chore: sync files with stordco/common-config-elixir (#45)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: stord-engineering-account

.credo.exs

@@ -81,7 +81,7 @@
         # You can customize the priority of any check
         # Priority values are: `low, normal, high, higher`
         #
-        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 2]},
+        {Credo.Check.Design.AliasUsage, [priority: :low, if_nested_deeper_than: 4, if_called_more_often_than: 2]},
         {Credo.Check.Design.DuplicatedCode, false},
         # You can also customize the exit_status of each check.
         # If you don't want TODO comments to cause `mix credo` to fail, just

.github/pull_request_template.md

@@ -1,3 +1,9 @@
+## Related Ticket(s)
+
+<!--
+Enter the Jira issue below in the following format: PROJECT-##
+-->
+
 ## Checklist
 
 <!--

.github/release-please-config.json renamed to .github/release-please-config-stable.json

@@ -7,6 +7,11 @@
       "section": "Features",
       "hidden": false
     },
+    {
+      "type": "hotfix",
+      "section": "Hotfixes",
+      "hidden": true
+    },
     {
       "type": "fix",
       "section": "Bug Fixes",
@@ -22,9 +27,7 @@
   "draft-pull-request": false,
   "packages": {
     ".": {
-      "extra-files": [
-        "README.md"
-      ],
+      "extra-files": ["README.md"],
       "release-type": "elixir"
     }
   },

.github/workflows/ci.yaml

@@ -33,10 +33,11 @@ jobs:
     runs-on: ubuntu-latest
 
     outputs:
-      database: ${{ steps.changed.outputs.database_any_changed }}
-      docker: ${{ steps.changed.outputs.docker_any_changed }}
-      elixir: ${{ steps.changed.outputs.elixir_any_changed }}
-      helm: ${{ steps.changed.outputs.helm_any_changed }}
+      database: ${{ steps.changed.outputs.database }}
+      docker: ${{ steps.changed.outputs.docker }}
+      documentation: ${{ steps.changed.outputs.documentation }}
+      elixir: ${{ steps.changed.outputs.elixir }}
+      helm: ${{ steps.changed.outputs.helm }}
 
     steps:
       - name: Checkout
@@ -46,26 +47,37 @@ jobs:
 
       - id: changed
         name: Get Changed Files
-        uses: tj-actions/changed-files@v43
-        with:
-          files_yaml: |
-            database:
-              - '.github/workflows/ci.yaml'
-              - 'priv/*repo/**'
-            docker:
-              - '.github/workflows/ci.yaml'
-              - 'Dockerfile'
-            elixir:
-              - '.github/workflows/ci.yaml'
-              - 'priv/**'
-              - '**.ex'
-              - '**.exs'
-              - '**.heex'
-            helm:
-              - '.github/workflows/ci.yaml'
-              - '.github/workflows/staging.yaml'
-              - '.github/workflows/production.yaml'
-              - 'helm/**'
+        run: |
+          # Using fetch-depth 2 above, we should always be able to get the full list of changes files:
+          # - In a pull-request, GHA merges the PR branch into main
+          # - When pushed to main, we always squash merge, so there is only one new commit
+
+          CHANGED_FILES=$(git diff --name-only HEAD^1 HEAD)
+
+          declare -A patterns
+          patterns["database"]=".github/workflows/ci.yaml priv/.*repo/.*"
+          patterns["docker"]=".github/workflows/ci.yaml Dockerfile"
+          patterns["documentation"]="docs/.* priv/documentation/.* .*.ex .*.md"
+          patterns["elixir"]=".github/workflows/ci.yaml .tool-versions priv/.* .*.ex .*.exs .*.heex"
+          patterns["helm"]=".github/workflows/ci.yaml .github/workflows/staging.yaml .github/workflows/production.yaml helm/.*"
+
+          for filetype in ${!patterns[@]}; do
+            found="false"
+            echo "==> Checking: $filetype"
+            for pattern in ${patterns[$filetype]}; do
+              for changed_file in $CHANGED_FILES; do
+                if [[ "$changed_file" =~ $pattern ]]; then
+                  echo "====> Found change: $changed_file"
+                  found="true"
+                  break
+                fi
+              done
+              if [[ "$found" == "true" ]]; then
+                break
+              fi
+            done
+            echo "$filetype=$found" >> $GITHUB_OUTPUT
+          done
 
   Credo:
     if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
@@ -92,6 +104,9 @@ jobs:
     needs: [Changed]
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -128,7 +143,7 @@ jobs:
         run: mix dialyzer --format github
 
   Documentation:
-    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.elixir == 'true' }}
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') && needs.Changed.outputs.documentation == 'true' }}
     needs: [Changed]
     runs-on: ubuntu-latest
 
@@ -209,3 +224,34 @@ jobs:
           - elixir: 1.15
             otp: 26
 
+  Trivy_Filesystem:
+    if: ${{ !startsWith(github.head_ref, 'release-please--branches') }}
+    name: Trivy Filesystem Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Elixir
+        uses: stordco/actions-elixir/setup@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          hex-token: ${{ secrets.HEX_API_KEY }}
+          oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
+          oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
+
+      - name: Trivy Scan
+        uses: stordco/actions-trivy@v1
+        with:
+          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+          scan-type: fs
+          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack-channel-id: ${{ secrets.SLACK_SECURITY_ALERTS }}
+          update-db: false
+

.github/workflows/pr.yaml

@@ -30,7 +30,7 @@ jobs:
               return;
             }
 
-            const REGEX = /^(feat!|fix!|fix|feat|chore|(fix|feat|chore)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
+            const REGEX = /^(feat!|fix!|hotfix!|fix|feat|chore|hotfix|(fix|feat|chore|hotfix)\(\w.*\)):\s(\[\w{1,8}-\d{1,8}\]|.*).*/;
 
             if (!REGEX.test(title)) {
               core.setFailed("Pull request title does not follow conventional commits");
@@ -43,7 +43,10 @@ jobs:
                 fix: [JIRA-1234] fix an existing feature
                 feat: [JIRA-1234] a new feature to release
                 feat!: a breaking change
+                hotfix: needed in production immediately
 
-            Note: Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+            Adding ! (i.e. \`feat!:\`) represents a breaking change and will result in a SemVer major release.
+
+            Starting a commit with \`hotfix\` will result in a seperate hotfix release PR.
                 `.trim());
             }

.github/workflows/release.yaml

@@ -12,15 +12,15 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  Please:
+  Stable:
     runs-on: ubuntu-latest
 
     steps:
       - id: release
         name: Release
-        uses: google-github-actions/release-please-action@v4
+        uses: googleapis/release-please-action@v4
         with:
-          config-file: .github/release-please-config.json
+          config-file: .github/release-please-config-stable.json
           manifest-file: .github/release-please-manifest.json
           target-branch: main
           token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}

.github/workflows/staging.yaml

@@ -26,6 +26,9 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    env:
+      MIX_ENV: test
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -38,7 +41,7 @@ jobs:
           oban-fingerprint: ${{ secrets.OBAN_KEY_FINGERPRINT }}
           oban-token: ${{ secrets.OBAN_LICENSE_KEY }}
 
-      - name: Build
+      - name: Docs
         run: mix docs
 
       - name: Set CNAME

.github/workflows/trivy.yaml

@@ -0,0 +1,32 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # Run daily at midnight UTC
+  workflow_dispatch: # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}

.trivy/fs-config.yaml

@@ -0,0 +1,18 @@
+# This file is synced with stordco/common-config-elixir. Any changes will be overwritten.
+
+exit-code: '1'
+format: 'json'
+output: 'trivy-fs-results.json'
+scanners:
+  - vuln
+severity:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+  - UNKNOWN
+timeout: '3m'
+vulnerability:
+  type:
+    - os
+    - library