use de system permission #286
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Validate PR' | |
on: | |
- pull_request_target | |
concurrency: terraform | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
jobs: | |
terraform: | |
name: 'Terraform' | |
runs-on: ubuntu-latest | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
GITHUB_TOKEN: ${{ secrets.GH_AUTOMATION_PAT }} | |
GITHUB_OWNER: kedacore | |
GRAFANA_CLOUD_API_KEY: ${{ secrets.GRAFANA_CLOUD_API_KEY }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Checkout Pull Request | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
id: checkout | |
run: | | |
gh pr checkout ${{ github.event.number }} | |
- name: Log into Azure using OIDC | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Log into AWS using OIDC | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
aws-region: eu-west-2 | |
- name: Log into GCP using OIDC | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
- name: Setup Terraform | |
uses: hashicorp/[email protected] | |
- name: Setup TFLint | |
uses: terraform-linters/setup-tflint@v4 | |
- name: Terraform Format | |
id: fmt | |
run: terraform fmt -recursive -check | |
continue-on-error: true | |
working-directory: terraform | |
- name: Init TFLint | |
run: tflint --init | |
working-directory: terraform | |
- name: Run TFLint | |
run: tflint -f compact | |
id: lint | |
continue-on-error: true | |
working-directory: terraform | |
- name: Terraform Init | |
id: init | |
run: | | |
terraform init \ | |
-backend-config=storage_account_name=${{ secrets.BACKEND_STORAGE_ACCOUNT_NAME}} \ | |
-backend-config=container_name=${{ secrets.BACKEND_STORAGE_CONTAINER_NAME}} \ | |
-backend-config=resource_group_name=${{ secrets.BACKEND_STORAGE_RESOURCE_GROUP_NAME}} \ | |
-backend-config=subscription_id="$ARM_SUBSCRIPTION_ID" | |
working-directory: terraform | |
- name: Terraform Validate | |
id: validate | |
run: terraform validate -no-color | |
working-directory: terraform | |
- name: Terraform Plan | |
id: plan | |
run: terraform plan -no-color -input=false | |
continue-on-error: true | |
working-directory: terraform | |
- name: Create the plan summary | |
uses: actions/github-script@v7 | |
if: always() | |
id: summary | |
env: | |
PLAN: '${{ steps.plan.outputs.stdout }}' | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
// 1. Prep the output | |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` | |
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` | |
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` | |
<details><summary>Validation Output</summary> | |
\`\`\`\n | |
${{ steps.validate.outputs.stdout }} | |
\`\`\` | |
</details> | |
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${process.env.PLAN} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}*`; | |
// 2. Set the output variable | |
const fs = require('fs'); | |
fs.writeFileSync('summary.md', output); | |
core.setOutput('summary', output); | |
- name: Write the step summary | |
if: always() | |
run: cat summary.md >> $GITHUB_STEP_SUMMARY | |
- name: Terraform Format Status | |
if: steps.fmt.outcome == 'failure' | |
run: exit 1 | |
- name: Terraform Lint Status | |
if: steps.lint.outcome == 'failure' | |
run: exit 1 | |
- name: Terraform Plan Status | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 |