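---
# CI - Validation
#
# Format/validate/plan the OpenTofu code, lint the Ansible tree, validate the
# Kubernetes manifests and run a Trivy IaC scan. Every job runs on self-hosted
# runners and installs its toolchain at job time if it is missing.
#
# NOTE(review): `pull_request` on a self-hosted runner executes the PR head on
# your own infrastructure. If this repository is public, fork PRs can run
# arbitrary shell here (GitHub withholds the secrets below for fork PRs, but the
# runner host itself is exposed). Restrict the trigger or the runner if so.
# NOTE(review): the install steps write to /usr/local/bin and call apt-get
# without sudo, i.e. the runner service appears to run as root. Prefer a
# non-root runner user with the toolchain pre-provisioned on the image.
# NOTE(review): actions are referenced by major tag (@v4). Pin them to a full
# commit SHA (with a version comment) so a moved tag cannot change what runs.
name: CI - Validation

on:  # yamllint disable-line rule:truthy
  push:
    branches: ['**']  # all branches
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes, comments
# or publishes, so read-only access to the repository contents is enough.
permissions:
  contents: read

jobs:
  ci-terraform:
    name: Terraform Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        # The version is pinned, but the installer script is still fetched and
        # executed unverified over TLS; pre-installing tofu on the runner image
        # removes this curl|bash entirely.
        run: |
          if ! command -v tofu &> /dev/null; then
            curl -fsSL https://get.opentofu.org/install-opentofu.sh \
              | bash -s -- --install-method standalone --opentofu-version 1.10.7
          fi

      - name: Terraform Format Check
        run: |
          cd terraform
          tofu fmt -check -recursive
        continue-on-error: false

      - name: Terraform Validate
        # -backend=false: validation needs no state and no backend credentials.
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Validating $dir ---"
              (cd "$dir" && tofu init -backend=false && tofu validate)
            fi
          done

      - name: Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        # A failed plan is reported as a warning and does not fail the job, so a
        # broken main branch will not be caught here; the "node may be
        # unavailable" assumption is deliberate and masks every other cause.
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Planning $dir ---"
              (
                cd "$dir" && \
                cp ../terraform.tfvars.example terraform.tfvars && \
                tofu init && \
                tofu plan -out="tfplan-$(basename $dir)" \
                  || echo "WARNING: Plan failed for $(basename $dir) - node may be unavailable"
              )
            fi
          done
        env:
          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
          TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }}

      - name: Upload Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        # upload-artifact@v3 is deprecated and no longer accepted by GitHub;
        # v4 is the supported release (artifact names must be unique per run,
        # which holds here as only this job uploads "tfplans").
        # WARNING(review): a saved plan embeds every variable value in
        # plaintext, including TF_VAR_proxmox_token_secret and
        # TF_VAR_forgejo_token. Anyone who can read workflow artifacts can
        # download these secrets for the retention window. Drop this step
        # unless a downstream apply job consumes the plan, and rotate the
        # tokens if plans have already been uploaded.
        uses: actions/upload-artifact@v4
        with:
          name: tfplans
          path: terraform/pve*/tfplan-*
          retention-days: 1

  ci-ansible:
    name: Ansible Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Ansible
        run: |
          if ! command -v ansible &> /dev/null; then
            apt-get update
            apt-get install -y ansible python3-pip
          fi

      - name: Ansible Syntax Check
        run: |
          ansible-playbook ansible/site.yml --syntax-check

      - name: Ansible Lint
        # Advisory only: `|| true` already swallows the exit code, so the
        # continue-on-error below is redundant. Remove both once the tree is
        # clean so regressions actually fail the job.
        run: |
          if ! command -v ansible-lint &> /dev/null; then
            pip3 install --break-system-packages ansible-lint
          fi
          ansible-lint ansible/ || true
        continue-on-error: true

      - name: YAML Lint
        # Advisory only, same as Ansible Lint above.
        run: |
          if ! command -v yamllint &> /dev/null; then
            pip3 install --break-system-packages yamllint
          fi
          yamllint ansible/ || true
        continue-on-error: true

  ci-kubernetes:
    name: Kubernetes Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install kubectl
        # Resolves the current stable release and verifies the binary against
        # the published .sha256 before installing it (the upstream documented
        # procedure). Pin KUBECTL_VERSION to a fixed release for reproducibility.
        run: |
          if ! command -v kubectl &> /dev/null; then
            KUBECTL_VERSION="$(curl -fL -s https://dl.k8s.io/release/stable.txt)"
            curl -fLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
            curl -fLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
            echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
            install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
            rm -f kubectl kubectl.sha256
          fi

      - name: Install kubeconform
        # NOTE(review): `releases/latest` is unpinned and the tarball is not
        # checksum-verified, so whatever GitHub serves at job time is executed.
        # Pin a release tag and verify its published checksum.
        run: |
          if ! command -v kubeconform &> /dev/null; then
            wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
            tar xf kubeconform-linux-amd64.tar.gz
            mv kubeconform /usr/local/bin/
          fi

      - name: Kubeconform Validation
        # -ignore-missing-schemas silently skips any CRD without a schema, and
        # `|| true` makes the result advisory only.
        run: |
          kubeconform -strict -ignore-missing-schemas kubernetes/ || true
        continue-on-error: true

  security-scan:
    name: Security Scan
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Trivy
        # apt-key is deprecated and absent on newer distributions; the signing
        # key is stored as a dedicated keyring and bound to this one repository
        # with [signed-by=...] so it cannot vouch for other apt sources.
        # The source list is overwritten (not appended) to avoid duplicate
        # entries on a partially failed earlier install.
        run: |
          if ! command -v trivy &> /dev/null; then
            apt-get update
            apt-get install -y lsb-release wget gnupg
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
              | gpg --dearmor -o /usr/share/keyrings/trivy.gpg
            echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
              | tee /etc/apt/sources.list.d/trivy.list
            apt-get update
            apt-get install -y trivy
          fi

      - name: Run Trivy IaC Scan
        # NOTE(review): --exit-code 0 plus continue-on-error means this scan
        # can never fail the build; HIGH/CRITICAL findings are log-only.
        # Switch to --exit-code 1 and drop continue-on-error once the baseline
        # is clean so the gate has teeth.
        run: |
          trivy config . --exit-code 0 --severity HIGH,CRITICAL
        continue-on-error: true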