Merge pull request #83 from remerge/initialize-template

Initialize copier template

.checkov.yml

@@ -0,0 +1,31 @@
+---
+quiet: true
+compact: false
+
+skip-check:
+  # https://github.com/bridgecrewio/checkov/issues/5286
+  - CKV_TF_1
+  # do not enforce Customer Supplied Encryption Keys (CSEK)
+  - CKV_GCP_37
+  - CKV_GCP_38
+  - CKV_GCP_80
+  - CKV_GCP_81
+  - CKV_GCP_83
+  - CKV_GCP_84
+  - CKV_GCP_85
+  - CKV_GCP_90
+  - CKV_GCP_91
+  - CKV_GCP_93
+  # do not enforce vpc flow logs
+  - CKV_GCP_26
+  - CKV_GCP_61
+  # restricted default service account is ok
+  - CKV_GCP_30
+  # do not enforce bucket access log
+  - CKV_GCP_62
+  # do not enforce bucket object versioning
+  - CKV_GCP_78
+  # we want serial port console access
+  - CKV_GCP_35
+  # base64 high entropy check causes too many false positives
+  - CKV_SECRET_6

.copier-answers.yml

@@ -0,0 +1,16 @@
+---
+# Changes here will be overwritten by Copier
+_commit: v2.4.4
+_src_path: gh:remerge/template
+project_id: workflows
+project_license: private
+project_name: GitHub Actions Workflows
+project_owner: core
+project_type: default
+run_workflows_for_all_branches: false
+use_ansible: false
+use_consul: false
+use_golang: false
+use_nomad: false
+use_python: false
+use_terraform: false

.envrc

@@ -0,0 +1,20 @@
+# Turns on shell execution strictness. This will force the .envrc
+# evaluation context to exit immediately if:
+#
+# - any command in a pipeline returns a non-zero exit status that is
+#   not otherwise handled as part of `if`, `while`, or `until` tests,
+#   return value negation (`!`), or part of a boolean (`&&` or `||`)
+#   chain.
+# - any variable that has not explicitly been set or declared (with
+#   either `declare` or `local`) is referenced.
+strict_env
+
+# Loads a ".env" file into the current environment
+dotenv_if_exists "${PWD}"/../.env
+dotenv_if_exists "${PWD}"/.env
+
+# Add local scripts to PATH
+PATH_add "${PWD}/bin"
+
+# Enforce correct 1Password account
+export OP_ACCOUNT=remerge.1password.com

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# By default all files are owned by the project owner
+* @remerge/core

.github/actionlint.yaml

@@ -1,7 +1,8 @@
 ---
 self-hosted-runner:
-  # Labels of self-hosted runner in array of string
   labels:
     - generic
-    - default
+    - self-hosted
     - nomad
+    - docker
+    - default

.github/workflows/actions-doc.yml

@@ -1,3 +1,4 @@
+---
 name: Update github actions doc
 on:
   workflow_run:
@@ -20,8 +21,8 @@ jobs:
         run: python ./scripts/documentation/main.py -p .github/workflows/ > ./doc.md
       - uses: remerge/Github-action-confluence-sync@develop
         with:
-          from: './doc.md'
-          to: '2306670708'
+          from: "./doc.md"
+          to: "2306670708"
           cloud: remerge
           user: ${{secrets.confluence_user_email}}
           token: ${{secrets.confluence_token}}

.github/workflows/actions-lint.yml

@@ -1,3 +1,4 @@
+---
 name: Lint github action
 on: [push]
 

.github/workflows/check-repos-i-depend-on.yml

@@ -1,3 +1,4 @@
+---
 # we want to run the "go get $dependency && go mod tidy && open PR if needed"
 # workflow for every dependency every time the main branch gets updated.
 # this fixes possible merge conflicts in existing branches/PRs and closes them
@@ -39,32 +40,32 @@ jobs:
     outputs:
       dependencies: ${{ steps.prepare.outputs.dependencies }}
     steps:
-    - name: Set up SSH agent
-      uses: webfactory/[email protected]
-      with:
-        ssh-private-key: ${{ secrets.ssh_key }}
+      - name: Set up SSH agent
+        uses: webfactory/[email protected]
+        with:
+          ssh-private-key: ${{ secrets.ssh_key }}
 
-    - name: Set global git config
-      run: git config --global [email protected]:.insteadof https://github.com/
+      - name: Set global git config
+        run: git config --global [email protected]:.insteadof https://github.com/
 
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ inputs.golang_version || env.GO_VERSION }}
+      - name: Check out code
+        uses: actions/checkout@v3
 
-    - name: Prepare dependencies
-      id: prepare
-      run: |
-        DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
-        DEPS=$(go list -m -f '{{if not .Indirect}}{{if not .Main}}{{.Path}}{{end}}{{end}}' all | grep "github.com/remerge/" | awk -F'/' '{print $NF}' | awk '{print $1}' | jq -R . | jq -s .)
-        {
-          echo "dependencies<<$DELIMITER"
-          echo "$DEPS"
-          echo "$DELIMITER"
-        } >> "$GITHUB_OUTPUT"
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ inputs.golang_version || env.GO_VERSION }}
+
+      - name: Prepare dependencies
+        id: prepare
+        run: |
+          DELIMITER=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          DEPS=$(go list -m -f '{{if not .Indirect}}{{if not .Main}}{{.Path}}{{end}}{{end}}' all | grep "github.com/remerge/" | awk -F'/' '{print $NF}' | awk '{print $1}' | jq -R . | jq -s .)
+          {
+            echo "dependencies<<$DELIMITER"
+            echo "$DEPS"
+            echo "$DELIMITER"
+          } >> "$GITHUB_OUTPUT"
 
   notify-self-about-all-dependencies:
     needs: prepare-dependencies
@@ -73,15 +74,15 @@ jobs:
         dependency: ${{ fromJSON(needs.prepare-dependencies.outputs.dependencies) }}
     runs-on: ${{ inputs.os }}
     steps:
-    - run: echo ${{ matrix.dependency }}
-      shell: bash
+      - run: echo ${{ matrix.dependency }}
+        shell: bash
 
-    - name: Check possible dependency update
-      uses: remerge/check-possible-dependency-update@main
-      with:
-        repo_path: "github.com/remerge/${{ matrix.dependency }}"
-        repo_name: "remerge/${{ matrix.dependency }}"
-        assign_to: ${{ inputs.assign_to }}
-        app_id: ${{ secrets.app_id }}
-        app_key: ${{ secrets.app_key }}
-        ssh_key: ${{ secrets.ssh_key }}
+      - name: Check possible dependency update
+        uses: remerge/check-possible-dependency-update@main
+        with:
+          repo_path: "github.com/remerge/${{ matrix.dependency }}"
+          repo_name: "remerge/${{ matrix.dependency }}"
+          assign_to: ${{ inputs.assign_to }}
+          app_id: ${{ secrets.app_id }}
+          app_key: ${{ secrets.app_key }}
+          ssh_key: ${{ secrets.ssh_key }}

.github/workflows/docker-gcr-push.yml

@@ -1,3 +1,4 @@
+---
 name: Docker build and push to GCR
 
 on:

.github/workflows/docker.yml

@@ -1,3 +1,4 @@
+---
 name: Docker build and push to GAR
 
 on:

.github/workflows/go-build.yml

@@ -1,3 +1,4 @@
+---
 name: Go app build
 
 on:
@@ -17,16 +18,16 @@ on:
         description: "Git branches eligible to build"
         type: string
         required: false
-        default: 'production'
+        default: "production"
       os:
         description: "OS version to run the workflow on. If not provided, defaults to 'ubuntu-latest'"
         type: string
         default: ubuntu-latest
         required: false
     outputs:
       artifact:
-        description: 'Binary output artifact'
-        value: '${{ jobs.go-app.outputs.artifact }}'
+        description: "Binary output artifact"
+        value: "${{ jobs.go-app.outputs.artifact }}"
     secrets:
       ssh_key:
         description: "SSH key to use"
@@ -40,34 +41,34 @@ jobs:
       GOPRIVATE: ${{ inputs.goprivate }}
       REPONAME: ${{ github.event.repository.name }}
     outputs:
-      artifact: '${{ github.event.repository.name }}.linux.amd64'
+      artifact: "${{ github.event.repository.name }}.linux.amd64"
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-build-
+      - uses: actions/checkout@v3
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-
 
-    - run: echo "GO_VERSION=$(grep '^go ' < go.mod | awk '{print $2}')" >> "$GITHUB_ENV"
-    - uses: actions/setup-go@v4
-      with:
-        go-version: ${{ inputs.golang_version || env.GO_VERSION }}
-    - uses: webfactory/[email protected]
-      with:
-        ssh-private-key: '${{ secrets.ssh_key }}'
-    - run: 'git config --global url."[email protected]:".insteadOf "https://github.com/"'
+      - run: echo "GO_VERSION=$(grep '^go ' < go.mod | awk '{print $2}')" >> "$GITHUB_ENV"
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ inputs.golang_version || env.GO_VERSION }}
+      - uses: webfactory/[email protected]
+        with:
+          ssh-private-key: "${{ secrets.ssh_key }}"
+      - run: 'git config --global url."[email protected]:".insteadOf "https://github.com/"'
 
-    - run: make dist
-      env:
-        CI_COMMIT: ${{ github.sha }}
-        CI_REPO: ${{ env.REPONAME }}
-        CI_NUM: ${{ github.run_id }}
-    - uses: actions/upload-artifact@v3
-      with:
-        name: ${{ env.REPONAME }}.linux.amd64
-        path: .build/${{ env.REPONAME }}.linux.amd64
+      - run: make dist
+        env:
+          CI_COMMIT: ${{ github.sha }}
+          CI_REPO: ${{ env.REPONAME }}
+          CI_NUM: ${{ github.run_id }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: ${{ env.REPONAME }}.linux.amd64
+          path: .build/${{ env.REPONAME }}.linux.amd64

.github/workflows/go-checks.yml

@@ -1,3 +1,4 @@
+---
 # Runs common checks for Go package: lint (fmt, modules, static, shadowing),
 # tests and race.
 
@@ -24,7 +25,7 @@ on:
       lint-target:
         type: string
         required: false
-        default: 'lint'
+        default: "lint"
         description: "Lint Make target"
       no-lint-gen:
         type: boolean
@@ -69,49 +70,49 @@ jobs:
     name: "lint_and_test"
     runs-on: ${{ inputs.os }}
     steps:
-    - uses: actions/checkout@v3
-    - run: echo "GO_VERSION=$(grep '^go ' < go.mod | awk '{print $2}')" >> "$GITHUB_ENV"
-    - name: go modules cache
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg
-        key: ${{ runner.os }}-go-mod-${{ github.job }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-mod-${{ github.job }}-
-    - name: go tools cache
-      uses: actions/cache@v3
-      with:
-        path: |
-          ${{ github.workspace }}/.tools
-        key: ${{ runner.os }}-go-tools-${{ inputs.golang_version || env.GO_VERSION }}-${{ github.job }}
-        restore-keys: |
-          ${{ runner.os }}-go-tools-${{ inputs.golang_version || env.GO_VERSION }}-${{ github.job }}
-    - uses: actions/setup-go@v4
-      with:
-        go-version: ${{ inputs.golang_version || env.GO_VERSION }}
-    - uses: ruby/setup-ruby@v1
-      with:
-        bundler-cache: true
-        ruby-version: '${{ inputs.lint-gen-ruby-version }}'
-      if: "${{ !inputs.no-lint-gen && inputs.lint-gen-ruby-version != '' }}"
+      - uses: actions/checkout@v3
+      - run: echo "GO_VERSION=$(grep '^go ' < go.mod | awk '{print $2}')" >> "$GITHUB_ENV"
+      - name: go modules cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg
+          key: ${{ runner.os }}-go-mod-${{ github.job }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-${{ github.job }}-
+      - name: go tools cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ${{ github.workspace }}/.tools
+          key: ${{ runner.os }}-go-tools-${{ inputs.golang_version || env.GO_VERSION }}-${{ github.job }}
+          restore-keys: |
+            ${{ runner.os }}-go-tools-${{ inputs.golang_version || env.GO_VERSION }}-${{ github.job }}
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ inputs.golang_version || env.GO_VERSION }}
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: "${{ inputs.lint-gen-ruby-version }}"
+        if: "${{ !inputs.no-lint-gen && inputs.lint-gen-ruby-version != '' }}"
 
-    - uses: webfactory/[email protected]
-      with:
-        ssh-private-key: '${{ secrets.ssh_key }}'
-      if: "${{ inputs.goprivate != '' }}"
+      - uses: webfactory/[email protected]
+        with:
+          ssh-private-key: "${{ secrets.ssh_key }}"
+        if: "${{ inputs.goprivate != '' }}"
 
-    - run: 'git config --global url."[email protected]:".insteadOf "https://github.com/"'
-      if: "${{ inputs.goprivate != '' }}"
+      - run: 'git config --global url."[email protected]:".insteadOf "https://github.com/"'
+        if: "${{ inputs.goprivate != '' }}"
 
-    - run: make ${{ inputs.lint-target }}
-    - run: make gen && git diff --exit-code --name-only HEAD
-      if: '!inputs.no-lint-gen'
-    - run: 'docker-compose -f "${{ inputs.compose-file }}" up -d --build && sleep ${{ inputs.compose-wait }}'
-      if: "${{ !inputs.no-compose && hashFiles(inputs.compose-file) != '' }}"
-    - run: make test-nocache
-    - run: make race-nocache
-      if: '!inputs.no-race'
-    - run: 'docker-compose -f "${{ inputs.compose-file }}" down'
-      if: "${{ always() && !inputs.no-compose && hashFiles(inputs.compose-file) != '' }}"
+      - run: make ${{ inputs.lint-target }}
+      - run: make gen && git diff --exit-code --name-only HEAD
+        if: "${{ !inputs.no-lint-gen }}"
+      - run: 'docker-compose -f "${{ inputs.compose-file }}" up -d --build && sleep ${{ inputs.compose-wait }}'
+        if: "${{ !inputs.no-compose && hashFiles(inputs.compose-file) != '' }}"
+      - run: make test-nocache
+      - run: make race-nocache
+        if: "${{ !inputs.no-race }}"
+      - run: 'docker-compose -f "${{ inputs.compose-file }}" down'
+        if: "${{ always() && !inputs.no-compose && hashFiles(inputs.compose-file) != '' }}"