diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 97990d8..6a115cd 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -2,7 +2,7 @@ name: auto-approve on: - pull_request: + pull_request_target: types: - opened - labeled
@@ -17,12 +17,12 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'auto-approve') && github.event.pull_request.draft == false steps: - name: Checkout PR - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Auto-approve PRs by other users as team-tf-cdk - if: github.event.pull_request.user.login != 'team-tf-cdk' + if: github.event.pull_request.user.login != 'team-tf-cdk' && (contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) || github.actor == 'dependabot[bot]) env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} run: gh pr review ${{ github.event.pull_request.number }} --approve
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index fdf5494..2b285c2 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -2,7 +2,7 @@ name: automerge on: - pull_request: + pull_request_target: types: - opened - labeled
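Review bot: The "Checkout PR" step in the next hunk still fetches `github.event.pull_request.head.ref` from the head repository, and after the switch to `pull_request_target` it does so in a job that runs in the base repository's context with `secrets.PROJEN_GITHUB_TOKEN` available, including for pull requests from forks. No visible step executes the checked-out files, but `gh pr review` only needs the PR number, so the checkout looks unnecessary; I would drop it and set `GH_REPO: ${{ github.repository }}` in the step's `env`, or at minimum add `persist-credentials: false` under `with:`. A short comment above the trigger stating that the `auto-approve` label and the author-association check are the trust gate would help the next maintainer. The same trigger change is made in automerge.yml, where the checkout has no `ref` and so stays on the base branch.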
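Review bot: The new `if:` on the "Auto-approve PRs by other users as team-tf-cdk" step contains an unterminated string, `'dependabot[bot])`, so the expression will not parse; the new condition in automerge.yml has the same missing quote at `'dependabot[bot]`. Separately, `github.actor` is the account that triggered the event (on a `labeled` event, whoever applied the label), not the PR author, so the bot exemption should test the author instead. I would end the condition with `|| github.event.pull_request.user.login == 'dependabot[bot]')` here, and with the same clause without the closing parenthesis in automerge.yml. The hunk starts inside the job definition, so the job-level `permissions` are not visible from here.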
@@ -18,8 +18,9 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'automerge') && github.event.pull_request.draft == false steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: Turn on automerge for this PR + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 + - name: Turn on automerge for this PR by a trusted user or bot + if: github.event.pull_request.user.login == 'team-tf-cdk' || contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) || github.actor == 'dependabot[bot] env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} run: gh pr merge --auto --squash ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 49ff805..9fda32c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -34,7 +34,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.self_mutation.outputs.self_mutation_happened - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch
@@ -48,7 +48,7 @@ jobs: run: cd dist && getfacl -R . > permissions-backup.acl continue-on-error: true - name: Upload artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist
@@ -60,7 +60,7 @@ jobs: if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository) steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} ref: ${{ github.event.pull_request.head.ref }}
@@ -89,7 +89,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts
@@ -114,7 +114,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-python@v4
diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml
index a91d10c..b8286be 100644
--- a/.github/workflows/pull-request-lint.yml
+++ b/.github/workflows/pull-request-lint.yml
@@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write steps: - - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 + - uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d300a4..4089cbb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,12 @@ on: push: branches: - main + paths-ignore: + - examples/** + - .github/ISSUE_TEMPLATE/** + - .github/CODEOWNERS + - .github/dependabot.yml + - .github/**/*.md workflow_dispatch: {} jobs: release:
@@ -17,7 +23,7 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: fetch-depth: 0 - name: Set git identity
@@ -37,7 +43,7 @@ jobs: continue-on-error: true - name: Upload artifact if: ${{ steps.git_remote.outputs.latest_commit == github.sha }} - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist
@@ -49,7 +55,7 @@ jobs: contents: write if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts
@@ -78,7 +84,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts
@@ -111,7 +117,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-python@v4
diff --git a/.github/workflows/upgrade-cdktf.yml b/.github/workflows/upgrade-cdktf.yml
index 3a32d22..2b09728 100644
--- a/.github/workflows/upgrade-cdktf.yml
+++ b/.github/workflows/upgrade-cdktf.yml
@@ -17,7 +17,7 @@ jobs: CHECKPOINT_DISABLE: "1" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 - name: Install run: yarn install - name: Get current CDKTF version
@@ -39,7 +39,7 @@ jobs: run: scripts/update-cdktf.sh ${{ steps.latest_version.outputs.value }} - name: Create draft pull request if: steps.current_version.outputs.short != steps.latest_version.outputs.short - uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: commit-message: "chore!: upgrade to cdktf ${{ steps.latest_version.outputs.value }}" branch: auto/upgrade-cdktf-${{ steps.latest_version.outputs.short }}
diff --git a/.github/workflows/upgrade-main.yml b/.github/workflows/upgrade-main.yml
index f24ec75..d1825c7 100644
--- a/.github/workflows/upgrade-main.yml
+++ b/.github/workflows/upgrade-main.yml
@@ -15,7 +15,7 @@ jobs: patch_created: ${{ steps.create_patch.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: main - name: Install dependencies
@@ -29,7 +29,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "patch_created=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.create_patch.outputs.patch_created - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch
@@ -42,7 +42,7 @@ jobs: if: ${{ needs.upgrade.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: main - name: Download patch
@@ -58,7 +58,7 @@ jobs: git config user.email "github-team-tf-cdk@hashicorp.com" - name: Create Pull Request id: create-pr - uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} commit-message: |-
diff --git a/.npmignore b/.npmignore
index 83fdd38..b0fc6b7 100644
--- a/.npmignore
+++ b/.npmignore
@@ -21,3 +21,7 @@ dist tsconfig.tsbuildinfo /.eslintrc.json !.jsii
+scripts
+projenrc
+/.projenrc.ts
+.copywrite.hcl