chore(repo): Add workflows and configuration files (#1)

.editorconfig

@@ -0,0 +1,18 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Default settings
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+# Do not trim trailing whitespace on Markdown files as double space can be used
+# for a newline
+[*.md]
+trim_trailing_whitespace = false

.envrc

@@ -0,0 +1,4 @@
+# Read sensitive environment variables from 1password.
+
+# User token for access to remote state on terraform cloud.
+export TF_TOKEN_APP_TERRAFORM_IO="$(op read op://Servers/TF_TOKEN_APP_TERRAFORM_IO/password)"

.github/README.md

@@ -0,0 +1 @@
+# More Than Certified GitOps MiniCamp 2024

.github/workflows/pr-check.yaml

@@ -0,0 +1,14 @@
+name: PR Check
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+
+# Disable permissions for all available scopes
+permissions: {}
+
+jobs:
+  validate-pr-title:
+    name: Validate PR title
+    permissions:
+      pull-requests: write
+    uses: 3ware/workflows/.github/workflows/pr-title.yaml@7880d6b986d1d689f5d219e901b863f1378fea9c # v4.4.0

.github/workflows/release.yaml

@@ -0,0 +1,18 @@
+name: Release
+run-name: ${{ github.event.workflow_run.display_title }}
+
+on:
+  workflow_run:
+    workflows: [OpenTofu CI]
+    types: [completed]
+    branches: [main]
+
+# Disable permissions for all available scopes
+permissions: {}
+
+jobs:
+  semantic-release:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    name: Release
+    uses: 3ware/workflows/.github/workflows/release.yaml@7880d6b986d1d689f5d219e901b863f1378fea9c # v4.4.0
+    secrets: inherit

.github/workflows/trunk-check.yaml

@@ -0,0 +1,26 @@
+name: Trunk Check
+
+on:
+  pull_request:
+    branches: [main]
+
+# Disable permissions for all available scopes.
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.repository }}
+  cancel-in-progress: true
+
+jobs:
+  trunk-check:
+    name: Trunk Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Trunk Check
+        uses: trunk-io/trunk-action@0c109cf103b1bf745bb0cd8ec19d00a4609527d8 # v1.1.17

.github/workflows/wait-for-checks.yaml

@@ -0,0 +1,25 @@
+name: Checks
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+    branches: [main]
+
+# Disable permissions for all available scopes
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  enforce-all-checks:
+    permissions:
+      checks: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: GitHub Checks
+        uses: poseidon/wait-for-status-checks@6988432d64ad3f9c2608db4ca16fded1b7d36ead # v0.5.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.releaserc.json

@@ -0,0 +1,57 @@
+{
+  "branches": ["main"],
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits",
+        "releaseRules": [
+          { "breaking": true, "release": "major" },
+          { "type": "refactor", "release": "minor" },
+          { "type": "chore", "scope": "deps", "release": "patch" }
+        ]
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits",
+        "presetConfig": {
+          "types": [
+            { "type": "refactor", "section": "Enhancement", "hidden": false },
+            { "type": "feat", "section": "Features", "hidden": false },
+            { "type": "fix", "section": "Bug Fixes", "hidden": false },
+            {
+              "type": "chore",
+              "scope": "deps",
+              "section": "Chores",
+              "hidden": false
+            }
+          ]
+        }
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version}",
+        "labels": false,
+        "releasedLabels": false
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md",
+        "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": ["CHANGELOG.md"],
+        "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+      }
+    ]
+  ]
+}

.trunk/.gitignore

@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false

.trunk/configs/.tflint.hcl

@@ -0,0 +1,12 @@
+plugin "terraform" {
+  enabled = true
+  preset = "all"
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.33.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+
+  deep_check = true
+}

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/trunk.yaml

@@ -0,0 +1,68 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.6
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.3
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - [email protected]
+    - [email protected]
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  enabled:
+    - [email protected]
+    - [email protected]
+    - [email protected]:
+        commands: [fmt, validate]
+    - [email protected]
+    - [email protected]
+    - git-diff-check
+    - [email protected]
+    - [email protected]
+    - [email protected]
+    - [email protected]
+  definitions:
+    - name: tflint
+      environment:
+        - name: TFLINT_CONFIG_FILE
+          value: ${workspace}/.trunk/configs/.tflint.hcl
+        - name: TFLINT_PLUGIN_DIR
+          value: ${workspace}/.trunk/plugins/
+        - name: AWS_ACCESS_KEY_ID
+          value: ${env.AWS_ACCESS_KEY_ID}
+        - name: AWS_SECRET_ACCESS_KEY
+          value: ${env.AWS_SECRET_ACCESS_KEY}
+        - name: AWS_SESSION_TOKEN
+          value: ${env.AWS_SESSION_TOKEN}
+    - name: tofu
+      environment:
+        - name: XDG_CONFIG_HOME
+          value: ${env.XDG_CONFIG_HOME}
+          optional: true
+        - name: XDG_DATA_HOME
+          value: ${env.XDG_DATA_HOME}
+          optional: true
+  ignore:
+    #* Prevent checking README.md files generated by terraform-docs and
+    #* CHANGELOG.md files generated by semantic-release
+    - linters: [prettier, markdownlint]
+      paths:
+        - CHANGELOG.md
+        - tf/**/README.md
+    - linters: [prettier]
+      paths:
+        - "**/*.enc.yaml"
+actions:
+  enabled:
+    - commitlint
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-fmt-pre-commit
+    - trunk-upgrade-available

commitlint.config.js

@@ -0,0 +1,48 @@
+module.exports = {
+  rules: {
+    "body-leading-blank": [1, "always"],
+    "body-max-line-length": [2, "always", 72],
+    "footer-leading-blank": [1, "always"],
+    "footer-max-line-length": [2, "always", 72],
+    "header-max-length": [2, "always", 72],
+    "scope-case": [2, "always", "lower-case"],
+    "scope-empty": [1, "never"],
+    "scope-enum": [
+      1,
+      "always",
+      [
+        "checks",
+        "commitlint",
+        "pr-check",
+        "renbot",
+        "repo",
+        "tofu",
+        "tofu-ci",
+        "trunk",
+      ],
+    ],
+    //"signed-off-by": [1, "always", "Signed-off-by:"],
+    "subject-case": [1, "always", "sentence-case"],
+    "subject-empty": [2, "never"],
+    "subject-full-stop": [2, "never", "."],
+    "type-case": [2, "always", "lower-case"],
+    "type-empty": [2, "never"],
+    "type-enum": [
+      2,
+      "always",
+      [
+        "build",
+        "chore",
+        "ci",
+        "docs",
+        "feat",
+        "fix",
+        "perf",
+        "refactor",
+        "revert",
+        "style",
+        "test",
+      ],
+    ],
+  },
+};

renovate.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "enabledManagers": ["tflint-plugin"],
+  "minimumReleaseAge": "3 days",
+  "addLabels": ["auto-update"],
+  "schedule": ["before 4am on the first day of the month"]
+}