From 23f84e4783af8081b01820547d28c1fbea090de4 Mon Sep 17 00:00:00 2001 
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:10:13 +0200 Subject: [PATCH 1/2] feat: [P4PU-637] github configuration with payment workflow (#137) * moved .identity folder to .github/terraform * added github action payments workflow * updated terraform version * updated releaserc.json to avoid comments in PR * updated pre-commit config * github: added rulesets * github: removed actions * pre-commit fixs * code-owners with payment cloud --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- .../terraform}/.terraform.lock.hcl | 2 + {.identity => .github/terraform}/00_data.tf | 1 - .github/terraform/01_global.tf | 52 +++++++++++++++++++ .../terraform}/03_github_environment.tf | 0 .github/terraform/99_locals.tf | 50 ++++++++++++++++++ {.identity => .github/terraform}/99_main.tf | 0 .../terraform}/99_variables.tf | 0 .../terraform}/env/itn-dev/backend.ini | 0 .../terraform}/env/itn-dev/backend.tfvars | 0 .../terraform}/env/itn-dev/terraform.tfvars | 0 .../terraform}/env/itn-prod/backend.ini | 0 .../terraform}/env/itn-prod/backend.tfvars | 0 .../terraform}/env/itn-prod/terraform.tfvars | 0 .../terraform}/env/itn-uat/backend.ini | 0 .../terraform}/env/itn-uat/backend.tfvars | 0 .../terraform}/env/itn-uat/terraform.tfvars | 0 {.identity => .github/terraform}/terraform.sh | 0 .github/workflows/code-review.yml | 2 +- .../payments-flow-docker-snapshot.yml | 32 ++++++++++++ .github/workflows/payments-flow-release.yml | 29 +++++++++++ .github/workflows/release.yml | 25 --------- .github/workflows/snapshot-docker.yml | 23 -------- .github/workflows/trivy.yml | 2 +- .identity/99_locals.tf | 17 ------ .pre-commit-config.yaml | 51 ++++++++++++++---- .releaserc.json | 19 +++++++ .terraform-version | 2 +- CODEOWNERS | 2 +- force-release | 2 +- 30 files changed, 230 insertions(+), 83 deletions(-) rename {.identity => .github/terraform}/.terraform.lock.hcl (95%) rename {.identity => .github/terraform}/00_data.tf (99%) create mode 100644 
.github/terraform/01_global.tf rename {.identity => .github/terraform}/03_github_environment.tf (100%) create mode 100644 .github/terraform/99_locals.tf rename {.identity => .github/terraform}/99_main.tf (100%) rename {.identity => .github/terraform}/99_variables.tf (100%) rename {.identity => .github/terraform}/env/itn-dev/backend.ini (100%) rename {.identity => .github/terraform}/env/itn-dev/backend.tfvars (100%) rename {.identity => .github/terraform}/env/itn-dev/terraform.tfvars (100%) rename {.identity => .github/terraform}/env/itn-prod/backend.ini (100%) rename {.identity => .github/terraform}/env/itn-prod/backend.tfvars (100%) rename {.identity => .github/terraform}/env/itn-prod/terraform.tfvars (100%) rename {.identity => .github/terraform}/env/itn-uat/backend.ini (100%) rename {.identity => .github/terraform}/env/itn-uat/backend.tfvars (100%) rename {.identity => .github/terraform}/env/itn-uat/terraform.tfvars (100%) rename {.identity => .github/terraform}/terraform.sh (100%) create mode 100644 .github/workflows/payments-flow-docker-snapshot.yml create mode 100644 .github/workflows/payments-flow-release.yml delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/snapshot-docker.yml delete mode 100644 .identity/99_locals.tf create mode 100644 .releaserc.json diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 6ceafecf..308d8643 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -33,4 +33,4 @@ - [ ] My change requires a change to the documentation. -- [ ] I have updated the documentation accordingly. \ No newline at end of file +- [ ] I have updated the documentation accordingly. diff --git a/.identity/.terraform.lock.hcl b/.github/terraform/.terraform.lock.hcl similarity index 95% rename from .identity/.terraform.lock.hcl rename to .github/terraform/.terraform.lock.hcl index 50ad9b01..284069aa 100644 --- a/.identity/.terraform.lock.hcl 
+++ b/.github/terraform/.terraform.lock.hcl
@@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
 version = "3.116.0"
 constraints = "~> 3.108"
 hashes = [
+ "h1:2QbjtN4oMXzdA++Nvrj/wSmWZTPgXKOSFGGQCLEMrb4=",
 "h1:BCR3NIorFSvGG3v/+JOiiw3VM4PkChLO4m84wzD9NDo=",
 "zh:02b6606aff025fc2a962b3e568e000300abe959adac987183c24dac8eb057f4d",
 "zh:2a23a8ce24ff9e885925ffee0c3ea7eadba7a702541d05869275778aa47bdea7",
@@ -26,6 +27,7 @@ provider "registry.terraform.io/integrations/github" {
 constraints = "~> 6.3"
 hashes = [
 "h1:AG//wDT67eInhTk+SQdDz5o8R8YIIBrZGz7C9TXKDOw=",
+ "h1:smeAkyQqdvuOr8rtC/2+kdvWqS7YR92RWFrJL+k6z7A=",
 "zh:04fe3b820fe8c247b98b9d6810b8bb84d3e8ac08054faf450c42489815ef4bfa",
 "zh:24096b2d16208d1411a58bdb8df8cd9f0558fb9054ffeb95c4e7e90a9a34f976",
 "zh:2b27332adf8d08fbdc08b5f55e87691bce02c311219e6deb39c08753bd93db6d",
diff --git a/.identity/00_data.tf b/.github/terraform/00_data.tf
similarity index 99%
rename from .identity/00_data.tf
rename to .github/terraform/00_data.tf
index 61393d95..4b2ba7cd 100644
--- a/.identity/00_data.tf
+++ b/.github/terraform/00_data.tf
@@ -16,4 +16,3 @@ data "github_organization_teams" "all" {
 root_teams_only = true
 summary_only = true
 }
-
diff --git a/.github/terraform/01_global.tf b/.github/terraform/01_global.tf
new file mode 100644
index 00000000..a17eb9d1
--- /dev/null
+++ b/.github/terraform/01_global.tf
@@ -0,0 +1,52 @@
+resource "github_branch" "release" {
+ for_each = var.env == "prod" ? toset(local.branches) : []
+ repository = local.github.repository
+ branch = each.key
+ source_branch = "main"
+}
+
+resource "github_branch_default" "default" {
+ repository = local.github.repository
+ branch = "develop"
+}
+
+resource "github_repository_ruleset" "branch_rules" {
+ for_each = var.env == "prod" ? local.branch_rulesets : {}
+
+ name = each.key
+ repository = local.github.repository
+ target = "branch"
+ enforcement = "active"
+
+ conditions {
+ ref_name {
+ include = [each.value.ref_name]
+ exclude = []
+ }
+ }
+
+ dynamic "bypass_actors" {
+ for_each = each.value.bypass_actors == true ? toset(local.bypass_branch_rules_teams) : []
+ content {
+ actor_id = lookup(local.team_name_to_id, bypass_actors.value)
+ actor_type = "Team"
+ bypass_mode = "always"
+ }
+ }
+
+ rules {
+ creation = false
+ update = false
+ deletion = true
+ required_signatures = false
+ required_linear_history = each.value.required_linear_history
+
+ pull_request {
+ dismiss_stale_reviews_on_push = false
+ require_last_push_approval = false
+ required_review_thread_resolution = false
+ require_code_owner_review = each.value.require_code_owner_review
+ required_approving_review_count = each.value.required_approving_review_count
+ }
+ }
+}
diff --git a/.identity/03_github_environment.tf b/.github/terraform/03_github_environment.tf
similarity index 100%
rename from .identity/03_github_environment.tf
rename to .github/terraform/03_github_environment.tf
diff --git a/.github/terraform/99_locals.tf b/.github/terraform/99_locals.tf
new file mode 100644
index 00000000..2b1b2ccd
--- /dev/null
+++ b/.github/terraform/99_locals.tf
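Review bot: Every ruleset produced by `github_repository_ruleset.branch_rules` hard-codes `dismiss_stale_reviews_on_push = false` and `require_last_push_approval = false` in the `pull_request` block, so on `main` an approval given before later commits were pushed still counts and the person who pushed last may also be the approver; for the production branch at least `dismiss_stale_reviews_on_push = true` is the usual setting, or both flags could be lifted into `local.branch_rulesets` per branch next to `required_linear_history`. The `dynamic "bypass_actors"` block only emits entries when `each.value.bypass_actors` is true, which no ruleset in this patch sets, so no team can currently bypass — a comment such as `# bypass_actors is false for every branch; bypass_branch_rules_teams is reserved for future use` would stop readers assuming the team list is in effect. `required_signatures = false` is likewise fixed for all branches and deserves a one-line comment on whether that is deliberate for `main`.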
@@ -0,0 +1,50 @@
+locals {
+ # Repo
+ github = {
+ org = "pagopa"
+ repository = "arc-be"
+ }
+
+ repo_secrets = var.env_short == "p" ? {
+ SONAR_TOKEN = data.azurerm_key_vault_secret.sonar_token[0].value
+ } : {}
+
+ map_repo = {
+ "dev" : "*",
+ "uat" : "uat"
+ "prod" : "main"
+ }
+
+ branches = ["develop", "uat"]
+ bypass_branch_rules_teams = ["p4pa-admins", "payments-cloud-admin"]
+
+ # this is use to lookup the id for each team
+ team_name_to_id = {
+ for team in data.github_organization_teams.all.teams :
+ team.name => team.id
+ }
+
+ branch_rulesets = {
+ develop = {
+ ref_name = "refs/heads/develop"
+ bypass_actors = false
+ required_linear_history = true
+ require_code_owner_review = false
+ required_approving_review_count = 0
+ }
+ uat = {
+ ref_name = "refs/heads/uat"
+ bypass_actors = false
+ required_linear_history = false
+ require_code_owner_review = false
+ required_approving_review_count = 1
+ },
+ main = {
+ ref_name = "refs/heads/main"
+ bypass_actors = false
+ required_linear_history = false
+ require_code_owner_review = true
+ required_approving_review_count = 0
+ },
+ }
+}
diff --git a/.identity/99_main.tf b/.github/terraform/99_main.tf
similarity index 100%
rename from .identity/99_main.tf
rename to .github/terraform/99_main.tf
diff --git a/.identity/99_variables.tf b/.github/terraform/99_variables.tf
similarity index 100%
rename from .identity/99_variables.tf
rename to .github/terraform/99_variables.tf
diff --git a/.identity/env/itn-dev/backend.ini b/.github/terraform/env/itn-dev/backend.ini
similarity index 100%
rename from .identity/env/itn-dev/backend.ini
rename to .github/terraform/env/itn-dev/backend.ini
diff --git a/.identity/env/itn-dev/backend.tfvars b/.github/terraform/env/itn-dev/backend.tfvars
similarity index 100%
rename from .identity/env/itn-dev/backend.tfvars
rename to .github/terraform/env/itn-dev/backend.tfvars
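Review bot: `branch_rulesets.main` sets `required_approving_review_count = 0` while `uat` requires 1, so the production branch demands fewer approvals than the pre-production one and relies solely on `require_code_owner_review = true`; whether GitHub still enforces a code-owner review when the approval count is zero should be checked against the provider and GitHub ruleset docs, and if one review is intended the line should read `required_approving_review_count = 1`, otherwise a comment next to `main` should explain the asymmetry. `bypass_branch_rules_teams` is declared but unused, because every entry sets `bypass_actors = false`; the comment above `team_name_to_id` also has a typo (`# this is used to look up the id for each team`). `map_repo` and `repo_secrets` are carried over from the deleted `.identity/99_locals.tf` and nothing added in this patch reads them, so confirm they are still referenced (presumably from the renamed `03_github_environment.tf`) before keeping them.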
diff --git a/.identity/env/itn-dev/terraform.tfvars b/.github/terraform/env/itn-dev/terraform.tfvars
similarity index 100%
rename from .identity/env/itn-dev/terraform.tfvars
rename to .github/terraform/env/itn-dev/terraform.tfvars
diff --git a/.identity/env/itn-prod/backend.ini b/.github/terraform/env/itn-prod/backend.ini
similarity index 100%
rename from .identity/env/itn-prod/backend.ini
rename to .github/terraform/env/itn-prod/backend.ini
diff --git a/.identity/env/itn-prod/backend.tfvars b/.github/terraform/env/itn-prod/backend.tfvars
similarity index 100%
rename from .identity/env/itn-prod/backend.tfvars
rename to .github/terraform/env/itn-prod/backend.tfvars
diff --git a/.identity/env/itn-prod/terraform.tfvars b/.github/terraform/env/itn-prod/terraform.tfvars
similarity index 100%
rename from .identity/env/itn-prod/terraform.tfvars
rename to .github/terraform/env/itn-prod/terraform.tfvars
diff --git a/.identity/env/itn-uat/backend.ini b/.github/terraform/env/itn-uat/backend.ini
similarity index 100%
rename from .identity/env/itn-uat/backend.ini
rename to .github/terraform/env/itn-uat/backend.ini
diff --git a/.identity/env/itn-uat/backend.tfvars b/.github/terraform/env/itn-uat/backend.tfvars
similarity index 100%
rename from .identity/env/itn-uat/backend.tfvars
rename to .github/terraform/env/itn-uat/backend.tfvars
diff --git a/.identity/env/itn-uat/terraform.tfvars b/.github/terraform/env/itn-uat/terraform.tfvars
similarity index 100%
rename from .identity/env/itn-uat/terraform.tfvars
rename to .github/terraform/env/itn-uat/terraform.tfvars
diff --git a/.identity/terraform.sh b/.github/terraform/terraform.sh
similarity index 100%
rename from .identity/terraform.sh
rename to .github/terraform/terraform.sh
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index c1cb7695..3c62748f 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -43,4 +43,4 @@ jobs:
 -Dsonar.tests=src/test
 -Dsonar.java.binaries=build/classes
 -Dsonar.coverage.jacoco.xmlReportPaths=build/reports/jacoco/jacocoTestReport.xml
- -Dsonar.coverage.exclusions=src/java/test/**
\ No newline at end of file
+ -Dsonar.coverage.exclusions=src/java/test/**
diff --git a/.github/workflows/payments-flow-docker-snapshot.yml b/.github/workflows/payments-flow-docker-snapshot.yml
new file mode 100644
index 00000000..d6614fa6
--- /dev/null
+++ b/.github/workflows/payments-flow-docker-snapshot.yml
@@ -0,0 +1,32 @@
+name: 📦 Payments Snapshot docker
+
+on:
+ push:
+ branches-ignore:
+ - 'develop'
+ - 'uat'
+ - 'main'
+ paths-ignore:
+ - 'CODEOWNERS'
+ - '**.md'
+ - '.**'
+ workflow_dispatch:
+
+env:
+ CURRENT_BRANCH: ${{ github.event.inputs.branch || github.ref_name }}
+
+jobs:
+ payments-flow-docker-snapshot:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: 🔖 Checkout code
+ # https://github.com/actions/checkout/releases/tag/v4.2.1
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ with:
+ ref: ${{ env.CURRENT_BRANCH }}
+
+ - name: 📦 Run Snapshot Docker Build/Push & Trigger
+ # https://github.com/pagopa/github-actions-template/releases/tag/v1.19.0
+ uses: pagopa/github-actions-template/payments-flow-docker-snapshot@37569377fa759368a01c1e7f40700b4118d65d0c
+ with:
+ current_branch: ${{ github.ref_name }}
diff --git a/.github/workflows/payments-flow-release.yml b/.github/workflows/payments-flow-release.yml
new file mode 100644
index 00000000..c98ae705
--- /dev/null
+++ b/.github/workflows/payments-flow-release.yml
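Review bot: The new workflow declares no `permissions:` block, so its `GITHUB_TOKEN` inherits the repository default, which can be read-write for every scope; the same applies to `payments-flow-release.yml`, and since both hand the token to a reusable action that builds and pushes images (and, presumably, tags the repository on release), an explicit top-level `permissions:` limited to the scopes the pagopa template documents as required would complete the least-privilege picture that the SHA-pinned `uses:` lines already start. Separately, `CURRENT_BRANCH: ${{ github.event.inputs.branch || github.ref_name }}` references an input that the empty `workflow_dispatch:` never declares, so it always resolves to `github.ref_name`, while the action is given `current_branch: ${{ github.ref_name }}` directly; either declare `inputs.branch` under `workflow_dispatch:` and pass `${{ env.CURRENT_BRANCH }}` to both steps, or drop the `env:` block so the two cannot drift.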
@@ -0,0 +1,29 @@
+name: 🚀 Payments release
+
+on:
+ push:
+ branches:
+ - develop
+ - uat
+ - main
+ paths-ignore:
+ - 'CODEOWNERS'
+ - '**.md'
+ - '.**'
+ workflow_dispatch:
+
+jobs:
+ payments-flow-release:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: 🔖 Checkout code
+ # https://github.com/actions/checkout/releases/tag/v4.2.1
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+ with:
+ ref: ${{ github.ref_name }}
+
+ - name: 🚀 release + docker + azdo
+ # https://github.com/pagopa/github-actions-template/releases/tag/v1.19.1
+ uses: pagopa/github-actions-template/payments-flow-release@3ae6a4268ccff000194696b21e1124d9e8ddf997
+ with:
+ current_branch: ${{ github.ref_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 82277ad3..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Release
-
-on:
- # Trigger the workflow on push on the main branch
- push:
- branches:
- - main
- paths-ignore:
- - 'CODEOWNERS'
- - '**.md'
- - '.**'
-
-jobs:
- release:
- name: Release
- runs-on: ubuntu-22.04
-
- steps:
-
- - name: 🚀 Release with docker action
- id: release
- uses: pagopa/eng-github-actions-iac-template/global/release-with-docker@main #
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
diff --git a/.github/workflows/snapshot-docker.yml b/.github/workflows/snapshot-docker.yml
deleted file mode 100644
index 3496adf1..00000000
--- a/.github/workflows/snapshot-docker.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Snapshot docker build and push
-
-on:
- push:
- # Sequence of patterns matched against refs/heads
- branches-ignore:
- - 'main'
- paths-ignore:
- - 'CODEOWNERS'
- - '**.md'
- - '.**'
-
-jobs:
- release:
- name: Snapshot Docker
- runs-on: ubuntu-22.04
-
- steps:
- - name: 📦 Docker build and push
- id: release
- uses: pagopa/eng-github-actions-iac-template/global/docker-build-push@main #
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
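Review bot: The checkout step pins `ref: ${{ github.ref_name }}`, which on a `push` event checks out the current tip of the branch rather than the commit that triggered the run (`github.sha`); if two pushes to `main` land close together, the first run releases the second commit and its log no longer matches what was shipped. If the release template needs a branch checkout (likely, if it commits version bumps or tags back — confirm), keep it and add a comment saying so; otherwise drop the `ref:` line so the default `github.sha` checkout applies. The two new workflows also pin `pagopa/github-actions-template` to different releases (v1.19.0 in the snapshot workflow, v1.19.1 here); aligning them, or noting why they differ, avoids a silent skew between snapshot and release builds.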
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 646c2246..f17b8c77 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -62,7 +62,7 @@ jobs: echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o critical | wc -l)" >> $GITHUB_ENV echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o high | wc -l)" >> $GITHUB_ENV echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o medium | wc -l)" >> $GITHUB_ENV - + echo -e $SCAN_RESULTS # - name: Send notification to Slack # id: slack
diff --git a/.identity/99_locals.tf b/.identity/99_locals.tf
deleted file mode 100644
index ee465cc1..00000000
--- a/.identity/99_locals.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-locals {
- # Repo
- github = {
- org = "pagopa"
- repository = "arc-be"
- }
-
- repo_secrets = var.env_short == "p" ? {
- SONAR_TOKEN = data.azurerm_key_vault_secret.sonar_token[0].value
- } : {}
-
- map_repo = {
- "dev" : "*",
- "uat" : "uat"
- "prod" : "main"
- }
-}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 96f3d73c..5e9e7f81 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
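Review bot: `echo -e $SCAN_RESULTS` expands the scan output unquoted, so the shell word-splits it and glob-expands any `*` or `?` it contains against the working directory, and `-e` reinterprets backslash sequences found in the text; `printf '%s\n' "$SCAN_RESULTS"` prints it verbatim. The enclosing `run:` step starts outside the hunk, and the three `grep -o ... | wc -l` counters above it expand the variable the same way but are not part of this change.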
@@ -1,25 +1,54 @@
 repos:
+ ## general
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: c4a0b883114b00d8d76b479c820ce7950211c99b # v4.5.0
+ rev: v5.0.0
 hooks:
+ # Common errors
+ - id: end-of-file-fixer
+ exclude_types: [sql]
+ exclude: mypivot4-batch
 - id: trailing-whitespace
- - id: check-added-large-files
+ args: [--markdown-linebreak-ext=md]
+ exclude_types: [sql]
+ exclude: mypivot4-batch
+ - id: check-yaml
+ exclude: mypivot4-batch
+ - id: check-executables-have-shebangs
+ exclude: mypivot4-batch
+ # Cross platform
+ - id: check-case-conflict
+ exclude: mypivot4-batch
+ - id: mixed-line-ending
+ args: [--fix=lf]
+ exclude_types: [sql]
+ exclude: mypivot4-batch
+ # Security
+ - id: detect-aws-credentials
+ args: ['--allow-missing-credentials']
+ exclude: mypivot4-batch
+ - id: detect-private-key
+ ## terraform
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.86.0
+ rev: v1.96.1
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
 args:
- - markdown --sort-by required
+ - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+ - --args=--hide providers
+ # - id: terraform_tfsec
 - id: terraform_validate
 args:
 - --init-args=-lockfile=readonly
 - --args=-json
 - --args=-no-color
-# - id: terraform_providers_lock
-# args:
-# - --args=-platform=windows_amd64
-# - --args=-platform=darwin_amd64
-# - --args=-platform=darwin_arm64
-# - --args=-platform=linux_amd64
-# - --args=-platform=linux_arm64
+ - --args=-compact-warnings
+ # - id: terraform_providers_lock
+ # args:
+ # - --args=-platform=windows_amd64
+ # - --args=-platform=darwin_amd64
+ # - --args=-platform=darwin_arm64
+ # - --args=-platform=linux_amd64
+ # - --args=-platform=linux_arm64
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 00000000..57339cb7
--- /dev/null
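Review bot: `rev: v5.0.0` replaces the commit-SHA pin (`c4a0b883114b00d8d76b479c820ce7950211c99b # v4.5.0`) for `pre-commit/pre-commit-hooks` with a mutable tag, and the terraform hooks stay on a tag (`v1.96.1`); since tags can be moved upstream, the previous SHA-with-tag-comment form — the same form the new workflows use for `uses:` — is the stronger supply-chain pin, e.g. `rev: <commit-sha-of-v5.0.0>  # v5.0.0`. The repeated `exclude: mypivot4-batch` looks copied from another repository's config (this repo is `arc-be` per `99_locals.tf`); if no such path exists here those eight lines are dead and can go. As I recall, `detect-aws-credentials` only matches keys that are configured on the committer's machine, so with `--allow-missing-credentials` its coverage depends on each developer's environment — `detect-private-key` is the hook doing the environment-independent work here.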
+++ b/.releaserc.json
@@ -0,0 +1,19 @@
+{
+ "plugins": [
+ [
+ "@semantic-release/commit-analyzer",
+ {
+ "preset": "angular",
+ "releaseRules": [{ "type": "breaking", "release": "major" }]
+ }
+ ],
+ "@semantic-release/release-notes-generator",
+ [
+ "@semantic-release/github",
+ {
+ "successComment": false,
+ "failComment": false
+ }
+ ]
+ ]
+}
diff --git a/.terraform-version b/.terraform-version
index 6f2d3653..7bc1c404 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-1.9.2
\ No newline at end of file
+1.9.6
diff --git a/CODEOWNERS b/CODEOWNERS
index c66af676..892a7375 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,3 +1,3 @@ # see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file -* @pagopa/arc-admins @Giuseppe-LaManna @oleksiybozhykntt @antonioT90 \ No newline at end of file +* @pagopa/arc-admins @Giuseppe-LaManna @oleksiybozhykntt @antonioT90 @pagopa/payments-cloud-admin
diff --git a/force-release b/force-release
index a788b7b3..122d34e2 100644
--- a/force-release
+++ b/force-release
@@ -1 +1 @@
-1134
+2302
From a2373e651f2bc9a607ae4ec41d0ac27f15531270 Mon Sep 17 00:00:00 2001
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com>
Date: Fri, 25 Oct 2024 17:24:02 +0200
Subject: [PATCH 2/2] feat: [P4PU-637] Try release (#138)
force release
---
force-release | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/force-release b/force-release
index 122d34e2..589edfdc 100644
--- a/force-release
+++ b/force-release
@@ -1 +1 @@
-2302
+1714