This action runs tfsec with reviewdog on pull requests to enforce best practices.
By default, with reporter: github-pr-check, an annotation is added to the line.
With reporter: github-pr-review, a comment is added to the Pull Request Conversation.
Inputs

github_token
Required. Must be in form of github_token: ${{ secrets.github_token }}.

working_directory
Optional. Directory to run the action on, from the repo root.
The default is . (root of the repository).

level
Optional. Report level for reviewdog [info,warning,error].
It is the same as the -level flag of reviewdog.
The default is error.

tool_name
Optional. Name of the tool being used. This controls how it will show up in the GitHub UI.
The default is tfsec.

reporter
Optional. Reporter of reviewdog command [github-pr-check,github-pr-review].
The default is github-pr-check.

filter_mode
Optional. Filtering for the reviewdog command [added,diff_context,file,nofilter].
The default is added.
See reviewdog documentation for filter mode for details.

fail_on_error
Optional. Exit code for reviewdog when errors are found [true,false].
The default is false.
See reviewdog documentation for exit codes for details.

flags
Optional. Additional reviewdog flags. Useful for debugging errors, when it can be set to -tee.
The default is an empty string.

tfsec_version
Optional. The version of tfsec to install.
The default is latest.

tfsec_flags
Optional. List of arguments to send to tfsec.
For the output to be parsable by reviewdog, --format=checkstyle is enforced.
The default is an empty string.

Outputs

tfsec-return-code
The tfsec command return code.

reviewdog-return-code
The reviewdog command return code.
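The two return-code outputs can be read by a later step to gate the job on the full tfsec scan, even when reviewdog only comments on added lines. The workflow below is an added example, not part of the action's own documentation. It assumes the outputs are named tfsec-return-code and reviewdog-return-code, that tfsec exits non-zero when it reports findings, and that the listed token permissions are sufficient for the github-pr-review reporter; the step id tfsec is hypothetical.

```yaml
name: tfsec-gate
on: [pull_request]

# Assumption: least-privilege token scopes for checkout plus PR review comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  tfsec:
    name: runner / tfsec
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@v4

      - name: Run tfsec with reviewdog
        id: tfsec                              # hypothetical id, needed to read the outputs
        uses: reviewdog/action-tfsec@master    # ref as used on this page
        with:
          github_token: ${{ secrets.github_token }}
          reporter: github-pr-review
          filter_mode: added                   # comment only on lines added in the PR
          fail_on_error: false                 # keep this step green; the gate is below

      - name: Gate on the tfsec return code
        if: always()
        env:
          # Pass the outputs through env instead of inlining them into the script.
          TFSEC_RC: ${{ steps.tfsec.outputs.tfsec-return-code }}
          REVIEWDOG_RC: ${{ steps.tfsec.outputs.reviewdog-return-code }}
        run: |
          echo "tfsec exit code: ${TFSEC_RC:-unset}"
          echo "reviewdog exit code: ${REVIEWDOG_RC:-unset}"
          # Assumption: tfsec exits non-zero when it reports findings.
          # An unset value is treated as a failure so a broken run cannot pass silently.
          if [ "${TFSEC_RC:-1}" != "0" ]; then
            echo "::error::tfsec reported findings in the scanned directory"
            exit 1
          fi
```

With filter_mode: added, findings on lines the pull request did not touch produce no review comment, so the return code is the only signal for them in this setup.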
name: tfsec
on: [pull_request]
jobs:
  tfsec:
    name: runner / tfsec
    runs-on: ubuntu-latest # Windows and macOS are also supported
    steps:
      - name: Clone repo
        uses: actions/checkout@v4
      - name: Run tfsec with reviewdog output on the PR
        # master is a moving ref; pin a release tag or commit SHA for reproducible runs
        uses: reviewdog/action-tfsec@master
        with:
          github_token: ${{ secrets.github_token }}
          working_directory: my_directory # Change working directory
          level: info # Get more output from reviewdog
          reporter: github-pr-review # Change reviewdog reporter
          filter_mode: nofilter # Check all files, not just the diff
          fail_on_error: true # Fail action if errors are found
          flags: -tee # Add debug flag to reviewdog
          tfsec_flags: "" # Optional

You can bump the version by merging Pull Requests with specific labels (bump:major,bump:minor,bump:patch). Pushing a tag manually also works.
This action updates major/minor release tags on a tag push. For example, the v1 and v1.2 tags are updated when v1.2.3 is released. ref: https://help.github.com/en/articles/about-actions#versioning-your-action
This reviewdog action template is itself integrated with reviewdog to run lints, which is useful for Docker container based actions.
Supported linters:
This repository uses haya14busa/action-depup to update reviewdog version.