Merge branch 'develop' into chore/bump-version-to-2.3.0

nimblehq · Nov 30, 2023 · 3faf52f · 3faf52f
2 parents 92c5156 + 3e1c307
commit 3faf52f
Show file tree

Hide file tree

Showing 3 changed files with 149 additions and 10 deletions.
diff --git a/.github/workflows/increment-version.yml b/.github/workflows/increment-version.yml
@@ -0,0 +1,136 @@
+name: Increment version
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      newVersion:
+        description: Version to increment
+        required: true
+        default: auto
+        type: string
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  VERSION_FILE: ./package.json
+
+jobs:
+  set-next-version:
+    name: Set next version automatically
+    runs-on: ubuntu-latest
+    if: github.event_name != 'workflow_dispatch' || github.event.inputs.newVersion == 'auto'
+    outputs:
+      version: ${{ steps.set-next-version.outputs.version }}
+
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Get version on main
+        id: get-main-version
+        run: |
+          currentVersion=$(node -p -e "require('${{ env.VERSION_FILE }}').version")
+          echo "version=$currentVersion" >> $GITHUB_OUTPUT
+
+      - name: Checkout develop
+        uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - name: Get version on develop
+        id: get-develop-version
+        run: |
+          currentVersion=$(node -p -e "require('${{ env.VERSION_FILE }}').version")
+          echo "version=$currentVersion" >> $GITHUB_OUTPUT
+
+      - name: Set next version
+        id: set-next-version
+        env:
+          VERSION_DELIMITER: .
+        run: |
+          function ver { printf "%03d%03d%03d%03d" $(echo "$1" | tr '${VERSION_DELIMITER}' ' '); }
+
+          echo "main version: $(ver ${{ steps.get-main-version.outputs.version }})"
+          echo "develop version: $(ver ${{ steps.get-develop-version.outputs.version }})"
+
+          if [[ $(ver ${{ steps.get-main-version.outputs.version }}) -gt $(ver ${{ steps.get-develop-version.outputs.version }}) ]]; then
+            echo "main version is greater than develop version"
+
+            echo "version=${{ steps.get-main-version.outputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "develop version is greater or equal to main version"
+
+            versionComponents=($(echo "${{ steps.get-develop-version.outputs.version }}" | tr ${VERSION_DELIMITER} '\n'))
+
+            versionComponents[1]=$((versionComponents[1]+1))
+            versionComponents[2]=0
+
+            nextVersion=$(IFS=${VERSION_DELIMITER} ; echo "${versionComponents[*]}")
+
+            echo "version=$nextVersion" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Print next version
+        run: |
+          echo "Next version: ${{ steps.set-next-version.outputs.version }}"
+
+  increment-version:
+    name: Increment version
+    runs-on: ubuntu-latest
+    needs: [set-next-version]
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: develop
+
+      - name: Set next version
+        id: next-version
+        run: |
+          if [ ${{ github.event_name }} != 'workflow_dispatch' ] || [ ${{ github.event.inputs.newVersion }} == 'auto' ]; then
+            echo "version=${{ needs.set-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          else
+            echo "version=${{ github.event.inputs.newVersion }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Change version in ${{ env.VERSION_FILE }}
+        run: |
+          jq ".version = \"${{ steps.next-version.outputs.version }}\"" ${{ env.VERSION_FILE }} > ${{ env.VERSION_FILE }}.tmp && mv ${{ env.VERSION_FILE }}.tmp ${{ env.VERSION_FILE }}
+
+      - name: Update package-lock.json
+        run: npm install
+
+      - name: Create a new pull request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ github.token }}
+          branch: chore/bump-version-to-${{ steps.next-version.outputs.version }}
+          base: develop
+          delete-branch: true
+          title: "[Chore] Bump version to ${{ steps.next-version.outputs.version }}"
+          commit-message: "Bump version to ${{ steps.next-version.outputs.version }}"
+          labels: |
+            type : chore
+          body: |
+            ## What happened 👀
+
+            Bump version to ${{ steps.next-version.outputs.version }}
+
+            ## Insight 📝
+
+            Automatically created by the GitHub Actions workflow.
+
+            ## Proof Of Work 📹
+
+            On the Files changed tab
diff --git a/templates/addons/aws/modules/iam_groups/data.tf b/templates/addons/aws/modules/iam_groups/data.tf
@@ -1,10 +1,10 @@
 locals {
   # Comes from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
-  # This policy allows users to view and edit their own passwords, access keys, MFA devices, X.509 certificates, SSH keys, and Git credentials. 
-  # In addition, users are required to set up and authenticate using MFA before performing any other operations in AWS. 
-  # It also means this policy does NOT allow users to reset a password while signing in to the AWS Management Console for the first time. 
+  # This policy allows users to view and edit their own passwords, access keys, MFA devices, X.509 certificates, SSH keys, and Git credentials.
+  # In addition, users are required to set up and authenticate using MFA before performing any other operations in AWS.
+  # It also means this policy does NOT allow users to reset a password while signing in to the AWS Management Console for the first time.
   # They must first set up their MFA because allowing users to change their password without MFA can be a security risk.
-  # 
+  #
   # The following actions are added to the initial policy from AWS
   # - iam:GetLoginProfile: allows the IAM user to view their account information on the security page.
   # - iam:GetAccessKeyLastUsed: allows the IAM user to view the last time their access key was used.
@@ -123,13 +123,13 @@ locals {
   # For the bot account
   # It must be able to manage policies during terraform apply & create/delete users, permissions, etc. during terraform apply
   full_iam_access_policy = jsonencode({
-    version = "2012-10-17"
-    statement = [
+    Version = "2012-10-17"
+    Statement = [
       {
-        sid       = "AllowManageRoleAndPolicy"
-        effect    = "Allow"
-        resources = ["arn:aws:iam::*"]
-        actions   = ["iam:*"]
+        Sid      = "AllowManageRoleAndPolicy"
+        Effect   = "Allow"
+        Resource = ["arn:aws:iam::*"]
+        Action   = ["iam:*"]
       }
     ]
   })

diff --git a/templates/addons/aws/modules/iam_groups/main.tf b/templates/addons/aws/modules/iam_groups/main.tf
@@ -35,7 +35,10 @@ resource "aws_iam_group_policy_attachment" "bot_power_user_access" {
   policy_arn = data.aws_iam_policy.power_user_access.arn
 }
 
+# This IAM policy is needed for the bot account to manage IAM users & groups
+# tfsec:ignore:aws-iam-no-policy-wildcards
 resource "aws_iam_group_policy" "bot_full_iam_access" {
+  name   = "AllowFullIamAccess"
   group  = aws_iam_group.bot.name
   policy = local.full_iam_access_policy
 }