
Commit 8006135

fix: simplify CI by skipping terraform_docs in favor of local pre-commit (#52)
* fix: simplify CI by skipping terraform_docs in favor of local pre-commit

- Remove terraform_docs from CI checks to eliminate environment parity issues
- Skip documentation generation in CI (handled locally via pre-commit hooks)
- Remove terraform-docs installation step (no longer needed in CI)
- Simplify workflow by removing .md from path filters
- Update cache key version to bust stale cache
- Upgrade actions/setup-python to v5 and Python to 3.13
- Upgrade actions/cache to v4
- Consolidate push/PR run steps into single conditional step
- Streamline pre-commit summary for clarity

This approach:

- Keeps critical checks in CI: terraform_fmt, terraform_validate, tflint
- Relies on local pre-commit for documentation generation
- Uses AI review as additional quality gate for documentation accuracy
- Eliminates macOS vs Linux environment differences causing CI failures

Closes #51

* fix: address security and bug issues in pre-commit workflow

- Replace curl|bash tflint install with official terraform-linters/setup-tflint@v4 action (eliminates supply chain attack vector)
- Fix file handling by converting newlines to spaces for pre-commit --files argument
- Add error handling for git fetch operation (|| exit 1)

Addresses feedback from bug hunt review.
1 parent b829c9e commit 8006135

1 file changed

Lines changed: 31 additions & 69 deletions

File tree

.github/workflows/pre-commit.yml

@@ -6,14 +6,12 @@ on:
66
paths:
77
- '**.tf'
88
- '**.tfvars'
9-
- '**.md'
109
- '.pre-commit-config.yaml'
1110
push:
1211
branches: [master]
1312
paths:
1413
- '**.tf'
1514
- '**.tfvars'
16-
- '**.md'
1715
- '.pre-commit-config.yaml'
1816

1917
jobs:
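Review bot: both `paths:` lists (the `pull_request` one and the `push` one) still omit the workflow file itself, so a pull request that only edits `.github/workflows/pre-commit.yml` will not trigger this workflow and a broken workflow change is only exercised on the next `.tf` or `.tfvars` commit. Add `- '.github/workflows/pre-commit.yml'` next to `- '.pre-commit-config.yaml'` in both lists. Dropping `- '**.md'` also means the trailing-whitespace and end-of-file hooks that the summary step advertises no longer run on Markdown-only changes in CI; that is consistent with the `'*.tf' '*.tfvars'` filter used for pull requests further down, but the reason belongs in a comment here since those two hooks are not Terraform-specific.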
@@ -31,78 +29,52 @@ jobs:
3129
fetch-depth: 0
3230

3331
- name: Set up Python
34-
uses: actions/setup-python@v4
32+
uses: actions/setup-python@v5
3533
with:
36-
python-version: '3.11'
34+
python-version: '3.13'
3735

3836
- name: Set up Terraform
3937
uses: hashicorp/setup-terraform@v3
4038
with:
4139
terraform_version: '1.3.0'
4240

43-
- name: Cache terraform tools
44-
uses: actions/cache@v3
41+
- name: Setup TFLint
42+
uses: terraform-linters/setup-tflint@v4
4543
with:
46-
path: |
47-
~/.local/bin/terraform-docs
48-
~/.local/bin/tflint
49-
key: terraform-tools-${{ runner.os }}-v1
50-
restore-keys: |
51-
terraform-tools-${{ runner.os }}-
52-
53-
- name: Install terraform-docs
54-
run: |
55-
if [ ! -f ~/.local/bin/terraform-docs ]; then
56-
echo "Installing terraform-docs..."
57-
mkdir -p ~/.local/bin
58-
curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
59-
tar -xzf terraform-docs.tar.gz
60-
chmod +x terraform-docs
61-
mv terraform-docs ~/.local/bin/
62-
rm terraform-docs.tar.gz
63-
fi
64-
echo "$HOME/.local/bin" >> $GITHUB_PATH
65-
66-
- name: Install tflint
67-
run: |
68-
if ! command -v tflint &> /dev/null; then
69-
echo "Installing tflint..."
70-
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
71-
fi
44+
tflint_version: v0.54.0
7245

7346
- name: Install pre-commit
7447
run: |
7548
python -m pip install --upgrade pip
7649
pip install pre-commit
7750
7851
- name: Cache pre-commit hooks
79-
uses: actions/cache@v3
52+
uses: actions/cache@v4
8053
with:
8154
path: ~/.cache/pre-commit
82-
key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
83-
restore-keys: |
84-
pre-commit-${{ runner.os }}-
55+
key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}-v2
8556

8657
- name: Install pre-commit hooks
8758
run: pre-commit install-hooks
8859

89-
- name: Run pre-commit on all files (push to master)
90-
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
91-
run: pre-commit run --all-files
92-
93-
- name: Run pre-commit on changed files (pull request)
94-
if: github.event_name == 'pull_request'
60+
# Skip terraform_docs in CI - rely on local pre-commit + AI review
61+
# This eliminates environment parity issues between macOS and Linux
62+
- name: Run pre-commit checks
63+
env:
64+
SKIP: terraform_docs
9565
run: |
96-
# Get the list of changed files
97-
git fetch origin ${{ github.base_ref }}
98-
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.tf' '*.tfvars' '*.md')
99-
100-
if [ -n "$CHANGED_FILES" ]; then
101-
echo "Running pre-commit on changed files:"
102-
echo "$CHANGED_FILES"
103-
pre-commit run --files $CHANGED_FILES
66+
if [ "${{ github.event_name }}" == "push" ]; then
67+
pre-commit run --all-files
10468
else
105-
echo "No relevant files changed, skipping pre-commit checks"
69+
git fetch origin ${{ github.base_ref }} || exit 1
70+
CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.tf' '*.tfvars' | tr '\n' ' ')
71+
if [ -n "$CHANGED_FILES" ]; then
72+
echo "Running pre-commit on changed files:"
73+
echo "$CHANGED_FILES"
74+
pre-commit run --files $CHANGED_FILES
75+
else
76+
echo "No Terraform files changed, skipping pre-commit checks"
77+
fi
10678
fi
10779
10880
- name: Pre-commit summary
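Review bot: the `| tr '\n' ' '` added to the `CHANGED_FILES=` line does not change what `pre-commit run --files $CHANGED_FILES` receives, because the unquoted expansion already splits on newlines under the default IFS, and neither form survives a path containing a space. Replace the variable with a null-delimited pipeline, for example `git diff --name-only -z --diff-filter=d origin/"$BASE_REF"...HEAD -- '*.tf' '*.tfvars' | xargs -0 -r pre-commit run --files`; `--diff-filter=d` also drops deleted files, which `git diff --name-only` currently hands to pre-commit, and `-r` covers the empty case that the `if [ -n "$CHANGED_FILES" ]` branch handles today. Pass `${{ github.base_ref }}` through an `env:` entry (`BASE_REF: ${{ github.base_ref }}`) instead of interpolating it into the script, so no expression is expanded inside the shell text even though a base branch name is under the repository's control. Replacing the `curl ... install_linux.sh | bash` step with `terraform-linters/setup-tflint@v4` and an explicit `tflint_version: v0.54.0` removes the unpinned remote script, but every `uses:` in this hunk still resolves a mutable major tag (`@v5`, `@v3`, `@v4`); pin each to a full commit SHA with the tag in a trailing comment so the action cannot change underneath the workflow. `pip install pre-commit` is likewise unpinned and will install whatever is newest on each run; pin a version (and `--require-hashes` where practical) so the hook runner matches what developers use locally. The `|| exit 1` after `git fetch` is redundant because `run:` steps default to `bash -e`, but it is harmless to keep.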
@@ -114,25 +86,15 @@ jobs:
11486
if [ "${{ job.status }}" == "success" ]; then
11587
echo "✅ All pre-commit checks passed!" >> $GITHUB_STEP_SUMMARY
11688
echo "" >> $GITHUB_STEP_SUMMARY
117-
echo "**Tools verified:**" >> $GITHUB_STEP_SUMMARY
118-
echo "- 🔧 Terraform formatting" >> $GITHUB_STEP_SUMMARY
119-
echo "- ✅ Terraform validation" >> $GITHUB_STEP_SUMMARY
120-
echo "- 📚 Documentation generation" >> $GITHUB_STEP_SUMMARY
121-
echo "- 🔍 TFLint analysis" >> $GITHUB_STEP_SUMMARY
122-
echo "- 🧹 File formatting" >> $GITHUB_STEP_SUMMARY
89+
echo "**Checks performed:**" >> $GITHUB_STEP_SUMMARY
90+
echo "- 🔧 Terraform formatting (terraform_fmt)" >> $GITHUB_STEP_SUMMARY
91+
echo "- ✅ Terraform validation (terraform_validate)" >> $GITHUB_STEP_SUMMARY
92+
echo "- 🔍 TFLint analysis (terraform_tflint)" >> $GITHUB_STEP_SUMMARY
93+
echo "- 🧹 File formatting (trailing-whitespace, end-of-file)" >> $GITHUB_STEP_SUMMARY
94+
echo "" >> $GITHUB_STEP_SUMMARY
95+
echo "**Note:** Documentation (terraform_docs) is handled locally via pre-commit hooks." >> $GITHUB_STEP_SUMMARY
12396
else
12497
echo "❌ Pre-commit checks failed" >> $GITHUB_STEP_SUMMARY
12598
echo "" >> $GITHUB_STEP_SUMMARY
126-
echo "Please check the logs above for specific failures." >> $GITHUB_STEP_SUMMARY
127-
echo "You can run \`pre-commit run --all-files\` locally to fix issues." >> $GITHUB_STEP_SUMMARY
99+
echo "Run \`pre-commit run --all-files\` locally to fix issues." >> $GITHUB_STEP_SUMMARY
128100
fi
129-
130-
echo "" >> $GITHUB_STEP_SUMMARY
131-
echo "**Configured hooks:**" >> $GITHUB_STEP_SUMMARY
132-
echo "- trailing-whitespace" >> $GITHUB_STEP_SUMMARY
133-
echo "- end-of-file-fixer" >> $GITHUB_STEP_SUMMARY
134-
echo "- check-yaml" >> $GITHUB_STEP_SUMMARY
135-
echo "- terraform_fmt" >> $GITHUB_STEP_SUMMARY
136-
echo "- terraform_validate" >> $GITHUB_STEP_SUMMARY
137-
echo "- terraform_docs" >> $GITHUB_STEP_SUMMARY
138-
echo "- terraform_tflint" >> $GITHUB_STEP_SUMMARY
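Review bot: the success branch now prints a fixed list under `**Checks performed:**`, but on a pull request where the previous step found no changed `.tf`/`.tfvars` files and printed "No Terraform files changed, skipping pre-commit checks", `job.status` is still `success`, so the summary reports ✅ and four checks that never ran. Have the run step record whether hooks actually executed (give it an `id:` and `echo "ran=true" >> "$GITHUB_OUTPUT"` in the branch that calls pre-commit) and branch the summary on that output. Hardcoding the hook list also invites drift: `check-yaml`, shown in the removed `**Configured hooks:**` block, still runs but is absent from the new list, so consider deriving the list from `.pre-commit-config.yaml` instead. The failure hint `pre-commit run --all-files` will run `terraform_docs` locally while CI sets `SKIP: terraform_docs`, so a local pass does not guarantee the CI result and vice versa; either mention `SKIP=terraform_docs` in the hint or tell the reader to look for the failing hook names in the log.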
