Homelab/.forgejo/workflows/ci.yml

name: CI - Validation

on:
  push:
    branches:
      - '**'
      - '!main'  # Exclude main branch (CD workflow handles it)
  pull_request:
  workflow_call:  # Allow this workflow to be called by other workflows

jobs:
  ci-terraform:
    name: Terraform Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        run: |
          if ! command -v tofu &> /dev/null; then
            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
          fi

      - name: Terraform Format Check
        run: |
          cd terraform
          tofu fmt -check -recursive
        continue-on-error: false

      - name: Terraform Validate
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Validating $dir ---"
              (cd "$dir" && tofu init -backend=false && tofu validate)
            fi
          done

      - name: Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Planning $dir ---"
              (
                cd "$dir" && \
                tofu init && \
                tofu plan -out="tfplan-$(basename $dir)" || echo "WARNING: Plan failed for $(basename $dir) - node may be unavailable"
              )
            fi
          done
        env:
          TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json"
          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
          TF_VAR_proxmox_tls_insecure: "true"
          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
          TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }}
          TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }}
          TF_VAR_k3s_version: "v1.28.5+k3s1"
          TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit"
          TF_VAR_storage_pool: "linstor_storage"
          TF_VAR_snippets_storage: "local"
          TF_VAR_k3s_network_bridge: "k3s"
          TF_VAR_k3s_gateway: "10.100.20.1"
          TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]'
          TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }'

      - name: Upload Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v3
        with:
          name: tfplans
          path: terraform/pve*/tfplan-*
          retention-days: 1

  ci-ansible:
    name: Ansible Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Ansible
        run: |
          if ! command -v ansible &> /dev/null; then
            apt-get update
            apt-get install -y ansible python3-pip
          fi

      - name: Ansible Syntax Check
        run: |
          ansible-playbook ansible/site.yml --syntax-check

      - name: Ansible Lint
        run: |
          if ! command -v ansible-lint &> /dev/null; then
            pip3 install --break-system-packages ansible-lint
          fi
          ansible-lint ansible/ || true
        continue-on-error: true

      - name: YAML Lint
        run: |
          if ! command -v yamllint &> /dev/null; then
            pip3 install --break-system-packages yamllint
          fi
          yamllint ansible/ || true
        continue-on-error: true

  ci-kubernetes:
    name: Kubernetes Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install kubectl
        run: |
          if ! command -v kubectl &> /dev/null; then
            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
            install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
          fi


      - name: Install kubeconform
        run: |
          if ! command -v kubeconform &> /dev/null; then
            wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
            tar xf kubeconform-linux-amd64.tar.gz
            mv kubeconform /usr/local/bin/
          fi

      - name: Kubeconform Validation
        run: |
          kubeconform -strict -ignore-missing-schemas kubernetes/ || true
        continue-on-error: true

  security-scan:
    name: Security Scan
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Trivy
        run: |
          if ! command -v trivy &> /dev/null; then
            apt-get update
            apt-get install -y lsb-release
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
            echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
            apt-get update
            apt-get install -y trivy
          fi

      - name: Run Trivy IaC Scan
        run: |
          trivy config . --exit-code 0 --severity HIGH,CRITICAL
        continue-on-error: true