Merge remote-tracking branch 'upstream/main'

Author: Florian Knop

.ci/Dockerfile

@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1.2
-FROM node:18 as build
+FROM node:20 as build
 WORKDIR /lambdas
 RUN apt-get update \
         && apt-get install -y zip \

.ci/terraform-init-all.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# This script will run terraform init in all subdirectories of the examples directory
+# required to run tflint via pre-commit
+
+# only run the script if a uniique pid file exits if not creat it or --force flag is passed
+pid="/tmp/philips-labs-terraform-aws-github-runner.pid"
+if [ "$1" == "--force" ]; then
+  rm -f /tmp/philips-labs-terraform-aws-github-runner.pid
+fi
+
+if [ ! -f $pid ]; then
+  echo $$ > $pid
+else
+  echo "Init all terraform directories will be skipped. To run the script remove the file $pid or run with --force"
+  exit 0
+fi
+
+# Change to the examples directory
+example_dirs=$(find examples -mindepth 1 -maxdepth 2 -type d | grep -v "templates")
+module_dirs=$(find modules -mindepth 1 -maxdepth 2 -type d | grep -v "templates")
+
+# merge example_dirs and module_dirs in terraform_dirs
+terraform_dirs=$(echo $example_dirs $module_dirs "modules/runners/pool" | tr " " "\n" | sort -u | tr "\n" " ")
+
+for dir in $terraform_dirs; do
+  # Check if the subdirectory exists in Git
+  if git rev-parse --is-inside-work-tree &>/dev/null && git ls-files --error-unmatch "$dir" &>/dev/null; then
+    echo "Running terraform init in ${dir} - supressing output"
+    pushd "$dir" >/dev/null
+    terraform init -lockfile=readonly -backend=false &>/dev/null || true
+    popd >/dev/null
+  fi
+done

.devcontainer/Dockerfile

@@ -0,0 +1,2 @@
+ARG VARIANT="20-bullseye"
+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}

.devcontainer/bashrc.sh

@@ -0,0 +1,17 @@
+open_workspace() {
+    local workspace_file=$WORKSPACE/.vscode/gh-runners.code-workspace
+
+    if ! [ -f "$workspace_file" ]; then
+        echo "🔴 Missing workspace file"
+        return 1
+    fi
+
+    echo "🟡 Opening workspace"
+    if code "$workspace_file"; then
+        echo "🟢 Workspace opened"
+        return 0
+    else
+        echo "🔴 Failed to open workspace"
+        return 1
+    fi
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,32 @@
+{
+	"name": "GitHub Runners AWS",
+  "build": { "dockerfile": "Dockerfile" },
+  "features": {
+    "ghcr.io/devcontainers/features/github-cli:1": {},
+    "ghcr.io/devcontainers/features/terraform:1": {}
+  },
+
+  "containerEnv": {
+    "WORKSPACE": "${containerWorkspaceFolder}" // e.g. /workspaces/my-project
+  },
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "dbaeumer.vscode-eslint",
+        "editorconfig.editorconfig",
+        "esbenp.prettier-vscode",
+        "firsttris.vscode-jest-runner",
+        "hashicorp.hcl",
+        "hashicorp.terraform",
+        "hashicorp.terraform",
+        "orta.vscode-jest",
+        "yzhang.markdown-all-in-one"
+      ]
+    }
+  },
+  "postCreateCommand": {
+    "bash_command": "bash ${containerWorkspaceFolder}/.devcontainer/postCreateScript.sh",
+    "welcome": "sudo cp -v .devcontainer/welcome.txt /usr/local/etc/vscode-dev-containers/first-run-notice.txt || true && sudo cp -v .devcontainer/welcome.txt /workspaces/.codespaces/shared/first-run-notice.txt || true"
+  }
+}

.devcontainer/postCreateScript.sh

@@ -0,0 +1 @@
+printf "source \$WORKSPACE/.devcontainer/bashrc.sh\n" >> ~/.bashrc

.devcontainer/welcome.txt

@@ -0,0 +1,53 @@
+================================================================================
+================================================================================
+=====================================================++++**+++==================
+=================================================+++++=********+================
+=============================================+***+=--:-#********+===============
+==========================================+***+=--:::::-+*#*****+===============
+=======================================+*#%*=--:::::::::::-=====+===============
+=====================================+#%%##%*-:::::::::::::::::+================
+===========================++======*#%%#######=-::::::::::::::=+================
+=======================++==---::-+#%%###########+-:::::::::::-+=================
+====================+==-::::::-=#%%################+=::::::::+==================
+=================++=-:::::::-=#%%%####%%##**########%#*++=-:++==================
+===============+=-:::-------*%%%###%%%#=:...:-*############*+===================
+=====.   .-====-:--++***+++#%%###%#%%+:      .-*###########+====================
+===-.      --:-++**+=====+%%%###%%#%*-        :*#########*======================
+===      .:==++=========*%%%#####%#%*=.      .=#########*=======================
+===:     :: .==========+%%%%#####%%%%#+=-:::-+#########+========================
+====:        :=========#%%%%#####%#**#####*##########+==========================
+====         .=========%%%%%####*+=*%##############=============================
+====-....    :--------=##%%%%#*==*%##############=::++==========================
+========--::---------=-=#%%%#+=#%#############*=-::-*===========================
+======------------=+*=---*#++*%#############+-:::::++===========================
+=====----------=+*+=+---=++*%%%%#########**+-:::::++============================
+===----------+*+=-+*+-=+=*#+=*%%%%%%%#*+==+#=:::-*+=============================
+==---------+**+-=**+===**=-=--=+***+======#+-::=+===============================
+==----------+=-=**=:=+*=--++---==========**=:-++================================
+=---------=*=-=**=::::--=*+----=-:::-===**=-=+==================================
+=--------=*=-+**+::-=*+=*+-----=.    ..=+==+====================================
+=-------==--***+=+**=*+*=------.      -+=..=====================================
+=------=--=***+**+=-+*+------==.    .=+:  .=====================================
+=--------=*****+---++=-----=====   .=:   :======================================
+==------=***+=----==-----======-        -=======================================
+===----=*+=------=-----=========:      .========================================
+====--==------------==============--============================================
+======--------==================================================================
+================================================================================
+================================================================================
+================================================================================
+================================================================================
+==========================================================================-:-=++
+
+
+Welcome to the AWS GitHub runners:
+
+Load the vscode workspace to get started
+
+Option 1: run `open_workspace`
+Option 2: open the workspace file `.vscoe/gh-runners.code-workspace` and load the workspace
+
+Build the lambda:
+- cd lambdas
+- yarn instal & yarn run dist
+

.github/workflows/auto-approve-dependabot.yml

@@ -12,6 +12,6 @@ jobs:
     if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
     runs-on: ubuntu-latest
     steps:
-      - uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4 # ratchet:hmarr/auto-approve-action@v3.2.1
+      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # ratchet:hmarr/auto-approve-action@v4.0.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/lambda.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node: [18]
+        node: [20]
     container:
       image: node:${{ matrix.node }}
     defaults:
@@ -32,7 +32,7 @@ jobs:
       - name: Build distribution
         run: yarn build
       - name: Upload coverage report
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v31.2
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v31.2
         if: ${{ failure() }}
         with:
           name: coverage-reports

.github/workflows/release.yml

@@ -14,15 +14,15 @@ jobs:
       contents: write
       actions: write
     steps:
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: 18
+          node-version: 20
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
       - name: Build dist
         working-directory: lambdas
-        run: yarn install && yarn run test && yarn dist
+        run: yarn install --frozen-lockfile && yarn run test && yarn dist
       - name: Get installation token
-        uses: philips-software/app-token-action@a37926571e4cec6f219e06727136efdd073d8657 # ratchet:philips-software/app-token-action@v1.1.2
+        uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # ratchet:philips-software/app-token-action@v2.0.0
         id: token
         with:
           app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
@@ -34,13 +34,13 @@ jobs:
         run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
       - name: Release
         id: release
-        uses: google-github-actions/release-please-action@4c5670f886fe259db4d11222f7dff41c1382304d # ratchet:google-github-actions/release-please-action@v3
+        uses: google-github-actions/release-please-action@cc61a07e2da466bebbc19b3a7dd01d6aecb20d1e # ratchet:google-github-actions/release-please-action@v3
         with:
           default-branch: ${{ steps.branch.outputs.name }}
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}
       - name: Upload Release Asset
-        if: ${{ steps.release.outputs.releases_created }}
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |

.github/workflows/semantic-check.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
-      - uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 # ratchet:amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # ratchet:amannn/action-semantic-pull-request@v5
         name: Check PR for Semantic Commit Message
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -10,7 +10,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # ratchet:actions/stale@v7
+      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # ratchet:actions/stale@v7
         with:
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs.  Thank you for your contributions.

.github/workflows/terraform.yml

@@ -46,7 +46,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -94,7 +94,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.3.')
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -143,7 +143,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@v4
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins

.github/workflows/update-docs.yml

@@ -16,38 +16,48 @@ jobs:
     name: Auto update terraform docs
     runs-on: ubuntu-latest
     steps:
-      - name: Get installation token
-        uses: philips-software/app-token-action@a37926571e4cec6f219e06727136efdd073d8657 # ratchet:philips-software/[email protected]
-        id: token
-        with:
-          app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
-          app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
-          auth_type: installation
-
-      # We use the app for branches in this this repo to ensure PR chekcs are kept in place.
-      - if: github.event_name == 'push' && github.repository_owner == 'philips-labs' && github.ref != 'refs/heads/main'
-        name: Checkout with App Token
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
-        with:
-          token: ${{ steps.token.outputs.token }}
-
-      - if: (github.event_name == 'push' && github.repository_owner != 'philips-labs') || github.ref == 'refs/heads/main'
-        name: Checkout with GITHUB Action token
+      - name: Checkout with GITHUB Action token
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
 
       - name: Generate TF docs
         uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # ratchet:terraform-docs/[email protected]
         with:
           find-dir: .
           git-commit-message: "docs: auto update terraform docs"
-          git-push: ${{ github.ref != 'refs/heads/main' }}
+          git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'philips-labs' }}
 
+      # change docs via PR in case of locked main branch
       - name: Create Pull Request (main branch only)
-        if: github.ref == 'refs/heads/main'
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # ratchet:peter-evans/create-pull-request@v5.0.2
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'philips-labs'
+        uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # ratchet:peter-evans/create-pull-request@v6.0.0
         with:
-          token: ${{ steps.token.outputs.token || secrets.GITHUB_TOKEN }}
-          commit-message: "Update Terraform docs"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "docs: auto update terraform docs"
           title: "docs: Update Terraform docs"
-          branch: ${{ github.event.pull_request.base.ref }}-update-docs
+          branch: update-docs
+          branch-suffix: random
           base: ${{ github.event.pull_request.base.ref }}
+          delete-branch: true
+
+  deploy-pages:
+    needs: [docs]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/checkout@v4
+      - name: Configure Git Credentials
+        run: |
+          git config user.name github-actions[bot]
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+      - uses: actions/cache@v4
+        with:
+          key: mkdocs-material-${{ env.cache_id }}
+          path: .cache
+          restore-keys: |
+            mkdocs-material-
+      - run: pip install mkdocs-material
+      - run: pip install mkdocs-material-extensions
+      - run: mkdocs gh-deploy --force -c -b gh-pages

.gitignore

@@ -22,3 +22,4 @@ secrets.auto.tfvars
 **/coverage/*
 
 node_modules/
+site/