gcp-nuke be born 🌅

.github/renovate.json

@@ -0,0 +1,85 @@
+{
+    "extends": [
+        "config:recommended"
+    ],
+    "vulnerabilityAlerts": {
+        "labels": ["security"],
+        "automerge": true,
+        "assignees": ["@ekristen"]
+    },
+    "osvVulnerabilityAlerts": true,
+    "packageRules": [
+        {
+            "matchUpdateTypes": [
+                "minor",
+                "patch"
+            ],
+            "matchCurrentVersion": "!/^0/",
+            "automerge": true
+        },
+        {
+            "matchDatasources": [
+                "go",
+                "docker"
+            ],
+            "groupName": "kubernetes",
+            "groupSlug": "kubernetes",
+            "matchPackagePatterns": [
+                "^k8s.io/"
+            ],
+            "matchPackageNames": [
+                "bitnami/kubectl"
+            ]
+        },
+        {
+            "matchManagers": [
+                "dockerfile"
+            ],
+            "matchUpdateTypes": [
+                "pin",
+                "digest"
+            ],
+            "automerge": true,
+            "labels": ["patch"]
+        },
+        {
+            "matchPackagePatterns": [
+                "^golang.*"
+            ],
+            "groupName": "golang",
+            "groupSlug": "golang"
+        },
+        {
+            "matchFileNames": [
+                ".github/workflows/*.yml"
+            ],
+            "matchDepTypes": [
+                "action"
+            ],
+            "matchCurrentVersion": "!/^0/",
+            "automerge": true,
+            "labels": ["bot/skip-changelog"]
+        }
+    ],
+    "regexManagers": [
+        {
+            "fileMatch": [
+                ".*.go$"
+            ],
+            "matchStrings": [
+                "\"(?<currentValue>.*)\" \/\/ renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\s"
+            ],
+            "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
+        },
+        {
+            "fileMatch": [
+                "^.github/workflows/.*"
+            ],
+            "matchStrings": [
+                "go-version: (?<currentValue>.*?).x\n"
+            ],
+            "depNameTemplate": "golang",
+            "datasourceTemplate": "docker"
+        }
+    ]
+}

.github/workflows/commit-lint.yml

@@ -0,0 +1,20 @@
+name: commit-lint
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  commit-lint:
+    name: commit-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: wagoid/commitlint-github-action@v6

.github/workflows/docs.yml

@@ -0,0 +1,60 @@
+name: docs
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - docs/**
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: setup pages
+        uses: actions/configure-pages@v4
+      - name: setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: setup cache
+        run: |
+          echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+      - name: handle cache
+        uses: actions/cache@v4
+        with:
+          key: mkdocs-material-${{ env.cache_id }}
+          path: .cache
+          restore-keys: |
+            mkdocs-material-
+      - name: install mkdocs material
+        run: |
+          pip install mkdocs-material
+      - name: run mkdocs material
+        run: |
+          mkdocs build
+      - name: upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          # Upload entire repository
+          path: public/
+      - name: deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/golangci-lint.yml

@@ -0,0 +1,21 @@
+name: golangci-lint
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  golangci-lint:
+    name: golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.x'
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6

.github/workflows/goreleaser.yml

@@ -0,0 +1,101 @@
+name: goreleaser
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - next
+    tags:
+      - "*"
+  release:
+    types:
+      - published
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        if: github.event_name == 'pull_request'
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+      - uses: actions/checkout@v4
+        if: github.event_name != 'pull_request'
+        with:
+          fetch-depth: 0
+      - name: setup-go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.22.x
+      - name: setup qemu
+        id: qemu
+        uses: docker/setup-qemu-action@v3
+      - name: setup docker buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: install quill
+        env:
+          QUILL_VERSION: 0.4.1
+        run: |
+          curl -Lo /tmp/quill_${QUILL_VERSION}_linux_amd64.tar.gz https://github.com/anchore/quill/releases/download/v${QUILL_VERSION}/quill_${QUILL_VERSION}_linux_amd64.tar.gz
+          tar -xvf /tmp/quill_${QUILL_VERSION}_linux_amd64.tar.gz -C /tmp
+          mv /tmp/quill /usr/local/bin/quill
+          chmod +x /usr/local/bin/quill
+      - name: set goreleaser default args
+        if: startsWith(github.ref, 'refs/tags/') == true
+        run: |
+          echo "GORELEASER_ARGS=" >> $GITHUB_ENV
+      - name: set goreleaser args for branch
+        if: startsWith(github.ref, 'refs/tags/') == false
+        run: |
+          echo "GORELEASER_ARGS=--snapshot" >> $GITHUB_ENV
+      - name: set goreleaser args renovate
+        if: startsWith(github.ref, 'refs/heads/renovate') == true
+        run: |
+          echo "GORELEASER_ARGS=--snapshot --skip publish --skip sign" >> $GITHUB_ENV
+      - name: setup-quill
+        uses: 1password/load-secrets-action@v1
+        # Extra Safeguard - This ensures the secrets are only loaded on tag and a tag that the repo owner triggered
+        if: startsWith(github.ref, 'refs/tags/') == true && github.actor == github.repository_owner
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          QUILL_NOTARY_KEY: ${{ secrets.OP_QUILL_NOTARY_KEY }}
+          QUILL_NOTARY_KEY_ID: ${{ secrets.OP_QUILL_NOTARY_KEY_ID }}
+          QUILL_NOTARY_ISSUER: ${{ secrets.OP_QUILL_NOTARY_ISSUER }}
+          QUILL_SIGN_PASSWORD: ${{ secrets.OP_QUILL_SIGN_PASSWORD }}
+          QUILL_SIGN_P12: ${{ secrets.OP_QUILL_SIGN_P12 }}
+      - name: run goreleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean ${{ env.GORELEASER_ARGS }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: push docker images (for branches)
+        if: github.ref == 'refs/heads/main' || github.event.pull_request.base.ref == 'main'
+        run: |
+          docker images --format "{{.Repository}}:{{.Tag}}" | grep "${{ github.repository }}" | xargs -L1 docker push
+      - name: upload artifacts
+        if: github.event.pull_request.base.ref == 'main'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries
+          path: releases/*.tar.gz

.github/workflows/semantic-lint.yml

@@ -0,0 +1,20 @@
+name: semantic-lint
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic.yml

@@ -0,0 +1,39 @@
+name: semantic
+on:
+  push:
+    branches:
+      - main
+      - next
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  release:
+    name: release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: setup node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+      - name: generate-token
+        id: generate_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.BOT2_APP_ID }}
+          private_key: ${{ secrets.BOT2_APP_PEM }}
+          revoke: true
+      - name: release
+        uses: cycjimmy/semantic-release-action@v4
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/tests.yml

@@ -0,0 +1,21 @@
+name: tests
+on:
+  pull_request:
+    branches:
+      - main
+      - next
+jobs:
+  test:
+    name: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 1.22.x
+      - name: download go mods
+        run: |
+          go mod download
+      - name: run go tests
+        run: |
+          go test -timeout 60s -run ./...

.gitignore

@@ -0,0 +1,12 @@
+.idea
+dist
+releases
+.envrc
+.envrc*
+.token
+.creds*
+config/*.yaml
+config.yaml
+test-*.yaml
+config*.yaml
+cosign.key