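---
# Static review of the Terraform code on every pull request: TFLint for
# correctness/style and tfsec for security findings, both posted back to the
# PR through reviewdog. Neither tool talks to a cloud API, so this workflow
# must never need a working credential.
name: Code Review

on: [pull_request]  # yamllint disable-line rule:truthy

# Least-privilege GITHUB_TOKEN for every job. Without an explicit block the
# workflow inherits the repository default, which may be write-all.
# checkout needs `contents: read`; reviewdog's github-pr-check/github-check
# reporters need `checks: write` and its github-pr-review reporter needs
# `pull-requests: write` — drop whichever reporter is not configured.
# On pull_request events from forks the token is read-only regardless, so
# inline reporting cannot work there (a reviewdog limitation).
permissions:
  contents: read
  checks: write
  pull-requests: write

jobs:
  # -- LINT -------------------------------------------------------------------
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    # TFLint resolves `var.*` from TF_VAR_* while evaluating HCL, so the
    # identifiers (OCIDs, fingerprint, region) are kept. It never
    # authenticates to OCI or Cloudflare, yet the real private key and API
    # token were previously exported to every step of this job — including
    # the third-party harden-runner and reviewdog actions. Inert placeholders
    # give the same evaluation result without handing credentials to a
    # linter. NOTE(review): confirm no custom rule inspects the key/token
    # value format; if one does, supply a throwaway test value, not the
    # production secret.
    env:
      TF_VAR_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
      TF_VAR_compartment_ocid: ${{ secrets.OCI_COMPARTMENT_OCID }}
      TF_VAR_user_ocid: ${{ secrets.OCI_USER_OCID }}
      TF_VAR_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
      TF_VAR_private_key: lint-placeholder-not-a-key
      TF_VAR_region: ${{ secrets.OCI_REGION }}
      TF_VAR_cf_api_token: lint-placeholder-not-a-token
    steps:
      # Pinned by commit SHA; record the matching release tag next to the SHA
      # as the other steps do, so the pin can be audited against upstream.
      # `audit` only logs outbound connections — once the baseline is known,
      # move to `egress-policy: block` with an `allowed-endpoints` list so a
      # compromised action cannot exfiltrate anything from the runner.
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
      # Run init to get module code to be able to use `--module`.
      # `terraform init` does not evaluate provider blocks, so no TF_VAR_*
      # value is needed for it to succeed.
      - name: Terraform init
        run: terraform init
        working-directory: ./terraform
      # Run TFLint.
      # NOTE(review): init ran in ./terraform but the action defaults to the
      # repository root; if the module cache from init is meant to be used,
      # pass `with: working_directory: ./terraform` — confirm against the
      # action's inputs for the pinned version.
      - name: Run TFlint with reviewdog output on the PR
        uses: reviewdog/action-tflint@795549fe8b30d50938a5c0787478e89db28f3ba3 # v1.19.1
  # -- SECURITY ---------------------------------------------------------------
  tfsec:
    name: TFSec
    runs-on: ubuntu-latest
    # Same reasoning as the TFLint job: tfsec reads TF_VAR_* for variable
    # values but performs no API calls, so it needs identifiers at most and
    # an inert placeholder for the key. The provider-native
    # CLOUDFLARE_API_TOKEN that used to be exported here was consumed by
    # nothing in this job (checkout, harden-runner and tfsec do not read it)
    # and has been removed.
    # NOTE(review): the TFLint job exports TF_VAR_cf_api_token and no
    # TF_VAR_cf_account_id, this one the reverse; both jobs should export the
    # same variable set — the one the Terraform code actually declares.
    env:
      TF_VAR_tenancy_ocid: ${{ secrets.OCI_TENANCY_OCID }}
      TF_VAR_compartment_ocid: ${{ secrets.OCI_COMPARTMENT_OCID }}
      TF_VAR_user_ocid: ${{ secrets.OCI_USER_OCID }}
      TF_VAR_fingerprint: ${{ secrets.OCI_FINGERPRINT }}
      TF_VAR_private_key: lint-placeholder-not-a-key
      TF_VAR_region: ${{ secrets.OCI_REGION }}
      TF_VAR_cf_account_id: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
    steps:
      # Same pin/egress caveats as in the TFLint job: add the release tag and
      # move from `audit` to `block` once the endpoint list is known.
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0327a39356be0e062df2bb0bd2a3e036b72a8393
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      # Run tfsec (static analysis only; no credentials required).
      - name: Run TFsec with reviewdog output on the PR
        uses: reviewdog/action-tfsec@edcc519e87c71fb8b02fb58fea31ccc7b99cd88f # v1.16.0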