chore: add stage-preapproved github env (#27936) #42046
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: terraform-tools | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| trivy: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 ##v4.2.2 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf ##v45.0.4 | |
| with: | |
| dir_names: true | |
| dir_names_exclude_current_dir: true | |
| - name: List of changed files | |
| run: | | |
| mkdir -p .trivy | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| cp -r $file .trivy | true | |
| done | |
| ls .trivy -latr | |
| - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 ##0.28.0 | |
| with: | |
| scan-type: 'config' | |
| scan-ref: '.trivy' | |
| trivy-config: './config/trivy.yaml' | |
| tfsec: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 ##v4.2.2 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf ##v45.0.4 | |
| with: | |
| dir_names: true | |
| dir_names_exclude_current_dir: true | |
| - name: List of changed files | |
| run: | | |
| mkdir -p .tfsec | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| cp -r $file .tfsec | true | |
| done | |
| ls .tfsec -latr | |
| - uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 ##v1.0.3 | |
| with: | |
| working_directory: .tfsec | |
| soft_fail: true | |
| github_token: ${{ github.token }} | |
| additional_args: --force-all-dirs -m=HIGH -e=github-repositories-private,github-branch_protections-require_signed_commits,github-actions-no-plain-text-action-secrets,aws-iam-no-policy-wildcards,aws-ecr-enforce-immutable-repository,aws-rds-enable-performance-insights-encryption,aws-s3-encryption-customer-key,aws-sqs-enable-queue-encryption | |
| tflint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 ##v4.2.2 | |
| - uses: actions/cache@v4 | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: tflint-${{ hashFiles('.tflint.hcl') }} | |
| - uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e ##v4.1.0 | |
| - run: tflint --init -c $(realpath .tflint.hcl) | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting | |
| - run: rm -r namespace-resources-cli-template # remove the template from being linted | |
| - run: rm -r cmd/ # remove the templates in the cmd directory from being linted | |
| - run: tflint -c $(realpath .tflint.hcl) -f compact --recursive --only=terraform_comment_syntax --only=terraform_deprecated_index --only=terraform_deprecated_interpolation --only=terraform_documented_outputs --only=terraform_empty_list_equality --only=terraform_module_pinned_source --only=terraform_module_version --only=terraform_required_providers --only=terraform_required_version --only=terraform_unused_required_providers --only=terraform_workspace_remote # enable rules that pass at the current time only, whilst the others are rectified on multiple namespaces (see: https://github.com/terraform-linters/tflint-ruleset-terraform/tree/main/docs/rules) |