From f12e412183f9ced06a610d4759659ebaaf133e2d Mon Sep 17 00:00:00 2001 From: Honest Bot Date: Wed, 18 Dec 2024 03:21:12 +0000 Subject: [PATCH] ci: synced file(s) with honestbank/.github --- .github/workflows/checkov.yaml | 34 ++++++++++++++++++++++++++++++ .github/workflows/semantic-pr.yaml | 6 +++--- .github/workflows/terraform.yaml | 33 +++++++++++++++++++++++++++++ .github/workflows/terratest.yaml | 30 ++++++++++++++++++++++++++ .github/workflows/trivy.yaml | 30 ++++++++++++++++++++++++++ 5 files changed, 130 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/checkov.yaml create mode 100644 .github/workflows/terraform.yaml create mode 100644 .github/workflows/terratest.yaml create mode 100644 .github/workflows/trivy.yaml diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml new file mode 100644 index 0000000..ccec113 --- /dev/null +++ b/.github/workflows/checkov.yaml @@ -0,0 +1,34 @@ +name: "Checkov GitHub Action" +permissions: read-all + +on: + pull_request: + branches: [test, dev, qa, prod, main] + +jobs: + checkov: + name: checkov + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: "recursive" + token: ${{ secrets.GITHUB_TOKEN }} + - name: Create empty baseline (if needed) + run: | + if [ -f .checkov.baseline ]; then + echo "⏩⏩⏩ Baseline file exists - do nothing." + else + echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file." + echo "{}" >> .checkov.baseline + fi + - name: Output baseline contents to console + run: | + echo "Checkov baseline file (.checkov.baseline) contents:" + cat .checkov.baseline + - name: Run Checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + config_file: ".checkov.yaml" diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 41441c9..3627556 100644 --- a/.github/workflows/semantic-pr.yaml +++ b/.github/workflows/semantic-pr.yaml @@ -4,7 +4,7 @@ # Use this workflow for public repos, since public repos cannot access our internal # workflows repo. --- -name: repository-semantic-pr +name: public-semantic-pr permissions: contents: write pull-requests: write @@ -18,8 +18,8 @@ on: - synchronize jobs: - repository-semantic-pr: - name: repository-semantic-pr + public-semantic-pr: + name: public-semantic-pr runs-on: ubuntu-latest steps: - uses: amannn/action-semantic-pull-request@v4 diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml new file mode 100644 index 0000000..cbdc29f --- /dev/null +++ b/.github/workflows/terraform.yaml @@ -0,0 +1,33 @@ +name: "Terraform GitHub Action" +on: + pull_request: + # This workflow is meant for public Terraform module repositories + # which are generally component modules that follow trunk-based development. + branches: [main] +jobs: + terraform: + name: "terraform" + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: "recursive" + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + - name: Terraform Format + id: fmt + run: terraform fmt + continue-on-error: true + - name: Terraform Init + id: init + run: terraform init + - name: Terraform Validate + id: validate + run: terraform validate -no-color + - name: Terraform Plan + id: plan + run: terraform plan -no-color + continue-on-error: true diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml new file mode 100644 index 0000000..05041b1 --- /dev/null +++ b/.github/workflows/terratest.yaml @@ -0,0 +1,30 @@ +name: "Terratest GitHub Action" +on: + pull_request: + branches: [test, dev, qa, prod, main] + push: + branches: [test, dev, qa, prod, main] +env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }} + AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }} + AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }} +jobs: + terratest: + name: terratest + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: true + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: 1.20 + id: go + - name: Run 'go test -v -timeout 60m' + run: | + cd test + go mod download + go test -v -timeout 30m diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000..65b1627 --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,30 @@ +--- +name: Trivy Security Scan + +# permissions required for the action, restricting to read-only for repository contents. +permissions: + contents: read + +on: + pull_request: + branches: + - main + +jobs: + trivy-security-scan: + name: Run Trivy Security Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + submodules: "recursive" # Ensure any submodules are included in the scan. + token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} + + # Run Trivy Configuration Scan with specified options. + - name: Run Trivy Security Scan + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'config' + trivy-config: 'trivy.yaml'