chore(deps): bump the terraform-providers group across 2 directories with 1 update #188

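# GitHub Actions workflow to deploy to Azure using azd.
#
# Security-relevant shape of this workflow, as the steps below actually behave:
#   - Azure authentication is OIDC/federated (no long-lived cloud secret). The only
#     long-lived secret handled here is the GitHub PAT in `secrets.MCS_RUNNER`,
#     which `azd env set` writes to disk in .azure/<env>/.env (cleaned up at the end).
#   - `azd provision` runs on every push to main AND on every pull request to main,
#     so a same-repo PR provisions real infrastructure under the workflow's identity.
#     PRs from forks (and Dependabot-authored PRs) do not receive repository secrets
#     and are expected to fail at the Azure login step -- verify this for your
#     repository settings rather than assuming it.
#   - Two installers are fetched from the network at run time (the gitleaks tarball
#     and dotnet-install.sh); only the gitleaks tarball is checksum-verified.
#   - GitLeaks and Checkov findings are reported to code scanning but never block
#     the pipeline (see the `--exit-code 0` / `--soft-fail` comments below).
name: "CI-Deploy"
on:
  workflow_dispatch:
    inputs:
      azd_environment_name:
        description: "Name of the AZD Environment"
        required: true
        default: "CICD"
      azure_location:
        description: "Azure location for the environment"
        required: true
        default: "eastus"
      run_azd_down:
        description: "Run AZD Down to destroy the deployed resources."
        type: boolean
        required: true
        default: false
  push:
    # Run when commits are pushed to mainline branch
    # Set this to the mainline branch you are using
    branches:
      - main
  pull_request:
    # Run when pull requests are opened or updated
    branches:
      - main
# Ensure only one deployment runs at a time per PR / per ref, so a provision and a
# destroy for the same azd environment can never overlap.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: false
# Least-privilege GITHUB_TOKEN; cloud access comes from the OIDC token only.
permissions:
  actions: read # Needed for uploading SARIF reports
  security-events: write # Needed for uploading SARIF reports
  id-token: write # Needed for OIDC Authentication
  contents: read
jobs:
  build:
    # ACTIONS_RUNNER_NAME is a JSON array of runner labels. A self-hosted runner may
    # be selected here, which is why this job deletes its own azd environment files
    # in the final step instead of relying on a throw-away VM.
    runs-on: ${{ fromJson(vars.ACTIONS_RUNNER_NAME || '["ubuntu-latest"]') }}
    env:
      # Workflow inputs are consumed only as environment variables inside `run:`
      # scripts (never interpolated with ${{ }} into shell text), which keeps
      # user-controlled input out of the command-injection path.
      AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number)) || 'CICD' }}
      AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false # do not leave GITHUB_TOKEN in .git/config for later steps
      - name: Install azd
        uses: Azure/setup-azd@cf638ffd167fc81e1851241a478a723c05fa9cb3 # v2.2.0
        with:
          version: '1.20.0' # Specify your desired azd version here
      - name: Setup Node.js
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: '18.x'
      - name: Install Terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: 1.13.3
      - name: Install TFLint
        # NOTE(review): TFLint is installed but no step in this job runs it; add a
        # `tflint --recursive` step against the infrastructure directory (its path is
        # not visible from this file) if linting is meant to be part of CI.
        uses: terraform-linters/setup-tflint@acd1575d3c037258ce5b2dd01379dc49ce24c6b7 # v6.2.0
        with:
          tflint_version: v0.58.1
          github_token: ${{ secrets.GITHUB_TOKEN }} # Used to avoid rate limiting on the release download
      - name: Install GitLeaks
        env:
          GITLEAKS_VERSION: "8.28.0"
        run: |
          base="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}"
          asset="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -sSL "${base}/${asset}" -o "${asset}"
          # Verify the tarball against the checksums file published with the same
          # release before anything from it is executed. This catches a corrupted or
          # swapped asset; it is not a substitute for trusting the release itself.
          curl -sSL "${base}/gitleaks_${GITLEAKS_VERSION}_checksums.txt" -o gitleaks_checksums.txt
          sha256sum --check --ignore-missing gitleaks_checksums.txt
          tar -xzf "${asset}"
          chmod +x gitleaks
          sudo mv gitleaks /usr/local/bin/
          rm "${asset}" gitleaks_checksums.txt
          gitleaks version
      - name: Run GitLeaks Scan
        env:
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
        run: |
          # --redact keeps the matched secret values out of the job log (which
          # --verbose would otherwise print) and out of the SARIF report, which is
          # later uploaded as a build artifact readable by anyone with read access.
          # `--exit-code 0` plus `|| true` means findings are reported but never
          # block the pipeline; remove both to make leaked secrets fail the build.
          gitleaks detect \
            --verbose \
            --redact \
            --max-archive-depth 50 \
            --report-format sarif \
            --report-path ./gitleaks-report.sarif \
            --source . \
            --exit-code 0 || true
          echo "GitLeaks scan completed"
      - name: Setup .NET SDK
        shell: bash
        run: |
          # Install .NET SDK to temp directory for self-hosted runners to avoid permission issues
          DOTNET_INSTALL_DIR="${{ runner.temp }}/dotnet"
          mkdir -p "$DOTNET_INSTALL_DIR"
          # Download and run the dotnet-install script.
          # NOTE(review): the script is executed straight from the network with no
          # integrity check, and `--channel 9.0` resolves to "latest 9.0" at run time;
          # pin `--version` if reproducible builds matter.
          curl -sSL https://dot.net/v1/dotnet-install.sh -o dotnet-install.sh
          chmod +x dotnet-install.sh
          ./dotnet-install.sh --channel 9.0 --install-dir "$DOTNET_INSTALL_DIR"
          rm dotnet-install.sh
          # Add to PATH for subsequent steps
          echo "$DOTNET_INSTALL_DIR" >> $GITHUB_PATH
          echo "DOTNET_ROOT=$DOTNET_INSTALL_DIR" >> $GITHUB_ENV
      - name: Install Power Platform Tools
        uses: microsoft/powerplatform-actions/actions-install@6c7b538671a040d11afd8ab94d77bfe3b3ed87e6 # v1.9.1
        with:
          add-tools-to-path: true
      - name: Install Power Platform CLI
        # Smoke test only: the CLI was installed by the previous step; this just
        # confirms `pac` is on PATH.
        run: |
          pac help
      - name: Set Up Python
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # 6.0.0
        with:
          python-version: "3.x"
      - name: Install Checkov
        # TODO(review): pin an exact version (`checkov==X.Y.Z`) so upgrades are
        # reviewable, as every other tool in this job is pinned.
        run: pip install checkov
      - name: Run Checkov Scan
        # Writes results_sarif.sarif into ./checkov-results.sarif, the path the
        # artifact and code-scanning upload steps below expect. --soft-fail mirrors
        # the GitLeaks step: findings are reported but do not block the pipeline.
        run: |
          checkov --directory . --output sarif --output-file-path ./checkov-results.sarif --soft-fail
      - name: Login to Azure with Federated Identity
        # OIDC: the workflow identity (vars.AZURE_CLIENT_ID) is trusted via a federated
        # credential on the app registration; no client secret is present in this job.
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Provision Infrastructure
        env:
          POWER_PLATFORM_USE_OIDC: "true"
          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          ARM_USE_AZUREAD: "true"
          ARM_STORAGE_USE_AZUREAD: "true"
          ARM_USE_OIDC: "true"
          ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
          RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }}
          # Long-lived secret. It is masked in logs, but `azd env set` below persists
          # it in plain text to .azure/<env>/.env on the runner (removed in the last step).
          GITHUB_PAT: ${{ secrets.MCS_RUNNER }}
          GITHUB_REPO_OWNER: ${{ github.repository_owner }}
          GITHUB_REPO_NAME: ${{ github.event.repository.name }}
          GITHUB_RUNNER_IMAGE_NAME: "github-runner"
          GITHUB_RUNNER_IMAGE_TAG: "latest"
          # On pull_request events github.ref_name is "<pr-number>/merge", which is
          # not a branch; prefer the PR's source branch (head_ref) when present and
          # fall back to ref_name for push / workflow_dispatch runs.
          GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.head_ref || github.ref_name }}
        shell: bash
        run: |
          azd config set auth.useAzCliAuth "true"
          azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt
          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
          azd env set RESOURCE_TAGS "$RESOURCE_TAGS"
          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
          azd env set GITHUB_PAT "$GITHUB_PAT"
          azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER"
          azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME"
          azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME"
          azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG"
          azd env set GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH"
          azd provision --no-prompt
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: success() || failure()
        with:
          name: sarif-reports
          path: |
            ./gitleaks-report.sarif
            ./checkov-results.sarif/results_sarif.sarif
      - name: Upload Gitleaks SARIF report to Github
        # NOTE(review): this pins CodeQL Action v2, which GitHub has announced as
        # deprecated; move to a SHA-pinned v3 release when convenient.
        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
        with:
          sarif_file: ./gitleaks-report.sarif
      - name: Upload Checkov SARIF Report to GitHub
        uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1
        with:
          sarif_file: ./checkov-results.sarif/results_sarif.sarif
      - name: Destroy Infrastructure
        # `!cancelled()` makes this run even when an earlier step failed, so a PR
        # whose provision fails halfway does not leave half-built resources behind
        # (previously a failed provision skipped the teardown). A cancelled run is
        # still skipped. Note that `--purge` permanently purges soft-deleted
        # resources and is irreversible.
        if: ${{ !cancelled() && (github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request') }}
        env:
          POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          POWER_PLATFORM_USE_OIDC: "true"
          ARM_USE_AZUREAD: "true"
          ARM_STORAGE_USE_AZUREAD: "true"
          ARM_USE_OIDC: "true"
          ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
          RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }}
          RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }}
          RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }}
          RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }}
          RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }}
        shell: bash
        run: |
          azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT"
          azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME"
          azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP"
          azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER"
          azd env set RESOURCE_TAGS "$RESOURCE_TAGS"
          azd env select "$AZURE_ENV_NAME"
          azd down --no-prompt --force --purge
      - name: Remove local azd environment
        # The Provision step wrote GITHUB_PAT in plain text to .azure/<env>/.env.
        # GitHub-hosted runners are discarded after the job, but this job may run on
        # a self-hosted runner, so delete the directory regardless of outcome. The
        # next run recreates the environment with `azd env new`, so nothing depends
        # on it surviving.
        if: ${{ always() }}
        run: rm -rf .azure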