-
-
Notifications
You must be signed in to change notification settings - Fork 0
86 lines (75 loc) · 2.06 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
name: Check
on:
push:
branches:
- main
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
opentofu:
name: OpenTofu
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
TFC_AWS_RUN_ROLE_ARN: ${{ secrets.amazon_role }}
steps:
- uses: actions/checkout@v4
- uses: opentofu/setup-opentofu@v1
- name: OpenTofu fmt
id: fmt
run: tofu fmt -check
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.amazon_role }}
- name: OpenTofu Init
id: init
run: tofu init
- name: OpenTofu Validate
id: validate
run: tofu validate -no-color
- name: OpenTofu Plan
env:
GITHUB_TOKEN: ${{ secrets.TF_GH_TOKEN }}
DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
run: tofu plan -no-color -var-file .tfvars -detailed-exitcode
trivy:
name: Trivy
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: config
format: table
hide-progress: true
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
output: trivy.txt
exit-code: '1'
- name: Publish Trivy Output to Summary
if: always()
run: |
if [[ -s trivy.txt ]]; then
{
echo "### Security Output"
echo "<details><summary>Click to expand</summary>"
echo ""
echo '```terraform'
cat trivy.txt
echo '```'
echo "</details>"
} >> $GITHUB_STEP_SUMMARY
fi