plus3it · lorengordon · May 13, 2025 · May 9, 2025 · May 12, 2025 · May 12, 2025
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.26.2
+current_version = 0.27.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,14 +16,14 @@ updates:
       interval: weekly
     open-pull-requests-limit: 10
   - package-ecosystem: docker
-    directory: "/.github/dependencies/python38"
+    directory: "/.github/dependencies/python312"
     schedule:
       interval: weekly
     ignore:
       # See <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore>
       - dependency-name: python
         update-types:
-          # Ignore major/minor to pin python 3.8.x
+          # Ignore major/minor to pin python 3.12.x
           - "version-update:semver-major"
           - "version-update:semver-minor"
     open-pull-requests-limit: 10

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,85 @@
+name: Build, test, and publish container image
+
+on:
+  # Run pull requests against the default branch
+  pull_request:
+    branches: [master]
+
+  # Run on push to default branch
+  push:
+    branches: [master]
+
+  # Run when a release is created
+  release:
+    types: [released]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone this git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Docker meta
+        if: github.event_name != 'pull_request'
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            plus3it/tardigrade-ci
+            ghcr.io/plus3it/tardigrade-ci
+          flavor: |
+            latest=false
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            # set latest tag for default branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            # set version tags for releases
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Build and export
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
+        with:
+          context: .
+          load: true
+          tags: plus3it/tardigrade-ci:test
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Run bats tests
+        if: github.event_name == 'pull_request'
+        run: docker run --rm -e "GITHUB_ACCESS_TOKEN=${{ secrets.GITHUB_TOKEN }}" plus3it/tardigrade-ci:test bats/test
+
+      - name: Push to registries
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            "GITHUB_ACCESS_TOKEN=${{ secrets.GH_READONLY_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,22 @@
+name: Run lint and static analyis checks
+on:
+  pull_request:
+
+concurrency:
+  group: lint-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Clone this git repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Install lint dependencies
+        run: make lint/install
+
+      - name: Run lint checks
+        run: make -o docs/lint lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,19 @@
+name: Create GitHub Release
+
+on:
+  # Run on demand
+  workflow_dispatch:
+
+  # Run on push to default branch when .bumpversion.cfg version is updated
+  push:
+    branches:
+      - main
+      - master
+    paths:
+      - .bumpversion.cfg
+
+jobs:
+  release:
+    uses: plus3it/actions-workflows/.github/workflows/release.yml@00bdf2c02c2bb252dc7ba7f74816ac8359aa6693
+    secrets:
+      release-token: ${{ secrets.GH_RELEASES_TOKEN }}
diff --git a/.travis.yml b/.travis.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,24 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [0.27.0](https://github.com/plus3it/tardigrade-ci/releases/tag/0.27.0)
+
+**Released**: 2025.05.14
+
+**Summary**:
+
+* Uses github actions instead of travis-ci
+* Publishes container image to both dockerhub and ghcr.io
+* Uses docker secret instead of build-arg to set GITHUB_ACCESS_TOKEN
+
+* Updates tool versions:
+    * cfn-lint 1.35.1
+    * editorconfig-checker 3.3.0
+    * golang 1.24.3
+    * localstack 4.4.0
+    * terragrunt 0.78.2
+    * yq 4.45.4
+
 ### [0.26.2](https://github.com/plus3it/tardigrade-ci/releases/tag/0.26.2)
 
 **Released**: 2025.05.05

diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,8 @@
-FROM golang:1.24.3-bookworm as golang
+FROM golang:1.24.3-bookworm AS golang
 
 FROM python:3.13.3-bookworm
 
 ARG PROJECT_NAME=tardigrade-ci
-ARG GITHUB_ACCESS_TOKEN
 
 ENV USER=${PROJECT_NAME}
 ENV USER_UID=1000
@@ -43,7 +42,8 @@ COPY --chown=${USER}:${USER} --from=golang /go/ /go/
 COPY --chown=${USER}:${USER} . /${PROJECT_NAME}
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 
-RUN make -C /${PROJECT_NAME} fixuid/install \
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+    make -C /${PROJECT_NAME} fixuid/install \
     && cp /root/bin/fixuid /usr/local/bin/fixuid \
     && chown root:root /usr/local/bin/fixuid \
     && chmod 4755 /usr/local/bin/fixuid\
@@ -58,10 +58,12 @@ ENV PYENV_ROOT=${HOME}/.pyenv
 ENV PATH="$PYENV_ROOT/shims:$PYENV_ROOT/bin:${HOME}/.local/bin:${HOME}/bin:/go/bin:/usr/local/go/bin:${PATH}"
 ENV GOPATH=/go
 
-RUN make -C /${PROJECT_NAME} install
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+    make -C /${PROJECT_NAME} install
 
 # Install python versions
-RUN make -C /${PROJECT_NAME} python312/install
+RUN --mount=type=secret,id=GITHUB_ACCESS_TOKEN,env=GITHUB_ACCESS_TOKEN \
+    make -C /${PROJECT_NAME} python312/install
 RUN pyenv global system $(pyenv versions | grep 3.12)
 RUN python --version \
     && python3 --version \