Skip to content

Bump github/codeql-action from 3.26.11 to 3.27.3 #199

Bump github/codeql-action from 3.26.11 to 3.27.3

Bump github/codeql-action from 3.26.11 to 3.27.3 #199

Workflow file for this run

name: Plan and Apply
permissions:
id-token: write
contents: read
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
plan:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
pull-requests: write
outputs:
exitcode: ${{ steps.plan.outputs.exitcode }}
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/plan
aws-region: ${{ vars.AWS_REGION }}
- name: Init
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command ./tofu-init.sh
- name: Plan
id: plan
run: |
cd tf
set +e
nix shell --inputs-from . nixpkgs#opentofu --command tofu plan -var "repo=$GITHUB_REPOSITORY" -detailed-exitcode -out tfplan
export exitcode=$?
set -e
echo "exitcode=$exitcode" >> "$GITHUB_OUTPUT"
if [ $exitcode -eq 1 ]; then
exit 1
else
exit 0
fi
- name: Publish plan
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
with:
name: tfplan
path: tf/tfplan
apply:
runs-on: ubuntu-latest
needs: [plan]
environment: infra
if: github.ref == 'refs/heads/main' && needs.plan.outputs.exitcode == 2
steps:
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/apply
aws-region: ${{ vars.AWS_REGION }}
- name: Download plan
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: tfplan
path: tf
- name: init
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command ./tofu-init.sh
- name: Apply plan
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command tofu apply -auto-approve tfplan