This repository has been archived by the owner on Aug 4, 2023. It is now read-only.
chore(deps): bump golang.org/x/crypto from 0.0.0-20210513164829-c07d793c2f9a to 0.1.0 #1171
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Terraform Code Quality" | |
on: | |
pull_request: | |
push: | |
jobs: | |
discover_stages: | |
name: Discover | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
# here we create the json, we need the "id:" so we can use it in "outputs" below | |
- id: set-matrix | |
# find tf files in all folders, trim to path, store as array, remove any empty. | |
run: echo "::set-output name=matrix::$(find stages -name *.tf | sed 's:[^/]*$::' | sort -u | jq -R -s -c 'split("\n") | map(select(length > 0))')" | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
terraform_validate: | |
name: Validate | |
runs-on: ubuntu-latest | |
needs: discover_stages | |
strategy: | |
# ↓ create dynamic matrix from the json | |
matrix: | |
validate: ${{ fromJson(needs.discover_stages.outputs.matrix) }} | |
fail-fast: false | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Setup | |
uses: hashicorp/setup-terraform@v1 | |
# Checks that all Terraform configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state. | |
- name: Validate | |
env: | |
FOLDER: ${{ matrix.validate }} | |
run: | | |
cd $FOLDER | |
if [ ! -f ".terraform.lock.hcl" ]; then | |
echo "Terraform lockfile doesn't exist in this root module. Please create one using \"terraform init -backend=false\"" | |
exit 1 | |
fi | |
terraform init -backend=false | |
terraform validate | |
- name: tfsec | |
uses: aquasecurity/tfsec-sarif-action@v0.1.3 | |
with: | |
sarif_file: tfsec.sarif | |
working_directory: ${{ matrix.validate }} | |
tfsec_args: "-e general-secrets-sensitive-in-variable,general-secrets-sensitive-in-local,general-secrets-sensitive-in-attribute" | |
- name: Upload SARIF file | |
if: always() | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: tfsec.sarif | |
- name: Run tflint with reviewdog | |
uses: reviewdog/action-tflint@v1.17.0 | |
if: always() | |
with: | |
working_directory: ${{ matrix.validate }} | |
github_token: ${{ secrets.github_token }} | |
fail_on_error: "true" | |
filter_mode: "nofilter" | |
reporter: github-pr-review | |
tflint_version: v0.39.3 | |
terraform_format: | |
name: Format | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v1 | |
# Checks that all Terraform configuration files adhere to a canonical format | |
- name: Terraform Format | |
run: terraform fmt -check --recursive |