pull-plan-prod-terraform #3233
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pull Plan Prod Terraform | |
run-name: pull-plan-prod-terraform | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} | |
on: # runs on main | |
pull_request_target: | |
types: [opened, edited, synchronize, reopened, ready_for_review] | |
branches: | |
- main | |
paths: | |
- "**.tf" | |
- "**.tfvars" | |
- "**.yaml" | |
- "**.yml" | |
jobs: | |
pull-plan-prod-terraform: | |
permissions: | |
contents: "read" # needed for gcp_auth | |
id-token: "write" # needed for gcp_auth to create id token | |
issues: "write" # needed for tfcmt to post comments | |
pull-requests: "write" # needed for tfcmt to post comments | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
id: checkout | |
uses: actions/checkout@v4 | |
with: | |
ref: "refs/pull/${{ github.event.number }}/merge" | |
fetch-depth: 50 | |
# Important security check: https://github.com/actions/checkout/issues/518 | |
- name: Sanity check | |
id: sanity-check | |
run: | | |
[[ "$(git rev-parse 'HEAD^1')" == "${{ github.event.pull_request.head.sha }}" || "$(git rev-parse 'HEAD^2')" == "${{ github.event.pull_request.head.sha }}" ]] | |
- name: Wait for other terraform executions | |
id: wait_for_terraform | |
uses: ahmadnassri/action-workflow-queue@0144da6a252d1986d817826d963ad3a9af1e7fdf | |
- name: Authenticate to GCP | |
id: gcp_auth | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }} | |
service_account: ${{ vars.GCP_TERRAFORM_PLANNER_SERVICE_ACCOUNT_EMAIL }} | |
- name: Retrieve Terraform Planner github PAT | |
id: secrets | |
uses: google-github-actions/get-secretmanager-secrets@v2 | |
with: | |
secrets: |- | |
gh-terraform-planner-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.GH_TERRAFORM_PLANNER_SECRET_NAME }} | |
# Build tofu CLI from source until setup-opentofu action will become stable | |
- name: Download the tofu source | |
uses: actions/checkout@v4 | |
with: | |
repository: opentofu/opentofu | |
path: opentofu | |
ref: 89ca50f3fe8c5327ec9943e9590bdb7b023fd4eb # v1.6.1 | |
- name: Install tofu tooling | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: opentofu/go.mod | |
cache-dependency-path: opentofu/go.sum | |
- name: Prepare the tofu command | |
working-directory: opentofu | |
run: | | |
go build -ldflags "-w -s -X 'github.com/opentofu/opentofu/version.dev=no'" -o bin/ ./cmd/tofu | |
echo $(pwd)/bin >> $GITHUB_PATH | |
# - name: Setup Terraform | |
# id: setup_terraform | |
# uses: opentofu/setup-opentofu@b06654f7ba51088e987c0a454d042360df3ebe86 | |
- name: Setup GitHub comments | |
id: setup-github-comment | |
uses: shmokmt/actions-setup-github-comment@93d9e7c3ea11e473e3061a8dbed8231faea13dea | |
with: | |
version: v6.0.2 | |
if: ${{ !cancelled() }} | |
- name: setup tfcmt | |
id: setup-tfcmt | |
uses: shmokmt/actions-setup-tfcmt@0d2b0c4cc4b5edc9c2dfdf7eb0c33ee7b23a7c85 | |
with: | |
version: v4.7.1 | |
- name: Terraform Init | |
id: terraform_init | |
run: tofu -chdir=./configs/terraform/environments/prod init -input=false | |
- name: Terraform Plan | |
env: | |
GITHUB_TOKEN: ${{ steps.secrets.outputs.gh-terraform-planner-token }} | |
id: terraform_plan | |
run: tfcmt -owner $GITHUB_REPOSITORY_OWNER -repo ${{ github.event.repository.name }} -pr ${{ github.event.pull_request.number }} -sha ${{ github.event.pull_request.head.sha }} plan -- tofu -chdir=./configs/terraform/environments/prod plan -input=false -no-color -lock-timeout=300s | |
- name: Hide GitHub comment | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
id: hide-github-comment | |
run: github-comment hide --org $GITHUB_REPOSITORY_OWNER --repo ${{ github.event.repository.name }} -pr ${{ github.event.pull_request.number }} -sha1 ${{ github.event.pull_request.head.sha }} | |
if: ${{ !cancelled() }} |