feat(checks): Add wait-for-checks workflow (#113)

.github/README.md

@@ -1,6 +1,6 @@
 # 3ware reusable workflows
 
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://img.shields.io/github/actions/workflow/status/3ware/workflows/lint.yaml?label=CI&logo=githubactions&logoColor=white)](https://github.com/3ware/workflows/actions/workflows/lint.yaml)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/3ware/workflows/badge)](https://api.securityscorecards.dev/projects/github.com/3ware/workflows) [![semantic-release: conventionalcommits](https://img.shields.io/badge/semantic--release-conventionalcommits-blue?logo=semantic-release)](https://github.com/semantic-release/semantic-release) [![GitHub release](https://img.shields.io/github/release/3ware/workflows?include_prereleases=&sort=semver&color=yellow)](https://github.com/3ware/workflows/releases/) [![issues - workflows](https://img.shields.io/github/issues/3ware/workflows)](https://github.com/3ware/workflows/issues) [![CI](https://img.shields.io/github/actions/workflow/status/3ware/workflows/lint.yaml?label=CI&logo=githubactions&logoColor=white)](https://github.com/3ware/workflows/actions/workflows/wait-for-checks.yaml)
 
 The repository contains [GitHub Action](https://docs.github.com/en/actions) [reusable workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows) that can be consumed by other repositories.
 
@@ -9,6 +9,7 @@ The repository contains [GitHub Action](https://docs.github.com/en/actions) [reu
 - [3ware reusable workflows](#3ware-reusable-workflows)
   - [Table of contents](#table-of-contents)
   - [Workflows](#workflows)
+    - [dependency-review](#dependency-review)
     - [get-terraform-dir](#get-terraform-dir)
     - [get-workflow-token](#get-workflow-token)
       - [Encrypt the token output](#encrypt-the-token-output)
@@ -17,13 +18,18 @@ The repository contains [GitHub Action](https://docs.github.com/en/actions) [reu
       - [Use encrypted token output in calling workflow](#use-encrypted-token-output-in-calling-workflow)
       - [Decrypt the token](#decrypt-the-token)
       - [Use the token for authentication](#use-the-token-for-authentication)
-    - [lint](#lint)
     - [pr-title](#pr-title)
     - [release](#release)
+    - [scorecard](#scorecard)
     - [terraform-docs](#terraform-docs)
+    - [wait-for-checks](#wait-for-checks)
 
 ## Workflows
 
+### dependency review
+
+GitHub provides a [dependency review action](https://github.com/actions/dependency-review-action) to scan pull requests for vulnerabilities.
+
 ### get-terraform-dir
 
 This workflow uses [changed-files](https://github.com/tj-actions/changed-files) to output the terraform working directory which can then be used by other actions to initialise terraform. This is useful for multi directory configurations.
@@ -110,10 +116,6 @@ calling-workflow:
 
 Thanks to this [this blog post](https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/) and [stack overflow answer](https://stackoverflow.com/a/75387551/18073694) for the wise words. See [get-workflow-token](https://github.com/3ware/workflows/blob/main/.github/workflows/get-workflow-token.yaml) and [release](https://github.com/3ware/workflows/blob/main/.github/workflows/semantic-release.yaml) for complete workflows.
 
-### lint
-
-Linting is performed using [trunk.io](https://github.com/trunk-io/trunk-action). This action makes use of the [get-terraform-dir](#get-terraform-dir) workflow to find the terraform working directory and initialise terraform, if any terraform files have been updated, so validation and linting, using [tflint](https://github.com/terraform-linters/tflint), can be performed.
-
 ### pr-title
 
 This workflow ensures that Pull Request titles follow the [conventional syntax](https://www.conventionalcommits.org/en/v1.0.0-beta.2/) using the [semantic-pull-request](https://github.com/marketplace/actions/semantic-pull-request) action. When the Pull Request is Squashed & Merged into main, the Pull Request title is used as the commit message, which is analysed by the [release](#release) workflow.
@@ -122,6 +124,14 @@ This workflow ensures that Pull Request titles follow the [conventional syntax](
 
 [Semantic Release](https://github.com/marketplace/actions/action-for-semantic-release) generates tags and releases by mapping conventional commit messages to major, minor and patch version numbers. This action requires an authentication token to push the changes it generates to protected branches. It makes use of the [get-workflow-token](#get-workflow-token) for this, instead of using a PAT.
 
+### scorecard
+
+GitHub recommends using the [OSSF Scorecard action](https://github.com/marketplace/actions/ossf-scorecard-action) action in their [Security Hardening Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-openssf-scorecards-to-secure-workflows) for GitHub Actions.
+
 ### terraform-docs
 
 [Terraform docs](https://github.com/marketplace/actions/terraform-docs-gh-actions) generates terraform module documentation and commits the updated _README_ to the repository. This workflow uses [get-workflow-token](#get-workflow-token) for authentication and [ghcommit-action](https://github.com/planetscale/ghcommit-action) to push the updated README with a verified commit.
+
+### wait-for-checks
+
+Since switching to [trunk-io's](https://docs.trunk.io/code-quality/setup-and-installation/github-integration) GitHub App for linting, the CI badge in this document was referencing a non-existent workflow. The [wait-for-checks](https://github.com/poseidon/wait-for-status-checks) workflow polls the checks api for the status of all the checks that run on a pull request and can be used as the sole required status check for a repository - and provide a reliable source for the CI badge.

.github/workflows/get-terraform-dir.yaml

@@ -64,15 +64,15 @@ jobs:
       - name: Terraform directory summary - changes
         if: ${{ steps.get-terraform-sum.outputs.all_changed_files_count != 0 }}
         run: |
-          echo "# :white_check_mark: Terraform file changes detected" >> $GITHUB_STEP_SUMMARY
+          echo "### :white_check_mark: Terraform file changes detected" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "## Terraform changes have been detected in the following directories:" >> $GITHUB_STEP_SUMMARY
+          echo "#### Terraform changes have been detected in the following directories:" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           printf '%s\n' ${{ steps.get-terraform-sum.outputs.all_changed_files }} >> $GITHUB_STEP_SUMMARY
 
       - name: Terraform directory summary - no changes
         if: ${{ steps.get-terraform-sum.outputs.all_changed_files_count == 0 }}
         run: |
-          echo "# :negative_squared_cross_mark: Terraform file changes not detected" >> $GITHUB_STEP_SUMMARY
+          echo "### :negative_squared_cross_mark: Terraform file changes not detected" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Terraform files have not been changed on this run" >> $GITHUB_STEP_SUMMARY

.github/workflows/pr-title.yaml

@@ -1,7 +1,7 @@
 name: Validate PR title
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, edited, synchronize]
     branches: [main]
   workflow_call: {}
@@ -50,13 +50,13 @@ jobs:
       - name: Summary with valid title
         if: ${{ always() && steps.validate-pr-title.outputs.error_message == null }}
         run: |
-          echo "# :white_check_mark: Pull Request title is valid" >> $GITHUB_STEP_SUMMARY
-          echo "The pull request title conforms to the conventional commit specification."
+          echo "### :white_check_mark: Pull Request title is valid" >> $GITHUB_STEP_SUMMARY
+          echo "The pull request title conforms to the conventional commit specification." >> $GITHUB_STEP_SUMMARY
 
       - name: Summary without invalid title
         if: ${{ always() && steps.validate-pr-title.outputs.error_message != null }}
         run: |
-          echo "# :bangbang: Pull Request title is invalid" >> $GITHUB_STEP_SUMMARY
+          echo "### :bangbang: Pull Request title is invalid" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "The pull request title does not conform to the conventional commit specification." >> $GITHUB_STEP_SUMMARY
           echo "${{ steps.validate-pr-title.outputs.error_message }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yaml

@@ -53,17 +53,17 @@ jobs:
       - name: Summary with release
         if: ${{ steps.release.outputs.new_release_published == 'true' }}
         run: |
-          echo "# :white_check_mark: New release published" >> $GITHUB_STEP_SUMMARY
+          echo "### :white_check_mark: New release published" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Release bumped from v${{ steps.release.outputs.last_release_version }} to v${{ steps.release.outputs.new_release_version }}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "## CHANGELOG" >> $GITHUB_STEP_SUMMARY
-          echo ""
+          echo "#### CHANGELOG" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
           echo "${{ steps.release.outputs.new_release_notes }}" >>$GITHUB_STEP_SUMMARY
 
       - name: Summary without release
         if: ${{ steps.release.outputs.new_release_published == 'false' }}
         run: |
-          echo "# :negative_squared_cross_mark: No release published" >> $GITHUB_STEP_SUMMARY
+          echo "### :negative_squared_cross_mark: No release published" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "There are no relevant changes, so no new version is released" >> $GITHUB_STEP_SUMMARY

.github/workflows/terraform-docs.yaml

@@ -67,23 +67,23 @@ jobs:
       - name: Summary with commit failure
         if: ${{ failure() && steps.push-with-sig.outcome == 'failure' }}
         run: |
-          echo "# :bangbang: ${{ env.TF_DOCS_FILE }} not updated" >> $GITHUB_STEP_SUMMARY
+          echo "### :bangbang: ${{ env.TF_DOCS_FILE }} not updated" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "## Commit failure" >> $GITHUB_STEP_SUMMARY
+          echo "#### Commit failure" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Terraform documentation has not been updated" >> $GITHUB_STEP_SUMMARY
           echo "Please review the logs" >> $GITHUB_STEP_SUMMARY
 
       - name: Summary with document changes
         if: ${{ steps.push-with-sig.conclusion == 'success' }}
         run: |
-          echo "# :white_check_mark: Terraform docs updated" >> $GITHUB_STEP_SUMMARY
+          echo "### :white_check_mark: Terraform docs updated" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "${{ steps.terraform-docs.outputs.num_changed }} $TF_DOCS_FILE files updated on $BRANCH" >> $GITHUB_STEP_SUMMARY
 
       - name: Summary without document changes
         if: ${{ steps.terraform-docs.outputs.num_changed == 0 }}
         run: |
-          echo "# :negative_squared_cross_mark: ${{ env.TF_DOCS_FILE }} not updated" >> $GITHUB_STEP_SUMMARY
+          echo "### :negative_squared_cross_mark: ${{ env.TF_DOCS_FILE }} not updated" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Terraform changes were not detected on this workflow" >> $GITHUB_STEP_SUMMARY

.github/workflows/wait-for-checks.yaml

@@ -0,0 +1,25 @@
+name: Checks
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize]
+    branches: [main]
+
+# Disable permissions for all available scopes
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  enforce-all-checks:
+    permissions:
+      checks: read
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: GitHub Checks
+        uses: poseidon/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

commitlint.config.js

@@ -11,17 +11,17 @@ module.exports = {
       1,
       "always",
       [
+        "checks",
         "commitlint",
-        "delete-workflow-run",
+        "delete-run",
         "dep-review",
-        "get-terraform-dir",
-        "get-workflow-token",
-        "lint",
+        "get-token",
         "pr-title",
-        "security",
-        "scorecard",
+        "ossf",
         "release",
+        "terraform-dir",
         "terraform-docs",
+        "workflows",
       ],
     ],
     //"signed-off-by": [1, "always", "Signed-off-by:"],