We should consider using one of the following Terraform log levels during the GitHub Actions by default:

• TRACE
• DEBUG
• INFO
• WARN
• ERROR

This is as easy as adding an environment variable TF_LOG to the respective value, see https://developer.hashicorp.com/terraform/internals/debugging.

The advantage would be that we have detailed information about issues, which may occur, without executing the actions locally.

Would appreciate your input, @bucha, @vitaliy-golomoziy if you think it makes sense and which log level we should use.

Even though mage-os-ci is included in push_restrictions, the bot is not allowed to force push, which is required for the mirror synchronization script.

For this reason we need to keep push_restrictions as they are, but set allows_force_pushes to true.

https://github.com/mage-os/terraform/blob/main/main.tf#L88-L89

mage-os/github-actions@653be3b

compared with

mage-os/mageos-magento2@04659b5

According to observations by @Vinai, scheduled workflows on inactive repositories seem to be disabled automatically. This is also mentioned in the docs:

Warning: To prevent unnecessary workflow runs, scheduled workflows may be disabled automatically. When a public repository is forked, scheduled workflows are disabled by default. In a public repository, scheduled workflows are automatically disabled when no repository activity has occurred in 60 days.

This is an issue for us, because we have repositories with no activity in a long time, but we need the scheduled workflow to merge upstream changes nevertheless. There seem to be only two solutions:

1. Create empty dummy commits to pretend activity. This is e.g. implemented in https://github.com/marketplace/actions/keepalive-workflow. However, we should not have any dummy commits in our repositories.
2. Enable the workflow again after it has been disabled. I only found an AWS solution for this. In general, we could use the REST API to enable the workflow again as soon as it has been disabled. However, this seems to not be supported by Terraform yet, so we might want to create a separate GitHub Action for this?

See: https://github.com/mage-os/terraform/actions/runs/4861725626/jobs/8667116974#step:6:440

I'm not able to delete PR branches at https://github.com/mage-os/mage-os-website/branches since Terraform was initialized. This seems like it'll be necessary for repos under active development, to keep the branches clean.

Seems to be a side effect of the * branch restrictions on the repo.

I don't know how long the website will run from this repository with the content site merge discussions going on, so the website repo itself might not be worth a lot of specific effort at this point. But the same will probably come up for our other repos.

To create stronger visibility on GitHub, we should add topics to our repositories. Can be done very similar as for the homepage_url

We should document the permissions we set via Terraform in a human-readable format here or in a Google Doc or on the website or wherever.

The repo https://github.com/mage-os/mirror-magento-coding-standard/tree/develop/.github/workflows is missing the merge-upstream-changes.yml workflow.

https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository#archived

https://github.com/mage-os/mage-os-website needs to be archived.

Is it possible to define a default branch for specific repositories? For instance, we would like to use the 3.x branch as a default branch for https://github.com/mage-os/mageos-async-events/.

Maybe we should do another check for other missing repos -.-

It looks like we run into the warning mentioned in the Terraform docs:

Note: github_team_repository cannot be used in conjunction with github_repository_collaborators or they will fight over what your policy should be.

In the latest actions, the permissions for the tech-lead are always toggled between maintain and push.

The branch protection is currently stopping the merge-upstream-changes workflow from completing.

We currently use version 4 for the GitHub Terraform provider:

We should switch to version 5, which is already available since September. See https://github.com/integrations/terraform-provider-github/releases.

Somehow, it seems to be impossible to merge PRs even if they have enough approvals. An example would be mage-os/mageos-async-events-sinks#5:

It looks like merging is currently not possible for anyone but @Vinai.

Currently, members are able to push to a new branch, but after that the branch can not be updated.
The * branch protection rule is too broad. We need to be able to specify a list of branches to protect.
This list needs to be configurable on a per repository basis, since the repos use different branch names.

We need to make sure all repositories from https://github.com/orgs/mage-os/repositories are included. Currently, quite a few are still missing...

If we enable discussions on e.g. https://github.com/mage-os/mageos-magento2 manually, will this be reset by the next run of terraform apply?

Now that we support topics (see #29 / #49), we should add them for all repositories.

Which topics should all repositories have? I suggest mage-os, magento2 and adobe-commerce.

Which topics should all mirror repositories have? I suggest mirror.

Should we also adopt all topics from the respective "original" repositories?

Feel free to give feedback here, but this should probably also be discussed during the next tech meeting.

As can be seen here, the current condition on the GitHub Action "Terraform plan" does not work:

The action was executed on an issue comment, even though we only want to execute it on pull request comments with a certain text from certain authors. I checked the condition and it pretty much seems to use the same condition as shown in the docs.

Is it all MIT?

tldr:

Hashicorp switched the terraform license from an open-source license to a business license. The community is unsure about the future of terraform and created a fork called openTF. Sound familiar, right? 😄 .

For now, nothing has changed, and openTF is younger than Mage-OS 😅 . Nevertheless, it's worth following the discussion and eventually preparing a migration. There is no need to be a first-mover, but it should be on our radar.

Their "open letter"
Their GitHub Repo

Test if the permissions work in the way we want them to work.

Hi,
Sorry I know I should of done this last week, please could we create a repo for development environments for mage-os, can't remember the name @Vinai wanted, think it was development-environment

Nice one thanks

Currently the branch protection rules on https://github.com/mage-os/github-actions/settings/branches are set to * by the terraform rules. I've temporarily changed it to main, but as far as I know that will be reverted the next time the terraform config is applied.

We need only main to be protected is so release-please-* branches can be force-pushed to by a bot. The bot automatically creates releases when commits are made to the main branch.
The branch protection rule * prevents this from working.

This is about https://github.com/mage-os/terraform/actions/runs/9500022004/job/26182150184.

When a repository is archived, and we update some configuration like the branch protection rules, Terraform will try to apply the changes to the archived repository and GitHub will throw an error:

╷
│ Error: Repository is archived
│ 
│   with github_branch_protection.repositories["mage-os-website"],
│   on main.tf line 126, in resource "github_branch_protection" "repositories":
│  126: resource "github_branch_protection" "repositories" {
│ 
╵
Error: Process completed with exit code 1.

We had a similar issue in #54, but the new issue cannot be fixed in the same way.

My current idea is that we remove the old, archived repository from the Terraform state and from the variables.tf file. This way, Terraform might just ignore the existing, archived repository. Would that work, @Jakski?

Any other ideas?

For https://github.com/mage-os/mage-os-website, it makes sense to add the website https://mage-os.org/ as a repository URL. Terraform supports this via homepage_url. We should support this as well, so that we can optionally define a website for a repository.

For reference: https://registry.terraform.io/providers/integrations/github/latest/docs/resources/dependabot_organization_secret

Currently, pre-defined teams can get access to certain repositories. However, we also need the functionality to give individual contributors access to certain repositories. Therefore, I think we should extend this:

by

    contributors = ["contributor-username"]

And then we need to do something similar like here:

with the resource github_repository_collaborator instead of github_team_repository.

We could include some very classy default files in most of the repos. Damian uses good ones for issue templating, for example.

https://github.com/graycoreio/github-actions-magento2/tree/main/.github

Currently all repositories defined in variable "repositories" have branch protections turned on so all changes are submitted via pull requests. This makes sense in a regular repository but not so much in a mono-repository setup.

The mageos-async-events-sinks is a mono repository which runs an action to split the packages and push to remote as the mage-os-ci user, thus running into the problem of not being allowed to push because of said branch restrictions.

Some possible solutions that I can think of are

1. Create a new variable "mono-repositories" which copy the same branch protection configuration AND add push_allowances to the mage-os-ci user.
2. Add push_allowances to the mage-os-ci user on the existing branch protection rule meaning mage-os-ci could in theory bypass branch restrictions on all repositories defined by the variable.

https://hacktoberfest.com/participation/#maintainers

The resource https://github.com/mage-os/mageos-magento2-functional-testing-framework/blob/develop/.github/workflows/merge-upstream-changes.yml was not created by terraform.

Currently the reason is unknown. The code at