feat: Add base for services

.github/actions/list_dockerfile/action.yml

@@ -0,0 +1,17 @@
+# From https://code.dblock.org/2021/09/03/generating-task-matrix-by-looping-over-repo-files-with-github-actions.html
+
+name: List Dockerfile
+description: List all Dockerfile as a matrix
+outputs:
+  matrix:
+    description: Matrix of all Dockerfile
+    value: ${{ steps.set_matrix.outputs.matrix }}
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+    - id: set_matrix
+      shell: bash
+      run: echo "matrix=$(find services -name Dockerfile -maxdepth 2 -print0 | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
+

.github/workflows/hadolint-else.yaml

@@ -0,0 +1,14 @@
+name: Dockerfile lint
+
+on:
+  pull_request:
+    paths-ignore:
+      - "Dockerfile"
+
+jobs:
+  lint:
+    name: Dockerfile lint
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "No Dockerfile updated"

.github/workflows/hadolint.yaml

@@ -0,0 +1,53 @@
+name: Dockerfile lint
+
+on:
+  pull_request:
+    paths:
+      - "Dockerfile"
+
+jobs:
+  list_dockerfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: "actions/checkout@v2"
+      - uses: "./github/actions/list_dockerfile"
+        id: set_matrix
+    outputs:
+      matrix: ${{ steps.set_matrix.outputs.matrix }}
+
+  lint:
+    needs: list_dockerfile
+    name: Dockerfile lint by Hadolint Action
+    runs-on: ubuntu-latest
+    strategy:
+        matrix:
+          dockerfile: ${{ fromJson(needs.list_dockerfile.outputs.matrix) }}
+
+    steps:
+      - uses: "actions/checkout@v4"
+
+      - uses: "hadolint/hadolint-action@v3.1.0"
+        id: run_hadolint
+        with:
+          dockerfile: ${{ matrix.dockerfile }}
+          no-color: false
+          no-fail: false
+
+      - name: Create pull request comment
+        uses: "actions/github-script@v6"
+        if: github.event_name == 'pull_request'
+        with:
+          script: |
+            const hadolintOutput = `
+            #### Hadolint: \`${{ steps.run_hadolint.outcome }}\`
+            \`\`\`
+            ${process.env.HADOLINT_RESULTS}
+            \`\`\`
+            `;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: hadolintOutput,
+            });

.github/workflows/staging-apply.yaml

@@ -0,0 +1,102 @@
+name: Staging Terraform Apply
+
+on:
+  push:
+    branches:
+      - "main"
+
+env:
+  TF_CLOUD_ORGANIZATION: "pulsate-dev"
+  TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
+  TF_WORKSPACE: "pulsate-staging"
+  CONFIG_DIRECTORY: "./staging/"
+
+jobs:
+  list_dockerfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./github/actions/list_dockerfile
+        id: set_matrix
+    outputs:
+      matrix: ${{ steps.set_matrix.outputs.matrix }}
+  images:
+    needs: list_dockerfile
+    name: Push Docker images
+    runs-on: ubuntu-latest
+    strategy:
+        matrix:
+          dockerfile: ${{ fromJson(needs.list_dockerfile.outputs.matrix) }}
+
+    steps:
+      - uses: "actions/checkout@v4"
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/approvers/oreorebot2
+          tags: |
+            ${{ github.sha }}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.0.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ github.token }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          file: ${{ matrix.dockerfile }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  apply:
+    needs: images
+    if: github.repository == 'approvers/pulsate'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: "actions/checkout@v4"
+
+      - id: "auth"
+        name: Authenticate to Google Cloud
+        uses: "google-github-actions/auth@v1"
+        with:
+          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/ci-pool/providers/ci-provider"
+          service_account: "staging-deploy-from-github-act@pulsate-staging-400117.iam.gserviceaccount.com"
+          token_format: "access_token"
+
+      - name: Upload Configuration
+        uses: "hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.4"
+        id: apply-upload
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+      - name: Create Apply Run
+        uses: "hashicorp/tfc-workflows-github/actions/create-run@v1.0.4"
+        id: apply-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
+        env:
+          TF_VAR_access_token: "\"${{ steps.auth.outputs.access_token }}\""
+      - name: Apply
+        uses: "hashicorp/tfc-workflows-github/actions/apply-run@v1.0.4"
+        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
+        id: apply
+        with:
+          run: ${{ steps.apply-run.outputs.run_id }}
+          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"

.github/workflows/staging-plan.yml

@@ -0,0 +1,90 @@
+name: Staging Terraform Plan
+
+on:
+  pull_request:
+    branches:
+      - "main"
+
+env:
+  TF_CLOUD_ORGANIZATION: "pulsate-dev"
+  TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
+  TF_WORKSPACE: "pulsate-staging"
+  CONFIG_DIRECTORY: "./staging/"
+
+jobs:
+  plan:
+    if: github.repository == 'approvers/pulsate'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    steps:
+      - uses: "actions/checkout@v4"
+
+      - id: "auth"
+        name: Authenticate to Google Cloud
+        uses: "google-github-actions/auth@v1"
+        with:
+          workload_identity_provider: "projects/1065320521129/locations/global/workloadIdentityPools/ci-pool/providers/ci-provider"
+          service_account: "staging-deploy-from-github-act@pulsate-staging-400117.iam.gserviceaccount.com"
+          token_format: "access_token"
+
+      - name: Upload Configuration
+        uses: "hashicorp/tfc-workflows-github/actions/upload-configuration@v1.0.4"
+        id: "plan-upload"
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          directory: ${{ env.CONFIG_DIRECTORY }}
+          speculative: true
+      - name: Create Plan Run
+        uses: "hashicorp/tfc-workflows-github/actions/create-run@v1.0.4"
+        id: plan-run
+        with:
+          workspace: ${{ env.TF_WORKSPACE }}
+          configuration_version: ${{ steps.plan-upload.outputs.configuration_version_id }}
+          plan_only: true
+        env:
+          TF_VAR_access_token: "\"${{ steps.auth.outputs.access_token }}\""
+      - name: Get Plan Output
+        uses: "hashicorp/tfc-workflows-github/actions/plan-output@v1.0.0"
+        id: plan-output
+        with:
+          plan: ${{ fromJSON(steps.plan-run.outputs.payload).data.relationships.plan.data.id }}
+      - name: Update PR
+        uses: "actions/github-script@v6"
+        id: plan-comment
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const botComment = comments.find(comment => {
+              return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
+            });
+            const output = `#### Terraform Cloud Plan Output
+            \`\`\`
+            Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
+            \`\`\`
+            [Terraform Cloud Plan](${{ steps.plan-run.outputs.run_link }})
+            `;
+            // 3. Delete previous comment so PR timeline makes sense
+            if (botComment !== undefined) {
+              github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: output,
+              });
+            } else {
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: output,
+              });
+            }
+

services/hello/.dockerignore

@@ -0,0 +1,2 @@
+*.env
+Dockerfile

services/hello/Dockerfile

@@ -0,0 +1,13 @@
+FROM denoland/deno:1.37.0
+
+EXPOSE 8000
+
+WORKDIR /app
+
+USER deno
+
+COPY . .
+
+RUN deno cache main.ts
+
+CMD ["run", "--allow-net", "main.ts"]

main.ts → services/hello/main.ts

@@ -1,4 +1,4 @@
-import nhttp from "nhttp";
+import nhttp from "https://deno.land/x/nhttp@1.3.9/mod.ts";
 
 if (import.meta.main) {
   const app = nhttp();

staging/backend.conf

@@ -0,0 +1 @@
+bucket = "tf-state-xxxxxxxxx"