Skip to content

Bump actions/checkout from 3 to 4 (#26) #70

Bump actions/checkout from 3 to 4 (#26)

Bump actions/checkout from 3 to 4 (#26) #70

Workflow file for this run

name: CI
on:
pull_request:
branches:
- main
push:
branches:
- main
workflow_dispatch:
jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4
- uses: terraform-linters/setup-tflint@v3
- uses: pre-commit/action@v3.0.0
with:
extra_args: "-a"
validate:
name: Validate
needs: [pre-commit]
runs-on: ubuntu-latest
permissions:
pull-requests: write
strategy:
fail-fast: true
matrix:
tf-version: ["1.0", "1.1", "1.2", "1.3", "1.4", "latest"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ matrix.tf-version }}
- name: Terraform Init
run: |
terraform init -backend=false -upgrade -reconfigure
- name: Terraform FMT
run: |
terraform fmt -check -recursive
- name: Terraform Validate
run: |
terraform validate
- name: Terraform Version / Providers
run: |
terraform version
terraform providers
- name: Examples Complete Validate
run: |
cd examples/complete
terraform init -backend=false -upgrade -reconfigure
terraform validate
- name: Exmaple Remote Validate
run: |
cd examples/remote
terraform init -backend=false -upgrade -reconfigure
terraform validate
tfsec:
name: tfsec
runs-on: ubuntu-latest
permissions:
pull-requests: write
needs: [validate]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: tfsec
uses: aquasecurity/tfsec-action@v1.0.3
with:
additional_args: "--force-all-dirs --concise-output --code-theme=dark"
version: "latest"
github_token: ${{ github.token }}
caller-identity-check:
if: contains(github.event_name, 'pull_request')
name: Return the IAM user
needs: [validate, tfsec]
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v3.0.1
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions
role-session-name: ${{ github.event.repository.name }}-${{ github.ref_type }}
- run: |
aws sts get-caller-identity
auto-approve:
if: contains(github.event_name, 'pull_request')
runs-on: ubuntu-latest
needs: [validate, tfsec, caller-identity-check]
steps:
- name: Auto Approve PR
uses: actions/github-script@v6
with:
github-token: ${{ github.token }}
script: |
github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
event: "APPROVE"
})