diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000000..e69de29bb2 diff --git a/.github/workflows/add_to_octokit_project.yml b/.github/workflows/add_to_octokit_project.yml deleted file mode 100644 index a29942d1fc..0000000000 --- a/.github/workflows/add_to_octokit_project.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Add PRs and issues to Octokit org project - -on: - issues: - types: [reopened, opened] - pull_request_target: - types: [reopened, opened] - -jobs: - add-to-project: - name: Add issue to project - runs-on: ubuntu-latest - continue-on-error: true - if: ${{ github.repository == 'integrations/terraform-provider-github' }} - steps: - - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e #v1.0.2 - with: - project-url: https://github.com/orgs/octokit/projects/10 - github-token: ${{ secrets.OCTOKITBOT_PROJECT_ACTION_TOKEN }} - labeled: "Status: Stale" - label-operator: NOT diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000000..ec9476ae55 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,41 @@ +name: GitHub Actions CI + +on: + push: + branches: + - main + - release-v* + pull_request: + branches: + - main + - release-v* + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read # for actions/checkout + +jobs: + ci: + name: Continuous Integration + runs-on: ubuntu-latest + defaults: + run: + shell: bash + env: + GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - name: Set-up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 + with: + go-version-file: go.mod + cache: true + - run: make tools + - run: make lint + - run: make website-lint + - run: make build + - run: make test 
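Review bot: The five `- run: make …` steps at the end of the `ci` job in ci.yaml carry no `name:` while the two `uses:` steps before them are labelled (`Checkout`, `Set-up Go`), so the job log mixes step labels with raw commands; giving each a name such as `- name: Lint` / `run: make lint` keeps the log consistent. The job also sets no `timeout-minutes`, so a hung `make test` holds the runner until the platform default expires; a job-level `timeout-minutes: 30` (or whatever the suite needs) is cheap insurance. Both points were already present in the ci.yml this file replaces, so they are carried over rather than introduced here.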
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index a42cff4356..0000000000 --- a/.github/workflows/ci.yml +++ /dev/null 
@@ -1,138 +0,0 @@ -name: GitHub Actions CI - -on: - push: - branches: [main] - pull_request: {} - -permissions: - contents: read # for actions/checkout - -env: - test_stacks_directory: test_tf_stacks - -jobs: - ci: - name: Continuous Integration - runs-on: ubuntu-latest - env: - GITHUB_TEST_ORGANIZATION: kfcampbell-terraform-provider - steps: - - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: go.mod - cache: true - - run: make tools - - run: make lint - - run: make website-lint - - run: make build - - run: make test - - generate-matrix: - name: Generate matrix for test stacks - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - has-tests: ${{ steps.set-matrix.outputs.has-tests }} - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - - name: Generate matrix - id: set-matrix - run: | - if [ -d "${{ env.test_stacks_directory }}" ]; then - # find all directories and validate their names - VALID_TESTS=() - INVALID_TESTS=() - - while IFS= read -r dir; do - dirname=$(basename "$dir") - # validate that directory name only contains alphanumeric, hyphens, underscores, and dots - if [[ "$dirname" =~ ^[a-zA-Z0-9_.-]+$ ]]; then - VALID_TESTS+=("$dirname") - else - INVALID_TESTS+=("$dirname") - fi - done < <(find ${{ env.test_stacks_directory }} -mindepth 1 -maxdepth 1 -type d) - - # report invalid directory names if any - if [ ${#INVALID_TESTS[@]} -gt 0 ]; then - echo "::warning::Invalid test directory names found (must contain only alphanumeric, hyphens, underscores, and dots):" - printf ' - %s (will be skipped)\n' "${INVALID_TESTS[@]}" - fi - - # create JSON array from valid tests - if [ ${#VALID_TESTS[@]} -gt 0 ]; then - TESTS=$(printf '%s\n' "${VALID_TESTS[@]}" | jq -R -s -c 'split("\n")[:-1]') - echo "matrix=${TESTS}" >> $GITHUB_OUTPUT - echo "has-tests=true" 
>> $GITHUB_OUTPUT - echo "Found valid test directories: ${TESTS}" - else - echo "matrix=[]" >> $GITHUB_OUTPUT - echo "has-tests=false" >> $GITHUB_OUTPUT - echo "No valid test directories found" - fi - else - echo "Test directory ${{ env.test_stacks_directory }} does not exist" - echo "matrix=[]" >> $GITHUB_OUTPUT - echo "has-tests=false" >> $GITHUB_OUTPUT - fi - - tests: - name: Run tests for Terraform test stacks - needs: [ci, generate-matrix] - if: ${{ needs.generate-matrix.outputs.has-tests == 'true' }} # only run if there are some test stacks - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - tests: ${{ fromJson(needs.generate-matrix.outputs.matrix) }} - - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build provider - run: go build -o terraform-provider-github - - - name: Setup dev overrides - run: | - ROOT_DIR=$(pwd) - cat > ~/.terraformrc << EOF - provider_installation { - dev_overrides { - "integrations/github" = "${ROOT_DIR}" - } - direct {} - } - EOF - - - name: Verify dev overrides setup - run: cat ~/.terraformrc - - - name: Setup Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 - with: - terraform_version: 1.x - - - name: Check Terraform version - run: terraform version - - - name: Terraform init - continue-on-error: true # continue even if init fails - run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} init - - - name: Terraform validate - run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ matrix.tests }} validate - - - name: Clean up - run: rm -f ~/.terraformrc terraform-provider-github diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml new file mode 100644 index 0000000000..c7e4f6cdf8 --- /dev/null 
+++ b/.github/workflows/codeql.yaml 
@@ -0,0 +1,88 @@ +name: CodeQL + +on: + workflow_dispatch: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "16 7 * * 5" + +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true + +permissions: read-all + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended' + - language: go + build-mode: manual + queries: "" # will be used 'default' queries + defaults: + run: + shell: bash + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + + - name: Set-up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 + if: matrix.language == 'go' + with: + go-version-file: go.mod + cache: true + + - name: Initialize CodeQL + uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: ${{ matrix.queries }} + + - name: Build Go + if: ${{ matrix.language == 'go' }} + run: go build ./... 
+ + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + with: + category: "/language:${{matrix.language}}" + + check: + name: Check CodeQL Analysis + if: always() && github.event_name == 'pull_request' + needs: + - analyze + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Check + env: + INPUT_RESULTS: ${{ join(needs.*.result, ' ') }} + run: | + set -euo pipefail + read -a results <<< "${INPUT_RESULTS}" + for result in "${results[@]}"; do + if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then + echo "::error::Workflow failed!" + exit 1 + fi + done diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 8315de0ef5..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
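Review bot: The `check` job inherits the workflow-level `permissions: read-all` although its only step is a shell loop over `needs.*.result` that never uses the token; `permissions: {}` on that job drops the read scopes it does not need (the same applies to the `check` jobs in dotcom-acceptance-tests.yaml and ghes-acceptance-tests.yaml). The loop also treats `skipped` as a pass, which is harmless today because `analyze` has no `if:`, but a comment such as `# only failure/cancelled fail the check; skipped counts as pass` would stop a future conditional on `analyze` from silently green-lighting it. Minor style point: the `Set-up Go` step uses `if: matrix.language == 'go'` while `Build Go` uses `if: ${{ matrix.language == 'go' }}`; pick one form.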
@@ -1,56 +0,0 @@ -name: CodeQL - -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '16 7 * * 5' - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - include: - - language: actions - build-mode: none - queries: security-extended # can be 'default' (use empty for 'default'), 'security-and-quality', 'security-extended' - - language: go - build-mode: autobuild - queries: '' # will be used 'default' queries - - steps: - - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - if: matrix.language == 'go' - with: - go-version-file: 'go.mod' - cache: true - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix['build-mode'] }} - queries: ${{ matrix.queries }} - - - name: Autobuild - uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dotcom-acceptance-tests-all.yml b/.github/workflows/dotcom-acceptance-tests-all.yml deleted file mode 100644 index d3a7d48d0c..0000000000 --- a/.github/workflows/dotcom-acceptance-tests-all.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -name: Dotcom Acceptance Tests (All) - -on: - schedule: - # ┌───────────── minute (0 - 59) - # │ ┌───────────── hour (0 - 23) - # │ │ ┌───────────── day of the month (1 - 31) - # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC) - # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT) - # * * * * * - - cron: '0 0 * * 3' - -jobs: - - acceptance-tests-anonymous: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Anonymous) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALL: true - - acceptance-tests-individual: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Acceptance Tests (Individual) - id: acceptance-tests-individual - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALL: true - GITHUB_OWNER: github-terraform-test-user - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_ORGANIZATION: terraformtesting - - - name: Failed Acceptance Tests (Individual) - if: ${{ failure() }} - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.acceptance-tests-individual.outputs.failed }} - GITHUB_OWNER: github-terraform-test-user - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_ORGANIZATION: 
terraformtesting - - acceptance-tests-organization: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Acceptance Tests (Organization) - id: acceptance-tests-organization - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALL: true - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_OWNER: github-terraform-test-user - - - name: Failed Acceptance Tests (Organization) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - if: ${{ failure() }} - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.acceptance-tests-organization.outputs.failed }} - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_OWNER: github-terraform-test-user diff --git a/.github/workflows/dotcom-acceptance-tests-manual.yml b/.github/workflows/dotcom-acceptance-tests-manual.yml deleted file mode 100644 index f72e4c79e0..0000000000 --- a/.github/workflows/dotcom-acceptance-tests-manual.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Dotcom Acceptance Tests (manual) - -on: - pull_request: - types: [labeled] - -jobs: - - acceptance-tests-anonymous: - runs-on: ubuntu-latest - if: contains(join(github.event.pull_request.labels.*.name, ', '), 'test/') - steps: - - name: Parse Args - id: args - run: | - echo "::set-output name=run_allowed::$( - jq -rc .label.name $GITHUB_EVENT_PATH | cut -d/ -f 2 - )" - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Anonymous) - id: acceptance-tests-anonymous - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALLOWED: ${{ steps.args.outputs.run_allowed }} - - name: Failed Acceptance Tests (Anonymous) - if: ${{ failure() }} - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.acceptance-tests-anonymous.outputs.run_allowed }} - - - acceptance-tests-individual: - runs-on: ubuntu-latest - if: contains(join(github.event.pull_request.labels.*.name, ', '), 'test') - steps: - - name: Parse Args - id: args - run: | - echo "::set-output name=run_allowed::$( - jq -rc .label.name $GITHUB_EVENT_PATH | cut -d/ -f 2 - )" - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Individual) - id: acceptance-tests-individual - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALLOWED: ${{ steps.args.outputs.run_allowed }} - GITHUB_OWNER: 
github-terraform-test-user - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_ORGANIZATION: terraformtesting - - name: Failed Acceptance Tests (Individual) - if: ${{ failure() }} - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.args.outputs.run_allowed }} - GITHUB_OWNER: github-terraform-test-user - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_ORGANIZATION: terraformtesting - - acceptance-tests-organization: - runs-on: ubuntu-latest - if: contains(join(github.event.pull_request.labels.*.name, ', '), 'test') - steps: - - name: Parse Args - id: args - run: | - echo "::set-output name=run_allowed::$( - jq -rc .label.name $GITHUB_EVENT_PATH | cut -d/ -f 2 - )" - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.sha }} - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Acceptance Tests (Organization) - id: acceptance-tests-organization - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALLOWED: ${{ steps.args.outputs.run_allowed }} - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_OWNER: github-terraform-test-user - - - name: Failed Acceptance Tests (Organization) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - if: ${{ failure() }} - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.args.outputs.run_allowed }} - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_OWNER: github-terraform-test-user 
diff --git a/.github/workflows/dotcom-acceptance-tests.yaml b/.github/workflows/dotcom-acceptance-tests.yaml new file mode 100644 index 0000000000..828ab99eb4 --- /dev/null +++ b/.github/workflows/dotcom-acceptance-tests.yaml 
@@ -0,0 +1,109 @@ +name: Acceptance Tests (github.com) + +on: + workflow_dispatch: + # push: + # branches: + # - main + # - release-v* + # pull_request_target: + # types: + # - opened + # - synchronize + # - reopened + # - labeled + # branches: + # - main + # - release-v* + +permissions: read-all + +jobs: + test: + name: Test ${{ matrix.mode }} + runs-on: ubuntu-latest + permissions: + contents: read + environment: + name: acctest-dotcom + strategy: + matrix: + mode: [anonymous, individual, organization] # team, enterprise + fail-fast: false + defaults: + run: + shell: bash + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + + - name: Check secrets + env: + INPUT_ALLOWED_SECRETS: ${{ vars.DOTCOM_ACCEPTANCE_TESTS_ALLOWED_SECRETS || 'DOTCOM_TEST_USER_TOKEN' }} + INPUT_SECRETS: ${{ toJSON(secrets) }} + run: | + set -eou pipefail + + secret_keys="$(jq --raw-output --compact-output '[. | keys[] | select(test("^(?:(?:ACTIONS)|(?:actions)|(?:GITHUB)|(?:github)|(?:TEST)|(?:test))_") | not)] | sort | join(",")' <<<"${INPUT_SECRETS}")" + if [[ "${secret_keys}" != "${INPUT_ALLOWED_SECRETS}" ]]; then + echo "::error::Too many or too few secrets configured: ${secret_keys}" + exit 1 + fi + + - name: Check credentials + id: credentials + if: matrix.mode != 'anonymous' + env: + TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} + run: | + set -eou pipefail + + if [[ -z "${TEST_USER_TOKEN}" ]]; then + echo "::error::Missing credentials" + exit 1 + fi + + echo "token=${TEST_USER_TOKEN}" >> "${GITHUB_OUTPUT}" + + - name: Set-up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 + with: + go-version-file: go.mod + cache: true + + - name: Run tests + env: + TF_ACC: "1" + TF_LOG: INFO + GITHUB_TOKEN: ${{ steps.credentials.outputs.token }} + GITHUB_BASE_URL: https://api.github.com/ + GITHUB_TEST_TYPE: ${{ matrix.mode }} + GITHUB_OWNER: ${{ (matrix.mode == 'individual' && 'github-terraform-test-user') || 
(matrix.mode == 'organization' && 'terraformtesting') || '' }} + GITHUB_ORGANIZATION: ${{ (matrix.mode == 'organization' && 'terraformtesting') || '' }} + GITHUB_TEST_ORGANIZATION: ${{ (matrix.mode == 'individual' && 'terraformtesting') || '' }} + GITHUB_TEST_OWNER: ${{ (matrix.mode == 'organization' && 'github-terraform-test-user') || '' }} + GITHUB_TEST_USER_TOKEN: ${{ steps.credentials.outputs.token }} + run: go test -run "^TestAcc*" ./github -v -race -coverprofile=coverage.txt -covermode=atomic -timeout 120m -count=1 + + check: + name: Check DotCom Acceptance Tests + if: always() && github.event_name == 'pull_request' + needs: + - test + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Check + env: + INPUT_RESULTS: ${{ join(needs.*.result, ' ') }} + run: | + set -euo pipefail + read -a results <<< "${INPUT_RESULTS}" + for result in "${results[@]}"; do + if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then + echo "::error::Workflow failed!" + exit 1 + fi + done diff --git a/.github/workflows/dotcom-acceptance-tests.yml b/.github/workflows/dotcom-acceptance-tests.yml deleted file mode 100644 index f7a58e730e..0000000000 --- a/.github/workflows/dotcom-acceptance-tests.yml +++ /dev/null 
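Review bot: The `check` job is gated on `if: always() && github.event_name == 'pull_request'`, but this workflow only triggers on `workflow_dispatch` and the commented-out trigger block is `pull_request_target`, whose event name is not `pull_request`, so `check` never runs now and would still not run once that block is enabled; `if: always() && contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name)` matches the intended triggers (the same condition appears in ghes-acceptance-tests.yaml). The `Check credentials` step copies `secrets.DOTCOM_TEST_USER_TOKEN` into a step output only so that the skipped anonymous case yields an empty `GITHUB_TOKEN`; the runner masks the value, but routing a secret through `GITHUB_OUTPUT` is an extra surface, and a mode-conditional expression on the secret directly in the `Run tests` env would avoid it. If `pull_request_target` is later enabled, note that `actions/checkout` has no `ref:` here, so the job would test the base branch rather than the PR head — presumably the intended safe default while `environment: acctest-dotcom` gates the secret, but worth a comment next to the commented trigger. Finally, `-run "^TestAcc*"` is a regexp in which `*` makes the trailing `c` optional; `-run "^TestAcc"` expresses the intent.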
@@ -1,61 +0,0 @@ -name: Dotcom Acceptance Tests - -on: - push: - branches: - - test/** - -jobs: - - acceptance-tests-anonymous: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - name: Acceptance Tests (Anonymous) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - - acceptance-tests-individual: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Individual) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - GITHUB_OWNER: github-terraform-test-user - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_ORGANIZATION: terraformtesting - - acceptance-tests-organization: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Organization) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.DOTCOM_TEST_USER_TOKEN }} - GITHUB_TEST_OWNER: github-terraform-test-user diff --git a/.github/workflows/ghes-acceptance-tests-all.yml b/.github/workflows/ghes-acceptance-tests-all.yml deleted file mode 100644 index 060b99ec92..0000000000 
--- a/.github/workflows/ghes-acceptance-tests-all.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -name: GHES Acceptance Tests (All) - -on: - schedule: - # ┌───────────── minute (0 - 59) - # │ ┌───────────── hour (0 - 23) - # │ │ ┌───────────── day of the month (1 - 31) - # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC) - # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT) - # * * * * * - - cron: '0 0 * * 3' - -jobs: - runtime: - runs-on: ubuntu-latest - steps: - - name: Query server address - id: server-address - run: | - SERVER_ADDRESS=$(dig +short terraformtesting-ghe.eastus.cloudapp.azure.com) - echo "::set-output name=server-address::${SERVER_ADDRESS}" - outputs: - server-address: ${{ steps.server-address.outputs.server-address }} - - acceptance-tests-anonymous: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Anonymous) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - - acceptance-tests-individual: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Acceptance Tests (Individual) - id: acceptance-tests-individual - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALL: true 
- GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_OWNER: administrator - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} - - - name: Failed Acceptance Tests (Individual) - if: ${{ failure() }} - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.acceptance-tests-individual.outputs.failed }} - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_OWNER: administrator - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} - - acceptance-tests-organization: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Acceptance Tests (Organization) - id: acceptance-tests-organization - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - TF_LOG: INFO - RUN_ALL: true - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} - - - name: Failed Acceptance Tests (Organization) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - if: ${{ failure() }} - with: - TF_LOG: DEBUG - RUN_ALLOWED: ${{ steps.acceptance-tests-organization.outputs.failed }} - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} 
diff --git a/.github/workflows/ghes-acceptance-tests.yaml b/.github/workflows/ghes-acceptance-tests.yaml new file mode 100644 index 0000000000..0627fa5c79 --- /dev/null +++ b/.github/workflows/ghes-acceptance-tests.yaml 
@@ -0,0 +1,121 @@ +name: Acceptance Tests (GHES) + +on: + workflow_dispatch: + # pull_request_target: + # types: + # - opened + # - synchronize + # - reopened + # - labeled + # branches: + # - main + # - release-v* + +permissions: read-all + +jobs: + test: + name: Test GHES + runs-on: ubuntu-latest + permissions: + contents: read + environment: + name: acctest-ghes + defaults: + run: + shell: bash + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + + - name: Check secrets + env: + INPUT_ALLOWED_SECRETS: ${{ vars.GHES_ACCEPTANCE_TESTS_ALLOWED_SECRETS || 'GHES_TEST_USER_TOKEN' }} + INPUT_SECRETS: ${{ toJSON(secrets) }} + run: | + set -eou pipefail + + secret_keys="$(jq --raw-output --compact-output '[. | keys[] | select(test("^(?:(?:ACTIONS)|(?:actions)|(?:GITHUB)|(?:github)|(?:TEST)|(?:test))_") | not)] | sort | join(",")' <<<"${INPUT_SECRETS}")" + if [[ "${secret_keys}" != "${INPUT_ALLOWED_SECRETS}" ]]; then + echo "::error::Too many or too few secrets configured: ${secret_keys}" + exit 1 + fi + + - name: Check server address + id: server + env: + GHES_TEST_SERVER_HOST: ${{ vars.GHES_TEST_SERVER_HOST }} + run: | + set -eou pipefail + + host="${GHES_TEST_SERVER_HOST}" + + if [[ -z "${host}" ]]; then + echo "::error::Missing GHES server address" + exit 1 + fi + + test="$(dig +short "${host}")" + + if [[ "${test}" != "255.255.255.255" ]]; then + echo "Invalid server address" >&2 + exit 1 + fi + + echo "address=https://${host}/" >> "${GITHUB_OUTPUT}" + + - name: Check credentials + id: credentials + env: + TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} + run: | + set -eou pipefail + + if [[ -z "${TEST_USER_TOKEN}" ]]; then + echo "::error::Missing credentials" + exit 1 + fi + + echo "token=${TEST_USER_TOKEN}" >> "${GITHUB_OUTPUT}" + + - name: Set-up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 + with: + go-version-file: go.mod + cache: true + + - name: Run tests + env: + TF_ACC: 
"1" + TF_LOG: INFO + GITHUB_TOKEN: ${{ steps.credentials.outputs.token }} + GITHUB_BASE_URL: ${{ steps.server.outputs.address }} + GITHUB_TEST_TYPE: enterprise + GITHUB_OWNER: terraformtesting + GITHUB_ORGANIZATION: terraformtesting + GITHUB_TEST_USER_TOKEN: ${{ steps.credentials.outputs.token }} + run: go test -run "^TestAcc*" ./github -v -race -coverprofile=coverage.txt -covermode=atomic -timeout 120m -count=1 + + check: + name: Check GHES Acceptance Tests + if: always() && github.event_name == 'pull_request' + needs: + - test + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Check + env: + INPUT_RESULTS: ${{ join(needs.*.result, ' ') }} + run: | + set -euo pipefail + read -a results <<< "${INPUT_RESULTS}" + for result in "${results[@]}"; do + if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then + echo "::error::Workflow failed!" + exit 1 + fi + done diff --git a/.github/workflows/ghes-acceptance-tests.yml b/.github/workflows/ghes-acceptance-tests.yml deleted file mode 100644 index 300a71e41c..0000000000 --- a/.github/workflows/ghes-acceptance-tests.yml +++ /dev/null 
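Review bot: The `Check server address` step exits with `Invalid server address` whenever `dig +short "${host}"` returns anything other than `255.255.255.255`, which inverts the sentinel logic of the removed ghes-acceptance-tests*.yml files, where `255.255.255.255` was the "server unavailable" answer that skipped the jobs; unless the intent changed, the guard should read `if [[ -z "${test}" || "${test}" == "255.255.255.255" ]]; then` so an unresolvable or parked host fails and a real address proceeds. That failure message is also the only one in this file written as plain stderr rather than a workflow annotation; `echo "::error::Invalid server address"` matches the `Check secrets` and `Check credentials` steps. Also, `set -eou pipefail` in the three check steps and `set -euo pipefail` in the `check` job are the same options in two spellings; use one form.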
@@ -1,79 +0,0 @@ -name: GHES Acceptance Tests - -on: - push: - branches: - - test/** - -jobs: - runtime: - runs-on: ubuntu-latest - steps: - - name: Query server address - id: server-address - run: | - SERVER_ADDRESS=$(dig +short terraformtesting-ghe.eastus.cloudapp.azure.com) - echo "::set-output name=server-address::${SERVER_ADDRESS}" - outputs: - server-address: ${{ steps.server-address.outputs.server-address }} - - acceptance-tests-anonymous: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Anonymous) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - - acceptance-tests-individual: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Individual) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_OWNER: administrator - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} - - acceptance-tests-organization: - needs: [runtime] - if: ${{ needs.runtime.outputs.server-address != '255.255.255.255' }} - runs-on: ubuntu-latest - 
steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 2 - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - name: Acceptance Tests (Organization) - uses: terraformtesting/acceptance-tests@66f4842d934555dde0f59bf1a00abd0fc710ece4 # v2.2.0 - with: - GITHUB_BASE_URL: "https://terraformtesting-ghe.eastus.cloudapp.azure.com/" - GITHUB_ORGANIZATION: terraformtesting - GITHUB_TEST_USER_TOKEN: ${{ secrets.GHES_TEST_USER_TOKEN }} diff --git a/.github/workflows/immediate-response.yml b/.github/workflows/immediate-response.yaml similarity index 55% rename from .github/workflows/immediate-response.yml rename to .github/workflows/immediate-response.yaml index 938bdd5598..6baaaec0f4 100644 --- a/.github/workflows/immediate-response.yml +++ b/.github/workflows/immediate-response.yaml @@ -1,7 +1,5 @@ -name: Issue/PR response -permissions: - issues: write - pull-requests: write +name: Issue/PR Response + on: issues: types: 
@@ -9,23 +7,27 @@ on: pull_request_target: types: - opened + +permissions: read-all + jobs: - respond-to-issue: - if: ${{ github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && - github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' && - github.repository == 'integrations/terraform-provider-github' }} + respond: + name: Respond to Issue or PR + if: github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]' && github.actor != 'githubactions[bot]' && github.actor != 'octokitbot' && github.repository == 'integrations/terraform-provider-github' runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write + defaults: + run: + shell: bash steps: - - name: Determine issue or PR number - id: extract - run: echo "NUMBER=${{ github.event.issue.number || github.event.pull_request.number }}" >> "$GITHUB_OUTPUT" - - - name: Respond to issue or PR + - name: Comment uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: - issue-number: ${{ steps.extract.outputs.NUMBER }} + issue-number: ${{ github.event.issue.number || github.event.pull_request.number }} body: > 👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! - We have a [process in place](https://github.com/octokit/.github/blob/main/community/prioritization_response.md#overview) for prioritizing and responding to your input. + We have a [process in place](https://github.com/octokit/.github/blob/main/community/prioritization_response.md#overview) for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with `Status: Up for grabs`. You & others like you are the reason all of this works! So thank you & happy coding! 🚀 
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yaml similarity index 61% rename from .github/workflows/labeler.yml rename to .github/workflows/labeler.yaml index d22e251e1f..cd090f9d37 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yaml @@ -4,13 +4,18 @@ on: pull_request_target: types: [opened, synchronize, reopened] -permissions: - contents: read - pull-requests: write # Use this if all labels already exist in the repository (i.e., pre-defined in .github/labeler.yml). +permissions: read-all jobs: labeler: + name: Label PRs runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write # Use this if all labels already exist in the repository (i.e., pre-defined in .github/labeler.yml). + defaults: + run: + shell: bash steps: - name: Run Labeler uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000000..0b0792deea --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,67 @@ +name: Release + +# This GitHub action creates a release when a tag that matches the pattern +# "v*" (e.g. v0.1.0) is created. +on: + push: + tags: + - v* + +concurrency: + group: release + cancel-in-progress: false + +permissions: read-all + +jobs: + goreleaser: + name: GoReleaser + runs-on: ubuntu-latest + # Releases need permissions to read and write the repository contents. + # GitHub considers creating releases and uploading assets as writing contents. + permissions: + contents: write + environment: + name: release + defaults: + run: + shell: bash + steps: + - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + # Allow goreleaser to access older tag information. + fetch-depth: 0 + + - name: Set-up Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 + with: + go-version-file: go.mod + cache: true + + - name: Install Syft + uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + + - name: Install Cosign + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + id: import_gpg + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 + id: goreleaser + env: + # GitHub sets the GITHUB_TOKEN secret automatically. + GITHUB_TOKEN: ${{ github.token }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + with: + args: release --clean + + - name: Attest artifacts + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-checksums: ./dist/${{ github.event.repository.name }}_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_SHA256SUMS 
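Review bot: The `goreleaser` job grants only `contents: write`, but the "Attest artifacts" step (`actions/attest-build-provenance`) needs `id-token: write` and `attestations: write`, and the keyless `cosign sign-blob` that .goreleaser.yml now runs (`COSIGN_YES=true`, no `--key`) also needs `id-token: write` to obtain the OIDC token, so the release will stop at signing or attestation with a permissions error. Add `id-token: write` and `attestations: write` under the job's `permissions:` block next to `contents: write`. A short comment above the block saying which step needs which permission would keep the next maintainer from trimming them again.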
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 0df975241a..0000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -# Terraform Provider release workflow. -name: Release - -# This GitHub action creates a release when a tag that matches the pattern -# "v*" (e.g. v0.1.0) is created. -on: - push: - tags: - - 'v*' - -# Releases need permissions to read and write the repository contents. -# GitHub considers creating releases and uploading assets as writing contents. -permissions: - contents: write - -jobs: - pre-release-tests: - name: Run tests before release - runs-on: ubuntu-latest - env: - test_stacks_directory: test_tf_stacks # root directory for test stacks - pre_release_tests: provider_only # directory name for pre-release tests - permissions: - contents: read - - steps: - - name: Checkout - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - - - name: Setup Go - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: go.mod - cache: true - - - name: Build provider - run: go build -o terraform-provider-github - - - name: Setup dev overrides - run: | - ROOT_DIR=$(pwd) - cat > ~/.terraformrc << EOF - provider_installation { - dev_overrides { - "integrations/github" = "${ROOT_DIR}" - } - direct {} - } - EOF - - - name: Verify dev overrides setup - run: cat ~/.terraformrc - - - name: Setup Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 - with: - terraform_version: 1.x - - - name: Check Terraform version - run: terraform version - - - name: Terraform init - continue-on-error: true # continue even if init fails - run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ env.pre_release_tests }} init - - - name: Terraform validate - run: terraform -chdir=./${{ env.test_stacks_directory }}/${{ env.pre_release_tests }} validate - - - name: Clean up - run: rm -f ~/.terraformrc terraform-provider-github - - goreleaser: - needs: [ pre-release-tests ] # runs only if pre-release tests pass - runs-on: ubuntu-latest - steps: - - uses: 
actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - with: - # Allow goreleaser to access older tag information. - fetch-depth: 0 - - - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 - with: - go-version-file: 'go.mod' - cache: true - - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 - id: import_gpg - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.PASSPHRASE }} - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 - with: - args: release --clean - version: '~> v2' - env: - # GitHub sets the GITHUB_TOKEN secret automatically. - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yaml similarity index 76% rename from .github/workflows/stale.yml rename to .github/workflows/stale.yaml index c4841745fc..3675d43a3f 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yaml @@ -1,4 +1,5 @@ -name: Close stale issues and PRs +name: Close Stale Issues & PRs + on: workflow_dispatch: schedule: @@ -8,12 +9,22 @@ on: # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC) # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT) # * * * * * - - cron: '0 0 * * 3' - - cron: '30 1 * * *' + - cron: "0 0 * * 3" + - cron: "30 1 * * *" + +permissions: read-all jobs: stale: + name: Stale runs-on: ubuntu-latest + permissions: + contents: read # If we want to delete branches write is required + issues: write + pull-requests: write + defaults: + run: + shell: bash steps: - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: 
@@ -29,8 +40,8 @@ jobs: Thank you for your contributions and help in keeping things tidy! days-before-stale: 270 days-before-close: 7 - exempt-issue-labels: 'Status: Pinned' - exempt-pr-labels: 'Status: Pinned' + exempt-issue-labels: "Status: Pinned" + exempt-pr-labels: "Status: Pinned" operations-per-run: 100 - stale-issue-label: 'Status: Stale' - stale-pr-label: 'Status: Stale' + stale-issue-label: "Status: Stale" + stale-pr-label: "Status: Stale" diff --git a/.goreleaser.yml b/.goreleaser.yml index a6aa94bad6..624747d147 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,10 +1,15 @@ # Visit https://goreleaser.com for documentation on how to customize this # behavior. version: 2 + +env: + - COSIGN_YES=true + before: hooks: # this is just an example and not a requirement for provider building/publishing - go mod tidy + builds: - env: # goreleaser does not work with CGO, it could also complicate 
@@ -30,32 +35,51 @@ builds: - goos: darwin goarch: "386" binary: "{{ .ProjectName }}_v{{ .Version }}" + archives: - - formats: [ 'zip' ] + - formats: ['zip'] name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" + +sboms: + - id: default + artifacts: source + checksum: extra_files: - glob: "terraform-registry-manifest.json" name_template: "{{ .ProjectName }}_{{ .Version }}_manifest.json" name_template: "{{ .ProjectName }}_{{ .Version }}_SHA256SUMS" algorithm: sha256 + signs: - - artifacts: checksum + - id: gpg + cmd: gpg args: - # if you are using this in a GitHub action or some other automated pipeline, you - # need to pass the batch flag to indicate its not interactive. - - "--batch" - - "--local-user" - - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key - - "--output" + - --batch + - --local-user + - "{{ .Env.GPG_FINGERPRINT }}" + - --output - "${signature}" - - "--detach-sign" + - --detach-sign - "${artifact}" + artifacts: checksum + - id: cosign + signature: "${artifact}.sbom.json.bundle" + cmd: cosign + args: + - sign-blob + - --new-bundle-format + - --bundle + - "${signature}" + - "${artifact}" + artifacts: checksum + release: extra_files: - - glob: "terraform-registry-manifest.json" + - glob: terraform-registry-manifest.json name_template: "{{ .ProjectName }}_{{ .Version }}_manifest.json" - # If you want to manually examine the release before its live, uncomment this line: - # draft: true + # If you want to manually examine the release before its live, uncomment this line: + # draft: true + changelog: disable: true diff --git a/RELEASE.md b/RELEASE.md index 2be591e519..1384bf3e01 100644 --- a/RELEASE.md +++ b/RELEASE.md 
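Review bot: The cosign entry names its output `"${artifact}.sbom.json.bundle"` while signing `artifacts: checksum`, so the bundle written next to `{{ .ProjectName }}_{{ .Version }}_SHA256SUMS` carries an `.sbom.json` infix although it covers the checksum file, not the SBOM produced by the new `sboms` section. Either point the entry at the SBOM (`artifacts: sbom`) or rename the output to `signature: "${artifact}.bundle"` so consumers running `cosign verify-blob --bundle` pick the right file; whichever is intended, RELEASE.md should state the expected certificate identity (this release workflow) so verifiers do not accept an arbitrary keyless certificate. The explanatory comment on `--batch` was dropped with the requoting; keep a one-line `# --batch: gpg must not prompt in CI` above the args list.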
@@ -1,22 +1,22 @@ ## Release Flow -The release process uses GitHub Actions and [`goreleaser`](https://github.com/goreleaser/goreleaser) to build, sign, and upload provider binaries to a GitHub release. +The release process uses GitHub Actions and [`goreleaser`](https://github.com/goreleaser/goreleaser) to build, sign, and upload provider binaries to a GitHub release. Release are triggered by a tag with the pattern `v*` (e.g. `v1.2.3`); these tags may only be created from the default branch (`main`) or branches that match the pattern `release-v*`. The release flow is as follows: -1. Navigate to the [repository's Releases page](https://github.com/integrations/terraform-provider-github/releases) and click "Draft a new release". -1. Create a new tag that makes sense with the project's semantic versioning. - 1. Before releasing a major version, check the following: - - Read [this doc](https://developer.hashicorp.com/terraform/plugin/best-practices/versioning#versioning-specification) for Hashicorp's major release guidance. - - Ensure there hasn't been a major release in the past year. - - Check all [major-release-tagged](https://github.com/integrations/terraform-provider-github/pulls?q=label%3AvNext) PRs and add them to the release branch as appropriate. - - Ensure all applicable schema changes include [schema migration functions](https://github.com/integrations/terraform-provider-github/blob/a361b158a645282a238cdefa5c40ae950556a4a7/github/migrate_github_repository.go#L20) so consumers' state is not disrupted. -1. Auto-generate the release notes. + +[!IMPORTANT] +> In you're planning on releasing a major version, please ensure you've completed the following tasks: +> +> - Read Hashicorp guidance on [incrementing the major version](https://developer.hashicorp.com/terraform/plugin/best-practices/versioning#example-major-number-increments). 
+> - Check if there are any outstanding [PRs with breaking changes](https://github.com/integrations/terraform-provider-github/issues?q=state%3Aopen%20label%3A%22Type%3A%20Breaking%20change%22) that could be included in the release. +> - Check that all deprecations have been addressed and removed from the codebase. + +1. Navigate to the [repository's Releases page](https://github.com/integrations/terraform-provider-github/releases) and click _Draft a new release_. +1. Create a new [SemVer](https://semver.org/) tag for the release. +1. Select the target as either the default branch (`main`) or a release branch (a branch matching the pattern `release-v*`) +1. Click _Generate release notes_. +1. If this release is from a release branch (unless it really is the latest release) uncheck the _Set as the latest release_ checkbox. 1. Click "Publish release". -1. GitHub Actions will trigger the release workflow which can be -[viewed here](https://github.com/integrations/terraform-provider-github/actions?query=workflow%3Arelease). -After the workflow executes successfully, the GitHub release created in the prior step will -have the relevant assets available for consumption. -1. The new release will show up in https://registry.terraform.io/providers/integrations/github/latest for consumption -by Terraform users. -1. For terraform `0.12.X` users, the new release is available for consumption once it is present in -https://releases.hashicorp.com/terraform-provider-github/. +1. GitHub Actions will trigger the [release workflow](https://github.com/integrations/terraform-provider-github/actions/workflows/release.yaml). + +After the workflow executes successfully, the GitHub release created in the prior step will have the relevant assets available for consumption and the new version will show up in the [Terraform Registry](https://registry.terraform.io/providers/integrations/github/latest). diff --git a/github/config.go b/github/config.go index d2647dd55e..61f214a4aa 100644 
--- a/github/config.go +++ b/github/config.go @@ -2,6 +2,7 @@ package github import ( "context" + "fmt" "net/http" "net/url" "path" @@ -103,7 +104,7 @@ func (c *Config) NewRESTClient(client *http.Client) (*github.Client, error) { hostname := uv3.Hostname() if hostname != DotComHost && !GHECDataResidencyHostMatch.MatchString(hostname) { - uv3.Path = path.Join(uv3.Path, "api/v3/") + uv3.Path = fmt.Sprintf("%s/", path.Join(uv3.Path, "api/v3")) } v3client, err := github.NewClient(client).WithEnterpriseURLs(uv3.String(), "") diff --git a/test_tf_stacks/provider_only/provider.tf b/test_tf_stacks/provider_only/provider.tf deleted file mode 100644 index 31555fe31a..0000000000 --- a/test_tf_stacks/provider_only/provider.tf +++ /dev/null @@ -1,11 +0,0 @@ -terraform { - required_providers { - github = { - source = "integrations/github" - } - } -} - -provider "github" { - token = "fake_token_for_validation" -} diff --git a/test_tf_stacks/test_secrets/test.tf b/test_tf_stacks/test_secrets/test.tf deleted file mode 100644 index ed857f4e68..0000000000 --- a/test_tf_stacks/test_secrets/test.tf +++ /dev/null @@ -1,27 +0,0 @@ -terraform { - required_providers { - github = { - source = "integrations/github" - } - } -} - -provider "github" { - token = "fake_token_for_validation" -} - -# Test both resources with different configurations -resource "github_actions_secret" "test" { - repository = "test_repo" - secret_name = "test_secret" - plaintext_value = "test_value" - destroy_on_drift = true -} - -resource "github_actions_organization_secret" "test" { - secret_name = "org_secret" - encrypted_value = "dGVzdA==" - visibility = "private" - destroy_on_drift = false -} -
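Review bot: `fmt.Sprintf("%s/", path.Join(uv3.Path, "api/v3"))` adds a `fmt` import only to append a slash; `uv3.Path = path.Join(uv3.Path, "api/v3") + "/"` reads more directly and needs no new dependency. Either way the line deserves a why-comment, e.g. `// path.Join cleans away trailing slashes; re-add one so the enterprise base URL ends in "api/v3/"`, since the previous code passed `"api/v3/"` to path.Join and lost the slash silently. A table test over base URLs with and without a trailing slash, plus one that already ends in `/api/v3/`, would pin this; the last case presumably still yields a doubled `api/v3/api/v3/` segment as before unless it is normalised elsewhere. NewRESTClient starts and ends outside the hunk.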