opentofu · mbialon · Sep 23, 2023 · Jul 31, 2023 · Jul 31, 2023 · Jul 31, 2023
diff --git a/.github/labeler-issue-triage.yml → .github/labeler-issue-triage.yaml b/.github/labeler-issue-triage.yml → .github/labeler-issue-triage.yaml
diff --git a/.github/labeler-pull-request-triage.yml → .github/labeler-pull-request-triage.yaml b/.github/labeler-pull-request-triage.yml → .github/labeler-pull-request-triage.yaml
diff --git a/.github/workflows/acctest-oidc.yaml b/.github/workflows/acctest-oidc.yaml
diff --git a/.github/workflows/depscheck.yaml b/.github/workflows/depscheck.yaml
@@ -19,3 +19,7 @@ jobs:
       - run: bash scripts/gogetcookie.sh
       - run: make tools
       - run: make depscheck
+
+  save-artifacts-on-fail:
+    if: ${{ needs.depscheck.result }} == 'failure'
+    uses: ./.github/workflows/save-artifacts.yaml
diff --git a/.github/workflows/docs-lint.yaml b/.github/workflows/docs-lint.yaml
@@ -18,3 +18,7 @@ jobs:
       - run: bash scripts/gogetcookie.sh
       - run: make tools
       - run: make docs-lint
+
+  save-artifacts-on-fail:
+    if: ${{ needs.docs-lint.result }} == 'failure'
+    uses: ./.github/workflows/save-artifacts.yaml
diff --git a/.github/workflows/golint.yaml b/.github/workflows/golint.yaml
@@ -20,3 +20,7 @@ jobs:
         with:
           version: 'v1.50.1'
           args: -v
+
+  save-artifacts-on-fail:
+    if: ${{ needs.golint.result }} == 'failure'
+    uses: ./.github/workflows/save-artifacts.yaml
diff --git a/.github/workflows/increment-milestone.yaml b/.github/workflows/increment-milestone.yaml
@@ -0,0 +1,23 @@
+---
+name: Increment Milestone
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  increment-milestone:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: 0
+
+      - name: "Increment Milestone"
+        shell: bash
+        run: bash ./scripts/increment-milestone.sh -u https://api.github.com/repos${{ github.owner }}/${{ github.repository }}/milestones -r ${{github.ref_name}} -t ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/issue-comment-created.yaml b/.github/workflows/issue-comment-created.yaml
@@ -10,28 +10,33 @@ permissions:
   issues: write
 
 jobs:
-  issue_comment_triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
-        with:
-          github_token: "${{ secrets.GITHUB_TOKEN }}"
-          labels: stale
-      - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
-        if: ${{ !github.event.issue.pull_request }}
-        with:
-          github_token: "${{ secrets.GITHUB_TOKEN }}"
-          labels: waiting-response
-      - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
-        if: (github.event.issue.pull_request && github.actor == github.event.issue.user.login)
-        with:
-          github_token: "${{ secrets.GITHUB_TOKEN }}"
-          labels: waiting-response
+  remove-stale:
+    uses: ./.github/workflows/remove-issue-label.yaml
+    with:
+      label-name: "stale"
+
+  remove-waiting-response-from-issue:
+    uses: ./.github/workflows/remove-issue-label.yaml
+    if: ${{ !github.event.issue.pull_request }}
+    with:
+      label-name: "waiting-response"
+
+  remove-waiting-response-from-pr:
+    uses: ./.github/workflows/remove-issue-label.yaml
+    if: (github.event.issue.pull_request && github.actor == github.event.issue.user.login)
+    with:
+      label-name: "waiting-response"
 
   pull_request_comment:
     runs-on: ubuntu-latest
     if: github.event.issue.pull_request && endsWith(github.event.comment.body, '/wr')
     steps:
-      - shell: bash
-        run: |
-          curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos${{ github.owner }}/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels" -d '{"labels":["waiting-response"]}'
+      - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        with:
+          script: |
+            github.rest.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ["waiting-response"]
+            })
diff --git a/.github/workflows/issue-opened.yaml b/.github/workflows/issue-opened.yaml
@@ -16,5 +16,5 @@ jobs:
       - uses: github/issue-labeler@98b5412841f6c4b0b3d9c29d53c13fad16bd7de2 # v3.2
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          configuration-path: .github/labeler-issue-triage.yml
+          configuration-path: .github/labeler-issue-triage.yaml
           enable-versioned-regex: 0
diff --git a/.github/workflows/link-milestone.yaml b/.github/workflows/link-milestone.yaml
@@ -17,7 +17,8 @@ jobs:
     steps:
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version-file: .go-version
+          go-version: '1.20.5'
+
       - run: |
           go install github.com/stephybun/link-milestone@latest
           link-milestone

diff --git a/.github/workflows/provider-test.yaml b/.github/workflows/provider-test.yaml
@@ -0,0 +1,88 @@
+---
+name: Provider Tests
+on:
+  pull_request:
+    types: ["opened", "synchronize"]
+    paths:
+      - '.github/workflows/provider-test.yaml'
+      - 'internal/**.go'
+      - 'vendor/github.com/hashicorp/go-azure-sdk/sdk/auth/**'
+      - 'vendor/github.com/hashicorp/go-azure-sdk/sdk/environments/**'
+
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+
+jobs:
+  secrets-check:
+    runs-on: ubuntu-latest
+    outputs:
+      available: "${{ steps.check-secrets.outputs.available }}"
+    steps:
+      # we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets
+      # it will be unset when running for a PR from a fork, in which case we don't run these tests
+      - id: check-secrets
+        run: |
+          if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then
+            echo "available=false" | tee ${GITHUB_OUTPUT}
+          else
+            echo "available=true" | tee ${GITHUB_OUTPUT}
+          fi
+
+  provider-tests:
+    runs-on: [custom, linux, large]
+    needs: [secrets-check]
+    if: needs.secrets-check.outputs.available == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version-file: ./.go-version
+
+      - name: Azure CLI login
+        run: az login --output none --username="${{ secrets.AZCLI_USERNAME }}" --password="${{ secrets.AZCLI_PASSWORD }}"
+
+      - name: Set OIDC Token
+        run: |
+          echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV}
+
+      - name: Set OIDC Token File Path
+        run: echo "${ARM_OIDC_TOKEN}" >"${RUNNER_TEMP}/oidc-token.jwt" && echo "ARM_OIDC_TOKEN_FILE_PATH=${RUNNER_TEMP}/oidc-token.jwt" >>${GITHUB_ENV}
+
+      - name: Set Client ID Path
+        run: echo "${{ secrets.ARM_CLIENT_ID }}" >"${RUNNER_TEMP}/client-id" && echo "ARM_CLIENT_ID_PATH=${RUNNER_TEMP}/client-id" >>${GITHUB_ENV}
+
+      - name: Set Client Secret Path
+        run: echo "${{ secrets.ARM_CLIENT_SECRET }}" >"${RUNNER_TEMP}/client-secret" && echo "ARM_CLIENT_SECRET_PATH=${RUNNER_TEMP}/client-secret" >>${GITHUB_ENV}
+
+      - name: Set Client Certificate Path
+        run: echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d >"${RUNNER_TEMP}/client-certificate.pfx" && echo "ARM_CLIENT_CERTIFICATE_PATH=${RUNNER_TEMP}/client-certificate.pfx" >>${GITHUB_ENV}
+
+      - name: Run provider tests
+        run: make testacc TEST=./internal/provider TESTARGS="-run '^TestAcc'"
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_CERTIFICATE: ${{ secrets.ARM_CLIENT_CERTIFICATE }}
+          ARM_CLIENT_CERTIFICATE_PASSWORD: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+
+      - name: Clean Up OIDC Token File Path
+        run: rm -f "${RUNNER_TEMP}/oidc-token.jwt"
+        if: always()
+
+      - name: Clean Up Client ID Path
+        run: rm -f "${RUNNER_TEMP}/client-id"
+        if: always()
+
+      - name: Clean Up Client Secret Path
+        run: rm -f "${RUNNER_TEMP}/client-secret"
+        if: always()
+
+  save-artifacts-on-fail:
+    if: ${{ needs.secrets-check.result }} == 'failure' || ${{ needs.provider-tests.result }} == 'failure'
+    uses: ./.github/workflows/save-artifacts.yaml
diff --git a/.github/workflows/pull-request-new-commit.yaml b/.github/workflows/pull-request-new-commit.yaml
@@ -0,0 +1,15 @@
+---
+name: Pull Request New Commit
+
+permissions:
+  pull-requests: write
+
+on:
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  remove-waiting-response:
+    uses: ./.github/workflows/remove-issue-label.yaml
+    with:
+      label-name: "waiting-response"
diff --git a/.github/workflows/pull-request-reviewed-workflow.yaml b/.github/workflows/pull-request-reviewed-workflow.yaml
@@ -0,0 +1,55 @@
+---
+name: "Pull Request Reviewed Workflow"
+
+on:
+  workflow_run:
+    workflows:
+      - "Pull Request Reviewed"
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+
+jobs:
+  add-or-remove-waiting-response:
+    runs-on: ubuntu-latest
+    outputs:
+      ghrepo: ${{ steps.env_vars.outputs.ghrepo }}
+      ghowner: ${{ steps.env_vars.outputs.ghowner }}
+      prnumber: ${{ steps.env_vars.outputs.prnumber }}
+      action: ${{ steps.env_vars.outputs.action }}
+      artifact_outcome: ${{ steps.env_vars.outputs.artifact_outcome }}
+    steps:
+      - name: Get Artifact
+        id: get_artifact
+        continue-on-error: true
+        uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2.27.0
+        with:
+          github_token: ${{secrets.GITHUB_TOKEN}}
+          workflow: pull-request-reviewed.yaml
+
+      - name: env_vars
+        id: env_vars
+        if: steps.get_artifact.outcome == 'success'
+        run: |
+          echo "ghrepo=$(cat artifact/ghrepo.txt)" >>${GITHUB_OUTPUT}
+          echo "ghowner=$(cat artifact/ghowner.txt)" >>${GITHUB_OUTPUT}
+          echo "prnumber=$(cat artifact/prnumber.txt)" >>${GITHUB_OUTPUT}
+          echo "action=$(cat artifact/action.txt)" >>${GITHUB_OUTPUT}
+          echo "artifact_outcome=success" >>${GITHUB_OUTPUT}
+
+  add-waiting-reponse:
+    needs: add-or-remove-waiting-response
+    runs-on: ubuntu-latest
+    if: needs.add-or-remove-waiting-response.outputs.artifact_outcome == 'success' && needs.add-or-remove-waiting-response.outputs.action == 'add-waiting-response'
+    steps:
+      - run: |
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos${{ needs.add-or-remove-waiting-response.outputs.ghowner }}/${{ needs.add-or-remove-waiting-response.outputs.ghrepo }}/issues/${{ needs.add-or-remove-waiting-response.outputs.prnumber }}/labels" -d '{"labels":["waiting-response"]}'
+
+  remove-waiting-reponse:
+    needs: add-or-remove-waiting-response
+    if: needs.add-or-remove-waiting-response.outputs.artifact_outcome == 'success' && needs.add-or-remove-waiting-response.outputs.action == 'remove-waiting-response'
+    uses: ./.github/workflows/remove-issue-label.yaml
+    with:
+      label-name: "waiting-response"
diff --git a/.github/workflows/pull-request-reviewed.yaml b/.github/workflows/pull-request-reviewed.yaml
@@ -0,0 +1,38 @@
+---
+name: "Pull Request Reviewed"
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  add-or-remove-waiting-response:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Set Artifacts for add-waiting-response"
+        if: github.event.review.state != 'approved' && github.actor != github.event.pull_request.user.login
+        shell: bash
+        run: |
+          mkdir -p wr_actions
+          echo ${{ github.owner }} > wr_actions/ghowner.txt
+          echo ${{ github.repository }} > wr_actions/ghrepo.txt
+          echo ${{ github.event.pull_request.number }} > wr_actions/prnumber.txt
+          echo "add-waiting-response" > wr_actions/action.txt
+
+      - name: "Set Artifacts for remove-waiting-response"
+        if: github.actor == github.event.pull_request.user.login
+        shell: bash
+        run: |
+          mkdir -p wr_actions
+          echo ${{ github.owner }} > wr_actions/ghowner.txt
+          echo ${{ github.repository }} > wr_actions/ghrepo.txt
+          echo ${{ github.event.pull_request.number }} > wr_actions/prnumber.txt
+          echo "remove-waiting-response" > wr_actions/action.txt                
+
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: artifact
+          path: wr_actions
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -13,8 +13,9 @@ jobs:
     steps:
       - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
         with:
-          configuration-path: .github/labeler-pull-request-triage.yml
+          configuration-path: .github/labeler-pull-request-triage.yaml
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
+
       - uses: CodelyTV/pr-size-labeler@54ef36785e9f4cb5ecf1949cfc9b00dbb621d761 # v1.8.1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}