chore: add semantic release, tflint, trivy

Author: necipallef

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+# Users referenced in this file will automatically be requested as reviewers for PRs that modify the given paths.
+# See https://help.github.com/articles/about-code-owners/
+
+* @necipallef

.github/workflows/analyze-commits.yml

@@ -0,0 +1,11 @@
+name: Analyze Commit Messages
+on:
+  pull_request:
+
+permissions:
+  pull-requests: write
+  contents: write
+jobs:
+  analyze-commits:
+    name: Generate docs and coverage report
+    uses: fingerprintjs/dx-team-toolkit/.github/workflows/analyze-commits.yml@v1

.github/workflows/coverage-diff.yml

@@ -0,0 +1,14 @@
+name: Check coverage for PR
+
+on:
+  pull_request:
+
+jobs:
+  run-tests-check-coverage:
+    name: Run tests & check coverage
+    permissions:
+      checks: write
+      pull-requests: write
+    uses: fingerprintjs/dx-team-toolkit/.github/workflows/coverage-diff.yml@v1
+    with:
+      nodeVersion: 20

.github/workflows/coverage-report.yml

@@ -0,0 +1,15 @@
+name: Coverage
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  generate-docs-and-coverage:
+    name: Generate docs and coverage report
+    uses: fingerprintjs/dx-team-toolkit/.github/workflows/docs-and-coverage.yml@v1
+    with:
+      skip-docs-step: true
+      prepare-gh-pages-commands: |
+        mv coverage/lcov-report/* ./gh-pages/

.github/workflows/coverage.yml

@@ -0,0 +1,18 @@
+name: Generate docs and coverage report
+
+on:
+  push:
+    branches:
+      - main
+
+
+jobs:
+  generate-docs-and-coverage:
+    name: Generate docs and coverage report
+    uses: fingerprintjs/dx-team-toolkit/.github/workflows/docs-and-coverage.yml@v1
+    with:
+      skip-docs-step: true
+      node-version: 20
+      prepare-gh-pages-commands: |
+        mv coverage/lcov-report ./gh-pages/coverage
+        

.github/workflows/release.yml

@@ -0,0 +1,16 @@
+name: release
+on:
+  push:
+    branches:
+      - main
+      - rc
+
+jobs:
+  build-and-release:
+    name: 'Build project, run CI checks and publish new release'
+    uses: fingerprintjs/dx-team-toolkit/.github/workflows/release-typescript-project.yml@v1
+    with:
+      nodeVersion: 20
+      appId: ${{ vars.APP_ID }}
+    secrets:
+      APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}

.github/workflows/tflint.yml

@@ -0,0 +1,33 @@
+name: TFlint
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - rc
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.50.3
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        run: tflint -f compact

.github/workflows/trivy.yml

@@ -0,0 +1,23 @@
+name: Run Trivy
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - rc
+
+jobs:
+  build:
+    name: Scan
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in config mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'config'
+          exit-code: '1'
+          trivy-config: trivy.yaml

.husky/commit-msg

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx lint-staged

.husky/pre-push

@@ -0,0 +1,15 @@
+#!/bin/bash
+. "$(dirname "$0")/_/husky.sh"
+
+containsref() { if [[ $2 =~ $1 ]]; then echo 1; else echo 0; fi }
+
+push_command=$(ps -ocommand= -p $PPID | cut -d' ' -f 4)
+protected_branch='main'
+current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')
+is_push_to_main_origin=$(containsref '[email protected]:/?fingerprintjs/' "$push_command")
+
+# Block pushes only to protected branch in main repository
+if [ $is_push_to_main_origin = 1 ] && [ "$protected_branch" = "$current_branch" ]; then
+  echo "You are on the $protected_branch branch, push blocked."
+  exit 1 # push will not execute
+fi

.releaserc

@@ -0,0 +1,56 @@
+{
+  "branches": [
+    "main",
+    {
+      "name": "rc",
+      "prerelease": true
+    }
+  ],
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "config": "@fingerprintjs/conventional-changelog-dx-team",
+        "releaseRules": "@fingerprintjs/conventional-changelog-dx-team/release-rules"
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "config": "@fingerprintjs/conventional-changelog-dx-team"
+      }
+    ],
+    "@semantic-release/changelog",
+    [
+      "@semantic-release/npm",
+      {
+        "npmPublish": false
+      }
+    ],
+    [
+      "@semantic-release/exec",
+      {
+        "prepareCmd": "./scripts/preparePackage.sh"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "message": "chore(release): ${nextRelease.version}\n\n${nextRelease.notes}",
+        "assets": [
+          "CHANGELOG.md"
+        ]
+      }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "assets": [
+          {
+            "path": "package.zip"
+          }
+        ]
+      }
+    ]
+  ]
+}

.trivyignore

@@ -0,0 +1,37 @@
+# Contributing to Fingerprint Pro Cloudfront Integration Terraform Module
+
+## Working with code
+
+
+For proposing changes, use the standard [pull request approach](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request). It's recommended to discuss fixes or new functionality in the Issues, first.
+
+* The `main` and `rc` branches are locked for the push action.
+* Releases are created from the `main` branch. If you have CloudFront Integration set up, it is running code from the `main` branch. Pull requests into the `main` branch are not accepted.
+* The `rc` branch functions as a candidate for the next release. Create your pull requests into this branch. The code in `rc` must always pass the tests.
+
+### Code style
+
+Consistent code formatting is enforced by [TFLint](https://github.com/terraform-linters/tflint) and [Prettier](https://prettier.io/).
+
+### Security scans
+
+We are using [Trivy](https://aquasecurity.github.io/trivy/v0.47/tutorials/misconfiguration/terraform/) to do security scans for us.
+
+### Commit style
+
+You are required to follow [conventional commits](https://www.conventionalcommits.org) rules.
+
+### How to test
+
+We manually test the implementation. End-to-end will be provided in the future.
+
+### How to release a new version
+
+Every PR should target `rc` branch first. Upon merge, if there are relevant changes a new release candidate is created.
+When that happens, an automated PR is created to `main` branch, and E2E tests run against it. If the tests pass, the PR can be merged and the release is created.
+
+The integration is automatically released on every push to the main branch if there are relevant changes. The workflow must be approved by one of the maintainers, first.
+
+### How to keep your integration up-to-date
+
+This Terraform module is in sync with Lambda function S3 bucket. Running `terraform apply` will deploy the latest version. 

CONTRIBUTING.md

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+zip package.zip main.tf outputs.tf variables.tf

scripts/preparePackage.sh

@@ -0,0 +1,14 @@
+timeout: 10m
+format: table
+dependency-tree: true
+list-all-pkgs: true
+exit-code: 1
+severity:
+  - HIGH
+  - CRITICAL
+scan:
+
+config:
+  misconfig-scanners: Terraform
+
+ignorefile: .trivyignore