fix: improve logs #51
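name: validate

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: main

# Least privilege for the workflow token: every job only reads the checkout, and
# validate-commit-message reads PR metadata through `gh pr view`.
permissions:
  contents: read
  pull-requests: read

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GITHUB_OWNER: ${{ github.repository_owner }}

# Every `run` step executes inside the flake's dev shell. Declared once here
# instead of being repeated verbatim on each step; the string is unchanged.
defaults:
  run:
    shell: nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep GITHUB_TOKEN --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(review): pin this third-party action to a full commit SHA instead of
      # the mutable `main` branch so the toolchain installer cannot change underneath us.
      - uses: matttrach/nix-installer-action@main
      - name: lint terraform
        run: |
          terraform fmt -check -recursive
          tflint --recursive

  actionlint:
    name: 'Lint Workflows'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(review): pin to a full commit SHA (see the terraform job).
      - uses: matttrach/nix-installer-action@main
      - name: action lint
        run: actionlint

  shellcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(review): pin to a full commit SHA (see the terraform job).
      - uses: matttrach/nix-installer-action@main
      - name: shell check
        run: |
          # Lint every file that starts with a shebang. The dots in the exclusion
          # patterns are escaped so they match a literal '.' only; an unescaped '.'
          # matches any character and would also drop files such as 'digit.sh'.
          # NOTE: '\.git' still skips '.github/', exactly as the old filter did.
          while read -r file; do
            # grep prints nothing when no script exists; skip instead of running shellcheck "".
            [ -n "$file" ] || continue
            echo "checking $file..."
            shellcheck -x "$file"
          done <<<"$(grep -Rl -e '^#!' | grep -v -e '\.terraform' -e '\.git')"

  validate-commit-message:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # fetch all history so that we can validate the commit messages
      # TODO(review): pin to a full commit SHA (see the terraform job).
      - uses: matttrach/nix-installer-action@main
      - name: Check commit message
        env:
          # Passed through the environment rather than spliced into the script as an
          # inline ${{ }} expression, so the script text never contains context values.
          PR_NUMBER: ${{ github.event.number }}
        run: |
          set -eo pipefail
          # Check commit messages
          # This step enforces https://www.conventionalcommits.org/en/v1.0.0/
          # This format enables automatic generation of changelogs and versioning

          # Print the message when it starts with an allowed prefix; print nothing otherwise.
          # Every pattern is anchored with '^' (the '!' variants were not, which let the
          # prefix appear anywhere in the line). `|| true` keeps grep's "no match" exit
          # status from tripping errexit.
          filter() {
            COMMIT="$1"
            output="$(echo "$COMMIT" | grep -e '^fix: ' -e '^feature: ' -e '^feat: ' -e '^refactor!: ' -e '^feature!: ' -e '^feat!: ' -e '^chore(main): ' || true)"
            echo "$output"
          }

          # Fail when filter() matched nothing. The old test was inverted, and the
          # variable it echoed was never assigned (ouput/output), so the check never fired.
          prefix_check() {
            message="$1"
            if [ "" == "$(filter "$message")" ]; then
              echo "...Commit message does not start with the required prefix.
          Please use one of the following prefixes: fix:, feature:, feat:, refactor!:, feature!:, feat!:.
          'chore(main): ' is also allowed for release PRs.
          This enables release-please to automatically determine the type of release (major, minor, patch) based on the commit message.
          $message"
              exit 1
            else
              echo "...Commit message starts with the required prefix."
            fi
          }

          # Reject an empty subject line.
          empty_check() {
            message="$1"
            if [ "" == "$message" ]; then
              echo "...Empty commit message."
              exit 1
            else
              echo "...Commit message isnt empty."
            fi
          }

          # Reject subject lines of 50 characters or more. ${#message} counts characters
          # without the trailing newline that `wc -m <<<` adds, so `-ge 50` is the same
          # bound the old `-gt 50` enforced; it also fixes the report, which previously
          # passed the message to `wc -m` as a file name.
          length_check() {
            message="$1"
            if [ "${#message}" -ge 50 ]; then
              echo "...Commit message subject line should be less than 50 characters, found ${#message}."
              exit 1
            else
              echo "...Commit message subject line is less than 50 characters."
            fi
          }

          # Reject subject lines containing words aspell does not know.
          spell_check() {
            message="$1"
            WORDS="$(aspell list <<<"$message")"
            if [ "" != "$WORDS" ]; then
              echo "...Commit message contains spelling errors on: ^$WORDS\$"
              echo "...Also try updating the PR title."
              exit 1
            else
              echo "...Commit message doesnt contain spelling errors."
            fi
          }

          # Fetch the commit messages; with pipefail a failing `gh` call aborts the step
          # instead of silently yielding an empty list.
          COMMIT_MESSAGES="$(gh pr view "$PR_NUMBER" --json commits | jq -r '.commits[].messageHeadline')"
          echo "Commit messages found: "
          echo "$COMMIT_MESSAGES"
          if [ "" == "$COMMIT_MESSAGES" ]; then echo "...No commit messages found"; exit 1; fi
          while read -r message; do
            echo "checking message ^$message\$"
            prefix_check "$message"
            empty_check "$message"
            length_check "$message"
            spell_check "$message"
            echo "message ^$message\$ passed all checks"
          done <<<"$COMMIT_MESSAGES"

  gitleaks:
    name: 'Scan for Secrets'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(review): pin to a full commit SHA (see the terraform job).
      - uses: matttrach/nix-installer-action@main
      - name: Check for secrets
        run: |
          # --redact keeps the verbose finding report but masks the matched secret
          # values, so a real leak is not copied into the job log a second time.
          gitleaks detect --no-banner -v --redact --no-git
          gitleaks detect --no-banner -v --redact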