feat: CCA, container build fix, mass merge chore PR #250

Workflow file for this run

.github/workflows/governance-test.yml at 2f1de79

	---
	name: governance - test

	on:
	pull_request:
	branches:
	- main
	paths:
	- .github/workflows/governance-test.yml
	- container/**
	- porch-configs/**
	- grept-policies/**
	- managed-files/root/**
	- mapotf-configs/**
	- Makefile
	- tflint-configs/**
	- tests/**
	workflow_dispatch:
	inputs:
	conftest-aprl-url:
	description: The go-getter URL for the Azure Proactive Resiliency Library policies.
	required: false
	default: 'git::https://github.com/Azure/policy-library-avm.git//policy/Azure-Proactive-Resiliency-Library-v2?ref=main'
	type: string
	conftest-avmsec-url:
	description: The go-getter URL for the Azure AVMSec policies.
	required: false
	default: 'git::https://github.com/Azure/policy-library-avm.git//policy/avmsec?ref=main'
	type: string
	conftest-exceptions-url:
	description: The go-getter URL for the Azure AVM Exceptions policies.
	required: false
	default: 'https://raw.githubusercontent.com/Azure/policy-library-avm/main/policy/avmsec/avm_exceptions.rego.bak'
	type: string

	concurrency:
	group: governance-test-${{ github.ref }}
	cancel-in-progress: true

	env:
	CONTAINER_IMAGE: avm:test
	FORCE_COLOR: 1

	jobs:
	build-image:
	runs-on: ubuntu-latest
	# Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
	permissions:
	contents: read
	environment: avm
	steps:
	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
	id: readenv
	with:
	path: ./container/version.env

	- name: Create GitHub App Token
	id: app-token
	uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
	with:
	app-id: ${{ secrets.AVM_APP_CLIENT_ID }}
	private-key: ${{ secrets.AVM_APP_PRIVATE_KEY }}

	# This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
	- name: Extract metadata (tags, labels)
	id: meta
	uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
	with:
	images: \|
	avm
	tags: \|
	type=raw,value=test

	- name: Set up Buildx
	uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
	with:
	version: latest

	- name: Concat Dockerfiles
	run: \|
	cat Dockerfile.build Dockerfile.avm > Dockerfile
	rm -f Dockerfile.*
	working-directory: ./container

	# This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
	# It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
	# It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
	- name: Build image
	id: push
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	with:
	context: ./container
	push: false
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	build-args: \|
	${{ steps.readenv.outputs.content }}
	outputs: type=docker
	cache-from: type=gha
	cache-to: type=gha,mode=max
	github-token: ${{ steps.app-token.outputs.token }}

	- name: Export image
	run: \|
	docker image save --output ${{ runner.temp }}/test.tar ${{ env.CONTAINER_IMAGE }}

	- name: Upload artifact
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: image
	path: ${{ runner.temp }}/test.tar
	retention-days: 2

	- name: Run Trivy vulnerability scanner
	id: trivy
	uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
	with:
	image-ref: ${{ env.CONTAINER_IMAGE }}
	exit-code: 0
	ignore-unfixed: true
	hide-progress: true
	scanners: vuln
	output: trivy.txt

	- name: Publish Trivy Output to Summary
	run: \|
	if [[ -s trivy.txt ]]; then
	{
	echo "## Trivy Output"
	echo "<details><summary>Click to expand</summary>"
	echo ""
	echo '```terraform'
	cat trivy.txt
	echo '```'
	echo "</details>"
	} >> $GITHUB_STEP_SUMMARY
	fi

	test-governance:
	runs-on: ubuntu-latest
	needs: build-image
	environment: avm
	permissions:
	contents: write
	id-token: write
	env:
	CONTAINER_PULL_POLICY: never
	ARM_USE_OIDC: "true"
	ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
	ARM_SUBSCRIPTION_ID: ${{ secrets.TARGET_SUBSCRIPTION_ID }}
	ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}


	defaults:
	run:
	working-directory: ${{ matrix.module }}
	strategy:
	fail-fast: false
	matrix:
	module:
	- tests/terraform-azure-avm-res-mock
	- tests/terraform-azurerm-avm-res-mock

	steps:
	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 1
	ref: ${{ github.head_ref }} # Checkout the branch of the PR, not the default sha

	- name: Create GitHub App Token
	id: app-token
	uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
	with:
	app-id: ${{ secrets.AVM_APP_CLIENT_ID }}
	private-key: ${{ secrets.AVM_APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}

	- name: Download artifact
	uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
	with:
	name: image
	path: ${{ runner.temp }}

	- name: Load image
	run: \|
	docker image load --input ${{ runner.temp }}/test.tar

	- name: Set env vars
	run: \|
	REF=$(git rev-parse HEAD)
	echo "AVM_GREPT_URL=git::https://github.com/Azure/avm-terraform-governance.git//grept-policies?ref=${REF}" >> $GITHUB_ENV
	echo "AVM_MAKEFILE_REF=${REF}" >> $GITHUB_ENV
	echo "AVM_MANAGED_FILES_REF=${REF}" >> $GITHUB_ENV
	echo "AVM_MPTF_URL=git::https://github.com/Azure/avm-terraform-governance.git//mapotf-configs/pre-commit?ref=${REF}" >> $GITHUB_ENV
	echo "AVM_PORCH_REF=${REF}" >> $GITHUB_ENV
	echo "AVM_TFLINT_CONFIG_URL=https://raw.githubusercontent.com/Azure/avm-terraform-governance/${REF}/tflint-configs" >> $GITHUB_ENV

	- name: Set conftest URLs (if workflow_dispatch)
	if: ${{ github.event_name == 'workflow_dispatch' }}
	run: \|
	echo "AVM_CONFTEST_APRL_URL=${{ github.event.inputs.conftest-aprl-url }}" >> $GITHUB_ENV
	echo "AVM_CONFTEST_AVMSEC_URL=${{ github.event.inputs.conftest-avmsec-url }}" >> $GITHUB_ENV
	echo "AVM_CONFTEST_EXCEPTIONS_URL=${{ github.event.inputs.conftest-exceptions-url }}" >> $GITHUB_ENV

	- name: Set OIDC env vars
	run: \|
	echo "ARM_OIDC_REQUEST_TOKEN=$ACTIONS_ID_TOKEN_REQUEST_TOKEN" >> $GITHUB_ENV
	echo "ARM_OIDC_REQUEST_URL=$ACTIONS_ID_TOKEN_REQUEST_URL" >> $GITHUB_ENV

	- name: pre-commit
	run: \|
	./avm pre-commit
	git status --porcelain
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: commit and pr to this branch if changes
	id: pr
	run: \|
	if [ -z "$(git status --porcelain)" ]; then
	echo "No changes to commit."
	exit 0
	fi
	git config --global user.name "${{ vars.AVM_APP_GIT_USER_NAME }}"
	git config --global user.email "${{ vars.AVM_APP_GIT_USER_EMAIL }}"
	git checkout -b ${{ matrix.module }}${{ github.run_id }}
	git add .
	git commit -m "avm test run ${{ github.run_id }}"

	git push --set-upstream origin ${{ matrix.module }}${{ github.run_id }}
	PR_URL=$(gh pr create \
	--title "test: update mock module \`${{ matrix.module }}\` (${{ github.ref_name }})" \
	--body "This PR was created by the AVM governance test workflow after pre-commit was run. Please review if the changes should be made to the mock modules: <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}>" \
	--base ${{ github.head_ref }} \
	--repo ${{ github.repository }})
	echo "number=$(gh pr view $PR_URL --json number \| jq -r '.number')" >> "$GITHUB_OUTPUT"
	env:
	GH_TOKEN: ${{ steps.app-token.outputs.token }}

	- name: close and comment out of date prs
	if: steps.pr.outputs.number
	run: \|
	PULL_REQUESTS=$(gh pr list --base ${{ github.head_ref }} --search "test: update mock module \`${{ matrix.module }}\`" --json number,headRefName)
	echo "$PULL_REQUESTS" \| jq -r '.[] \| select(.number != ${{ steps.pr.outputs.number }}) \| .number' \| xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.number }}"
	env:
	GH_TOKEN: ${{ steps.app-token.outputs.token }}

	- name: Comment this PR
	if: steps.pr.outputs.number
	run: \|
	gh pr comment ${{ github.event.pull_request.number }} --body "This test run generated changes to the mock modules in this PR. Please review the changes and merge if appropriate, see #${{ steps.pr.outputs.number }}."
	env:
	GH_TOKEN: ${{ steps.app-token.outputs.token }}

	- name: pr-check
	run: \|
	./avm pr-check
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: test-examples
	run: \|
	./avm test-examples
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: terraform test (unit)
	run: \|
	./avm tf-test-unit
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: CCA, container build fix, mass merge chore PR #250

Workflow file

feat: CCA, container build fix, mass merge chore PR #250

Uh oh!

Jobs

Run details

Workflow file for this run