From 3b542f8bc0d36303dd01225bcf11934f5792b38a Mon Sep 17 00:00:00 2001
From: BillyJBryant <3013565+billyjbryant@users.noreply.github.com>
Date: Tue, 17 Feb 2026 15:01:13 -0800
Subject: [PATCH 1/3] fix(tfvalidate): Removes harden security which doesn't allow use without a community edition or enterprise agreement
---
 .github/workflows/tfvalidate.yml | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 76d1762a..5a77d262 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -31,12 +31,8 @@ jobs:
 outputs:
 matrix: ${{ steps.matrix.outputs.value }}
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit
 - name: Clone repo
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - id: matrix
@@ -60,18 +56,13 @@ jobs:
 matrix:
 terraform_dir: ${{ fromJson(needs.listaddons.outputs.matrix) }}
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit
-
 - name: Clone repo
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install terraform
- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
+ uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 with:
- terraform_version: 1.11.2
+ terraform_version: 1.14.5
 # If we want to test more of these, consider using a matrix. With a matrix of directories, all terraform modules could be fully tested and potentially in parallel.
 - name: Validate ${{ matrix.terraform_dir }} module (covers all submodules)
 working-directory: ${{ matrix.terraform_dir }}
From bf1555e146b7e8026823e6523645971b8e5d2b59 Mon Sep 17 00:00:00 2001
From: BillyJBryant <3013565+billyjbryant@users.noreply.github.com>
Date: Wed, 18 Feb 2026 17:01:56 -0800
Subject: [PATCH 2/3] feat(tfvalidate): optional harden runner, PR validation status comment
- Make step-security/harden-runner optional via vars.TFVALIDATE_USE_HARDEN_RUNNER
- Add PR comment with validation status using peter-evans/find-comment and create-or-update-comment
- Build comment body with gh/jq in tfvalidate job step
---
 .github/workflows/tfvalidate.yml | 76 ++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 5a77d262..227d9c03 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -23,7 +23,9 @@ defaults:
 permissions:
 contents: read
+ pull-requests: write
+# Set repository variable TFVALIDATE_USE_HARDEN_RUNNER = 'true' to enable step-security/harden-runner; unset or other = skip (forks work without it).
 jobs:
 listaddons:
 name: list terraform addon directories
@@ -31,6 +33,12 @@ jobs:
 outputs:
 matrix: ${{ steps.matrix.outputs.value }}
 steps:
+ - name: Harden Runner
+ if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Clone repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -56,6 +64,12 @@ jobs:
 matrix:
 terraform_dir: ${{ fromJson(needs.listaddons.outputs.matrix) }}
 steps:
+ - name: Harden Runner
+ if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Clone repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
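Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block in the first hunk, so every job — including the matrix validate jobs that run `terraform init` and third-party actions — now receives a write-capable GITHUB_TOKEN, while only the steps that post the status comment need it. Move the grant to a job-level `permissions:` on the job that comments and leave the workflow default at `contents: read`. Separately, on `pull_request` events from a fork the token is read-only regardless of this block, so the comment steps will fail there unless guarded (`continue-on-error: true` or an `if:` on `github.event.pull_request.head.repo.full_name == github.repository`); the new header comment says forks work without harden-runner but does not mention this.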
@@ -69,3 +83,65 @@ jobs:
 run: |
 terraform init -backend=false
 terraform validate
+
+ - name: Build validation status comment
+ if: github.event_name == 'pull_request'
+ id: comment-body
+ run: |
+ run_url="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+ jobs_json=$(gh run view "$GITHUB_RUN_ID" --json jobs)
+ listaddons_ok=$(echo "$jobs_json" | jq -r '[.jobs[] | select(.name == "list terraform addon directories")] | if length > 0 then (.[0].conclusion // "pending") else "skip" end')
+ tfvalidate_jobs=$(echo "$jobs_json" | jq -r '.jobs[] | select(.name | startswith("terraform validate")) | "\(.name)|\(.conclusion // "pending")"')
+ all_ok="true"
+ [[ "$listaddons_ok" != "success" && "$listaddons_ok" != "skip" ]] && all_ok="false"
+ while IFS= read -r line; do
+ [[ -z "$line" ]] && continue
+ concl="${line#*|}"
+ [[ "$concl" != "success" ]] && all_ok="false"
+ done <<< "$tfvalidate_jobs"
+ if [[ "$all_ok" == "true" && "$listaddons_ok" == "success" ]]; then
+ emoji="✅"
+ status="**Terraform validation: success**"
+ else
+ emoji="❌"
+ status="**Terraform validation: failed**"
+ fi
+ {
+ echo ""
+ echo "$emoji $status"
+ echo ""
+ echo "| Module / step | Status |"
+ echo "|---------------|--------|"
+ if [[ "$listaddons_ok" != "skip" ]]; then
+ lo_icon=$([[ "$listaddons_ok" == "success" ]] && echo "✅" || echo "❌")
+ echo "| list addon directories | $lo_icon $listaddons_ok |"
+ fi
+ while IFS= read -r line; do
+ [[ -z "$line" ]] && continue
+ name="${line%|*}"
+ dir=$(echo "$name" | sed -n 's/^terraform validate[[:space:]]*(\(.*\))$/\1/p')
+ [[ -z "$dir" ]] && dir="$name"
+ concl="${line#*|}"
+ icon=$([[ "$concl" == "success" ]] && echo "✅" || echo "❌")
+ echo "| $dir | $icon $concl |"
+ done <<< "$tfvalidate_jobs"
+ echo ""
+ echo "[View run]($run_url)"
+ } > comment.md
+
+ - name: Find existing validation comment
+ if: github.event_name == 'pull_request'
+ id: find-comment
+ uses: peter-evans/find-comment@v3
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ body-includes: ""
+
+ - name: Comment validation status on PR
+ if: github.event_name == 'pull_request'
+ uses: peter-evans/create-or-update-comment@v5
+ with:
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ issue-number: ${{ github.event.pull_request.number }}
+ body-path: comment.md
+ edit-mode: replace
From 3cab963d50d162fbf2929961fc80ce7c2632f7d5 Mon Sep 17 00:00:00 2001
From: BillyJBryant <3013565+billyjbryant@users.noreply.github.com>
Date: Wed, 18 Feb 2026 17:06:08 -0800
Subject: [PATCH 3/3] Updating pinned versions
---
 .github/workflows/tfvalidate.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 227d9c03..d828c8b8 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - name: Harden Runner
 if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
- uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.7.0
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
 egress-policy: audit
@@ -66,7 +66,7 @@ jobs:
 steps:
 - name: Harden Runner
 if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
- uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.7.0
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
 egress-policy: audit
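Review bot: The three new steps run inside the `tfvalidate` matrix job itself, so at the moment `gh run view` is called the running job has no conclusion yet (`.conclusion // "pending"`), `all_ok` is forced to `"false"` and the comment reports failed even on a green run — assuming the job's display name starts with `terraform validate`, as the jq filter and the sed pattern expect — while the other matrix entries race to overwrite the same comment. A failing `terraform validate` also stops the job before these steps, since none of them carries `if: always()`, so the failure the comment is meant to surface is never posted. `gh run view` additionally needs `GH_TOKEN` in the step's `env:` unless it is exported at workflow level, which this hunk does not show. Move the build/find/post steps into a separate job with `needs: [listaddons, tfvalidate]` and `if: always() && github.event_name == 'pull_request'`, as sketched below. Give the comment a fixed marker (e.g. `<!-- tfvalidate-status -->`) and match on it in `body-includes` instead of `""`, which filters nothing and so returns the first comment by the action's default author whatever its content.
```yaml
  tfvalidate-comment:
    name: post terraform validation status
    needs: [listaddons, tfvalidate]
    if: always() && github.event_name == 'pull_request'
    runs-on: ubuntu-latest  # constructed: use the same runner label as the other jobs
    permissions:
      pull-requests: write
    steps:
      - name: Build validation status comment
        id: comment-body
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          {
            echo "<!-- tfvalidate-status -->"
            # … unchanged: status table built from `gh run view` / jq …
          } > comment.md
      - name: Find existing validation comment
        id: find-comment
        uses: peter-evans/find-comment@v3
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: "<!-- tfvalidate-status -->"
      # … unchanged: create-or-update-comment step …
```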
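Review bot: Only the trailing version comment changes on the `uses: step-security/harden-runner@5ef0c079…` line — the commit SHA is identical on the `-` and `+` sides — so the first hunk relabels the pin from `v2.7.0` to `v2.14.2` without moving it, and the same applies to the second hunk at `@@ -66,7 +66,7 @@`. A SHA pin whose comment does not match the tag it resolves to defeats the purpose of pinning, since reviewers and update tooling read that comment to judge what actually runs; the earlier patches already show two different SHAs (`63c24ba6…` removed, `5ef0c079…` added) both labelled `v2.7.0`, so at least one label was wrong before this change. Verify which tag `5ef0c079ce82195b2a36a210272d6b661572d83e` resolves to and either update the SHA to the `v2.14.2` commit or restore the correct label.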
@@ -132,14 +132,14 @@ jobs:
 - name: Find existing validation comment
 if: github.event_name == 'pull_request'
 id: find-comment
- uses: peter-evans/find-comment@v3
+ uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
 with:
 issue-number: ${{ github.event.pull_request.number }}
 body-includes: ""
 - name: Comment validation status on PR
 if: github.event_name == 'pull_request'
- uses: peter-evans/create-or-update-comment@v5
+ uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
 with:
 comment-id: ${{ steps.find-comment.outputs.comment-id }}
 issue-number: ${{ github.event.pull_request.number }}