-
Notifications
You must be signed in to change notification settings - Fork 9
210 lines (202 loc) · 7.2 KB
/
test.yml
File metadata and controls
210 lines (202 loc) · 7.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
# Terraform Provider testing workflow.
name: Tests
# This GitHub action runs your tests for each pull request and push.
# Optionally, you can turn it on using a schedule for regular testing.
on:
pull_request:
branches:
- main
push:
branches:
- main
jobs:
build:
name: Build
runs-on: github-hosted-small
permissions:
contents: read
actions: read
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
cache: true
- name: Initialize CodeQL
uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
with:
languages: go
build-mode: manual # go build must be run between this step and the analysis step
queries: security-extended,security-and-quality
- run: go mod download
- run: go build -v .
- run: go vet ./...
- run: go tool staticcheck ./...
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
with:
category: "/language:go"
- name: Archive Build
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: build
path: |
terraform-provider-quicknode
pr-scan:
uses: circlefin/circle-public-github-workflows/.github/workflows/pr-scan.yaml@v1
trivy-scan:
name: Trivy Scan
runs-on: github-hosted-small
permissions:
actions: read
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# setup-trivy's install.sh downloads from get.trivy.dev; some runners cannot resolve it (curl exit 6).
- name: Install Trivy from GitHub releases
shell: bash
env:
TRIVY_VERSION: '0.69.3'
RUNNER_ARCH: ${{ runner.arch }}
run: |
set -euo pipefail
case "$RUNNER_ARCH" in
X64) suffix='Linux-64bit' ;;
ARM64) suffix='Linux-ARM64' ;;
*) echo "unsupported runner.arch=$RUNNER_ARCH"; exit 1 ;;
esac
ver="v${TRIVY_VERSION}"
name="trivy_${TRIVY_VERSION}_${suffix}.tar.gz"
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/${ver}/${name}" -o trivy.tgz
tar -xzf trivy.tgz trivy
mkdir -p "$HOME/bin"
install -m 0755 trivy "$HOME/bin/trivy"
echo "$HOME/bin" >> "$GITHUB_PATH"
rm -f trivy trivy.tgz
# No upload-sarif: org repo may not expose GitHub Code Scanning UI (GHAS). Artifact + summary below.
# scanners=vuln: dependency CVEs only (secret scanner often false-positives on fixtures/docs).
- name: Trivy Scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
skip-setup-trivy: true
version: v0.69.3
scan-type: fs
scan-ref: '.'
scanners: vuln
exit-code: '1'
output: trivy-results.sarif
format: sarif
# On public repos, workflow artifacts are world-readable; SARIF is low-risk (same as go.mod+CVE DB)
# but we only attach it for private repos. Public: table in job summary only.
- name: Upload Trivy SARIF artifact
if: always() && github.event.repository.private
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: trivy-results
path: trivy-results.sarif
if-no-files-found: warn
- name: Trivy table (job summary)
if: always()
shell: bash
run: |
{
echo '### Trivy filesystem scan (vulnerabilities only)'
echo ''
if [[ "${{ github.event.repository.private }}" == "true" ]]; then
echo 'Full SARIF: workflow artifact **trivy-results** (private repo only).'
else
echo 'Public repo: no SARIF artifact (artifacts are public). Table below matches dependency scan.'
fi
echo ''
echo '```'
trivy fs --scanners vuln --format table --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --exit-code 0 .
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
generate:
runs-on: github-hosted-small
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
cache: true
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_wrapper: false
- run: make generate
- name: git diff
run: |
git diff --compact-summary --exit-code || \
(echo; echo "Unexpected difference in directories after code generation. Run 'make generate' command and commit."; exit 1)
- name: setup goreleaser
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
install-only: true
- run: make validate
test:
name: Terraform Provider Unit Tests
needs: build
runs-on: github-hosted-small
timeout-minutes: 5
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
cache: true
- run: go mod download
- run: go test -v -cover ./... -run Test -skip TestAcc
# Run acceptance tests in a matrix with Terraform CLI versions
acctest:
# skip when triggered by dependabot, due to no access to secrets
if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
name: Terraform Provider Acceptance Tests
needs: build
runs-on: github-hosted-small
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
# list whatever Terraform versions here you would like to support
terraform:
- '1.8.*'
- '1.9.*'
- '1.10.*'
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
with:
go-version-file: 'go.mod'
cache: true
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: ${{ matrix.terraform }}
terraform_wrapper: false
- run: go mod download
- env:
TF_ACC: "1"
QUICKNODE_APIKEY: ${{ secrets.QUICKNODE_APIKEY }}
run: go test -v -cover ./... -run TestAcc
timeout-minutes: 10
rollup:
name: Success Rollup
if: always()
needs:
- build
- pr-scan
- trivy-scan
- generate
- test
- acctest
runs-on: github-hosted-small
permissions: {}
steps:
- run: exit 1
if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}