Documentation, template files, workflows and descriptions for this organization. The repository uses a GitHub feature that lets you provide certain files once and have them serve as defaults for all repositories in an organization.
## GitHub Repository Settings

Configures the GitHub repository settings via the API. It should only run on `push` to the master/main branch and on schedule.

The GitHub Application *MMS settings as code* must be installed in the GitHub repository. The settings must be specified in a JSON configuration file; the default is `.github/settings.json`. The configuration of the settings is based on the GitHub REST API documentation:
| setting | REST API Documentation | required basic configuration |
|---|---|---|
| repository | Update a repository | `{ "repos": {} }` |
| collaborator | Add a repository collaborator | `{ "collaborators": {} }` |

| secrets | description | required |
|---|---|---|
| GH_APP_CREDENTIALS_TOKEN | password of the GitHub Application *MMS settings as code*, created by @jandd as an Organisation secret, scoped to terraform-* repositories | true |

| inputs | description | type | required | default |
|---|---|---|---|---|
| settings | path/name of the settings file | string | false | .github/settings.json |
```yaml
name: Settings
on:
  push:
    branches:
      - main
  schedule:
    - cron: '0 10 * * *'
jobs:
  call-settings:
    # docs: https://github.com/telekom-mms/.github#github-repository-settings
    uses: telekom-mms/.github/.github/workflows/github_repository.yml@main
    secrets:
      GH_APP_CREDENTIALS_TOKEN: ${{ secrets.GH_APP_CREDENTIALS_TOKEN }}
```
Example `.github/settings.json`:

```json
{
  "repos": {
    "description": "A Terraform module that manages the container resources from the azurerm provider.",
    "homepage": "https://telekom-mms.github.io",
    "visibility": "public",
    "default_branch": "main",
    "topics": [
      "terraform",
      "azure",
      "azurerm-container-registry"
    ]
  }
}
```
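The following is an added example, not code from the telekom-mms/.github repository: an offline pre-flight check for a `settings.json` in the shape the Settings workflow consumes. It verifies that only the documented top-level sections (`repos`, `collaborators`) are present, computes which `repos` fields would change against a constructed snapshot of the repository's current state (standing in for what `GET /repos/{owner}/{repo}` returns; no API call is made), and flags a visibility change to `public` separately, since a scheduled run would apply it silently.

```javascript
// Added example, not part of the telekom-mms/.github repository: an offline
// pre-flight check for a settings.json as consumed by the Settings workflow
// ({ "repos": {...}, "collaborators": {...} }). The "current state" object is
// a constructed sample standing in for the fields GET /repos/{owner}/{repo}
// would return; nothing here talks to the API.

// The two top-level sections the README lists as the required basic configuration.
const REQUIRED_SECTIONS = ['repos', 'collaborators'];

// Constructed settings.json contents, same fields as the README's example.
const desiredSettings = {
  repos: {
    description: 'A Terraform module that manages the container resources from the azurerm provider.',
    homepage: 'https://telekom-mms.github.io',
    visibility: 'public',
    default_branch: 'main',
    topics: ['terraform', 'azure', 'azurerm-container-registry'],
  },
  collaborators: {},
};

// Constructed snapshot of how the repository looks before the workflow runs.
const currentRepo = {
  description: 'A Terraform module.',
  homepage: 'https://telekom-mms.github.io',
  visibility: 'private',
  default_branch: 'master',
  topics: ['azure', 'terraform'],
};

// Structural check: every required section present, no unknown sections.
function validateSettings(settings) {
  const problems = [];
  for (const key of REQUIRED_SECTIONS) {
    if (!(key in settings)) problems.push(`missing section "${key}"`);
  }
  for (const key of Object.keys(settings)) {
    if (!REQUIRED_SECTIONS.includes(key)) problems.push(`unknown section "${key}"`);
  }
  return problems;
}

// Order-insensitive comparison for list-valued fields such as topics.
function sameValue(a, b) {
  if (Array.isArray(a) && Array.isArray(b)) {
    const x = [...a].sort();
    const y = [...b].sort();
    return x.length === y.length && x.every((v, i) => v === y[i]);
  }
  return a === b;
}

// The plan: every "repos" field whose desired value differs from the current one.
function planRepoChanges(desired, current) {
  const changes = [];
  for (const [field, want] of Object.entries(desired)) {
    if (!sameValue(want, current[field])) {
      changes.push({ field, from: current[field], to: want });
    }
  }
  return changes;
}

// Visibility is the one field that widens who can read the repository, so
// call it out instead of letting a scheduled run apply it quietly.
function riskyChanges(changes) {
  return changes.filter((c) => c.field === 'visibility' && c.to === 'public' && c.from !== 'public');
}

const problems = validateSettings(desiredSettings);
if (problems.length > 0) {
  console.log('settings.json problems:', problems);
} else {
  const changes = planRepoChanges(desiredSettings.repos, currentRepo);
  for (const c of changes) console.log(`${c.field}: ${JSON.stringify(c.from)} -> ${JSON.stringify(c.to)}`);
  for (const c of riskyChanges(changes)) console.log(`WARNING: ${c.field} would become ${c.to}`);
}
```

Run it with `node` before committing a changed `settings.json`; with the constructed snapshot above it reports four field changes and one warning for the visibility change.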
## Publish collection to Ansible Galaxy

Publishes an Ansible collection to Ansible Galaxy. It should only run when a release is `released` (not `published`, as that event includes pre-releases).

The action builds and deploys the collection. It then checks out the main branch, updates the `galaxy.yml` with the tag and finally pushes the `galaxy.yml`.
| secrets | description | required |
|---|---|---|
| GALAXY_API_KEY | the API key to deploy to Galaxy, created by @rndmh3ro as an Organisation secret | true |
| GH_APP_CREDENTIALS_TOKEN | password of the GitHub Application *MMS settings as code*, created by @jandd as an Organisation secret, scoped to terraform-* repositories | true |
```yaml
name: Publish collection to Ansible Galaxy
on:
  release:
    types:
      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
      - released
jobs:
  deploy:
    # docs: https://github.com/telekom-mms/.github#publish-collection-to-ansible-galaxy
    uses: telekom-mms/.github/.github/workflows/ansible-galaxy-publish.yml@main
    secrets:
      GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
      GH_APP_CREDENTIALS_TOKEN: ${{ secrets.GH_APP_CREDENTIALS_TOKEN }}
```
## Publish role to Ansible Galaxy

Publishes an Ansible role to Ansible Galaxy. It should only run when a release is `released` (not `published`, as that event includes pre-releases).

The action builds and deploys the role.
| secrets | description | required |
|---|---|---|
| GALAXY_API_KEY | the API key to deploy to Galaxy, created by @rndmh3ro as an Organisation secret | true |
```yaml
name: Publish role to Ansible Galaxy
on:
  release:
    types:
      # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release
      - released
jobs:
  deploy:
    # docs: https://github.com/telekom-mms/.github#publish-role-to-ansible-galaxy
    uses: telekom-mms/.github/.github/workflows/ansible-galaxy-role-publish.yml@main
    secrets:
      GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
```
## Python Linting

Lint Python code with poetry and black. It should run on `push` and `pull_request`.

The action sets up Python and Poetry, installs the required dependencies and lints the code.
```yaml
name: Linting
on: [push, pull_request]
jobs:
  linting:
    # docs: https://github.com/telekom-mms/.github#python-linting
    uses: telekom-mms/.github/.github/workflows/python_linting.yml@main
```
## Golang Linting

Lint Golang code. It should run on `push` and `pull_request`.

The action sets up Go, installs the required modules and lints the code.
```yaml
name: Linting
on: [push, pull_request]
jobs:
  linting:
    # docs: https://github.com/telekom-mms/.github#golang-linting
    uses: telekom-mms/.github/.github/workflows/golang_linting.yml@main
```
## Release

Publishes a new draft release on GitHub. It should only run on `push` to the master/main branch.

The action creates a new draft release and updates the changelog. Furthermore, it adds defined files (e.g. created in other workflows) to the release. The user then has to publish the new release.

The push step of this action uses the GitHub App *MMS branch protection as code* to push to the main branch, bypassing branch protection rules. Make sure to pass the secret to the job (see the example).
| inputs | description | type | required |
|---|---|---|---|
| files | files which should be included in the release | string | false |

| secrets | description | required |
|---|---|---|
| GH_BRANCH_PROTECTION_APP_TOKEN | password of the GitHub Application *MMS branch protection as code*, created by @jandd as an Organisation secret, scoped to specific repositories. Pass it exactly as described in the example below. | true |
```yaml
name: Release
on:
  push:
    branches:
      - main
jobs:
  release:
    # docs: https://github.com/telekom-mms/.github#release
    if: github.repository != '$TEMPLATE_REPOSITORY'
    uses: telekom-mms/.github/.github/workflows/release.yml@main
    secrets:
      GH_BRANCH_PROTECTION_APP_TOKEN: ${{ secrets.GH_BRANCH_PROTECTION_APP_TOKEN }}
```
## Terraform docs

Creates the README.md from Terraform code. For a custom configuration, create a `.terraform-docs.yml` in your repository. For further configuration options see terraform-docs.

It should only run on `push` to the master/main branch.
```yaml
name: Update Docs
on:
  push:
    branches:
      - main
jobs:
  readme:
    # docs: https://github.com/telekom-mms/.github#terraform-docs
    uses: telekom-mms/.github/.github/workflows/terraform_docs.yml@main
```
## Terraform linting

Lint Terraform code. It should run on `push` and `pull_request`.

Inputs and secrets: none
```yaml
name: Linting
on: [push, pull_request]
jobs:
  linting:
    # docs: https://github.com/telekom-mms/.github#terraform-linting
    uses: telekom-mms/.github/.github/workflows/terraform_linting.yml@main
```
## Terrascan

Detect compliance and security violations across Infrastructure as Code (IaC). For further information see terrascan.

It should run on `pull_request`.
| inputs | description | type | default | required |
|---|---|---|---|---|
| iac_type | type of code that should be checked, e.g. helm, k8s, kustomize, terraform; to see all supported types look at terrascan#iac_type | string | terraform | true |
| policy_type | which policies should be tested, e.g. all, aws, azure, gcp, github, k8s; to see all supported types look at https://github.com/tenable/terrascan-action#policy_type | string | all | false |
| non_recursive | Whether directories and modules should be scanned recursively | boolean | false | false |
```yaml
name: Scan
on: [pull_request]
jobs:
  scan:
    # docs: https://github.com/telekom-mms/.github#terrascan
    uses: telekom-mms/.github/.github/workflows/terrascan.yml@main
    with:
      iac_type: terraform
      policy_type: all
      non_recursive: true
```
## Terratest

Automated tests for your infrastructure code. It should run on `pull_request`.

The action sets up Go, logs into your hosting platform if needed, prepares the test setup and runs the tests. For further information about the action used for the tests see terratest-action.
| secrets | description | required |
|---|---|---|
| AZURE_CLIENT_SECRET | password of the Azure AD application, created by @rndmh3ro as an Organisation secret, scoped to terraform-* repositories | false |
| AZURE_CLIENT_ID | application_id of the Azure AD application, created by @rndmh3ro as an Organisation secret, scoped to terraform-* repositories | false |
| AZURE_SUBSCRIPTION_ID | Azure subscription id, created by @rndmh3ro as an Organisation secret, scoped to terraform-* repositories | false |
| AZURE_TENANT_ID | Azure tenant id, created by @rndmh3ro as an Organisation secret, scoped to terraform-* repositories | false |

| inputs | description | type | required |
|---|---|---|---|
| test | name of the test to run, currently supported: [azure] | string | true |
```yaml
name: Test
on: [pull_request]
jobs:
  test:
    # docs: https://github.com/telekom-mms/.github#terratest
    uses: telekom-mms/.github/.github/workflows/terratest.yml@main
    with:
      test: azure
    secrets:
      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
```
## Codespell

Spellchecking that is compatible with a lot of programming languages and text formats. It should run on `push` and `pull_request`.

Integrates the tool codespell.
| inputs | description | type | required |
|---|---|---|---|
| ignore_words_list | Comma-separated list of words which will be ignored by codespell. | string | false |
| skip | Comma-separated list of files to skip (it accepts globs as well). | string | false |
```yaml
name: Codespell - Spellcheck
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  codespell:
    # docs: https://github.com/telekom-mms/.github#codespell
    uses: "telekom-mms/.github/.github/workflows/codespell.yml@main"
```
## ansible-lint

Run ansible-lint against your code. It should run on `push` and `pull_request`.

Integrates the tool ansible-lint.

Inputs and secrets: none
```yaml
name: ansible-lint
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  ansible-lint:
    # docs: https://github.com/telekom-mms/.github#ansible-lint
    uses: "telekom-mms/.github/.github/workflows/ansible-lint.yml@main"
```
## prettier-md

Prettier is:

- An opinionated code formatter
- Supports many languages
- Integrates with most editors
- Has few options

It should run on `push` and `pull_request`.

Integrates the tool prettier.

Inputs and secrets: none
```yaml
name: Prettify Markdown
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  prettier-md:
    # docs: https://github.com/telekom-mms/.github#prettier-md
    uses: "telekom-mms/.github/.github/workflows/prettier-md.yml@main"
```
## Generating the GitHub App credentials token

You can generate the token by running the following JavaScript script (or in other ways), replacing `appId`, `installationId` and `privateKey` with the appropriate values. The private key can be generated here. The `appId` and `installationId` can be found in the GitHub App settings.
```javascript
console.log(
  Buffer.from(
    JSON.stringify({
      appId: '601230',
      installationId: '80123120',
      privateKey: `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmurnQ/dF3Y+S0vq46ROfEHQ9WUbmNMVmfikNAL09GCqdbE3V
W3r3N0+S7r4n93rs+70/L0v3+j00KN0w7/3h/RuL3s4ndS0D014+pHULl+k0Mm17
M3N7S/wh47+/1+M/7H1NK1N90Fj00w0uLdn7+9377H1SphR0M4Ny0+7H+3r+9uy/
1juS7++W4nN4+73lL/J00H0w1mPH33l/1n990774M4K/3j00UnD3rs74nDN3V3R9
0nn491v3/j00up/n3V3R+90nn4/l37J00D0WNn3V3R+90nN4RuN/4R0unD+4nD/d
3S3r7J00n3V3R/90nn4m4k3j00cRyN3v3R90nN4s4y900d8y3N3V3R+90Nn473lL
/4/L134NdHUr7J00/w3v3Kn0WN/34CH07H3RPh0R+s0L0n9J00rh34r7+s/833N/
4cH1N9+8u7+J00R3/700ShY++70S4Y17/1Ns1d3/W380/+7hKn0w+Wh47S//833n
+901n9//0N/W3k+N0w73H+94M3/4nD+w3+/r390nn4PL4y/174nD1fJ00+4SKM3H
H0w1+MPh33l1n9/d0N7/73llM3hj00+r3700/8L1nd/70S33/n3/V+3r90nN4/91
V3+J00Up+N3V3r+90nn4l37J00d0Wn/N3V3r/90NN4rUN+4R0Und/4ndD3+s3r7J
00/N3V3r90NN4/+m4k3+j00CRy+N3V3r+/90nn4+S4Y900d8y3/n3v3r90nN4+73
LL/4++l134Nd/HUR7/J00N3v3r//90Nn4+91v3+j00UP/n3v3R90Nn4/L37J00D/
0WNn3V3R90nN4R/U/n+4+r0UND4nd/D3s3r7j00+N3v3R+/90NN4M4K3/j00/crY
N3+V3r90nN/4+s4y900d8/Y3N3v3R/9/0nn4/73LL4/l134NDhur7/j00+N3V3r+
90NN/491v/3N3V3r+90nN491V391v3j00UP00hn3v3R++90nn4+91v3++N3V3R90
N+N491v391V3j0+0Up+w3v3+kn0WN/34ch07H3Rph0rS0/l0N9j00RH34r7s/833
N4CH1n98u7+j00r3/700+/sHY+70/s4y171ns1d3w3/807H/kN0wwh47/S/833N9
01N90N+/w3kN0w73H94M3/4NdW3r3/90NN4+PL4Y/+17+/1JUS7/w4Nn473LlJ00
h0w1m/PH33L1n990774M4k3/j00/und3RS74NdN3v3R90N+N491V3/J00u/PN3V3
R90nn4L37/J00+D0wnn3v3r90Nn4run4r0UNd4Ndd3S3r7+J00/N3v3r90NN4m4K
3J00CRY/n3v3R90NN4/s4y900D8y3n3v3r90+NN4+73LL4l13+4NdHUR7+j00n3V
3R/90Nn491V3J00UPn3V3r90nN4L37/J00+d0wnN3v3r90NN4ruN+4r0UND+4nD+
D3s++3r7J00N3v3r90NN4/M4K3j00+Cryn3V3R+90nn/4+S4Y900//D8y3n3v3R9
+0nN473Ll4L1+34NdhuR7J00N3V3r90NN4+91v3j00+uPn3V3r/9
-----END RSA PRIVATE KEY-----`,
    }),
  ).toString('base64'),
)
```
It results in this token:

```
eyJhcHBJZCI6IjYxMjkwIiwiaWS0tLS0tIn0=
```

This token then needs to be set here.
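As an added example (not the script from this README), the following Node script performs the same encoding as the one-liner above, then decodes the token again and checks its shape before it is stored as an organisation secret. The key, `appId` and `installationId` values are constructed placeholders; the function names are this example's own. The decode step also makes the security-relevant point concrete: base64 is an encoding, not encryption, so anyone holding the token holds the App's private key.

```javascript
// Added example, not the script from this README: builds the GitHub App
// credentials token the same way (base64 of a JSON object with appId,
// installationId and privateKey), decodes it again and checks its shape.
// The key below is a constructed placeholder, not a real key.

const PLACEHOLDER_PRIVATE_KEY = [
  '-----BEGIN RSA PRIVATE KEY-----',
  'PLACEHOLDER-NOT-A-REAL-KEY',
  '-----END RSA PRIVATE KEY-----',
].join('\n');

// Constructed sample values; appId and installationId are numeric strings,
// as in the README's script.
const SAMPLE_CREDENTIALS = {
  appId: '123456',
  installationId: '78901234',
  privateKey: PLACEHOLDER_PRIVATE_KEY,
};

// Same encoding as the README's one-liner: JSON, then base64.
function encodeAppCredentials(creds) {
  return Buffer.from(JSON.stringify(creds)).toString('base64');
}

// Reverse step: the private key comes straight back out of the token,
// which is why the token must live in an encrypted organisation secret.
function decodeAppCredentials(token) {
  return JSON.parse(Buffer.from(token, 'base64').toString('utf8'));
}

// Shape check before storing the token, so a malformed one fails here
// rather than inside a workflow run that needs the App.
function checkCredentials(creds) {
  const problems = [];
  if (!/^\d+$/.test(String(creds.appId ?? ''))) {
    problems.push('appId must be a numeric string');
  }
  if (!/^\d+$/.test(String(creds.installationId ?? ''))) {
    problems.push('installationId must be a numeric string');
  }
  const key = typeof creds.privateKey === 'string' ? creds.privateKey : '';
  if (!key.startsWith('-----BEGIN RSA PRIVATE KEY-----') ||
      !key.trimEnd().endsWith('-----END RSA PRIVATE KEY-----')) {
    problems.push('privateKey must be a PEM-encoded RSA private key');
  }
  return problems;
}

const token = encodeAppCredentials(SAMPLE_CREDENTIALS);
console.log('token:', token);
const decoded = decodeAppCredentials(token);
console.log('round trip ok:', JSON.stringify(decoded) === JSON.stringify(SAMPLE_CREDENTIALS));
console.log('problems:', checkCredentials(decoded));
```

Because the token decodes back to the key with one `Buffer.from(token, 'base64')` call, treat it exactly like the private key itself: store it only as a secret, and keep the secret scoped to the repositories that need it, as the secrets tables above describe.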