declapract-typescript-ehmpathy 0.43.19 → 0.44.1

package/dist/practices/cicd-app-react-native-expo/best-practice/.github/workflows/.deploy-expo.yml

@@ -15,19 +15,14 @@ on:
         type: string
         description: "the github environment that the apply step will be executed in"
         required: true
-      aws-region:
+      creds-aws-region:
         type: string
-        description: the aws region within which we should access
+        description: creds for aws, specifies the region
         required: true
-      aws-account-id:
+      creds-aws-role-arn:
         type: string
-        description: the id of the account the credentials are expected to access
+        description: creds for aws, specifies the role to assume via oidc
         required: true
-      needs-vpn-for-acceptance:
-        type: boolean
-        description: whether or not this environment needs vpn access for acceptance tests
-        required: false
-        default: false
       app-web-deployment-s3-bucket:
         type: string
         description: the s3 bucket within which the web app is deployed
@@ -37,15 +32,10 @@ on:
       expo-token:
         required: true
         description: required credentials to authenticate with expo eas
-      aws-access-key-id:
-        required: true
-        description: required credentials to authenticate with aws provider and state persistance
-      aws-secret-access-key:
-        required: true
-        description: required credentials to authenticate with aws provider and state persistance
-      open-vpn-config:
-        required: false
-        description: complete openvpn config required to enter the vpn, if needed
+
+permissions:
+  id-token: write # required for oidc
+  contents: read
 
 jobs:
   deploy-os:
@@ -66,19 +56,11 @@ jobs:
         with:
           node-version-file: ".nvmrc"
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: configure aws credentials (oidc)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: node-modules cache get
         uses: actions/cache/restore@v4
@@ -116,19 +98,11 @@ jobs:
         with:
           node-version-file: ".nvmrc"
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: configure aws credentials (oidc)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: node-modules cache get
         uses: actions/cache/restore@v4

package/dist/practices/cicd-app-react-native-expo/best-practice/.github/workflows/deploy.yml

@@ -35,11 +35,8 @@ jobs:
     uses: ./.github/workflows/.test.yml
     if: github.event_name != 'workflow_dispatch' || github.event.inputs.thoroughly == 'true'
     with:
-      aws-region: us-east-1
-      aws-account-id: '@declapract{variable.awsAccountId.dev}'
-    secrets:
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: arn:aws:iam::@declapract{variable.awsAccountId.dev}:role/@declapract{variable.projectName}-github-actions-dev
 
   dev:
     uses: ./.github/workflows/.deploy-expo.yml
@@ -52,12 +49,10 @@ jobs:
       stage: dev
       build: development
       github-environment: dev
-      aws-region: us-east-1
-      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: arn:aws:iam::@declapract{variable.awsAccountId.dev}:role/@declapract{variable.projectName}-github-actions-dev
     secrets:
       expo-token: ${{ secrets.EXPO_TOKEN }}
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
 
   prod:
     uses: ./.github/workflows/.deploy-expo.yml
@@ -69,10 +64,8 @@ jobs:
       stage: prod
       build: production
       github-environment: prod
-      aws-region: us-east-1
-      aws-account-id: '@declapract{variable.awsAccountId.prod}'
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: arn:aws:iam::@declapract{variable.awsAccountId.prod}:role/@declapract{variable.projectName}-github-actions-prod
       app-web-deployment-s3-bucket: s3://@declapract{variable.projectName}-@declapract{variable.infrastructureNamespaceId}-prod
     secrets:
       expo-token: ${{ secrets.EXPO_TOKEN }}
-      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}

package/dist/practices/cicd-common/best-practice/.github/workflows/.declastruct.yml

@@ -13,10 +13,18 @@ on:
         type: boolean
         description: "whether the apply step is enabled. defaults to true on main"
         default: ${{ github.ref == 'refs/heads/main' }}
+      creds-github-app-owner:
+        type: string
+        required: false
+        description: "the owner of the github app to generate a token for"
+      creds-github-app-id:
+        type: string
+        required: false
+        description: "the id of the github app to generate a token for"
     secrets:
-      github-token:
+      creds-github-app-private-key:
         required: false
-        description: optional credentials to support authenticating with github provider
+        description: the private key of the github app to generate a token for
 
 jobs:
   # install the dependencies
@@ -43,13 +51,23 @@ jobs:
           path: ./node_modules
           key: ${{ needs.install.outputs.node-modules-cache-key }}
 
+      - name: get github auth, if creds supplied
+        if: ${{ inputs.creds-github-app-id }}
+        id: github-app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          owner: ${{ inputs.creds-github-app-owner }}
+          repositories: ${{ github.event.repository.name }}
+          app-id: ${{ inputs.creds-github-app-id }}
+          private-key: ${{ secrets.creds-github-app-private-key }}
+
       - name: declastruct plan
         id: plan
         run: |
           set -o pipefail
           npx declastruct plan --wish ${{ inputs.wish-path }} --into ${{ inputs.wish-path }}.plan.json | tee ./plan.log
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
 
       - name: evaluate plan
         id: evaluate-plan
@@ -105,9 +123,19 @@ jobs:
           name: declastruct-plan
           path: ${{ steps.extract-dir.outputs.wish-dir }}
 
+      - name: get github auth, if creds supplied
+        if: ${{ inputs.creds-github-app-id }}
+        id: github-app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          owner: ${{ inputs.creds-github-app-owner }}
+          repositories: ${{ github.event.repository.name }}
+          app-id: ${{ inputs.creds-github-app-id }}
+          private-key: ${{ secrets.creds-github-app-private-key }}
+
       - name: declastruct apply
         run: |
           set -o pipefail
           npx declastruct apply --plan ${{ inputs.wish-path }}.plan.json | tee ./apply.log
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}

package/dist/practices/cicd-common/best-practice/.github/workflows/.test.yml

@@ -3,20 +3,19 @@ name: .test
 on:
   workflow_call:
     inputs:
-      aws-region:
-        type: string
-        description: the aws region within which we should run the tests
-        required: false
-    secrets:
-      aws-account-id:
-        description: the id of the account the credentials are expected to access
+      creds-aws-role-arn:
+        description: "creds for aws, specifies the role to assume via oidc. if not provided, aws auth is skipped"
         required: false
-      aws-access-key-id:
-        required: false
-        description: required credentials to authenticate with aws the aws account against which to run the tests
-      aws-secret-access-key:
+        type: string
+      creds-aws-region:
+        description: "creds for aws, specifies the region. defaults to us-east-1"
         required: false
-        description: required credentials to authenticate with aws the aws account against which to run the tests
+        type: string
+        default: "us-east-1"
+
+permissions:
+  id-token: write # required for oidc
+  contents: read
 
 jobs:
   # install the dependencies
@@ -152,21 +151,12 @@ jobs:
           path: ./node_modules
           key: ${{ needs.install.outputs.node-modules-cache-key }}
 
-      - name: configure aws credentials
-        if: "${{ inputs.aws-region != '' }}"
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth, if creds supplied
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        if: "${{ inputs.aws-region != '' }}"
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ secrets.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: start:testdb
         run: npm run start:testdb --if-present
@@ -195,21 +185,12 @@ jobs:
           path: ./node_modules
           key: ${{ needs.install.outputs.node-modules-cache-key }}
 
-      - name: configure aws credentials
-        if: "${{ inputs.aws-region != '' }}"
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth, if creds supplied
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        if: "${{ inputs.aws-region != '' }}"
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ secrets.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: start:testdb
         run: npm run start:testdb --if-present
@@ -218,4 +199,4 @@ jobs:
         run: npm run start:livedb:dev --if-present
 
       - name: test:acceptance:locally
-        run: npm run test:acceptance:locally
+        run: THOROUGH=true npm run test:acceptance --if-present

package/dist/practices/cicd-common/best-practice/.github/workflows/release.yml

@@ -6,12 +6,55 @@ on:
       - main
 
 jobs:
-  release-please:
+  please-release:
     runs-on: ubuntu-24.04
     steps:
-      - uses: google-github-actions/release-please-action@v3.7.6 # https://github.com/googleapis/release-please-action/issues/840
+      - uses: actions/checkout@v4
         with:
-          token: ${{ secrets.RELEASE_PLEASE_GITHUB_TOKEN }}
+          fetch-depth: 0 # need full history for tags
+
+      - name: check tags
+        id: check-tags
+        run: |
+          if git tag | grep -q .; then
+            echo "has-tags=true" >> $GITHUB_OUTPUT
+          else
+            echo "has-tags=false" >> $GITHUB_OUTPUT
+            echo "No tags found - will start at v0.1.0"
+          fi
+
+      - name: get github token
+        id: github-token
+        uses: actions/create-github-app-token@v2
+        with:
+          owner: ehmpathy
+          repositories: ${{ github.event.repository.name }}
+          app-id: ${{ vars.RHELEASE_APP_ID }}
+          private-key: ${{ secrets.RHELEASE_APP_PRIVATE_KEY }}
+
+      - name: upsert the tag or pr
+        id: release
+        uses: google-github-actions/release-please-action@v3.7.6 # https://github.com/googleapis/release-please-action/issues/840
+        with:
+          token: ${{ steps.github-token.outputs.token }}
           release-type: node
+          release-as: ${{ steps.check-tags.outputs.has-tags == 'false' && '0.1.0' || null }} # ensures new packages start at a sane choice of v0, instead of their default of v1
           pull-request-title-pattern: "chore(release): v${version} 🎉"
           changelog-path: changelog.md
+
+      - name: upvibe the pr, if pr
+        if: ${{ steps.release.outputs.pr }}
+        run: |
+          PR="${{ fromJson(steps.release.outputs.pr).number }}"
+
+          body="$(gh pr view "$PR" --json body -q .body)"
+
+          updated="$(printf "%s" "$body" \
+            | sed '1s/^:robot: I have created a release \*beep\* \*boop\*$/🐢 noice work! ready to let these changes ride?/' \
+            | sed 's/^### Features$/### features/' \
+            | sed 's/^### Bug Fixes$/### fixes/' \
+          )"
+
+          gh pr edit "$PR" --body "$updated"
+        env:
+          GH_TOKEN: ${{ steps.github-token.outputs.token }}

package/dist/practices/{cicd-package → cicd-common}/best-practice/.github/workflows/test.yml

@@ -4,7 +4,7 @@ on:
   workflow_call:
   push:
     branches-ignore:
-      - 'main' # exclude main branch, since deploy workflow triggers on main, and calls the test workflow inside of it already
+      - main # exclude main branch, since deploy workflow triggers on main, and calls the test workflow inside of it already
     tags-ignore:
       - v* # exclude tags, since deploy workflow triggers on tags, and calls the test workflow inside of it already
 
@@ -15,3 +15,6 @@ concurrency:
 jobs:
   suite:
     uses: ./.github/workflows/.test.yml
+    with:
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it

package/dist/practices/cicd-package/best-practice/.github/workflows/provision.yml

@@ -20,5 +20,7 @@ jobs:
     with:
       wish-path: provision/github/declastruct.resources.ts
       github-environment: prod
+      creds-github-app-owner: ehmpathy
+      creds-github-app-id: ${{ vars.DECLASTRUCT_GITHUB_CONFORMER_APP_ID }}
     secrets:
-      github-token: ${{ secrets.PROVISION_GITHUB_GITHUB_TOKEN }}
+      creds-github-app-private-key: ${{ secrets.DECLASTRUCT_GITHUB_CONFORMER_APP_PRIVATE_KEY }}

package/dist/practices/cicd-package/best-practice/.github/workflows/publish.yml

@@ -12,6 +12,9 @@ concurrency:
 jobs:
   test:
     uses: ./.github/workflows/.test.yml
+    with:
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it
 
   publish:
     uses: ./.github/workflows/.publish-npm.yml

package/dist/practices/cicd-service/best-practice/.github/workflows/.deploy-sls.yml

@@ -11,30 +11,28 @@ on:
         type: string
         description: "the github environment that the apply step will be executed in"
         required: true
-      aws-region:
-        type: string
-        description: the aws region within which we should access
+      creds-aws-region:
+        description: "creds for aws, specifies the region"
         required: true
-      aws-account-id:
         type: string
-        description: the id of the account the credentials are expected to access
+      creds-aws-role-arn:
+        description: "creds for aws, specifies the role to assume via oidc"
         required: true
+        type: string
       needs-vpn-for-acceptance:
         type: boolean
         description: whether or not this environment needs vpn access for acceptance tests
         required: false
         default: false
     secrets:
-      aws-access-key-id:
-        required: true
-        description: required credentials to authenticate with aws provider and state persistance
-      aws-secret-access-key:
-        required: true
-        description: required credentials to authenticate with aws provider and state persistance
       pagerduty-integration-key:
         required: false
         description: enables sending pagerduty alarms on failure
 
+permissions:
+  id-token: write # required for oidc
+  contents: read
+
 jobs:
   install:
     uses: ./.github/workflows/.install.yml
@@ -51,19 +49,11 @@ jobs:
         with:
           node-version-file: ".nvmrc"
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: configure aws credentials (oidc)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: node-modules cache get
         uses: actions/cache/restore@v4
@@ -87,19 +77,11 @@ jobs:
         with:
           node-version-file: ".nvmrc"
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: configure aws credentials (oidc)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: node-modules cache get
         uses: actions/cache/restore@v4
@@ -136,19 +118,11 @@ jobs:
         with:
           node-version-file: ".nvmrc"
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: configure aws credentials (oidc)
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: node-modules cache get
         uses: actions/cache/restore@v4

package/dist/practices/cicd-service/best-practice/.github/workflows/.sql-schema-control.yml

@@ -14,19 +14,18 @@ on:
         type: boolean
         description: "whether the apply step is enabled. defaults to true on main"
         default: ${{ github.ref == 'refs/heads/main' }}
-      aws-region:
+      creds-aws-region:
         type: string
-        description: the aws region within which we should access
-      aws-account-id:
-        type: string
-        description: the id of the account the credentials are expected to access
-    secrets:
-      aws-access-key-id:
+        description: creds for aws, specifies the region
         required: true
-        description: required credentials to authenticate with aws provider for db credentials
-      aws-secret-access-key:
+      creds-aws-role-arn:
+        type: string
+        description: creds for aws, specifies the role to assume via oidc
         required: true
-        description: required credentials to authenticate with aws provider for db credentials
+
+permissions:
+  id-token: write # required for oidc
+  contents: read
 
 jobs:
   install:
@@ -53,19 +52,12 @@ jobs:
           key: ${{ needs.install.outputs.node-modules-cache-key }}
           fail-on-cache-miss: true
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: vpc:tunnel:open
         run: STAGE=${{ inputs.stage }} .agent/repo=.this/skills/use.vpc.tunnel.ts
@@ -115,19 +107,12 @@ jobs:
           key: ${{ needs.install.outputs.node-modules-cache-key }}
           fail-on-cache-miss: true
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: vpc:tunnel:open
         run: STAGE=${{ inputs.stage }} .agent/repo=.this/skills/use.vpc.tunnel.ts

package/dist/practices/cicd-service/best-practice/.github/workflows/.terraform.yml

@@ -13,22 +13,18 @@ on:
         type: boolean
         description: "whether the apply step is enabled. defaults to true on main"
         default: ${{ github.ref == 'refs/heads/main' }}
-      aws-region:
-        type: string
-        description: the aws region within which we should access
-      aws-account-id:
-        type: string
-        description: the id of the account the credentials are expected to access
-    secrets:
-      aws-access-key-id:
+      creds-aws-region:
+        description: "creds for aws, specifies the region"
         required: true
-        description: required credentials to authenticate with aws provider and state persistance
-      aws-secret-access-key:
+        type: string
+      creds-aws-role-arn:
+        description: "creds for aws, specifies the role to assume via oidc"
         required: true
-        description: required credentials to authenticate with aws provider and state persistance
-      github-token:
-        required: false
-        description: optional credentials to support authenticating with github provider
+        type: string
+
+permissions:
+  id-token: write # required for oidc
+  contents: read
 
 jobs:
   plan:
@@ -42,22 +38,15 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: setup terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
 
       - name: terraform init
         run: terraform init
@@ -68,8 +57,6 @@ jobs:
       - name: terraform plan
         id: plan
         run: terraform plan -detailed-exitcode | tee ./plan.log
-        env:
-          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command
 
       - name: evaluate plan
         id: evaluate-plan
@@ -96,27 +83,18 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
 
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
+      - name: get aws auth
+        if: ${{ inputs.creds-aws-role-arn }}
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.aws-access-key-id }}
-          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
-          aws-region: ${{ inputs.aws-region }}
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{ steps.credentials.outputs.aws-account-id }} != ${{ inputs.aws-account-id }} ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
+          role-to-assume: ${{ inputs.creds-aws-role-arn }}
+          aws-region: ${{ inputs.creds-aws-region }}
 
       - name: setup terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
 
       - name: terraform init
         run: terraform init
 
       - name: terraform apply
         run: terraform apply -auto-approve
-        env:
-          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command

package/dist/practices/cicd-service/best-practice/.github/workflows/deploy.yml

@@ -5,26 +5,26 @@ on:
     tags:
       - v*
     branches:
-      - 'main'
-      - 'master'
+      - "main"
+      - "master"
   workflow_dispatch:
     inputs:
       stage:
-        description: 'which stage do you want to deploy to?'
+        description: "which stage do you want to deploy to?"
         type: choice
         options:
           - dev
           - prod
         required: true
-        default: 'dev'
+        default: "dev"
       thoroughly:
-        description: 'should we run tests before this deployment?'
+        description: "should we run tests before this deployment?"
         type: choice
         required: true
-        default: 'true'
+        default: "true"
         options:
-          - 'true'
-          - 'false'
+          - "true"
+          - "false"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }} # per [workflow] x [branch, tag]
@@ -35,11 +35,8 @@ jobs:
     uses: ./.github/workflows/.test.yml
     if: github.event_name != 'workflow_dispatch' || github.event.inputs.thoroughly == 'true'
     with:
-      aws-region: us-east-1
-    secrets:
-      aws-account-id: '@declapract{variable.awsAccountId.dev}'
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it
 
   dev:
     uses: ./.github/workflows/.deploy-sls.yml
@@ -50,11 +47,8 @@ jobs:
     with:
       stage: dev
       github-environment: dev
-      aws-region: us-east-1
-      aws-account-id: '@declapract{variable.awsAccountId.dev}'
-    secrets:
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }}
 
   prod:
     uses: ./.github/workflows/.deploy-sls.yml
@@ -65,9 +59,5 @@ jobs:
     with:
       stage: prod
       github-environment: prod
-      aws-region: us-east-1
-      aws-account-id: '@declapract{variable.awsAccountId.prod}'
-    secrets:
-      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
-      pagerduty-integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_PROD_OIDC_ROLE_ARN }}

package/dist/practices/cicd-service/best-practice/.github/workflows/provision.yml

@@ -20,62 +20,49 @@ jobs:
     with:
       working-directory: provision/aws/environments/test
       github-environment: dev
-      aws-region: us-east-1
-      aws-account-id: "@declapract{variable.awsAccountId.dev}"
-    secrets:
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }}
 
   aws-dev:
     uses: ./.github/workflows/.terraform.yml
     with:
       working-directory: provision/aws/environments/dev
       github-environment: dev
-      aws-region: us-east-1
-      aws-account-id: "@declapract{variable.awsAccountId.dev}"
-    secrets:
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }}
 
   aws-prod:
     uses: ./.github/workflows/.terraform.yml
     with:
       working-directory: provision/aws/environments/prod
       github-environment: prod
-      aws-region: us-east-1
-      aws-account-id: "@declapract{variable.awsAccountId.prod}"
       allow-apply: ${{ startsWith(github.ref, 'refs/tags/') }} # only apply to prod on tags
-    secrets:
-      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_PROD_OIDC_ROLE_ARN }}
 
   github:
     uses: ./.github/workflows/.declastruct.yml
     with:
       wish-path: provision/github/declastruct.resources.ts
       github-environment: prod
+      creds-github-app-owner: ehmpathy
+      creds-github-app-id: ${{ vars.DECLASTRUCT_GITHUB_CONFORMER_APP_ID }}
     secrets:
-      github-token: ${{ secrets.PROVISION_GITHUB_GITHUB_TOKEN }}
+      creds-github-app-private-key: ${{ secrets.DECLASTRUCT_GITHUB_CONFORMER_APP_PRIVATE_KEY }}
 
   sql-schema-dev:
     uses: ./.github/workflows/.sql-schema-control.yml
     with:
       stage: dev
       github-environment: dev
-      aws-region: us-east-1
-      aws-account-id: "@declapract{variable.awsAccountId.dev}"
-    secrets:
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }}
 
   sql-schema-prod:
     uses: ./.github/workflows/.sql-schema-control.yml
     with:
       stage: prod
       github-environment: prod
-      aws-region: us-east-1
-      aws-account-id: "@declapract{variable.awsAccountId.prod}"
       allow-apply: ${{ startsWith(github.ref, 'refs/tags/') }} # only apply to prod on tags
-    secrets:
-      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+      creds-aws-region: us-east-1
+      creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_PROD_OIDC_ROLE_ARN }}

package/dist/practices/cicd-service/best-practice/package.json

@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "declastruct": "@declapract{check.minVersion('1.5.1')}",
+    "declastruct": "@declapract{check.minVersion('1.7.0')}",
     "declastruct-aws": "@declapract{check.minVersion('1.3.0')}",
     "declastruct-unix-network": "@declapract{check.minVersion('1.0.3')}"
   }

package/dist/practices/provision-github/best-practice/package.json

@@ -1,6 +1,6 @@
 {
   "devDependencies": {
-    "declastruct": "@declapract{check.minVersion('1.5.1')}",
+    "declastruct": "@declapract{check.minVersion('1.7.0')}",
     "declastruct-github": "@declapract{check.minVersion('1.0.7')}"
   }
 }

package/dist/practices/provision-github/best-practice/provision/github/declastruct.resources.ts

@@ -34,8 +34,8 @@ export const getProviders = async (): Promise<DeclastructProvider[]> => [
 export const getResources = async (): Promise<DomainEntity<any>[]> => {
   // declare the repo
   const repo = DeclaredGithubRepo.as({
-    owner: 'ehmpathy',
-    name: 'rhachet-roles-ehmpathy',
+    owner: '@declapract{variable.organizationName}',
+    name: '@declapract{variable.projectName}',
     description: (pkg as any).description ?? null,
     visibility: (pkg as any).private === true ? 'private' : 'public',
     private: (pkg as any).private ?? false, // todo: why do we have to specify this twice?

package/package.json

@@ -2,7 +2,7 @@
   "name": "declapract-typescript-ehmpathy",
   "author": "ehmpathy",
   "description": "declapract best practices declarations for typescript",
-  "version": "0.43.19",
+  "version": "0.44.1",
   "license": "MIT",
   "main": "src/index.js",
   "repository": "ehmpathy/declapract-typescript-ehmpathy",
@@ -17,6 +17,7 @@
     "fix:format:terraform": "terraform fmt -recursive",
     "fix:format": "npm run fix:format:prettier",
     "fix:lint": "eslint -c ./.eslintrc.js src/**/*.ts --fix",
+    "fix": "npm run fix:format && npm run fix:lint",
     "build:clean": "rm dist/ -rf",
     "build:compile": "npx declapract compile",
     "build": "npm run build:clean && npm run build:compile",
@@ -80,6 +81,8 @@
     "husky": "8.0.3",
     "jest": "29.3.1",
     "prettier": "2.8.1",
+    "rhachet": "1.13.1",
+    "rhachet-roles-ehmpathy": "1.13.8",
     "test-fns": "1.4.2",
     "ts-jest": "29.4.5",
     "tsx": "4.20.6",

package/dist/practices/cicd-service/best-practice/.github/workflows/test.yml

@@ -1,23 +0,0 @@
-name: test
-
-on:
-  workflow_call:
-  push:
-    branches-ignore:
-      - 'main' # exclude main branch, since deploy workflow triggers on main, and calls the test workflow inside of it already
-    tags-ignore:
-      - v* # exclude tags, since deploy workflow triggers on tags, and calls the test workflow inside of it already
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }} # per [workflow] x [branch, tag]
-  cancel-in-progress: true #  cancel workflows for non-latest commits
-
-jobs:
-  suite:
-    uses: ./.github/workflows/.test.yml
-    with:
-      aws-region: us-east-1
-    secrets:
-      aws-account-id: '@declapract{variable.awsAccountId.dev}' # not a secret for services, but is a secret generically, since .test supports packages too
-      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}