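---
# Repository policy checks: merge-commit hygiene, commit-message style,
# Markdown / YAML / Terraform style, and a Terraform security scan.
name: policy
# yamllint disable-line rule:truthy
on:
  pull_request:
  push:
    branches:
      # This is run on merge queue branches as there are jobs listed in this
      # action that are often required in branch protection rules. Due to guards
      # below certain jobs may not run in merge queue branches but will still
      # return a status indicating a pass.
      # NOTE(review): GitHub's `merge_group` event exists for this purpose and
      # would avoid matching on the queue's branch-name pattern — confirm the
      # repository's merge-queue settings before switching.
      - gh-readonly-queue/**
      - master

# Least-privilege default for GITHUB_TOKEN: every job is read-only unless it
# declares its own `permissions` (the terraform and tfsec jobs below do).
permissions:
  contents: read

jobs:
  check-merge-commits:
    if: github.event_name == 'pull_request'
    name: Check merge commits
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Compare the PR's base and head commits by SHA instead of by
      # `origin/<branch>`: the head branch of a fork PR is not a ref in
      # `origin`, so a branch-based range cannot be resolved there. The SHAs
      # are handed over through `env` so no expression text is substituted
      # into the shell script itself.
      - env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          git config --global --add safe.directory /github/workspace
          merge_commits=$(git rev-list --merges "$BASE_SHA".."$HEAD_SHA")
          if [ -n "$merge_commits" ]; then
            echo "Error: merge commits found in $GITHUB_BASE_REF..$GITHUB_HEAD_REF"
            for merge_commit in $merge_commits; do
              echo "$merge_commit"
            done
            exit 1
          fi

  commit-message-style:
    if: github.event_name == 'pull_request' && github.triggering_actor != 'dependabot[bot]'
    name: Check commit message style
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          # NOTE(review): Node 19 is an odd-numbered, end-of-life release line;
          # move to a current LTS line once the tools below are verified on it.
          node-version: 19.x
      # NOTE(review): neither package is version-pinned, so every run installs
      # whatever "latest" is at that moment (npx also fetches @commitlint/cli
      # implicitly). Pin both to reviewed versions for a reproducible CI
      # supply chain.
      - name: Install base config
        run: npm install @commitlint/config-conventional
      - name: Validate commit messages
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: npx commitlint --from "$BASE_SHA" --to HEAD --verbose

  markdown-style:
    name: Check markdown style
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 19.x
      - name: Validate markdown
        # Quoted so the glob reaches markdownlint-cli2 unexpanded and `**`
        # means "any depth"; bash without globstar treats `**` as `*` and
        # would only expand one directory level (or pass the literal pattern
        # through when nothing matches).
        # NOTE(review): markdownlint-cli2 is unpinned here as well.
        run: npx markdownlint-cli2 "**/*.md"

  terraform:
    name: Check Terraform configuration style
    runs-on: ubuntu-latest
    # Only this job and tfsec need to write PR comments.
    permissions:
      contents: read
      pull-requests: write
    env:
      TF_IN_AUTOMATION: 1
      TF_INPUT: 0
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: "1.4.7"
      - name: Check Terraform configuration
        id: fmt
        run: terraform fmt -check -recursive -diff
      - name: Initialise Terraform configuration
        id: init
        run: terraform init -backend=false
      - name: Validate Terraform configuration
        id: validate
        run: terraform validate -no-color
      # Post (or refresh) the result comment even when one of the steps above
      # failed; without `!cancelled()` the step is skipped on failure and the
      # outcome table below could only ever report `success`.
      # NOTE(review): on pull requests from forks the token is read-only, so
      # the comment calls are expected to be rejected — consider guarding on
      # `github.event.pull_request.head.repo.full_name == github.repository`.
      - uses: actions/github-script@v7
        if: github.event_name == 'pull_request' && !cancelled()
        # Step output is PR-controlled text (`terraform fmt -diff` echoes the
        # contents of the changed .tf files). It is passed to the script via
        # the process environment rather than expanded into the JavaScript
        # source, which would let file content be executed as script.
        env:
          FMT_OUTCOME: ${{ steps.fmt.outcome }}
          INIT_OUTCOME: ${{ steps.init.outcome }}
          VALIDATE_OUTCOME: ${{ steps.validate.outcome }}
          FMT_STDOUT: ${{ steps.fmt.outputs.stdout }}
          VALIDATE_STDOUT: ${{ steps.validate.outputs.stdout }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // Retrieve existing bot comments for the PR.
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const botComment = comments.find(comment => {
              return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
            });
            // Step results are read from the environment (see `env` above),
            // never from workflow-expression expansion inside this script.
            const fmtOutcome = process.env.FMT_OUTCOME;
            const initOutcome = process.env.INIT_OUTCOME;
            const validateOutcome = process.env.VALIDATE_OUTCOME;
            const formatSummary = (process.env.FMT_STDOUT || '').trim() || 'No difference';
            const validateOutput = process.env.VALIDATE_STDOUT || '';
            // Prepare format of the comment.
            const output = `| Step | Result |
            |------|--------|
            | Terraform Format and Style | \`${fmtOutcome}\` |
            | Terraform Initialization | \`${initOutcome}\` |
            | Terraform Validation | \`${validateOutcome}\` |
            <details>
            <summary><strong>Formatting Output</strong></summary>
            \`\`\`diff
            ${formatSummary}
            \`\`\`
            </details>
            <details>
            <summary><strong>Validation Output</strong></summary>
            \`\`\`
            ${validateOutput}
            \`\`\`
            </details>`;
            // If we have a comment, update it, otherwise create a new one.
            // Awaited so an API failure fails the step instead of surfacing
            // as an unhandled promise rejection.
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output,
              });
            } else {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output,
              });
            }

  tfsec:
    name: Scan Terraform code for security vulnerabilities
    needs: terraform
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): the action reference was unreadable in this copy of the
      # file ("[email protected]"); restore the real reference and pin it to
      # a release tag or, preferably, a full commit SHA.
      - uses: aquasecurity/tfsec-pr-commenter-action@<PIN_TO_RELEASE_TAG_OR_COMMIT_SHA>
        with:
          github_token: ${{ github.token }}

  yaml-style:
    name: Check YAML style
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      # NOTE(review): yamllint is installed unpinned; pin it (e.g. a
      # requirements file with hashes) for reproducible results.
      - name: Install yamllint
        run: pip install --user yamllint
      - name: Validate YAML
        run: yamllint .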