ci: overhaul workflows (#22)

Author: SweetOps

.github/auto-release.yml

@@ -34,21 +34,23 @@ categories:
   - 'feat'
 - title: '🐛 Bug Fixes'
   labels:
-  - 'auto-update'
   - 'patch'
   - 'fix'
   - 'bugfix'
   - 'bug'
   - 'hotfix'
   - 'refactor'
-  - 'ci'
-  - 'build'
   - 'docs'
   - 'test'
   - 'chore'
-- title: '🤖 Automatic Updates'
+- title: '📦 Updates'
   labels:
   - 'auto-update'
+  - 'build'
+  - 'ci'
+- title: ':hammer_and_wrench: Refactoring'
+  labels:
+  - 'refactor'
 
 change-template: |
   <details>

.github/dependabot.yml

@@ -5,10 +5,22 @@ updates:
     schedule:
       interval: "weekly"
     labels:
-      - "chore"
+      - ci
+    commit-message:
+      prefix: "[skip-release] ci:"
   - package-ecosystem: "terraform"
     directory: "/"
     schedule:
       interval: "weekly"
     labels:
-      - "chore"
+      - build
+    commit-message:
+      prefix: "build:"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - build
+    commit-message:
+      prefix: "[skip-release] build:"

.github/workflows/ci.yml

@@ -0,0 +1,106 @@
+name: Validate and Test Terraform manifests
+
+on:
+  pull_request:
+
+env:
+  TERRAFORM_VERSION: ~1.9
+
+jobs:
+  terraform:
+    name: terraform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Ensure Terraform code is formated
+        run: terraform fmt -check
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Validate Terraform code
+        run: terraform validate -no-color
+
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Run trivy with reviewdog output on the PR
+        uses: reviewdog/action-trivy@v1
+        with:
+          trivy_command: config
+          trivy_target: .
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          filter_mode: diff_context
+          fail_on_error: "true"
+
+  tflint:
+    name: tflint
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Check with tflint
+        uses: reviewdog/action-tflint@v1
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          fail_on_error: "true"
+          filter_mode: diff_context
+          flags: "--module"
+
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    needs: 
+      - terraform
+      - trivy
+      - tflint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: tests/go.mod
+          cache-dependency-path: |
+            tests/go.sum
+
+      - name: Run terratest
+        run: make terratest

.github/workflows/docs.yml

@@ -11,17 +11,8 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
-      - name: Render terraform docs inside the examples/basic/README.md
+      - name: Render terraform docs
         uses: terraform-docs/gh-actions@v1.2.0
         with:
-          working-dir: ./examples/basic/
-          git-push: "false"
-          output-file: README.md
-          config-file: ./examples/basic/.terraform-docs.yml
-
-      - name: Render terraform docs inside the README.md
-        uses: terraform-docs/gh-actions@v1.2.0
-        with:
-          working-dir: .
+          working-dir: .,./examples/basic
           git-push: "true"
-          output-file: README.md

.github/workflows/labeler.yml

@@ -10,7 +10,6 @@ on:
 jobs:
   lint-pr:
     runs-on: ubuntu-latest
-
     steps:
       - name: Lint PR
         uses: amannn/action-semantic-pull-request@v5
@@ -50,3 +49,10 @@ jobs:
             * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
             * **test**: Adding missing tests or correcting existing tests
             * **chore**: No production code change
+
+      - name: Add label to PR
+        if: github.actor != 'dependabot[bot]'
+        uses: fuxingloh/multi-labeler@v4.0.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: .github/labeler.yml

.github/workflows/pr-lint.yml

@@ -9,7 +9,9 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - name: Create Release
+        if: "!contains(github.event.head_commit.message, '[skip-release]')"
+        uses: release-drafter/release-drafter@v6
         with:
           publish: true
           prerelease: false

.github/workflows/release.yml

@@ -7,9 +7,9 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/stale@v9
+      - name: Run stale actio
+        uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days"