diff --git a/.github/cherry-pick-bot.yml b/.github/cherry-pick-bot.yml deleted file mode 100644 index 1f62315d79..0000000000 --- a/.github/cherry-pick-bot.yml +++ /dev/null @@ -1,2 +0,0 @@ -enabled: true -preservePullRequestTitle: true diff --git a/.github/labeler.yml b/.github/labeler.yml deleted file mode 100644 index 6dd6741d81..0000000000 --- a/.github/labeler.yml +++ /dev/null @@ -1,50 +0,0 @@ -build: -- changed-files: - - any-glob-to-any-file: 'Dockerfile*' - -dependencies: -- changed-files: - - any-glob-to-any-file: 'yarn.lock' - - any-glob-to-any-file: 'go.*' - -docs: -- changed-files: - - any-glob-to-any-file: 'runatlantis.io/**/*.md' - - any-glob-to-any-file: 'README.md' - -github-actions: -- changed-files: - - any-glob-to-any-file: - - '.github/workflows/*.yml' - -go: -- changed-files: - - any-glob-to-any-file: '**/*.go' - -provider/azuredevops: -- changed-files: - - any-glob-to-any-file: 'server/**/*azuredevops*.go' - -provider/bitbucket: -- changed-files: - - any-glob-to-any-file: 'server/**/*bitbucket*.go' - - any-glob-to-any-file: 'server/events/vcs/bitbucketcloud/*.go' - - any-glob-to-any-file: 'server/events/vcs/bitbucketserver/*.go' - -provider/github: -- changed-files: - - any-glob-to-any-file: 'server/**/*github*.go' - -provider/gitlab: -- changed-files: - - any-glob-to-any-file: 'server/**/*gitlab*.go' - -website: -- changed-files: - - any-glob-to-any-file: 'runatlantis.io/.vitepress/**/*' - - any-glob-to-any-file: 'package.json' - - any-glob-to-any-file: 'package-lock.json' - -blog: -- changed-files: - - any-glob-to-any-file: 'runatlantis.io/blog/**' diff --git a/.github/release.yml b/.github/release.yml deleted file mode 100644 index cf8a202a91..0000000000 --- a/.github/release.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -changelog: - exclude: - labels: - - ignore-for-release - - github-actions - authors: - - octocat - categories: - - title: Breaking Changes 🛠 - labels: - - Semver-Major - - breaking-change - - title: Exciting New Features 🎉 - labels: - - Semver-Minor - - enhancement - - feature - - title: Provider AzureDevops - labels: - - provider/azuredevops - - title: Provider Bitbucket - labels: - - provider/bitbucket - - title: Provider GitHub - labels: - - provider/github - - title: Provider GitLab - labels: - - provider/gitlab - - title: Bug fixes 🐛 - labels: - - bug - - title: Security changes - labels: - - security - - title: Documentation - labels: - - docs - - website - - title: Dependencies - labels: - - dependencies - - title: Other Changes 🔄 - labels: - - "*" diff --git a/.github/renovate.json5 b/.github/renovate.json5 deleted file mode 100644 index d3f8bb6af7..0000000000 --- a/.github/renovate.json5 +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - extends: [ - 'config:best-practices', - ':separateMultipleMajorReleases', - 'schedule:daily', - 'security:openssf-scorecard', - ], - commitMessageSuffix: ' in {{packageFile}}', - dependencyDashboardAutoclose: true, - automerge: true, - baseBranchPatterns: [ - 'main', - '/^release-.*/', - ], - platformAutomerge: true, - labels: [ - 'dependencies', - ], - postUpdateOptions: [ - 'gomodTidy', - 'gomodUpdateImportPaths', - 'npmDedupe', - ], - prHourlyLimit: 1, - minimumReleaseAge: '5 days', - osvVulnerabilityAlerts: true, - vulnerabilityAlerts: { - enabled: true, - labels: [ - 'security', - ], - }, - packageRules: [ - // enable release branches for security updates - { - matchBaseBranches: [ - '/^release-.*/', - ], - matchUpdateTypes: [ - 'security', - ], - enabled: true, - }, - // disable release branches for anything else - { - matchBaseBranches: [ - '/^release-.*/', - ], - enabled: false, - }, - { - matchBaseBranches: [ - 'main', - ], - matchFileNames: [ - 'package.json', - 'package-lock.json', - ], - }, - { - matchFileNames: [ - 'testing/**', - ], - additionalBranchPrefix: '{{packageFileDir}}-', - groupName: 'conftest-testing', - matchPackageNames: [ - '/conftest/', - ], - }, - { - ignorePaths: [ - 'testing/**', - ], - groupName: 'github-', - matchPackageNames: [ - '/github-actions/', - ], - }, - { - ignorePaths: [ - 'server/controllers/events/testdata/**/*.tf', - ], - matchDatasources: [ - 'terraform', - ], - }, - { - matchDatasources: [ - 'docker', - ], - matchPackageNames: [ - 'node', - 'cimg/node', - ], - versioning: 'node', - }, - { - matchPackageNames: [ - 'go', - 'golang', - ], - versioning: 'go', - groupName: 'go', - }, - { - "matchFileNames": ["Dockerfile"], - "matchPackageNames": ["golang"], - "versioning": "docker", - "allowedVersions": "/-alpine$/" - } - ], - customManagers: [ - { - customType: 'regex', - managerFilePatterns: [ - '/(^|/)Dockerfile$/', - '/(^|/)Dockerfile\\.[^/]*$/', - ], - matchStrings: [ - 'renovate: 
datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s(ARG|ENV) .*?_VERSION=(?.*)\\s', - ], - versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}', - extractVersionTemplate: '^v(?\\d+\\.\\d+\\.\\d+)', - }, - { - customType: 'regex', - managerFilePatterns: [ - '/.*go$/', - ], - matchStrings: [ - '\\sconst .*Version = "(?.*)"\\s// renovate: datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s', - ], - versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}', - extractVersionTemplate: '^v(?\\d+\\.\\d+\\.\\d+)', - }, - { - customType: 'regex', - managerFilePatterns: [ - '/^\\.github/workflows/[^/]+\\.ya?ml$/', - '/Makefile$/', - ], - matchStrings: [ - 'renovate: datasource=(?.*?) depName=(?.*?)( versioning=(?.*?))?\\s.*?_VERSION: (?.*)\\s', - ], - versioningTemplate: '{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}', - extractVersionTemplate: '^v(?\\d+\\.\\d+\\.\\d+)', - }, - ], -} diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 779e78f950..461738b1bb 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -3,14 +3,10 @@ name: atlantis-image on: push: branches: - - 'main' - - 'release-**' - tags: - - v*.*.* + - "main" pull_request: branches: - - 'main' - - 'release-**' + - "main" types: - opened - reopened 
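Review bot: The new branch filters `- "main"` switch the file from single to double quotes, while the rest of the workflow (the paths-filter list, `- run: 'echo "No build required"'`) keeps single quotes; for a plain literal with nothing to escape the file's existing `'main'` style is the consistent choice, so `- 'main'` in both the `push` and `pull_request` lists. Dropping `release-**` and the `v*.*.*` tag trigger also means release branches and tags no longer produce an image from this workflow; if that is the intended hand-over to the VERSION-file flow, a one-line comment above `on:` saying so would save the next reader from re-adding it.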
@@ -22,20 +18,18 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +env: + AWS_REGION: us-west-2 + jobs: changes: outputs: - should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }} + should-run-build: ${{ steps.changes.outputs.src == 'true' }} if: github.event.pull_request.draft == false runs-on: ubuntu-24.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 id: changes with: filters: | @@ -43,6 +37,7 @@ jobs: - 'Dockerfile' - 'docker-entrypoint.sh' - '.github/workflows/atlantis-image.yml' + - 'VERSION' - '**.go' - 'go.*' 
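Review bot: `- uses: actions/checkout@v4` and `- uses: dorny/paths-filter@v3` replace full commit-SHA pins with mutable tags, so the `changes` job now executes whatever those tags point to at run time instead of the reviewed revision; keep the SHA and carry the version as a trailing comment, in the form the file used before, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`. The same unpinning applies to every `uses:` in the build-job hunk below (`hadolint/hadolint-action`, `docker/setup-qemu-action`, `docker/setup-buildx-action`, `aws-actions/configure-aws-credentials`, `aws-actions/amazon-ecr-login`, `docker/build-push-action`), and that job assumes an AWS role, which raises the cost of a hijacked tag. The removed `step-security/harden-runner` step also leaves egress from these jobs unaudited. Since this commit deletes `.github/renovate.json5`, the pins will no longer be refreshed automatically, so if the move to tags is a deliberate trade-off a comment above the first `steps:` explaining it would help.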
@@ -53,189 +48,127 @@ jobs: permissions: contents: read id-token: write - packages: write - attestations: write strategy: matrix: image_type: [alpine, debian] runs-on: ubuntu-24.04 env: - # Set docker repo to either the fork or the main repo where the branch exists - DOCKER_REPO: ghcr.io/${{ github.repository }} - # Push if not a pull request and references the main branch - PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }} + # Determine target: staging for PRs, prod for main + ECR_REPO: ${{ github.event_name == 'pull_request' && 'atlantis-staging' || 'atlantis-prod' }} + AWS_ROLE_ARN: ${{ github.event_name == 'pull_request' && 'arn:aws:iam::953790153951:role/atlantis-staging-gha-role' || 'arn:aws:iam::011528294869:role/atlantis-prod-gha-role' }} steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - # Lint the Dockerfile first before setting anything up - - name: Lint Dockerfile - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "Dockerfile" - - - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - with: - go-version-file: "go.mod" - - - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - with: - image: tonistiigi/binfmt:latest - platforms: arm64,arm - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - - - name: "Install cosign" - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 - if: env.PUSH == 'true' && github.event_name != 'pull_request' - - # release version is the name of the tag i.e. v0.10.0 - # release version also has the image type appended i.e. 
v0.10.0-alpine - # release tag is either pre-release or latest i.e. latest - # release tag also has the image type appended i.e. latest-alpine - # if it's v0.10.0 and alpine, it will do v0.10.0, v0.10.0-alpine, latest, latest-alpine - # if it's v0.10.0 and debian, it will do v0.10.0-debian, latest-debian - - name: Docker meta - id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 - env: - SUFFIX: ${{ format('-{0}', matrix.image_type) }} - with: - images: | - ${{ env.DOCKER_REPO }} - labels: | - org.opencontainers.image.authors="@runatlantis Github Org" - org.opencontainers.image.licenses=Apache-2.0 - tags: | - # semver - type=semver,pattern={{version}},prefix=v,suffix=${{ env.SUFFIX }} - type=semver,pattern={{version}},prefix=v,enable=${{ matrix.image_type == 'alpine' }} - type=semver,pattern={{major}}.{{minor}},prefix=v,suffix=${{ env.SUFFIX }} - # dev - type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }} - type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }}-{{ sha }} - type=raw,event=push,value=dev,enable=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.image_type == 'alpine' }},suffix= - # prerelease - type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= - type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} - # latest - type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= - type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} - # pr - type=ref,event=pr,suffix=${{ env.SUFFIX }} - flavor: | - # This is disabled here so we can use the raw form above - latest=false 
- # Suffix is not used here since there's no way to disable it above - - - name: Login to Packages Container registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Publish release to container registry - - name: Populate release version - if: contains(fromJson('["push", "pull_request"]'), github.event_name) - run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV - - - name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" - id: build - if: contains(fromJson('["push", "pull_request"]'), github.event_name) - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 - with: - cache-from: type=gha - cache-to: type=gha,mode=max - context: . - build-args: | - ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} - ATLANTIS_VERSION=${{ env.RELEASE_VERSION }} - ATLANTIS_COMMIT=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} - ATLANTIS_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - platforms: linux/arm64/v8, linux/amd64, linux/arm/v7 - push: ${{ env.PUSH }} - tags: ${{ steps.meta.outputs.tags }} - target: ${{ matrix.image_type }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} - - - name: "Create Image Attestation" - if: env.PUSH == 'true' && github.event_name != 'pull_request' - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 - with: - subject-digest: ${{ steps.build.outputs.digest }} - subject-name: ghcr.io/${{ github.repository }} - push-to-registry: true - - - name: "Sign images with environment annotations" - # no key needed, we're using 
the GitHub OIDC flow - if: env.PUSH == 'true' && github.event_name != 'pull_request' - run: | - # Sign dev tags, version tags, and latest tags - echo "${TAGS}" | xargs -I {} cosign sign \ - --yes \ - -a actor=${{ github.actor}} \ - -a ref_name=${{ github.ref_name}} \ - -a ref=${{ github.sha }} \ - {}@${DIGEST} - env: - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build.outputs.digest }} - - test: - needs: [changes] - if: needs.changes.outputs.should-run-build == 'true' - name: Test Image With Goss - runs-on: ubuntu-24.04 - strategy: - matrix: - image_type: [alpine, debian] - platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] - env: - # Set docker repo to either the fork or the main repo where the branch exists - DOCKER_REPO: ghcr.io/${{ github.repository }} + - uses: actions/checkout@v4 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 + - name: Lint Dockerfile + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: "Dockerfile" + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 with: - egress-policy: audit + image: tonistiigi/binfmt:latest + platforms: arm64,arm - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 + uses: docker/setup-buildx-action@v3 - - name: "Build and load into Docker" - if: contains(fromJson('["push", "pull_request"]'), github.event_name) - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ env.AWS_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Read version from VERSION file + id: version + run: | + VERSION=$(cat VERSION) + echo "version=v${VERSION}" >> $GITHUB_OUTPUT + echo 
"Version: v${VERSION}" + + - name: Generate ECR tags + id: ecr-tags + run: | + ECR_REGISTRY="${{ steps.login-ecr.outputs.registry }}" + ECR_REPO="${{ env.ECR_REPO }}" + IMAGE_TYPE="${{ matrix.image_type }}" + VERSION="${{ steps.version.outputs.version }}" + TAGS="" + + # Validate ECR registry is available + if [ -z "$ECR_REGISTRY" ]; then + echo "::error::ECR_REGISTRY is empty. ECR login may have failed." + exit 1 + fi + + add_tag() { + local tag=$1 + if [ -n "$TAGS" ]; then + TAGS="${TAGS}," + fi + TAGS="${TAGS}${ECR_REGISTRY}/${ECR_REPO}:${tag}-${IMAGE_TYPE}" + # Add tag without suffix for alpine (default) + if [ "$IMAGE_TYPE" == "alpine" ]; then + TAGS="${TAGS},${ECR_REGISTRY}/${ECR_REPO}:${tag}" + fi + } + + # Always add version and sha tags + add_tag "$VERSION" + add_tag "${GITHUB_SHA:0:7}" + + # PR -> also add pr-number tag + if [ "${{ github.event_name }}" == "pull_request" ]; then + PR_NUMBER="${{ github.event.pull_request.number }}" + add_tag "pr-${PR_NUMBER}" + fi + + # Main branch -> also add latest tag + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + add_tag "latest" + fi + + echo "tags=${TAGS}" >> $GITHUB_OUTPUT + echo "ECR Tags: ${TAGS}" + + - name: Generate image metadata + id: meta + run: | + echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + + - name: Build and push to ECR + id: build-ecr + uses: docker/build-push-action@v6 with: cache-from: type=gha cache-to: type=gha,mode=max context: . 
build-args: | ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} - push: false - load: true - tags: "${{ env.DOCKER_REPO }}:goss-test" + ATLANTIS_VERSION=${{ steps.version.outputs.version }} + ATLANTIS_COMMIT=${{ github.sha }} + ATLANTIS_DATE=${{ steps.meta.outputs.created }} + platforms: linux/arm64/v8, linux/amd64, linux/arm/v7 + push: true + tags: ${{ steps.ecr-tags.outputs.tags }} target: ${{ matrix.image_type }} + labels: | + org.opencontainers.image.authors=@runatlantis Github Org + org.opencontainers.image.licenses=Apache-2.0 + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.created=${{ steps.meta.outputs.created }} - - name: "Setup Goss" - uses: e1himself/goss-installation-action@3b8340a7c772f8064444f48b0df4c2a80d2e50fc # v1.3.0 - with: - version: "v0.4.7" - - - name: Execute Goss tests + - name: Output ECR image details run: | - dgoss run --rm ${{ env.DOCKER_REPO }}:goss-test bash -c 'while true; do sleep 1; done;' + echo "✅ Successfully pushed to ECR repository: ${{ env.ECR_REPO }}" + echo "Version: ${{ steps.version.outputs.version }}" + echo "Image tags: ${{ steps.ecr-tags.outputs.tags }}" + echo "Image digest: ${{ steps.build-ecr.outputs.digest }}" skip-build: needs: [changes] @@ -246,10 +179,4 @@ jobs: image_type: [alpine, debian] runs-on: ubuntu-24.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - run: 'echo "No build required"' - diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index e272a9d385..0000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
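Review bot: The `Read version from VERSION file` step feeds `cat VERSION` straight into the image tags, the `ATLANTIS_VERSION` build arg and the `Generate ECR tags` script without checking its shape, so an empty file, a stray `v` prefix or a CRLF line ending yields tags such as `:v-alpine` or `:vv1.2.3` and the push still succeeds; validate before emitting the output, e.g. `VERSION=$(tr -d '[:space:]' < VERSION)` followed by `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]] || { echo "::error::VERSION is not a semantic version: '$VERSION'"; exit 1; }`. In `Generate ECR tags` the value is spliced into the script body through `${{ steps.version.outputs.version }}`; passing it (and the other expressions there) via an `env:` block and reading `$VERSION` keeps repository-controlled text out of the shell source. Separately, the ECR push path drops the provenance attestation and cosign signing that the old ghcr.io path had, so nothing downstream can verify who built the images in `atlantis-staging`/`atlantis-prod`; if that is intended, a comment next to `push: true` saying so would make the gap explicit. The `build` job's definition starts before this hunk.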
@@ -1,135 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: - - 'main' - - 'release-**' - pull_request: - # The branches below must be a subset of the branches above - types: - - opened - - reopened - - synchronize - - ready_for_review - branches: - - 'main' - - 'release-**' - - schedule: - - cron: '17 9 * * 5' - -permissions: - contents: read - -jobs: - changes: - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests - outputs: - should-run-analyze: ${{ steps.changes.outputs.src == 'true' }} - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: changes - with: - filters: | - src: - - '**.go' - - '**.js4' - - analyze: - needs: [changes] - name: Analyze - if: github.event.pull_request.draft == false && needs.changes.outputs.should-run-analyze == 'true' - runs-on: ubuntu-24.04 - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'go', 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Use only 'java' to analyze code written in Java, Kotlin or both - # Use only 
'javascript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61 # v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61 # v3 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f47c8e6a9bd05ef3ee422fc8d8663be7fe4bdc61 # v3 - with: - category: "/language:${{matrix.language}}" - - skip-analyze: - needs: [changes] - if: needs.changes.outputs.should-run-analyze == 'false' - name: Analyze - strategy: - matrix: - language: [ 'go', 'javascript' ] - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - run: 'echo "No build required"' diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index ca8e38f3cc..0000000000 --- a/.github/workflows/dependency-review.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - name: 'Checkout Repository' - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - - name: 'Dependency Review' - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml deleted file mode 100644 index 59eb835b6e..0000000000 
--- a/.github/workflows/labeler.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: "Pull Request Labeler" - -on: - pull_request_target: - types: - - opened - - reopened - - synchronize - - ready_for_review - -permissions: - contents: read - -jobs: - triage: - permissions: - contents: read - pull-requests: write - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index 0d47d9689c..0000000000 --- a/.github/workflows/lint.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -name: linter - -on: - pull_request: - types: - - opened - - reopened - - synchronize - - ready_for_review - branches: - - "main" - - "release-**" - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -permissions: - # Required: allow read access to the content for analysis. - contents: read - # Optional: allow read access to pull request. Use with `only-new-issues` option. - pull-requests: read - # Optional: Allow write access to checks to allow the action to annotate code in the PR. - checks: write - -jobs: - changes: - outputs: - should-run-linting: ${{ steps.changes.outputs.go == 'true' }} - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: changes - with: - filters: | - go: - - '**.go' - - 'go.*' - - '.github/workflows/lint.yml' - - '.golangci.yml' - - golangci-lint: - needs: [changes] - if: github.event.pull_request.draft == false && needs.changes.outputs.should-run-linting == 'true' - name: Linting - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - # need to setup go toolchain explicitly - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 - with: - go-version-file: go.mod - - - name: golangci-lint - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 - with: - # renovate: datasource=github-releases depName=golangci/golangci-lint - version: v2.5.0 - - skip-lint: - needs: [changes] - if: 
needs.changes.outputs.should-run-linting == 'false' - name: Linting - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - run: 'echo "No build required"' diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml deleted file mode 100644 index edcde7ced3..0000000000 --- a/.github/workflows/pr-lint.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: "Lint PR" - -on: - pull_request_target: - types: - - opened - - edited - - synchronize - -permissions: - pull-requests: read - -jobs: - main: - name: Validate PR title - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-size-labeler.yml b/.github/workflows/pr-size-labeler.yml deleted file mode 100644 index a24d0188ba..0000000000 --- a/.github/workflows/pr-size-labeler.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -name: pr-size - -on: [pull_request] - -permissions: - contents: read - -jobs: - labeler: - permissions: - pull-requests: write # for codelytv/pr-size-labeler to add labels & comment on PRs - runs-on: ubuntu-latest - name: Label the PR size - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: codelytv/pr-size-labeler@4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a # v1 - with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - xs_label: 'size/xs' - xs_max_size: '10' - s_label: 'size/s' - s_max_size: '200' - m_label: 'size/m' - m_max_size: '1000' - l_label: 'size/l' - l_max_size: '10000' - xl_label: 'size/xl' - fail_if_xl: 'false' - message_if_xl: > - This PR exceeds the recommended size of 1000 lines. - Please make sure you are NOT addressing multiple issues with one PR. - Note this PR might be rejected due to its size. - github_api_url: 'https://api.github.com' - files_to_ignore: '' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 5cdf74a06a..0000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: release - -on: - push: - tags: - - v*.*.* - workflow_dispatch: - -jobs: - goreleaser: - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - with: - submodules: true - - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 - with: - go-version-file: go.mod - - - name: Run GoReleaser for stable release - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6 - if: (!contains(github.ref, 'pre')) - with: - # You can pass flags to goreleaser via GORELEASER_ARGS - # --clean will save you deleting the dist dir - args: release --clean - distribution: goreleaser # or 'goreleaser-pro' - version: "~> v2" # or 'latest', 'nightly', semver - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog for pre release - if: contains(github.ref, 'pre') - id: changelog - run: | - echo "RELEASE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT - gh api repos/$GITHUB_REPOSITORY/releases/generate-notes \ - -f tag_name="${GITHUB_REF#refs/tags/}" \ - -f target_commitish=main \ - -q .body > tmp-CHANGELOG.md - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/renovate-config.yml b/.github/workflows/renovate-config.yml deleted file mode 100644 index 00d0ad71ab..0000000000 --- a/.github/workflows/renovate-config.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -name: renovate-config - -on: - push: - paths: - - '.github/renovate.json5' - branches: - - main - - 'releases-**' - pull_request: - paths: - - '.github/renovate.json5' - workflow_dispatch: - -permissions: - contents: read - -jobs: - validate: - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 - - run: npx --package=renovate@latest -c renovate-config-validator diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml deleted file mode 100644 index e1cac197d5..0000000000 --- a/.github/workflows/scorecard.yml +++ /dev/null 
@@ -1,61 +0,0 @@ -name: Scorecard supply-chain security -on: - schedule: - - cron: '0 5 * * 1' - push: - branches: - - main - -permissions: read-all - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2 - with: - egress-policy: audit - - - name: 'Checkout code' - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - with: - persist-credentials: false - show-progress: false - - - name: 'Run analysis' - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 - with: - results_file: results.sarif - results_format: sarif - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: 'Upload artifact' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: 'Upload to code-scanning' - uses: github/codeql-action/upload-sarif@42213152a85ae7569bdb6bec7bcd74cd691bfe41 # v3.30.9 - with: - sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index b33817c817..0000000000 
--- a/.github/workflows/stale.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Close Stale PRs -on: - schedule: - - cron: '30 1 * * *' -permissions: - contents: read - -jobs: - stale: - permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 - with: - stale-pr-message: 'This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.' - stale-issue-message: This issue is stale because it has been open for 1 month with no activity. Remove stale label or comment or this will be closed in 1 month.' - remove-stale-when-updated: true - exempt-pr-labels: "never-stale" - exempt-issue-labels: "never-stale" - # 1 month - days-before-stale: 31 - # 1 month - days-before-close: 31 - only-labels: 'waiting-on-response' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 725bc84ade..0000000000 --- a/.github/workflows/test.yml +++ /dev/null 
@@ -1,213 +0,0 @@ -name: tester - -on: - push: - branches: - - "main" - - "release-**" - pull_request: - types: - - opened - - reopened - - synchronize - - ready_for_review - branches: - - "main" - - "release-**" - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -permissions: - contents: read - -env: - TERRAFORM_VERSION: 1.11.1 - NGROK_DOWNLOAD_URL: https://bin.equinox.io/a/bNzUz3YQtcB/ngrok-v3-3.33.1-linux-amd64.tar.gz - -jobs: - changes: - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests - outputs: - should-run-tests: ${{ steps.changes.outputs.go == 'true' }} - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: changes - with: - filters: | - go: - - '**.go' - - '**.txt' # golden file test output - - 'go.*' - - '**.tmpl' - - '.github/workflows/test.yml' - test: - needs: [changes] - if: needs.changes.outputs.should-run-tests == 'true' - name: Tests - runs-on: ubuntu-24.04 - # Use latest testing environment for automatic updates - # Previous: ghcr.io/runatlantis/testing-env:latest@sha256:725981e9090c977f8055f5ec5ba7a63430a8f0337ab955978e6b8cc2cd0236c3 - container: ghcr.io/runatlantis/testing-env:latest@sha256:13a736f35b22ac7af146ea3f0e8ac9cd751aa6847e5eafde83681b9fdcdbd245 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - # need to setup go toolchain explicitly - - uses: 
actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 - with: - go-version-file: go.mod - - - run: make test-all - - run: make check-fmt - - ########################################################### - # Notifying #contributors about test failure on main branch - ########################################################### - - name: Slack failure notification - if: ${{ github.ref == 'refs/heads/main' && failure() }} - uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 - with: - payload: | - { - "blocks": [ - { - "type": "section", - "text": { - "type": "mrkdwn", - "text": ":x: Failed GitHub Action:" - } - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>" - }, - { - "type": "mrkdwn", - "text": "*Job:*\n${{ github.job }}" - }, - { - "type": "mrkdwn", - "text": "*Repo:*\n${{ github.repository }}" - } - ] - } - ] - } - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK - - skip-test: - needs: [changes] - if: needs.changes.outputs.should-run-tests == 'false' - name: Tests - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - run: 'echo "No build required"' - - e2e-github: - runs-on: ubuntu-latest - # dont run e2e tests on forked PRs - if: github.event.pull_request.head.repo.fork == false - env: - ATLANTIS_GH_USER: ${{ secrets.ATLANTISBOT_GITHUB_USERNAME }} - ATLANTIS_GH_TOKEN: ${{ secrets.ATLANTISBOT_GITHUB_TOKEN }} - NGROK_AUTH_TOKEN: ${{ secrets.ATLANTISBOT_NGROK_AUTH_TOKEN }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: 
actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 - with: - go-version-file: go.mod - - # This version of TF will be downloaded before Atlantis is started. - # We do this instead of setting --default-tf-version because setting - # that flag starts the download asynchronously so we'd have a race - # condition. - - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} - - - name: Setup ngrok - run: | - wget -q -O ngrok.tar.gz ${NGROK_DOWNLOAD_URL} - tar -xzf ngrok.tar.gz - chmod +x ngrok - ./ngrok version - - name: Setup gitconfig - run: | - git config --global user.email "maintainers@runatlantis.io" - git config --global user.name "atlantisbot" - - - run: | - make build-service - ./scripts/e2e.sh - e2e-gitlab: - runs-on: ubuntu-latest - # dont run e2e tests on forked PRs - if: github.event.pull_request.head.repo.fork == false - env: - ATLANTIS_GITLAB_USER: ${{ secrets.ATLANTISBOT_GITLAB_USERNAME }} - ATLANTIS_GITLAB_TOKEN: ${{ secrets.ATLANTISBOT_GITLAB_TOKEN }} - NGROK_AUTH_TOKEN: ${{ secrets.ATLANTISBOT_NGROK_AUTH_TOKEN }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 - with: - go-version-file: go.mod - - # This version of TF will be downloaded before Atlantis is started. - # We do this instead of setting --default-tf-version because setting - # that flag starts the download asynchronously so we'd have a race - # condition. 
- - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} - - - name: Setup ngrok - run: | - wget -q -O ngrok.tar.gz ${NGROK_DOWNLOAD_URL} - tar -xzf ngrok.tar.gz - chmod +x ngrok - ./ngrok version - - name: Setup gitconfig - run: | - git config --global user.email "maintainers@runatlantis.io" - git config --global user.name "atlantisbot" - - - run: | - make build-service - ./scripts/e2e.sh diff --git a/.github/workflows/testing-env-image.yml b/.github/workflows/testing-env-image.yml deleted file mode 100644 index 2153f9dd0b..0000000000 --- a/.github/workflows/testing-env-image.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -name: testing-env-image - -on: - push: - branches: - - 'main' - - 'release-**' - pull_request: - branches: - - 'main' - - 'release-**' - workflow_dispatch: - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -permissions: - contents: read - -jobs: - changes: - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests - outputs: - should-run-build: ${{ steps.changes.outputs.src == 'true' }} - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: changes - with: - filters: | - src: - - 'testing/**' - - '.github/workflows/testing-env-image.yml' - - build: - needs: [changes] - if: needs.changes.outputs.should-run-build == 'true' - name: Build Testing Env Image - runs-on: ubuntu-24.04 - permissions: - packages: write # for ghcr.io push - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - with: - image: tonistiigi/binfmt:latest - platforms: arm64,arm - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - - - name: Login to Packages Container registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - run: echo 
"TODAY=$(date +"%Y.%m.%d")" >> $GITHUB_ENV - - name: Build and push testing-env:${{env.TODAY}} image - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 - with: - cache-from: type=gha - cache-to: type=gha,mode=max - context: testing - platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 - push: ${{ github.event_name != 'pull_request' }} - tags: | - ghcr.io/runatlantis/testing-env:${{env.TODAY}} - ghcr.io/runatlantis/testing-env:latest - - skip-build: - needs: [changes] - if: needs.changes.outputs.should-run-build == 'false' - name: Build Testing Env Image - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - run: 'echo "No build required"' diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml deleted file mode 100644 index afa38f375d..0000000000 --- a/.github/workflows/website.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -name: website - -on: - push: - branches: - - 'main' - - 'release-**' - pull_request: - types: - - opened - - reopened - - synchronize - - ready_for_review - branches: - - 'main' - - 'release-**' - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} - cancel-in-progress: true - -permissions: - # Required: allow read access to the content for analysis. - contents: read - -jobs: - changes: - outputs: - should-run-website-check: ${{ steps.changes.outputs.src == 'true' }} - if: github.event.pull_request.draft == false - runs-on: ubuntu-24.04 - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 - id: changes - with: - filters: | - src: - - 'runatlantis.io/**' - - 'package-lock.json' - - 'package.json' - - '.github/workflows/website.yml' - - # Check that the website builds and there's no missing links. 
- website-check: - needs: [changes] - if: github.event.pull_request.draft == false && needs.changes.outputs.should-run-website-check == 'true' - name: Website Check - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - - name: markdown-lint - uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19 - with: - config: .markdownlint.yaml - globs: 'runatlantis.io/**/*.md' - - - name: Link Checker - id: lychee - uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1 - with: - args: >- - --verbose - --no-progress - --max-concurrency 5 - --max-retries 0 - --accept 200,429 - ./runatlantis.io - - - name: setup npm - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 - with: - cache: 'npm' - - - name: run http-server - run: | - # build site - npm install - npm run website:build - - # start http-server for integration testing - npx http-server runatlantis.io/.vitepress/dist & - - - name: Run Playwright E2E tests - run: | - npx playwright install --with-deps - npm run e2e - - skip-website-check: - needs: [changes] - if: needs.changes.outputs.should-run-website-check == 'false' - name: Website Check - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 - with: - egress-policy: audit - - - run: 'echo "No build required"' diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000..6e8bf73aa5 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.1.0