Added webhook support (#20)

erikreinert · web-flow · commit f5dfb70c9dfd · 2024-07-13T14:07:03.000-07:00
* feat: added webhook and build configs support

* refactor: rename webhook_urls to webhooks

- Updated README.md to reflect the new variable name
- Modified main.tf to use the new variable name
- Changed the variable name in variables.tf to webhooks
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,16 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:base",
+        ":semanticCommitTypeAll(chore)"
+    ],
+    "lockFileMaintenance": {
+        "enabled": true,
+        "extends": [
+            "schedule:weekly"
+        ]
+    },
+    "nix": {
+        "enabled": true
+    }
+}
diff --git a/.github/workflows/flake.yaml b/.github/workflows/flake.yaml
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -0,0 +1,39 @@
+name: terraform
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+env:
+  CACHIX_BINARY_CACHE: altf4llc-os
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          name: ${{ env.CACHIX_BINARY_CACHE }}
+      - uses: actions/checkout@v4
+      - run: nix develop -c just check
+
+  package:
+    needs:
+      - check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cachix/install-nix-action@v27
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          name: ${{ env.CACHIX_BINARY_CACHE }}
+      - uses: actions/checkout@v4
+      - run: nix develop -c just package
diff --git a/.gitignore b/.gitignore
@@ -1,13 +1,9 @@
-# Nix directories
 .direnv
-result
+*.tfplan
 
 # Local .terraform directories
 **/.terraform/*
 
-# Terraform lockfile
-.terraform.lock.hcl
-
 # .tfstate files
 *.tfstate
 *.tfstate.*
@@ -17,8 +13,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -39,3 +35,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -19,13 +19,13 @@ teams = { "1234567890" = "maintain" }
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_github"></a> [github](#requirement\_github) | 6.0.0 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | ~> 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_github"></a> [github](#provider\_github) | 6.0.0 |
+| <a name="provider_github"></a> [github](#provider\_github) | ~> 6.0 |
 
 ## Modules
 
@@ -35,9 +35,10 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [github_branch_protection.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/branch_protection) | resource |
-| [github_repository.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/repository) | resource |
-| [github_team_repository.self](https://registry.terraform.io/providers/integrations/github/6.0.0/docs/resources/team_repository) | resource |
+| [github_branch_protection.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection) | resource |
+| [github_repository.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository) | resource |
+| [github_repository_webhook.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_webhook) | resource |
+| [github_team_repository.self](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository) | resource |
 
 ## Inputs
 
@@ -71,6 +72,7 @@ No modules.
 | <a name="input_topics"></a> [topics](#input\_topics) | The topics of the repository | `list(string)` | `[]` | no |
 | <a name="input_visibility"></a> [visibility](#input\_visibility) | The visibility of the repository | `string` | `"private"` | no |
 | <a name="input_vulnerability_alerts"></a> [vulnerability\_alerts](#input\_vulnerability\_alerts) | Whether the repository has vulnerability alerts enabled | `bool` | `false` | no |
+| <a name="input_webhooks"></a> [webhooks](#input\_webhooks) | The URLs of the webhooks | <pre>list(object({<br>    active       = bool<br>    events       = list(string)<br>    content_type = string<br>    url          = string<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
diff --git a/build-configs.yaml b/build-configs.yaml
@@ -0,0 +1,9 @@
+---
+name: terraform-github-repository
+template: terraform-module
+parameters:
+  nix:
+    cachix:
+      binaryCache: altf4llc-os
+  providers:
+    - github
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -1,33 +1,23 @@
 {
-  description = "terraform-github-repository";
-
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 
   outputs = inputs @ {
     flake-parts,
     nixpkgs,
     ...
   }:
     flake-parts.lib.mkFlake {inherit inputs;} {
-      systems = ["x86_64-linux" "aarch64-darwin" "x86_64-darwin"];
+      systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
+
       perSystem = {
         config,
-        self',
-        inputs',
         pkgs,
         system,
         ...
       }: let
-        inherit (pkgs) just terraform-docs;
-        terraform = pkgs.terraform.withPlugins (p: [
-          (pkgs.terraform-providers.mkProvider {
-            hash = "sha256-y8DMpNSySMbe7E+sGVQcQdEyulq4Wnp5ryYD7FQO/fc=";
-            homepage = "https://registry.terraform.io/providers/integrations/github";
-            owner = "integrations";
-            repo = "terraform-provider-github";
-            rev = "v6.0.0";
-            vendorHash = null;
-          })
+        inherit (pkgs) just mkShell terraform-docs;
+        terraform = pkgs.terraform.withPlugins (ps: [
+          ps.github
         ]);
       in {
         _module.args.pkgs = import nixpkgs {
@@ -36,10 +26,10 @@
         };
 
         devShells = {
-          default = pkgs.mkShell {
-            buildInputs = [
+          default = mkShell {
+            inputsFrom = [config.packages.default];
+            nativeBuildInputs = [
               just
-              terraform
               terraform-docs
             ];
           };
@@ -49,13 +39,13 @@
           default =
             pkgs.runCommand "default"
             {
+              nativeBuildInputs = [terraform];
               src = ./.;
             } ''
               mkdir -p $out
               cp -R $src/*.tf $out
-
-              ${terraform}/bin/terraform -chdir="$out" init
-              ${terraform}/bin/terraform -chdir="$out" validate
+              terraform -chdir="$out" init
+              terraform -chdir="$out" validate
             '';
         };
       };
diff --git a/justfile b/justfile
@@ -1,23 +1,6 @@
 _default:
     just --list
 
-build:
-    nix build --json --no-link --print-build-logs
-
-cache-build cache_name="altf4llc-os":
-    just build \
-        | jq -r '.[].outputs | to_entries[].value' \
-        | cachix push {{ cache_name }}
-
-cache-inputs cache_name="altf4llc-os":
-    nix flake archive --json \
-      | jq -r '.path,(.inputs|to_entries[].value.path)' \
-      | cachix push "{{ cache_name }}"
-
-cache-shell cache_name="altf4llc-os":
-    nix develop --profile "dev-profile" -c true
-    cachix push "{{ cache_name }}" "dev-profile"
-
 check:
     nix flake check
 
@@ -29,5 +12,8 @@ docs:
 init:
     terraform init
 
+package:
+    nix build --json --no-link --print-build-logs .
+
 validate:
     terraform validate
diff --git a/main.tf b/main.tf
@@ -64,3 +64,17 @@ resource "github_branch_protection" "self" {
     required_approving_review_count = var.required_approving_review_count
   }
 }
+
+resource "github_repository_webhook" "self" {
+  for_each = toset(var.webhooks)
+
+  active     = each.value.active
+  events     = each.value.events
+  repository = github_repository.self.name
+
+  configuration {
+    content_type = each.value.content_type
+    insecure_ssl = false
+    url          = each.value.url
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -180,3 +180,14 @@ variable "vulnerability_alerts" {
   description = "Whether the repository has vulnerability alerts enabled"
   type        = bool
 }
+
+variable "webhooks" {
+  default     = []
+  description = "The URLs of the webhooks"
+  type = list(object({
+    active       = bool
+    events       = list(string)
+    content_type = string
+    url          = string
+  }))
+}
diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     github = {
       source  = "integrations/github"
-      version = "6.0.0"
+      version = "~> 6.0"
     }
   }
 }
