Skip to content

Merge pull request #14 from Homebrew/dependabot-update #24

Merge pull request #14 from Homebrew/dependabot-update

Merge pull request #14 from Homebrew/dependabot-update #24

Workflow file for this run

name: Check
on:
push:
branches:
- main
pull_request:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
opentofu:
name: OpenTofu
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
TFC_AWS_RUN_ROLE_ARN: ${{ secrets.amazon_role }}
steps:
- uses: actions/checkout@v4
- uses: opentofu/setup-opentofu@v1
- name: OpenTofu fmt
id: fmt
run: tofu fmt -check
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.amazon_role }}
- name: OpenTofu Init
id: init
run: tofu init
- name: OpenTofu Validate
id: validate
run: tofu validate -no-color
- name: OpenTofu Plan
env:
GITHUB_TOKEN: ${{ secrets.TF_GH_TOKEN }}
DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
run: |
tofu plan -no-color -detailed-exitcode \
-var-file .tfvars \
-var='email_overrides=${{ secrets.email_overrides }}'
trivy:
name: Trivy
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in IaC mode
uses: aquasecurity/trivy-action@master
with:
scan-type: config
format: table
hide-progress: true
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
output: trivy.txt
exit-code: '1'
- name: Publish Trivy Output to Summary
if: always()
run: |
if [[ -s trivy.txt ]]; then
{
echo "### Security Output"
echo "<details><summary>Click to expand</summary>"
echo ""
echo '```terraform'
cat trivy.txt
echo '```'
echo "</details>"
} >> $GITHUB_STEP_SUMMARY
fi