make tim an owner of the github org. (#46) #85
--- | |
name: OpenTofu Enforcement | |
on: | |
push: | |
branches: [main] | |
paths: [terraform/**] | |
pull_request: | |
branches: [main] | |
paths: [terraform/**] | |
jobs: | |
opentofu_enforcement: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
opentofu_module: [aws, github] | |
permissions: | |
contents: read | |
id-token: write | |
pull-requests: write | |
steps: | |
- name: Enforce permission requirement | |
uses: prince-chrismc/check-actor-permissions-action@v3 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
permission: write | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Nix | |
uses: DeterminateSystems/nix-installer-action@main | |
- name: Enable Magic Nix Cache | |
uses: DeterminateSystems/magic-nix-cache-action@main | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
aws-region: ${{ secrets.DEFAULT_AWS_REGION }} | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction | |
- name: OpenTofu Init | |
id: init | |
working-directory: terraform/${{ matrix.opentofu_module }} | |
run: nix develop -c tofu init | |
- name: OpenTofu Format | |
id: fmt | |
run: nix develop -c tofu fmt -check | |
- name: OpenTofu Validate | |
id: validate | |
working-directory: terraform/${{ matrix.opentofu_module }} | |
run: nix develop -c tofu validate | |
- name: OpenTofu Plan | |
id: plan | |
if: github.event_name == 'pull_request' | |
working-directory: terraform/${{ matrix.opentofu_module }} | |
run: | | |
# Capture plan output | |
plan=$(nix develop -c tofu plan -no-color -input=false) | |
# Echo the plan so it is still visible in CI | |
echo "${plan}" | |
# Handle appending multi-line strings to GitHub Outputs | |
echo "plan<<EOF"$'\n'"$plan"$'\n'EOF >> $GITHUB_OUTPUT | |
env: | |
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
continue-on-error: true | |
- name: Find Comment | |
if: github.event_name == 'pull_request' | |
id: find-comment | |
uses: peter-evans/find-comment@v3 | |
env: | |
TERRAFORM_MODULE: ${{ matrix.opentofu_module }} | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
comment-author: 'github-actions[bot]' | |
body-includes: <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module --> | |
- name: Create Comment | |
if: github.event_name == 'pull_request' | |
id: comment | |
uses: peter-evans/create-or-update-comment@v4 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
PLAN: "${{ steps.plan.outputs.plan }}" | |
TERRAFORM_MODULE: ${{ matrix.opentofu_module }} | |
with: | |
comment-id: ${{ steps.find-comment.outputs.comment-id }} | |
issue-number: ${{ github.event.pull_request.number }} | |
edit-mode: replace | |
body: | | |
<!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module --> | |
## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }}) | |
#### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}` | |
#### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}` | |
#### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}` | |
#### OpenTofu Plan: 📖`${{ steps.plan.outcome }}` | |
<details><summary>Show Plan</summary> | |
``` | |
${{ env.PLAN }} | |
``` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`* | |
- name: OpenTofu Plan Status | |
if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure' | |
run: exit 1 | |
- name: OpenTofu Apply | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
working-directory: terraform/${{ matrix.opentofu_module }} | |
run: nix develop -c tofu apply -auto-approve -input=false | |
env: | |
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} |
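Review bot: The "Install Nix" and "Enable Magic Nix Cache" steps reference `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/magic-nix-cache-action@main`, a mutable branch, inside a job that holds `id-token: write` and assumes an AWS role, so whatever lands on those branches runs with that role and with `SOPS_AGE_KEY` in reach; pin them to a full commit SHA with the version in a trailing comment (`uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release-tag>`), and consider the same for the other third-party actions, whose `@v2`/`@v3`/`@v4` references still float on a moving tag. In the "OpenTofu Plan" step the plan is appended to `$GITHUB_OUTPUT` with the fixed delimiter `EOF`, so a plan line consisting of `EOF` would terminate the output early and leave the rest of the text to be read as further output lines; use a per-run delimiter and quote the path, `delim="plan_$RANDOM$RANDOM"` followed by `echo "plan<<${delim}"$'\n'"${plan}"$'\n'"${delim}" >> "$GITHUB_OUTPUT"`. The "OpenTofu Format" step is the only tofu step without `working-directory: terraform/${{ matrix.opentofu_module }}`, so `tofu fmt -check` appears to run against the repository root rather than the module and the `fmt` outcome reported in the PR comment likely does not cover the module's files; add the `working-directory` line (and `-recursive` if the module has nested directories). The plan text is posted verbatim into a PR comment after the job decrypts with `SOPS_AGE_KEY`; whether every value derived from those secrets is marked sensitive and redacted in the plan is not visible here, so confirm the posted plan cannot expose them.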