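---
# Infrastructure CI/CD for the OpenTofu configurations under infrastructure/.
#
# Jobs (all on ubuntu-latest, pinned to OpenTofu 1.10.6):
#   validate  every trigger: `tofu init -backend=false` + `tofu validate` for
#             each infrastructure/providers/*/ directory, then a recursive
#             `tofu fmt -check`, then a (placeholder) security-scan step.
#   plan      pull_request only: real-backend init + plan of environments/dev.
#   apply     push to main only: real-backend init + unattended apply of
#             environments/dev.
#
# NOTE(review) - security properties of this pipeline:
#   * plan and apply need cloud-provider credentials in the job environment
#     (the env: blocks only set TF_VAR_environment; the credentials are
#     expected to come from repository/runner secrets). Because `plan` runs on
#     pull_request, anything that reaches that job executes `tofu init`
#     (provider download) and `tofu plan` with those credentials, and provider
#     plugins / data sources can run arbitrary code during plan. Do not grant
#     long-lived credentials to PRs from untrusted forks: gate the job on the
#     PR's head repository being this repository, require maintainer approval
#     for workflow runs, or give the plan job a separate read-only identity.
#   * Actions are pinned to mutable major tags (actions/checkout@v4,
#     opentofu/setup-opentofu@v1). Pin them to full commit SHAs once the
#     desired SHAs are known.
#   * apply runs `-auto-approve` on every push to main and re-plans from
#     scratch; the tfplan produced on the PR is never uploaded or reused, so
#     what gets applied is not necessarily what was reviewed.
#   * terraform.tfvars is read from the repository; keep secrets out of it and
#     pass them as TF_VAR_* values from secrets instead.
name: Infrastructure CI/CD

on:
  push:
    branches: [main, develop]
    paths:
      - 'infrastructure/**'
      - '.gitea/workflows/infrastructure.yml'
  pull_request:
    branches: [main]
    paths:
      - 'infrastructure/**'

jobs:
  validate:
    runs-on: ubuntu-latest
    name: Validate Infrastructure
    steps:
      - name: Checkout
        # TODO(review): pin to a full commit SHA instead of the mutable v4 tag.
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        # TODO(review): pin to a full commit SHA instead of the mutable v1 tag.
        uses: opentofu/setup-opentofu@v1
        with:
          # Quoted: a version string, never to be retyped by YAML tooling.
          tofu_version: '1.10.6'

      - name: Validate OpenTofu configurations
        # Backend-less init so validation needs no state or credentials. Each
        # directory is handled in a subshell, so a failing command cannot leave
        # the script in the wrong working directory; -input=false keeps CI from
        # blocking on prompts.
        run: |
          set -euo pipefail
          for dir in infrastructure/providers/*/; do
            [ -d "$dir" ] || continue
            echo "Validating $dir"
            (
              cd "$dir"
              tofu init -backend=false -input=false
              tofu validate
            )
          done

      - name: Check formatting
        run: |
          set -euo pipefail
          tofu fmt -check -recursive infrastructure/

      - name: Security scan
        # NOTE(review): this step is a placeholder and always succeeds; it scans
        # nothing. Replace the echo with a real IaC scanner (tfsec, checkov or
        # trivy config), pinned to a specific version, and let its non-zero exit
        # status fail the job.
        run: |
          echo "Security scan placeholder"

  plan:
    runs-on: ubuntu-latest
    name: Plan Infrastructure
    needs: validate
    # NOTE(review): this job runs with cloud credentials on pull_request events.
    # Before accepting PRs from untrusted contributors, restrict it to PRs whose
    # head branch lives in this repository (e.g. compare
    # github.event.pull_request.head.repo.full_name with github.repository -
    # verify the field name against the runner's event payload).
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
        # TODO(review): pin to a full commit SHA instead of the mutable v4 tag.
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        # TODO(review): pin to a full commit SHA instead of the mutable v1 tag.
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: '1.10.6'

      - name: Plan infrastructure changes
        # -input=false: never block on interactive prompts in CI.
        # -lockfile=readonly: fail instead of silently resolving providers that
        # differ from the committed .terraform.lock.hcl (requires that lock file
        # to be committed for environments/dev).
        run: |
          set -euo pipefail
          cd infrastructure/environments/dev
          tofu init -input=false -lockfile=readonly
          tofu plan -input=false -var-file="terraform.tfvars" -out=tfplan
        env:
          # Cloud-provider credentials must be supplied here from repository
          # secrets; only the environment name is set so far.
          TF_VAR_environment: dev

  apply:
    runs-on: ubuntu-latest
    name: Apply Infrastructure
    needs: validate
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    # Serialise applies: two overlapping pushes to main would otherwise race on
    # the same state. Honoured by runners that implement `concurrency`, ignored
    # otherwise - confirm for the Gitea version in use.
    concurrency:
      group: infrastructure-apply-dev
      cancel-in-progress: false
    steps:
      - name: Checkout
        # TODO(review): pin to a full commit SHA instead of the mutable v4 tag.
        uses: actions/checkout@v4

      - name: Setup OpenTofu
        # TODO(review): pin to a full commit SHA instead of the mutable v1 tag.
        uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: '1.10.6'

      - name: Apply infrastructure changes
        # NOTE(review): unattended apply of whatever is on main, re-planned here
        # rather than applied from the PR's tfplan. Consider a required
        # approval / environment gate in front of this job.
        # Same init flags as plan: no prompts, providers must match the lock
        # file.
        run: |
          set -euo pipefail
          cd infrastructure/environments/dev
          tofu init -input=false -lockfile=readonly
          tofu apply -input=false -auto-approve -var-file="terraform.tfvars"
        env:
          # Cloud-provider credentials must be supplied here from repository
          # secrets; only the environment name is set so far.
          TF_VAR_environment: dev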