-
Notifications
You must be signed in to change notification settings - Fork 1
146 lines (123 loc) · 4.65 KB
/
terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: Terraform
on: [push]
jobs:
# -- TESTS ------------------------------------------------------------------
tests:
name: Tests
runs-on: ubuntu-latest
env:
TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
TF_VAR_compartment_ocid: ${{secrets.OCI_COMPARTMENT_OCID}}
TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
TF_VAR_region: ${{secrets.OCI_REGION}}
TF_VAR_cf_account_id: ${{secrets.CLOUDFLARE_ACCOUNT_ID}}
CLOUDFLARE_API_TOKEN: ${{secrets.CLOUDFLARE_API_TOKEN}}
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
checkpoint-api.hashicorp.com:443
registry.terraform.io:443
github.com:443
iaas.uk-london-1.oraclecloud.com:443
identity.uk-london-1.oci.oraclecloud.com:443
objects.githubusercontent.com:443
releases.hashicorp.com:443
api.cloudflare.com:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup Terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
- name: Terraform Format
id: fmt
run: terraform fmt -check
working-directory: ./terraform
continue-on-error: true
- name: Terraform Init
id: init
working-directory: ./terraform
run: terraform init -upgrade
- name: Terraform Plan
id: plan
working-directory: ./terraform
run: terraform plan
# -- SAST SCAN --------------------------------------------------------------
code-security:
name: Code Security
runs-on: ubuntu-latest
needs: tests
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
pipelines.actions.githubusercontent.com:443
pypi.org:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Perform Scan
uses: ShiftLeftSecurity/scan-action@master
env:
WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SCAN_ANNOTATE_PR: true
- uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
with:
name: reports
path: reports
# -- DOCUMENTATION ----------------------------------------------------------
documentation:
name: Documentation
runs-on: ubuntu-latest
needs: tests
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
- name: Terraform Docs
uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
with:
working-dir: ./terraform
output-file: USAGE.md
output-method: inject
git-push: "true"
git-commit-message: "chore(docs): update Terraform docs"
# -- RELEASE ----------------------------------------------------------------
release:
name: Release
runs-on: ubuntu-latest
needs:
- tests
- code-security
- documentation
if: github.ref == 'refs/heads/main'
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
persist-credentials: false
- name: Semantic Release
uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}