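---
# CI workflow: OpenTofu formatting check, Trivy/Kubescape scans, PR labelling,
# and (on pushes to main only) release-please plus the GitHub Pages docs build.
name: ci

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
  schedule:
    # Nightly run so the trivy/kubescape jobs pick up newly published findings
    # even when nothing is pushed.
    - cron: "0 0 * * *"

# Least-privilege default for the GITHUB_TOKEN. Jobs that do not declare their
# own `permissions` (tofu-fmt, trivy) now get a read-only token instead of the
# repository's default token scope; jobs that need more declare it explicitly.
permissions:
  contents: read

jobs:
  tofu-fmt:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step in this job needs git credentials; keep the token
          # out of .git/config so `tofu fmt` runs without it on disk.
          persist-credentials: false
      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
      - name: Tofu format
        run: |
          tofu fmt -check -recursive

  release-please:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # NOTE(review): nothing in this file consumes these outputs — keep them only
    # if another job or workflow reads them.
    outputs:
      releases_created: ${{ steps.release-please.outputs.releases_created }}
      tag_name: ${{ steps.release-please.outputs.tag_name }}
    # release-please pushes release commits/tags and opens release PRs, so it
    # is the one job that legitimately needs write scopes.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - id: release-please
        name: Release please
        uses: googleapis/release-please-action@v4
        with:
          release-type: terraform-module

  build-docs:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    # id-token: write is what lets actions/deploy-pages authenticate via OIDC;
    # no git push happens in this job, so contents stays read-only.
    permissions:
      contents: read
      pages: write
      id-token: write
    env:
      # Single source of truth for the pinned terraform-docs release; the
      # version previously appeared twice in the download URL and could drift.
      TERRAFORM_DOCS_VERSION: v0.19.0
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history — presumably needed by scripts/build-docs.sh or an
          # mkdocs plugin; TODO confirm, otherwise drop it to speed up checkout.
          fetch-depth: 0
          # The token must not be left in .git/config while requirements.txt
          # packages and scripts/build-docs.sh execute in this workspace.
          persist-credentials: false
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.x
      - name: Install dependencies
        # NOTE(review): requirements.txt is not visible here; make sure it pins
        # versions (ideally with --hash) so this step is reproducible.
        run: |
          pip install -U pip -r requirements.txt
      - name: Install Terraform docs
        # TODO(review): verify the tarball against the release's published
        # checksum before installing — a pinned version alone does not protect
        # against a replaced or tampered release asset.
        run: |
          curl -fsSLo ./terraform-docs.tar.gz "https://github.com/terraform-docs/terraform-docs/releases/download/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-$(uname)-amd64.tar.gz"
          # Extract only the binary so nothing else in the archive lands in the checkout.
          tar -xzf terraform-docs.tar.gz terraform-docs
          chmod +x terraform-docs
          mv terraform-docs /usr/local/bin/terraform-docs
      - name: Prepare the docs
        run: ./scripts/build-docs.sh
      - name: Build the docs
        run: mkdocs build
      - name: Setup Pages
        uses: actions/configure-pages@v5
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v3
        with:
          # Assumed to be the mkdocs `site_dir`; must match mkdocs.yml.
          path: mkdocs
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4

  trivy:
    runs-on: ubuntu-latest
    strategy:
      # Let the fs and config scans finish independently of each other.
      fail-fast: false
      matrix:
        scan-type:
          - fs
          - config
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run Trivy vulnerability scanner (${{ matrix.scan-type }})
        # TODO(review): `@master` is a mutable ref — pin to a release tag or a
        # full commit SHA so an upstream change cannot silently alter what runs.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: ${{ matrix.scan-type }}
          scan-ref: "."
          trivy-config: trivy.yaml
          format: "sarif"
          output: "trivy-results.sarif"
      # Results are only stored as a build artifact; they are not uploaded to
      # code scanning, so findings will not appear in the repository Security tab.
      - if: always()
        name: Upload Trivy results to Github Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results-${{ matrix.scan-type }}
          path: trivy-results.sarif

  kubescape:
    runs-on: ubuntu-latest
    # NOTE(review): security-events: write (and actions: read) are only needed
    # by a code-scanning upload step, which this job does not have — either add
    # one or drop the unused scopes.
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # TODO(review): `@main` is a mutable ref — pin to a release tag or commit SHA.
      # `continue-on-error: true` means neither findings nor scanner failures
      # ever fail this build; confirm that is intended.
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          frameworks: AllControls
          outputFile: results.sarif
          format: sarif
      - uses: actions/upload-artifact@v4
        with:
          name: kubescape-results
          path: results.sarif
          # `warn` rather than `error` because the scan step above may fail
          # without producing a SARIF file.
          if-no-files-found: warn
          retention-days: 7
          compression-level: 6
          overwrite: true

  labeler:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: PR Labeler
        # TODO(review): `@master` is a mutable ref — pin to a release tag or
        # commit SHA; this step is handed a token with pull-requests/issues write.
        uses: srvaroa/labeler@master
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        with:
          config_path: .github/labeler.yml
          # Presumably reads the config from the default branch rather than the
          # PR head, so a PR cannot rewrite its own labelling rules — confirm
          # against the action's documentation.
          use_local_config: false
          fail_on_error: false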