Update itzg/minecraft-server Docker digest to 8ed9d04 #969
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Continuous Integration By Official | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| TF_VAR_WEBHOOK_PATH: ${{secrets.WEBHOOK_PATH}} | |
| TF_VAR_env_files: ${{secrets.ENV_FILES}} | |
| TF_VAR_github_token: ${{ secrets.TF_VAR_github_token }} | |
| HEAD_REF: ${{ github.head_ref }} # "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details | |
| jobs: | |
| terraform-ci: | |
| name: Terraform CI | |
| permissions: | |
| id-token: write | |
| actions: read | |
| contents: write | |
| pull-requests: write | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| dir: [ | |
| terraform/scheduling, | |
| terraform/keeping | |
| ] | |
| steps: | |
| - name: Checkout code | |
| id: checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.head_ref }} | |
| - name: Check diff | |
| id: diff | |
| uses: technote-space/[email protected] | |
| with: | |
| PATTERNS: | | |
| terraform/modules/**/*.tf | |
| ${{ matrix.dir }}/**/* | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/minecraft-test-github-actions | |
| role-session-name: github-actions-test-session | |
| aws-region: ap-northeast-1 | |
| - name: Set up Python 3.9 | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: 3.9 | |
| - name: Install Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: 1.7.5 | |
| - name: Terraform Format Check | |
| id: check_fmt | |
| working-directory: ${{ matrix.dir }} | |
| run: | | |
| if terraform fmt -check -recursive ; then | |
| echo "result='No changes needed.'" >> "$GITHUB_OUTPUT" | |
| echo "has-changes=false" >> "$GITHUB_ENV" | |
| else | |
| echo "result='Changes needed.'" >> "$GITHUB_OUTPUT" | |
| echo "has-changes=true" >> "$GITHUB_ENV" | |
| fi | |
| continue-on-error: true | |
| - name: Format Terraform files if needed | |
| working-directory: ${{ matrix.dir }} | |
| if: ${{ env.has-changes == 'true' }} | |
| run: | | |
| terraform fmt -recursive | |
| git config --global user.name 'github-actions' | |
| git config --global user.email '[email protected]' | |
| git add -u | |
| git commit -m "Automated Terraform formatting" | |
| git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} | |
| git push origin HEAD:"$HEAD_REF" | |
| continue-on-error: true | |
| - name: Create Mapping Yaml(only scheduling) | |
| if: ${{ matrix.dir == 'terraform/scheduling' }} | |
| working-directory: ${{ matrix.dir }} | |
| run: | | |
| cat << EOF > secrets.yaml | |
| OPS: ${{ secrets.WHITELIST_PLAYERS }} | |
| WHITELIST: ${{ secrets.WHITELIST_PLAYERS }} | |
| WEBHOOK_PATH: ${{ secrets.WEBHOOK_PATH }} | |
| S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }} | |
| S3_PREFIX_NAME: ${{ secrets.S3_PREFIX_NAME }} | |
| FILTERING_STRINGS: ${{ secrets.FILTERING_STRINGS }} | |
| EOF | |
| - name: Initialize | |
| id: init | |
| if: steps.diff.outputs.diff | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const { exec: execCommand } = require('child_process'); | |
| const path = `${{ matrix.dir }}`; | |
| execCommand(`cd ${path} && terraform init -no-color -lock=false -upgrade`, (error, stdout, stderr) => { | |
| core.setOutput('output', stdout); | |
| core.setOutput('exit_code', error ? error.code.toString() : '0'); | |
| if (error) { | |
| core.setOutput('output', stderr); | |
| core.setFailed(`Terraform validate failed: ${stderr}`); | |
| } | |
| }); | |
| continue-on-error: false | |
| - name: Download modules | |
| if: steps.diff.outputs.diff | |
| run: terraform get | |
| working-directory: ${{ matrix.dir }} | |
| - name: Validate | |
| id: validate | |
| if: steps.diff.outputs.diff | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const { exec: execCommand } = require('child_process'); | |
| const path = `${{ matrix.dir }}`; | |
| execCommand(`cd ${path} && terraform validate -no-color`, (error, stdout, stderr) => { | |
| core.setOutput('output', stdout); | |
| core.setOutput('exit_code', error ? error.code.toString() : '0'); | |
| if (error) { | |
| core.setOutput('output', stderr); | |
| core.setFailed(`Terraform validate failed: ${stderr}`); | |
| } | |
| }); | |
| continue-on-error: false | |
| - name: Plan | |
| if: steps.diff.outputs.diff | |
| id: plan | |
| run: terraform plan -no-color -lock=false | |
| working-directory: ${{ matrix.dir }} | |
| continue-on-error: true | |
| - name: Comment | |
| if: steps.diff.outputs.diff | |
| uses: actions/[email protected] | |
| env: | |
| PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const output = `## \`${{ matrix.dir }}\` | |
| #### Terraform Format and Style 🖌\`${{ steps.check_fmt.outputs.result }}\` | |
| #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` | |
| <details><summary>Show Plan</summary> | |
| \`\`\`${process.env.PLAN}\`\`\` | |
| </details>`; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| - name: TFLint | |
| uses: reviewdog/action-tflint@master | |
| with: | |
| github_token: ${{ secrets.github_token }} | |
| working_directory: ./terraform | |
| reporter: github-pr-review | |
| filter_mode: nofilter | |
| fail_on_error: true | |
| tflint_version: "v0.24.0" | |
| - name: tfsec-commenter | |
| uses: aquasecurity/[email protected] | |
| with: | |
| working_directory: '' | |
| github_token: ${{ github.token }} | |
| - name: tfsec | |
| uses: aquasecurity/[email protected] | |
| with: | |
| sarif_file: tfsec.sarif | |
| tfsec_args: --minimum-severity HIGH | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| # Path to SARIF file relative to the root of the repository | |
| sarif_file: tfsec.sarif | |
| - name: Post Terraform Error Comment | |
| if: always() && steps.init.outputs.exit_code != '0' || steps.validate.outputs.exit_code != '0' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| let comment = '### Terraform Errors in ' + `${{ matrix.dir }}` + '\n'; | |
| if ('${{ steps.init.outputs.exit_code }}' != '0') { | |
| comment += '**Init Error:**\n```\n' + `${{ steps.init.outputs.output }}` + '\n```\n'; | |
| } | |
| if ('${{ steps.validate.outputs.exit_code }}' != '0') { | |
| comment += '**Validate Error:**\n```\n' + `${{ steps.validate.outputs.output }}` + '\n```\n'; | |
| } | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: comment | |
| }); |