Skip to content

Bump actions/github-script from 6 to 7 (#33) #109

Bump actions/github-script from 6 to 7 (#33)

Bump actions/github-script from 6 to 7 (#33) #109

Workflow file for this run

name: CI
on:
pull_request:
branches:
- main
push:
branches:
- main
workflow_dispatch:
jobs:
pre-commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4
- uses: terraform-linters/setup-tflint@v4
- uses: pre-commit/[email protected]
with:
extra_args: "-a"
validate:
name: Validate
needs: [pre-commit]
runs-on: ubuntu-latest
permissions:
pull-requests: write
strategy:
fail-fast: true
matrix:
tf-version: ["1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "latest"]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ matrix.tf-version }}
- name: Terraform Init
run: |
terraform init -backend=false -upgrade -reconfigure
- name: Terraform FMT
run: |
terraform fmt -check -recursive
- name: Terraform Validate
run: |
terraform validate
- name: Terraform Version / Providers
run: |
terraform version
terraform providers
- name: Example Complete Validate
run: |
cd examples/complete
terraform init -backend=false -upgrade -reconfigure
terraform validate
- name: Example Remote Validate
run: |
cd examples/remote
terraform init -backend=false -upgrade -reconfigure
terraform validate
tfsec:
name: tfsec
if: contains(github.event_name, 'pull_request')
runs-on: ubuntu-latest
permissions:
pull-requests: write
needs: [validate]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: tfsec
id: tfsec
uses: aquasecurity/[email protected]
with:
github_token: ${{ github.token }}
tfsec_args: "--force-all-dirs --concise-output --code-theme=dark --no-color"
tfsec_version: "latest"
caller-identity-check:
if: contains(github.event_name, 'pull_request')
runs-on: ubuntu-latest
name: Return the IAM user
needs: [validate, tfsec]
permissions:
contents: read
id-token: write
steps:
- name: Configure AWS credentials
uses: aws-actions/[email protected]
with:
aws-region: ${{ secrets.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions
role-session-name: ${{ github.event.repository.name }}-${{ github.ref_type }}
- run: |
aws sts get-caller-identity
auto-approve:
if: contains(github.event_name, 'pull_request')
runs-on: ubuntu-latest
needs: [validate, tfsec, caller-identity-check]
steps:
- name: Auto Approve PR
uses: actions/github-script@v7
with:
github-token: ${{ github.token }}
script: |
github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
event: "APPROVE"
})