Skip to content

Commit 0ef316d

Browse files
authored
Merge branch 'master' into fix/major-tag
2 parents ace517a + f6ef7e5 commit 0ef316d

13 files changed

Lines changed: 319 additions & 6 deletions

.github/workflows/cf-deploy.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,9 @@ on:
7474
GITHUB:
7575
required: false
7676
description: 'GitHub token'
77+
NAORU_API_KEY:
78+
required: false
79+
description: 'API key for naoru AI failure diagnosis (OpenRouter provider by default).'
7780

7881
jobs:
7982
deploy-cf-stack:
@@ -115,4 +118,24 @@ jobs:
115118
no-fail-on-empty-changeset: "1"
116119
parameter-overrides: ${{ inputs.parameter-overrides }}
117120
capabilities: ${{ inputs.capabilities }}
121+
122+
naoru:
123+
name: 🩺 Diagnose failure (naoru)
124+
needs: [deploy-cf-stack]
125+
if: ${{ failure() }}
126+
runs-on: ubuntu-latest
127+
permissions:
128+
contents: read
129+
actions: read
130+
pull-requests: write
131+
steps:
132+
- name: 🩺 Diagnose with naoru
133+
env:
134+
NAORU_KEY: ${{ secrets.NAORU_API_KEY }}
135+
if: ${{ env.NAORU_KEY != '' }}
136+
uses: clouddrove/naoru@v0
137+
with:
138+
api-key: ${{ secrets.NAORU_API_KEY }}
139+
provider: openrouter
140+
model: openai/gpt-4o
118141
...

.github/workflows/ci.yml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -371,3 +371,23 @@ jobs:
371371
echo "- Total Documentation Files: $doc_count" >> $GITHUB_STEP_SUMMARY
372372
echo "" >> $GITHUB_STEP_SUMMARY
373373
echo "✅ All checks completed!"
374+
375+
naoru:
376+
name: 🩺 Diagnose failure (naoru)
377+
needs: [validate-yaml, lint-yaml, validate-workflows, security-scan, validate-docs, validate-naming, actionlint, generate-docs, check-deprecated, validate-permissions]
378+
if: ${{ failure() }}
379+
runs-on: ubuntu-latest
380+
permissions:
381+
contents: read
382+
actions: read
383+
pull-requests: write
384+
steps:
385+
- name: 🩺 Diagnose with naoru
386+
env:
387+
NAORU_KEY: ${{ secrets.NAORU_API_KEY }}
388+
if: ${{ env.NAORU_KEY != '' }}
389+
uses: clouddrove/naoru@v0
390+
with:
391+
api-key: ${{ secrets.NAORU_API_KEY }}
392+
provider: openrouter
393+
model: openai/gpt-4o

.github/workflows/docker-build-push.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,9 @@ on:
4848
DOCKERHUB_PASSWORD:
4949
description: 'dockerhub password'
5050
required: false
51+
NAORU_API_KEY:
52+
required: false
53+
description: 'API key for naoru AI failure diagnosis (OpenRouter provider by default).'
5154

5255
jobs:
5356
build-image:
@@ -127,4 +130,24 @@ jobs:
127130
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
128131
docker build -t $images:$IMAGE_TAG $BUILD_PATH
129132
docker push $images:$IMAGE_TAG
133+
134+
naoru:
135+
name: 🩺 Diagnose failure (naoru)
136+
needs: [build-image]
137+
if: ${{ failure() }}
138+
runs-on: ubuntu-latest
139+
permissions:
140+
contents: read
141+
actions: read
142+
pull-requests: write
143+
steps:
144+
- name: 🩺 Diagnose with naoru
145+
env:
146+
NAORU_KEY: ${{ secrets.NAORU_API_KEY }}
147+
if: ${{ env.NAORU_KEY != '' }}
148+
uses: clouddrove/naoru@v0
149+
with:
150+
api-key: ${{ secrets.NAORU_API_KEY }}
151+
provider: openrouter
152+
model: openai/gpt-4o
130153
...

.github/workflows/docker-scanner.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ jobs:
3535
uses: docker/setup-qemu-action@v4
3636

3737
- name: 🛠️ Set up Docker Buildx
38-
uses: docker/setup-buildx-action@v4.0.0
38+
uses: docker/setup-buildx-action@v4.1.0
3939

4040
- name: 🏗️ Build and export to Docker
4141
id: build-id

.github/workflows/docker-scout.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,7 @@ jobs:
5353
uses: actions/checkout@v6
5454

5555
- name: ⚙️ Setup Docker buildx
56-
uses: docker/setup-buildx-action@v4.0.0
56+
uses: docker/setup-buildx-action@v4.1.0
5757
with:
5858
driver-opts: |
5959
image=moby/buildkit:v0.10.6

.github/workflows/helm-deploy.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,9 @@ on:
108108
set-parameters:
109109
required: false
110110
description: 'Overriding the default values using --set flag'
111+
NAORU_API_KEY:
112+
required: false
113+
description: 'API key for naoru AI failure diagnosis (OpenRouter provider by default).'
111114
jobs:
112115
helm-action:
113116
runs-on: ubuntu-latest
@@ -223,4 +226,24 @@ jobs:
223226
if: ${{ inputs.uninstall == true }}
224227
run: |
225228
helm uninstall ${{ inputs.release-name }} -n ${{ inputs.namespace }}
229+
230+
naoru:
231+
name: 🩺 Diagnose failure (naoru)
232+
needs: [helm-action]
233+
if: ${{ failure() }}
234+
runs-on: ubuntu-latest
235+
permissions:
236+
contents: read
237+
actions: read
238+
pull-requests: write
239+
steps:
240+
- name: 🩺 Diagnose with naoru
241+
env:
242+
NAORU_KEY: ${{ secrets.NAORU_API_KEY }}
243+
if: ${{ env.NAORU_KEY != '' }}
244+
uses: clouddrove/naoru@v0
245+
with:
246+
api-key: ${{ secrets.NAORU_API_KEY }}
247+
provider: openrouter
248+
model: openai/gpt-4o
226249
...

.github/workflows/pr-auto-merge.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ jobs:
3737
shell: bash
3838

3939
- name: Wait for "${{ matrix.tf-checks }}" to Succeed
40-
uses: lewagon/wait-on-check-action@v1.6.0
40+
uses: lewagon/wait-on-check-action@v1.8.0
4141
with:
4242
ref: ${{ github.event.pull_request.head.sha }}
4343
check-name: ${{ matrix.tf-checks }}
@@ -65,7 +65,7 @@ jobs:
6565
shell: bash
6666

6767
- name: Wait for "${{ matrix.tf-checks }}" to Succeed
68-
uses: lewagon/wait-on-check-action@v1.6.0
68+
uses: lewagon/wait-on-check-action@v1.8.0
6969
with:
7070
ref: ${{ github.event.pull_request.head.sha }}
7171
check-name: ${{ matrix.tf-checks }}

.github/workflows/pr-claude-review.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ jobs:
3535
with:
3636
fetch-depth: 1
3737
- name: Automatic PR Review
38-
uses: anthropics/claude-code-action@v1.0.123
38+
uses: anthropics/claude-code-action@v1.0.148
3939
with:
4040
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
4141
prompt: |

.github/workflows/pr-gitleaks-scan.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
ref: ${{ inputs.checkout_ref != '' && inputs.checkout_ref || github.ref }}
2525

2626
- name: 🔐 Run gitleaks on PR changes
27-
uses: gitleaks/gitleaks-action@v2
27+
uses: gitleaks/gitleaks-action@v3
2828
env:
2929
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
3030
...
Lines changed: 146 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,146 @@
1+
---
2+
name: 🔄 Terraform Registry Webhook Sync
3+
4+
# Audits the Terraform Registry webhook on every matching repo in one or more
5+
# orgs and ensures it fires on tag/branch creation+deletion (not just push),
6+
# so new module tags auto-sync to registry.terraform.io without a manual resync.
7+
#
8+
# Root cause this fixes: the registry installs a webhook subscribed to "push"
9+
# only. Tag ingestion keys off the "create" event, so new tags never reach the
10+
# registry and require a manual "Resync Module" click. Adding create+delete to
11+
# the hook makes sync automatic and self-healing for newly published repos.
12+
13+
on:
14+
workflow_call:
15+
inputs:
16+
orgs:
17+
description: 'Comma-separated GitHub orgs to audit. e.g. "clouddrove,org2,org3"'
18+
required: true
19+
type: string
20+
repo_filter:
21+
description: 'Only repos whose name matches this regex are touched.'
22+
required: false
23+
type: string
24+
default: '^terraform-'
25+
required_events:
26+
description: 'Comma-separated webhook events the registry hook must have.'
27+
required: false
28+
type: string
29+
default: 'push,create,delete'
30+
dry_run:
31+
description: 'When true, report drift only; do not modify any webhook.'
32+
required: false
33+
type: boolean
34+
default: false
35+
secrets:
36+
GH_ADMIN_TOKEN:
37+
description: 'PAT with admin:repo_hook + repo (read) scope across the orgs.'
38+
required: true
39+
40+
workflow_dispatch:
41+
inputs:
42+
orgs:
43+
description: 'Comma-separated GitHub orgs to audit.'
44+
required: true
45+
type: string
46+
repo_filter:
47+
description: 'Repo name regex filter.'
48+
required: false
49+
type: string
50+
default: '^terraform-'
51+
required_events:
52+
description: 'Webhook events the registry hook must have.'
53+
required: false
54+
type: string
55+
default: 'push,create,delete'
56+
dry_run:
57+
description: 'Report drift only; do not modify.'
58+
required: false
59+
type: boolean
60+
default: false
61+
62+
permissions:
63+
contents: read
64+
65+
jobs:
66+
sync-webhooks:
67+
name: 🔍 Audit & fix registry webhooks
68+
runs-on: ubuntu-latest
69+
env:
70+
GH_TOKEN: ${{ secrets.GH_ADMIN_TOKEN || github.token }}
71+
ORGS: ${{ inputs.orgs }}
72+
REPO_FILTER: ${{ inputs.repo_filter }}
73+
REQUIRED_EVENTS: ${{ inputs.required_events }}
74+
DRY_RUN: ${{ inputs.dry_run }}
75+
steps:
76+
- name: 🔄 Reconcile webhooks
77+
shell: bash
78+
run: |
79+
set -euo pipefail
80+
81+
# jq array of events the registry hook must contain.
82+
mapfile -t WANT < <(echo "$REQUIRED_EVENTS" | tr ',' '\n' | sed 's/ //g' | grep -v '^$')
83+
WANT_JSON=$(printf '%s\n' "${WANT[@]}" | jq -R . | jq -sc .)
84+
echo "Required events: $WANT_JSON | dry_run=$DRY_RUN"
85+
86+
changed=0; ok=0; missing=0; total=0
87+
summary=""
88+
89+
IFS=',' read -ra ORG_LIST <<< "$ORGS"
90+
for org in "${ORG_LIST[@]}"; do
91+
org=$(echo "$org" | xargs) # trim
92+
[ -z "$org" ] && continue
93+
echo "::group::Org $org"
94+
95+
# All repos in the org matching the filter (paginated).
96+
repos=$(gh api "orgs/$org/repos" --paginate \
97+
--jq ".[] | select(.name|test(\"$REPO_FILTER\")) | .name")
98+
99+
for repo in $repos; do
100+
total=$((total+1))
101+
# Find the registry's webhook on this repo, if any.
102+
hook=$(gh api "repos/$org/$repo/hooks" \
103+
--jq '.[] | select(.config.url // "" | test("registry.terraform.io")) | {id, events}' \
104+
2>/dev/null | jq -sc '.[0] // empty') || hook=""
105+
106+
if [ -z "$hook" ]; then
107+
missing=$((missing+1))
108+
summary+="⚠️ $org/$repo: no registry webhook (publish module on registry first)\n"
109+
continue
110+
fi
111+
112+
id=$(echo "$hook" | jq -r '.id')
113+
have=$(echo "$hook" | jq -c '.events')
114+
# Drift = any required event not already present.
115+
drift=$(jq -nc --argjson have "$have" --argjson want "$WANT_JSON" \
116+
'$want - $have')
117+
118+
if [ "$drift" = "[]" ]; then
119+
ok=$((ok+1))
120+
continue
121+
fi
122+
123+
if [ "$DRY_RUN" = "true" ]; then
124+
summary+="🔸 $org/$repo: hook $id missing $drift (would set $WANT_JSON)\n"
125+
changed=$((changed+1))
126+
continue
127+
fi
128+
129+
# PATCH: set the hook's events to the full required set.
130+
args=(); for e in "${WANT[@]}"; do args+=(-f "events[]=$e"); done
131+
gh api -X PATCH "repos/$org/$repo/hooks/$id" "${args[@]}" >/dev/null
132+
summary+="✅ $org/$repo: hook $id updated -> $WANT_JSON (was missing $drift)\n"
133+
changed=$((changed+1))
134+
done
135+
echo "::endgroup::"
136+
done
137+
138+
echo "## Registry webhook sync" >> "$GITHUB_STEP_SUMMARY"
139+
echo "" >> "$GITHUB_STEP_SUMMARY"
140+
echo "- Repos scanned: $total" >> "$GITHUB_STEP_SUMMARY"
141+
echo "- Already correct: $ok" >> "$GITHUB_STEP_SUMMARY"
142+
echo "- Changed${DRY_RUN:+ (dry-run)}: $changed" >> "$GITHUB_STEP_SUMMARY"
143+
echo "- No registry hook: $missing" >> "$GITHUB_STEP_SUMMARY"
144+
echo "" >> "$GITHUB_STEP_SUMMARY"
145+
echo -e "$summary" >> "$GITHUB_STEP_SUMMARY"
146+
echo -e "$summary"

0 commit comments

Comments
 (0)