
Commit 23f99b3

authored
Updated CI workflow and dependabot (#8)
1 parent 95cad94 commit 23f99b3


3 files changed

+55
-5
lines changed


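--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
-- package-ecosystem: "gitlab-actions"
+- package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"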

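--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -12,6 +12,8 @@ jobs:
 validate:
 name: Validate
 runs-on: ubuntu-latest
+permissions:
+pull-requests: write
 strategy:
 fail-fast: true
 matrix:
@@ -50,6 +52,8 @@ jobs:
 tflint:
 name: tflint
 runs-on: ubuntu-latest
+permissions:
+pull-requests: write
 needs: [validate]
 steps:
 - name: Checkout code
@@ -62,7 +66,7 @@ jobs:
 - uses: terraform-linters/setup-tflint@v2
 name: Setup TFLint
 with:
-github_token: ${{ secrets.GITHUB_TOKEN }}
+github_token: ${{ github.token }}
 tflint_version: latest
 - name: Run TFLint
 run: |
@@ -72,6 +76,8 @@ jobs:
 tfsec:
 name: tfsec
 runs-on: ubuntu-latest
+permissions:
+pull-requests: write
 needs: [validate]
 steps:
 - name: Checkout code
@@ -83,13 +89,13 @@ jobs:
 version: "latest"
 
 caller-identity-check:
-if: ${{ github.event_name == 'pull_request' }}
+if: contains(github.event_name, 'pull_request')
+runs-on: ubuntu-latest
 name: Return the IAM user
 needs: [validate, tflint, tfsec]
 permissions:
 contents: read
 id-token: write
-runs-on: ubuntu-latest
 steps:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v1
@@ -100,13 +106,14 @@ jobs:
 aws sts get-caller-identity
 
 auto-approve:
-if: ${{ github.event_name == 'pull_request' }}
+if: contains(github.event_name, 'pull_request')
 runs-on: ubuntu-latest
 needs: [validate, tfsec, caller-identity-check]
 steps:
 - name: Auto Approve PR
 uses: actions/github-script@v6
 with:
+github-token: ${{ github.token }}
 script: |
 github.rest.pulls.createReview({
 owner: context.repo.owner,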
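Review bot: `if: contains(github.event_name, 'pull_request')` on the `caller-identity-check` and `auto-approve` jobs is broader than the `== 'pull_request'` it replaces: it also matches `pull_request_target`, `pull_request_review` and `pull_request_review_comment`, and under `pull_request_target` the auto-approve step would run with a write-capable token against a PR opened from a fork. Whether the workflow's `on:` block (outside these hunks) lists any of those events cannot be seen here; if plain `pull_request` is all that is intended, keep `if: github.event_name == 'pull_request'`, otherwise enumerate the intended events explicitly. Separately, the new `pull-requests: write` grants on `validate`, `tflint` and `tfsec` (first, second and fourth hunks) have no visible consumer — the only token use in those jobs is `setup-tflint`'s `github_token`, which needs no pull-request scope — and a job-level `permissions:` block sets every unlisted scope, including `contents`, to none, so `contents: read` may be what those jobs actually need. The `auto-approve` job, which does call `pulls.createReview`, is the one job in this diff left without a `permissions:` block, and `github-token: ${{ github.token }}` is already github-script's default, so that added line changes nothing.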

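--- /dev/null
+++ b/.github/workflows/tfsec.yaml
@@ -0,0 +1,43 @@
+name: tfsec
+
+on:
+push:
+branches: [ "main" ]
+pull_request:
+branches: [ "main" ]
+schedule:
+- cron: '33 21 * * 1'
+
+jobs:
+tfsec:
+name: Run tfsec sarif report
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+steps:
+- name: Clone repo
+uses: actions/checkout@v3
+- name: Run tfsec
+uses: aquasecurity/tfsec-sarif-action@master
+with:
+sarif_file: tfsec.sarif
+- name: Upload SARIF file
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: tfsec.sarif
+
+remote:
+name: Remote exmaple test
+runs-on: ubuntu-latest
+steps:
+- name: Clone repo
+uses: actions/checkout@v3
+- name: Setup Terraform
+uses: hashicorp/setup-terraform@v2
+- name: Exmaple Remote Validate
+run: |
+cd exmaples/remote
+terraform init -backend=false -upgrade -reconfigure
+terraform validate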
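Review bot: `uses: aquasecurity/tfsec-sarif-action@master` in the `tfsec` job pins the action to a mutable branch, so any push to that branch changes what runs in this workflow with `security-events: write`; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/tfsec-sarif-action@<pinned-commit-sha> # <release-tag>`, which the `github-actions` Dependabot entry from this commit can then bump, unlike a branch ref. The `remote` job has no `permissions:` block and so runs with the repository's default token permissions although it only clones and validates; a job-level `permissions:` with `contents: read` (or a top-level `permissions: contents: read` for the whole workflow) would match the least-privilege shape the `tfsec` job already uses. The step names `Remote exmaple test` and `Exmaple Remote Validate` look like typos of "example"; `cd exmaples/remote` may be the directory's real name, so check it against the repository before renaming it.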
