Skip to content
Plan all projects

Bump bridgecrewio/checkov-action from 12.2697.0 to 12.2702.0 #131

Sign in to view logs

Bump bridgecrewio/checkov-action from 12.2697.0 to 12.2702.0

Bump bridgecrewio/checkov-action from 12.2697.0 to 12.2702.0 #131

Workflow file for this run

.github/workflows/plan.yml at 060a3ae
name: Plan all projects
on:
push:
paths-ignore:
- "scripts/**"
branches: ["main"]
workflow_dispatch:
env:
TF_VAR_workload_identity_provider_name: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
TF_VAR_workload_identity_pool_id: ${{ secrets.WORKLOAD_IDENTITY_POOL_ID }}
TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }}
TF_VAR_sa_email: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
TF_VAR_local_user: ${{ secrets.LOCAL_USER_EMAIL_ADDRESS }}
TF_IN_AUTOMATION: true
TF_INPUT: false
CLOUDSDK_CORE_PROJECT: ${{ secrets.GCP_PROJECT_ID }}
TF_STATE_BUCKET: ${{ secrets.TERRAFORM_STATE_BUCKET }}
permissions:
id-token: write
jobs:
build-matrix:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build directory matrix
id: build-matrix
run: |
./scripts/build-project-matrix.sh > "${GITHUB_OUTPUT}"
outputs:
project_directories: ${{ steps.build-matrix.outputs.project_directories }}
compliance-scan:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@v12.2702.0
with:
framework: terraform
# we are fine with Google's Keys
# we are fine with basic roles (no org), we are fine with our own module
# TODO: extract to exact line of TF code
skip_check: CKV_GCP_84,CKV_GIT_4,CKV_GCP_117,CKV_TF_1,CKV2_GCP_18
output_format: cli
download_external_modules: true
lint:
runs-on: ubuntu-22.04
needs: build-matrix
strategy:
matrix:
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }}
defaults:
run:
working-directory: ${{ matrix.project }}
steps:
- uses: actions/checkout@v4
- uses: terraform-linters/setup-tflint@v4
name: Setting up TFLint
with:
tflint_version: v0.50.3
- name: Initializing TFLint
run: tflint --init
- name: Linting
run: tflint -f compact --disable-rule=terraform_module_pinned_source --recursive
qa:
runs-on: ubuntu-22.04
needs: build-matrix
strategy:
matrix:
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }}
defaults:
run:
working-directory: ${{ matrix.project }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticating
uses: google-github-actions/auth@v2.1.2
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
- name: Setting up GCP environment
uses: google-github-actions/setup-gcloud@v2.1.0
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform Init
run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
- name: Terraform Format
run: terraform fmt -check -recursive
plan:
runs-on: ubuntu-22.04
needs:
- build-matrix
- qa
- lint
- compliance-scan
strategy:
matrix:
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }}
defaults:
run:
working-directory: ${{ matrix.project }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Authenticating
uses: google-github-actions/auth@v2.1.2
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }}
- name: Setting up GCP environment
uses: google-github-actions/setup-gcloud@v2.1.0
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform Init
run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}"
- name: Terraform Plan
run: terraform plan -no-color -out=tfplan
- name: Show Terraform Plan as Summary
run: |
{
echo "### Terraform Plan Output";
echo "\`\`\`";
terraform show -no-color tfplan;
echo "\`\`\`";
} > "${GITHUB_STEP_SUMMARY}"