feat: add support for backup vault access policies #61
Workflow file for this run
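# Runs the repository's pre-commit hooks (Terraform fmt/validate, TFLint,
# whitespace checks) on pushes and pull requests that target master and touch
# Terraform files or the pre-commit configuration.
name: Pre-commit

on:
  pull_request:
    branches: [master]
    paths:
      - '**.tf'
      - '**.tfvars'
      - '.pre-commit-config.yaml'
  push:
    branches: [master]
    paths:
      - '**.tf'
      - '**.tfvars'
      - '.pre-commit-config.yaml'

jobs:
  pre-commit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Read-only token: the job only checks out code and runs linters.
    # NOTE(review): no step shown here calls the pull-requests API; confirm
    # the pull-requests scope is still needed.
    permissions:
      contents: read
      pull-requests: read
    # The actions below are referenced by mutable major-version tags. Pinning
    # each `uses:` to a full commit SHA keeps a re-tagged release from changing
    # what this job executes.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history so the base branch is available for the diff below.
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.3.0'

      - name: Install tflint
        run: |
          TFLINT_VERSION="v0.54.0"
          TFLINT_RELEASE="https://github.com/terraform-linters/tflint/releases/download/${TFLINT_VERSION}"
          # --fail aborts on an HTTP error instead of saving the error page as
          # the archive.
          curl --fail -sSL "${TFLINT_RELEASE}/tflint_linux_amd64.zip" -o tflint_linux_amd64.zip
          curl --fail -sSL "${TFLINT_RELEASE}/checksums.txt" -o checksums.txt
          # Verify the archive before anything from it is installed as root.
          # The checksum list comes from the same release, so this catches a
          # corrupted or truncated download; committing the expected SHA-256 to
          # this repository would also cover a replaced release asset.
          sha256sum --check --ignore-missing checksums.txt
          unzip -q tflint_linux_amd64.zip
          sudo mv tflint /usr/local/bin/
          rm tflint_linux_amd64.zip checksums.txt
          tflint --version

      - name: Install pre-commit
        # pre-commit is installed unpinned, so every run resolves the latest
        # release from PyPI; pin a version for reproducible runs.
        run: |
          python -m pip install --upgrade pip
          pip install pre-commit

      - name: Cache pre-commit hooks
        uses: actions/cache@v4
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}-v3

      - name: Install pre-commit hooks
        run: pre-commit install-hooks

      # Skip terraform_docs in CI - rely on local pre-commit + AI review
      # This eliminates environment parity issues between macOS and Linux
      - name: Run pre-commit checks
        # The script uses bash arrays and mapfile; this also enables pipefail.
        shell: bash
        env:
          SKIP: terraform_docs
          # Context values are handed to the script as environment variables so
          # they are treated as data, not expanded into the script text.
          EVENT_NAME: ${{ github.event_name }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          if [ "${EVENT_NAME}" == "push" ]; then
            pre-commit run --all-files
          else
            # NOTE(review): checkout already uses fetch-depth: 0; confirm this
            # depth-limited fetch is still needed.
            git fetch origin "${BASE_REF}" --depth=100
            git status
            # Paths in a pull request are contributor-controlled. NUL-delimited
            # output and an array keep names containing spaces or glob
            # characters intact instead of letting the shell split them.
            changed_list="${RUNNER_TEMP}/changed-files"
            git diff --name-only -z "origin/${BASE_REF}...HEAD" -- '*.tf' '*.tfvars' '.pre-commit-config.yaml' > "${changed_list}"
            mapfile -d '' -t CHANGED_FILES < "${changed_list}"
            if [ "${#CHANGED_FILES[@]}" -gt 0 ]; then
              echo "Running pre-commit on changed files:"
              printf '%s\n' "${CHANGED_FILES[@]}"
              pre-commit run --files "${CHANGED_FILES[@]}"
            else
              echo "No Terraform files changed, skipping pre-commit checks"
            fi
          fi

      - name: Pre-commit summary
        # Runs even when an earlier step failed so the summary is always written.
        if: always()
        env:
          JOB_STATUS: ${{ job.status }}
        run: |
          echo "## Pre-commit Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ "${JOB_STATUS}" == "success" ]; then
            echo "All pre-commit checks passed!" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Checks performed:**" >> "$GITHUB_STEP_SUMMARY"
            echo "- Terraform formatting (terraform_fmt)" >> "$GITHUB_STEP_SUMMARY"
            echo "- Terraform validation (terraform_validate)" >> "$GITHUB_STEP_SUMMARY"
            echo "- TFLint analysis (terraform_tflint)" >> "$GITHUB_STEP_SUMMARY"
            echo "- File formatting (trailing-whitespace, end-of-file)" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Note:** Documentation (terraform_docs) is handled locally via pre-commit hooks." >> "$GITHUB_STEP_SUMMARY"
          else
            echo "Pre-commit checks failed" >> "$GITHUB_STEP_SUMMARY"
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "Run \`pre-commit run --all-files\` locally to fix issues." >> "$GITHUB_STEP_SUMMARY"
          fi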