From 255158b49849ad0faa9328224219834feb406a69 Mon Sep 17 00:00:00 2001
From: James Armes
Date: Fri, 11 Oct 2024 15:09:33 -0400
Subject: [PATCH] ci: Added GitHub Actions workflows.
---
 .github/workflows/branch.yaml | 46 +++++++++++++
 .github/workflows/codeql-analysis.yaml | 47 +++++++++++++
 .github/workflows/main.yaml | 46 +++++++++++++
 .github/workflows/release.yaml | 95 ++++++++++++++++++++++++++
 4 files changed, 234 insertions(+)
 create mode 100644 .github/workflows/branch.yaml
 create mode 100644 .github/workflows/codeql-analysis.yaml
 create mode 100644 .github/workflows/main.yaml
 create mode 100644 .github/workflows/release.yaml
diff --git a/.github/workflows/branch.yaml b/.github/workflows/branch.yaml
new file mode 100644
index 0000000..d893dd8
--- /dev/null
+++ b/.github/workflows/branch.yaml
@@ -0,0 +1,46 @@
+name: Branch Checks
+
+on:
+ push:
+ branches-ignore:
+ - main
+
+jobs:
+ lint:
+ name: Lint updated files
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - uses: actions/cache@v4
+ name: Cache plugin directory
+ with:
+ path: ~/.tflint.d/plugins
+ key: tflint-${{ hashFiles('.tflint.hcl') }}
+ - uses: terraform-linters/setup-tflint@v4
+ name: Setup TFLint
+ - name: Show version
+ run: tflint --version
+ - name: Init TFLint
+ run: tflint --init
+ - name: Run TFLint
+ run: tflint --format compact --recursive
+
+ trivy:
+ name: Run security scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnarability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: config
+ format: sarif
+ output: "trivy-results.sarif"
+ - name: Parse SARIF file
+ # Always run this step, even if a previous step failed.
+ if: always()
+ uses: Ayrx/sarif_to_github_annotations@v0.2.2
+ with:
+ sarif_file: "trivy-results.sarif"
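Review bot: `uses: aquasecurity/trivy-action@master` in the trivy job floats on a mutable branch, so each run executes whatever the upstream default branch holds at that moment; pin it to a release tag or, preferably, a full commit SHA with the tag in a trailing comment (`uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`), and the same applies to the trivy-action reference in main.yaml and to `commitizen-tools/commitizen-action@master` in release.yaml. The workflow declares no `permissions:` block, so the job token inherits the repository default; both jobs appear to need only read access to the checkout, so a top-level `permissions: contents: read` would make that explicit. As far as I recall trivy-action's `exit-code` input defaults to 0, so configuration findings only surface as annotations and never fail the check — set `exit-code: '1'` (optionally with `severity`) if the scan is meant to gate the branch. The step name `Run Trivy vulnarability scanner` has a typo: `vulnerability`.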
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
new file mode 100644
index 0000000..04ac6d2
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yaml
@@ -0,0 +1,47 @@
+name: CodeQL
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: '45 13 * * *'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+ # Using "javascript" to scan JSON and YAML files.
+ language: [ 'javascript' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ queries: security-extended,security-and-quality
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 0000000..78b68cd
--- /dev/null
+++ b/.github/workflows/main.yaml
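Review bot: The comment block above `queries: security-extended,security-and-quality` (the "If you wish to specify custom queries …" paragraph and the "Details on CodeQL's query packs" link) is the unedited text from the CodeQL starter template and describes options this workflow does not use; replace it with one line stating the choice actually made, e.g. `# Run the security-extended and security-and-quality packs in addition to the default queries.`. The single-entry `strategy`/`matrix` wrapper around `language: [ 'javascript' ]` is more structure than the job needs unless more languages are planned, though the comment explaining why `javascript` is used for JSON and YAML is worth keeping. The job-level `permissions` scoped to `security-events: write` is the right shape and is the model the other three workflows in this commit should follow.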
@@ -0,0 +1,46 @@
+name: Main Checks
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ lint:
+ name: Lint updated modules
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - uses: actions/cache@v4
+ name: Cache plugin directory
+ with:
+ path: ~/.tflint.d/plugins
+ key: tflint-${{ hashFiles('.tflint.hcl') }}
+ - uses: terraform-linters/setup-tflint@v4
+ name: Setup TFLint
+ - name: Show version
+ run: tflint --version
+ - name: Init TFLint
+ run: tflint --init
+ - name: Run TFLint
+ run: tflint --format compact --recursive
+
+ trivy:
+ name: Run security scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - name: Run Trivy vulnarability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: config
+ format: sarif
+ output: "trivy-results.sarif"
+ - name: Upload SARIF result
+ # Always run this step, even if a previous step failed.
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..5745fca
--- /dev/null
+++ b/.github/workflows/release.yaml
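Review bot: `github/codeql-action/upload-sarif@v3` in the trivy job needs `security-events: write` on the job token, but main.yaml declares no `permissions:` block, so the upload depends on the repository's default token permissions and is likely to fail where those are read-only. Add to the `trivy` job, mirroring codeql-analysis.yaml: `permissions:` / `  contents: read` / `  security-events: write`. The Trivy step is a copy of branch.yaml's, including the floating `@master` reference and the `vulnarability` typo raised there. Duplicating the TFLint and Trivy steps across both workflows invites drift; a reusable workflow (`workflow_call`) invoked from both, or one workflow whose upload step is gated with `if: github.ref == 'refs/heads/main'`, would keep a single copy.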
@@ -0,0 +1,95 @@
+name: Release New Version
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ # Builds a new release for the module by bumping the version number and
+ # generating a changelog entry. Commit the changes and open a pull request.
+ build-release:
+ name: Build new release
+ runs-on: ubuntu-latest
+ if: ${{ !startsWith(github.event.head_commit.message, 'bump:') }}
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - name: Bump version and create changelog
+ id: bump
+ uses: commitizen-tools/commitizen-action@master
+ with:
+ push: false
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ git_redirect_stderr: true
+ - name: Get the commit message
+ id: message
+ run: |
+ MESSAGE=$(git log --format=%B -n 1)
+ echo "message=${MESSAGE}" >> $GITHUB_OUTPUT
+ - name: Open a pull request for the release
+ uses: peter-evans/create-pull-request@v7
+ with:
+ branch: release-${{ steps.bump.outputs.version }}
+ title: ${{ steps.message.outputs.message }}
+
+ # Creates a new tag and GitHub release for the module.
+ release:
+ name: Release module
+ runs-on: ubuntu-latest
+ if: startsWith(github.event.head_commit.message, 'bump:')
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ - name: Get the module name
+ id: module_name
+ run: |
+ REPO_NAME="${{ github.event.repository.name }}"
+ REPO_NAME="${REPO_NAME/tofu-modules-/}"
+ MODULE_NAME="${REPO_NAME//-/_}"
+ echo "name=${MODULE_NAME}" >> $GITHUB_OUTPUT
+ - name: Get the version from the commit message
+ id: version
+ uses: actions/github-script@v7
+ with:
+ result-encoding: string
+ # Look for the last version number, expecting it to be in the format:
+ # `#.#.#-.#` where the suffix is optional.
+ script: |
+ const message = '${{ github.event.head_commit.message }}'
+ const regex = /^bump:.+(?\d+\.\d+\.\d+[\da-z.-]*) \(#\d+\)$/m
+ const version = message.match(regex).groups.version
+ console.log(version)
+ return version
+ - name: Bundle the module
+ # We create an empty file first, so that tar doesn't complain about the
+ # contents changing while it's running.
+ run: |
+ touch '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz'
+ tar \
+ --exclude='.git' \
+ --exclude='.gitignore' \
+ --exclude='.github' \
+ --exclude='.cz.yaml' \
+ --exclude='*.tar.gz' \
+ --exclude='release.md' \
+ --exclude='CODEOWNERS' \
+ --exclude='trivy.yaml' \
+ --exclude='*.env' \
+ -czf '${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz' \
+ .
+ - name: Get changelog entry
+ id: changelog
+ uses: artlaman/conventional-changelog-reader-action@v1.1.0
+ with:
+ version: ${{ steps.version.outputs.result }}
+ - name: Create release
+ uses: softprops/action-gh-release@v2
+ with:
+ body: |
+ ## ${{ steps.changelog.outputs.version }} (${{ steps.changelog.outputs.date }})
+
+ ${{ steps.changelog.outputs.changes }}
+ tag_name: ${{ steps.version.outputs.result }}
+ files: |
+ ${{ steps.module_name.outputs.name }}-${{ steps.version.outputs.result }}.tar.gz
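Review bot: `const message = '${{ github.event.head_commit.message }}'` in the `Get the version from the commit message` step splices the commit message into JavaScript source before github-script evaluates it, so a message containing a single quote ends the string literal and the remainder runs as code with the job's token; the usual remedy is to hand the value in through `env:` and read `process.env` inside the script, and `REPO_NAME="${{ github.event.repository.name }}"` in the `Get the module name` step should take the same `env:` route even though that value is far less exposed. The `Get the commit message` step writes `git log --format=%B` output with `echo "message=${MESSAGE}" >> $GITHUB_OUTPUT`, but `%B` is the full multi-line body, so any line after the first is parsed as a separate output entry rather than part of `message`; use `--format=%s` if only the subject is wanted, or the `message<<EOF` delimiter form shown below. As printed, `(?\d+\.\d+\.\d+[\da-z.-]*)` is not valid regex syntax and the named group that `.groups.version` relies on (presumably `(?<version>`) appears to have been lost — confirm the committed file still has it. `commitizen-tools/commitizen-action@master` is a floating reference, as noted for branch.yaml, and this workflow also has no `permissions:` block despite creating pull requests, tags and releases.

```yaml
      - name: Get the commit message
        id: message
        run: |
          {
            echo "message<<EOF"
            git log --format=%B -n 1
            echo "EOF"
          } >> "$GITHUB_OUTPUT"
# … unchanged: Open a pull request step, release job header, Get the module name step …
      - name: Get the version from the commit message
        id: version
        uses: actions/github-script@v7
        env:
          HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        with:
          result-encoding: string
          script: |
            const message = process.env.HEAD_COMMIT_MESSAGE
            // … unchanged: regex, match, log and return …
```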