chore(project): setup the project

Author: timoa

.github/CODEOWNERS

@@ -0,0 +1 @@
+@timoa

.github/renovate.json

@@ -0,0 +1,38 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "github>renovatebot/.github"
+  ],
+  "platform": "github",
+  "platformAutomerge": true,
+  "branchPrefix": "fix/deps/",
+  "addLabels": [
+    "deps",
+    "security"
+  ],
+  "assignees": [
+    "timoa"
+  ],
+  "packageRules": [
+    {
+      "description": "Automerge renovate minor and patch updates",
+      "matchPackageNames": [
+        "renovate/renovate"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "automerge": true,
+      "branchTopic": "{{{depNameSanitized}}}-{{{currentValue}}}"
+    },
+    {
+      "description": "Allow updates after 7 days (exclude renovate)",
+      "excludePackageNames": [
+        "renovate/renovate"
+      ],
+      "separateMinorPatch": true,
+      "stabilityDays": 7
+    }
+  ]
+}

.github/workflows/code-review.yml

@@ -0,0 +1,58 @@
+name: Code Review
+
+on: [pull_request]
+
+jobs:
+
+  # -- LINT -------------------------------------------------------------------
+  tflint:
+    name: TFLint
+    runs-on: ubuntu-latest
+
+    env:
+      TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
+      TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
+      TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
+      TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
+      TF_VAR_region: ${{secrets.OCI_REGION}}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      # Install latest Terraform manually as
+      #  Docker-based GitHub Actions are
+      #  slow due to lack of caching
+      # Note: Terraform is not needed for tflint
+      - name: Install Terraform
+        run: |
+          brew install terraform
+
+      # Run init to get module code to be able to use `--module`
+      - name: Terraform init
+        run: |
+          terraform init
+
+      # Run TFLint
+      - name: tflint with reviewdog output on the PR
+        uses: reviewdog/action-tflint@46e609666b039b775a150e84781ef79ea90089a8 # tag=v1.17.0
+
+  # -- SECURITY ---------------------------------------------------------------
+  tfsec:
+    name: TFSec
+    runs-on: ubuntu-latest
+
+    env:
+      TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
+      TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
+      TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
+      TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
+      TF_VAR_region: ${{secrets.OCI_REGION}}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      # Run TFSec
+      - name: Run tfsec with reviewdog output on the PR
+        uses: reviewdog/action-tfsec@3f1d245c545329b13061259c2f126305893ad138 # tag=v1.15.0

.github/workflows/terraform.yml

@@ -0,0 +1,99 @@
+name: Terraform
+
+on: [push]
+
+jobs:
+
+  # -- TESTS ------------------------------------------------------------------
+  tests:
+    runs-on: ubuntu-latest
+
+    env:
+      TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
+      TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
+      TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
+      TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
+      TF_VAR_region: ${{secrets.OCI_REGION}}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 # tag=v2.0.0
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+
+      - name: Terraform Plan
+        id: apply
+        run: terraform plan
+
+  # -- SAST SCAN --------------------------------------------------------------
+  code-security:
+    runs-on: ubuntu-latest
+    needs: tests
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Perform Scan
+        uses: ShiftLeftSecurity/scan-action@master
+
+        env:
+          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SCAN_ANNOTATE_PR: true
+
+      - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
+        with:
+          name: reports
+          path: reports
+
+  # -- DOCUMENTATION ----------------------------------------------------------
+  documentation:
+    runs-on: ubuntu-latest
+    needs: tests
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Terraform Docs
+        uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # tag=v1.0.0
+        with:
+          working-dir: .
+          output-file: USAGE.md
+          output-method: inject
+          git-push: "true"
+          git-commit-message: "chore(docs): update Terraform docs"
+
+  # -- RELEASE ----------------------------------------------------------------
+  release:
+    runs-on: ubuntu-latest
+    needs:
+      - tests
+      - code-security
+      - documentation
+    if: github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        with:
+          ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
+          persist-credentials: false
+
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+repos:
+  #
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: check-yaml              ### Control YAML format
+      - id: end-of-file-fixer       ###  Fix end of file with one line
+      - id: trailing-whitespace     ### Remove end of line spaces
+      - id: check-added-large-files ### Check files size to add only 500ko max
+      - id: check-merge-conflict    ### Check if there is already merge conflict(s)
+      - id: detect-private-key      ### Detect private keys
+
+  # Terraform
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.62.3
+    hooks:
+      - id: terraform_fmt      ### Format the Terraform files
+      - id: terraform_validate ### Validate the Terraform project / module
+      - id: terraform_tflint   ### Lint the Terraform files following HashiCorp recommandations
+
+  # Checkov
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: '2.0.917'
+    hooks:
+      - id: checkov ### Check misconfiguration and security issues
+
+  # Conventional Commit
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v1.2.0
+    hooks:
+      - id: conventional-pre-commit ### Check if the commit message is compliant with the conventional commit style
+        stages: [commit-msg]

.releaserc

@@ -0,0 +1,73 @@
+{
+  "repositoryUrl": "https://github.com/timoa/terraform-oci-vscode-server.git",
+  "branches": [
+    "main"
+  ],
+  "tagFormat": "v${version}",
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "angular",
+        "releaseRules": [
+          {
+            "type": "docs",
+            "release": "patch"
+          },
+          {
+            "type": "refactor",
+            "release": "patch"
+          },
+          {
+            "type": "test",
+            "release": "patch"
+          },
+          {
+            "type": "style",
+            "release": "patch"
+          }
+        ],
+        "parserOpts": {
+          "noteKeywords": [
+            "BREAKING CHANGE",
+            "BREAKING CHANGES",
+            "BREAKING"
+          ]
+        }
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "angular",
+        "parserOpts": {
+          "noteKeywords": [
+            "BREAKING CHANGE",
+            "BREAKING CHANGES",
+            "BREAKING"
+          ]
+        }
+      }
+    ],
+    [
+      "@semantic-release/changelog",
+      {
+        "changelogFile": "CHANGELOG.md"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "CHANGELOG.md",
+          "README.md"
+        ]
+      }
+    ],
+    [
+      "@semantic-release/github", {
+        "assignees": "timoa"
+      }
+    ]
+  ]
+}

.terraform-docs.yml

@@ -0,0 +1,23 @@
+formatter: markdown table
+
+sections:
+  hide:
+    - providers
+
+output:
+  file: "USAGE.md"
+  mode: inject
+
+sort:
+  enabled: false
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: true
+  escape: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true

.tflint.hcl

@@ -0,0 +1,53 @@
+config {
+  module              = true
+  force               = true
+  disabled_by_default = false
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_unused_required_providers" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}