feat: add Dependabot configuration for automated dependency updates #80
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| env: | |
| GO_VERSION: "1.24" | |
| GOLANGCI_LINT_VERSION: "v2.2.1" | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Run go mod tidy | |
| run: go mod tidy | |
| - name: Run golangci-lint | |
| uses: golangci/golangci-lint-action@v8 | |
| with: | |
| version: ${{ env.GOLANGCI_LINT_VERSION }} | |
| - name: Check code formatting | |
| run: | | |
| if [ -n "$(gofmt -l .)" ]; then | |
| echo "The following files need formatting:" | |
| gofmt -l . | |
| exit 1 | |
| fi | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| go-version: ["1.24"] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| cache: true | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Install gotestsum | |
| run: go install gotest.tools/gotestsum@latest | |
| - name: Run tests | |
| run: | | |
| gotestsum --junitfile junit.xml --format testname -- -v -cover -coverprofile=coverage.out ./internal/... | |
| - name: Upload test results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: test-results | |
| path: junit.xml | |
| - name: Upload coverage reports | |
| uses: codecov/codecov-action@v5 | |
| if: matrix.go-version == env.GO_VERSION | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| slug: Trozz/terraform-provider-pocketid | |
| files: ./coverage.out,./junit.xml | |
| flags: unittests | |
| name: codecov-umbrella | |
| fail_ci_if_error: true | |
| verbose: true | |
| # Acceptance tests are not run in CI because Pocket-ID requires: | |
| # 1. Manual passkey registration through the UI | |
| # 2. Manual API key generation through the UI | |
| # 3. No programmatic way to bootstrap an instance | |
| # | |
| # To run acceptance tests locally: | |
| # 1. Start a Pocket-ID instance | |
| # 2. Register a user with a passkey | |
| # 3. Generate an API key | |
| # 4. Set POCKETID_BASE_URL and POCKETID_API_TOKEN | |
| # 5. Run: make test-acc | |
| docs: | |
| name: Documentation | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Install tfplugindocs | |
| run: go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@latest | |
| - name: Generate documentation | |
| run: tfplugindocs generate --provider-name=pocketid | |
| - name: Check for uncommitted changes | |
| run: | | |
| if [[ -n $(git status -s) ]]; then | |
| echo "Documentation is out of date. Please run 'make docs' and commit the changes." | |
| git diff | |
| exit 1 | |
| fi | |
| pre-release: | |
| name: Pre-release | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check for Go file changes | |
| id: go_changes | |
| run: | | |
| # Get the latest tag | |
| LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "") | |
| if [ -z "$LATEST_TAG" ]; then | |
| echo "No previous tags found, assuming Go files changed" | |
| echo "changed=true" >> $GITHUB_OUTPUT | |
| else | |
| # Check if any Go files changed since the last tag | |
| GO_CHANGES=$(git diff --name-only ${LATEST_TAG}..HEAD -- '*.go' 'go.mod' 'go.sum' | wc -l) | |
| if [ "$GO_CHANGES" -gt 0 ]; then | |
| echo "Go files changed since ${LATEST_TAG}" | |
| echo "changed=true" >> $GITHUB_OUTPUT | |
| git diff --name-only ${LATEST_TAG}..HEAD -- '*.go' 'go.mod' 'go.sum' | |
| else | |
| echo "No Go files changed since ${LATEST_TAG}" | |
| echo "changed=false" >> $GITHUB_OUTPUT | |
| fi | |
| fi | |
| - name: Set up Go | |
| if: steps.go_changes.outputs.changed == 'true' | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Import GPG key | |
| if: steps.go_changes.outputs.changed == 'true' | |
| id: import_gpg | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Generate snapshot version | |
| if: steps.go_changes.outputs.changed == 'true' | |
| id: version | |
| run: | | |
| # Get the latest release tag (exclude pre-release tags) | |
| LATEST_TAG=$(git tag -l 'v*' | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n1 || echo "v0.0.0") | |
| if [ -z "$LATEST_TAG" ]; then | |
| LATEST_TAG="v0.0.0" | |
| fi | |
| echo "Latest release tag: ${LATEST_TAG}" | |
| # Remove 'v' prefix | |
| VERSION=${LATEST_TAG#v} | |
| echo "Version without prefix: ${VERSION}" | |
| # Parse version components | |
| IFS='.' read -r major minor patch <<< "$VERSION" | |
| echo "Version components: major=${major}, minor=${minor}, patch=${patch}" | |
| # Generate new version | |
| NEW_VERSION="${major}.${minor}.$((patch + 1))-dev.$(date +%Y%m%d%H%M%S)+$(git rev-parse --short HEAD)" | |
| echo "Pre-release version: ${NEW_VERSION}" | |
| echo "version=${NEW_VERSION}" >> $GITHUB_OUTPUT | |
| - name: Run GoReleaser (snapshot) | |
| if: steps.go_changes.outputs.changed == 'true' | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: latest | |
| args: release --snapshot --skip=sign --clean --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate pre-release attestations | |
| if: steps.go_changes.outputs.changed == 'true' | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: | | |
| dist/*.zip | |
| dist/*_checksums.txt | |
| - name: Upload artifacts | |
| if: steps.go_changes.outputs.changed == 'true' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: pre-release-artifacts | |
| path: dist/* | |
| - name: Create GitHub pre-release | |
| if: steps.go_changes.outputs.changed == 'true' | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| name: "Development Build v${{ steps.version.outputs.version }}" | |
| tag_name: "v${{ steps.version.outputs.version }}" | |
| prerelease: true | |
| draft: false | |
| files: | | |
| dist/*.zip | |
| dist/*_checksums.txt | |
| body: | | |
| ## Development Build | |
| This is an automated development build from commit ${{ github.sha }}. | |
| **⚠️ This is a pre-release version and should not be used in production.** | |
| ### Commit Information | |
| - SHA: ${{ github.sha }} | |
| - Author: ${{ github.actor }} | |
| - Message: ${{ github.event.head_commit.message }} | |
| ### Installation | |
| Download the appropriate archive for your platform and extract the provider binary. | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| needs: [lint, test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: "fs" | |
| scan-ref: "." | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Run gosec security scanner | |
| uses: securego/gosec@master | |
| with: | |
| args: "-fmt sarif -out gosec-results.sarif ./..." | |
| - name: Upload gosec results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: "gosec-results.sarif" |