| author | Seth Flynn <[email protected]> | 2025-02-03 05:18:34 -0500 |
|---|---|---|
| committer | Seth Flynn <[email protected]> | 2025-02-03 05:34:09 -0500 |
| commit | c43746545c4cdc4a04e32a198d971f34dca88f20 (patch) | |
| tree | b5f3e38e34957371152c04bf087a897e8f098a83 | |
| parent | 082ef6167ea188de4a0439fe63baaca41b19b45b (diff) | |
ci: add hclfmt and tflint checks
| -rw-r--r-- | .github/workflows/tflint.yaml | 42 | ||||
| -rw-r--r-- | .tflint.hcl | 4 | ||||
| -rw-r--r-- | flake/ci.nix | 19 |
3 files changed, 64 insertions, 1 deletions
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
new file mode 100644
index 0000000..2ba60c4
--- /dev/null
+++ b/.github/workflows/tflint.yaml
@@ -0,0 +1,42 @@
+name: tflint
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - "terraform/**"
+ - ".github/workflows/tflint.yaml"
+ pull_request:
+ paths:
+ - "terraform/**"
+ - ".github/workflows/tflint.yaml"
+ workflow_dispatch:
+
+jobs:
+ scan:
+ name: Scan
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v16
+ with:
+ diagnostic-endpoint: ""
+
+ - name: Build tflint report
+ id: tflint-run
+ run: |
+ echo "sarif-file=$(nix build --no-link --print-build-logs --print-out-paths .#tflint)" >> "$GITHUB_OUTPUT"
+
+ - name: Upload results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.tflint-run.outputs.sarif-file }}
+ wait-for-processing: true
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..427121c
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,4 @@
+plugin "terraform" {
+ enabled = true
+ preset = "recommended"
+}
diff --git a/flake/ci.nix b/flake/ci.nix
index e8a1373..30cbd06 100644
--- a/flake/ci.nix
+++ b/flake/ci.nix
@@ -8,7 +8,8 @@ { perSystem = - { pkgs, ... }: + { config, pkgs, ... }: + { quickChecks = { actionlint = {
@@ -21,6 +22,11 @@ script = "deadnix --fail ${self}"; }; + hclfmt = { + dependencies = [ pkgs.hclfmt ]; + script = "hclfmt -require-no-change ${self}/terraform/*.tf"; + }; + just = { dependencies = [ pkgs.just ]; script = ''
@@ -39,6 +45,17 @@ dependencies = [ pkgs.statix ]; script = "statix check ${self}"; }; + + tflint = { + dependencies = [ pkgs.tflint ]; + script = '' + tflint --chdir=${self}/terraform --format=sarif |& tee $out || true + ''; + }; + }; + + legacyPackages = { + tflint = config.quickChecks.tflint.package; }; }; |
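Review bot: The "Build tflint report" step cannot fail on a broken build, because `nix build` runs inside a command substitution that is only an argument to `echo`; a failing build leaves `sarif-file` empty and the step still exits 0, so the failure surfaces only later at upload time with a confusing message. Capture the path first so the runner's `-e` shell option stops the job: `sarif=$(nix build --no-link --print-build-logs --print-out-paths .#tflint)` followed by `echo "sarif-file=$sarif" >> "$GITHUB_OUTPUT"`. The job's `permissions` block lists only `security-events: write`, and once any scope is listed every unlisted scope is set to none, so `contents: read` is worth stating explicitly for the checkout step (and `actions: read` if the repository is private, as the upload-sarif documentation asks). The three actions are referenced by moving tags (`@v4`, `@v16`, `@v3`); for a workflow that writes to security events, pinning each to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening.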
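Review bot: The hclfmt check only sees top-level files, because the `${self}/terraform/*.tf` glob in the new `hclfmt.script` does not descend into subdirectories, so any module kept under `terraform/` would pass the formatting gate unchecked; whether such subdirectories exist is not visible from this hunk. If they do, feeding the tool a recursive file list, e.g. `script = "hclfmt -require-no-change $(find ${self}/terraform -name '*.tf')";`, closes the gap without changing the check's semantics. The enclosing `quickChecks` attribute set starts and ends outside this hunk.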
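Review bot: The `|&` in the new `tflint.script` sends tflint's stderr into the same stream that `tee` writes to `$out`, so any warning or error the tool prints lands inside the SARIF file and can make the upload step reject it as malformed JSON; `--format=sarif` output should be the only content of `$out`. The trailing `|| true` additionally masks every failure, including tflint failing to start or to load the `terraform` plugin from `.tflint.hcl`, in which case an empty or partial report is uploaded as though the scan had passed. tflint reports findings and errors with different exit statuses (its documentation gives 2 for issues found and 1 for an error; confirm against the packaged version), so the script can tolerate findings while still failing on errors, e.g. `tflint --chdir=${self}/terraform --format=sarif > $out || [ $? -eq 2 ]`. The `quickChecks` and `perSystem` attribute sets this hunk extends begin outside the hunk.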
