Skip to content

chore(deps): update dependency suzuki-shunsuke/github-comment to v6.3… #1641

chore(deps): update dependency suzuki-shunsuke/github-comment to v6.3…

chore(deps): update dependency suzuki-shunsuke/github-comment to v6.3… #1641

Workflow file for this run

---
name: apply
on:
push:
branches: [main]
env:
TFACTION_IS_APPLY: "true"
jobs:
setup:
timeout-minutes: 30
runs-on: ubuntu-latest
permissions:
contents: read # For checkout a private repository
pull-requests: write # For ci-info and github-comment
outputs:
targets: ${{ steps.list-targets.outputs.targets }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0
with:
aqua_version: v2.40.0
- uses: suzuki-shunsuke/tfaction/list-targets@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
id: list-targets
apply:
timeout-minutes: 30
name: "apply (${{matrix.target.target}})"
runs-on: ${{matrix.target.runs_on}}
needs: setup
# if services is empty, the build job is skipped
if: "join(fromJSON(needs.setup.outputs.targets), '') != ''"
strategy:
fail-fast: false
matrix:
target: ${{fromJSON(needs.setup.outputs.targets)}}
env:
TFACTION_TARGET: ${{matrix.target.target}}
TFACTION_WORKING_DIR: ${{matrix.target.working_directory}}
TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
permissions:
id-token: write # For OIDC
contents: read # To checkout a private repository
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Generate token for aqua-installer
# CHECK: Maybe you can replace this with ${{github.token}}.
# It's up to you.
id: aqua_installer_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
permissions: >-
{
"contents": "read"
}
repositories: >-
[
"${{github.event.repository.name}}"
]
- uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0
with:
aqua_version: v2.40.0
env:
AQUA_GITHUB_TOKEN: ${{ steps.aqua_installer_token.outputs.token }}
# - uses: suzuki-shunsuke/tfaction/export-secrets@v1.12.0
# with:
# # If this action doesn't export secrets as you expect, please check if secrets are passed to this action properly.
# # If you use reusable workflows, maybe secrets aren't passed to the reusable workflow.
# # If so, please pass secrets properly.
# #
# # - https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
# # - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecrets
# secrets: ${{ toJSON(secrets) }}
- name: Generate token to download private Terraform Modules
# CHECK: You can remove this step if you don't use private modules
id: gh_setup_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
# If you use private registries, contents:read is required
permissions: >-
{
"contents": "read"
}
# CHECK: Private repositories hosting private modules. Please fix this properly.
repositories: >-
[
"${{github.event.repository.name}}"
]
- name: Set up git to checkout private Terraform Modules
run: gh auth setup-git
# CHECK: This is required to download private modules in `terraform init`
# You can remove this step if you don't use private modules
env:
GITHUB_TOKEN: ${{steps.gh_setup_token.outputs.token}}
- name: Generate token to update drift issues
# CHECK: You can remove this step if you don't use drift detection
id: drift_issue_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
# issues:write - Create and update drift issues
permissions: >-
{
"issues": "write"
}
# GitHub Repository where Drift Detection issues are hosted
# https://suzuki-shunsuke.github.io/tfaction/docs/feature/drift-detection
repositories: >-
[
"${{github.event.repository.name}}"
]
- run: tfaction get-or-create-drift-issue
# CHECK: You can remove this step if you don't use drift detection
shell: bash
env:
GITHUB_TOKEN: ${{ steps.drift_issue_token.outputs.token }}
- name: Generate token for setup
id: setup_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
# pull_requests:write - Post comments
# issues:write - Update drift issues
permissions: >-
{
"pull_requests": "write",
"issues": "write"
}
repositories: >-
[
"${{github.event.repository.name}}"
]
- name: Set up
uses: suzuki-shunsuke/tfaction/setup@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
with:
github_token: ${{ steps.setup_token.outputs.token }}
ssh_key: ${{ secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY }} # This isn't needed if you don't use SSH key to checkout private Terraform Modules
env:
TF_TOKEN_app_terraform_io: ${{secrets.TFE_TOKEN}}
- uses: suzuki-shunsuke/lock-action@c610af3122da5e5b3cfa5ddfd580f037c7b529f3 # v0.1.5
# CHECK: You can remove this step if you don't want lock mechanism
id: check-lock
with:
mode: check # If you want to acquire lock, please check this to `lock`
key: ${{env.TFACTION_WORKING_DIR}}
- run: |
github-comment post \
-k already-locked \
-var "actor:$ACTOR" \
-var "message:$MESSAGE" \
-var "workflow_url:$WORKFLOW_URL" \
-var "datetime:$DATETIME" \
-var "tfaction_target:${TFACTION_TARGET}"
exit 1
if: steps.check-lock.outputs.already_locked == 'true'
env:
RESULT: ${{steps.check-lock.outputs.result}}
GITHUB_TOKEN: ${{steps.setup_token.outputs.token}}
- name: Generate token for apply
id: apply_token
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
# pull_requests:write - Post comments
# actions:read - Download plan files
# issues:write - Update drift issues
# contents:write - Update related pull requests
permissions: >-
{
"pull_requests": "write",
"actions": "read",
"contents": "write",
"issues": "write"
}
repositories: >-
[
"${{github.event.repository.name}}"
]
- name: Apply
uses: suzuki-shunsuke/tfaction/apply@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
with:
github_token: ${{ steps.apply_token.outputs.token }}
env:
TF_TOKEN_app_terraform_io: ${{secrets.TFE_TOKEN}} # For Hashicorp Cloud Backend
TFE_TOKEN: ${{secrets.TFE_TOKEN}} # For tfe provider
- name: Generate token for creating follow up pr
id: follow_up_pr_token
if: failure()
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
# contents:write - Push commits
# pull_requests:write - Create a pull request
permissions: >-
{
"contents": "write",
"pull_requests": "write"
}
repositories: >-
[
"${{github.event.repository.name}}"
]
- uses: suzuki-shunsuke/tfaction/create-follow-up-pr@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
if: failure()
with:
github_token: ${{steps.follow_up_pr_token.outputs.token}}
- uses: suzuki-shunsuke/tfaction/update-drift-issue@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
# CHECK: You can remove this step if you don't use drift detection
if: always()
with:
status: ${{job.status}}
github_token: ${{steps.drift_issue_token.outputs.token}}