Update Images and Instances to include SQLcl #164
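# Workflow for validating Infrastructure as Code
#
# This workflow validates syntax, formatting, schema, and security.
# It does NOT validate infrastructure logic or resource creation.
# Manual testing with real OCI credentials is REQUIRED before merging.
# See opentofu/TESTING.md for instructions.
#
# Trigger model: `pull_request` (not `pull_request_target`), so a PR from a
# fork runs with a read-only GITHUB_TOKEN and without repository secrets.
name: Validate Infrastructure as Code

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
    paths:
      - "tests/opentofu/**"
      - "opentofu/**"
      - ".github/workflows/opentofu.yml"
  workflow_dispatch:

# Provider cache shared by `tofu init` and the actions/cache step below.
# Both MUST refer to the same directory. The job runs inside a container,
# so `~` resolves to the container user's home, not to the workspace; the
# previous `~/.terraform.d/plugin-cache` cache path was never written to
# and the cache was always saved empty.
env:
  TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache

jobs:
  # Job 1: Static analysis (validation, formatting, schema, security)
  verify-iac-static:
    name: Static Analysis & Security
    if: github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    container:
      # TODO(review): `latest` is a mutable tag; pin to a release tag
      # (ideally an image digest) so the toolchain cannot change underneath
      # the workflow without a reviewed diff.
      image: ghcr.io/opentofu/opentofu:latest
    # Least privilege: no step comments on or edits pull requests, so the
    # former `pull-requests: write` grant was dropped. `security-events:
    # write` is required by the SARIF upload step.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      # Terraform validation steps
      - name: Cache Terraform Providers
        uses: actions/cache@v4
        with:
          # Same directory as TF_PLUGIN_CACHE_DIR (see the `env` block).
          path: ${{ github.workspace }}/.terraform.d/plugin-cache
          key: ${{ runner.os }}-terraform-${{ hashFiles('opentofu/.terraform.lock.hcl') }}
          restore-keys: |
            ${{ runner.os }}-terraform-

      - name: Create Plugin Cache Directory
        # Create the directory tofu will populate; quoted in case the
        # workspace path ever contains spaces.
        run: mkdir -p "$TF_PLUGIN_CACHE_DIR"

      - name: Initialize Infrastructure as Code
        working-directory: ./opentofu
        # -backend=false: no state access is needed (or possible) for
        # validation, so no backend credentials are required.
        run: tofu init -backend=false

      - name: Validate Infrastructure as Code
        working-directory: ./opentofu
        run: tofu validate

      - name: Check Terraform Formatting
        working-directory: ./opentofu
        run: tofu fmt -recursive -check

      # Schema validation
      - name: Install Python and Dependencies
        # TODO(review): the pip packages are unpinned; pin versions (or use
        # a requirements file with hashes) for reproducible runs.
        run: |
          apk add --no-cache python3 py3-pip
          pip3 install --break-system-packages pyyaml jsonschema referencing

      - name: Validate Oracle Resource Manager Schema
        working-directory: ./tests/opentofu
        run: python3 ./validate_omr_schema.py OMRMetaSchema.yaml ../../opentofu/schema.yaml

      # Security scanning.
      # exit-code "0" makes the scan informational: findings never fail the
      # job. They are surfaced through the SARIF upload step that follows;
      # without it the report file was written and then discarded.
      - name: Run Trivy Security Scan for IaC
        # TODO(review): `master` is a mutable branch ref for a third-party
        # action; pin to a release tag or, better, a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "config"
          scan-ref: "opentofu"
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: "0"

      - name: Upload Trivy Results to Code Scanning
        # Run unless the job was cancelled, so results are published even if
        # an earlier step failed. Skipped for fork PRs: their GITHUB_TOKEN
        # lacks `security-events: write`, so the upload would always fail.
        if: ${{ !cancelled() && github.event.pull_request.head.repo.fork != true }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  # Job 2: Human-readable summary; only reached when the static job passed.
  verify-iac-summary:
    name: Validation Summary
    if: github.event.pull_request.draft == false || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    needs: [verify-iac-static]
    steps:
      - name: All Validations Passed
        run: |
          echo "✅ Syntax, formatting, schema, security validated"
          echo "⚠️ Does NOT validate infrastructure logic"
          echo "📖 See opentofu/TESTING.md for manual testing requirements"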