Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: synced file(s) with honestbank/.github
- Loading branch information
1 parent
33f7582
commit f12e412
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| name: "Checkov GitHub Action" | ||
| permissions: read-all | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [test, dev, qa, prod, main] | ||
|
|
||
| jobs: | ||
| checkov: | ||
| name: checkov | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| submodules: "recursive" | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Create empty baseline (if needed) | ||
| run: | | ||
| if [ -f .checkov.baseline ]; then | ||
| echo "⏩⏩⏩ Baseline file exists - do nothing." | ||
| else | ||
| echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file." | ||
| echo "{}" >> .checkov.baseline | ||
| fi | ||
| - name: Output baseline contents to console | ||
| run: | | ||
| echo "Checkov baseline file (.checkov.baseline) contents:" | ||
| cat .checkov.baseline | ||
| - name: Run Checkov | ||
| id: checkov | ||
| uses: bridgecrewio/checkov-action@master | ||
| with: | ||
| config_file: ".checkov.yaml" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| name: "Terraform GitHub Action" | ||
|
Check failure on line 1 in .github/workflows/terraform.yaml
|
||
| on: | ||
| pull_request: | ||
| # This workflow is meant for public Terraform module repositories | ||
| # which are generally component modules that follow trunk-based development. | ||
| branches: [main] | ||
| jobs: | ||
| terraform: | ||
| name: "terraform" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: "recursive" | ||
| - name: Set up Terraform | ||
| uses: hashicorp/setup-terraform@v3 | ||
| with: | ||
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | ||
| - name: Terraform Format | ||
| id: fmt | ||
| run: terraform fmt | ||
| continue-on-error: true | ||
| - name: Terraform Init | ||
| id: init | ||
| run: terraform init | ||
| - name: Terraform Validate | ||
| id: validate | ||
| run: terraform validate -no-color | ||
| - name: Terraform Plan | ||
| id: plan | ||
| run: terraform plan -no-color | ||
| continue-on-error: true | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| name: "Terratest GitHub Action" | ||
|
Check failure on line 1 in .github/workflows/terratest.yaml
|
||
| on: | ||
| pull_request: | ||
| branches: [test, dev, qa, prod, main] | ||
| push: | ||
| branches: [test, dev, qa, prod, main] | ||
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }} | ||
| AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }} | ||
| AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }} | ||
| jobs: | ||
| terratest: | ||
| name: terratest | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: true | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: 1.20 | ||
| id: go | ||
| - name: Run 'go test -v -timeout 60m' | ||
| run: | | ||
| cd test | ||
| go mod download | ||
| go test -v -timeout 30m | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| --- | ||
| name: Trivy Security Scan | ||
|
|
||
| # permissions required for the action, restricting to read-only for repository contents. | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| trivy-security-scan: | ||
| name: Run Trivy Security Scan | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: "recursive" # Ensure any submodules are included in the scan. | ||
| token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} | ||
|
|
||
| # Run Trivy Configuration Scan with specified options. | ||
| - name: Run Trivy Security Scan | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: 'config' | ||
| trivy-config: 'trivy.yaml' |