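---
name: Infrastructure CI/CD

# Triggers: pushes to main/develop and pull requests to main, limited to
# the infrastructure tree (and, for pushes, this workflow file itself).
on:
  push:
    branches: [main, develop]
    paths:
      - 'infrastructure/**'
      - '.gitea/workflows/infrastructure.yml'
  pull_request:
    branches: [main]
    paths:
      - 'infrastructure/**'

# Serialise runs per ref so two quick pushes to main cannot execute
# `tofu apply` against the same state at the same time. cancel-in-progress
# stays false: aborting an in-flight apply could leave the state
# half-written. (Only honoured by server/runner versions that implement
# `concurrency`; older ones ignore the key.)
concurrency:
  group: infrastructure-${{ github.ref }}
  cancel-in-progress: false

jobs:
  validate:
    runs-on: ubuntu-latest
    name: Validate Infrastructure
    steps:
      # NOTE(review): actions are pinned by major tag only; pinning to a
      # full commit SHA is the usual supply-chain hardening for CI.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: '1.10.6'

      # Each provider module is initialised without a backend (no remote
      # state needed) and syntax/type-checked. -input=false prevents the
      # job from hanging on an interactive prompt in CI.
      - name: Validate OpenTofu configurations
        run: |
          set -euo pipefail
          for dir in infrastructure/providers/*/; do
            [ -d "$dir" ] || continue
            echo "Validating $dir"
            # Subshell: the cd does not leak into the next iteration, and a
            # failing tofu command still aborts the whole step.
            (
              cd "$dir"
              tofu init -backend=false -input=false
              tofu validate
            )
          done

      # -diff prints the offending hunks so the failure is actionable
      # without re-running fmt locally.
      - name: Check formatting
        run: |
          tofu fmt -check -diff -recursive infrastructure/

      # Placeholder: no IaC scanner (e.g. tfsec or checkov) is wired in
      # yet, so this step currently always passes and provides no
      # security coverage. Wire a scanner in here before relying on it.
      - name: Security scan
        run: |
          echo "Security scan placeholder"

  plan:
    runs-on: ubuntu-latest
    name: Plan Infrastructure
    needs: validate
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: '1.10.6'

      # NOTE(review): the saved plan (tfplan) is not uploaded or consumed
      # by the apply job, which re-plans from scratch on push to main.
      - name: Plan infrastructure changes
        working-directory: infrastructure/environments/dev
        run: |
          set -euo pipefail
          tofu init -input=false
          tofu plan -input=false -var-file="terraform.tfvars" -out=tfplan
        env:
          # Cloud-provider credentials/environment variables must be
          # supplied here (from repository secrets, not committed values).
          TF_VAR_environment: dev

  apply:
    runs-on: ubuntu-latest
    name: Apply Infrastructure
    needs: validate
    # Only direct pushes to main apply; PRs stop at plan.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: '1.10.6'

      # -auto-approve applies without a human gate; the workflow-level
      # concurrency group is the only guard against overlapping applies.
      - name: Apply infrastructure changes
        working-directory: infrastructure/environments/dev
        run: |
          set -euo pipefail
          tofu init -input=false
          tofu apply -input=false -var-file="terraform.tfvars" -auto-approve
        env:
          # Cloud-provider credentials/environment variables must be
          # supplied here (from repository secrets, not committed values).
          TF_VAR_environment: dev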