Skip to content

chore(deps): update aquasecurity/trivy-action action to v0.26.0 #512

chore(deps): update aquasecurity/trivy-action action to v0.26.0

chore(deps): update aquasecurity/trivy-action action to v0.26.0 #512

name: plan
on:
pull_request:
branches:
- main
permissions:
contents: read
jobs:
validate:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
show-progress: false
- name: Setup Teraform
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Prettify
run: terraform fmt -check
continue-on-error: true
- name: Initialise
run: terraform init
- name: Validate
run: terraform validate -no-color
tflint:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
show-progress: false
- name: Cache Plugins
uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
with:
path: ~/.tflint.d/plugins
key: tflint-${{ hashFiles('.tflint.hcl') }}
- name: Setup TFLint
uses: terraform-linters/setup-tflint@19a52fbac37dacb22a09518e4ef6ee234f2d4987 # v4.0.0
with:
tflint_version: v0.50.3
- name: Initialise
run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Lint
run: tflint -f compact
trivy:
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
env:
trivy_sarif: trivy.sarif
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
show-progress: false
- name: Run with SARIF Output
uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb # 0.26.0
with:
scan-type: "fs"
format: "sarif"
output: ${{ env.trivy_sarif }}
- name: Report via GitHub CodeQL
uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
with:
sarif_file: ${{ env.trivy_sarif }}
terraform-cloud-speculative-run:
needs: [validate,tflint,trivy]
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
env:
TF_CLOUD_ORGANIZATION: "grendel-consulting"
TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
TF_WORKSPACE: "cloud-factory"
CONFIG_DIRECTORY: "./"
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
show-progress: false
- name: Configure Terraform Cloud
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1
id: upload
with:
workspace: ${{ env.TF_WORKSPACE }}
directory: ${{ env.CONFIG_DIRECTORY }}
speculative: true
- name: Trigger a Terraform Cloud Run
uses: hashicorp/tfc-workflows-github/actions/create-run@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1
id: run
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.upload.outputs.configuration_version_id }}
plan_only: true
- name: Fetch the Plan Output
uses: hashicorp/tfc-workflows-github/actions/plan-output@5bd1031f2e8da1d8db16b35519ecc5b15a99cf20 # v1.3.1
id: plan-output
with:
plan: ${{ steps.run.outputs.plan_id }}
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: github.event_name == 'pull_request'
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
})
const output = `#### Terraform Cloud Plan Output
Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
[Terraform Cloud Plan](${{ steps.run.outputs.run_link }})
`
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
}