chore(deps): update terraform hashicorp/terraform to v1.9.6 #454
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: plan | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Repo | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| show-progress: false | |
| - name: Setup Teraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
| - name: Prettify | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| - name: Initialise | |
| run: terraform init | |
| - name: Validate | |
| run: terraform validate -no-color | |
| tflint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Repo | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| show-progress: false | |
| - name: Cache Plugins | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: tflint-${{ hashFiles('.tflint.hcl') }} | |
| - name: Setup TFLint | |
| uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0 | |
| with: | |
| tflint_version: v0.50.3 | |
| - name: Initialise | |
| run: tflint --init | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Lint | |
| run: tflint -f compact | |
| trivy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| env: | |
| trivy_sarif: trivy.sarif | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Repo | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| show-progress: false | |
| - name: Run with SARIF Output | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| with: | |
| scan-type: "fs" | |
| format: "sarif" | |
| output: ${{ env.trivy_sarif }} | |
| - name: Report via GitHub CodeQL | |
| uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7 | |
| with: | |
| sarif_file: ${{ env.trivy_sarif }} | |
| terraform-cloud-speculative-run: | |
| needs: [validate,tflint,trivy] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| issues: write | |
| env: | |
| TF_CLOUD_ORGANIZATION: "grendel-consulting" | |
| TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }} | |
| TF_WORKSPACE: "cloud-factory" | |
| CONFIG_DIRECTORY: "./" | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout Repo | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| show-progress: false | |
| - name: Configure Terraform Cloud | |
| uses: hashicorp/tfc-workflows-github/actions/upload-configuration@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1 | |
| id: upload | |
| with: | |
| workspace: ${{ env.TF_WORKSPACE }} | |
| directory: ${{ env.CONFIG_DIRECTORY }} | |
| speculative: true | |
| - name: Trigger a Terraform Cloud Run | |
| uses: hashicorp/tfc-workflows-github/actions/create-run@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1 | |
| id: run | |
| with: | |
| workspace: ${{ env.TF_WORKSPACE }} | |
| configuration_version: ${{ steps.upload.outputs.configuration_version_id }} | |
| plan_only: true | |
| - name: Fetch the Plan Output | |
| uses: hashicorp/tfc-workflows-github/actions/plan-output@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1 | |
| id: plan-output | |
| with: | |
| plan: ${{ steps.run.outputs.plan_id }} | |
| - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| if: github.event_name == 'pull_request' | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| // 1. Retrieve existing bot comments for the PR | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output') | |
| }) | |
| const output = `#### Terraform Cloud Plan Output | |
| Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy. | |
| [Terraform Cloud Plan](${{ steps.run.outputs.run_link }}) | |
| ` | |
| // 3. If we have a comment, update it, otherwise create a new one | |
| if (botComment) { | |
| github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } else { | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| } |