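---
name: Pre-Commit

on:
  merge_group:
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened
  push:
    branches:
      - main
  schedule:
    # Run once a week (see https://crontab.guru)
    - cron: "0 0 * * 0"
  workflow_dispatch:

# Cancel any in-progress job when a new workflow is triggered
concurrency:
  cancel-in-progress: true
  group: pre-commit-${{ github.workflow }}-${{ github.ref }}

# Read-only default token for every job. The only write (the autofix push)
# is done with a GitHub App token minted inside the gated environment below.
permissions:
  contents: read

env:
  GO_VERSION: "1.26.3"
  PYTHON_VERSION: "3.14.5"
  # Release tags of tools that are downloaded straight from GitHub releases.
  # Unlike the SHA-pinned actions, a tag is not an integrity check (tags and
  # release assets can be re-pointed); see the TODOs on the download steps.
  TFD_VERSION: "v0.22.0"
  TG_VERSION: "v0.69.1"

jobs:
  pre-commit:
    name: Update pre-commit hooks and run pre-commit
    runs-on: ubuntu-latest
    outputs:
      has-fixes: ${{ steps.capture.outputs.has-fixes }}
    steps:
      - name: Checkout git repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Check out the exact PR head commit rather than the head branch name:
          # the branch does not exist in this repository for fork PRs (the
          # checkout would fail), and the SHA pins the autofix patch to the
          # commit that triggered the run. Non-PR events (merge_group, push,
          # schedule, workflow_dispatch) fall back to github.ref.
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: 'pip'
          cache-dependency-path: '.hooks/requirements.txt'
      - name: Install dependencies
        run: |
          python3 -m pip install -r .hooks/requirements.txt
      - name: Install Ansible collections
        run: |
          ansible-galaxy collection install -r ansible/requirements.yml --force
      - name: Build and install collection locally
        working-directory: ansible
        run: |
          ansible-galaxy collection build --force
          ansible-galaxy collection install dreadnode-goad-*.tar.gz -p ~/.ansible/collections --force --pre
      - name: Set up Terraform
        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4
        with:
          terraform_version: "1.9.7"
      - name: Set up Terragrunt
        run: |
          # TODO(security): verify a pinned sha256 of /tmp/terragrunt before
          # installing it; the release tag in TG_VERSION alone does not
          # guarantee the asset is the one that was reviewed.
          curl -fsSL -o /tmp/terragrunt \
            "https://github.com/gruntwork-io/terragrunt/releases/download/${TG_VERSION}/terragrunt_linux_amd64"
          sudo install -m 0755 /tmp/terragrunt /usr/local/bin/terragrunt
          terragrunt --version
      - name: Set up TFLint
        uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6
        with:
          tflint_version: "v0.61.0"
      - name: Init TFLint
        env:
          # Read-only token, only used so plugin downloads are not rate-limited.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: tflint --init --config .hooks/linters/.tflint.hcl
      - name: Set up terraform-docs
        run: |
          # TODO(security): verify a pinned sha256 of the downloaded archive
          # before extracting; see the note on TFD_VERSION above.
          curl -fsSL -o /tmp/terraform-docs.tar.gz \
            "https://github.com/terraform-docs/terraform-docs/releases/download/${TFD_VERSION}/terraform-docs-${TFD_VERSION}-linux-amd64.tar.gz"
          tar -xzf /tmp/terraform-docs.tar.gz -C /tmp terraform-docs
          sudo install -m 0755 /tmp/terraform-docs /usr/local/bin/terraform-docs
          terraform-docs --version
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install Go tools
        run: |
          # Install shfmt
          go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.1
          # Install goimports
          go install golang.org/x/tools/cmd/goimports@v0.44.0
          # Install gocyclo
          go install github.com/fzipp/gocyclo/cmd/gocyclo@v0.6.0
          # Install gocritic
          go install github.com/go-critic/go-critic/cmd/gocritic@v0.14.3
          # Add Go bin directory to PATH
          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
      - name: Install golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          install-only: true
      - name: Run pre-commit
        id: precommit
        run: |
          pre-commit run --show-diff-on-failure --color=always --all-files
      - name: Capture autofix patch
        id: capture
        # Only when pre-commit itself failed, not when an earlier setup step did.
        if: ${{ failure() && steps.precommit.outcome == 'failure' }}
        run: |
          # Only modifications to tracked files are captured; files newly
          # created by a hook would be untracked and are not part of the patch.
          if git diff --quiet HEAD; then
            echo "pre-commit failed without modifying tracked files; no autofix possible"
            echo "has-fixes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          git diff --binary HEAD > autofix.patch
          echo "has-fixes=true" >> "$GITHUB_OUTPUT"
      - name: Upload autofix patch
        if: ${{ failure() && steps.capture.outputs.has-fixes == 'true' }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: autofix-patch
          path: autofix.patch
          retention-days: 1
          if-no-files-found: error

  autocommit:
    name: Apply pre-commit autofixes to bot PR
    needs: pre-commit
    # Pushes only to same-repo PRs opened by the Renovate bot, so no
    # third-party branch is ever written to with the App token.
    if: >-
      failure() &&
      needs.pre-commit.outputs.has-fixes == 'true' &&
      github.event_name == 'pull_request' &&
      github.event.pull_request.user.login == 'dreadnode-renovate-bot[bot]' &&
      !github.event.pull_request.head.repo.fork
    runs-on: ubuntu-latest
    # The App credentials live in this environment, not in repository secrets.
    environment: pre-commit-autofix
    permissions:
      contents: read
    steps:
      - name: Generate app token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        id: app-token
        with:
          app-id: "${{ secrets.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
      - name: Check PR is still open
        id: pr-state
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          state=$(gh pr view "${PR_NUMBER}" --repo "${GITHUB_REPOSITORY}" --json state --jq .state)
          echo "PR #${PR_NUMBER} state: ${state}"
          if [ "${state}" = "OPEN" ]; then
            echo "open=true" >> "$GITHUB_OUTPUT"
          else
            echo "open=false" >> "$GITHUB_OUTPUT"
            echo "Skipping autofix push: PR is ${state}."
          fi
      - name: Checkout PR head
        if: steps.pr-state.outputs.open == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The same commit the patch was generated against. If the branch has
          # moved since, the plain (non-forced) push below is rejected as a
          # non-fast-forward instead of applying a stale patch on top of
          # commits this run never linted.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: Download autofix patch
        if: steps.pr-state.outputs.open == 'true'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: autofix-patch
      - name: Apply patch and push
        if: steps.pr-state.outputs.open == 'true'
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          APP_TOKEN: ${{ steps.app-token.outputs.token }}
          # Bot identity is kept in secrets so it is masked in the job log.
          GIT_AUTHOR_NAME: "${{ secrets.BOT_USERNAME }}[bot]"
          GIT_AUTHOR_EMAIL: "${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com"
          GIT_COMMITTER_NAME: "${{ secrets.BOT_USERNAME }}[bot]"
          GIT_COMMITTER_EMAIL: "${{ secrets.BOT_USER_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com"
        run: |
          git apply --index autofix.patch
          git commit -m "chore: apply pre-commit autofixes"
          # One-shot auth header passed via -c so the token is never written
          # to the repository's git config.
          AUTH_HEADER="AUTHORIZATION: basic $(printf 'x-access-token:%s' "${APP_TOKEN}" | base64 -w0)"
          git -c http.https://github.com/.extraheader="${AUTH_HEADER}" \
            push "https://github.com/${GITHUB_REPOSITORY}.git" "HEAD:${HEAD_REF}"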