Check

Merge pull request #28 from Homebrew/dependabot/github_actions/github… #78

Summary
Jobs
- OpenTofu
- Trivy
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Check
	on:
	push:
	branches:
	- main
	pull_request:

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	opentofu:
	name: OpenTofu
	runs-on: ubuntu-latest
	permissions:
	contents: read
	id-token: write
	env:
	TFC_AWS_RUN_ROLE_ARN: ${{ secrets.amazon_role }}
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716 # v1.0.5

	- name: OpenTofu fmt
	id: fmt
	run: tofu fmt -check

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
	with:
	aws-region: us-east-1
	role-to-assume: ${{ secrets.amazon_role }}

	- name: OpenTofu Init
	id: init
	run: tofu init

	- name: OpenTofu Validate
	id: validate
	env:
	GITHUB_APP_ID: ${{ secrets.TF_GH_APP }}
	GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_GH_APP_INSTALL }}
	GITHUB_APP_PEM_FILE: ${{ secrets.TF_GH_APP_PEM }}
	DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
	DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
	run: tofu validate -no-color

	- name: OpenTofu Plan
	env:
	GITHUB_APP_ID: ${{ secrets.TF_GH_APP }}
	GITHUB_APP_INSTALLATION_ID: ${{ secrets.TF_GH_APP_INSTALL }}
	GITHUB_APP_PEM_FILE: ${{ secrets.TF_GH_APP_PEM }}
	DNSIMPLE_ACCOUNT: ${{ secrets.TF_DNSIMPLE_ACCOUNT }}
	DNSIMPLE_TOKEN: ${{ secrets.TF_DNSIMPLE_TOKEN }}
	run: \|
	tofu plan -no-color -detailed-exitcode \
	-var-file .tfvars \
	-var='email_overrides=${{ secrets.email_overrides }}'

	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	permissions:
	contents: read
	actions: read
	pull-requests: write
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Run Trivy vulnerability scanner in IaC mode
	uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
	with:
	scan-type: config
	format: sarif
	output: trivy-results.sarif
	hide-progress: true
	severity: 'CRITICAL,HIGH'
	exit-code: '1'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
	with:
	name: trivy-results.sarif
	path: trivy-results.sarif

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #28 from Homebrew/dependabot/github_actions/github… #78

Workflow file

Merge pull request #28 from Homebrew/dependabot/github_actions/github… #78

Jobs

Run details

Workflow file for this run