Merge pull request #2227 from pascaliske/renovate/github-codeql-actio… #616
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
name: Terraform | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- 'terraform/**' | |
- '.github/workflows/terraform.yml' | |
pull_request: | |
branches: | |
- main | |
paths: | |
- 'terraform/**' | |
- '.github/workflows/terraform.yml' | |
permissions: | |
contents: read | |
pull-requests: write | |
env: | |
TF_INPUT: false | |
TF_IN_AUTOMATION: true | |
TF_VAR_GOOGLE_VERIFICATION_TOKEN: ${{ secrets.GOOGLE_VERIFICATION_TOKEN }} | |
CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }} | |
jobs: | |
linting: | |
name: Linting | |
runs-on: ubuntu-latest | |
steps: | |
# checkout | |
- uses: actions/checkout@v4 | |
# setup taskfile | |
- uses: arduino/setup-task@v1 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# setup terraform | |
- uses: hashicorp/setup-terraform@v3 | |
# setup tflint | |
- uses: terraform-linters/setup-tflint@v4 | |
# init terraform | |
- name: Init Terraform | |
run: task tf:init -- -backend=false | |
# validate terraform | |
- name: Validate Terraform | |
run: task tf:validate | |
# lint terraform | |
- name: Lint Terraform | |
run: task tf:lint | |
scan: | |
name: Scan | |
runs-on: ubuntu-latest | |
steps: | |
# checkout | |
- uses: actions/checkout@v4 | |
# setup tfsec | |
- uses: tfsec/[email protected] | |
with: | |
working_directory: terraform | |
sarif_file: tfsec.sarif | |
# upload report to github | |
- uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: tfsec.sarif | |
plan: | |
name: Plan | |
runs-on: ubuntu-latest | |
steps: | |
# checkout | |
- uses: actions/checkout@v4 | |
# setup taskfile | |
- uses: arduino/setup-task@v1 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# setup terraform | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
# init terraform | |
- name: Init Terraform | |
id: init | |
run: task tf:init | |
# validate terraform | |
- name: Validate Terraform | |
id: validate | |
run: task tf:validate -- -no-color | |
# plan | |
- name: Terraform Plan | |
id: plan | |
if: github.event_name == 'pull_request' | |
run: task tf:plan -- -no-color | |
continue-on-error: true | |
# update comment with plan | |
- uses: actions/github-script@v7 | |
if: github.event_name == 'pull_request' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// get comments | |
const { owner, repo } = context.repo | |
const { number: issue_number } = context.issue | |
const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number }) | |
// find possible existing comment | |
const comment = comments.find(c => c.user.type === 'Bot' && c.body.includes('Terraform Initialization')) | |
// prepare comment | |
const content = ` | |
#### Terraform Initialization ⚙️ \`${{ steps.init.outcome }}\` | |
#### Terraform Validation ✅ \`${{ steps.validate.outcome }}\` | |
<details><summary>Validation Output</summary> | |
\`\`\`\n | |
${{ steps.validate.outputs.stdout }} | |
\`\`\` | |
</details> | |
#### Terraform Plan 📖 \`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${{ steps.plan.outputs.stdout }} | |
\`\`\` | |
</details> | |
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`* | |
`; | |
// update existing comment or create a new one | |
if (comment) { | |
github.rest.issues.updateComment({ owner, repo, comment_id: comment.id, body: content.trim() }) | |
} else { | |
github.rest.issues.createComment({ owner, repo, issue_number, body: content.trim() }) | |
} | |
# plan status | |
- name: Terraform Plan Status | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 | |
# apply | |
- name: Terraform Apply | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
run: task tf:apply -- --auto-approve |