Use Organization's .github README.md.gotmpl (#368)

* Fetch org readme template * chore: update repo banner image * fetch template from main * add safe directory for git * add safe directory for git * add safe directory for git * test fix * test fix * test fix * test fix * test fix * test fix * test fix * test fix * use make native * fix lint error * bump checkout * bump checkout and do not ignore .git * Update tool versions, fix Docker build on Apple Silicon (#369) * formatting * remove -# syntax=docker/dockerfile:1.3 * move README_TEMPLATE_YAML dep and check for .git * Update lint for security * Restrict README template to whitelisted orgs * terminology * Do not allow override of remote URL * Fix (spurious) lint complaint * Better error message --------- Co-authored-by: screenshot-action 📷 <[email protected]> Co-authored-by: Nuru <[email protected]>
cloudposse · Jan 30, 2024 · 56cac58 · 56cac58
1 parent f2a5f44
commit 56cac58
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 412 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -13,12 +13,11 @@ jobs:
   lint-readme:
     name: readme
     runs-on: ubuntu-latest
+    container: cloudposse/build-harness:latest
     steps:
-      - uses: actions/checkout@master
-      - uses: docker://cloudposse/build-harness:latest
-        with:
-          entrypoint: /usr/bin/make
-          args: readme/lint
+      - uses: actions/checkout@v4
+      - shell: bash
+        run: /usr/bin/make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true readme/lint
 
   super-linter:
     name: superlinter

diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 .project
 build-harness.iml
 build-harness
+templates/README.md.gotmpl
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
 FROM golang:1.20.13-alpine3.18
+
 LABEL maintainer="Cloud Posse <[email protected]>"
 
 LABEL "com.github.actions.name"="Build Harness"
@@ -81,13 +82,15 @@ RUN update-alternatives --set terraform /usr/share/terraform/$DEFAULT_TERRAFORM_
 
 # Install tflint
 RUN curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+
 COPY <<EOF /root/.tflint.hcl
 plugin "aws" {
     enabled = true
     version = "0.26.0"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 EOF
+
 RUN tflint --init
 
 # Patch for old Makefiles that expect a directory like x.x from the 0.x days.

diff --git a/modules/readme/Makefile b/modules/readme/Makefile
@@ -1,9 +1,58 @@
 export README_LINT ?= $(TMP)/README.md
 export README_FILE ?= README.md
 export README_YAML ?= README.yaml
+
+export README_TEMPLATE_REPO_REMOTE_NAME ?= origin
+export README_TEMPLATE_REPO_REMOTE ?= $(shell [ -d .git ] && git remote get-url $(README_TEMPLATE_REPO_REMOTE_NAME))
+
+# Parse https://github.com/...
+ifneq (,$(findstring https://github.com/,$(README_TEMPLATE_REPO_REMOTE)))
+URL_NO_PROTOCOL := $(subst https://github.com/,,$(README_TEMPLATE_REPO_REMOTE))
+export README_TEMPLATE_REPO_ORG ?= $(firstword $(subst /, ,$(URL_NO_PROTOCOL)))
+endif
+
+# Parse [email protected]:...
+ifneq (,$(findstring [email protected]:,$(README_TEMPLATE_REPO_REMOTE)))
+URL_NO_GIT := $(subst [email protected]:,,$(README_TEMPLATE_REPO_REMOTE))
+export README_TEMPLATE_REPO_ORG ?= $(firstword $(subst /, ,$(URL_NO_GIT)))
+endif
+
+export README_TEMPLATE_REPO ?= .github
+export README_TEMPLATE_REPO_REF ?= main
+export README_TEMPLATE_REPO_PATH ?= README.md.gotmpl
+export README_TEMPLATE_REPO_URL := https://raw.githubusercontent.com/$${README_GITHUB_ORG}/$(README_TEMPLATE_REPO)/$(README_TEMPLATE_REPO_REF)/$(README_TEMPLATE_REPO_PATH)
 export README_TEMPLATE_FILE ?= $(BUILD_HARNESS_PATH)/templates/README.md.gotmpl
-export README_TEMPLATE_YAML := $(if $(findstring http,$(README_YAML)),$(README_YAML),$(BUILD_HARNESS_PATH)/templates/$(README_YAML))
-export README_INCLUDES ?= $(file://$(shell pwd)/?type=text/plain)
+export README_TEMPLATE_YAML := $(BUILD_HARNESS_PATH)/templates/$(README_YAML)
+
+# Only allow allowlisted orgs to supply the README template
+export README_ALLOWLIST_ORGS := \
+	cloudposse \
+	cloudposse-archives \
+	cloudposse-corp \
+	cloudposse-depos \
+	cloudposse-examples \
+	cloudposse-github-actions \
+	cloudposse-sandbox \
+	cloudposse-terraform-components \
+	terraform-aws-components
+
+# Fetch the README.md.gotmpl every time, because we have no way of knowing if it's changed
+.PHONY: $(README_TEMPLATE_FILE)
+
+# Fetch the README.md.gotmpl corresponding to this repo's GitHub Org
+$(README_TEMPLATE_FILE):
+	@for README_GITHUB_ORG in $(README_ALLOWLIST_ORGS); do \
+		if [ "$${README_GITHUB_ORG}" == "$${README_TEMPLATE_REPO_ORG}" ]; then \
+			if curl -o $@ -fsSL "$(README_TEMPLATE_REPO_URL)"; then \
+				exit 0; \
+			else \
+				printf "Failed to fetch README template from %s\n" "$(README_TEMPLATE_REPO_URL)" >&2; \
+				exit 1; \
+			fi; \
+		fi; \
+	done; \
+	printf "Detected GitHub Org '%s' is not in the list of organizations allowed to provide README templates.\n" "$(README_TEMPLATE_REPO_ORG)" >&2; \
+	exit 1
 
 ## Alias for readme/build
 readme: readme/build
@@ -15,10 +64,10 @@ readme/deps: packages/install/gomplate
 ## Create basic minimalistic .README.md template file
 readme/init:
 	@if [ -f $(README_YAML) ]; then \
-	  echo "$(README_YAML) already exists!"; \
+		echo "$(README_YAML) already exists!"; \
 	else \
-	  cp $(README_TEMPLATE_YAML) $(README_YAML) ; \
-	  echo "$(README_YAML) created!"; \
+		cp $(README_TEMPLATE_YAML) $(README_YAML) ; \
+		echo "$(README_YAML) created!"; \
 	fi;
 
 ## Verify the `README.md` is up to date
@@ -28,7 +77,7 @@ readme/lint:
 	@rm -f $(README_LINT)
 
 ## Create README.md by building it from README.yaml
-readme/build: readme/deps $(README_DEPS)
+readme/build: readme/deps $(README_TEMPLATE_FILE) $(README_DEPS)
 	@gomplate --file $(README_TEMPLATE_FILE) --out $(README_FILE) --config $(BUILD_HARNESS_PATH)/configs/gomplate.yaml
 	@echo "Generated $(README_FILE) from $(README_TEMPLATE_FILE) using data from $(README_TEMPLATE_YAML)"