Merge pull request #25 from mineiros-io/lukas/allows-secret-runs-from… #116
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tests | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| types: [opened, synchronize] | |
| pull_request_target: | |
| types: [opened, synchronize] | |
| concurrency: | |
| group: terraform-google-artifact-registry-repository | |
| cancel-in-progress: false | |
| jobs: | |
| pre-commit: | |
| runs-on: ubuntu-latest | |
| name: Static Analysis | |
| steps: | |
| - name: Checkout | |
| # for security reasons we pin commit ids and not tags. | |
| # actions/[email protected] -> 2541b1294d2704b0964813337f33b291d3f8596b | |
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | |
| with: | |
| fetch-depth: 0 | |
| # - name: Setup SSH to Private Modules | |
| # # for security reasons we pin commit ids and not tags. | |
| # # webfactory/[email protected] -> fc49353b67b2b7c1e0e6a600572d01a69f2672dd | |
| # uses: webfactory/ssh-agent@fc49353b67b2b7c1e0e6a600572d01a69f2672dd | |
| # with: | |
| # ssh-private-key: | | |
| # ${{ secrets.DEPLOY_KEY__REPOSITORY_A }} | |
| # ${{ secrets.DEPLOY_KEY__REPOSITORY_B }} | |
| - name: Set up Golang | |
| # for security reasons we pin commit ids and not tags. | |
| # actions/[email protected] -> b22fbbc2921299758641fab08929b4ac52b32923 | |
| uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 | |
| with: | |
| go-version: 1.17.6 | |
| - name: Install terramate | |
| uses: terramate-io/terramate-action@v1 | |
| - name: Set up Terradoc | |
| # for security reasons we pin commit ids and not tags. | |
| # mineiros-io/terradoc@main -> af1a7b3ae3635958adf5ee2f40e0c3e70fd0803a | |
| run: go install github.com/mineiros-io/terradoc/cmd/terradoc@af1a7b3ae3635958adf5ee2f40e0c3e70fd0803a | |
| env: | |
| GOPROXY: direct | |
| - name: Set up Terraform | |
| # for security reasons we pin commit ids and not tags. | |
| # hashicorp/[email protected] -> 17d4c9b8043b238f6f35641cdd8433da1e6f3867 | |
| uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 | |
| with: | |
| terraform_version: 1.3.0 | |
| terraform_wrapper: false | |
| - name: Setup TFLint | |
| # for security reasons we pin commit ids and not tags. | |
| # terraform-linters/[email protected] -> 9e653e0f7de0839150e03280e0981e0c25eaf10a | |
| uses: terraform-linters/setup-tflint@9e653e0f7de0839150e03280e0981e0c25eaf10a | |
| with: | |
| tflint_version: v0.41.0 | |
| - name: Setup and run pre-commit | |
| # for security reasons we pin commit ids and not tags. | |
| # pre-commit/[email protected] -> 9b88afc9cd57fd75b655d5c71bd38146d07135fe | |
| uses: pre-commit/action@9b88afc9cd57fd75b655d5c71bd38146d07135fe | |
| unit-tests: | |
| # needs: pre-commit | |
| runs-on: ubuntu-latest | |
| name: Unit Tests | |
| steps: | |
| - name: Get User Permission | |
| id: checkAccess | |
| uses: actions-cool/check-user-permission@956b2e73cdfe3bcb819bb7225e490cb3b18fd76e # v2.2.1 | |
| with: | |
| require: write | |
| username: ${{ github.triggering_actor }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Check User Permission | |
| if: steps.checkAccess.outputs.require-result == 'false' | |
| run: | | |
| echo "${{ github.triggering_actor }} does not have permissions on this repo." | |
| echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}" | |
| echo "Job originally triggered by ${{ github.actor }}" | |
| exit 1 | |
| - name: Checkout | |
| # for security reasons we pin commit ids and not tags. | |
| # actions/[email protected] -> 2541b1294d2704b0964813337f33b291d3f8596b | |
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| # - name: Setup SSH to Private Modules | |
| # # for security reasons we pin commit ids and not tags. | |
| # # webfactory/[email protected] -> fc49353b67b2b7c1e0e6a600572d01a69f2672dd | |
| # uses: webfactory/ssh-agent@fc49353b67b2b7c1e0e6a600572d01a69f2672dd | |
| # with: | |
| # ssh-private-key: | | |
| # ${{ secrets.DEPLOY_KEY__REPOSITORY_A }} | |
| # ${{ secrets.DEPLOY_KEY__REPOSITORY_B }} | |
| - name: Check for Terraform file changes | |
| # for security reasons we pin commit ids and not tags. | |
| # getsentry/[email protected] -> b2feaf19c27470162a626bd6fa8438ae5b263721 | |
| uses: getsentry/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 | |
| id: changes | |
| with: | |
| filters: | | |
| terraform: | |
| - '*.tf' | |
| - 'test/**/*.tf' | |
| - 'test/**/*.go' | |
| - 'test/go.mod' | |
| - 'test/go.sum' | |
| - name: Set up Terraform | |
| if: steps.changes.outputs.terraform == 'true' | |
| # for security reasons we pin commit ids and not tags. | |
| # hashicorp/[email protected] -> 17d4c9b8043b238f6f35641cdd8433da1e6f3867 | |
| uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 | |
| with: | |
| terraform_version: 1.2.1 | |
| terraform_wrapper: false | |
| - name: Set up Golang | |
| if: steps.changes.outputs.terraform == 'true' | |
| # for security reasons we pin commit ids and not tags. | |
| # actions/[email protected] -> b22fbbc2921299758641fab08929b4ac52b32923 | |
| uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 | |
| with: | |
| go-version: 1.17.6 | |
| - name: Run Unit Tests | |
| if: steps.changes.outputs.terraform == 'true' | |
| run: make test/unit-tests | |
| env: | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.MINEIROS_TESTING_AWS_SECRET_ACCESS_KEY }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.MINEIROS_TESTING_AWS_ACCESS_KEY_ID }} | |
| GOOGLE_CREDENTIALS: ${{ secrets.MINEIROS_TESTING_GCP_SA_KEY_FILE }} | |
| TEST_GCP_PROJECT: ${{ secrets.MINEIROS_TESTING_GCP_PROJECT }} | |
| TEST_GCP_ORG_DOMAIN: ${{ secrets.MINEIROS_TESTING_GCP_ORG_DOMAIN }} | |
| TEST_GCP_BILLING_ACCOUNT: ${{ secrets.MINEIROS_TESTING_GCP_BILLING_ACCOUNT }} |