138 lines
4 KiB
YAML
138 lines
4 KiB
YAML
name: CI - Validation
|
|
|
|
on:
|
|
push:
|
|
branches: ['**'] # All branches
|
|
pull_request:
|
|
|
|
jobs:
|
|
ci-terraform:
|
|
name: Terraform Validation
|
|
runs-on: self-hosted
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup OpenTofu
|
|
run: |
|
|
if ! command -v tofu &> /dev/null; then
|
|
curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
|
|
fi
|
|
|
|
- name: Terraform Format Check
|
|
run: |
|
|
cd terraform
|
|
tofu fmt -check -recursive
|
|
continue-on-error: false
|
|
|
|
- name: Terraform Validate
|
|
run: |
|
|
cd terraform
|
|
tofu init -backend=false
|
|
tofu validate
|
|
|
|
- name: Terraform Plan
|
|
if: github.event_name == 'push'
|
|
run: |
|
|
cd terraform
|
|
cp terraform.tfvars.example terraform.tfvars
|
|
tofu init
|
|
tofu plan -out=tfplan
|
|
env:
|
|
TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
|
|
TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
|
|
TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
|
|
TF_VAR_forgejo_token: ${{ secrets.FORGEJO_TOKEN }}
|
|
|
|
- name: Upload Terraform Plan
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: tfplan
|
|
path: terraform/tfplan
|
|
retention-days: 1
|
|
|
|
ci-ansible:
|
|
name: Ansible Validation
|
|
runs-on: self-hosted
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Ansible
|
|
run: |
|
|
if ! command -v ansible &> /dev/null; then
|
|
apt-get update
|
|
apt-get install -y ansible python3-pip
|
|
fi
|
|
|
|
- name: Ansible Syntax Check
|
|
run: |
|
|
ansible-playbook ansible/site.yml --syntax-check
|
|
|
|
- name: Ansible Lint
|
|
run: |
|
|
if ! command -v ansible-lint &> /dev/null; then
|
|
pip3 install --break-system-packages ansible-lint
|
|
fi
|
|
ansible-lint ansible/ || true
|
|
continue-on-error: true
|
|
|
|
- name: YAML Lint
|
|
run: |
|
|
if ! command -v yamllint &> /dev/null; then
|
|
pip3 install --break-system-packages yamllint
|
|
fi
|
|
yamllint ansible/ || true
|
|
continue-on-error: true
|
|
|
|
ci-kubernetes:
|
|
name: Kubernetes Validation
|
|
runs-on: self-hosted
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install kubectl
|
|
run: |
|
|
if ! command -v kubectl &> /dev/null; then
|
|
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
|
|
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
|
|
fi
|
|
|
|
|
|
- name: Install kubeconform
|
|
run: |
|
|
if ! command -v kubeconform &> /dev/null; then
|
|
wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
|
|
tar xf kubeconform-linux-amd64.tar.gz
|
|
mv kubeconform /usr/local/bin/
|
|
fi
|
|
|
|
- name: Kubeconform Validation
|
|
run: |
|
|
kubeconform -strict -ignore-missing-schemas kubernetes/ || true
|
|
continue-on-error: true
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: self-hosted
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
if ! command -v trivy &> /dev/null; then
|
|
apt-get update
|
|
apt-get install -y lsb-release
|
|
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
|
|
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
|
|
apt-get update
|
|
apt-get install -y trivy
|
|
fi
|
|
|
|
- name: Run Trivy IaC Scan
|
|
run: |
|
|
trivy config . --exit-code 0 --severity HIGH,CRITICAL
|
|
continue-on-error: true
|