Commit 82b7d1d
OCM-24672 | chore: consolidate checks under make pre-push-checks
Unify the module merge gate in Makefile (inline pre-push-checks), add make tools for pinned CLI installs, extend the CI client image, add verify-min-terraform workflow, remove test.yml, and align docs.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: Amanda Hager Lopes de Andrade Katz <amanda.katz@redhat.com>
1 parent 863dcb4 commit 82b7d1d

20 files changed

Lines changed: 496 additions & 453 deletions

.dockerignore

Lines changed: 4 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,4 @@
1+
.git
2+
bin/
3+
**/.terraform/
4+
.terraform-docs-cache/
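Review bot: the `bin/` entry is the one that matters for supply-chain hygiene here: `bin/` is where the local tool binaries that `.gitignore` refers to land, and without this exclusion a developer's host-architecture binaries would be copied into the client image build context alongside the Dockerfile's own pinned installs. A one-line comment above each entry saying why it is excluded (`.git` for size and leaked history, `**/.terraform/` for provider caches) would make the file self-explaining for the next person who adds an entry.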

.github/pull_request_template.md

Lines changed: 1 addition & 2 deletions
@@ -83,7 +83,6 @@ Examples: variable rename/removal, output rename/removal, default value change,
8383
- [ ] Relevant Jira/GitHub issues and related PRs are linked.
8484
- [ ] Tests were added/updated where appropriate.
8585
- [ ] I manually tested the change.
86-
- [ ] `make verify` passes.
87-
- [ ] `make verify-gen` passes.
86+
- [ ] `make pre-push-checks` passes (or each step: `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, `docs-lint`).
8887
- [ ] Documentation was added/updated where appropriate (see `make terraform-docs`).
8988
- [ ] Any risk, limitation, or follow-up work is documented.
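Review bot: the per-step alternative in the new checklist item omits `tools`, yet CONTRIBUTING.md in this same commit says `make pre-push-checks` runs `tools` first to install the pinned CLI versions; a contributor who runs the listed steps individually may be checking with whatever `tflint`, `addlicense` or Vale build happens to be on their PATH. Suggest leading the list with it: `(or each step: \`tools\`, \`verify\`, \`verify-gen\`, ...)`.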

.github/workflows/generate_terraform_docs.yaml renamed to .github/workflows/generate-terraform-docs.yaml

Lines changed: 1 addition & 9 deletions
@@ -28,15 +28,7 @@ jobs:
2828
ref: ${{ github.head_ref }}
2929

3030
- name: Install terraform-docs
31-
run: |
32-
set -euo pipefail
33-
TERRAFORM_DOCS_VERSION="$(grep -E '^ARG TERRAFORM_DOCS_VERSION=' Dockerfile | cut -d= -f2)"
34-
curl -sSLo ./terraform-docs.tar.gz "https://terraform-docs.io/dl/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz"
35-
tar -xzf terraform-docs.tar.gz terraform-docs
36-
chmod +x terraform-docs
37-
sudo mv terraform-docs /usr/local/bin/terraform-docs
38-
rm -f terraform-docs.tar.gz
39-
terraform-docs version
31+
run: make terraform-docs-bin
4032

4133
# Commits are created via the GitHub Git Database API (not git commit) so GitHub can
4234
# attribute and verify them for the authenticated GitHub App installation.
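Review bot: the replaced step placed the binary in `/usr/local/bin` and ran `terraform-docs version` as a smoke test; `make terraform-docs-bin` presumably installs into the repo-local `bin/`, so please confirm that the later `make terraform-docs` step in this job resolves the binary from there (for example the Makefile prepending `bin/` to `PATH`) and that the target fails loudly on an incomplete download or extraction rather than leaving a zero-byte file. The version source also moves from `ARG TERRAFORM_DOCS_VERSION` in the Dockerfile to the Makefile (the `.gitignore` comment change in this commit says as much), so the Dockerfile should now take its value from the Makefile too, otherwise the two will drift.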

.github/workflows/license-check.yaml

Lines changed: 1 addition & 7 deletions
@@ -11,14 +11,8 @@ jobs:
1111
steps:
1212
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1313

14-
- name: Set up Go
15-
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
16-
with:
17-
go-version: '1.26.3'
18-
1914
- name: Install addlicense
20-
run: |
21-
go install github.com/google/addlicense@v1.2.0
15+
run: make license-check-bin
2216

2317
- name: Check license headers
2418
run: make license-check
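Review bot: dropping `actions/setup-go` is only safe if `make license-check-bin` installs `addlicense` from a release artifact and never falls back to `go install`, since the runner no longer has a Go toolchain; the removed step pinned `github.com/google/addlicense@v1.2.0`, so confirm the Makefile pins the same version and, following the `hack/install-release-tool.sh` pattern AGENTS.md recommends, ideally verifies a checksum for the downloaded archive before putting it on PATH.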
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
# Interim GitHub Actions security gate until OpenShift Prow runs the client image scan.
2+
# A dedicated Prow presubmit will be investigated and added in openshift/release.
3+
# Requires Docker on the runner (available on ubuntu-latest) for `make security-check-image`.
4+
name: Security check (Trivy image)
5+
6+
on:
7+
pull_request:
8+
paths:
9+
- Dockerfile
10+
- Makefile
11+
- trivy-image.yaml
12+
- hack/install-release-tool.sh
13+
14+
jobs:
15+
security-check-image:
16+
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
19+
steps:
20+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
21+
22+
- name: Install Trivy
23+
uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.6
24+
with:
25+
version: v0.70.0
26+
27+
- name: Build client image and scan for vulnerabilities
28+
run: make security-check-image TRIVY="$(command -v trivy)"
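Review bot: the `paths:` filter at the top of the file omits `.trivyignore`, which this commit also edits and which directly changes what the scan reports; a PR that re-adds a suppression would merge without the scan re-running, so add it to the list. Two smaller points on the same trigger block: a `pull_request` workflow with a `paths:` filter reports no status when it is skipped, so it cannot be made a required check without a no-op counterpart, and the image's base layers can acquire new CRITICAL findings with no change to any listed file, so a `schedule:` trigger would make this interim gate meaningfully stronger.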
Lines changed: 6 additions & 9 deletions
@@ -1,10 +1,11 @@
1-
name: Terraform test
1+
# Validates examples at the minimum Terraform version (root versions.tf required_version).
2+
name: Verify (minimum Terraform)
23

34
on:
45
pull_request:
56

67
jobs:
7-
test:
8+
verify-terraform-1-5-7:
89
runs-on: ubuntu-latest
910
permissions:
1011
contents: read
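Review bot: embedding the Terraform version in the job id (`verify-terraform-1-5-7`) means every bump of `required_version` in `versions.tf` also renames the job, which silently breaks any branch-protection required-check entry that points at the old name; prefer a stable id such as `verify-min-terraform` and keep the version value in one place.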
@@ -13,12 +14,8 @@ jobs:
1314

1415
- uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
1516
with:
17+
terraform_version: "1.5.7"
1618
terraform_wrapper: false
1719

18-
- uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
19-
20-
- name: Lint
21-
run: make lint
22-
23-
- name: Terraform unit tests
24-
run: make unit-tests
20+
- name: Validate examples (minimum supported Terraform)
21+
run: make verify
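Review bot: `terraform_version: "1.5.7"` duplicates the value the header comment says lives in root `versions.tf`; if the two drift, CI validates at a version the module no longer claims to support. A short step that extracts `required_version` from `versions.tf` and feeds it to `setup-terraform` would remove the duplication. Also, the removed `make lint` and `make unit-tests` steps now have no CI coverage until the Prow presubmit lands; CONTRIBUTING.md in this commit says so, but a tracking issue link in the header comment would keep that gap visible.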

.gitignore

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
# terraform-docs.sh pinned binary cache (version from Dockerfile)
1+
# terraform-docs local cache (version from Makefile)
22
.terraform-docs-cache/
33

44
# Local tool binaries (for example Vale installed via make docs-lint)

.trivyignore

Lines changed: 1 addition & 4 deletions
@@ -1,5 +1,2 @@
11
# Misconfiguration IDs to skip — see https://trivy.dev/latest/docs/configuration/filtering/
2-
# Prefer `#trivy:ignore:<ID>` on Terraform resources; use this file when required (e.g. Dockerfile).
3-
4-
# Root Dockerfile: tooling image installs yum/terraform/aws/rosa/terraform-docs as root; no non-root USER by design.
5-
DS-0002
2+
# Prefer `#trivy:ignore:<ID>` on Terraform resources; use this file only when inline suppression is not possible.
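Review bot: removing the `DS-0002` entry is correct only if the Dockerfile in this commit now ends with a non-root `USER` (the AGENTS.md change here says `65532:65532`); that file's diff is not in this view, so please confirm, since otherwise `make security-check` will start failing on the Dockerfile. The old file also recorded why the suppression existed; when a suppression is needed again, keep that habit of a one-line justification next to the ID so the reviewer can judge whether it is still warranted.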

AGENTS.md

Lines changed: 12 additions & 1 deletion
@@ -55,6 +55,17 @@ Useful skills for this codebase:
5555
- Use **`sensitive`** on variables and outputs where values must not appear in logs or casual `terraform show` output; avoid echoing secrets in `local` values used only for debugging. Passthrough outputs (**`module.*` → root output**) must match submodule sensitivity—see **Security** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc).
5656
- Do not add logging, outputs, or comments that expose credentials or session tokens.
5757

58+
## CI client Dockerfile (Prow)
59+
60+
The root **`Dockerfile`** builds the **OpenShift Prow** client image (`terraform-rhcs-rosa-hcp-clients`). Treat it as a **minimal supply-chain surface**: include **only** what presubmit jobs in [`openshift/release`](https://github.com/openshift/release/tree/master/ci-operator/config/terraform-redhat/terraform-rhcs-rosa-hcp) need today (`make verify`, `make verify-gen`, `make run-example`, and the tools behind `make pre-push-checks`).
61+
62+
When changing the Dockerfile:
63+
64+
- **Minimize attack surface** — prefer **`ubi-minimal`** with a **pinned** minor tag (not `:latest`); end with a **non-root** `USER` (currently `65532:65532`); do not add OS packages, compilers, or CLIs “for convenience” without a job that uses them.
65+
- **Pin versions** — base image, ROSA CLI, and Makefile tools; use **`# renovate:`** comments and existing patterns (`hack/install-release-tool.sh` release binaries, not `go install`, unless unavoidable).
66+
- **Avoid bloat** — the image is tool-heavy (Terraform, AWS CLI, ROSA, lint binaries); do not grow it with extra runtimes, caches, or unrelated utilities. Prefer release tarballs over full language SDKs in the final image.
67+
- **Security scans**`make security-check` / `make security-check-image` are separate from `make pre-push-checks`; fix findings or document narrow suppressions per the **Trivy** section below.
68+
5869
## Trivy (IaC misconfiguration)
5970

6071
Repo config: root **`trivy.yaml`** (severity, scanners, skips; includes **`examples/`**). CodeRabbit may run Trivy when enabled in **`.coderabbit.yaml`**. References: [Trivy config file](https://trivy.dev/latest/docs/references/configuration/config-file/), [filtering / ignores](https://trivy.dev/latest/docs/configuration/filtering/).
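Review bot: the new `Minimize attack surface` bullet covers what goes into the image but not what goes into the build context; since this commit also adds a `.dockerignore`, a sentence there telling contributors to keep `.git`, `bin/` and Terraform caches out of the context, and to extend `.dockerignore` when new local artifacts appear, would make the guidance complete. The `Pin versions` bullet could likewise name the `.dockerignore` as part of what reviewers check on Dockerfile PRs.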
@@ -93,4 +104,4 @@ Use mocks for AWS and RHCS resources to verify logic without requiring live cred
93104

94105
When module behavior branches on a **boolean variable** (e.g. **`count = var.x ? 1 : 0`**), prefer **more than one `run` block** (or clearly separated scenarios) so **both** outcomes are covered—typically **`true` / `count = 1`** and **`false` / `count = 0`**—not only the default or “happy” path. That avoids regressions where the positive case passes but the opt-out path breaks.
95106

96-
For exact commands and pass/fail criteria, follow **`CONTRIBUTING.md`**.
107+
Before opening a PR, `make pre-push-checks` must pass locally; see **`CONTRIBUTING.md`** for commands and pass/fail criteria.

CONTRIBUTING.md

Lines changed: 9 additions & 5 deletions
@@ -17,20 +17,24 @@ This repo is **ROSA HCP** only. The sibling **ROSA Classic** module is [`terrafo
1717
## Before you open a PR
1818

1919
1. **Format**`terraform fmt -recursive` (or format only dirs you changed).
20-
2. **Validate**`make verify` (runs `terraform init` + `validate` in each `examples/*` directory). Fix failures in examples you touch or that your change breaks.
20+
2. **Validate**`make verify` (runs `terraform init` + `validate` in each `examples/*` directory; compatible with the minimum Terraform version in root **`versions.tf`**, currently **>= 1.5.7**). Fix failures in examples you touch or that your change breaks.
2121
3. **Docs** — If you changed variables, outputs, modules, or root wiring: run `make verify-gen` (runs `terraform-docs` via [`scripts/terraform-docs.sh`](scripts/terraform-docs.sh), then [`scripts/verify-gen.sh`](scripts/verify-gen.sh) to ensure README inject blocks are committed).
2222
4. **Module tests** — If a submodule under `modules/<name>/tests/` has `*.tftest.hcl`, run `terraform init -backend=false && terraform test` from `modules/<name>/`, or run `make unit-tests` for all modules with tests.
23-
5. **Documentation lint**`make docs-lint` runs the pinned [Vale](https://docs.vale.sh/) CLI with Red Hat documentation styles (see [`.vale.ini`](.vale.ini)). Building Vale uses `CGO_ENABLED=1` and requires a C compiler toolchain on the first install.
23+
5. **Documentation lint**`make docs-lint` runs the pinned [Vale](https://docs.vale.sh/) CLI (release binary from [vale-cli/vale](https://github.com/vale-cli/vale)) with Red Hat documentation styles (see [`.vale.ini`](.vale.ini)).
2424
6. **Provider** — Treat [`terraform-redhat/rhcs`](https://github.com/terraform-redhat/terraform-provider-rhcs) as the source of truth: mirror its schemas in variables and docs. Add `validation` / `precondition` only to echo the provider’s required fields and allowed values (fail fast); do not duplicate or tighten rules the provider already enforces.
2525
7. **Module scope (AWS-only)** — If the change adds or expands **AWS-only** configuration (no `rhcs` surface), confirm it matches **`Module scope (AWS-only vs core HCP)`** in [`.cursor/rules/rosa-hcp-terraform.mdc`](.cursor/rules/rosa-hcp-terraform.mdc). In the PR, **link official Red Hat or cited ROSA HCP documentation** that supports shipping it in-repo, or explain why an exception is justified.
2626

27-
Run the full local verification flow (same steps planned for CI) with:
27+
Run the full local verification flow (same steps as the planned single OpenShift Prow presubmit) with:
2828

2929
```shell
30-
make basic-checks
30+
make pre-push-checks
3131
```
3232

33-
`make basic-checks` runs `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Use `make run-checks -- basic --list-steps` or `--dry-run` to inspect the sequence without running it.
33+
`make pre-push-checks` runs `tools` (installs pinned CLI versions from the Makefile), then `verify`, `verify-gen`, `lint`, `unit-tests`, `license-check`, and `docs-lint` in order (fail-fast). Install tools alone with `make tools`. Run individual check targets when debugging one step. OpenShift Prow will use `make pre-push-checks` as the presubmit merge gate after `openshift/release` is updated. Until then, GitHub Actions runs `make verify` at Terraform 1.5.7 via **`verify-min-terraform.yml`**; run `make pre-push-checks` locally before opening a PR.
34+
35+
**Security (separate from the merge gate):** `make security-check` runs [Trivy](https://trivy.dev/) IaC misconfiguration scans using [`trivy.yaml`](trivy.yaml) (HIGH/CRITICAL). `make security-check-image` builds the root [`Dockerfile`](Dockerfile) and scans the image with [`trivy-image.yaml`](trivy-image.yaml) (fails on **CRITICAL** vulnerabilities with a known fix). Install Trivy locally with `make security-check-bin`.
36+
37+
Until OpenShift Prow runs the client image scan, GitHub Actions runs `make security-check-image` on pull requests when [`Makefile`](Makefile), [`Dockerfile`](Dockerfile), [`trivy-image.yaml`](trivy-image.yaml), or [`hack/install-release-tool.sh`](hack/install-release-tool.sh) change (`.github/workflows/security-check-image.yaml`, [setup-trivy](https://github.com/aquasecurity/setup-trivy)). A dedicated Prow presubmit in [`openshift/release`](https://github.com/openshift/release) will be investigated and added later. IaC scans (`make security-check`) remain local/Prow-only for now.
3438

3539
## Commit format
3640

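Review bot: the new paragraph that begins "`make pre-push-checks` runs `tools`" names the workflow as `verify-min-terraform.yml`, while the later paragraph and every other workflow in this commit use the `.yaml` extension (`security-check-image.yaml`, `license-check.yaml`, `generate-terraform-docs.yaml`); please make the documented file name match the real file. Also worth one sentence on where `make tools` puts its binaries (the gitignored `bin/`) so readers understand that `pre-push-checks` does not touch their system-wide installs.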