diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index c6ee553..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -version: 2 -updates: - - package-ecosystem: "github-actions" - directory: / - schedule: - interval: daily - time: "11:00" - commit-message: - prefix: "gh-actions:" diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 0346a8f..f83e11e 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -9,13 +9,13 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - name: Get changed Dockerfile id: changed-files-specific - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 + uses: tj-actions/changed-files@2c85495a7bb72f2734cb5181e29b2ee5e08e61f7 # v13.1 with: files: | Dockerfile @@ -52,7 +52,7 @@ jobs: - name: Dive - check image for waste files if: steps.changed-files-specific.outputs.any_changed == 'true' - uses: MaxymVlasov/dive-action@fafb796951b322cc4926b8a5eafda89ab9de8edf # v1.5.1 + uses: MaxymVlasov/dive-action@0035999cae50d4ef657ac94be84f01812aa192a5 # v0.1.0 with: image: ghcr.io/${{ github.repository }}:${{ env.IMAGE_TAG }} config-file: ${{ github.workspace }}/.github/.dive-ci.yaml diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 68a054f..3f79fb2 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -13,28 +13,27 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 - + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to ghcr.io - uses: docker/login-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Login to GitHub Container Registry + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set tag for image run: | echo IMAGE_TAG=$([ ${{ github.ref_type }} == 'tag' ] && echo ${{ github.ref_name }} || echo 'latest') >> $GITHUB_ENV - - name: Build and Push release to ghcr.io + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Build and Push release if: github.event_name != 'schedule' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . build-args: | @@ -49,9 +48,9 @@ jobs: secrets: | "github_token=${{ secrets.GITHUB_TOKEN }}" - - name: Build and Push nightly to ghcr.io + - name: Build and Push nightly if: github.event_name == 'schedule' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: context: . build-args: | @@ -64,38 +63,3 @@ jobs: provenance: false secrets: | "github_token=${{ secrets.GITHUB_TOKEN }}" - - - name: Login to DockerHub Container Registry - uses: docker/login-action@v3 - with: - registry: registry.hub.docker.com - username: ${{ secrets.DOCKERHUB_USER }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - - name: Build and Push release to DockerHub - if: github.event_name != 'schedule' - uses: docker/build-push-action@v5 - with: - context: . - build-args: | - INSTALL_ALL=true - platforms: linux/amd64,linux/arm64 - push: true - tags: | - registry.hub.docker.com/tofuutils/pre-commit-opentofu:${{ env.IMAGE_TAG }} - registry.hub.docker.com/tofuutils/pre-commit-opentofu:latest - provenance: false - - - name: Build and Push nightly to DockerHub - if: github.event_name == 'schedule' - uses: docker/build-push-action@v5 - with: - context: . - build-args: | - INSTALL_ALL=true - platforms: linux/amd64,linux/arm64 - push: true - tags: | - registry.hub.docker.com/tofuutils/pre-commit-opentofu:nightly - provenance: false - diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 3d86d51..7a8b642 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: steps: # Please look up the latest version from # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 96ca101..1085384 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -6,7 +6,7 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: | git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/* @@ -31,16 +31,16 @@ jobs: curl -L "$(curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest | grep -o -E -m 1 "https://.+?/hadolint-Linux-x86_64")" > hadolint \ && chmod +x hadolint && sudo mv hadolint /usr/bin/ # Need to success pre-commit fix push - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} # Skip tofu_tflint which interferes to commit pre-commit auto-fixes - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 with: python-version: '3.9' - name: Execute pre-commit - uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 + uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3 env: SKIP: no-commit-to-branch,hadolint with: @@ -49,7 +49,7 @@ jobs: # Run only skipped checks - name: Execute pre-commit check that have no auto-fixes if: always() - uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99 + uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe # v2.0.3 env: SKIP: check-added-large-files,check-merge-conflict,check-vcs-permalinks,forbid-new-submodules,no-commit-to-branch,end-of-file-fixer,trailing-whitespace,check-yaml,check-merge-conflict,check-executables-have-shebangs,check-case-conflict,mixed-line-ending,detect-aws-credentials,detect-private-key,shfmt,shellcheck with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d75e4e3..4aa0df1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,13 +18,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 + uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0 with: semantic_version: 18.0.0 extra_plugins: | diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index d797c08..32f08e7 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0 + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml index c5c5f66..d92c532 100644 --- a/.pre-commit-hooks.yaml +++ b/.pre-commit-hooks.yaml @@ -4,7 +4,7 @@ entry: hooks/infracost_breakdown.sh language: script require_serial: true - files: \.((tf|tofu)(vars)?|hcl)$ + files: \.(tf(vars)?|hcl)$ exclude: \.terraform\/.*$ - id: tofu_fmt @@ -12,38 +12,34 @@ description: Rewrites all OpenTofu configuration files to a canonical format. entry: hooks/tofu_fmt.sh language: script - files: \.(tf|tofu)(vars)?$ + files: (\.tf|\.tfvars)$ exclude: \.terraform\/.*$ - id: tofu_docs name: OpenTofu docs - description: - Inserts input and output documentation into README.md (using - terraform-docs). + description: Inserts input and output documentation into README.md (using terraform-docs). require_serial: true entry: hooks/tofu_docs.sh language: script - files: (\.(tf|tofu)|\.terraform\.lock\.hcl)$ + files: (\.tf|\.terraform\.lock\.hcl)$ exclude: \.terraform\/.*$ - id: tofu_docs_without_aggregate_type_defaults name: OpenTofu docs (without aggregate type defaults) - description: - Inserts input and output documentation into README.md (using - terraform-docs). Identical to terraform_docs. + description: Inserts input and output documentation into README.md (using terraform-docs). Identical to terraform_docs. require_serial: true entry: hooks/tofu_docs.sh language: script - files: \.(tf|tofu)$ + files: (\.tf)$ exclude: \.terraform\/.*$ - id: tofu_docs_replace name: OpenTofu docs (overwrite README.md) description: Overwrite content of README.md with terraform-docs. require_serial: true - entry: hooks/tofu_docs_replace.py + entry: terraform_docs_replace language: python - files: \.(tf|tofu)$ + files: (\.tf)$ exclude: \.terraform\/.*$ - id: tofu_validate @@ -52,7 +48,7 @@ require_serial: true entry: hooks/tofu_validate.sh language: script - files: \.(tf|tofu)(vars)?$ + files: (\.tf|\.tfvars)$ exclude: \.terraform\/.*$ - id: tofu_providers_lock @@ -70,13 +66,12 @@ require_serial: true entry: hooks/tofu_tflint.sh language: script - files: \.(tf|tofu)(vars)?$ + files: (\.tf|\.tfvars)$ exclude: \.terraform\/.*$ - id: terragrunt_fmt name: Terragrunt fmt - description: - Rewrites all Terragrunt configuration files to a canonical format. + description: Rewrites all Terragrunt configuration files to a canonical format. entry: hooks/terragrunt_fmt.sh language: script files: (\.hcl)$ @@ -92,20 +87,18 @@ - id: tofu_tfsec name: OpenTofu validate with tfsec (deprecated, use "tofu_trivy") - description: - Static analysis of OpenTofu templates to spot potential security issues. + description: Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_tfsec.sh - files: \.(tf|tofu)(vars)?$ + files: \.tf(vars)?$ language: script - id: tofu_trivy name: OpenTofu validate with trivy - description: - Static analysis of OpenTofu templates to spot potential security issues. + description: Static analysis of OpenTofu templates to spot potential security issues. require_serial: true entry: hooks/tofu_trivy.sh - files: \.(tf|tofu)(vars)?$ + files: \.tf(vars)?$ language: script - id: checkov @@ -125,7 +118,7 @@ entry: hooks/tofu_checkov.sh language: script always_run: false - files: \.(tf|tofu)$ + files: \.tf$ exclude: \.terraform\/.*$ require_serial: true @@ -145,7 +138,7 @@ description: Runs terrascan on OpenTofu templates. language: script entry: hooks/terrascan.sh - files: \.(tf|tofu)$ + files: \.tf$ exclude: \.terraform\/.*$ require_serial: true @@ -156,5 +149,5 @@ entry: hooks/tfupdate.sh args: - --args=terraform - files: \.(tf|tofu)$ + files: \.tf$ require_serial: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c0f74a..9ff70da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,50 +2,6 @@ All notable changes to this project will be documented in this file. -## [2.2.1](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.2.0...v2.2.1) (2025-06-04) - - -### Bug Fixes - -* make infracost_breakdown.sh compatible with bash 3.2 (macOS) ([df886fa](https://github.com/tofuutils/pre-commit-opentofu/commit/df886fa772e7d1eedf5603327c0cf02968e7d779)) -* Update pre-commit/action version ([#30](https://github.com/tofuutils/pre-commit-opentofu/issues/30)) ([44c7b5d](https://github.com/tofuutils/pre-commit-opentofu/commit/44c7b5dec9362d2fe7ed5e8786f4d95956791d3d)) - -# [2.2.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.1.0...v2.2.0) (2025-03-29) - - -### Features - -* make release ([e625db1](https://github.com/tofuutils/pre-commit-opentofu/commit/e625db13ec285e132f43cdf6e5aa3f3272e45451)) - -# [2.1.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v2.0.0...v2.1.0) (2024-10-16) - - -### Features - -* spport .tofu files ([#6](https://github.com/tofuutils/pre-commit-opentofu/issues/6)) ([e059c58](https://github.com/tofuutils/pre-commit-opentofu/commit/e059c5859bceddf1ca018f55851f6940ad51f1c2)) - -# [2.0.0](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.4...v2.0.0) (2024-09-25) - - -### Features - -* **tofu:** add handling for missing tofu binary in Docker image This commit introduces logic to gracefully handle the case when the tofu binary is not found in the Docker image, improving the overall user experience. BREAKING CHANGE: The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes. ([14fc63e](https://github.com/tofuutils/pre-commit-opentofu/commit/14fc63eb5b04e3ad1525d06e437b15935841775f)) - - -### BREAKING CHANGES - -* **tofu:** The previous behavior of the application when the tofu binary was missing may have caused unexpected crashes." - -## [1.0.4](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.3...v1.0.4) (2024-09-21) - - -### Bug Fixes - -* docker image reference in README.md ([7b04f0c](https://github.com/tofuutils/pre-commit-opentofu/commit/7b04f0c24940f1642c8f599bfd0794dd46b0b274)) -* docker image reference in README.md ([f9b71fe](https://github.com/tofuutils/pre-commit-opentofu/commit/f9b71fe08fedd4ceb23ced6fe2171edf24add290)) -* dockerhub ([0fac591](https://github.com/tofuutils/pre-commit-opentofu/commit/0fac59197f2f2cb4bc417917e5adb6ac92a20b7a)) -* entry for tofu_docs_replace ([f146463](https://github.com/tofuutils/pre-commit-opentofu/commit/f146463ac8effcfa441f3f6b21e811095f0da73c)) - ## [1.0.2](https://github.com/tofuutils/pre-commit-opentofu/compare/v1.0.1...v1.0.2) (2024-03-08) diff --git a/Dockerfile b/Dockerfile index 1616bfd..0f7426d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,22 +10,22 @@ RUN apk add --no-cache \ curl=~8 && \ # Upgrade packages for be able get latest Checkov python3 -m pip install --no-cache-dir --upgrade \ - pip \ - setuptools + pip \ + setuptools ARG PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION:-latest} -ARG TOFU_VERSION=${TOFU_VERSION:-1.9.0} +ARG TOFU_VERSION=${TOFU_VERSION:-1.6.1} # Install pre-commit RUN [ ${PRE_COMMIT_VERSION} = "latest" ] && pip3 install --no-cache-dir pre-commit \ || pip3 install --no-cache-dir pre-commit==${PRE_COMMIT_VERSION} + RUN curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ - && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ - && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ - && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip -d /usr/bin/ \ - && rm "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" \ - && rm "tofu_${TOFU_VERSION}_SHA256SUMS" + && curl -LO https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_SHA256SUMS \ + && [ $(sha256sum "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" | cut -f 1 -d ' ') = "$(grep "tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip" tofu_*_SHA256SUMS | cut -f 1 -d ' ')" ] \ + && unzip tofu_${TOFU_VERSION}_${TARGETOS}_${TARGETARCH}.zip \ + && mv tofu /usr/bin/tofu # # Install tools @@ -47,18 +47,18 @@ ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false} # specified in step below ARG INSTALL_ALL=${INSTALL_ALL:-false} RUN if [ "$INSTALL_ALL" != "false" ]; then \ - echo "export CHECKOV_VERSION=latest" >> /.env && \ - echo "export INFRACOST_VERSION=latest" >> /.env && \ - echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ - echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ - echo "export TERRASCAN_VERSION=latest" >> /.env && \ - echo "export TFLINT_VERSION=latest" >> /.env && \ - echo "export TFSEC_VERSION=latest" >> /.env && \ - echo "export TRIVY_VERSION=latest" >> /.env && \ - echo "export TFUPDATE_VERSION=latest" >> /.env && \ - echo "export HCLEDIT_VERSION=latest" >> /.env \ + echo "export CHECKOV_VERSION=latest" >> /.env && \ + echo "export INFRACOST_VERSION=latest" >> /.env && \ + echo "export TERRAFORM_DOCS_VERSION=latest" >> /.env && \ + echo "export TERRAGRUNT_VERSION=latest" >> /.env && \ + echo "export TERRASCAN_VERSION=latest" >> /.env && \ + echo "export TFLINT_VERSION=latest" >> /.env && \ + echo "export TFSEC_VERSION=latest" >> /.env && \ + echo "export TRIVY_VERSION=latest" >> /.env && \ + echo "export TFUPDATE_VERSION=latest" >> /.env && \ + echo "export HCLEDIT_VERSION=latest" >> /.env \ ; else \ - touch /.env \ + touch /.env \ ; fi @@ -66,10 +66,10 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \ RUN . /.env && \ if [ "$CHECKOV_VERSION" != "false" ]; then \ ( \ - apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \ - [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ - || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ - apk del gcc libffi-dev musl-dev \ + apk add --no-cache gcc=~12 libffi-dev=~3 musl-dev=~1; \ + [ "$CHECKOV_VERSION" = "latest" ] && pip3 install --no-cache-dir checkov \ + || pip3 install --no-cache-dir checkov==${CHECKOV_VERSION}; \ + apk del gcc libffi-dev musl-dev \ ) \ ; fi @@ -77,9 +77,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$INFRACOST_VERSION" != "false" ]; then \ ( \ - INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ - [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ - || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ + INFRACOST_RELEASES="https://api.github.com/repos/infracost/infracost/releases" && \ + [ "$INFRACOST_VERSION" = "latest" ] && curl -L "$(curl -s ${INFRACOST_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ + || curl -L "$(curl -s ${INFRACOST_RELEASES} | grep -o -E "https://.+?v${INFRACOST_VERSION}/infracost-${TARGETOS}-${TARGETARCH}.tar.gz")" > infracost.tgz \ ) && tar -xzf infracost.tgz && rm infracost.tgz && mv infracost-${TARGETOS}-${TARGETARCH} infracost \ ; fi @@ -87,9 +87,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TERRAFORM_DOCS_VERSION" != "false" ]; then \ ( \ - TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ - [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ - || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ + TERRAFORM_DOCS_RELEASES="https://api.github.com/repos/terraform-docs/terraform-docs/releases" && \ + [ "$TERRAFORM_DOCS_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES}/latest | grep -o -E -m 1 "https://.+?-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ + || curl -L "$(curl -s ${TERRAFORM_DOCS_RELEASES} | grep -o -E "https://.+?v${TERRAFORM_DOCS_VERSION}-${TARGETOS}-${TARGETARCH}.tar.gz")" > terraform-docs.tgz \ ) && tar -xzf terraform-docs.tgz terraform-docs && rm terraform-docs.tgz && chmod +x terraform-docs \ ; fi @@ -97,9 +97,9 @@ RUN . /.env && \ RUN . /.env \ && if [ "$TERRAGRUNT_VERSION" != "false" ]; then \ ( \ - TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ - [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ - || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ + TERRAGRUNT_RELEASES="https://api.github.com/repos/gruntwork-io/terragrunt/releases" && \ + [ "$TERRAGRUNT_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRAGRUNT_RELEASES}/latest | grep -o -E -m 1 "https://.+?/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ + || curl -L "$(curl -s ${TERRAGRUNT_RELEASES} | grep -o -E -m 1 "https://.+?v${TERRAGRUNT_VERSION}/terragrunt_${TARGETOS}_${TARGETARCH}")" > terragrunt \ ) && chmod +x terragrunt \ ; fi @@ -111,9 +111,9 @@ RUN . /.env && \ # Convert the first letter to Uppercase OS="$(echo ${TARGETOS} | cut -c1 | tr '[:lower:]' '[:upper:]' | xargs echo -n; echo ${TARGETOS} | cut -c2-)"; \ ( \ - TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ - [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ - || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ + TERRASCAN_RELEASES="https://api.github.com/repos/tenable/terrascan/releases" && \ + [ "$TERRASCAN_VERSION" = "latest" ] && curl -L "$(curl -s ${TERRASCAN_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ + || curl -L "$(curl -s ${TERRASCAN_RELEASES} | grep -o -E "https://.+?${TERRASCAN_VERSION}_${OS}_${ARCH}.tar.gz")" > terrascan.tar.gz \ ) && tar -xzf terrascan.tar.gz terrascan && rm terrascan.tar.gz && \ ./terrascan init \ ; fi @@ -122,9 +122,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFLINT_VERSION" != "false" ]; then \ ( \ - TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ - [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ - || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ + TFLINT_RELEASES="https://api.github.com/repos/terraform-linters/tflint/releases" && \ + [ "$TFLINT_VERSION" = "latest" ] && curl -L "$(curl -s ${TFLINT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ + || curl -L "$(curl -s ${TFLINT_RELEASES} | grep -o -E "https://.+?/v${TFLINT_VERSION}/tflint_${TARGETOS}_${TARGETARCH}.zip")" > tflint.zip \ ) && unzip tflint.zip && rm tflint.zip \ ; fi @@ -132,9 +132,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFSEC_VERSION" != "false" ]; then \ ( \ - TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ - [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ - || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ + TFSEC_RELEASES="https://api.github.com/repos/aquasecurity/tfsec/releases" && \ + [ "$TFSEC_VERSION" = "latest" ] && curl -L "$(curl -s ${TFSEC_RELEASES}/latest | grep -o -E -m 1 "https://.+?/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ + || curl -L "$(curl -s ${TFSEC_RELEASES} | grep -o -E -m 1 "https://.+?v${TFSEC_VERSION}/tfsec-${TARGETOS}-${TARGETARCH}")" > tfsec \ ) && chmod +x tfsec \ ; fi @@ -143,9 +143,9 @@ RUN . /.env && \ if [ "$TRIVY_VERSION" != "false" ]; then \ if [ "$TARGETARCH" != "amd64" ]; then ARCH="$TARGETARCH"; else ARCH="64bit"; fi; \ ( \ - TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ - [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ - || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ + TRIVY_RELEASES="https://api.github.com/repos/aquasecurity/trivy/releases" && \ + [ "$TRIVY_VERSION" = "latest" ] && curl -L "$(curl -s ${TRIVY_RELEASES}/latest | grep -o -E -i -m 1 "https://.+?/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ + || curl -L "$(curl -s ${TRIVY_RELEASES} | grep -o -E -i -m 1 "https://.+?/v${TRIVY_VERSION}/trivy_.+?_${TARGETOS}-${ARCH}.tar.gz")" > trivy.tar.gz \ ) && tar -xzf trivy.tar.gz trivy && rm trivy.tar.gz \ ; fi @@ -153,9 +153,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$TFUPDATE_VERSION" != "false" ]; then \ ( \ - TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ - [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ - || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ + TFUPDATE_RELEASES="https://api.github.com/repos/minamijoyo/tfupdate/releases" && \ + [ "$TFUPDATE_VERSION" = "latest" ] && curl -L "$(curl -s ${TFUPDATE_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ + || curl -L "$(curl -s ${TFUPDATE_RELEASES} | grep -o -E -m 1 "https://.+?${TFUPDATE_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > tfupdate.tgz \ ) && tar -xzf tfupdate.tgz tfupdate && rm tfupdate.tgz \ ; fi @@ -163,9 +163,9 @@ RUN . /.env && \ RUN . /.env && \ if [ "$HCLEDIT_VERSION" != "false" ]; then \ ( \ - HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ - [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ - || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ + HCLEDIT_RELEASES="https://api.github.com/repos/minamijoyo/hcledit/releases" && \ + [ "$HCLEDIT_VERSION" = "latest" ] && curl -L "$(curl -s ${HCLEDIT_RELEASES}/latest | grep -o -E -m 1 "https://.+?_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ + || curl -L "$(curl -s ${HCLEDIT_RELEASES} | grep -o -E -m 1 "https://.+?${HCLEDIT_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz")" > hcledit.tgz \ ) && tar -xzf hcledit.tgz hcledit && rm hcledit.tgz \ ; fi @@ -208,9 +208,8 @@ COPY --from=builder \ /usr/local/bin/pre-commit \ # Hooks and terraform binaries /bin_dir/ \ - /usr/bin/tofu \ /usr/local/bin/checkov* \ - /usr/bin/ + /usr/bin/ # Copy pre-commit packages COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/ # Copy terrascan policies @@ -218,10 +217,10 @@ COPY --from=builder /root/ /root/ # Install hooks extra deps RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache perl=~5 \ + apk add --no-cache perl=~5 \ ; fi && \ if [ "$(grep -o '^infracost SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \ - apk add --no-cache jq=~1 \ + apk add --no-cache jq=~1 \ ; fi && \ # Fix git runtime fatal: # unsafe repository ('/lint' is owned by someone else) @@ -235,4 +234,3 @@ ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-} ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false} ENTRYPOINT [ "/entrypoint.sh" ] - diff --git a/README.md b/README.md index 023ad0c..1cd4a21 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ If you are using `pre-commit-opentofu` already or want to support its developmen ```bash TAG=latest -docker pull tofuutils/pre-commit-opentofu:$TAG +docker pull ghcr.io/tofuutils/pre-commit-opentofu:$TAG ``` All available tags [here](https://github.com/tofuutils/pre-commit-opentofu/pkgs/container/pre-commit-opentofu/versions). @@ -256,14 +256,14 @@ Or, using Docker ([available tags](https://github.com/tofuutils/pre-commit-opent ```bash TAG=latest -docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a +docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a ``` Execute this command to list the versions of the tools in Docker: ```bash TAG=latest -docker run --rm --entrypoint cat tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info +docker run --rm --entrypoint cat ghcr.io/tofuutils/pre-commit-opentofu:$TAG /usr/bin/tools_versions_info ``` ## Available Hooks @@ -552,7 +552,7 @@ To replicate functionality in `tofu_docs` hook: - --args=--config=.terraform-docs.yml ``` -### tofu_fmt +### terraftofu_fmtorm_fmt 1. `tofu_fmt` supports custom arguments so you can pass [supported flags](https://www.terraform.io/docs/cli/commands/fmt.html#usage). Eg: @@ -997,7 +997,7 @@ The [recommended command](#4-run) to run the Docker container is: ```bash TAG=latest -docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:$TAG run -a +docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:$TAG run -a ``` which uses your current session's user ID and group ID to set the variable in the run command. Without this setting, you may find files and directories owned by `root` in your local repository. @@ -1041,7 +1041,7 @@ Finally, you can execute `docker run` with an additional volume mount so that th # run pre-commit-opentofu with docker # adding volume for .netrc file # .netrc needs to be in /root/ dir -docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint tofuutils/pre-commit-opentofu:latest run -a +docker run --rm -e "USERID=$(id -u):$(id -g)" -v ~/.netrc:/root/.netrc -v $(pwd):/lint -w /lint ghcr.io/tofuutils/pre-commit-opentofu:latest run -a ``` ## Authors diff --git a/hooks/infracost_breakdown.sh b/hooks/infracost_breakdown.sh index 121f49b..5515791 100755 --- a/hooks/infracost_breakdown.sh +++ b/hooks/infracost_breakdown.sh @@ -70,24 +70,19 @@ function infracost_breakdown_ { # -h .totalHourlyCost > 0.1 # --hook-config=.currency == "USD" first_char=${check:0:1} - last_char=${check:$((${#check} - 1)):1} + last_char=${check: -1} if [ "$first_char" == "$last_char" ] && { [ "$first_char" == '"' ] || [ "$first_char" == "'" ] }; then - check="${check:1:$((${#check} - 2))}" + check="${check:1:-1}" fi - # Replace mapfile with while read loop for bash 3.2 compatibility - operations=() - while IFS= read -r line; do - operations+=("$line") - done < <(echo "$check" | grep -oE '[!<>=]{1,2}') - + mapfile -t operations < <(echo "$check" | grep -oE '[!<>=]{1,2}') # Get the very last operator, that is used in comparison inside `jq` query. # From the example below we need to pick the `>` which is in between `add` and `1000`, # but not the `!=`, which goes earlier in the `jq` expression # [.projects[].diff.totalMonthlyCost | select (.!=null) | tonumber] | add > 1000 - operation=${operations[$((${#operations[@]} - 1))]} + operation=${operations[-1]} IFS="$operation" read -r -a jq_check <<< "$check" real_value="$(jq "${jq_check[0]}" <<< "$RESULTS")" diff --git a/hooks/tofu_docs.sh b/hooks/tofu_docs.sh index 8b8d136..b7c9e30 100755 --- a/hooks/tofu_docs.sh +++ b/hooks/tofu_docs.sh @@ -155,7 +155,7 @@ function tofu_docs { # if $create_if_not_exist && [[ ! -f "$text_file" ]]; then dir_have_tf_files="$( - find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tofu|^tf$|^tfvars$' || + find . -maxdepth 1 -type f | sed 's|.*\.||' | sort -u | grep -oE '^tf$|^tfvars$' || exit 0 )" diff --git a/hooks/tofu_docs_replace.py b/hooks/tofu_docs_replace.py index 26f1d06..a9cf6c9 100644 --- a/hooks/tofu_docs_replace.py +++ b/hooks/tofu_docs_replace.py @@ -7,41 +7,30 @@ import sys def main(argv=None): parser = argparse.ArgumentParser( description="""Run terraform-docs on a set of files. Follows the standard convention of - pulling the documentation from main.(tf|tofu) in order to replace the entire + pulling the documentation from main.tf in order to replace the entire README.md file each time.""" ) parser.add_argument( - "--dest", - dest="dest", - default="README.md", + '--dest', dest='dest', default='README.md', ) parser.add_argument( - "--sort-inputs-by-required", - dest="sort", - action="store_true", - help="[deprecated] use --sort-by-required instead", + '--sort-inputs-by-required', dest='sort', action='store_true', + help='[deprecated] use --sort-by-required instead', ) parser.add_argument( - "--sort-by-required", - dest="sort", - action="store_true", + '--sort-by-required', dest='sort', action='store_true', ) parser.add_argument( - "--with-aggregate-type-defaults", - dest="aggregate", - action="store_true", - help="[deprecated]", + '--with-aggregate-type-defaults', dest='aggregate', action='store_true', + help='[deprecated]', ) - parser.add_argument("filenames", nargs="*", help="Filenames to check.") + parser.add_argument('filenames', nargs='*', help='Filenames to check.') args = parser.parse_args(argv) dirs = [] for filename in args.filenames: - if os.path.realpath(filename) not in dirs and ( - filename.endswith(".tf") - or filename.endswith(".tofu") - or filename.endswith(".tfvars") - ): + if (os.path.realpath(filename) not in dirs and + (filename.endswith(".tf") or filename.endswith(".tfvars"))): dirs.append(os.path.dirname(filename)) retval = 0 @@ -49,12 +38,12 @@ def main(argv=None): for dir in dirs: try: procArgs = [] - procArgs.append("terraform-docs") + procArgs.append('terraform-docs') if args.sort: - procArgs.append("--sort-by-required") - procArgs.append("md") + procArgs.append('--sort-by-required') + procArgs.append('md') procArgs.append("./{dir}".format(dir=dir)) - procArgs.append(">") + procArgs.append('>') procArgs.append("./{dir}/{dest}".format(dir=dir, dest=args.dest)) subprocess.check_call(" ".join(procArgs), shell=True) except subprocess.CalledProcessError as e: @@ -63,5 +52,5 @@ def main(argv=None): return retval -if __name__ == "__main__": +if __name__ == '__main__': sys.exit(main()) diff --git a/hooks/tofu_wrapper_module_for_each.sh b/hooks/tofu_wrapper_module_for_each.sh index c87db22..f1a70ef 100755 --- a/hooks/tofu_wrapper_module_for_each.sh +++ b/hooks/tofu_wrapper_module_for_each.sh @@ -312,10 +312,10 @@ EOF # Read content of all OpenTofu files # shellcheck disable=SC2207 - all_tf_content=$(find "${full_module_dir}" -regex '.*\.(tf|tofu)' -maxdepth 1 -type f -exec cat {} +) + all_tf_content=$(find "${full_module_dir}" -name '*.tf' -maxdepth 1 -type f -exec cat {} +) if [[ ! $all_tf_content ]]; then - common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.(tf|tofu) files." + common::colorify "yellow" "Skipping ${full_module_dir} because there are no *.tf files." continue fi