Merge pull request #162 from dealroom/repo-sync/core-mothership/default

🔄 synced file(s) with dealroom/core-mothership
dealroom · Aug 7, 2024 · 4d14a7d · 4d14a7d
2 parents 88b4b16 + ec500e9
commit 4d14a7d
Show file tree

Hide file tree

Showing 14 changed files with 70 additions and 21 deletions.
diff --git a/.github/actions/github-release/action.yml b/.github/actions/github-release/action.yml
@@ -11,7 +11,7 @@ runs:
   using: composite
   steps:
     - id: version-bump
-      uses: anothrNick/github-tag-action@afe4b67b57b8ab0908e4767109a5342003639e2e # 1.69.0
+      uses: anothrNick/github-tag-action@777684df761b882a3f4f70db16ac70d8cc78d0ea # 1.70.0
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
         WITH_V: "true"

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -33,7 +33,7 @@ runs:
         path: ${{ steps.extcache.outputs.dir }}
         key: ${{ steps.extcache.outputs.key }}
         restore-keys: ${{ steps.extcache.outputs.key }}
-    - uses: shivammathur/setup-php@2e947f1f6932d141d076ca441d0e1e881775e95b # 2.31.0
+    - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
       with:
         php-version: ${{ inputs.php-version }}
         extensions: ${{ inputs.extensions }}

diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
@@ -0,0 +1,35 @@
+---
+# Don't report passed checks in output
+quiet: true
+
+# Download external modules
+download-external-modules: true
+
+
+skip-path:
+  # Ignore checks for helm deps as they are mostly impossible to fix without upstream changes
+  - charts/[^/]+/charts/
+  # Ignore PHP vendor directory
+  - vendor/
+
+# Skip certain checks globally
+skip-check:
+  # "Ensure Terraform module sources use a commit hash"
+  # We will not do that just, because Renovate bot is not able to update the commit hashes in the module sources
+  # @see https://github.com/renovatebot/renovate/issues/23248
+  - CKV_TF_1
+
+  # Disable some checks for GKE which are not needed
+  - CKV_GCP_22 # We do not use Shielded Nodes
+  - CKV_GCP_61 # We do not require VPC Flow Logs
+  - CKV_GCP_68 # We do not use Shielded Nodes
+  - CKV_GCP_69 # GKE Metadata server is enabled
+  - CKV_GCP_72 # We do not use Shielded Nodes
+  - CKV2_GCP_5 # False positives @see https://github.com/bridgecrewio/checkov/issues/4729
+
+  # Disable specific kubernetes checks
+  - CKV_K8S_9  # Do not require configuraiton of readiness probes for all containers as it's not always needed
+  - CKV_K8S_11 # We do not want to set CPU limits because it's considered a bad practice
+  - CKV_K8S_15 # We do not want to set imagePullPolicy to Always as it's not efficient
+  - CKV_K8S_21 # False positives for the kubernetes namespace in helm charts @see https://github.com/bridgecrewio/checkov/issues/3910
+...
diff --git a/.github/linters/.gitleaks.toml b/.github/linters/.gitleaks.toml
@@ -11,5 +11,6 @@ useDefault = true
         '''prod_secrets''',
         '''project_id_secrets''',
         '''key_temp_file''',
+        '''client_id''',
     ]
     regexTarget = "line"
diff --git a/.github/linters/.hadolint.yaml b/.github/linters/.hadolint.yaml
@@ -2,8 +2,8 @@
 # The changes to this file will be automatically overwritten on the next sync. Do not edit by hand!
 
 ignored:
-  - DL3003
-  - DL3008
-  - DL3018
-  - DL3029
-  - DL4006
+  - DL3003 # Use WORKDIR to switch to a directory
+  - DL3008 # Pin versions in apt get install
+  - DL3018 # Pin versions in pip
+  - DL3029 # Use COPY instead of ADD for files and directories
+  - DL4006 # Set the SHELL option -o pipefail explicitly
diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json
@@ -8,7 +8,10 @@
     "**/node_modules/**",
     "**/dist/**",
     "**/build/**",
-    "**/vendor/**"
+    "**/vendor/**",
+    "**/.external_modules/**",
+    "**/.terraform/**",
+    "**/README.md"
   ],
   "absolute": true
 }
diff --git a/.github/linters/.textlintrc b/.github/linters/.textlintrc
@@ -1,7 +1,11 @@
 {
   "rules": {
     "terminology": {
-      "exclude": ["web[- ]?site(s)?", "site$1"]
+      "exclude": [
+        "web[- ]?site(s)?",
+        "site$1",
+        "Git"
+      ]
     }
   }
 }
diff --git a/.github/linters/.tflint.hcl b/.github/linters/.tflint.hcl
@@ -17,6 +17,6 @@ plugin "aws" {
 
 plugin "google" {
   enabled = true
-  version = "0.29.0"
+  version = "0.30.0"
   source  = "github.com/terraform-linters/tflint-ruleset-google"
 }
diff --git a/.github/super-linter.env b/.github/super-linter.env
@@ -14,6 +14,10 @@ DEFAULT_BRANCH=main
 # We are using tflint separately (for each workspace) so we don't need to run it here
 VALIDATE_TERRAFORM_TFLINT=false
 
+# Terrascan is a no-go for now because it does not actually support the latest Terraform version
+# @see https://github.com/tenable/terrascan/issues/1331
+VALIDATE_TERRAFORM_TERRASCAN=false
+
 # We are using PHPStan instead which should be sufficient and
 # enabling both of them could cause clashes between the two
 VALIDATE_PHP_PSALM=false
@@ -23,9 +27,3 @@ VALIDATE_GO=false
 
 # Ignore CRDs for now as not all of them have a schema
 KUBERNETES_KUBECONFORM_OPTIONS=--ignore-missing-schemas
-
-# Temporary disable terrascan for now, @see https://dealroom.atlassian.net/browse/DRP-4983
-VALIDATE_TERRAFORM_TERRASCAN=false
-
-# Temporary disable checkov for now, @see https://dealroom.atlassian.net/browse/DRP-4983
-VALIDATE_CHECKOV=false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -45,10 +45,10 @@ jobs:
           fetch-depth: 0
       - name: Ensure SHA pinned actions
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10
-      - name: Check that "do not merge" label is not present
-        if: contains(github.event.pull_request.labels.*.name, 'do not merge')
+      - name: Check that "do not merge" or "do-not-merge" label is not present
+        if: contains(github.event.pull_request.labels.*.name, 'do not merge') || contains(github.event.pull_request.labels.*.name, 'do-not-merge')
         run: |
-          echo 'The "do not merge" label is present on this PR. Please remove it before continuing.'
+          echo 'The "do not merge" or "do-not-merge" label is present. Please remove it before merging.'
           exit 1
         shell: bash
       - name: Check if a setup action exists
@@ -65,8 +65,10 @@ jobs:
           github-token: ${{ secrets.GH_TOKEN_DEALROOMBA }}
           extensions: ${{ vars.EXTENSIONS || 'none' }}
       - name: Lint Codebase
-        uses: super-linter/super-linter/slim@88ea3923a7e1f89dd485d079f6eb5f5e8f937589 # v6.6.0
+        uses: super-linter/super-linter/slim@b4515bd4ad9d0aa4681960e053916ab991bdbe96 # v6.8.0
         # For a full list of environment variables see `.github/super-linter.env`
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          # Required for checkov pulling external modules from private repositories
+          GITHUB_PAT: ${{ secrets.GH_TOKEN_DEALROOMBA }}
           VALIDATE_ALL_CODEBASE: ${{ vars.LINT_VALIDATE_ALL_CODEBASE || 'true' }}
diff --git a/.github/workflows/migrate_20240320.yml b/.github/workflows/migrate_20240320.yml
@@ -1,3 +1,4 @@
+# jscpd:ignore-start
 # Auto-synced file, managed by [dealroom/core-mothership](https://github.com/dealroom/core-mothership)
 # The changes to this file will be automatically overwritten on the next sync. Do not edit by hand!
 
@@ -59,3 +60,4 @@ jobs:
           gh workflow disable -R "$GITHUB_REPOSITORY" "${{ github.workflow }}"
         env:
           GH_TOKEN: ${{ github.token }}
+# jscpd:ignore-end
diff --git a/.github/workflows/migrate_20240412.yml b/.github/workflows/migrate_20240412.yml
@@ -1,3 +1,4 @@
+# jscpd:ignore-start
 # Auto-synced file, managed by [dealroom/core-mothership](https://github.com/dealroom/core-mothership)
 # The changes to this file will be automatically overwritten on the next sync. Do not edit by hand!
 
@@ -37,3 +38,4 @@ jobs:
           gh workflow disable -R "$GITHUB_REPOSITORY" "${{ github.workflow }}"
         env:
           GH_TOKEN: ${{ github.token }}
+# jscpd:ignore-end
diff --git a/.github/workflows/migrate_20240620.yml b/.github/workflows/migrate_20240620.yml
@@ -1,3 +1,4 @@
+# jscpd:ignore-start
 # Auto-synced file, managed by [dealroom/core-mothership](https://github.com/dealroom/core-mothership)
 # The changes to this file will be automatically overwritten on the next sync. Do not edit by hand!
 
@@ -48,3 +49,4 @@ jobs:
           gh workflow disable -R "$GITHUB_REPOSITORY" "${{ github.workflow }}"
         env:
           GH_TOKEN: ${{ github.token }}
+# jscpd:ignore-end
diff --git a/README.md b/README.md
@@ -93,6 +93,6 @@ PHPUnit is used for testing, run:
 
 ## Releases and CI/CD
 
-The release is done automatically using GitHub actions on every push to the `main` branch.
+The release is done automatically using GitHub Actions on every push to the `main` branch.
 After the release is done, a new tag is created and pushed to GitHub,
 which triggers a new release in [packagist](https://packagist.org/).