feat: [P4PU-637] github configuration with payment workflow

.github/PULL_REQUEST_TEMPLATE.md

@@ -33,4 +33,4 @@
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
 
 - [ ] My change requires a change to the documentation.
-- [ ] I have updated the documentation accordingly.
+- [ ] I have updated the documentation accordingly.

.identity/00_data.tf → .github/terraform/00_data.tf

@@ -16,4 +16,3 @@ data "github_organization_teams" "all" {
   root_teams_only = true
   summary_only    = true
 }
-

.github/terraform/01_global.tf

@@ -0,0 +1,52 @@
+resource "github_branch" "release" {
+  for_each      = var.env == "prod" ? toset(local.branches) : []
+  repository    = local.github.repository
+  branch        = each.key
+  source_branch = "main"
+}
+
+resource "github_branch_default" "default" {
+  repository = local.github.repository
+  branch     = "develop"
+}
+
+resource "github_repository_ruleset" "branch_rules" {
+  for_each = var.env == "prod" ? local.branch_rulesets : {}
+
+  name        = each.key
+  repository  = local.github.repository
+  target      = "branch"
+  enforcement = "active"
+
+  conditions {
+    ref_name {
+      include = [each.value.ref_name]
+      exclude = []
+    }
+  }
+
+  dynamic "bypass_actors" {
+    for_each = each.value.bypass_actors == true ? toset(local.bypass_branch_rules_teams) : []
+    content {
+      actor_id    = lookup(local.team_name_to_id, bypass_actors.value)
+      actor_type  = "Team"
+      bypass_mode = "always"
+    }
+  }
+
+  rules {
+    creation                = false
+    update                  = false
+    deletion                = true
+    required_signatures     = false
+    required_linear_history = each.value.required_linear_history
+
+    pull_request {
+      dismiss_stale_reviews_on_push     = false
+      require_last_push_approval        = false
+      required_review_thread_resolution = false
+      require_code_owner_review         = each.value.require_code_owner_review
+      required_approving_review_count   = each.value.required_approving_review_count
+    }
+  }
+}

.github/terraform/99_locals.tf

@@ -0,0 +1,50 @@
+locals {
+  # Repo
+  github = {
+    org        = "pagopa"
+    repository = "arc-be"
+  }
+
+  repo_secrets = var.env_short == "p" ? {
+    SONAR_TOKEN = data.azurerm_key_vault_secret.sonar_token[0].value
+  } : {}
+
+  map_repo = {
+    "dev" : "*",
+    "uat" : "uat"
+    "prod" : "main"
+  }
+
+  branches                  = ["develop", "uat"]
+  bypass_branch_rules_teams = ["p4pa-admins", "payments-cloud-admin"]
+
+  # this is use to lookup the id for each team
+  team_name_to_id = {
+    for team in data.github_organization_teams.all.teams :
+    team.name => team.id
+  }
+
+  branch_rulesets = {
+    develop = {
+      ref_name                        = "refs/heads/develop"
+      bypass_actors                   = false
+      required_linear_history         = true
+      require_code_owner_review       = false
+      required_approving_review_count = 0
+    }
+    uat = {
+      ref_name                        = "refs/heads/uat"
+      bypass_actors                   = false
+      required_linear_history         = false
+      require_code_owner_review       = false
+      required_approving_review_count = 1
+    },
+    main = {
+      ref_name                        = "refs/heads/main"
+      bypass_actors                   = false
+      required_linear_history         = false
+      require_code_owner_review       = true
+      required_approving_review_count = 0
+    },
+  }
+}

.github/workflows/code-review.yml

@@ -43,4 +43,4 @@ jobs:
             -Dsonar.tests=src/test
             -Dsonar.java.binaries=build/classes
             -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/jacocoTestReport.xml
-            -Dsonar.coverage.exclusions=src/java/test/**
+            -Dsonar.coverage.exclusions=src/java/test/**

.github/workflows/payments-flow-docker-snapshot.yml

@@ -0,0 +1,32 @@
+name: 📦 Payments Snapshot docker
+
+on:
+  push:
+    branches-ignore:
+      - 'develop'
+      - 'uat'
+      - 'main'
+    paths-ignore:
+      - 'CODEOWNERS'
+      - '**.md'
+      - '.**'
+  workflow_dispatch:
+
+env:
+  CURRENT_BRANCH: ${{ github.event.inputs.branch || github.ref_name }}
+
+jobs:
+  payments-flow-docker-snapshot:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: 🔖 Checkout code
+        # https://github.com/actions/checkout/releases/tag/v4.2.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          ref: ${{ env.CURRENT_BRANCH }}
+
+      - name: 📦 Run Snapshot Docker Build/Push & Trigger
+        # https://github.com/pagopa/github-actions-template/releases/tag/v1.19.0
+        uses: pagopa/github-actions-template/payments-flow-docker-snapshot@37569377fa759368a01c1e7f40700b4118d65d0c
+        with:
+          current_branch: ${{ github.ref_name }}

.github/workflows/payments-flow-release.yml

@@ -0,0 +1,29 @@
+name: 🚀 Payments release
+
+on:
+  push:
+    branches:
+      - develop
+      - uat
+      - main
+    paths-ignore:
+      - 'CODEOWNERS'
+      - '**.md'
+      - '.**'
+  workflow_dispatch:
+
+jobs:
+  payments-flow-release:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: 🔖 Checkout code
+        # https://github.com/actions/checkout/releases/tag/v4.2.1
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          ref: ${{ github.ref_name }}
+
+      - name: 🚀 release + docker + azdo
+        # https://github.com/pagopa/github-actions-template/releases/tag/v1.19.1
+        uses: pagopa/github-actions-template/payments-flow-release@3ae6a4268ccff000194696b21e1124d9e8ddf997
+        with:
+          current_branch: ${{ github.ref_name }}

.github/workflows/trivy.yml

@@ -62,7 +62,7 @@ jobs:
           echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o critical | wc -l)" >> $GITHUB_ENV
           echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o high | wc -l)" >> $GITHUB_ENV
           echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o medium | wc -l)" >> $GITHUB_ENV
-          
+
           echo -e $SCAN_RESULTS
       # - name: Send notification to Slack
       #   id: slack

.pre-commit-config.yaml

@@ -1,25 +1,54 @@
 repos:
+  ## general
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: c4a0b883114b00d8d76b479c820ce7950211c99b # v4.5.0
+    rev: v5.0.0
     hooks:
+      # Common errors
+      - id: end-of-file-fixer
+        exclude_types: [sql]
+        exclude: mypivot4-batch
       - id: trailing-whitespace
-      - id: check-added-large-files
+        args: [--markdown-linebreak-ext=md]
+        exclude_types: [sql]
+        exclude: mypivot4-batch
+      - id: check-yaml
+        exclude: mypivot4-batch
+      - id: check-executables-have-shebangs
+        exclude: mypivot4-batch
+      # Cross platform
+      - id: check-case-conflict
+        exclude: mypivot4-batch
+      - id: mixed-line-ending
+        args: [--fix=lf]
+        exclude_types: [sql]
+        exclude: mypivot4-batch
+      # Security
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+        exclude: mypivot4-batch
+      - id: detect-private-key
+  ## terraform
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.86.0
+    rev: v1.96.1
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
         args:
-          - markdown --sort-by required
+          - --hook-config=--path-to-file=README.md        # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+          - --hook-config=--add-to-existing-file=true     # Boolean. true or false
+          - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+          - --args=--hide providers
+      # - id: terraform_tfsec
       - id: terraform_validate
         args:
           - --init-args=-lockfile=readonly
           - --args=-json
           - --args=-no-color
-#      - id: terraform_providers_lock
-#        args:
-#          - --args=-platform=windows_amd64
-#          - --args=-platform=darwin_amd64
-#          - --args=-platform=darwin_arm64
-#          - --args=-platform=linux_amd64
-#          - --args=-platform=linux_arm64
+          - --args=-compact-warnings
+      # - id: terraform_providers_lock
+      #   args:
+      #     - --args=-platform=windows_amd64
+      #     - --args=-platform=darwin_amd64
+      #     - --args=-platform=darwin_arm64
+      #     - --args=-platform=linux_amd64
+      #     - --args=-platform=linux_arm64

.releaserc.json

@@ -0,0 +1,19 @@
+{
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "angular",
+        "releaseRules": [{ "type": "breaking", "release": "major" }]
+      }
+    ],
+    "@semantic-release/release-notes-generator",
+    [
+      "@semantic-release/github",
+      {
+        "successComment": false,
+        "failComment": false
+      }
+    ]
+  ]
+}

.terraform-version

@@ -1 +1 @@
-1.9.2
+1.9.6

CODEOWNERS

@@ -1,3 +1,3 @@
 # see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
 
-* @pagopa/arc-admins @Giuseppe-LaManna @oleksiybozhykntt @antonioT90
+* @pagopa/arc-admins @Giuseppe-LaManna @oleksiybozhykntt @antonioT90 @pagopa/payments-cloud-admin

force-release

@@ -1 +1 @@
-1134
+2302