feat: Support for GitHub Apps

[milldr]

what

• Add support for use_local_github_credentials
• Correct spelling of succeed

why

• If we want to entire do away with GitHub PATs, we can require this component to be applied locally. This adds an option to do that.
• With feat: GitHub App Support aws-eks-argocd#16, we corrected spelling of "succeed". This needs to be updated to apply the changes to the application set

references

• feat: GitHub App Support aws-eks-argocd#16

Summary by CodeRabbit

• New Features

  • Introduced new configuration options to bypass pull request reviews and enable local GitHub credentials for easier setup.
  • Improved branch protection settings to integrate these new capabilities.

• Bug Fixes

  • Corrected a spelling error in notification messages for clarity.

• Documentation

  • Enhanced module documentation with updated and additional input variable details.

• Chores

  • Updated version control ignore rules and removed a redundant dependency.

[coderabbitai]

Walkthrough

This pull request introduces several Terraform module configuration improvements. A new pattern is added to .gitignore to ignore any directory or file named account-map. The CHANGELOG.md now documents a correction in notification spelling and references related pull requests. The README.md and variables.tf have new input variables (bypass_pull_request_actors and use_local_github_credentials) along with formatting refinements. Additionally, Terraform configuration files (context.tf, main.tf, provider-github.tf, and versions.tf) have been updated to adjust variable formatting, branch protection rules, and GitHub credentials handling.

Changes

File(s)	Summary of Changes
.gitignore	Added the entry **/account-map to ignore any account-map directories/files.
src/CHANGELOG.md	Added a new section for the argocd-github-repo component with a spelling correction and pull request reference.
src/README.md, src/variables.tf	Introduced new input variables (bypass_pull_request_actors, use_local_github_credentials) and reformatted existing variable descriptions. Spelling corrected in github_notifications.
src/context.tf	Adjusted indentation in the descriptor_formats variable description.
src/main.tf	Added a new attribute pull_request_bypassers to the branch protection resource.
src/provider-github.tf	Updated logic for assigning github_token and conditionally creating the SSM parameter based on use_local_github_credentials.
src/versions.tf	Removed the random provider declaration.

Sequence Diagram(s)

sequenceDiagram
  participant User as User
  participant Module as Terraform Module
  participant BP as github_branch_protection
  Note over User, Module: Set bypass_pull_request_actors variable
  User->>Module: Provide pull request bypass actors
  Module->>BP: Update required_pull_request_reviews (with pull_request_bypassers)
  BP->>GitHub: Apply branch protection rules with bypassers

Loading

sequenceDiagram
  participant User as User
  participant Module as Terraform Module
  participant Provider as provider-github.tf
  participant SSM as aws_ssm_parameter
  User->>Module: Set use_local_github_credentials (true/false)
  Module->>Provider: Check use_local_github_credentials flag
  alt use_local_github_credentials = true
    Provider->>Provider: Set github_token to null
    Provider-->SSM: Skip SSM parameter creation
  else use_local_github_credentials = false
    Provider->>SSM: Retrieve github_api_key value
    Provider->>Provider: Set github_token from SSM or override
  end

Loading

Poem

I hop along in code so bright,
Adjusting rules with all my might,
Branch protection now set with care,
And GitHub tokens handled fair,
With spelling fixed and inputs new,
A rabbit's cheer for changes true!
🐇🥕 Happy coding, through and through!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1c7a1a and 00baa96.

📒 Files selected for processing (1)

• src/main.tf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/main.tf

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Mergify Merge Protections
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Require terratest

Wonderful, this rule succeeded.

This rule require terratest status

• check-success = test/terratest

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/README.md (2)

144-144: Refined Descriptor Formats Documentation
The updated formatting and description for the descriptor_formats input variable improve clarity. There is no functional change here, just enhanced readability.

---

141-151: Minor Wording Style Suggestions
A couple of the variable descriptions could be streamlined per static analysis hints. For example, consider replacing phrases like “whether or not” with “whether” for conciseness, and a careful review of punctuation (e.g., adding a comma before “and” when joining two independent clauses) could further polish the documentation.

🧰 Tools

🪛 LanguageTool

[style] ~141-~141: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ... create_repo | Whether or not to create the repository or use an exis...

(WHETHER)

---

[grammar] ~145-~145: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[style] ~147-~147: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ...D) for.

auto-sync determines whether or not the ArgoCD application will be automati...

(WHETHER)

---

[style] ~147-~147: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ...r/>
ignore-differences determines whether or not the ArgoCD application will ignore the ...

(WHETHER)

---

[uncategorized] ~148-~148: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...se. It is optional to provide this value and it can also be sourced from the `GITHUB...

(COMMA_COMPOUND_SENTENCE)

---

[style] ~148-~148: Reusing ‘It’ could be redundant. Try omitting the pronoun.
Context: ...t is optional to provide this value and it can also be sourced from the `GITHUB_BASE_U...

(SUBJECT_DROP)

---

[grammar] ~151-~151: It seems that a pronoun is missing.
Context: ... defined in the eks/argocd component. If want to add additional notifications, i...

(IF_VB)

🪛 markdownlint-cli2 (0.17.2)

147-147: Bare URL used
null

(MD034, no-bare-urls)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9100bfa and d1c7a1a.

📒 Files selected for processing (8)

• .gitignore (1 hunks)
• src/CHANGELOG.md (1 hunks)
• src/README.md (2 hunks)
• src/context.tf (1 hunks)
• src/main.tf (1 hunks)
• src/provider-github.tf (1 hunks)
• src/variables.tf (2 hunks)
• src/versions.tf (0 hunks)

💤 Files with no reviewable changes (1)

• src/versions.tf

🧰 Additional context used

🪛 LanguageTool

src/README.md

[style] ~141-~141: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ... create_repo | Whether or not to create the repository or use an exis...

(WHETHER)

---

[grammar] ~145-~145: Did you mean “too false to”?
Context: ..."> enabled | Set to false to prevent the module from creating any re...

(TOO_ADJECTIVE_TO)

---

[style] ~147-~147: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ...D) for.

auto-sync determines whether or not the ArgoCD application will be automati...

(WHETHER)

---

[style] ~147-~147: Consider shortening this phrase to just ‘whether’, unless you mean ‘regardless of whether’.
Context: ...r/>
ignore-differences determines whether or not the ArgoCD application will ignore the ...

(WHETHER)

---

[uncategorized] ~148-~148: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...se. It is optional to provide this value and it can also be sourced from the `GITHUB...

(COMMA_COMPOUND_SENTENCE)

---

[style] ~148-~148: Reusing ‘It’ could be redundant. Try omitting the pronoun.
Context: ...t is optional to provide this value and it can also be sourced from the `GITHUB_BASE_U...

(SUBJECT_DROP)

---

[grammar] ~151-~151: It seems that a pronoun is missing.
Context: ... defined in the eks/argocd component. If want to add additional notifications, i...

(IF_VB)

🪛 markdownlint-cli2 (0.17.2)

src/README.md

147-147: Bare URL used
null

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Mergify Merge Protections
• GitHub Check: Mergify Merge Protections
• GitHub Check: Summary

🔇 Additional comments (11)

.gitignore (1)

78-78: Added ignore pattern for account-map.

The addition of **/account-map ensures that any directories or files named "account-map" are ignored by Git, which helps prevent unintentional versioning of local configuration files.

src/context.tf (1)

267-268: Improved formatting for descriptor_formats block.

Adjusting the indentation for the format and labels keys improves readability without affecting functionality.

src/main.tf (1)

88-88: Enhanced branch protection with bypass capability.

The new attribute pull_request_bypassers = var.bypass_pull_request_actors in the required_pull_request_reviews block adds flexibility by allowing designated users or teams to bypass pull request reviews. Please verify that the GitHub provider supports this attribute.

src/CHANGELOG.md (1)

1-6: Updated changelog with GitHub Apps support and spelling correction.

The new section documents the PR for the argocd-github-repo component and corrects the spelling from "succeded" to "succeeded" in the notification. This provides clear context and references the related pull requests.

src/variables.tf (3)

183-184: Corrected spelling in GitHub notification annotations.

The change fixes the typo in the github_notifications variable, updating "on-deploy-succeded" to "on-deploy-succeeded" for both the app-repo and argocd-repo notifications.

---

200-204: Added variable for bypass pull request actors.

The new variable bypass_pull_request_actors (a list of strings) allows users to specify GitHub usernames and team slugs that can bypass pull request requirements, enhancing branch protection rules.

---

205-209: Introduced use_local_github_credentials variable.

This boolean variable enables the use of local GitHub credentials from environment variables instead of pulling them from SSM, which supports flexibility in environments where local credential management is preferred.

src/provider-github.tf (2)

2-4: Clear GitHub Token Assignment Logic
The updated logic correctly distinguishes between using local credentials and fetching the token via SSM. When var.use_local_github_credentials is true, the github_token is set to null (which should disable remote token usage), otherwise it falls back to using either the override or the SSM value. Please ensure that downstream consumers of local.github_token correctly handle a null value.

---

8-8: Appropriate SSM Parameter Creation
The conditional for the count attribute now correctly prevents creating the SSM parameter when local credentials are in use (i.e. when var.use_local_github_credentials is true). This change aligns well with the new feature design.

src/README.md (2)

139-139: Documenting Bypass Actors
The addition of the bypass_pull_request_actors variable is clear and valuable for allowing specific GitHub users or teams to bypass pull request requirements. Its documentation and default value ([]) appear appropriate.

---

177-177: Introducing Local GitHub Credentials
The new input variable use_local_github_credentials is clearly documented as a boolean option to opt for local GitHub credentials instead of using SSM. This addition nicely complements the changes in provider-github.tf. Ensure that users are aware of the implications (e.g., that providing a null token and skipping SSM may affect authentication in certain environments).

[goruha]

/terratest

[github-actions]

These changes were released in v2.0.0.