Homelab/.forgejo/workflows/ci.yml
Tellsanguis dc5fc28ff1 fix(ci): Exclusion branche main du workflow CI
Workflow CI s'exécute maintenant uniquement sur branches feature et PRs. Sur main, seul le workflow CD s'exécute (qui appelle CI en interne). Ceci évite les exécutions CI dupliquées.
2025-11-13 19:52:52 +01:00


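# CI validation workflow (Forgejo Actions, GitHub Actions syntax).
#
# Runs on every push to a branch other than main and on every pull request.
# Pushes to main are excluded on purpose: the CD workflow owns main and would
# otherwise trigger a duplicate CI run.
#
# NOTE(review): the "Terraform Plan" and "Upload Terraform Plan" steps below
# are gated on a push to refs/heads/main, which this workflow no longer
# receives directly. They stay reachable only if the CD workflow invokes this
# one (e.g. via workflow_call, which `on:` does not declare here) — confirm
# that, or drop the two steps.
#
# Action references are pinned to a major tag only (@v4, @v3). Pinning to a
# full commit SHA is the stronger supply-chain guarantee and is worth
# considering if the runner resolves actions from a public mirror.
name: CI - Validation

# `on` is a workflow keyword here, not a YAML 1.1 boolean (yamllint `truthy`
# will flag it; that is expected for this file format).
on:
  push:
    branches:
      - '**'
      - '!main'  # Exclude main branch (CD workflow handles it)
  pull_request:

jobs:
  ci-terraform:
    name: Terraform Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The installer script is fetched from get.opentofu.org and piped to
      # bash. The OpenTofu version is pinned, but the script itself is not
      # checksum-verified, so the runner trusts that host at run time.
      - name: Setup OpenTofu
        run: |
          if ! command -v tofu &> /dev/null; then
            curl -fsSL https://get.opentofu.org/install-opentofu.sh | bash -s -- --install-method standalone --opentofu-version 1.10.7
          fi

      # Formatting failures fail the job (continue-on-error defaults to
      # false, so the explicit setting was redundant).
      - name: Terraform Format Check
        run: |
          cd terraform
          tofu fmt -check -recursive

      # -backend=false skips backend initialisation, so validation needs no
      # credentials and never touches remote state.
      - name: Terraform Validate
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Validating $dir ---"
              (cd "$dir" && tofu init -backend=false && tofu validate)
            fi
          done

      # The only step that uses live Proxmox/Forgejo credentials. A failed
      # plan is downgraded to a warning so one unreachable node does not block
      # the whole job; check the log for "WARNING:" lines.
      - name: Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          for dir in terraform/pve*; do
            if [ -d "$dir" ]; then
              echo "--- Planning $dir ---"
              (
                cd "$dir" && \
                tofu init && \
                tofu plan -out="tfplan-$(basename "$dir")" || echo "WARNING: Plan failed for $(basename "$dir") - node may be unavailable"
              )
            fi
          done
        env:
          TF_VAR_proxmox_api_url: "https://192.168.100.10:8006/api2/json"
          TF_VAR_proxmox_token_id: ${{ secrets.PROXMOX_TOKEN_ID }}
          TF_VAR_proxmox_token_secret: ${{ secrets.PROXMOX_TOKEN_SECRET }}
          # TLS verification of the Proxmox API is disabled, so the API token
          # above is sent over an unverified connection. Trusting the Proxmox
          # CA certificate on the runner instead would close that gap.
          TF_VAR_proxmox_tls_insecure: "true"
          TF_VAR_ssh_public_key: ${{ secrets.SSH_PUBLIC_KEY }}
          TF_VAR_forgejo_token: ${{ secrets.GIT_TOKEN }}
          TF_VAR_forgejo_repo_url: ${{ secrets.GIT_REPO_URL }}
          TF_VAR_k3s_version: "v1.28.5+k3s1"
          TF_VAR_ubuntu_template: "ubuntu-2404-cloudinit"
          TF_VAR_storage_pool: "linstor_storage"
          TF_VAR_snippets_storage: "local"
          TF_VAR_k3s_network_bridge: "k3s"
          TF_VAR_k3s_gateway: "10.100.20.1"
          TF_VAR_k3s_dns: '["10.100.20.1", "1.1.1.1"]'
          TF_VAR_k3s_server_1_config: '{ ip = "10.100.20.10/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_k3s_server_2_config: '{ ip = "10.100.20.20/24", cores = 6, memory = 12288, disk_size = "100G" }'
          TF_VAR_etcd_witness_config: '{ ip = "10.100.20.30/24", cores = 2, memory = 2048, disk_size = "20G" }'

      # Plan files can embed resource attributes read from state; they are
      # kept for one day only. upload-artifact@v3 is a retired major on
      # github.com — confirm the action source this runner uses still serves
      # it before relying on this step.
      - name: Upload Terraform Plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v3
        with:
          name: tfplans
          path: terraform/pve*/tfplan-*
          retention-days: 1

  ci-ansible:
    name: Ansible Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Install steps in this file call apt-get/pip3/install without sudo, so
      # the self-hosted runner is assumed to execute as root.
      - name: Install Ansible
        run: |
          if ! command -v ansible &> /dev/null; then
            apt-get update
            apt-get install -y ansible python3-pip
          fi

      - name: Ansible Syntax Check
        run: |
          ansible-playbook ansible/site.yml --syntax-check

      # Advisory check: continue-on-error keeps the job green, but the step
      # now reports its real outcome instead of being masked by `|| true`.
      # --break-system-packages installs into the runner's system Python
      # (PEP 668 override); a venv or pipx would isolate the tool instead.
      - name: Ansible Lint
        run: |
          if ! command -v ansible-lint &> /dev/null; then
            pip3 install --break-system-packages ansible-lint
          fi
          ansible-lint ansible/
        continue-on-error: true

      # Advisory check, same visibility rationale as Ansible Lint.
      - name: YAML Lint
        run: |
          if ! command -v yamllint &> /dev/null; then
            pip3 install --break-system-packages yamllint
          fi
          yamllint ansible/
        continue-on-error: true

  ci-kubernetes:
    name: Kubernetes Validation
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # kubectl is fetched from dl.k8s.io at the current stable version and
      # verified against the SHA-256 published alongside it before install,
      # so a truncated or tampered download fails here instead of running.
      - name: Install kubectl
        run: |
          if ! command -v kubectl &> /dev/null; then
            KUBECTL_VERSION="$(curl -L -s https://dl.k8s.io/release/stable.txt)"
            curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
            curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
            echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
            install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
          fi

      # `latest` is unpinned and unverified: whatever the release page serves
      # at run time gets installed. Pin a release (and check its published
      # checksum) once a version is settled on.
      - name: Install kubeconform
        run: |
          if ! command -v kubeconform &> /dev/null; then
            wget https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz
            tar xf kubeconform-linux-amd64.tar.gz
            mv kubeconform /usr/local/bin/
          fi

      # Advisory check; -ignore-missing-schemas means CRDs without a public
      # schema are skipped rather than reported.
      - name: Kubeconform Validation
        run: |
          kubeconform -strict -ignore-missing-schemas kubernetes/
        continue-on-error: true

  security-scan:
    name: Security Scan
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The repository key is stored as a dedicated keyring and bound to the
      # Trivy source with signed-by=, replacing the deprecated `apt-key add`
      # (which trusted the key for every apt source on the runner). The list
      # file is written with `tee` rather than `tee -a` so a retried install
      # does not append duplicate entries.
      - name: Install Trivy
        run: |
          if ! command -v trivy &> /dev/null; then
            apt-get update
            apt-get install -y lsb-release gnupg
            install -d -m 0755 /etc/apt/keyrings
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /etc/apt/keyrings/trivy.gpg > /dev/null
            echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/trivy.list
            apt-get update
            apt-get install -y trivy
          fi

      # --exit-code 0 means HIGH/CRITICAL findings are reported but never
      # fail the step, so this scan is informational only. Raise the exit
      # code (and drop continue-on-error) to make it gate the pipeline once
      # the baseline is clean.
      - name: Run Trivy IaC Scan
        run: |
          trivy config . --exit-code 0 --severity HIGH,CRITICAL
        continue-on-error: true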