diff --git a/.github/workflows/deploy-on-merge.yml b/.github/workflows/deploy-on-merge.yml
index 15db35f..953f952 100644
--- a/.github/workflows/deploy-on-merge.yml
+++ b/.github/workflows/deploy-on-merge.yml
@@ -7,6 +7,12 @@ on:
     paths-ignore:
       - "terraform/**"
 
+# Serialize fleet deploys so two quick merges can't run Ansible against the
+# same hosts at once. Don't cancel an in-flight deploy mid-run — queue it.
+concurrency:
+  group: deploy-on-merge
+  cancel-in-progress: false
+
 jobs:
   discover:
     name: Discover hosts
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 7d97dda..1e3071f 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -10,6 +10,13 @@ on:
 # Requires these repository secrets:
 # AGE_SECRET_KEY — age private key for SOPS decryption
 
+# Serialize Terraform runs so two merges can't apply against the state
+# concurrently. Never cancel an in-flight run (an interrupted apply can
+# corrupt state) — queue instead.
+concurrency:
+  group: terraform-state
+  cancel-in-progress: false
+
 jobs:
   plan:
     name: Plan
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 69f73a5..3260ffe 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -24,6 +24,10 @@ terraform {
     region = "eu-central-003"
     skip_credentials_validation = true
     skip_region_validation = true
+    # NOTE: no state locking — Backblaze B2's S3 API doesn't implement the
+    # conditional PutObject that OpenTofu's use_lockfile needs (returns 501
+    # NotImplemented). Concurrent applies are instead prevented by the
+    # `concurrency` guard in .github/workflows/terraform.yml.
     # Credentials read from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars
   }
 }
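Review bot: `cancel-in-progress: false` does not give a queue of arbitrary depth — GitHub holds at most one pending run per concurrency group and cancels the older pending run when a newer one arrives, so three merges in quick succession run the first and the third while the middle run is dropped, which the comment's "queue it" does not convey. That is acceptable if each run deploys the commit that triggered it and the newest commit subsumes the earlier ones, but it should be stated, e.g. `# Only one run is held pending per group; an older pending run is cancelled when a newer merge lands, so the latest commit always wins.` The same caveat applies to the `terraform-state` group in the second hunk. The group is also scoped to this workflow alone, so any other workflow that runs Ansible against the same hosts (none visible in this diff) would need the identical `group:` value to be serialized with it.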
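Review bot: The group is declared at workflow level, so it serializes the `plan` job together with the apply; if the `on:` block above the hunk includes `pull_request`, read-only PR plans will queue behind a running apply and an older pending PR plan is cancelled whenever another PR pushes. If that is the trigger set, keying the group on the event (`group: terraform-state-${{ github.event_name }}`) or placing `concurrency:` on the apply job only keeps applies strictly serialized while letting plans proceed independently. Note that a plan running alongside an apply then reads state with no lock, which is tolerable for a preview but should be said in the comment so nobody later treats a PR plan as authoritative.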
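Review bot: The added NOTE overstates the protection: the `concurrency` group in terraform.yml serializes runs of that one workflow only, so an apply run from an operator's machine or from any other workflow sharing this backend is not prevented and, with no backend lock, would race an in-flight CI apply unnoticed. Suggest qualifying the last sentence, e.g. `# Concurrent CI applies are instead prevented by the concurrency guard in .github/workflows/terraform.yml; it does not cover local or out-of-band applies, which must not be run while that workflow is active.` The enclosing `terraform {` block starts above the hunk.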