add ecyrbe to org #19
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: OpenTofu Enforcement | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- terraform/** | |
pull_request: | |
branches: | |
- main | |
paths: | |
- terraform/** | |
# Allows for running this workflow manually from the GitHub Actions UI | |
workflow_dispatch: | |
permissions: | |
contents: read | |
id-token: write | |
pull-requests: write | |
jobs: | |
opentofu_enforcement: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
opentofu_module: [aws, github] | |
defaults: | |
run: | |
shell: bash | |
working-directory: terraform/${{ matrix.opentofu_module }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v2 | |
with: | |
aws-region: ${{ secrets.DEFAULT_AWS_REGION }} | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction | |
- name: Setup OpenTofu | |
uses: opentofu/setup-opentofu@v1 | |
with: | |
tofu_version: 1.6.0-alpha1 | |
- name: OpenTofu Init | |
id: init | |
run: tofu init | |
- name: OpenTofu Format | |
id: fmt | |
run: tofu fmt -check | |
- name: OpenTofu Validate | |
id: validate | |
run: tofu validate | |
- name: OpenTofu Plan | |
id: plan | |
if: github.event_name == 'pull_request' | |
run: tofu plan -no-color -input=false | |
env: | |
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
continue-on-error: true | |
- uses: actions/github-script@v6 | |
if: github.event_name == 'pull_request' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
PLAN: "tofu\n${{ steps.plan.outputs.stdout }}" | |
TERRAFORM_MODULE: ${{ matrix.opentofu_module }} | |
with: | |
script: | | |
const { data: comments } = await github.rest.issues.listComments({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.issue.number, | |
}) | |
const botComment = comments.find(comment => | |
comment.user.type === 'Bot' && | |
comment.body.includes('OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})') | |
) | |
const output = `## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }}) | |
#### OpenTofu Format and Style: 🖌\`${{ steps.fmt.outcome }}\` | |
#### OpenTofu Initialization: ⚙️\`${{ steps.init.outcome }}\` | |
#### OpenTofu Validation: 🤖\`${{ steps.validate.outcome }}\` | |
#### OpenTofu Plan: 📖\`${{ steps.plan.outcome }}\` | |
<details><summary>Show Plan</summary> | |
\`\`\`\n | |
${process.env.PLAN} | |
\`\`\` | |
</details> | |
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.TERRAFORM_MODULE }}\`, Workflow: \`${{ github.workflow }}\`*`; | |
if (botComment) { | |
github.rest.issues.updateComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
comment_id: botComment.id, | |
body: output | |
}) | |
} else { | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: output | |
}) | |
} | |
- name: OpenTofu Plan Status | |
if: steps.plan.outcome == 'failure' | |
run: exit 1 | |
- name: OpenTofu Apply | |
if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
env: | |
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }} | |
run: tofu apply -auto-approve -input=false |