ci: overhaul workflows (#22)

.github/auto-release.yml

@@ -34,21 +34,23 @@ categories:
   - 'feat'
 - title: '🐛 Bug Fixes'
   labels:
-  - 'auto-update'
   - 'patch'
   - 'fix'
   - 'bugfix'
   - 'bug'
   - 'hotfix'
   - 'refactor'
-  - 'ci'
-  - 'build'
   - 'docs'
   - 'test'
   - 'chore'
-- title: '🤖 Automatic Updates'
+- title: '📦 Updates'
   labels:
   - 'auto-update'
+  - 'build'
+  - 'ci'
+- title: ':hammer_and_wrench: Refactoring'
+  labels:
+  - 'refactor'
 
 change-template: |
   <details>

.github/dependabot.yml

@@ -5,10 +5,22 @@ updates:
     schedule:
       interval: "weekly"
     labels:
-      - "chore"
+      - ci
+    commit-message:
+      prefix: "[skip-release] ci:"
   - package-ecosystem: "terraform"
     directory: "/"
     schedule:
       interval: "weekly"
     labels:
-      - "chore"
+      - build
+    commit-message:
+      prefix: "build:"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - build
+    commit-message:
+      prefix: "[skip-release] build:"

.github/workflows/ci.yml

@@ -0,0 +1,106 @@
+name: Validate and Test Terraform manifests
+
+on:
+  pull_request:
+
+env:
+  TERRAFORM_VERSION: ~1.9
+
+jobs:
+  terraform:
+    name: terraform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Ensure Terraform code is formated
+        run: terraform fmt -check
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Validate Terraform code
+        run: terraform validate -no-color
+
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Run trivy with reviewdog output on the PR
+        uses: reviewdog/action-trivy@v1
+        with:
+          trivy_command: config
+          trivy_target: .
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          filter_mode: diff_context
+          fail_on_error: "true"
+
+  tflint:
+    name: tflint
+    runs-on: ubuntu-latest
+    needs: terraform
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Check with tflint
+        uses: reviewdog/action-tflint@v1
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review
+          fail_on_error: "true"
+          filter_mode: diff_context
+          flags: "--module"
+
+  terratest:
+    name: terratest
+    runs-on: ubuntu-latest
+    needs: 
+      - terraform
+      - trivy
+      - tflint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: tests/go.mod
+          cache-dependency-path: |
+            tests/go.sum
+
+      - name: Run terratest
+        run: make terratest

.github/workflows/docs.yml

@@ -11,17 +11,8 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
-      - name: Render terraform docs inside the examples/basic/README.md
+      - name: Render terraform docs
         uses: terraform-docs/[email protected]
         with:
-          working-dir: ./examples/basic/
-          git-push: "false"
-          output-file: README.md
-          config-file: ./examples/basic/.terraform-docs.yml
-
-      - name: Render terraform docs inside the README.md
-        uses: terraform-docs/[email protected]
-        with:
-          working-dir: .
+          working-dir: .,./examples/basic
           git-push: "true"
-          output-file: README.md

.github/workflows/pr-lint.yml

@@ -10,7 +10,6 @@ on:
 jobs:
   lint-pr:
     runs-on: ubuntu-latest
-
     steps:
       - name: Lint PR
         uses: amannn/action-semantic-pull-request@v5
@@ -50,3 +49,10 @@ jobs:
             * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
             * **test**: Adding missing tests or correcting existing tests
             * **chore**: No production code change
+
+      - name: Add label to PR
+        if: github.actor != 'dependabot[bot]'
+        uses: fuxingloh/[email protected]
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          config-path: .github/labeler.yml

.github/workflows/release.yml

@@ -9,7 +9,9 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - name: Create Release
+        if: "!contains(github.event.head_commit.message, '[skip-release]')"
+        uses: release-drafter/release-drafter@v6
         with:
           publish: true
           prerelease: false

.github/workflows/stale.yml

@@ -7,9 +7,9 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/stale@v9
+      - name: Run stale actio
+        uses: actions/stale@v9
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days"

.terraform-docs.yml

@@ -38,7 +38,7 @@ settings:
   hide-empty: false
   html: true
   indent: 2
-  lockfile: true
+  lockfile: false
   required: true
   sensitive: true
   type: true

Makefile

@@ -0,0 +1,2 @@
+terratest:
+	cd tests; go mod tidy; go test -v -count=1 ./...; cd -

README.md

@@ -4,10 +4,16 @@
 ## Usage
 ```hcl
 module "aweasome_module" {
-  source    = "../../"
-  name      = "aweasome"
-  stage     = "production"
-  namespace = "sweetops"
+  source     = "../../"
+  name       = "aweasome"
+  stage      = "production"
+  namespace  = "sweetops"
+  attributes = var.attributes
+}
+
+output "id" {
+  value       = module.aweasome_module.id
+  description = "ID"
 }
 ```
 ## Requirements
@@ -52,7 +58,7 @@ No resources.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_test"></a> [test](#output\_test) | Default output |
+| <a name="output_id"></a> [id](#output\_id) | ID |
 <!-- END_TF_DOCS -->
 
 ## License

examples/basic/.terraform-docs.yml

@@ -20,7 +20,7 @@ settings:
   hide-empty: false
   html: true
   indent: 2
-  lockfile: true
+  lockfile: false
   required: true
   sensitive: true
   type: true

examples/basic/README.md

@@ -21,9 +21,13 @@ No resources.
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | ID |
 <!-- END_TF_DOCS -->