Bump bridgecrewio/checkov-action from 12.2717.0 to 12.2726.0 #146
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Plan all projects | |
on: | |
push: | |
paths-ignore: | |
- "scripts/**" | |
branches: ["main"] | |
workflow_dispatch: | |
env: | |
TF_VAR_workload_identity_provider_name: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} | |
TF_VAR_workload_identity_pool_id: ${{ secrets.WORKLOAD_IDENTITY_POOL_ID }} | |
TF_VAR_project_id: ${{ secrets.GCP_PROJECT_ID }} | |
TF_VAR_sa_email: ${{ secrets.CICD_SA_EMAIL_ADDRESS }} | |
TF_VAR_local_user: ${{ secrets.LOCAL_USER_EMAIL_ADDRESS }} | |
TF_IN_AUTOMATION: true | |
TF_INPUT: false | |
CLOUDSDK_CORE_PROJECT: ${{ secrets.GCP_PROJECT_ID }} | |
TF_STATE_BUCKET: ${{ secrets.TERRAFORM_STATE_BUCKET }} | |
permissions: | |
id-token: write | |
jobs: | |
build-matrix: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Build directory matrix | |
id: build-matrix | |
run: | | |
./scripts/build-project-matrix.sh > "${GITHUB_OUTPUT}" | |
outputs: | |
project_directories: ${{ steps.build-matrix.outputs.project_directories }} | |
compliance-scan: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Run Checkov action | |
id: checkov | |
uses: bridgecrewio/checkov-action@v12.2726.0 | |
with: | |
framework: terraform | |
# we are fine with Google's Keys | |
# we are fine with basic roles (no org), we are fine with our own module | |
# TODO: extract to exact line of TF code | |
skip_check: CKV_GCP_84,CKV_GIT_4,CKV_GCP_117,CKV_TF_1,CKV2_GCP_18 | |
output_format: cli | |
download_external_modules: true | |
lint: | |
runs-on: ubuntu-22.04 | |
needs: build-matrix | |
strategy: | |
matrix: | |
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }} | |
defaults: | |
run: | |
working-directory: ${{ matrix.project }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: terraform-linters/setup-tflint@v4 | |
name: Setting up TFLint | |
with: | |
tflint_version: v0.50.3 | |
- name: Initializing TFLint | |
run: tflint --init | |
- name: Linting | |
run: tflint -f compact --disable-rule=terraform_module_pinned_source --recursive | |
qa: | |
runs-on: ubuntu-22.04 | |
needs: build-matrix | |
strategy: | |
matrix: | |
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }} | |
defaults: | |
run: | |
working-directory: ${{ matrix.project }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Authenticating | |
uses: google-github-actions/auth@v2.1.2 | |
with: | |
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }} | |
- name: Setting up GCP environment | |
uses: google-github-actions/setup-gcloud@v2.1.0 | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: "~> 1.8.0" | |
- name: Terraform Init | |
run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" | |
- name: Terraform Format | |
run: terraform fmt -check -recursive | |
plan: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-matrix | |
strategy: | |
matrix: | |
project: ${{ fromJson(needs.build-matrix.outputs.project_directories ) }} | |
defaults: | |
run: | |
working-directory: ${{ matrix.project }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Authenticating | |
uses: google-github-actions/auth@v2.1.2 | |
with: | |
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: ${{ secrets.CICD_SA_EMAIL_ADDRESS }} | |
- name: Setting up GCP environment | |
uses: google-github-actions/setup-gcloud@v2.1.0 | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: "~> 1.8.0" | |
- name: Terraform Init | |
run: terraform init -backend-config="bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}" | |
- name: Terraform Plan | |
run: terraform plan -no-color -out=tfplan | |
- name: Show Terraform Plan as Summary | |
run: | | |
{ | |
echo "### Terraform Plan Output"; | |
echo "\`\`\`"; | |
terraform show -no-color tfplan; | |
echo "\`\`\`"; | |
} > "${GITHUB_STEP_SUMMARY}" |