build.yml

---
name: build

on:  # yamllint disable-line rule:truthy
  merge_group:
    types:
      - checks_requested
  # We use the default activity types for the pull_request event as specified here:
  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
  pull_request:
  push:
  repository_dispatch:
    types:
      - apb

# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
  run:
    shell: bash -Eueo pipefail -x {0}

env:
  PIP_CACHE_DIR: ~/.cache/pip
  PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
  RUN_TMATE: ${{ secrets.RUN_TMATE }}
  TERRAFORM_DOCS_REPO_BRANCH_NAME: cisagov
  TERRAFORM_DOCS_REPO_DEPTH: 1
  TERRAFORM_DOCS_REPO_URL: https://github.com/mcdonnnj/terraform-docs.git

jobs:
  diagnostics:
    name: Run diagnostics
    # This job does not need any permissions
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      # Note that a duplicate of this step must be added at the top of
      # each job.
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          check_github_status: "true"
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory.  As a result we disable it by default.  If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical.  See
          # cisagov/skeleton-generic#207 for more details.
          monitor_permissions: "false"
          output_workflow_context: "true"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
  lint:
    needs:
      - diagnostics
    permissions:
      # actions/checkout needs this to fetch code
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory.  As a result we disable it by default.  If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical.  See
          # cisagov/skeleton-generic#207 for more details.
          monitor_permissions: "false"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
      - id: setup-env
        uses: cisagov/setup-env-github-action@v1
      - uses: actions/checkout@v6
      - id: setup-python
        uses: actions/setup-python@v6
        with:
          python-version: ${{ steps.setup-env.outputs.python-version }}
      # We need the Go version and Go cache location for the actions/cache step,
      # so the Go installation must happen before that.
      - id: setup-go
        uses: actions/setup-go@v6
        with:
          # There is no expectation for actual Go code so we disable caching as
          # it relies on the existence of a go.sum file.
          cache: false
          go-version: ${{ steps.setup-env.outputs.go-version }}
      - id: go-cache
        name: Lookup Go cache directory
        run: |
          echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
      - uses: actions/cache@v5
        env:
          BASE_CACHE_KEY: >-
            ${{ github.job }}-${{ runner.os
            }}-py${{ steps.setup-python.outputs.python-version
            }}-go${{ steps.setup-go.outputs.go-version
            }}-packer${{ steps.setup-env.outputs.packer-version
            }}-tf${{ steps.setup-env.outputs.terraform-version }}-
        with:
          key: >-
            ${{ env.BASE_CACHE_KEY }}${{
            hashFiles('**/requirements-test.txt') }}-${{
            hashFiles('**/requirements.txt') }}-${{
            hashFiles('**/.pre-commit-config.yaml') }}
          # Note that the .terraform directory IS NOT included in the
          # cache because if we were caching, then we would need to use
          # the `-upgrade=true` option. This option blindly pulls down the
          # latest modules and providers instead of checking to see if an
          # update is required. That behavior defeats the benefits of caching.
          # so there is no point in doing it for the .terraform directory.
          path: |
            ${{ env.PIP_CACHE_DIR }}
            ${{ env.PRE_COMMIT_CACHE_DIR }}
            ${{ steps.go-cache.outputs.dir }}
          restore-keys: |
            ${{ env.BASE_CACHE_KEY }}
      - uses: hashicorp/setup-packer@v3
        with:
          version: ${{ steps.setup-env.outputs.packer-version }}
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
      - name: Install go-critic
        env:
          PACKAGE_URL: github.com/go-critic/go-critic/cmd/gocritic
          PACKAGE_VERSION: ${{ steps.setup-env.outputs.go-critic-version }}
        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
      - name: Install goimports
        env:
          PACKAGE_URL: golang.org/x/tools/cmd/goimports
          PACKAGE_VERSION: ${{ steps.setup-env.outputs.goimports-version }}
        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
      - name: Install gosec
        env:
          PACKAGE_URL: github.com/securego/gosec/v2/cmd/gosec
          PACKAGE_VERSION: ${{ steps.setup-env.outputs.gosec-version }}
        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
      - name: Install staticcheck
        env:
          PACKAGE_URL: honnef.co/go/tools/cmd/staticcheck
          PACKAGE_VERSION: ${{ steps.setup-env.outputs.staticcheck-version }}
        run: go install ${PACKAGE_URL}@${PACKAGE_VERSION}
      # TODO: https://github.com/cisagov/skeleton-generic/issues/165
      # We are temporarily using a branch of @mcdonnnj's fork of terraform-docs that
      # groups changes from his PRs until they are approved and merged:
      # https://github.com/terraform-docs/terraform-docs/pull/745
      # https://github.com/terraform-docs/terraform-docs/pull/901
      # This temporary fix will allow for ATX header support when terraform-docs is run
      # during linting and output delimiter rows with cell spacing that passes
      # Markdownlint's MD060/table-column-style rule.
      - name: Clone ATX headers branch from terraform-docs fork
        run: |
          git clone \
           --branch $TERRAFORM_DOCS_REPO_BRANCH_NAME \
           --depth $TERRAFORM_DOCS_REPO_DEPTH \
           --single-branch \
           $TERRAFORM_DOCS_REPO_URL /tmp/terraform-docs
      - name: Build and install terraform-docs binary
        run: |
          go build \
          -C /tmp/terraform-docs \
          -o $(go env GOPATH)/bin/terraform-docs
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip setuptools
          pip install --upgrade --requirement requirements-test.txt
      - name: Install Ansible roles
        run: |
          ansible-galaxy install --force --role-file ansible/requirements.yml
          ansible-galaxy install --force --role-file packer/ansible/requirements.yml
      - name: Set up pre-commit hook environments
        run: pre-commit install-hooks
      - name: Run pre-commit on all files
        env:
          # We have seen some failures of packer init in GitHub Actions due to
          # rate limiting when pulling Packer plugins from GitHub.  Having
          # Packer use a GitHub API token should reduce this.  The rate
          # limiting for unauthenticated requests is 60 requests/hour while
          # the rate limiting for authenticated requests is 5000
          # requests/hour.
          PACKER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pre-commit run --all-files
      - name: Setup tmate debug session
        uses: mxschmitt/action-tmate@v3
        if: env.RUN_TMATE