79 changes: 73 additions & 6 deletions .github/workflows/tfvalidate.yml
Expand Up @@ -23,7 +23,9 @@ defaults:

permissions:
contents: read
pull-requests: write

# Set repository variable TFVALIDATE_USE_HARDEN_RUNNER = 'true' to enable step-security/harden-runner; unset or other = skip (forks work without it).
jobs:
listaddons:
name: list terraform addon directories
Expand All @@ -32,11 +34,13 @@ jobs:
matrix: ${{ steps.matrix.outputs.value }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit

- name: Clone repo
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- id: matrix
Expand All @@ -61,20 +65,83 @@ jobs:
terraform_dir: ${{ fromJson(needs.listaddons.outputs.matrix) }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
if: vars.TFVALIDATE_USE_HARDEN_RUNNER == 'true'
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit

- name: Clone repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Install terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: 1.11.2
terraform_version: 1.14.5
# If we want to test more of these, consider using a matrix. With a matrix of directories, all terraform modules could be fully tested and potentially in parallel.
- name: Validate ${{ matrix.terraform_dir }} module (covers all submodules)
working-directory: ${{ matrix.terraform_dir }}
run: |
terraform init -backend=false
terraform validate

- name: Build validation status comment
if: github.event_name == 'pull_request'
id: comment-body
run: |
run_url="https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
jobs_json=$(gh run view "$GITHUB_RUN_ID" --json jobs)
listaddons_ok=$(echo "$jobs_json" | jq -r '[.jobs[] | select(.name == "list terraform addon directories")] | if length > 0 then (.[0].conclusion // "pending") else "skip" end')
tfvalidate_jobs=$(echo "$jobs_json" | jq -r '.jobs[] | select(.name | startswith("terraform validate")) | "\(.name)|\(.conclusion // "pending")"')
all_ok="true"
[[ "$listaddons_ok" != "success" && "$listaddons_ok" != "skip" ]] && all_ok="false"
while IFS= read -r line; do
[[ -z "$line" ]] && continue
concl="${line#*|}"
[[ "$concl" != "success" ]] && all_ok="false"
done <<< "$tfvalidate_jobs"
if [[ "$all_ok" == "true" && "$listaddons_ok" == "success" ]]; then
emoji="✅"
status="**Terraform validation: success**"
else
emoji="❌"
status="**Terraform validation: failed**"
fi
{
echo "<!-- tfvalidate-status -->"
echo "$emoji $status"
echo ""
echo "| Module / step | Status |"
echo "|---------------|--------|"
if [[ "$listaddons_ok" != "skip" ]]; then
lo_icon=$([[ "$listaddons_ok" == "success" ]] && echo "✅" || echo "❌")
echo "| list addon directories | $lo_icon $listaddons_ok |"
fi
while IFS= read -r line; do
[[ -z "$line" ]] && continue
name="${line%|*}"
dir=$(echo "$name" | sed -n 's/^terraform validate[[:space:]]*(\(.*\))$/\1/p')
[[ -z "$dir" ]] && dir="$name"
concl="${line#*|}"
icon=$([[ "$concl" == "success" ]] && echo "✅" || echo "❌")
echo "| $dir | $icon $concl |"
done <<< "$tfvalidate_jobs"
echo ""
echo "[View run]($run_url)"
} > comment.md

- name: Find existing validation comment
if: github.event_name == 'pull_request'
id: find-comment
uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: "<!-- tfvalidate-status -->"

- name: Comment validation status on PR
if: github.event_name == 'pull_request'
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
with:
comment-id: ${{ steps.find-comment.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body-path: comment.md
edit-mode: replace
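Review bot: The `gh run view` call in `Build validation status comment` has no `GH_TOKEN` in its environment and the explicit workflow-level `permissions:` block omits `actions: read`, so the step fails before producing a comment; and because it runs inside each matrix job with no `if: always()`, it is skipped whenever `terraform validate` fails and, when it does run, sees its own and sibling jobs still without a conclusion, so the table reports `pending` and the matrix jobs race to overwrite the same comment. Moving the three comment steps into a separate job that `needs:` both validation jobs fixes the ordering and lets `pull-requests: write` be scoped to that job instead of being granted workflow-wide to the jobs that execute `terraform init` against registry-fetched code. `find-comment` should also set `comment-author: 'github-actions[bot]'`, since otherwise any user comment containing `<!-- tfvalidate-status -->` would be matched and replaced by the bot. On fork PRs `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the comment steps should be expected to fail there. The id and `runs-on` of the matrix job are outside this hunk, so the `needs:` entry and runner label below are guesses to confirm.
```yaml
  report:
    name: comment validation status
    # TODO confirm the matrix job's id; its header is outside this hunk
    needs: [listaddons, tfvalidate]
    if: always() && github.event_name == 'pull_request'
    runs-on: ubuntu-latest  # match the other jobs
    permissions:
      actions: read          # gh run view reads /actions/runs/<id>/jobs
      pull-requests: write   # only this job posts the comment
    steps:
      - name: Build validation status comment
        id: comment-body
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}  # no checkout here, so gh cannot infer the repo
        run: |
          # … unchanged: run_url / gh run view / jq table builder …
      - name: Find existing validation comment
        id: find-comment
        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: "<!-- tfvalidate-status -->"
      # … unchanged: create-or-update-comment step …
```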