padok-team / github-workflows Goto Github PK

View Code? Open in Web Editor NEW

1.0 5.0 0.0 77 KB

Reusable GitHub workflows

License: Apache License 2.0

github workflows

github-workflows's Introduction

github-workflows

Shared GitHub workflows, to be referenced by other Padok projects.

The following reusable workflows are available in .github/workflows:

Name	Description	Must have
`release`	Configure Release Please to automate GitHub release creation	⭐
`semantic-check`	Check that pull requests follow Conventional Commits
`terraform-docs`	Update Terraform module documentation using `terraform-docs`
`terraform-quality`	Run several linter and static analysis tools on Terraform code	⭐

Usage

To use these workflows in your project, copy files from the folders listed below, and paste them in the .github/workflows/ folder in your own repo.

global: for all your projects
terraform: useful for Terraform modules and starters

Your repo should have the following structure:

.
├── .github
│   ├── CODEOWNERS
│   └── workflows
│       ├── release.yml
│       ├── semantic-check.yml
│       ├── terraform-docs.yml
│       └── terraform-quality.yml
├── .gitignore
├── LICENSE
├── main.tf
├── README.md
├── renovate.json
└── ... (other files)

Workflow Designs

`terraform-quality` workflow

There are several tools to ensure that Terraform code is secure and follows best practices. We selected the following ones:

tfswitch make sure that the correct version of Terraform is used
terraform fmt to check the basic formatting of Terraform code
terraform validate to check the validity of Terraform code
tflint to check for code quality issues
checkov to check for security issues

The following tools were considered but ultimately not included:

tfsec is redundant with checkov, and from Padok's experience, the latter is more reliable
terrascan has not been tested by Padok yet
terraform docs is delegated to another workflow, since it could add a commit to the pull request

Feel free to suggest other tools to add to this workflow!

License

github-workflows's People

Contributors

Stargazers

Watchers

github-workflows's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

fix(deps): update google-github-actions/release-please-action digest to e4dc86b

Detected dependencies

github-actions

.github/workflows/release.yml

google-github-actions/release-please-action v4@a37ac6e4f6449ce8b3f7607e4d97d0146028dc0b

actions/checkout v4@0ad4b8fadaa221de15dcec353f45205ec38ea70b

.github/workflows/semantic-check.yml

actions/checkout v4@0ad4b8fadaa221de15dcec353f45205ec38ea70b

actions/setup-node v4@60edb5dd545a775178f52524783378180af0d1f8

.github/workflows/terraform-docs.yml

actions/checkout v4@0ad4b8fadaa221de15dcec353f45205ec38ea70b

terraform-docs/gh-actions v1.1.0@7a62208a0090636af2df1b739da46d27fd90bdc6

.github/workflows/terraform-quality.yml

actions/checkout v4@0ad4b8fadaa221de15dcec353f45205ec38ea70b

terraform-linters/setup-tflint v4@19a52fbac37dacb22a09518e4ef6ee234f2d4987

actions/checkout v4@0ad4b8fadaa221de15dcec353f45205ec38ea70b

bridgecrewio/checkov-action master

Check this box to trigger a request for Renovate to run again on this repository

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (semanticCommitTypeAll(fix))

Some feedbacks on the current lint action

I think that the ref: part is not useful, it automatically fetch the current ref I believe.

  - name: checkout
    uses: actions/checkout@v3
    with:
      fetch-depth: 0
      ref: ${{ github.event.pull_request.head.ref }}

There is no action to setup it ? Anyway, downloading the "latest", without fixing it may be a bit "dangerous", while useful (auto update, wow). I am quite mixed about this.

- name: tfswitch
run: |
 wget https://raw.githubusercontent.com/warrensbox/terraform-switcher/release/install.sh
 chmod 755 install.sh
 ./install.sh -b `pwd`/.bin
 rm install.sh
 CUSTOMBIN=`pwd`/.bin
 export PATH=$PATH:$CUSTOMBIN
 $CUSTOMBIN/tfswitch -b $CUSTOMBIN/terraform
 terraform -v

I personally don't like action which commits on the same place as human, I prefer only "blocking the PR". Indeed, if you want to iterate again on this PR, you'll have to git pull with the added commit from the workflow. This can be discussed

- name: terraform-docs
  uses: terraform-docs/[email protected]
  with:
    working-dir: .
    output-file: README.md
    output-method: inject
    git-commit-message: "docs: update terraform docs"
    git-push: "true"

More generally, I find this workflow OK for a module, but it would not function for a repo with layers, such as starters.

For example for a project I had a pattern such as

jobs:
  lint:
    runs-on: ubuntu-latest

    strategy:
    # needs a matrix to run it on all layers
      matrix:
        layer:
          - bootstrap
          - preprod-mybarnes
          - preprod-network
          - shared

    defaults:
      run:
        working-directory: terraform/layers/${{ matrix.layer }}

    steps:
      - uses: actions/checkout@v3

      - uses: hashicorp/setup-terraform@v2
        with:

It was not ideal since the layers list is static, but It might be a interesting use case. Does github remote workflows supports this kind of specific usage (custom workdir based on a matrix, dynamic matrix) ?

Watch and/or create tfswitch GitHub Action

warrensbox/terraform-switcher#175

tfswitch step does not working anymore

Ma CI/CD ne fonctionne plus sans aucun changement

name: Terraform quality

on: push

jobs:
  terraform-quality:
    uses: padok-team/github-workflows/.github/workflows/terraform-quality.yml@v1
    with:
      workdir: ./starters/terraform/layers