update workflows
IMax153 committed Oct 26, 2024
1 parent 10db2d9 commit f0814d1
Showing 9 changed files with 276 additions and 543 deletions.
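--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -0,0 +1,20 @@
+name: Check
+
+on:
+workflow_dispatch:
+push:
+branches: [main]
+pull_request:
+branches: [main]
+
+jobs:
+check:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- uses: DeterminateSystems/nix-installer-action@main
+- uses: DeterminateSystems/magic-nix-cache-action@main
+- name: Check
+run: nix flake check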
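Review bot: The two steps `uses: DeterminateSystems/nix-installer-action@main` and `uses: DeterminateSystems/magic-nix-cache-action@main` reference a mutable branch, so whatever that branch points at on a given day is what runs in this job; the same two refs appear in the terraform.yml section of this commit, where the job additionally holds `id-token: write` and assumes an AWS role. Pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<commit-sha>  # <tag>`, makes the executed action content immutable and still lets Dependabot propose updates. This workflow also sets no top-level `permissions:`, so the job runs with the repository's default token scope; checkout plus `nix flake check` needs only `permissions:` / `contents: read`.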
31 changes: 0 additions & 31 deletions .github/workflows/pr.yml

This file was deleted.

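--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,130 @@
+---
+name: OpenTofu Enforcement
+
+on:
+push:
+branches: [main]
+paths: [terraform/**]
+
+pull_request:
+branches: [main]
+paths: [terraform/**]
+
+jobs:
+opentofu_enforcement:
+runs-on: ubuntu-latest
+
+strategy:
+matrix:
+opentofu_module: [aws, github]
+
+permissions:
+contents: read
+id-token: write
+pull-requests: write
+
+steps:
+- name: Enforce permission requirement
+uses: prince-chrismc/check-actor-permissions-action@v3
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+with:
+permission: write
+
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Install Nix
+uses: DeterminateSystems/nix-installer-action@main
+
+- name: Enable Magic Nix Cache
+uses: DeterminateSystems/magic-nix-cache-action@main
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v2
+with:
+aws-region: ${{ secrets.DEFAULT_AWS_REGION }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubAction-AssumeRoleWithAction
+
+- name: OpenTofu Init
+id: init
+working-directory: terraform/${{ matrix.opentofu_module }}
+run: nix develop -c tofu init
+
+- name: OpenTofu Format
+id: fmt
+run: nix develop -c tofu fmt -check
+
+- name: OpenTofu Validate
+id: validate
+working-directory: terraform/${{ matrix.opentofu_module }}
+run: nix develop -c tofu validate
+
+- name: OpenTofu Plan
+id: plan
+if: github.event_name == 'pull_request'
+working-directory: terraform/${{ matrix.opentofu_module }}
+run: |
+# Capture plan output
+plan=$(nix develop -c tofu plan -no-color -input=false)
+# Echo the plan so it is still visible in CI
+echo "${plan}"
+# Handle appending multi-line strings to GitHub Outputs
+echo "plan<<EOF"$'\n'"$plan"$'\n'EOF >> $GITHUB_OUTPUT
+env:
+SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+continue-on-error: true
+
+- name: Find Comment
+if: github.event_name == 'pull_request'
+id: find-comment
+uses: peter-evans/find-comment@v3
+env:
+TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
+with:
+issue-number: ${{ github.event.pull_request.number }}
+comment-author: 'github-actions[bot]'
+body-includes: <!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->
+
+- name: Create Comment
+if: github.event_name == 'pull_request'
+id: comment
+uses: peter-evans/create-or-update-comment@v4
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+PLAN: "${{ steps.plan.outputs.plan }}"
+TERRAFORM_MODULE: ${{ matrix.opentofu_module }}
+with:
+comment-id: ${{ steps.find-comment.outputs.comment-id }}
+issue-number: ${{ github.event.pull_request.number }}
+edit-mode: replace
+body: |
+<!-- This comment was auto-generated by GitHub Actions by the Terraform Enforcement action for the ${{ env.TERRAFORM_MODULE }} Terraform module -->
+## OpenTofu Enforcement Summary (${{ env.TERRAFORM_MODULE }})
+#### OpenTofu Format and Style: 🖌`${{ steps.fmt.outcome }}`
+#### OpenTofu Initialization: ⚙️`${{ steps.init.outcome }}`
+#### OpenTofu Validation: 🤖`${{ steps.validate.outcome }}`
+#### OpenTofu Plan: 📖`${{ steps.plan.outcome }}`
+<details><summary>Show Plan</summary>
+```
+${{ env.PLAN }}
+```
+</details>
+*Pusher: @${{ github.actor }}, Action: `${{ github.event_name }}`, Working Directory: `${{ env.TERRAFORM_MODULE }}`, Workflow: `${{ github.workflow }}`*
+- name: OpenTofu Plan Status
+if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure'
+run: exit 1
+
+- name: OpenTofu Apply
+if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+working-directory: terraform/${{ matrix.opentofu_module }}
+run: nix develop -c tofu apply -auto-approve -input=false
+env:
+SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}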
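Review bot: The `OpenTofu Format` step (`id: fmt`) is the only tofu step without `working-directory: terraform/${{ matrix.opentofu_module }}`, so `tofu fmt -check` runs at the repository root and, without `-recursive`, inspects only that directory rather than the module this matrix entry is about — most likely it checks no `.tf` files at all and always reports success in the summary comment. Adding the same `working-directory:` line that `init` and `validate` carry, directly under `id: fmt`, makes the three steps consistent. In the plan step, the output is appended with the fixed heredoc delimiter `EOF`; a plan whose text contains a line that is exactly `EOF` would terminate the value early and leave the remainder as stray output keys, so a delimiter that cannot appear in plan output (a per-run random value held in a shell variable, as GitHub's multiline-output guidance recommends) is safer. The same line is also hard to read; `{ echo "plan<<${delim}"; echo "$plan"; echo "${delim}"; } >> "$GITHUB_OUTPUT"` expresses it plainly and quotes the file path.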
133 changes: 0 additions & 133 deletions .github/workflows/tofu.yml

This file was deleted.

3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -14,3 +14,6 @@ result
.terraform
terraform.tfstate
terraform.tfstate.*

# Pre-Commit (Auto-Generated by Nix)
.pre-commit-config.yaml
33 changes: 0 additions & 33 deletions .pre-commit-config.yaml

This file was deleted.

