chore: manage github repo and secrets with terraform

01Joseph-Hwang10 · 01Joseph-Hwang10 · commit f0841e5a6aca · 2024-03-02T00:21:46.000+09:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,41 +1,40 @@
-name: Build and publish package
-
 on:
   push:
     branches:
       - master
 
-env:
-  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+permissions:
+  contents: write
+  pull-requests: write
+
+name: Release and publish packages
 
 jobs:
   release:
     runs-on: ubuntu-latest
-    concurrency: release
-    permissions:
-      id-token: write
-      contents: write
-
     steps:
-      # Checkout the repository
-      - uses: actions/checkout@v3
+      - uses: google-github-actions/release-please-action@v4
+        id: release
         with:
-          fetch-depth: 0
+          token: ${{ secrets.GH_PAT }}
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json
 
-      # Set-up git user
-      - name: Set-up git user
-        run: |
-          set -e
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
+      # Check-out the repository
+      - uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.release_created == 'true' }}
+        with:
+          ref: ${{ github.event.after }}
 
       # Set up Python
       - uses: actions/setup-python@v1
+        if: ${{ steps.release.outputs.release_created == 'true' }}
         with:
           python-version: 3.11
 
       # Set up Poetry
       - uses: snok/install-poetry@v1
+        if: ${{ steps.release.outputs.release_created == 'true' }}
         with:
           virtualenvs-create: true
           virtualenvs-in-project: true
@@ -44,20 +43,22 @@ jobs:
       - name: Load cached venv
         id: cache-dependencies
         uses: actions/cache@v3
+        if: ${{ steps.release.outputs.release_created == 'true' }}
         with:
           path: .venv
           key: venv-${{ runner.os }}-${{ hashFiles('**/poetry.lock') }}
 
       # Install dependencies
-      - if: steps.cache-dependencies.outputs.cache-hit != 'true'
+      - if: ${{ steps.release.outputs.release_created == 'true' && steps.cache-dependencies.outputs.cache-hit != 'true' }}
         run: poetry install --without test,dev
 
-      # Version package
-      - run: poetry run semantic-release version
-
       # Configure basic credentials for PyPI
       - run: poetry config pypi-token.pypi "${{ secrets.PYPI_PASSWORD }}"
+        if: ${{ steps.release.outputs.release_created == 'true' }}
 
       # Build and publish package
       - run: poetry build
+        if: ${{ steps.release.outputs.release_created == 'true' }}
+
       - run: poetry publish
+        if: ${{ steps.release.outputs.release_created == 'true' }}
diff --git a/terraform/.gitignore b/terraform/.gitignore
@@ -0,0 +1,37 @@
+# Sensitive values
+vars
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -0,0 +1,39 @@
+resource "github_repository" "jtd_codebuild" {
+  name         = "jtd-codebuild"
+  visibility   = "public"
+  homepage_url = "https://pypi.org/project/jtd-codebuild/"
+  topics = [
+    "code-generation",
+    "json",
+    "json-type-definition"
+  ]
+  description = join(" ", [
+    "Tool for generating language specific",
+    "schemas and interfaces code from",
+    "JSON Type Definition IDL files in yaml format.",
+    "Powered by jtd-codegen.",
+  ])
+  has_downloads   = true
+  has_issues      = true
+  has_projects    = true
+  has_wiki        = true
+  has_discussions = false
+}
+
+resource "github_actions_secret" "pypi_username" {
+  repository      = github_repository.jtd_codebuild.name
+  secret_name     = "PYPI_USERNAME"
+  plaintext_value = var.pypi_username
+}
+
+resource "github_actions_secret" "pypi_password" {
+  repository      = github_repository.jtd_codebuild.name
+  secret_name     = "PYPI_PASSWORD"
+  plaintext_value = var.pypi_password
+}
+
+resource "github_actions_secret" "github_pat" {
+  repository      = github_repository.jtd_codebuild.name
+  secret_name     = "GH_PAT"
+  plaintext_value = var.github_pat
+}
diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    github = {
+      source = "integrations/github"
+    }
+  }
+}
+
+provider "github" {
+  owner = var.github_owner
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -0,0 +1,23 @@
+variable "github_owner" {
+  type        = string
+  description = <<EOT
+    Variable for GitHub owner.
+
+    This represents what account or organization the repository will be created under.
+  EOT
+}
+
+variable "github_pat" {
+  type      = string
+  sensitive = true
+}
+
+variable "pypi_username" {
+  type      = string
+  sensitive = true
+}
+
+variable "pypi_password" {
+  type      = string
+  sensitive = true
+}
