Homelab/.forgejo/workflows/ci.yml
Tellsanguis 801e130679
fix(ci): Exclude main branch from CI workflow
CI workflow now runs only on feature branches and PRs. On main, only CD workflow runs (which internally calls CI). This prevents duplicate CI runs.
2025-11-13 19:52:52 +01:00


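# CI - Validation: static checks for the terraform/, ansible/ and kubernetes/
# trees. Runs on pushes to every branch except main and on pull requests;
# main is handled by the CD workflow (see the commit message).
#
# Notes for maintainers of this file:
#   * Every job runs on a persistent self-hosted runner with enough privilege
#     to apt-get / pip install system-wide. The install steps mutate the
#     runner host and are skipped once the tool exists, so tool versions are
#     whatever the runner picked up first and are not reproducible.
#   * `pull_request` runs execute the PR's own `run:` scripts on that runner.
#     Secrets are only referenced in the main-only Plan step, but the runner
#     itself (and anything it can reach) is exposed to PR code. Keep the repo
#     private or restrict who may open PRs.
#   * Actions are pinned by major tag (`@v4`, `@v3`). Pin to a commit SHA if
#     the runner resolves them from a public mirror.
name: CI - Validation

on:
  push:
    branches:
      - '**'
      - '!main'  # main is built by the CD workflow, which runs these checks
  pull_request:
  # NOTE(review): the commit message says the CD workflow "internally calls"
  # this one. Calling a workflow as a reusable workflow needs a
  # `workflow_call:` trigger here; with only the triggers above, the
  # main-only Plan/Upload steps below cannot run from this file on its own.

jobs:
  ci-terraform:
    name: Terraform Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        # Pipes a remotely fetched script straight into bash. The tofu
        # version is pinned but the installer script is not; download it to
        # a file and verify it (or vendor it in the repo) before trusting it
        # on the runner. `pipefail` makes a failed curl fail the step
        # instead of running an empty/partial script.
        run: |
          set -euo pipefail
          if ! command -v tofu &> /dev/null; then
            curl -fsSL https://get.opentofu.org/install-opentofu.sh \
              | bash -s -- --install-method standalone --opentofu-version 1.10.7
          fi

      - name: Terraform Format Check
        run: |
          set -euo pipefail
          cd terraform
          tofu fmt -check -recursive
        continue-on-error: false

      - name: Terraform Validate
        # -backend=false: validation needs neither state nor credentials,
        # so this step runs safely on PR/branch builds.
        run: |
          set -euo pipefail
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Validating $dir ---"
              (cd "$dir" && tofu init -backend=false && tofu validate)
            fi
          done

      - name: Terraform Plan
        # Main-only. Because of the `!main` push filter above this condition
        # can only hold when the workflow is run on behalf of main by the CD
        # workflow (see the NOTE under `on:`).
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          set -euo pipefail
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Planning $dir ---"
              # A failed plan is deliberately downgraded to a warning (a PVE
              # node may be offline). Anything consuming the artifact must
              # check that tfplan-<node> exists rather than assume it does.
              (
                cd "$dir" && \
                tofu init && \
                tofu plan -out="tfplan-$(basename "$dir")" \
                  || echo "WARNING: Plan failed for $(basename "$dir") - node may be unavailable"
              )
            fi
          done
        env:
          TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json"
          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
          # Disables TLS verification towards the Proxmox API, so the token
          # above travels over a connection that could be intercepted on the
          # management network. Prefer trusting the PVE CA (or the node
          # certificate) on the runner and setting this to "false".
          TF_VAR_proxmox_tls_insecure: "true"
          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
          TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }}
          TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }}
          TF_VAR_k3s_version: "v1.28.5+k3s1"
          TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit"
          TF_VAR_storage_pool: "linstor_storage"
          TF_VAR_snippets_storage: "local"
          TF_VAR_k3s_network_bridge: "k3s"
          TF_VAR_k3s_gateway: "10.100.20.1"
          TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]'
          TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }'

      - name: Upload Terraform Plan
        # A saved plan file can embed the input variables in clear text,
        # which here includes TF_VAR_proxmox_token_secret and
        # TF_VAR_forgejo_token. Anyone who can download this run's artifacts
        # can read them. Retention is one day to narrow the window; consider
        # handing the plan to the deploy job without an artifact, or
        # re-planning there instead of saving the plan at all.
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v3
        with:
          name: tfplans
          path: terraform/pve*/tfplan-*
          retention-days: 1

  ci-ansible:
    name: Ansible Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Ansible
        # Distro packages (apt-signed). Only runs when ansible is missing,
        # so the runner keeps whichever version it installed first.
        run: |
          set -euo pipefail
          if ! command -v ansible &> /dev/null; then
            apt-get update
            apt-get install -y ansible python3-pip
          fi

      - name: Ansible Syntax Check
        run: |
          set -euo pipefail
          ansible-playbook ansible/site.yml --syntax-check

      - name: Ansible Lint
        # Advisory: `continue-on-error` already keeps the job green, so the
        # old `|| true` was redundant and only hid the step's own status.
        # Without it the step shows red on findings while the job still
        # passes. `--break-system-packages` writes into the runner's system
        # Python; a venv would avoid touching the host.
        run: |
          set -euo pipefail
          if ! command -v ansible-lint &> /dev/null; then
            pip3 install --break-system-packages ansible-lint
          fi
          ansible-lint ansible/
        continue-on-error: true

      - name: YAML Lint
        # Advisory, same reasoning as Ansible Lint above.
        run: |
          set -euo pipefail
          if ! command -v yamllint &> /dev/null; then
            pip3 install --break-system-packages yamllint
          fi
          yamllint ansible/
        continue-on-error: true

  ci-kubernetes:
    name: Kubernetes Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install kubectl
        # No step in this job actually invokes kubectl (validation is done by
        # kubeconform), so this only pre-seeds the runner. The version is
        # upstream's current stable, not one matching TF_VAR_k3s_version, so
        # it is logged, and the binary is checked against the published
        # SHA-256 before being installed to /usr/local/bin.
        run: |
          set -euo pipefail
          if ! command -v kubectl &> /dev/null; then
            KUBECTL_VERSION="$(curl -fsSL https://dl.k8s.io/release/stable.txt)"
            echo "Installing kubectl ${KUBECTL_VERSION}"
            curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
            curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
            echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
            install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
            rm -f kubectl kubectl.sha256
          fi

      - name: Install kubeconform
        # Fetched from `releases/latest` with neither a pinned version nor a
        # checksum: whatever GitHub serves today is installed into
        # /usr/local/bin with root ownership. TODO(owner): pin a release tag
        # and verify the archive against that release's published checksum
        # file before extracting, as done for kubectl above.
        run: |
          set -euo pipefail
          if ! command -v kubeconform &> /dev/null; then
            wget -q https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
            tar xf kubeconform-linux-amd64.tar.gz
            install -o root -g root -m 0755 kubeconform /usr/local/bin/kubeconform
            rm -f kubeconform-linux-amd64.tar.gz kubeconform
          fi

      - name: Kubeconform Validation
        # Advisory: `continue-on-error` keeps the job green; the step itself
        # now reports its real status instead of being masked by `|| true`.
        run: |
          set -euo pipefail
          kubeconform -strict -ignore-missing-schemas kubernetes/
        continue-on-error: true

  security-scan:
    name: Security Scan
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Trivy
        # Aqua's signing key is scoped to the Trivy repo with `signed-by=`
        # instead of `apt-key add`, which is deprecated and would let that
        # key authenticate packages from every configured repository. The
        # list file is overwritten rather than appended so repeated runs do
        # not accumulate duplicate entries. The key is still fetched over
        # HTTPS from the vendor's GitHub Pages without further verification.
        run: |
          set -euo pipefail
          if ! command -v trivy &> /dev/null; then
            apt-get update
            apt-get install -y lsb-release gnupg wget
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
              | gpg --dearmor \
              | tee /usr/share/keyrings/trivy.gpg > /dev/null
            echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
              | tee /etc/apt/sources.list.d/trivy.list
            apt-get update
            apt-get install -y trivy
          fi

      - name: Run Trivy IaC Scan
        # Advisory only: `--exit-code 0` never fails the step, and
        # `continue-on-error` would keep the job green even if it did.
        # Once existing HIGH/CRITICAL findings are triaged, switch to
        # `--exit-code 1` and drop `continue-on-error` so new findings block
        # the branch.
        run: |
          trivy config . --exit-code 0 --severity HIGH,CRITICAL
        continue-on-error: true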