
make tim an owner of the github org. (#46) #85


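---
# CI for the OpenTofu modules under terraform/ (one matrix leg per module).
# Pull requests get fmt/validate/plan, with the plan posted as a PR comment;
# pushes to main are applied automatically.
#
# Trust model: this runs on `pull_request`, so terraform/** and the flake that
# `nix develop` consumes are checked out from the PR's merge ref. The
# write-permission gate (first step) is therefore the only thing keeping a PR
# author away from the AWS role and the org-level GitHub provider.
name: OpenTofu Enforcement
on:
  push:
    branches: [main]
    paths: [terraform/**]
  pull_request:
    branches: [main]
    paths: [terraform/**]
jobs:
  opentofu_enforcement:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        opentofu_module: [aws, github]
    # Serialise runs per module and ref so two pushes to main cannot race on
    # `tofu apply` (and fight over the state lock). Never cancel an in-flight
    # apply.
    concurrency:
      group: opentofu-${{ matrix.opentofu_module }}-${{ github.ref }}
      cancel-in-progress: false
    permissions:
      contents: read
      id-token: write        # OIDC token for the AWS role assumption below
      pull-requests: write   # only needed to post/update the plan comment
    steps:
      # Gate: the triggering actor must hold write on the repo. Fail fast,
      # before anything is checked out or any credential is minted.
      - name: Enforce permission requirement
        uses: prince-chrismc/check-actor-permissions-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          permission: write
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # TODO(security): pin the two Determinate Systems actions to a release
      # tag or, better, a full commit SHA. `@main` is a mutable ref; a
      # compromise of the upstream repo would run arbitrary code in a job that
      # holds an OIDC token, the AWS role and SOPS_AGE_KEY.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ secrets.DEFAULT_AWS_REGION }}
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction
      # NOTE: init/fmt/validate have no continue-on-error, so a failure in any
      # of them ends the job before the comment step and the PR comment below
      # can only ever show them as `success`. Only the plan step's outcome is
      # actually reported.
      - name: OpenTofu Init
        id: init
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu init
      # Run the format check inside the module: without -recursive, `tofu fmt`
      # only inspects the current directory, so running it from the repo root
      # checked nothing.
      - name: OpenTofu Format
        id: fmt
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu fmt -check
      - name: OpenTofu Validate
        id: validate
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu validate
      - name: OpenTofu Plan
        id: plan
        if: github.event_name == 'pull_request'
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: |
          # Capture plan output. The assignment's exit status is tofu's, so a
          # failed plan still fails this step (continue-on-error lets the
          # comment be posted; the Plan Status step then fails the job).
          plan=$(nix develop -c tofu plan -no-color -input=false)
          # Echo the plan so it is still visible in CI
          echo "${plan}"
          # Write the multi-line value to GITHUB_OUTPUT with a random heredoc
          # delimiter. A fixed `EOF` could be closed early by a plan line of
          # the same text, after which the remainder is parsed as further
          # key=value outputs.
          delimiter="plan_$(openssl rand -hex 16)"
          {
            echo "plan<<${delimiter}"
            echo "${plan}"
            echo "${delimiter}"
          } >> "${GITHUB_OUTPUT}"
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        continue-on-error: true
      - name: Find Comment
        if: github.event_name == 'pull_request'
        id: find-comment
        uses: peter-evans/find-comment@v3
        env:
          TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->
      # The full plan is posted to the PR and is readable by anyone who can read
      # the repo. `tofu plan` redacts attributes marked `sensitive` but nothing
      # else, so any plaintext value that reaches a resource argument
      # (including SOPS-decrypted ones) will appear here.
      - name: Create Comment
        if: github.event_name == 'pull_request'
        id: comment
        uses: peter-evans/create-or-update-comment@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PLAN: "${{ steps.plan.outputs.plan }}"
          TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          edit-mode: replace
          body: |
            <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->
            ## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})
            #### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}`
            #### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}`
            #### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}`
            #### OpenTofu Plan: 📖`${{ steps.plan.outcome }}`
            <details><summary>Show Plan</summary>
            ```
            ${{ env.PLAN }}
            ```
            </details>
            *Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`*
      # Fail the job on a failed plan now that the comment has been posted.
      - name: OpenTofu Plan Status
        if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure'
        run: exit 1
      # CAVEAT: apply computes a fresh plan on main rather than applying the
      # plan file that was reviewed on the PR, so what is applied can differ
      # from what the reviewer saw (drift, provider data sources, merges
      # landed in between). Guarded by the concurrency group above.
      - name: OpenTofu Apply
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        working-directory: terraform/${{ matrix.opentofu_module }}
        run: nix develop -c tofu apply -auto-approve -input=false
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}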