-
Notifications
You must be signed in to change notification settings - Fork 0
134 lines (110 loc) · 4.12 KB
/
ci-pipeline.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: CI Pipeline
permissions:
contents: read
pull-requests: write
checks: write
actions: read
on:
push:
branches:
- main
pull_request:
jobs:
build-verification:
name: Build Verification
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.9.3
terraform_wrapper: false
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: 1.21
- name: Terraform Validate
run: |
terraform init -backend=false
terraform validate
working-directory: infrastructure
- name: Run Integration Tests
run: |
terraform init -backend=false
terraform test
working-directory: tests/integration-tests
- name: Run End to End Tests
run: |
go mod tidy
go test -v -timeout 60m
working-directory: tests/end-to-end-tests
env:
GOMAXPROCS: 8
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
TF_STATE_RESOURCE_GROUP: ${{ secrets.TF_STATE_RESOURCE_GROUP }}
TF_STATE_STORAGE_ACCOUNT: ${{ secrets.TF_STATE_STORAGE_ACCOUNT }}
TF_STATE_STORAGE_CONTAINER: ${{ secrets.TF_STATE_STORAGE_CONTAINER }}
static-code-analysis:
name: Static Code Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.9.3
- name: Run Terraform Format
run: terraform fmt -check
working-directory: infrastructure
- name: Run Terraform Lint
uses: terraform-linters/setup-tflint@v1
with:
tflint_version: latest
- run: tflint
- name: Install Checkov
run: sudo apt-get update && sudo apt-get install -y python3-pip && pip3 install checkov
- name: Run Checkov Scan
run: checkov --directory infrastructure --skip-path example --list
- name: Install GitLeaks
run: |
curl -sSL https://github.com/zricethezav/gitleaks/releases/download/v8.2.4/gitleaks_8.2.4_linux_x64.tar.gz | tar -xz
sudo mv gitleaks /usr/local/bin/
- name: Run GitLeaks Scan
run: gitleaks detect --source . --config .gitleaks.toml
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
- name: Run Trivy Scan
run: trivy filesystem --security-checks vuln,config --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .
publishing:
name: Publish Release
runs-on: ubuntu-latest
needs: [build-verification, static-code-analysis]
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false # Disable default GITHUB_TOKEN persistence
- name: Create Semantic Release
uses: cycjimmy/[email protected]
id: semantic-release
env:
GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
- name: Output Release Details
if: steps.semantic-release.outputs.new_release_published == 'true'
run: |
echo ${{ steps.semantic-release.outputs.new_release_version }}
echo ${{ steps.semantic-release.outputs.new_release_major_version }}
echo ${{ steps.semantic-release.outputs.new_release_minor_version }}
echo ${{ steps.semantic-release.outputs.new_release_patch_version }}