chore(deps): update dependency aquaproj/aqua-registry to v4.286.0 (tf… #1654
---
# Terraform apply workflow: runs tfaction's apply for every target that
# `setup` reports, after a push to main.
name: apply

# Only pushes to main trigger an apply, so branch protection on main is the
# effective authorization gate for infrastructure changes.
# NOTE(review): no `concurrency:` group is declared, so two pushes to main in
# quick succession can run apply for the same target in parallel; only the
# per-target lock check in the apply job and the backend's state lock stand in
# the way — confirm that is acceptable.
on:
  push:
    branches:
      - main

env:
  # Kept as a string on purpose (GitHub env values are strings); presumably
  # read by the tfaction actions used below to select apply mode.
  TFACTION_IS_APPLY: 'true'

jobs:
setup: | |
timeout-minutes: 30 | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read # For checkout a private repository | |
pull-requests: write # For ci-info and github-comment | |
outputs: | |
targets: ${{ steps.list-targets.outputs.targets }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0 | |
with: | |
aqua_version: v2.40.0 | |
- uses: suzuki-shunsuke/tfaction/list-targets@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5 | |
id: list-targets | |
  # One apply job per target returned by `setup`, on the runner label the
  # target specifies. The job's own GITHUB_TOKEN is read-only; every write
  # capability below comes from a GitHub App installation token minted for a
  # single step, carrying only the permissions that step needs, limited to
  # this repository.
  # NOTE(review): tibdex/github-app-token appears to be archived upstream in
  # favour of actions/create-github-app-token; every use here is pinned to a
  # commit SHA, so there is no immediate supply-chain risk, but plan the
  # migration.
  apply:
    timeout-minutes: 30
    name: "apply (${{matrix.target.target}})"
    # Runner label is taken from the target definition produced by list-targets.
    runs-on: ${{matrix.target.runs_on}}
    needs: setup
    # Skip the whole job when list-targets returned no targets.
    if: "join(fromJSON(needs.setup.outputs.targets), '') != ''"
    strategy:
      # A failing target must not cancel the applies of the other targets.
      fail-fast: false
      matrix:
        target: ${{fromJSON(needs.setup.outputs.targets)}}
    env:
      # Per-target context for the tfaction steps. No secrets live at job
      # level, so a third-party action only sees the secrets passed to its own
      # step.
      TFACTION_TARGET: ${{matrix.target.target}}
      TFACTION_WORKING_DIR: ${{matrix.target.working_directory}}
      TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
    permissions:
      # id-token:write lets any step in this job, third-party actions
      # included, request an OIDC token for cloud-provider federation.
      id-token: write # For OIDC
      contents: read # To checkout a private repository
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Keep GITHUB_TOKEN out of .git/config; git credentials for private
          # modules are configured explicitly below with a narrower token.
          persist-credentials: false
      - name: Generate token for aqua-installer
        # CHECK: Maybe you can replace this with ${{github.token}}.
        # It's up to you.
        id: aqua_installer_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # contents:read on this repository only.
          permissions: >-
            {
              "contents": "read"
            }
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - uses: aquaproj/aqua-installer@f13c5d2f0357708d85477aabe50fd3f725528745 # v3.1.0
        with:
          aqua_version: v2.40.0
        env:
          # Presumably used by aqua for authenticated GitHub API calls; it is
          # passed to this step only.
          AQUA_GITHUB_TOKEN: ${{ steps.aqua_installer_token.outputs.token }}
      # NOTE(review): if export-secrets is ever enabled, `toJSON(secrets)`
      # hands every secret visible to this workflow to that step, so keep the
      # secret set of this repository/environment minimal. Also pin it to a
      # commit SHA like the other actions; the reference below is a bare tag.
      # - uses: suzuki-shunsuke/tfaction/export-secrets@v1.12.0
      #   with:
      #     # If this action doesn't export secrets as you expect, please check if secrets are passed to this action properly.
      #     # If you use reusable workflows, maybe secrets aren't passed to the reusable workflow.
      #     # If so, please pass secrets properly.
      #     #
      #     # - https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
      #     # - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecrets
      #     secrets: ${{ toJSON(secrets) }}
      - name: Generate token to download private Terraform Modules
        # CHECK: You can remove this step if you don't use private modules
        id: gh_setup_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # If you use private registries, contents:read is required
          permissions: >-
            {
              "contents": "read"
            }
          # CHECK: Private repositories hosting private modules. Please fix this properly.
          # As written the token only reaches this repository, so modules
          # hosted in other private repositories will not be downloadable
          # until they are listed here.
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - name: Set up git to checkout private Terraform Modules
        # gh registers itself as a git credential helper in the runner's git
        # config, so every later step that shells out to git (terraform init
        # fetching modules over HTTPS) authenticates with this read-only token.
        run: gh auth setup-git
        # CHECK: This is required to download private modules in `terraform init`
        # You can remove this step if you don't use private modules
        env:
          GITHUB_TOKEN: ${{steps.gh_setup_token.outputs.token}}
      - name: Generate token to update drift issues
        # CHECK: You can remove this step if you don't use drift detection
        id: drift_issue_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # issues:write - Create and update drift issues
          permissions: >-
            {
              "issues": "write"
            }
          # GitHub Repository where Drift Detection issues are hosted
          # https://suzuki-shunsuke.github.io/tfaction/docs/feature/drift-detection
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - run: tfaction get-or-create-drift-issue
        # CHECK: You can remove this step if you don't use drift detection
        shell: bash
        env:
          # issues:write only; this token is reused by update-drift-issue at
          # the end of the job.
          GITHUB_TOKEN: ${{ steps.drift_issue_token.outputs.token }}
      - name: Generate token for setup
        id: setup_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # pull_requests:write - Post comments
          # issues:write - Update drift issues
          permissions: >-
            {
              "pull_requests": "write",
              "issues": "write"
            }
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - name: Set up
        uses: suzuki-shunsuke/tfaction/setup@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
        with:
          github_token: ${{ steps.setup_token.outputs.token }}
          # The SSH key and the TFE token are passed to this step only, not as
          # job-level env, so the other actions in this job never see them.
          ssh_key: ${{ secrets.TERRAFORM_PRIVATE_MODULE_SSH_KEY }} # This isn't needed if you don't use SSH key to checkout private Terraform Modules
        env:
          TF_TOKEN_app_terraform_io: ${{secrets.TFE_TOKEN}}
      - uses: suzuki-shunsuke/lock-action@c610af3122da5e5b3cfa5ddfd580f037c7b529f3 # v0.1.5
        # CHECK: You can remove this step if you don't want lock mechanism
        # `check` only reads the lock state; it does not acquire the lock, so
        # on its own it cannot serialize two applies of the same directory.
        id: check-lock
        with:
          mode: check # If you want to acquire lock, please check this to `lock`
          key: ${{env.TFACTION_WORKING_DIR}}
      # Refuse to apply while the working directory is locked. Values reach
      # the script through environment variables rather than `${{ }}`
      # interpolation into the shell text; keep it that way (no expression
      # injection into the shell).
      # NOTE(review): ACTOR, MESSAGE, WORKFLOW_URL and DATETIME are not set in
      # this step's `env` and are not visibly exported earlier in this
      # workflow, so the comment is posted with empty values unless something
      # outside this file provides them, while RESULT (the lock-action
      # `result` JSON) is set but never read. They presumably need to be
      # derived from that JSON, e.g.
      # `ACTOR: ${{fromJSON(steps.check-lock.outputs.result).<field>}}`, with
      # the field names taken from lock-action's documented `result` output.
      # NOTE(review): `exit 1` fails the job, which also makes the later
      # `if: failure()` follow-up-PR steps run on this already-locked path —
      # confirm that is intended.
      - run: |
          github-comment post \
            -k already-locked \
            -var "actor:$ACTOR" \
            -var "message:$MESSAGE" \
            -var "workflow_url:$WORKFLOW_URL" \
            -var "datetime:$DATETIME" \
            -var "tfaction_target:${TFACTION_TARGET}"
          exit 1
        if: steps.check-lock.outputs.already_locked == 'true'
        env:
          RESULT: ${{steps.check-lock.outputs.result}}
          GITHUB_TOKEN: ${{steps.setup_token.outputs.token}}
      - name: Generate token for apply
        id: apply_token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # pull_requests:write - Post comments
          # actions:read - Download plan files
          # issues:write - Update drift issues
          # contents:write - Update related pull requests
          # This is the broadest token in the job; it is minted only here,
          # handed only to the apply step, and still limited to this repository.
          permissions: >-
            {
              "pull_requests": "write",
              "actions": "read",
              "contents": "write",
              "issues": "write"
            }
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - name: Apply
        uses: suzuki-shunsuke/tfaction/apply@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
        with:
          github_token: ${{ steps.apply_token.outputs.token }}
        env:
          # Same secret under two names because the backend and the tfe
          # provider read different variables; scoped to this step only.
          TF_TOKEN_app_terraform_io: ${{secrets.TFE_TOKEN}} # For Hashicorp Cloud Backend
          TFE_TOKEN: ${{secrets.TFE_TOKEN}} # For tfe provider
      - name: Generate token for creating follow up pr
        id: follow_up_pr_token
        # Only minted when an earlier step in this job failed.
        if: failure()
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.APP_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}
          # contents:write - Push commits
          # pull_requests:write - Create a pull request
          permissions: >-
            {
              "contents": "write",
              "pull_requests": "write"
            }
          repositories: >-
            [
              "${{github.event.repository.name}}"
            ]
      - uses: suzuki-shunsuke/tfaction/create-follow-up-pr@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
        if: failure()
        with:
          github_token: ${{steps.follow_up_pr_token.outputs.token}}
      - uses: suzuki-shunsuke/tfaction/update-drift-issue@cf44a60e11fae9acf1ab973dff4af3e4761d91f7 # v1.13.5
        # CHECK: You can remove this step if you don't use drift detection
        # Runs regardless of the outcome (success, failure or cancel) and
        # records job.status on the drift issue with the issues:write token.
        if: always()
        with:
          status: ${{job.status}}
          github_token: ${{steps.drift_issue_token.outputs.token}}