Fixes permissions issue with trivy workflow #32
| # ============================================================================= | |
| # Contract & Consistency Tests | |
| # ============================================================================= | |
| # Lightweight workflow that validates cross-file consistency: version drift, | |
| # Terraform output-to-script contracts, K8s manifest consistency, and schema | |
| # validation. Runs on every push/PR and completes in ~3-5 minutes. | |
| # ============================================================================= | |
| name: Contract & Consistency Tests | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| # Cancel in-progress runs when a new commit is pushed to the same branch/PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| contract-tests: | |
| name: Contract & Version Consistency | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install yq | |
| run: | | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Install BATS | |
| run: sudo apt-get update && sudo apt-get install -y bats | |
| - name: Run contract tests | |
| run: bats tests/bats/contract-tests.bats | |
| - name: Run version consistency tests | |
| run: bats tests/bats/versions_yaml.bats | |
| terraform-validate: | |
| name: Terraform Validate (offline) | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: hashicorp/setup-terraform@v4.0.0 | |
| - name: Terraform fmt check | |
| run: terraform fmt -check -recursive terraform/ | |
| - name: Terraform init and validate | |
| run: cd terraform && terraform init -backend=false && terraform validate | |
| k8s-manifest-validate: | |
| name: K8s Manifest Schema Validation | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Install kubeconform | |
| run: | | |
| curl -sL https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar xz | |
| sudo mv kubeconform /usr/local/bin/ | |
| - name: Validate K8s manifests | |
| run: | | |
| # Validate manifests that don't use shell variable substitution | |
| # Skip files with ${...} placeholders (credential-rotation templates) | |
| for f in k8s/*.yaml; do | |
| if grep -q '\${' "$f"; then | |
| echo "Skipping template file: $f" | |
| continue | |
| fi | |
| echo "Validating: $f" | |
| kubeconform -strict -summary "$f" || true | |
| done | |
| tflint: | |
| name: TFLint | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - uses: terraform-linters/setup-tflint@v4 | |
| - name: Run TFLint | |
| run: | | |
| cd terraform | |
| tflint --init | |
| tflint --only=terraform_deprecated_interpolation \ | |
| --only=terraform_deprecated_index \ | |
| --only=terraform_unused_declarations \ | |
| --only=terraform_comment_syntax \ | |
| --only=terraform_documented_outputs \ | |
| --only=terraform_documented_variables \ | |
| --only=terraform_typed_variables \ | |
| --only=terraform_naming_convention \ | |
| --only=terraform_required_version \ | |
| --only=terraform_required_providers | |
| full-bats-suite: | |
| name: Full BATS Test Suite | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6.3.0 | |
| with: | |
| go-version: '1.25' | |
| cache-dependency-path: console/go.sum | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y bats | |
| sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 | |
| sudo chmod +x /usr/local/bin/yq | |
| - name: Download Go modules | |
| working-directory: console | |
| run: go mod download | |
| - name: Run ALL BATS tests | |
| run: bats tests/bats/*.bats |
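Review bot: The `|| true` on the kubeconform call in the "Validate K8s manifests" step makes the job succeed even when a manifest fails schema validation, so the check is advisory only despite the job being named "K8s Manifest Schema Validation"; record failures and fail after the loop instead, e.g. `kubeconform -strict -summary "$f" || rc=1` inside the loop and `exit "${rc:-0}"` after `done`. Separately, the "Install yq", "Install kubeconform" and "Install dependencies" steps fetch `releases/latest` binaries with no version pin and no checksum verification, then install them with sudo and run them against the repository, while the actions in the same file are pinned to exact versions; pinning a release and verifying a published checksum would make these steps reproducible and detect a replaced or moved release asset. `terraform-linters/setup-tflint@v4` is also the only action left on a floating major tag, which is inconsistent with the exact-version pins used elsewhere in the workflow.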