Skip to content

fix(workflows): harden CI workflows to fail-fast on lint, security, and doc-gen errors#393

Open
WilliamBerryiii wants to merge 5 commits intomainfrom
fix/ci-hard-fail-workflow-hardening
Open

fix(workflows): harden CI workflows to fail-fast on lint, security, and doc-gen errors#393
WilliamBerryiii wants to merge 5 commits intomainfrom
fix/ci-hard-fail-workflow-hardening

Conversation

@WilliamBerryiii
Copy link
Copy Markdown
Member

@WilliamBerryiii WilliamBerryiii commented Apr 14, 2026

Description

Converts all CI soft-fail and break-build flags to hard-fail across both PR validation and main branch workflows. Removes the redundant dependency-scan-main job from the main workflow, and aligns the terraformDocsVersion pin to v0.20.0 in both pipelines.

PR Validation (pr-validation.yml)

  • soft-fail: truesoft-fail: false for shell-lint, terraform-lint, and code-quality-lint
  • grype-soft-fail: truegrype-soft-fail: false for security-scan
  • terraformDocsVersion: 'v0.19.0''v0.20.0' for docs-check-terraform

Main Branch (main.yml)

  • break-build: falsebreak-build: true for rust-clippy, docs-check-terraform, and docs-check-bicep
  • Added terraformDocsVersion: 'v0.20.0' for docs-check-terraform
  • Added fail-on-critical: true for security-comprehensive (Grype/Trivy)
  • Removed the dependency-scan-main job (16 lines) — redundant with 5 overlapping security layers: security-comprehensive (Grype + Trivy), security-scan (Grype in PR), CodeQL via GitHub Advanced Security, Dependabot, and GitHub secret scanning

Auto-Generated Side Effects

The terraformDocsVersion bump to v0.20.0 caused minor whitespace changes in auto-generated Terraform README files (051-vm-host/terraform/README.md, modules/virtual-machine/README.md) and a Cargo.lock update.

Related Issue

Related to #374

Type of Change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • CI/CD pipeline change
  • Refactoring
  • Infrastructure change

Implementation Details

  1. PR Validation Hard-Fail — Flipped soft-fail from true to false for shell-lint, terraform-lint, and code-quality-lint reusable workflow calls. Flipped grype-soft-fail from true to false for the security-scan job. PRs that introduce lint or security findings will now block merge.

  2. Main Branch Hard-Fail — Flipped break-build from false to true for rust-clippy, docs-check-terraform, and docs-check-bicep. Added fail-on-critical: true for the security-comprehensive job. Main branch runs will now fail visibly on lint, doc-gen, or critical vulnerability findings.

  3. Redundant Job Removal — Deleted the dependency-scan-main job that ran Grype on the main branch. This scan was fully covered by the security-comprehensive job (Grype + Trivy), plus CodeQL, Dependabot, and secret scanning provide additional layers.

  4. Version Pin Alignment — Added explicit terraformDocsVersion: 'v0.20.0' to the main workflow's docs-check-terraform call, matching the pin already present in pr-validation.yml.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Verified all soft-fail, break-build, and grype-soft-fail flags are consistently set to their hard-fail values across both workflows.
  2. Confirmed terraformDocsVersion is pinned to v0.20.0 in both pr-validation.yml and main.yml.
  3. Verified the dependency-scan-main job is completely removed and no dangling references remain.
  4. Ran npm run tflint-fix-all and npm run tf-validate locally — all pass.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

  • No Terraform or Bicep source files were changed — only CI workflow YAML. The terraform fmt, terraform validate, az bicep format, and az bicep build checklist items are not applicable.
  • The dependency-scan-main removal reduces CI run time on the main branch with no loss in security coverage.
  • Auto-generated README diffs are cosmetic only — caused by terraform-docs version bump whitespace differences.

Screenshots (if applicable)

Bill Berry added 3 commits April 12, 2026 11:01
fix(build): harden CI workflows to hard-fail on errors
6d1a13a 
- flip soft-fail parameters to false in PR validation and main workflows
- remove redundant dependency-scan-main job from main workflow
- add fail-on-critical to security-monitoring job
- bump terraform-docs version to v0.20.0

🔧 - Generated by Copilot
fix(workflows): align terraformDocsVersion pin in main workflow
14763f9 
- add terraformDocsVersion: 'v0.20.0' to docs-check-terraform-main job
- matches the same pin already set in pr-validation workflow

🔧 - Generated by Copilot
Merge remote-tracking branch 'origin/main' into fix/ci-hard-fail-work…
2a886a8 
…flow-hardening
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner April 14, 2026 00:55
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 14, 2026

📚 Documentation Health Report

Generated on: 2026-04-14 01:12:41 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 233
Infrastructure Components 196
Blueprints 39
Learning Platform 89
GitHub Resources 49
AI Assistant Guides (Copilot) 17
Total 623

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Sidebar Generation: success
  • Link Validation: success
  • Build Test: skipped

This report is automatically generated by the Documentation Automation workflow.

Bill Berry added 2 commits April 14, 2026 13:15
fix(workflows): resolve shell lint and terraform lint CI failures
e559252 
- remove invalid --rcfile flag from shellcheck command in shell-lint.yml
- reformat 80+ shell scripts with shfmt to match .editorconfig 2-space indent
- add --disable-rule=terraform_required_providers to tflint in terraform-lint.yml

🔧 - Generated by Copilot
chore: remove accidentally committed artifacts
60059e4 
- remove shellcheck_output.txt (empty local debug artifact, not used by CI workflow)
- remove LICENSE.txt (HashiCorp BSL license does not belong in this Microsoft repo)

🧹 - Generated by Copilot
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

📚 Documentation Health Report

Generated on: 2026-04-15 01:34:25 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 233
Infrastructure Components 196
Blueprints 39
Learning Platform 89
GitHub Resources 49
AI Assistant Guides (Copilot) 17
Total 623

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Sidebar Generation: success
  • Link Validation: success
  • Build Test: skipped

This report is automatically generated by the Documentation Automation workflow.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 15, 2026

📚 Documentation Health Report

Generated on: 2026-04-15 03:05:33 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 233
Infrastructure Components 196
Blueprints 39
Learning Platform 89
GitHub Resources 49
AI Assistant Guides (Copilot) 17
Total 623

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Sidebar Generation: success
  • Link Validation: success
  • Build Test: skipped

This report is automatically generated by the Documentation Automation workflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@WilliamBerryiii