chore(deps): github actions housekeeping (#207)

While working on #206 today, I discovered lots of small housekeeping-type things that could be improved with our actions. The most consequential of these is: https://github.com/cdktf/cdktf-repository-manager/blob/59b0ad5e300f71491f8411d9e530202cd8af5b66/.github/workflows/upgrade-repositories.yml#L99-L100 This will allow us to retry calls that fail due to rate limits, which might help alleviate the issue where sometimes, the PRs don't get merged because the "automerge" label didn't get added. Worth a try, anyway!
cdktf · Jul 12, 2023 · 48abc90 · 48abc90
1 parent 027ff04
commit 48abc90
Show file tree

Hide file tree

Showing 14 changed files with 56 additions and 53 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,10 +1,3 @@
-# We use this for automatic PR review assignment within Github.
-# We don't intent to gatekeep certain parts of the codebase and
-# won't use it in branch protection rules.
-# If individual users are specified in this file, this is mainly to
-# inform them of certain PRs and we don't require a review from them
-# to be able to merge PRs.
-
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence, 
 # they will be requested for review when someone opens a 

diff --git a/.github/lib/copy-codeowners-file.js b/.github/lib/copy-codeowners-file.js
@@ -8,7 +8,7 @@ module.exports = () => {
   const fs = require("fs");
   const mainFolder = path.join(process.env.GITHUB_WORKSPACE, "main");
   const codeownersFile = fs.readFileSync(
-    path.join(mainFolder, "assets", "codeowners"),
+    path.join(mainFolder, ".github", "CODEOWNERS"),
     "utf-8"
   );
 

diff --git a/.github/workflows/add-codeowners.yml b/.github/workflows/add-codeowners.yml
@@ -10,7 +10,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: set-matrix
         run: |
           provider=$(jq -rcM "{ provider: keys }" provider.json)
@@ -26,31 +26,38 @@ jobs:
       max-parallel: 10
     steps:
       - name: Checkout this repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           path: main
       - name: Checkout cdktf-provider-${{ matrix.provider }}-go Repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: cdktf/cdktf-provider-${{ matrix.provider }}-go
           token: ${{ secrets.GH_COMMENT_TOKEN }}
+          fetch-depth: 0
           path: provider
 
-      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
-        name: Copy codeowners file to provider repo
+      - name: Set git identity
+        run: |-
+          git config user.name "team-tf-cdk"
+          git config user.email "github-team-tf-cdk@hashicorp.com"
+        working-directory: ./provider
+
+      - name: Delete old branches from previous runs
+        run: |
+          git branch -r | egrep -o "add-update-codeowners-file.*" | xargs -n 1 git push origin --delete
+        working-directory: ./provider
+        continue-on-error: true
+
+      - name: Copy codeowners file to provider repo
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const {resolve} = require('path')
             const scriptPath = resolve("./main/.github/lib/copy-codeowners-file")
             const script = require(scriptPath)
             script()
 
-      - name: Set git identity
-        run: |-
-          git config user.name "team-tf-cdk"
-          git config user.email "github-team-tf-cdk@hashicorp.com"
-        working-directory: ./provider
-
       - name: Check for changes
         id: git_diff
         run: |
@@ -68,9 +75,11 @@ jobs:
 
       - if: steps.git_diff.outputs.has_changes
         name: "Create PR"
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           github-token: ${{ secrets.GH_COMMENT_TOKEN }}
+          retries: 5
+          retry-exempt-status-codes: 400,401,404
           script: |
             const {resolve} = require('path')
             const scriptPath = resolve("./main/.github/lib/create-pr")

diff --git a/.github/workflows/add-copyright-headers.yml b/.github/workflows/add-copyright-headers.yml
@@ -18,7 +18,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.3.0
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}

diff --git a/.github/workflows/create-next-pr.yml b/.github/workflows/create-next-pr.yml
@@ -11,7 +11,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: set-matrix
         run: |
           provider=$(jq -rcM "{ provider: keys }" provider.json)
@@ -29,6 +29,6 @@ jobs:
       max-parallel: 10
     steps:
       - name: Trigger workflow
-        run: gh workflow run next-cdktf-version-pr -R hashicorp/cdktf-provider-${{ matrix.provider }}
+        run: gh workflow run next-cdktf-version-pr -R cdktf/cdktf-provider-${{ matrix.provider }}
         env:
           GH_TOKEN: ${{ secrets.GH_COMMENT_TOKEN }}
diff --git a/.github/workflows/deploy-cdktf-stacks.yml b/.github/workflows/deploy-cdktf-stacks.yml
@@ -22,15 +22,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
         with:
           terraform_version: 1.0.7
           cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "14"
 
@@ -44,11 +44,11 @@ jobs:
 
       - name: Send failures to Slack
         if: ${{ failure() && !cancelled() }}
-        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
         with:
           payload: |
             {
-              "run_url": "https://github.com/hashicorp/terraform-ls/actions/runs/${{ github.run_id }}"
+              "run_url": "https://github.com/cdktf/cdktf-repository-manager/actions/runs/${{ github.run_id }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.FAILURE_SLACK_WEBHOOK_URL }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -13,7 +13,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: set-matrix
         run: |
           stack=$(jq -rcM ".stacks | { stack: keys }" sharded-stacks.json)

diff --git a/.github/workflows/diff-cdktf-stacks.yml b/.github/workflows/diff-cdktf-stacks.yml
@@ -19,15 +19,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
         with:
           terraform_version: 1.0.7
           cli_config_credentials_token: ${{ secrets.TF_CLOUD_TOKEN }}
 
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c
+      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: "14"
 
@@ -44,7 +44,7 @@ jobs:
           terraform plan -no-color | tee ../../../plan_stdout_${{ matrix.stack }}.txt; echo $?
           set +o pipefail
         continue-on-error: true
-      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         if: github.event_name == 'pull_request'
         with:
           github-token: ${{ secrets.GH_COMMENT_TOKEN }}

diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml
@@ -9,7 +9,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: set-matrix
         run: |
           stack=$(jq -rcM ".stacks | { stack: keys }" sharded-stacks.json)

diff --git a/.github/workflows/gh-action-upgrade.yml b/.github/workflows/gh-action-upgrade.yml
@@ -8,22 +8,22 @@ on:
 
 env:
   GH_TOKEN: ${{ secrets.GH_TOKEN_ACTIONS_UPDATER }}
-  PR_TITLE: "chore: update github workflow actions"
+  PR_TITLE: "chore(deps): update github workflow actions"
 
 jobs:
   update:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           token: ${{ secrets.GH_TOKEN_ACTIONS_UPDATER }}
       - name: Find and close older versions of this same PR
         run: |
           prlist=$(gh search prs --repo ${{ github.repository }} --state open --match title "$PR_TITLE" --json number --jq '.[].number')
           [ -n "$prlist" ] && gh pr close -d --comment "Closing this because I'm about to open a newer PR." ${prlist}
+        continue-on-error: true
       - name: Run GitHub Actions Version Updater
-        if: success() || failure()
-        uses: saadmk11/github-actions-version-updater@a7fd643bb3e9c1ef8f5c70bb5b645f5a2a9f395c
+        uses: saadmk11/github-actions-version-updater@a7fd643bb3e9c1ef8f5c70bb5b645f5a2a9f395c # TSCCR: no entry for repository "saadmk11/github-actions-version-updater"
         with:
           token: ${{ secrets.GH_TOKEN_ACTIONS_UPDATER }}
           committer_username: "team-tf-cdk"
@@ -36,12 +36,13 @@ jobs:
 
   pin:
     runs-on: ubuntu-latest
-    if: success() || failure()
     needs: [update]
     steps:
       - name: Find and checkout the PR just created
+        id: find_pr
         run: |
           prnumber=$(gh search prs --repo ${{ github.repository }} --state open --match title "$PR_TITLE" --json number --jq '.[].number')
+          echo "pr=$prnumber" >> $GITHUB_OUTPUT
           gh pr checkout ${prnumber}
       - name: Setup TSCCR helper
         uses: hashicorp/setup-tsccr@v1
@@ -58,5 +59,8 @@ jobs:
         if: steps.get_changes.outputs.changed != 0
         run: |-
           git add .
-          git commit -s -m "chore: pin all workflows based on HashiCorp TSCCR"
+          git commit -s -m "chore(deps): pin all workflows based on HashiCorp TSCCR"
           git push
+      - name: Add automerge label
+        run: |
+          gh pr edit ${{ steps.find_pr.outputs.pr }} --add-label "automerge"
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -12,7 +12,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@c1b35aecc5cdb1a34539d14196df55838bb2f836
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1
         with:
           issue-comment: >
             I'm going to lock this issue because it has been closed for at least 30 days. This helps our maintainers find and focus on the active issues.

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84
+      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
         with:
           # For issues: post a "warning" message after 30 days, then close if another 30 days pass without a response. In another workflow, issues closed for 30 days will be locked.
           stale-issue-message: "Hi there! 👋 We haven't heard from you in 30 days and would like to know if the problem has been resolved or if you still need help. If we don't hear from you before then, I'll auto-close this issue in 30 days."

diff --git a/.github/workflows/upgrade-repositories.yml b/.github/workflows/upgrade-repositories.yml
@@ -11,7 +11,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: set-matrix
         run: |
           provider=$(jq -rcM "{ provider: keys }" provider.json)
@@ -29,17 +29,17 @@ jobs:
       max-parallel: 10
     steps:
       - name: Checkout this repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           path: main
       - name: Checkout cdktf-provider-${{ matrix.provider }} Repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: cdktf/cdktf-provider-${{ matrix.provider }}
           token: ${{ secrets.GH_COMMENT_TOKEN }}
           path: provider
 
-      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         name: Create projen run commands file
         with:
           script: |
@@ -74,7 +74,7 @@ jobs:
       - if: steps.git_diff.outputs.has_changes
         name: Detect breaking version changes
         id: diff_changes
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const {resolve} = require('path')
@@ -93,9 +93,11 @@ jobs:
 
       - if: steps.git_diff.outputs.has_changes
         name: "Create PR"
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           github-token: ${{ secrets.GH_COMMENT_TOKEN }}
+          retries: 5
+          retry-exempt-status-codes: 400,401,404
           script: |
             const {resolve} = require('path')
             const scriptPath = resolve("./main/.github/lib/create-pr")
@@ -109,12 +111,12 @@ jobs:
 
       - name: Send failures to Slack
         if: ${{ failure() && !cancelled() }}
-        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
         with:
           payload: |
             {
               "provider_name": "${{ matrix.provider }}",
-              "run_url": "https://github.com/hashicorp/cdktf-repository-manager/actions/runs/${{ github.run_id }}"
+              "run_url": "https://github.com/cdktf/cdktf-repository-manager/actions/runs/${{ github.run_id }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.FAILURE_SLACK_WEBHOOK_URL }}
diff --git a/assets/codeowners b/assets/codeowners