subject: [PATCH 1/3] ci: update dotfiles and configs
---
.github/dependabot.yaml | 6 -----
.github/renovate.json | 3 +++
.github/workflows/ci.yaml | 2 +-
.github/workflows/release.yaml | 2 +-
.github/workflows/security-scan.yaml | 17 ++++++++++++++
.github/workflows/update-dependencies.yaml | 26 ++++++++++++++++++++++
.pre-commit-config.yaml | 11 ++++-----
.releaserc.json | 14 +----------
script/bootstrap | 15 +++++++++++++
script/setup | 10 +++++++++
10 files changed, 78 insertions(+), 28 deletions(-)
delete mode 100644 .github/dependabot.yaml
create mode 100644 .github/renovate.json
create mode 100644 .github/workflows/security-scan.yaml
create mode 100644 .github/workflows/update-dependencies.yaml
create mode 100755 script/bootstrap
create mode 100755 script/setup
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
deleted file mode 100644
index 253bcb7..0000000
--- a/.github/dependabot.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: github-actions
- directory: /
- schedule:
- interval: daily
diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..32417a5
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,3 @@
+{
+ "extends": ["github>open-turo/renovate-config#v1"]
+}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 576eb96..6a0cf9c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,8 +1,8 @@ name: CI on: + workflow_dispatch: pull_request: - branches: [main] jobs: lint:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0d4c92c..f35f843 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: Release on: push: - branches: [main] + branches: [main, "v*"] jobs: lint:
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 0000000..09b00d0
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,17 @@
+name: Security scan
+
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+ push:
+ branches: [main]
+
+jobs:
+ security-scan:
+ name: Security scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: open-turo/actions-security/static-analysis@v1
+ with:
+ semgrep-app-token: ${{ secrets.SEMGREP_APP_TOKEN }}
diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml
new file mode 100644
index 0000000..7dd3bfe
--- /dev/null
+++ b/.github/workflows/update-dependencies.yaml
@@ -0,0 +1,26 @@
+name: Update dependencies
+concurrency: update-dependencies
+
+on:
+ schedule:
+ # Every day at midnight
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+ issue_comment:
+ types:
+ - edited
+ pull_request:
+ types:
+ - edited
+
+jobs:
+ update-dependencies:
+ runs-on: ubuntu-latest
+ name: Update dependencies
+ # Only run in turo-dependency-manager PRs or when manually triggered or as part of a schedule
+ if: (github.event_name == 'issue_comment' && github.event.issue.user.login == 'turo-dependency-manager') || (github.event_name == 'pull_request' && github.actor == 'turo-dependency-manager') || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ steps:
+ - name: Update dependencies
+ uses: open-turo/action-renovate@v1
+ with:
+ github-token: ${{ secrets.TURO_GITHUB_DEPENDENCY_MANAGER_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2e7b01d..25bee97 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
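Review bot: The new security-scan workflow has no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scopes, which is more than a read-only scanner needs; a top-level `permissions:` with `contents: read` — plus `security-events: write` only if the static-analysis action uploads findings, which I cannot tell from this hunk — would narrow it. `secrets.SEMGREP_APP_TOKEN` is not available to `pull_request` runs opened from forks, so those runs would hand the action an empty token; an `if:` on `github.event.pull_request.head.repo.fork` or a documented fallback inside the action would make that path explicit. Both steps reference mutable tags (`actions/checkout@v4`, `open-turo/actions-security/static-analysis@v1`), as do `open-turo/action-renovate@v1` in update-dependencies.yaml and the `@v2` bumps in patch 2; pinning to a full commit SHA with the version in a trailing comment is the usual supply-chain mitigation, and Renovate can keep such pins current.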
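Review bot: The `issue_comment` clause of the `if:` expression checks `github.event.issue.user.login` — the author of the issue or PR — rather than the author of the edited comment (`github.event.comment.user.login`), so any account that edits a comment on a turo-dependency-manager PR triggers a run holding `TURO_GITHUB_DEPENDENCY_MANAGER_TOKEN`, whereas the `pull_request` clause next to it requires the bot itself to be the `github.actor`; if the two are meant to be symmetric, the comment clause should check the comment author. The job also declares no `permissions:`; since it is handed a dedicated PAT, `permissions: {}` (or `contents: read`) on the job would keep the default GITHUB_TOKEN from carrying write scopes the step may not use — I cannot see from this hunk whether the action reads GITHUB_TOKEN at all. For readability the single-line `if:` could be written as a folded scalar, `if: >-`, one clause per line.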
@@ -1,26 +1,23 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 # Use the ref you want to point at + rev: v4.5.0 hooks: - id: check-json - id: check-yaml - - id: pretty-format-json - args: - - --autofix - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.5.1 + rev: v3.1.0 hooks: - id: prettier stages: [commit] - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook - rev: v8.0.0 + rev: v9.9.0 hooks: - id: commitlint stages: [commit-msg] additional_dependencies: ["@open-turo/commitlint-config-conventional"] - repo: https://github.com/rhysd/actionlint - rev: v1.6.8 + rev: v1.6.26 hooks: - id: actionlint
diff --git a/.releaserc.json b/.releaserc.json
index df364cb..db57aea 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -1,15 +1,3 @@ { - "branches": [ - "main", - { - "channel": "next", - "name": "(f|b|c)/*", - "prerelease": "beta-<%= (/^\\w+-\\d+/.exec(name.substr(2)) || [])[0] %>" - } - ], - "plugins": [ - "@semantic-release/commit-analyzer", - "@semantic-release/release-notes-generator", - "@semantic-release/github" - ] + "extends": "@open-turo/semantic-release-config" }
diff --git a/script/bootstrap b/script/bootstrap
new file mode 100755
index 0000000..116492d
--- /dev/null
+++ b/script/bootstrap
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# script/bootstrap: Resolve all dependencies that the application requires to
+# run.
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+# Local only checks
+if [[ $CI != "true" ]]; then
+ echo -e "==> Setting up commit hooks"
+ pre-commit install
+ pre-commit install --hook-type commit-msg
+fi
diff --git a/script/setup b/script/setup
new file mode 100755
index 0000000..fd9a157
--- /dev/null
+++ b/script/setup
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# script/setup: Set up application for the first time after cloning, or set it
+# back to the initial first unused state.
+
+set -e
+
+cd "$(dirname "$0")/.."
+
+script/bootstrap
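Review bot: In script/bootstrap the two `pre-commit install` calls assume `pre-commit` is already on PATH, but a script whose header says it resolves all dependencies never installs or checks for it, so on a fresh clone the run dies with a bare command-not-found under `set -e`; a guard before the install calls such as `command -v pre-commit >/dev/null 2>&1 || { echo "pre-commit is required but was not found on PATH" >&2; exit 1; }` would give a clear message. `echo -e` enables escape processing for a string that contains no escapes, so plain `echo` is enough. `[[ $CI != "true" ]]` is safe unquoted inside `[[ ]]`, though `set -euo pipefail` in place of `set -e` in both new scripts would also catch failures inside pipelines and unset variables.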
From f13430d15ceacc0fa281a7496854ea5ea5e9c725 Mon Sep 17 00:00:00 2001 From: Victor Date: Wed, 13 Mar 2024 22:50:05 +0000 Subject: [PATCH 2/3] ci: use actions-gha@v2 --- .github/workflows/ci.yaml | 4 ++-- .github/workflows/release.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6a0cf9c..b64010a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,7 +9,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: open-turo/actions-gha/lint@v1 + - uses: open-turo/actions-gha/lint@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -17,6 +17,6 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: open-turo/actions-gha/test@v1 + - uses: open-turo/actions-gha/test@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f35f843..4174eb7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -9,7 +9,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: open-turo/actions-gha/lint@v1 + - uses: open-turo/actions-gha/lint@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -17,7 +17,7 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: open-turo/actions-gha/test@v1 + - uses: open-turo/actions-gha/test@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -30,6 +30,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: open-turo/actions-gha/release@v1 + - uses: open-turo/actions-gha/release@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From f2cdbf526b65d4628f2c0f412dbca45e63fe63cd Mon Sep 17 00:00:00 2001 
From: Victor Date: Thu, 14 Mar 2024 15:56:52 +0000 Subject: [PATCH 3/3] feat: update kubesealer and extract docker-compose into a file --- run-sync/action.yaml | 35 +---------------------------------- run-sync/docker-compose.yaml | 29 +++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 34 deletions(-) create mode 100644 run-sync/docker-compose.yaml diff --git a/run-sync/action.yaml b/run-sync/action.yaml index 97a0e4b..8b61f19 100644 --- a/run-sync/action.yaml +++ b/run-sync/action.yaml @@ -32,40 +32,7 @@ runs: - name: setup docker-compose.yaml working-directory: ${{ runner.temp }}/kubesealer shell: bash - run: | - - cat << EOF > docker-compose.yaml - version: "3.4" - - services: - op-connect-api: - image: 1password/connect-api:latest - ports: - - "8080:8080" - volumes: - - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json" - - "data:/home/opuser/.op/data" - healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8080/heartbeat"] - interval: 2s - timeout: 1s - retries: 5 - start_period: 5s - op-connect-sync: - image: 1password/connect-sync:latest - ports: - - "8081:8080" - volumes: - - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json" - - "data:/home/opuser/.op/data" - kubesealer: - image: turo/kubesealer:latest - env_file: .env - - volumes: - data: - - EOF + run: cp ${{ github.action_path }}/docker-compose.yaml . - name: docker versions shell: bash diff --git a/run-sync/docker-compose.yaml b/run-sync/docker-compose.yaml new file mode 100644 index 0000000..fdf9689 --- /dev/null +++ b/run-sync/docker-compose.yaml 
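Review bot: The replacement `run: cp ${{ github.action_path }}/docker-compose.yaml .` splices the expression straight into the shell command unquoted, so an action path containing whitespace would be word-split before `cp` sees it. GitHub's hardening guidance is to pass expression values through the environment and quote them: add `env:` with `ACTION_PATH: ${{ github.action_path }}` to the step and use `run: cp "$ACTION_PATH/docker-compose.yaml" .`. `github.action_path` is set by the runner rather than by a user, so this is a robustness point rather than an injection one, but it keeps the step consistent with the repository's actionlint hook. The enclosing `runs:`/`steps:` block starts and continues outside the hunk.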
@@ -0,0 +1,29 @@
+version: "3.4"
+
+services:
+ op-connect-api:
+ image: 1password/connect-api:latest
+ ports:
+ - "8080:8080"
+ volumes:
+ - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
+ - "data:/home/opuser/.op/data"
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/heartbeat"]
+ interval: 2s
+ timeout: 1s
+ retries: 5
+ start_period: 5s
+ op-connect-sync:
+ image: 1password/connect-sync:latest
+ ports:
+ - "8081:8080"
+ volumes:
+ - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
+ - "data:/home/opuser/.op/data"
+ kubesealer:
+ image: turo/kubesealer:4.11.0
+ env_file: .env
+
+volumes:
+ data:
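Review bot: `op-connect-api` and `op-connect-sync` stay on the mutable `:latest` tag while `kubesealer` is pinned to `4.11.0` in the same file, so the two images that are handed `1password-credentials.json` can change underneath a CI run with no diff to review; pin them to a release tag (or an image digest) the way kubesealer now is. The published ports `"8080:8080"` and `"8081:8080"` bind on every host interface, and the only consumer visible in this file is the loopback healthcheck on `http://localhost:8080/heartbeat`; if nothing outside the runner needs them, `"127.0.0.1:8080:8080"` and `"127.0.0.1:8081:8080"` keep the Connect API off the runner's external interfaces — I cannot tell from this hunk whether a later step reaches it over the network. `version: "3.4"` is ignored by current Compose v2 releases, which warn that the attribute is obsolete, so it can be dropped unless the runner still uses the legacy `docker-compose` v1 binary.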