ci: overhaul workflows (#9)

Author: SweetOps

.github/auto-release.yml

@@ -34,21 +34,23 @@ categories:
   - 'feat'
 - title: '🐛 Bug Fixes'
   labels:
-  - 'auto-update'
   - 'patch'
   - 'fix'
   - 'bugfix'
   - 'bug'
   - 'hotfix'
   - 'refactor'
-  - 'ci'
-  - 'build'
   - 'docs'
   - 'test'
   - 'chore'
-- title: '🤖 Automatic Updates'
+- title: '📦 Updates'
   labels:
   - 'auto-update'
+  - 'build'
+  - 'ci'
+- title: ':hammer_and_wrench: Refactoring'
+  labels:
+  - 'refactor'
 
 change-template: |
   <details>

.github/dependabot.yml

@@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - ci
+    commit-message:
+      prefix: "[skip-release] ci:"
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - build
+    commit-message:
+      prefix: "build:"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - build
+    commit-message:
+      prefix: "[skip-release] build:"

.github/labels.yml

@@ -54,4 +54,4 @@
   description: Adding missing tests or correcting existing tests
 - color: dfb443
   name: chore
-  description: Adding missing tests or correcting existing tests
+  description: Adding missing tests or correcting existing tests

.github/workflows/ci.yml

@@ -0,0 +1,106 @@
+name: Validate and Test Terraform manifests
+
+on:
+  pull_request:
+
+env:
+  TERRAFORM_VERSION: ~1.9
+
+jobs:
+  terraform:
+    name: terraform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Ensure Terraform code is formated
+        run: terraform fmt -check
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Validate Terraform code
+        run: terraform validate -no-color
+
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Run trivy with reviewdog output on the PR
+        uses: reviewdog/action-trivy@v1
+        with:
+          trivy_command: config
+          trivy_target: .
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          filter_mode: diff_context
+          fail_on_error: "true"
+
+  tflint:
+    name: tflint
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Check with tflint
+        uses: reviewdog/action-tflint@v1
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          fail_on_error: "true"
+          filter_mode: diff_context
+          flags: "--module"
+
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    needs: 
+      - terraform
+      - trivy
+      - tflint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: tests/go.mod
+          cache-dependency-path: |
+            tests/go.sum
+
+      - name: Run terratest
+        run: make terratest

.github/workflows/docs.yml

@@ -6,30 +6,13 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
-      - name: Render terraform docs inside the examples/basic/README.md
-        uses: terraform-docs/gh-actions@v1.0.0
+      - name: Render terraform docs
+        uses: terraform-docs/gh-actions@v1.2.0
         with:
-          working-dir: ./examples/basic/
-          git-push: "false"
-          output-file: README.md
-          config-file: ".terraform-docs.yml"
-
-      - name: Render terraform docs inside the examples/basic/README.md
-        uses: terraform-docs/[email protected]
-        with:
-          working-dir: ./examples/replicated/
-          git-push: "false"
-          output-file: README.md
-          config-file: ".terraform-docs.yml"
-
-      - name: Render terraform docs inside the README.md
-        uses: terraform-docs/[email protected]
-        with:
-          working-dir: .
+          working-dir: .,./examples/basic,./examples/replicated
           git-push: "true"
-          output-file: README.md
-          config-file: ".terraform-docs.yml"

.github/workflows/labeler.yml

@@ -1,21 +1,25 @@
----
 name: Sync labels
 
 on:
   push:
     branches:
-      - master
       - main
+  pull_request:
+    paths:
+      - ".github/labels.yml"
+      - ".github/workflows/labels.yml"
 
 jobs:
   sync-labels:
     name: Sync labels in the declarative way
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: micnncim/[email protected]
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Sync labels
+        uses: crazy-max/ghaction-github-labeler@v5
         with:
-          manifest: .github/labels.yml
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          yaml-file: .github/labels.yml
+          dry-run: ${{ github.event_name == 'pull_request' }}

.github/workflows/labels.yml

@@ -4,25 +4,34 @@ on:
   pull_request_target:
     types:
       - opened
-      - reopened
       - edited
       - synchronize
 
 jobs:
   lint-pr:
     runs-on: ubuntu-latest
-
     steps:
       - name: Lint PR
-        uses: aslafy-z/[email protected]
+        uses: amannn/action-semantic-pull-request@v5
         with:
-          preset: conventional-changelog-angular@^5.0.6
+          types: |
+            build
+            ci
+            docs
+            feat
+            fix
+            perf
+            refactor
+            style
+            test
+            chore
+          requireScope: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Comment for PR title conformance
         if: failure()
-        uses: peter-evans/create-or-update-comment@v3
+        uses: peter-evans/create-or-update-comment@v4
         with:
           issue-number: ${{tojson(github.event.number)}}
           body: |
@@ -40,3 +49,10 @@ jobs:
             * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
             * **test**: Adding missing tests or correcting existing tests
             * **chore**: No production code change
+
+      - name: Add label to PR
+        if: github.actor != 'dependabot[bot]'
+        uses: fuxingloh/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: .github/labeler.yml

.github/workflows/pr-lint.yml

@@ -3,14 +3,15 @@ name: Release Drafter
 on:
   push:
     branches:
-      - master
       - main
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - name: Create Release
+        if: "!contains(github.event.head_commit.message, '[skip-release]')"
+        uses: release-drafter/release-drafter@v6
         with:
           publish: true
           prerelease: false

.github/workflows/release.yml

@@ -7,9 +7,9 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/stale@v8
+      - name: Run stale actio
+        uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days"