Refactor GitHub workflows and update Terraform configurations for imp…

…roved repository management
CSVD · Feb 19, 2025 · 69fe4c6 · 69fe4c6
1 parent 97a35c8
commit 69fe4c6
Show file tree

Hide file tree

Showing 10 changed files with 223 additions and 220 deletions.
diff --git a/.github/workflows/modtest-dev.yaml b/.github/workflows/modtest-dev.yaml
diff --git a/.github/workflows/terraform-doc.yaml b/.github/workflows/terraform-doc.yaml
diff --git a/.github/workflows/terraform-test.yml b/.github/workflows/terraform-test.yml
@@ -0,0 +1,55 @@
+name: "Terraform Test and Tag"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: read
+
+jobs:
+  terraform:
+    name: "Terraform Test"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~>1.6.0"
+          terraform_wrapper: false
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: false
+
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend=false
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate
+
+      - name: Run Terraform Tests
+        id: test
+        run: terraform test
+
+      - name: Bump version and push tag
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: anothrNick/github-tag-action@1.67.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: patch
+          WITH_V: true
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/github_branch.tf b/github_branch.tf
@@ -35,32 +35,42 @@ locals {
 resource "github_branch_protection" "main" {
   count = (var.enforce_prs && !var.github_is_private) || var.github_is_private ? 1 : 0
 
-  repository_id = local.github_repo.node_id
-  pattern       = var.github_default_branch
-
-  # Basic protection settings
-  enforce_admins                  = var.github_enforce_admins_branch_protection
+  repository_id                   = local.github_repo.node_id
+  pattern                        = var.github_default_branch
+  enforce_admins                 = var.github_enforce_admins_branch_protection
   allows_deletions               = false
   allows_force_pushes            = false
   require_signed_commits         = true
   required_linear_history        = true
   require_conversation_resolution = true
+  lock_branch                    = false
 
-  required_status_checks {
-    strict = try(var.required_status_checks.strict, false)
-    contexts = try(var.required_status_checks.contexts, [])
+  dynamic "required_status_checks" {
+    for_each = var.required_status_checks != null ? ["true"] : []
+    content {
+      strict   = try(var.required_status_checks.strict, false)
+      contexts = try(var.required_status_checks.contexts, [])
+    }
   }
 
-  required_pull_request_reviews {
-    dismiss_stale_reviews           = var.github_dismiss_stale_reviews
-    restrict_dismissals            = true
-    pull_request_bypassers        = var.pull_request_bypassers
-    require_code_owner_reviews      = var.github_require_code_owner_reviews
-    required_approving_review_count = var.github_required_approving_review_count
+  dynamic "required_pull_request_reviews" {
+    for_each = var.enforce_prs ? ["true"] : []
+    content {
+      dismiss_stale_reviews           = var.github_dismiss_stale_reviews
+      restrict_dismissals            = true
+      require_code_owner_reviews      = var.github_require_code_owner_reviews
+      required_approving_review_count = var.github_required_approving_review_count
+      require_last_push_approval     = true
+    }
   }
 
-  restrict_pushes {
-    push_allowances = var.github_push_restrictions
+  dynamic "push_restrictions" {
+    for_each = length(var.github_push_restrictions) > 0 ? ["true"] : []
+    content {
+      users = var.github_push_restrictions
+      teams = []
+      apps  = []
+    }
   }
 
   lifecycle {

diff --git a/github_repo.tf b/github_repo.tf
@@ -2,6 +2,12 @@ locals {
   repo_name = var.force_name ? var.name : "${var.name}-${formatdate("YYYYMMDD", timestamp())}"
   
   github_repo = var.create_repo ? github_repository.repo[0] : data.github_repository.existing[0]
+
+  validate_merge_options = (
+    var.github_allow_merge_commit || 
+    var.github_allow_squash_merge || 
+    var.github_allow_rebase_merge
+  ) ? null : file("ERROR: At least one merge option must be enabled")
 }
 
 resource "github_repository" "repo" {
@@ -12,21 +18,41 @@ resource "github_repository" "repo" {
   has_issues            = var.github_has_issues
   has_projects          = var.github_has_projects
   has_wiki              = var.github_has_wiki
+  has_downloads         = var.github_has_downloads
   auto_init             = var.github_auto_init
   archive_on_destroy    = var.archive_on_destroy
   archived              = var.archived
   vulnerability_alerts  = var.vulnerability_alerts
   topics                = var.github_repo_topics
   homepage_url          = var.homepage_url
   gitignore_template    = var.gitignore_template
+  license_template      = var.license_template
   is_template           = var.is_template
+  has_discussions       = try(var.github_has_discussions, false)
+  merge_commit_title    = try(var.github_merge_commit_title, "MERGE_MESSAGE")
+  merge_commit_message  = try(var.github_merge_commit_message, "PR_TITLE")
+  squash_merge_commit_title = try(var.github_squash_merge_commit_title, "COMMIT_OR_PR_TITLE")
+  squash_merge_commit_message = try(var.github_squash_merge_commit_message, "COMMIT_MESSAGES")
+  allow_update_branch   = try(var.github_allow_update_branch, true)
 
   allow_merge_commit     = var.github_allow_merge_commit
   allow_squash_merge     = var.github_allow_squash_merge
   allow_rebase_merge     = var.github_allow_rebase_merge
   allow_auto_merge       = var.github_allow_auto_merge
   delete_branch_on_merge = var.github_delete_branch_on_merge
 
+  security_and_analysis {
+    advanced_security {
+      status = try(var.security_and_analysis.advanced_security.status, "disabled")
+    }
+    secret_scanning {
+      status = try(var.security_and_analysis.secret_scanning.status, "disabled")
+    }
+    secret_scanning_push_protection {
+      status = try(var.security_and_analysis.secret_scanning_push_protection.status, "disabled")
+    }
+  }
+
   dynamic "template" {
     for_each = var.template_repo == null ? [] : ["*"]
     content {
@@ -59,6 +85,17 @@ resource "github_repository" "repo" {
     }
   }
 
+  dynamic "pages" {
+    for_each = var.pages_config == null ? [] : ["true"]
+    content {
+      source {
+        branch = try(var.pages_config.branch, "gh-pages")
+        path   = try(var.pages_config.path, "/")
+      }
+      cname = try(var.pages_config.cname, null)
+    }
+  }
+
   lifecycle {
     ignore_changes = [
       auto_init,