feat: Milestone/0.9 (#1019)

The release includes the following:

* Use [Online Boutique][ob-github] (v0.6.0) as a demo application instead of outdated fork of Hipster Shop
* Change the branching model from [gitflow] to [trunk-based]
* Modification of CI/CD including:
   * Cleanup not used workflows
   * Conversion from self-hosted to Github-hosted [agents]
   * Improved Terraform validation
   * Shell script linting validation
* Consolidation of all (non-Terraform) scripts into a single `sandboxctl` implemented in Bash script
* Support of "delete" operation that does not require shutting down (a.k.a. deleting) Google Cloud project.
* Revision of the site documentation and consolidation all documentation in the Github repo.
* Revision of the walkthrough guide to help in Sandbox launching 

As part of the above changes and in order to support further development, this release discontinues support of the following:

* Website ([cloud-ops-sandbox.dev](https://cloud-ops-sandbox.dev/)) has a deprecation note displayed in every page announcing end of life (in July).
* Website allows to users to launch previous minor release (version 0.8.0) of Sandbox in the case they need discontinued functionality.
* Support of the custom Cloud Shell image to launch Sandbox is stopped. Launching process will be guided using interactive tutorial.

### Discontinued functionality

This is release does not support some functions and features that exist in the previous minor release (0.8).

* Rating service does not in Online Boutique. It has the following effect on Sandbox features:
   * Sandbox stops provisioning AppEngine services and CloudSQL DB instance.
   * Sandbox does not demonstrate a window-based SLO definition.
   * SLO recipe that was using rating service will be removed
* Single-click installation is no longer available. Users will use the guided installation using the walkthrough tutorial (from README page).
* Launch process does not create a new project. Users will have to create a project by themselves.
* Suspension of SRE recipes. Online Boutique does not currently provide adequate support for chaos engineering that is used in SRE recipes. Because of it the version 0.9.0 does not feature SRE recipes. This functionality will be restored in the version 0.10.0 after changing the chaos engineering engine of the recipes. #1009 tracks the work on restoring this function.
* Load generator from Online Boutique does not expose GUI for manual customization. It only provides a constant low load. You can use CLI parameter `--skip-loadgenerator` to avoid load generation. GoogleCloudPlatform/microservices-demo#1692 was created to support this functionality in Online Boutique.

### Pending tasks

There is a number of tasks that are incomplete at the time of the 0.9.0 release. These tasks will be implemented in the following releases. The list below captures the current set of the tasks:

* integration tests to validate correctness of provisioned Cloud Ops resources
* enabling release-please bot to automate release PRs
* Use [cloud-ops-sandbox.dev](https://cloud-ops-sandbox.dev/) to host a _read-only_ version of Cloud Ops Sandbox that can be used for a reference or as a preview
* rennovated SRE recipes engine (will be released in version 0.10.0)

### 🛠️ Resolved issues

Fixes #1001, Fixes #1002, Fixes #1003, Fixes #1010, Fixes #1012, Fixes #1018, Fixes #1021, Fixes #987

The following issues will be closed by this release:
Closes #216, Closes #324, Closes #453 (as no longer reproducible), Closes #575, Closes #748, Closes #789, Closes #880, Closes #888, Closes #914 (obsolete), #1006 (obsolete)

[ob-github]: https://github.com/GoogleCloudPlatform/microservices-demo
[gitflow]: https://www.atlassian.com/git/tutorials/comparing-workflows/gitflow-workflow
[trunk-based]: https://trunkbaseddevelopment.com/
[agents]: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners

.github/conventional-commit-lint.yaml

@@ -1,5 +1,19 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Presubmit test that ensures that commit messages are build following convention
 # https://github.com/googleapis/repo-automation-bots/tree/main/packages/conventional-commit-lint
 
 enabled: true
-always_check_pr_title: true
+always_check_pr_title: false

.github/header-checker-lint.yml

@@ -1,3 +1,17 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # Presubmit test that ensures that source files contain valid license headers
 # https://github.com/googleapis/repo-automation-bots/tree/main/packages/header-checker-lint
 # Install: https://github.com/apps/license-header-lint-gcf

.github/workflows/README.md

@@ -35,9 +35,9 @@ jobs:
       cancel-in-progress: true
 ```
 
-### Terraform Lint - [lint-terraform.yaml]
+### Terraform workflow ([terraform.yaml])
 
-The workflow is triggered by changes to Terraform configurations used for provisioning Cloud Ops Sandbox:
+The workflow is triggered by changes to Terraform configurations in the project:
 
 ```yaml
 on:
@@ -46,19 +46,14 @@ on:
       - 'provisioning/terraform/**'
 ```
 
-It uses the [tflint] Github action.
+It defines two jobs:
 
-#### Handling skipped but required checks
-
-To allow using this workflow as a [required status check] the file [lint-terraform-other.yaml] is used. It defines the workflow with the same name that _does nothing_ when triggered for changes outside the Terraform configuration.
+1. Linting that validates formatting and other rules and dependecies using [tflint]
+2. End-to-end deployment that provisions Online Boutique demo app with Sandbox from scratch.
+And destroys it afterward.
 
-### End-to-end Deployment
+#### End-to-end deployment steps
 
-The workflow is triggered by pull request modifications (excluding a closure of the request) for branches `main` and branches with names starting with `milestone/` or `release/`.
-The workflow is not triggered for changes to documentation or markdown files.
-Permissions are updated to acquire the identity token from Google Cloud Identity service. See [blog] for more details.
-
-The workflow installs Google Cloud CLI to complete the list of required binaries (gcloud, git, kubectl).
 Then it triggers installation of Cloud Ops Sandbox using [install.sh] script.
 The deployment reuses the same GCS bucket to maintain Terraform state for all workflow executions but prefixes each one with the first 7 digits of SHA ( [`${{ github.sha }}`][sha] )of the commit.
 The installation is triggered with the following parameters:
@@ -68,12 +63,54 @@ The installation is triggered with the following parameters:
 * Allowing deployment of the load generator
 * Disabling configuration of Anthos Service Mesh and deployment of Online Boutique ingress
 
+#### Handling skipped but required checks
+
+The additional file [non-terraform.yaml] defines the workflow with the same name to support
+the use of the workflow as [required status check].
+It is configured to run on any "non-terraform" changes, so the required workflow will always
+guaranteed to terminate.
+
+### Required workflows
+
+The workflows triggered by pull request modifications (excluding a closure of the request)
+are enforced on `main` and branches with names starting with `milestone/` or `release/`.
+
+### Running jobs that require Google Cloud authentication
+
+Jobs that need to authenticate vs. Google Cloud use keyless authentication method.
+The method is described with more details in the [blog].
+Job permissions are updated to allow storing id token.
+The workflow installs Google Cloud CLI to complete the list of required binaries (gcloud, git, kubectl).
+
+## GitHub configurations and bots
+
+The repo defines templates for new [pull requests], [bugs] and [features].
+The configurations include the following bots:
+
+* [Blunderbuss]: Auto-assigner of a Github users to pull requests and issues
+* [Header checker]: Presubmit check that all files with configured extensions have the proper copyright header
+* [Conventional commit lint]: Presubmit check that all commit messages in PR follow the [convention]
+* [Snippets]: Scanner for possible code sample snippets to integrate them into Google Cloud documentation
+* [Trusted contributors]: Integrator for Github application trusted access to the repo
+
+For information about the customized workflow, see [workfows/README]
+
 [hosted]: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
 [bots]: ../README.md
-[lint-terraform.yaml]: ./lint-terraform.yaml
-[lint-terraform-other.yaml]: ./lint-terraform-other.yaml
+[terraform.yaml]: ./terraform.yaml
+[non-terraform.yaml]: ./non-terraform.yaml
 [tflint]: https://github.com/marketplace/actions/setup-tflint
 [blog]: https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
 [install.sh]: ../../provisioning/install.sh
 [sha]: https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
 [required status check]: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging
+[pull requests]: ./PULL_REQUEST_TEMPLATE.md
+[bugs]: ISSUE_TEMPLATE/bug_report.md
+[features]: ISSUE_TEMPLATE/feature_request.md
+[blunderbuss]: https://github.com/googleapis/repo-automation-bots/tree/main/packages/blunderbuss
+[header checker]: https://github.com/googleapis/repo-automation-bots/tree/main/packages/header-checker-lint
+[workfows/README]: workflows/README.md
+[conventional commit lint]: https://github.com/googleapis/repo-automation-bots/tree/main/packages/conventional-commit-lint
+[convention]: https://www.conventionalcommits.org/en/v1.0.0/
+[snippets]: https://github.com/googleapis/repo-automation-bots/tree/main/packages/snippet-bot
+[trusted contributors]: https://github.com/googleapis/repo-automation-bots/tree/main/packages/trusted-contribution

.github/workflows/lint-terraform-other.yaml → .github/workflows/cli.yaml

@@ -11,19 +11,25 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+name: CLI
 
-# allow use of the workflow as required status check when no changes in provisioning/terraform/**
-# for details see https://github.com/orgs/community/discussions/49124
-name: terraform lint
 on:
   pull_request:
     types: [opened,synchronize,reopened]
-    paths-ignore:
-    - 'provisioning/terraform/**'
 
 jobs:
-  tflint:
-    name: "not terraform files"
+
+  shellcheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
     steps:
-    - run: 'echo "No terraform lint required"'
+    - name: Checkout source code
+      uses: actions/checkout@v3
+
+    - name: Check CLI script
+      run: shellcheck provisioning/sandboxctl

.github/workflows/non-terraform.yaml

@@ -0,0 +1,43 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: Terraform
+
+on:
+  pull_request:
+    types: [opened,synchronize,reopened]
+    paths-ignore:
+    - 'provisioning/terraform/**'
+
+
+jobs:
+  tflint:
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
+    steps:
+    - run: 'echo "No work to do for non-terraform changes"'
+
+
+  e2e-deployment:
+    permissions:
+      contents: read
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
+    steps:
+    - run: 'echo "No work to do for non-terraform changes"'