diff --git a/.commitlintrc.json b/.commitlintrc.json index 311c351..05a3caa 100644 --- a/.commitlintrc.json +++ b/.commitlintrc.json @@ -16,6 +16,7 @@ "delete-run", "dep-review", "get-token", + "pr-check", "pr-title", "ossf", "release", @@ -34,19 +35,7 @@ "type-enum": [ 2, "always", - [ - "build", - "chore", - "ci", - "docs", - "feat", - "fix", - "perf", - "refactor", - "revert", - "style", - "test" - ] + ["chore", "ci", "docs", "feat", "fix", "refactor"] ] } } diff --git a/.github/workflows/delete-workflow-run.yaml b/.github/workflows/delete-workflow-run.yaml index 1aca6fd..6ceca37 100644 --- a/.github/workflows/delete-workflow-run.yaml +++ b/.github/workflows/delete-workflow-run.yaml @@ -2,6 +2,7 @@ name: Delete old workflow runs on: schedule: - cron: 0 0 1 * * + workflow_dispatch: {} # Disable permissions for all available scopes permissions: {} @@ -24,4 +25,4 @@ jobs: token: ${{ github.token }} repository: ${{ github.repository }} retain_days: 90 - keep_minimum_runs: 14 + keep_minimum_runs: 6 diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index eede5c4..d00ef83 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -6,7 +6,7 @@ # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement name: Dependency Review on: - pull_request: + pull_request_target: types: [opened, reopened, synchronize] branches: [main] 
@@ -21,10 +21,17 @@ jobs: dependency-review: permissions: contents: read + pull-requests: write runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Checkout Repository uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + persist-credentials: false + - name: Dependency Review uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 + with: + comment-summary-in-pr: always + fail-on-severity: high diff --git a/.github/workflows/pr-check.yaml b/.github/workflows/pr-check.yaml new file mode 100644 index 0000000..b7fecf1 --- /dev/null +++ b/.github/workflows/pr-check.yaml @@ -0,0 +1,23 @@ +name: PR Check +on: + pull_request_target: + types: [opened, edited, reopened, synchronize] + +# Disable permissions for all available scopes +permissions: {} + +jobs: + validate-pr-title: + name: Validate PR title + permissions: + contents: read + pull-requests: write + uses: 3ware/workflows/.github/workflows/pr-title.yaml@0bd5c5d052b31311b5f841f71f113260df047181 # 4.13.0 + + enforce-all-checks: + name: Checks + needs: [validate-pr-title] + permissions: + checks: read + uses: 3ware/workflows/.github/workflows/wait-for-checks.yaml@61d14ca4e861fc9c11acacc7d80a10a78775a4e3 # 4.11.0 + secrets: inherit diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml index a8caf2f..4a30f7c 100644 --- a/.github/workflows/pr-title.yaml +++ b/.github/workflows/pr-title.yaml @@ -1,16 +1,13 @@ name: Validate PR title on: - pull_request: - types: [opened, edited, reopened, synchronize] - branches: [main] workflow_call: {} # Disable permissions for all available scopes permissions: {} concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} + group: pr-title-${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true defaults: 
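Review bot: `fail-on-severity: high` relaxes the action's default threshold (`low`), so a pull request that adds a dependency with a moderate-severity advisory now passes this check; if that is the intent, say so inline, e.g. `fail-on-severity: high  # moderate/low advisories appear in the PR comment but do not block`. With the trigger switched to `pull_request_target` in the preceding hunk, this job runs with the base repository's token plus `pull-requests: write` (required for `comment-summary-in-pr: always`); the checkout has no `ref:` and so resolves to the base branch, and `persist-credentials: false` is the right accompaniment, but a comment on the step such as `# base-branch checkout only: never point this at the PR head under pull_request_target` would protect that invariant against future edits. As far as this hunk shows, the dependency-review action works from the event's base/head SHAs via the API rather than the working tree, so the checkout step may be removable altogether — worth confirming against the action's documentation.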
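Review bot: `secrets: inherit` on the `enforce-all-checks` job passes every repository secret to the called workflow on a `pull_request_target` event, yet the only secret the called wait-for-checks.yaml uses in this commit is `secrets.GITHUB_TOKEN` (the auto-approve job that consumed `PR_APPROVAL_PAT` is commented out), and the token is made available to called workflows automatically; dropping the line, or naming the required secrets explicitly, keeps the grant minimal. The two reusable-workflow references pin different tags of the same repository (`4.13.0` and `4.11.0`) without a comment saying why they diverge; aligning them, or noting the reason, saves the next reader a history search. A short comment under `on:` explaining that `pull_request_target` is used so fork pull requests can receive comments (`pull-requests: write`) and that nothing in this workflow checks out or executes PR-head content would record the security reasoning where it is needed.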
@@ -50,7 +47,7 @@ jobs: Please update the title to be ${{ env.MAX_PR_TITLE_LENGTH }} characters or less. If you need help, feel free to ask! 😊 - - name: Exit if PR title is too long + - name: Long title summary if: ${{ fromJson(env.PR_TITLE_LENGTH) > fromJson(env.MAX_PR_TITLE_LENGTH) }} run: | echo "### :x: Pull Request title is invalid" >> $GITHUB_STEP_SUMMARY @@ -70,14 +67,19 @@ jobs: - name: Checkout repository uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - name: Get commitlint scopes from configuration file - id: commit_scope + - name: Get attributes from commitlint configuration file + id: commitlint run: | { echo 'COMMIT_SCOPES<> "$GITHUB_ENV" + { + echo 'COMMIT_TYPES<> "$GITHUB_ENV" - name: Validate PR title conforms to conventional spec id: validate-pr-title @@ -87,6 +89,8 @@ jobs: # https://github.com/amannn/action-semantic-pull-request/issues/248 uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 with: + types: | + ${{ env.COMMIT_TYPES }} requireScope: true scopes: | ${{ env.COMMIT_SCOPES }} @@ -119,7 +123,8 @@ jobs: - name: Delete PR comment on resolution # Delete comment if the error message is null or the PR title is the correct length - if: ${{ always() && steps.validate-pr-title.outputs.error_message == null }} + if: ${{ steps.validate-pr-title.outputs.error_message == null }} + id: delete-comment uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0 with: header: pr-title-error 
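Review bot: The checkout step in this hunk (context line `uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac`) does not set `persist-credentials: false`, whereas the same commit adds it to dependency-review.yaml; as far as the hunk shows, the checkout exists only so the next step can read the commitlint configuration, so `with:` / `persist-credentials: false` belongs here too for consistency. Because this workflow is now invoked from pr-check.yaml under `pull_request_target`, a checkout with no `ref:` resolves to the base branch, which is what prevents a pull request from rewriting the type and scope lists it is validated against — worth stating on the step, e.g. `# No ref: under pull_request_target this is the base branch, so a PR cannot alter the rules it is checked against`. The heredoc that writes COMMIT_SCOPES and COMMIT_TYPES to $GITHUB_ENV appears truncated in this rendering (`echo 'COMMIT_SCOPES<> "$GITHUB_ENV"`), so its extraction logic could not be reviewed; the `types:` input added in the following hunk consumes COMMIT_TYPES the same way `scopes:` consumes COMMIT_SCOPES. The enclosing job begins before this hunk.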
@@ -127,7 +132,7 @@ jobs: - name: Summary with valid title # A length check is not required here because the validate-pr-title step will only run if the title is less than or equal to the max length - if: ${{ always() && steps.validate-pr-title.outputs.error_message == null }} + if: ${{ steps.validate-pr-title.outputs.error_message == null }} run: | echo "### :white_check_mark: Pull Request title is valid" >> $GITHUB_STEP_SUMMARY echo "The pull request title conforms to the conventional commit specification." >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/wait-for-checks.yaml b/.github/workflows/wait-for-checks.yaml index aeaf205..4d3a4ec 100644 --- a/.github/workflows/wait-for-checks.yaml +++ b/.github/workflows/wait-for-checks.yaml @@ -1,16 +1,13 @@ name: Checks on: - pull_request: - types: [opened, edited, reopened, synchronize] - branches: [main] workflow_call: {} # Disable permissions for all available scopes permissions: {} concurrency: - group: ${{ github.workflow }}-${{ github.head_ref }} + group: checks-${{ github.workflow }}-${{ github.head_ref }} cancel-in-progress: true jobs: 
@@ -26,21 +23,21 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} # check run "auto-approve-pr" is completed with conclusion "cancelled" (unsuccessful) when skipped # auto-approve-pr should run on the conclusion of enforce-all-checks, so checks should not check for auto-approve-pr - ignore: auto-approve-pr # ignore any pattern before '/ enforce-all-checks' for calling workflows # For example if the calling workflow job name is 'Checks' the path to ignore is 'Checks / enforce-all-checks' - ignore_pattern: .*\/ enforce-all-checks + ignore_pattern: .*\/ (enforce-all-checks|auto-approve-pr) - # Approve PR raised by 3ware-release[bot] to upgrade trunk on trunk branches - # after all checks have passed. - auto-approve-pr: - if: ${{ github.actor == '3ware-release[bot]' && github.head_ref == 'trunk-io/update-trunk' }} - needs: [enforce-all-checks] - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - name: Auto Approve PR - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 - with: - github-token: ${{ secrets.PR_APPROVAL_PAT }} - review-message: All checks passed. Auto Approved. + # Approve PR raised by 3ware-release[bot] to upgrade trunk on trunk branches or by 3ware-terraform[bot] on project branches + # This job will only run if enforce-all-checks job has passed successfully on pull requests. This workflow could be called by + # a merge_group event: in this case it should not run + # auto-approve-pr: + # if: ${{ github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'auto-approve') }} + # needs: [enforce-all-checks] + # runs-on: ubuntu-latest + # timeout-minutes: 5 + # steps: + # - name: Auto Approve PR + # uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0 + # with: + # github-token: ${{ secrets.PR_APPROVAL_PAT }} + # review-message: All checks passed. Auto Approved. 
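Review bot: The `auto-approve-pr` job is left in the file as fourteen commented-out lines, yet `ignore_pattern` on the line above is widened to `(enforce-all-checks|auto-approve-pr)` for a job that no longer exists, and the prose comment above the block still describes when "this job will only run" as if it were live. Either delete the block (git history keeps it) and narrow the pattern back to `enforce-all-checks`, or replace it with a one-line comment stating why it is parked, e.g. `# auto-approve-pr is disabled; see changelog 4.14.x before re-enabling`. If it is ever restored, the drafted condition gates a `PR_APPROVAL_PAT` review on the `auto-approve` label under `pull_request_target`, which makes label permissions the effective approval gate — that trade-off should be written next to the condition rather than only in the changelog.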
diff --git a/.renovaterc.json b/.renovaterc.json5 similarity index 100% rename from .renovaterc.json rename to .renovaterc.json5 diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml index 4598c95..b932ba9 100644 --- a/.trunk/trunk.yaml +++ b/.trunk/trunk.yaml @@ -2,7 +2,7 @@ # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml version: 0.1 cli: - version: 1.22.9 + version: 1.22.10 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) plugins: sources: @@ -17,14 +17,14 @@ runtimes: # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) lint: enabled: - - renovate@39.169.3 + - renovate@39.192.0 - actionlint@1.7.7 - - checkov@3.2.358 + - checkov@3.2.382 - git-diff-check - markdownlint@0.44.0 - - prettier@3.4.2 - - trivy@0.59.0 - - trufflehog@3.88.3 + - prettier@3.5.3 + - trivy@0.60.0 + - trufflehog@3.88.15 - yamllint@1.35.1 ignore: #* Prevent checking CHANGELOG.md files generated by semantic-release diff --git a/CHANGELOG.md b/CHANGELOG.md index 6afbe95..78fa138 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,62 @@ All notable changes to this project will be documented in this file. +## [4.15.1](https://github.com/3ware/workflows/compare/v4.15.0...v4.15.1) (2025-03-09) + + +### Bug Fixes + +* **dep-review:** Disable persist-credentials for checkout ([#180](https://github.com/3ware/workflows/issues/180)) ([729744b](https://github.com/3ware/workflows/commit/729744b34ff420150dc6855f3b2428e6bcde07fe)) + +## [4.15.0](https://github.com/3ware/workflows/compare/v4.14.2...v4.15.0) (2025-03-09) + + +### Enhancement + +* **dep-review:** Enable pr comment summary ([#179](https://github.com/3ware/workflows/issues/179)) ([849449f](https://github.com/3ware/workflows/commit/849449ff64602e1c00e67b456a01d53d11d41bcd)) + +## [4.14.2](https://github.com/3ware/workflows/compare/v4.14.1...v4.14.2) (2025-03-09) + + +### Bug Fixes + +* **workflows:** Add prefix to concurrency group names ([#178](https://github.com/3ware/workflows/issues/178)) ([37327f0](https://github.com/3ware/workflows/commit/37327f029989e2d8b94cb3a68bd78ca8ddf809ce)) + +## [4.14.1](https://github.com/3ware/workflows/compare/v4.14.0...v4.14.1) (2025-03-07) + + +### Bug Fixes + +* **checks:** Add `startsWith` auto-approve-pr condition ([#174](https://github.com/3ware/workflows/issues/174)) ([e939dec](https://github.com/3ware/workflows/commit/e939dec8ea5398b382dbd2d4d4a413d938c755f3)) + +## [4.14.0](https://github.com/3ware/workflows/compare/v4.13.0...v4.14.0) (2025-03-06) + + +### Enhancement + +* **checks:** Add condition to auto-approve 3ware-terraform PRs ([#173](https://github.com/3ware/workflows/issues/173)) ([2356929](https://github.com/3ware/workflows/commit/2356929a8b79f60f6e30a5c34e95035de2f33903)) + +## [4.13.0](https://github.com/3ware/workflows/compare/v4.12.0...v4.13.0) (2025-03-06) + + +### Features + +* **pr-check:** Create pr-check workflow ([#172](https://github.com/3ware/workflows/issues/172)) ([9c6cac7](https://github.com/3ware/workflows/commit/9c6cac70a8d306d5d1bbef1dcb789fd7adc33b6c)) + +## 
[4.12.0](https://github.com/3ware/workflows/compare/v4.11.1...v4.12.0) (2025-03-05) + + +### Enhancement + +* **pr-title:** Get commit types from commitlint configuration ([#170](https://github.com/3ware/workflows/issues/170)) ([e39a749](https://github.com/3ware/workflows/commit/e39a749c3b5e05c64284ae24d889fde4eea88ed5)) + +## [4.11.1](https://github.com/3ware/workflows/compare/v4.11.0...v4.11.1) (2025-03-05) + + +### Bug Fixes + +* **pr-title:** Remove unecessary `if always` conditions ([#169](https://github.com/3ware/workflows/issues/169)) ([016d847](https://github.com/3ware/workflows/commit/016d847b4c400c7cfd923888824782912358bc31)) + ## [4.11.0](https://github.com/3ware/workflows/compare/v4.10.0...v4.11.0) (2025-02-26)