v0.7.0
Full changelog: v0.6.9...v0.7.0
💡 This release includes significant security improvements, so we strongly recommend upgrading to v0.7.0 or later as soon as possible.
Overview
- Breaking Changes
- Features
⚠️ Breaking Changes

#1175 The setting plan_workflow_name is required in tfaction-root.yaml.

```yaml
plan_workflow_name: <GitHub Actions Workflow name running terraform-plan action>
```

e.g.

```yaml
plan_workflow_name: test
```

#1175 terraform-apply action's github_token input, which is the GitHub Actions' token ${{github.token}} by default, requires the additional permission actions: read.
How to upgrade

1. Create a pull request to upgrade tfaction
   - Update tfaction
   - Add the setting plan_workflow_name to tfaction-root.yaml
   - Remove the unnecessary settings s3_bucket_name_plan_file and gcs_bucket_name_plan_file from tfaction-root.yaml and tfaction.yaml
   - Add the permission actions: read to terraform-apply action's github_token input, which is the GitHub Actions' token ${{github.token}} by default
     - If you use a GitHub App or personal access token, please add the permission actions: read to the token or App
     - 📝 The permission is necessary to download plan files from GitHub Actions Artifacts before running terraform apply: ref
2. Verify the upgrade with a working directory in the upgrade pull request
3. If CI works well, merge the pull request
4. Update all pull request branches to create plan files at GitHub Actions Artifacts
This is an example script to update pull request branches.

```bash
#!/usr/bin/env bash
set -euo pipefail

# Update the branch of every open pull request (up to 100) so that a new
# plan workflow run uploads its plan file to GitHub Actions Artifacts.
# A failed update (e.g. merge conflict) is ignored so the loop continues.
while read -r pr_number; do
  echo "===> Update PR $pr_number" >&2
  gh api -X PUT "repos/{owner}/{repo}/pulls/${pr_number}/update-branch" || :
done < <(gh pr list --json number -L 100 -q ".[].number")
```
If you merge a pull request without updating the pull request branch, apply would fail because the plan file wouldn't be found in GitHub Actions Artifacts. In that case, please merge a follow-up pull request; the issue would then be solved.
5. Remove unnecessary resources such as S3 or GCS buckets for plan files and permissions to access plan files
   - If you use terraform-aws-tfaction, please update it to v0.2.0 or later
   - ⚠️ To delete a non-empty S3 bucket, please see s3_bucket#force_destroy
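As an added aid for step 1 of the upgrade (this is an example written for these notes, not a script shipped with tfaction), the following shell functions check a tfaction configuration file for the v0.7.0 changes described above: tfaction-root.yaml must set plan_workflow_name, and neither tfaction-root.yaml nor tfaction.yaml may still carry s3_bucket_name_plan_file or gcs_bucket_name_plan_file. The sample files it creates are constructed for a stand-alone run; in a real repository you would point the functions at your own configuration files.

```shell
#!/usr/bin/env bash
# Added example, not part of tfaction: lint tfaction config files for the
# v0.7.0 settings changes using grep only (no YAML tooling required).
set -eu

# Returns 0 if FILE contains none of the settings removed in v0.7.0, 1 otherwise.
check_no_obsolete_settings() {
  file="$1"
  ok=0
  for key in s3_bucket_name_plan_file gcs_bucket_name_plan_file; do
    if grep -Eq "^[[:space:]]*$key:" "$file"; then
      echo "$file: remove obsolete setting $key (plan files now live in GitHub Actions Artifacts)" >&2
      ok=1
    fi
  done
  return "$ok"
}

# Returns 0 if tfaction-root.yaml at FILE is ready for v0.7.0: it must set a
# non-empty plan_workflow_name and must not keep the obsolete bucket settings.
check_tfaction_root() {
  file="$1"
  ok=0
  if ! grep -Eq '^[[:space:]]*plan_workflow_name:[[:space:]]*[^[:space:]]' "$file"; then
    echo "$file: missing required setting plan_workflow_name" >&2
    ok=1
  fi
  if ! check_no_obsolete_settings "$file"; then
    ok=1
  fi
  return "$ok"
}

# Constructed sample files (not real configuration) so the script runs offline.
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_GOOD="$SAMPLE_DIR/good-tfaction-root.yaml"
SAMPLE_STALE="$SAMPLE_DIR/stale-tfaction-root.yaml"
cat > "$SAMPLE_GOOD" <<'EOF'
plan_workflow_name: test
EOF
cat > "$SAMPLE_STALE" <<'EOF'
s3_bucket_name_plan_file: my-plan-bucket
EOF

if check_tfaction_root "$SAMPLE_GOOD"; then echo "good sample: ready for v0.7.0"; fi
if check_tfaction_root "$SAMPLE_STALE" 2>/dev/null; then :; else echo "stale sample: needs migration"; fi
```

Run check_tfaction_root against tfaction-root.yaml and check_no_obsolete_settings against each tfaction.yaml in the upgrade pull request; a non-zero exit lists what still has to change.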
Features
- #1175 Change the storage of plan files from S3 or GCS to GitHub Actions' Artifacts
- #1174 Validate that the pull request workflow run's commit hash matches the hash of the pull request HEAD
Change the storage of plan files from S3 or GCS to GitHub Actions' Artifacts

tfaction used to store plan files in S3 or GCS, but tfaction v0.7.0 migrates them to GitHub Actions Artifacts.
With this change you no longer have to create and manage S3 or GCS buckets.
Furthermore, S3 or GCS carried the security risk that plan files could be tampered with.
Files can be uploaded to GitHub Actions Artifacts only from the associated workflow run, and they can't be tampered with from outside that workflow run.
GitHub Actions Artifacts have a retention period, so plan files are removed after the retention period.
The default retention period is 90 days, and we think it is enough.
Validate that the pull request workflow run's commit hash matches the hash of the pull request HEAD

If the workflow run's commit hash is old, the workflow run fails.
Retrying an old workflow run is confusing because the old run's results are posted to the pull request as if they were the latest result.
This validation prevents old workflow runs from being retried and resolves the issue.
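To show the shape of this check, here is an added example (written for these notes, not tfaction's own implementation): a shell function that reads head_sha from a workflow-run JSON document of the form returned by the GitHub API and refuses to continue when it differs from the pull request HEAD. The JSON and the commit hashes below are constructed sample values; the commented gh commands show where the real values would come from and are assumptions about how one would fetch them, not something the release notes prescribe.

```shell
#!/usr/bin/env bash
# Added example, not tfaction's code: reject a workflow run whose commit is
# not the pull request's current HEAD, so stale runs can't be retried.
set -eu

# Extract head_sha from a workflow-run JSON document (as returned by
# `gh api repos/OWNER/REPO/actions/runs/RUN_ID`) using only grep and sed.
run_head_sha() {
  printf '%s' "$1" | grep -o '"head_sha": *"[0-9a-f]*"' | sed 's/.*"\([0-9a-f]*\)"$/\1/'
}

# Returns 0 when the run's commit equals PR_HEAD, 1 otherwise (with a reason on stderr).
validate_run_sha() {
  run_json="$1"
  pr_head="$2"
  run_sha="$(run_head_sha "$run_json")"
  if [ -z "$run_sha" ]; then
    echo "could not read head_sha from the workflow run" >&2
    return 1
  fi
  if [ "$run_sha" != "$pr_head" ]; then
    echo "workflow run commit $run_sha does not match pull request HEAD $pr_head; refusing to continue (stale run)" >&2
    return 1
  fi
  return 0
}

# Constructed sample input (not real data).
SAMPLE_RUN_JSON='{"id": 1, "head_sha": "0123456789abcdef0123456789abcdef01234567", "status": "completed"}'
SAMPLE_PR_HEAD='0123456789abcdef0123456789abcdef01234567'
STALE_PR_HEAD='fedcba9876543210fedcba9876543210fedcba98'

# In a real workflow the two values would be fetched instead (assumed commands):
#   run_json="$(gh api "repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID")"
#   pr_head="$(gh pr view "$PR_NUMBER" --json headRefOid -q .headRefOid)"
if validate_run_sha "$SAMPLE_RUN_JSON" "$SAMPLE_PR_HEAD"; then echo "run matches PR HEAD"; fi
if validate_run_sha "$SAMPLE_RUN_JSON" "$STALE_PR_HEAD" 2>/dev/null; then :; else echo "stale run rejected"; fi
```

The mismatch branch is the whole point: a retried run built from an older commit must fail before it can post results that look current, which is exactly what the v0.7.0 validation prevents.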
Thank you for your support ❤️
We really appreciate your support.
We couldn't release v0.7.0 without your support.
We called for testers for this release, then many people helped us!
They conducted tests with the prerelease version. Thank you a lot!
And thank you everyone who reposted my post!