nullplatform/actions-nullplatform

Nullplatform GitHub action for Terraform/Tofu

About

.github Directory

Reusable GitHub Actions workflows that support OpenTofu/Terraform module automation live here. Each workflow is designed to be called from other pipelines via workflow_call.

Available Workflows

Summary Table

| Workflow | Category | Description |
| --- | --- | --- |
| branch-validation | 🔍 CI & Validation | Validates branch names against a regex pattern |
| changelog-release | 📦 Release & Changelog | Generates changelog and creates a new release |
| conventional-commit | 🔍 CI & Validation | Validates commit messages against conventional commit rules |
| docker-build-push-ecr | 🚀 Build & Deploy | Builds and pushes a Docker image to ECR |
| docker-security-scan | 🔒 Security | Scans a Docker image for security vulnerabilities |
| ecr-security-scan | 🔒 Security | Scans ECR images for security vulnerabilities |
| pre-release | 📦 Release & Changelog | Creates a pre-release and generates a changelog preview comment |
| readme-ai-generator-v2 | 📚 Documentation | Generates README files using AI |
| release | 📦 Release & Changelog | Creates a new release and updates README versions |
| tf-docs | 📚 Documentation | Generates Terraform documentation |
| tfsec-security-scan | 🔒 Security | Scans Terraform files for security vulnerabilities |
| tofu-lint | 🔍 CI & Validation | Lints OpenTofu configuration |
| tofu-test | 🔍 CI & Validation | Tests OpenTofu modules |
| update-readme-actions | 📚 Documentation | Updates the README with available actions |

🔍 CI & Validation

branch-validation

Validates branch names against a regex pattern. Use this workflow to enforce consistent branch naming conventions.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| pattern | Regex pattern for branch name validation | false | `^(feat |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/branch-validation.yml@main
with:
  pattern: '^(feat|feature|fix|docs|style|refactor|perf|test|build|ci|chore|revert)/.+$'

conventional-commit

Validates commit messages against conventional commit rules. Use this workflow to enforce consistent commit message formatting.

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/conventional-commit.yml@main

tofu-lint

Lints OpenTofu configuration. Use this workflow to ensure consistent and valid OpenTofu configuration.

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/tofu-lint.yml@main

tofu-test

Tests OpenTofu modules. Use this workflow to ensure that OpenTofu modules are functioning correctly.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| modules | JSON array of module paths to test | true | |
| tofu_version | OpenTofu version to use | false | 1.10.6 |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/tofu-test.yml@main
with:
  modules: '["module/a", "module/b"]'
  tofu_version: '1.10.6'

🔒 Security

docker-security-scan

Scans a Docker image for security vulnerabilities. Use this workflow to ensure that your Docker images are secure.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| context | Build context directory | true | |
| dockerfile | Path to Dockerfile relative to context | false | Dockerfile |
| image_name | Name for the scanned image | true | |
| severity | Minimum severity to report | false | CRITICAL,HIGH |
| exit_code | Exit code when vulnerabilities are found | false | 1 |
| upload_sarif | Upload SARIF results to GitHub Security tab | false | true |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/docker-security-scan.yml@main
with:
  context: .
  dockerfile: Dockerfile
  image_name: my-image
  severity: CRITICAL,HIGH
  exit_code: 1
  upload_sarif: true

ecr-security-scan

Scans ECR images for security vulnerabilities. Use this workflow to ensure that your ECR images are secure.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| image_names | JSON array of image names to scan | true | |
| ecr_registry | ECR registry URL | false | public.ecr.aws/nullplatform |
| severity | Minimum severity to report | false | CRITICAL,HIGH |
| aws_region | AWS region for ECR | false | us-east-1 |

Secrets required

  • aws_role_arn
  • slack_webhook_url

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/ecr-security-scan.yml@main
with:
  image_names: '["image1", "image2"]'
  ecr_registry: public.ecr.aws/nullplatform
  severity: CRITICAL,HIGH
  aws_region: us-east-1
secrets:
  aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
  slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

tfsec-security-scan

Scans Terraform files for security vulnerabilities. Use this workflow to ensure that your Terraform configuration is secure.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| minimum_severity | Minimum severity level to report | false | HIGH |
| upload_sarif | Upload SARIF results to GitHub Security tab | false | true |
| post_comment | Post comment on PR if scan fails | false | true |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/tfsec-security-scan.yml@main
with:
  minimum_severity: HIGH
  upload_sarif: true
  post_comment: true

🚀 Build & Deploy

docker-build-push-ecr

Builds and pushes a Docker image to ECR. Use this workflow to build and deploy your Docker images.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| image_name | Name of the Docker image | true | |
| context | Build context directory | true | |
| dockerfile | Path to Dockerfile relative to context | false | Dockerfile |
| platforms | Target platforms for multi-arch build | false | linux/amd64,linux/arm64 |
| ecr_registry | ECR registry URL | false | public.ecr.aws/nullplatform |
| tag | Additional tag for the image | false | |
| aws_region | AWS region for ECR | false | us-east-1 |

Secrets required

  • aws_role_arn

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/docker-build-push-ecr.yml@main
with:
  image_name: my-image
  context: .
  dockerfile: Dockerfile
  platforms: linux/amd64,linux/arm64
  ecr_registry: public.ecr.aws/nullplatform
  tag: latest
  aws_region: us-east-1
secrets:
  aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}

📦 Release & Changelog

changelog-release

Generates changelog and creates a new release. Use this workflow to automate your release process.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| project-type | Type of project | false | generic |
| source-dir | Directory containing packages/charts | false | . |
| version-file | Version file name | false | |
| tag-prefix | Prefix for git tags | false | |
| create-github-release | Create a GitHub Release | false | true |
| commit-message | Commit message for version bump | false | chore(release): bump version and update changelog [skip ci] |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/changelog-release.yml@main
with:
  project-type: generic
  source-dir: .
  version-file: VERSION
  tag-prefix: v
  create-github-release: true
  commit-message: 'chore(release): bump version and update changelog [skip ci]'

pre-release

Creates a pre-release and generates a changelog preview comment. Use this workflow to automate your pre-release process.

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/pre-release.yml@main

release

Creates a new release and updates README versions. Use this workflow to automate your release process.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| update_readme_versions | Update version references in README files | false | true |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/release.yml@main
with:
  update_readme_versions: true

📚 Documentation

readme-ai-generator-v2

Generates README files using AI. Use this workflow to automate your README generation process.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| base_dir | Base directory to search for projects | false | . |
| generator_type | Force generator type | false | |
| generate_all | Generate README for all projects | false | false |
| file_patterns | File patterns to detect changes | false | `*.tf *.ts *.tsx *.js *.jsx *.py` |
| ai_provider | AI provider to use | false | groq |
| ai_model | AI model to use | false | |
| run_post_generation | Commands to run after generation | false | |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/readme-ai-generator-v2.yml@main
with:
  base_dir: .
  generator_type: terraform
  generate_all: false
  file_patterns: '*.tf *.ts *.tsx *.js *.jsx *.py'
  ai_provider: groq
  ai_model: 
  run_post_generation: 

tf-docs

Generates Terraform documentation. Use this workflow to automate your Terraform documentation process.

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/tf-docs.yml@main

update-readme-actions

Updates the README with available actions. Use this workflow to automate your README update process.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| ai_provider | AI provider to use | false | groq |
| ai_model | AI model to use | false | |

Usage

uses: nullplatform/actions-nullplatform/.github/workflows/update-readme-actions.yml@main
with:
  ai_provider: groq
  ai_model: 
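
Every usage snippet above calls its workflow at @main, a branch ref that can move, so the code that receives secrets such as aws_role_arn can change without any change in the calling repository. The following added example (not part of this repository) audits a caller workflow for uses: references that are not pinned to a full 40-character commit SHA; the sample workflow, the SHA and the tag name in it are constructed placeholders.

```python
import re

# owner/repo, optional path inside the repo, then the ref after "@"
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)((?:/[\w./-]+)?)@([^\s'\"#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed caller workflow; the SHA and the tag name are placeholders.
SAMPLE = """\
jobs:
  scan:
    uses: nullplatform/actions-nullplatform/.github/workflows/ecr-security-scan.yml@main
    secrets:
      aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
  lint:
    uses: nullplatform/actions-nullplatform/.github/workflows/tofu-lint.yml@0123456789abcdef0123456789abcdef01234567
  release:
    uses: nullplatform/actions-nullplatform/.github/workflows/release.yml@example-tag
"""


def audit_refs(workflow_text):
    """Return (line_no, target, ref, verdict) for every remote `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # lines without an owner/repo@ref reference are skipped
        repo, path, ref = match.groups()
        # Only a full commit SHA is immutable; branches and tags can be moved.
        verdict = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
        findings.append((line_no, repo + path, ref, verdict))
    return findings


def unpinned(workflow_text):
    """Subset of audit_refs() that a CI gate should reject."""
    return [f for f in audit_refs(workflow_text) if f[3] == "mutable"]


if __name__ == "__main__":
    for line_no, target, ref, verdict in audit_refs(SAMPLE):
        print(f"line {line_no}: {target}@{ref} -> {verdict}")
```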

Notes

AI-Powered Documentation

This README is automatically generated using AI. The update-readme-actions workflow reads all workflow files and generates documentation using your configured AI provider.

Supported Providers

| Provider | Secret for API Key | Default Model |
| --- | --- | --- |
| groq | GROQ_API_KEY | llama-3.3-70b-versatile |
| github | GITHUB_TOKEN | gpt-4o |
| openai | OPENAI_API_KEY | gpt-4o |
| anthropic | ANTHROPIC_API_KEY | claude-sonnet-4-20250514 |

Configuration

To configure the AI provider, add these secrets in Settings → Secrets and variables → Actions:

  1. AI_PROVIDER - Provider to use: groq, github, openai, or anthropic
  2. AI_MODEL - (Optional) Specific model to use
  3. The API key secret for your chosen provider (e.g., GROQ_API_KEY)

Example for Groq:

AI_PROVIDER = groq
GROQ_API_KEY = gsk_xxx...

Example for Anthropic Claude:

AI_PROVIDER = anthropic
ANTHROPIC_API_KEY = sk-ant-xxx...

Running Locally

AI_PROVIDER=groq GROQ_API_KEY=xxx node .github/scripts/update-actions-readme.js

Contributions

If you want to add or modify a module:

  1. Create a feature/ or fix/ branch.
  2. Add tests or validations if applicable.
  3. Update or generate documentation for the affected module.
  4. Open a Pull Request for review.

About

GitHub workflow for Terraform (OpenTofu)