github-workflows

Shared GitHub workflows, to be referenced by other Padok projects.

The following reusable workflows are available in .github/workflows:

Name	Description	Must have
release	Configure Release Please to automate GitHub release creation	⭐
semantic-check	Check that pull requests follow Conventional Commits
terraform-docs	Update Terraform module documentation using terraform-docs
terraform-quality	Run several linter and static analysis tools on Terraform code	⭐

Usage

To use these workflows in your project, copy files from the folders listed below, and paste them in the .github/workflows/ folder in your own repo.

• global: for all your projects
• terraform: useful for Terraform modules and starters

Your repo should have the following structure:

.
├── .github
│   ├── CODEOWNERS
│   └── workflows
│       ├── release.yml
│       ├── semantic-check.yml
│       ├── terraform-docs.yml
│       └── terraform-quality.yml
├── .gitignore
├── LICENSE
├── main.tf
├── README.md
├── renovate.json
└── ... (other files)

Workflow Designs

terraform-quality workflow

There are several tools to ensure that Terraform code is secure and follows best practices. We selected the following ones:

• tfswitch make sure that the correct version of Terraform is used
• terraform fmt to check the basic formatting of Terraform code
• terraform validate to check the validity of Terraform code
• tflint to check for code quality issues
• checkov to check for security issues

The following tools were considered but ultimately not included:

• tfsec is redundant with checkov, and from Padok's experience, the latter is more reliable
• terrascan has not been tested by Padok yet
• terraform docs is delegated to another workflow, since it could add a commit to the pull request

Feel free to suggest other tools to add to this workflow!

License