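---
# Runs the repository's pre-commit hooks against the Terraform sources.
#
# A push to master checks every file; a pull request checks only the
# Terraform-related files that differ from the base branch. terraform_docs is
# skipped in CI and left to the local pre-commit setup (see the SKIP env below).
name: Pre-commit

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [master]
    paths:
      - '**.tf'
      - '**.tfvars'
      - '.pre-commit-config.yaml'
  push:
    branches: [master]
    paths:
      - '**.tf'
      - '**.tfvars'
      - '.pre-commit-config.yaml'

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Read-only token: the job only inspects the tree and writes a step summary.
    permissions:
      contents: read
      pull-requests: read
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # major-version tags. Pinning each `uses:` to a full commit SHA (with the
      # tag kept in a trailing comment) makes the build reproducible and
      # tamper-evident; the SHAs are not on record here, so the tags are kept.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Full clone; the changed-file diff against the base branch below
          # depends on the relevant history being present.
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.3.0'

      - name: Install tflint
        env:
          TFLINT_VERSION: 'v0.54.0'
        run: |
          set -euo pipefail
          base_url="https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}"
          # Keep the upstream asset name so it matches the entry in checksums.txt.
          curl -sSL "${base_url}/tflint_linux_amd64.zip" -o tflint_linux_amd64.zip
          # Verify the archive before anything from it is placed on PATH. The
          # checksum list is fetched from the same origin, so this catches a
          # corrupted or truncated download; pinning the expected SHA-256 of the
          # archive in this workflow would additionally catch a tampered asset.
          curl -sSL "${base_url}/checksums.txt" -o checksums.txt
          sha256sum --ignore-missing --check checksums.txt
          unzip -q tflint_linux_amd64.zip
          sudo mv tflint /usr/local/bin/
          rm -f tflint_linux_amd64.zip checksums.txt
          tflint --version

      - name: Install pre-commit
        run: |
          python -m pip install --upgrade pip
          # pre-commit itself is installed unpinned, so each run picks up the
          # latest release published to PyPI.
          pip install pre-commit

      - name: Cache pre-commit hooks
        uses: actions/cache@v5
        with:
          path: ~/.cache/pre-commit
          # The trailing -v3 appears to be a manual cache-bust suffix: bumping it
          # discards previously cached hook environments.
          key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}-v3

      - name: Install pre-commit hooks
        run: pre-commit install-hooks

      # Skip terraform_docs in CI - rely on local pre-commit + AI review
      # This eliminates environment parity issues between macOS and Linux
      - name: Run pre-commit checks
        env:
          SKIP: terraform_docs
          # Workflow expressions are passed through env rather than expanded
          # inside the script, so their values are data to the shell and are
          # never re-parsed as part of the command text.
          EVENT_NAME: ${{ github.event_name }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "push" ]; then
            pre-commit run --all-files
          else
            git fetch origin "$BASE_REF" --depth=100
            git status
            # Terraform-related files that differ from the merge base with the
            # base branch. Deleted files are excluded (there is nothing to lint)
            # and the list is NUL-delimited and read into an array so that paths
            # containing spaces or non-ASCII characters survive intact.
            mapfile -t -d '' changed_files < <(
              git diff --name-only -z --diff-filter=d "origin/${BASE_REF}...HEAD" \
                -- '*.tf' '*.tfvars' '.pre-commit-config.yaml'
            )
            if [ "${#changed_files[@]}" -gt 0 ]; then
              echo "Running pre-commit on changed files:"
              printf '%s\n' "${changed_files[@]}"
              pre-commit run --files "${changed_files[@]}"
            else
              echo "No Terraform files changed, skipping pre-commit checks"
            fi
          fi

      - name: Pre-commit summary
        # Runs even when an earlier step failed so the summary reflects the outcome.
        if: always()
        env:
          JOB_STATUS: ${{ job.status }}
        run: |
          set -euo pipefail
          # One redirect for the whole block instead of one per line.
          {
            echo "## Pre-commit Results"
            echo ""
            if [ "$JOB_STATUS" = "success" ]; then
              echo "All pre-commit checks passed!"
              echo ""
              echo "**Checks performed:**"
              echo "- Terraform formatting (terraform_fmt)"
              echo "- Terraform validation (terraform_validate)"
              echo "- TFLint analysis (terraform_tflint)"
              echo "- File formatting (trailing-whitespace, end-of-file)"
              echo ""
              echo "**Note:** Documentation (terraform_docs) is handled locally via pre-commit hooks."
            else
              echo "Pre-commit checks failed"
              echo ""
              echo "Run \`pre-commit run --all-files\` locally to fix issues."
            fi
          } >> "$GITHUB_STEP_SUMMARY"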