feat: distributable GitHub Action for dbt Cloud YAML schema validation (#27)

Copilot · trouze · web-flow · commit e2eefdf4188b · 2026-04-09T13:47:25.000-05:00
* Initial plan * feat: add distributable validate GitHub Action for YAML schema validation Agent-Logs-Url: https://github.com/dbt-labs/terraform-dbtcloud-as-yaml/sessions/bdf0be0a-5268-4e3c-9985-40618cd9f2da Co-authored-by: trouze <44027587+trouze@users.noreply.github.com> * docs: add yaml-validation guide page for the validate GitHub Action Agent-Logs-Url: https://github.com/dbt-labs/terraform-dbtcloud-as-yaml/sessions/fb4dfe1a-7c77-4a09-ad63-e24b40b804c6 Co-authored-by: trouze <44027587+trouze@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: trouze <44027587+trouze@users.noreply.github.com>
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -0,0 +1,48 @@
+# validate.yml — tests the validate GitHub Action on every PR and push to main
+# that touches the action definition, schema, or test fixtures.
+
+name: Validate Action
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "validate/**"
+      - "schemas/**"
+      - ".github/workflows/validate.yml"
+  pull_request:
+    paths:
+      - "validate/**"
+      - "schemas/**"
+      - ".github/workflows/validate.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  test-valid:
+    name: Valid YAML passes
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: ./validate
+        with:
+          file: validate/tests/valid.yml
+
+  test-invalid:
+    name: Invalid YAML is rejected
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - id: validate
+        uses: ./validate
+        with:
+          file: validate/tests/invalid.yml
+        continue-on-error: true
+      - name: Assert validation failed
+        run: |
+          if [ "${{ steps.validate.outcome }}" != "failure" ]; then
+            echo "Expected validation to fail for invalid.yml, but it did not."
+            exit 1
+          fi
+          echo "Validation correctly rejected invalid.yml."
diff --git a/README.md b/README.md
@@ -284,6 +284,38 @@ schedule_hours: [6, 18]            # UTC
 
 ---
 
+## Validate your YAML in CI (GitHub Action)
+
+Use the bundled `validate` action to check your `dbt-config.yml` against the
+JSON schema **before** running Terraform or supplying any dbt Cloud credentials.
+This catches typos and structural errors early in your pull-request workflow.
+
+```yaml
+# .github/workflows/dbt-cloud-validate.yml
+name: Validate dbt Cloud YAML
+
+on: [push, pull_request]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dbt-labs/terraform-dbtcloud-as-yaml/validate@v1  # pin to a release tag or commit SHA
+        with:
+          file: dbt-config.yml   # default; omit if your file is named dbt-config.yml
+```
+
+| Input | Default | Description |
+|---|---|---|
+| `file` | `dbt-config.yml` | Path to the YAML file to validate (relative to the workspace root). |
+
+The action exits with code `1` and prints a structured error report when the
+file does not conform to the schema, so your CI run fails fast without needing
+Terraform credentials.
+
+---
+
 ## Requirements
 
 - Terraform >= 1.0
diff --git a/docs/guides/yaml-validation.md b/docs/guides/yaml-validation.md
@@ -0,0 +1,154 @@
+# YAML Validation Action
+
+Validate your `dbt-config.yml` against the dbt Cloud Terraform YAML schema **before** running Terraform or supplying any dbt Cloud credentials. This catches typos, missing required fields, and structural errors early in your pull-request workflow.
+
+## Overview
+
+The `validate` action is a composite GitHub Action shipped inside this repository. It uses [`check-jsonschema`](https://check-jsonschema.readthedocs.io/) to validate your YAML file against [`schemas/v1.json`](https://raw.githubusercontent.com/dbt-labs/terraform-dbtcloud-as-yaml/main/schemas/v1.json).
+
+- **No Terraform required** — no `terraform init`, no provider downloads
+- **No dbt Cloud credentials required** — purely structural validation
+- **Fast** — typically completes in under 30 seconds
+- **Clear error messages** — reports every violation with a JSON path so you know exactly what to fix
+
+---
+
+## Quick Start
+
+```yaml title=".github/workflows/validate.yml"
+name: Validate dbt Cloud YAML
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dbt-labs/terraform-dbtcloud-as-yaml/validate@v1
+        with:
+          file: dbt-config.yml   # optional — this is the default
+```
+
+The job exits with code `1` and prints a structured error report when the file does not conform to the schema, causing your CI run to fail immediately — before any Terraform or credential steps run.
+
+---
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `file` | No | `dbt-config.yml` | Path to the dbt Cloud YAML configuration file to validate, relative to the repository root. |
+
+---
+
+## Example: Validate before Terraform Plan
+
+Add the validation step at the top of your existing Terraform CI workflow so bad YAML is caught before Terraform even initialises:
+
+```yaml title=".github/workflows/ci.yml"
+name: CI — Validate and Plan
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - "dbt-config.yml"
+      - "**.tf"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  validate:
+    name: Validate YAML
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dbt-labs/terraform-dbtcloud-as-yaml/validate@v1
+        with:
+          file: dbt-config.yml
+
+  plan:
+    name: Terraform Plan
+    runs-on: ubuntu-latest
+    needs: validate   # only runs when YAML is valid
+    env:
+      TF_VAR_dbt_account_id: ${{ secrets.DBT_ACCOUNT_ID }}
+      TF_VAR_dbt_token: ${{ secrets.DBT_TOKEN }}
+      TF_VAR_dbt_host_url: "https://cloud.getdbt.com"
+      TF_VAR_environment_credentials: ${{ secrets.ENVIRONMENT_CREDENTIALS }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+      - run: terraform init
+      - run: terraform plan -no-color
+```
+
+---
+
+## Example Error Output
+
+When a YAML file fails validation the action prints a structured report and exits with code `1`:
+
+```
+Validating 'dbt-config.yml' against dbt Cloud YAML schema v1...
+Schema validation errors were encountered.
+  dbt-config.yml::$: 'version' is a required property
+  dbt-config.yml::$.account: 'host_url' is a required property
+  dbt-config.yml::$.projects[0].environments[0].credential: 'token_name' is a required property
+Error: Process completed with exit code 1.
+```
+
+Each line identifies the exact JSON path where the violation occurred, making it straightforward to find and fix the issue.
+
+---
+
+## Versioning
+
+Pin the action to a release tag or commit SHA to avoid unexpected breaking changes:
+
+```yaml
+# Pin to a release tag (recommended)
+- uses: dbt-labs/terraform-dbtcloud-as-yaml/validate@v1
+
+# Pin to a specific commit SHA for maximum reproducibility
+- uses: dbt-labs/terraform-dbtcloud-as-yaml/validate@2bb4e9e
+```
+
+Avoid `@main` in production workflows — it tracks the development branch and may change at any time.
+
+---
+
+## Next Steps
+
+<div class="grid cards" markdown>
+
+-   :material-pipe:{ .lg .middle } **CI/CD Integration**
+
+    ---
+
+    Full CI and CD pipeline examples for GitHub Actions, GitLab, and Azure DevOps
+
+    [:octicons-arrow-right-24: CI/CD Guide](cicd.md)
+
+-   :material-file-code:{ .lg .middle } **YAML Schema Reference**
+
+    ---
+
+    Full field reference for `dbt-config.yml`
+
+    [:octicons-arrow-right-24: YAML Schema](../configuration/yaml-schema.md)
+
+-   :material-security:{ .lg .middle } **Best Practices**
+
+    ---
+
+    Secure and reliable deployments
+
+    [:octicons-arrow-right-24: Best Practices](best-practices.md)
+
+</div>
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -76,6 +76,7 @@ nav:
       - Project Repository: reference/module-project_repository.md
   - Guides:
     - CI/CD Integration: guides/cicd.md
+    - YAML Validation Action: guides/yaml-validation.md
     - Best Practices: guides/best-practices.md
     - Troubleshooting: guides/troubleshooting.md
 
diff --git a/validate/action.yml b/validate/action.yml
@@ -0,0 +1,41 @@
+name: "Validate dbt Cloud YAML"
+description: >
+  Validates a dbt Cloud YAML configuration file against the dbt Cloud
+  Terraform YAML schema (v1) before running Terraform or requiring any
+  dbt Cloud credentials.
+
+branding:
+  icon: check-circle
+  color: green
+
+inputs:
+  file:
+    description: "Path to the dbt Cloud YAML configuration file to validate."
+    required: false
+    default: "dbt-config.yml"
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+      with:
+        python-version: "3.x"
+
+    - name: Install check-jsonschema
+      shell: bash
+      run: pip install --quiet "check-jsonschema==0.37.1"
+
+    - name: Validate YAML against schema
+      shell: bash
+      env:
+        INPUT_FILE: ${{ inputs.file }}
+      run: |
+        SCHEMA="${{ github.action_path }}/../schemas/v1.json"
+        if [ ! -f "${SCHEMA}" ]; then
+          echo "Error: schema file not found at '${SCHEMA}'."
+          exit 1
+        fi
+        echo "Validating '${INPUT_FILE}' against dbt Cloud YAML schema v1..."
+        check-jsonschema --schemafile "${SCHEMA}" "${INPUT_FILE}"
+        echo "Validation passed."
diff --git a/validate/tests/invalid.yml b/validate/tests/invalid.yml
@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/dbt-labs/terraform-dbtcloud-as-yaml/refs/heads/main/schemas/v1.json
+# Invalid dbt Cloud YAML: missing required 'version' field and account.host_url.
+# Used to test that the validate GitHub Action correctly rejects bad input.
+
+account:
+  name: Broken-Account
diff --git a/validate/tests/valid.yml b/validate/tests/valid.yml
@@ -0,0 +1,47 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/dbt-labs/terraform-dbtcloud-as-yaml/refs/heads/main/schemas/v1.json
+# Minimal valid dbt Cloud YAML used to test the validate GitHub Action.
+
+version: 1
+account:
+  name: Test-Account
+  host_url: https://cloud.getdbt.com
+
+globals:
+  connections:
+    - key: test_wh
+      name: Test-Warehouse
+      type: snowflake
+      protected: true
+      details:
+        account: xy12345
+        database: ANALYTICS
+        warehouse: COMPUTE_WH
+
+projects:
+  - name: MyTestProject
+    key: my_project
+    repository:
+      remote_url: acme/analytics
+    environments:
+      - name: Production
+        key: prod
+        type: deployment
+        protected: true
+        connection: test_wh
+        credential:
+          token_name: SNOWFLAKE_PASSWORD
+          schema: ANALYTICS
+    jobs:
+      - name: Daily-Run
+        key: daily_run
+        environment_key: prod
+        execute_steps:
+          - dbt build
+        triggers:
+          schedule: true
+          github_webhook: false
+          git_provider_webhook: false
+          on_merge: false
+        schedule_type: days_of_week
+        schedule_days: [0, 1, 2, 3, 4]
+        schedule_hours: [6]
