add github_branch_protection for next-* #66
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Terraform Enforcement | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - terraform/** | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - terraform/** | |
| # Allows for running this workflow manually from the GitHub Actions UI | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| jobs: | |
| terraform_enforcement: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| terraform_module: [aws, github] | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: terraform/${{ matrix.terraform_module }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| aws-region: ${{ secrets.DEFAULT_AWS_REGION }} | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.5.0 | |
| - name: Terraform Init | |
| id: init | |
| run: terraform init | |
| - name: Terraform Format | |
| id: fmt | |
| run: terraform fmt -check | |
| - name: Terraform Validate | |
| id: validate | |
| run: terraform validate | |
| - name: Terraform Plan | |
| id: plan | |
| if: github.event_name == 'pull_request' | |
| run: terraform plan -no-color -input=false | |
| env: | |
| SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
| continue-on-error: true | |
| - uses: actions/github-script@v6 | |
| if: github.event_name == 'pull_request' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" | |
| TERRAFORM_MODULE: ${{ matrix.terraform_module }} | |
| with: | |
| script: | | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => | |
| comment.user.type === 'Bot' && | |
| comment.body.includes('Terraform Enforcement Summary (${{ env.TERRAFORM_MODULE }})') | |
| ) | |
| const output = `## Terraform Enforcement Summary (${{ env.TERRAFORM_MODULE }}) | |
| #### Terraform Format and Style: 🖌\`${{ steps.fmt.outcome }}\` | |
| #### Terraform Initialization: ⚙️\`${{ steps.init.outcome }}\` | |
| #### Terraform Validation: 🤖\`${{ steps.validate.outcome }}\` | |
| #### Terraform Plan: 📖\`${{ steps.plan.outcome }}\` | |
| <details><summary>Show Plan</summary> | |
| \`\`\`\n | |
| ${process.env.PLAN} | |
| \`\`\` | |
| </details> | |
| *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.TERRAFORM_MODULE }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
| if (botComment) { | |
| github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } else { | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| } | |
| - name: Terraform Plan Status | |
| if: steps.plan.outcome == 'failure' | |
| run: exit 1 | |
| - name: Terraform Apply | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| env: | |
| SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
| run: terraform apply -auto-approve -input=false |