
fix(build): add granular grype-soft-fail for PR validation #470

fix(build): add granular grype-soft-fail for PR validation



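# Pull Request Validation Workflow
#
# Purpose:
# This workflow runs the CI/CD pipeline for pull requests to maintain code quality,
# validate infrastructure changes, and ensure readiness for merging to main branch.
#
# Functionality:
# - Detects changed files in the pull request to determine required validation steps
# - Runs per-tool lint workflows for static code analysis across multiple languages
# - Runs CodeQL analysis and a dependency review against the pull request
# - Validates Terraform configurations using init, validate, plan, and test operations
# - Checks Azure IoT Operations component versions against latest published releases
# - Ensures consistent documentation standards
# - Tests resource provider scripts in PowerShell and bash
#
# Parameters:
# - includeIaCFolders (workflow_dispatch only; boolean, default false):
#   Include all Infrastructure as Code folders in the matrix check.
#   Pull request runs take no inputs; the value is forced to false for them.
#
# Output Variables:
# None - Results are provided as GitHub checks, annotations, and artifacts
#
# Blocking vs. non-blocking checks:
# - Jobs passing `soft-fail: true` / `grype-soft-fail: true` are intended to surface
#   findings without failing the PR check (the exact behaviour lives in the called
#   workflow).
# - Jobs passing `break-build: true` / `break_build: true` are intended to fail the PR.
#
# Usage Examples:
# This workflow is automatically triggered on pull requests and doesn't need manual invocation.
#
# This comprehensive validation workflow helps maintain code quality and prevents
# problematic code from being merged into the main branch.
---
name: PR Validation

# Workflow-wide default token scope; jobs that need more declare it themselves.
permissions:
  contents: read

on: # yamllint disable-line rule:truthy
  pull_request:
    # Only run on PRs targeting the main branch
    branches:
      - main
    types: [opened, synchronize, reopened]
  workflow_dispatch:
    inputs:
      includeIaCFolders:
        description: 'Include all Infrastructure as Code folders in the matrix check'
        required: true
        default: false
        type: boolean

jobs:
  # CodeQL Analysis job for PR code security scanning
  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # required to upload SARIF results
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'python', 'typescript', 'csharp', 'rust']
        # CodeQL supports these languages: https://aka.ms/codeql-docs/language-support
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          languages: ${{ matrix.language }}
          build-mode: none
      - name: Autobuild
        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          category: "/language:${{matrix.language}}"

  # Dependency scanning job for PRs
  dependency-scan:
    name: Dependency Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed for comment-summary-in-pr
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Dependency Review
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          # Blocks the PR on newly introduced high/critical vulnerabilities.
          fail-on-severity: high
          warn-on-openssf-scorecard-level: 3
          comment-summary-in-pr: on-failure

  # Shell script linting (non-blocking)
  shell-lint:
    name: Shell Lint
    permissions:
      contents: read
    uses: ./.github/workflows/shell-lint.yml
    with:
      soft-fail: true

  # Terraform linting (non-blocking)
  terraform-lint:
    name: Terraform Lint
    permissions:
      contents: read
    uses: ./.github/workflows/terraform-lint.yml
    with:
      soft-fail: true

  # Bicep linting
  bicep-lint:
    name: Bicep Lint
    permissions:
      contents: read
    uses: ./.github/workflows/bicep-lint.yml

  # Documentation linting
  docs-lint:
    name: Documentation Lint
    permissions:
      contents: read
    uses: ./.github/workflows/docs-lint.yml

  # Code quality checks (non-blocking)
  code-quality-lint:
    name: Code Quality Lint
    permissions:
      contents: read
    uses: ./.github/workflows/code-quality-lint.yml
    with:
      soft-fail: true

  # PowerShell linting
  powershell-lint:
    name: PowerShell Lint
    permissions:
      contents: read
    uses: ./.github/workflows/powershell-lint.yml

  # Security scanning
  security-scan:
    name: Security Scan
    permissions:
      contents: read
      security-events: write  # required to upload scan results as code-scanning alerts
    uses: ./.github/workflows/security-scan.yml
    with:
      # Only the Grype step is soft-failed for PRs; other scanners in the called
      # workflow keep their own defaults. Grype findings are still reported.
      grype-soft-fail: true

  # YAML and container linting
  yaml-lint:
    name: YAML Lint
    permissions:
      contents: read
    uses: ./.github/workflows/yaml-lint.yml

  # Documentation automation validation for PRs
  docs-automation:
    name: Documentation Automation
    uses: ./.github/workflows/docs-automation.yml
    # Broader than the workflow default (contents: read); scoped to this job only.
    permissions:
      contents: write
      pull-requests: write
      actions: read
      issues: write
    with:
      force_regenerate: false
    secrets: inherit

  # Call docs-check-terraform for PR validation
  docs-check-terraform:
    name: Terraform Documentation Check
    permissions:
      contents: read
    uses: ./.github/workflows/docs-check-terraform.yml
    with:
      break_build: true
      terraformDocsVersion: 'v0.19.0'
    secrets: inherit

  # Call docs-check-bicep workflow
  docs-check-bicep:
    name: Bicep Documentation Check
    permissions:
      contents: read
    uses: ./.github/workflows/docs-check-bicep.yml
    with:
      break_build: true
    secrets: inherit

  # AIO version checks for PRs (informational: break-build is off)
  aio-version-check:
    name: AIO Version Check
    permissions:
      contents: read
    uses: ./.github/workflows/aio-version-checker.yml
    with:
      iac-type: all
      break-build: false

  # Rust clippy lint check for PRs
  rust-clippy:
    name: Rust Clippy Lint Check
    permissions:
      contents: read
    uses: ./.github/workflows/rust-clippy.yml
    with:
      break-build: true
    secrets: inherit

  # Use reusable workflow to detect detailed changes and create folder matrix
  matrix-changes:
    name: Detect Matrix Changes
    needs: [docs-automation]
    uses: ./.github/workflows/matrix-folder-check.yml
    permissions:
      contents: read
      actions: read
    with:
      displayName: 'Detect component changes for PR validation'
      # The manual input is only honoured on workflow_dispatch; every other
      # event evaluates to false.
      includeIaCFolders: ${{ github.event_name == 'workflow_dispatch' && inputs.includeIaCFolders || false }}
      includeApplications: false

  # PowerShell Resource Provider Tests for PRs
  pwsh-provider-tests:
    name: PowerShell Provider Tests
    permissions:
      contents: read
    uses: ./.github/workflows/resource-provider-pwsh-tests.yml
    with:
      working-directory: 'src/azure-resource-providers'
      test-results-output: 'PWSH-TEST-RESULTS.xml'

  # Terraform variable compliance check for PRs (informational: break_build is off)
  terraform-var-compliance:
    name: Terraform Variable Compliance
    needs: [matrix-changes]
    permissions:
      contents: read
    uses: ./.github/workflows/variable-compliance-terraform.yml
    with:
      break_build: false
    secrets: inherit

  # Terraform tests using matrix for each changed module
  terraform-module-tests:
    name: Terraform Module Tests
    needs: [matrix-changes]
    # Skip when no Terraform install folder changed or the matrix is empty.
    if: needs.matrix-changes.outputs.changesInTfInstall == 'true' && fromJson(needs.matrix-changes.outputs.changedTfFolders).folderName[0] != null
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.matrix-changes.outputs.changedTfFolders) }}
    permissions:
      contents: read
    uses: ./.github/workflows/cluster-test-terraform.yml
    with:
      # NOTE(review): folderName is derived from the paths changed in the PR, so it
      # is PR-author-controlled; the called workflow should treat it as data
      # (input/env), not interpolate it into shell. Confirm in cluster-test-terraform.yml.
      working-directory: ${{ matrix.folderName }}
      terraform-version: '1.9.8'
      test-apply: false  # plan/test only; nothing is applied for PRs
    secrets: inherit

  # Application matrix builds for each changed application
  application-matrix-builds:
    name: Application Matrix Builds
    needs: [matrix-changes]
    # Skip when no application folder changed or the matrix is empty.
    if: needs.matrix-changes.outputs.changesInApplications == 'true' && fromJson(needs.matrix-changes.outputs.changedApplicationFolders).folderName[0] != null
    uses: ./.github/workflows/application-matrix-builds.yml
    # NOTE(review): packages/id-token write are granted although securityConfig sets
    # pushImages to false; check whether the called workflow needs them on PRs.
    permissions:
      contents: read
      packages: write
      id-token: write
      actions: read
      security-events: write
    with:
      applicationMatrix: ${{ needs.matrix-changes.outputs.changedApplicationFolders }}
      registryName: ${{ vars.REGISTRY_NAME || 'ghcr.io' }}
      buildConfig: |
        {
          "dockerComposeVersion": "2.24.5"
        }
      # PR builds: no image push, no SLSA provenance, scan enabled at "high".
      securityConfig: |
        {
          "pushImages": false,
          "enableSLSA": false,
          "enableSecurityScan": true,
          "securityThreshold": "high"
        }
    secrets: inherit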