chore: fix dependabot PRs (#118)
* chore: add dependabot config Add Dependabot for the three supported ecosystems in this repo: GitHub Actions, Terraform (root + grafana/hetzner/pagerduty modules), and Docker (service compose files + dotfile Dockerfiles). Weekly schedule with per-ecosystem grouping to keep PR noise down. * ci: make terraform validation work on dependabot PRs Dependabot PRs run with no access to repository secrets and a read-only token, so the SOPS decrypt step (and the PR-comment step) fail. Give Dependabot a secret-free path: stub the secrets.yaml keys it reads and run init -backend=false + validate, skipping decrypt/plan/comment. Human PRs are unchanged and still get a full plan.
This commit is contained in:
parent
7e74232d64
commit
7b2552fea5
1 changed files with 27 additions and 1 deletions
28
.github/workflows/validate-terraform.yml
vendored
|
|
@ -12,6 +12,10 @@ permissions:
|
|||
|
||||
# Requires these repository secrets:
|
||||
# AGE_SECRET_KEY — age private key for SOPS decryption
|
||||
#
|
||||
# Dependabot PRs run with no access to these secrets and a read-only token,
|
||||
# so they take a lightweight, secret-free path (init + validate, no plan/
|
||||
# comment). Provider-version bumps are still resolved and validated.
|
||||
|
||||
jobs:
|
||||
plan:
|
||||
|
|
@ -25,12 +29,29 @@ jobs:
|
|||
with:
|
||||
tofu_version: 1.9.0
|
||||
|
||||
# --- Dependabot: secret-free validation -------------------------------
|
||||
- name: Validate (no secrets)
|
||||
if: github.actor == 'dependabot[bot]'
|
||||
working-directory: terraform/
|
||||
run: |
|
||||
# secrets.yaml is decrypted from SOPS at plan time and can't be
|
||||
# produced here, so stub the keys the config reads (kept in sync by
|
||||
# deriving them from the actual secrets["..."] references).
|
||||
grep -rhoE 'secrets\["[^"]+"\]' . \
|
||||
| sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \
|
||||
| sort -u > secrets.yaml
|
||||
tofu init -backend=false
|
||||
tofu validate
|
||||
|
||||
# --- Human PRs: full plan against real backend ------------------------
|
||||
- name: Install SOPS
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
run: |
|
||||
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
|
||||
sudo dpkg -i /tmp/sops.deb
|
||||
|
||||
- name: Decrypt secrets
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
env:
|
||||
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
|
||||
run: |
|
||||
|
|
@ -41,21 +62,25 @@ jobs:
|
|||
done
|
||||
|
||||
- name: Set backend credentials
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
working-directory: terraform/
|
||||
run: |
|
||||
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
|
||||
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
|
||||
|
||||
- name: tofu init
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
working-directory: terraform/
|
||||
run: tofu init
|
||||
|
||||
- name: tofu validate
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
working-directory: terraform/
|
||||
run: tofu validate
|
||||
|
||||
- name: tofu plan
|
||||
id: plan
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
working-directory: terraform/
|
||||
continue-on-error: true
|
||||
run: |
|
||||
|
|
@ -63,6 +88,7 @@ jobs:
|
|||
tofu plan -no-color 2>&1 | tee plan_output.txt
|
||||
|
||||
- name: Post plan as PR comment
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
uses: actions/github-script@v7
|
||||
with:
|
||||
script: |
|
||||
|
|
@ -99,5 +125,5 @@ jobs:
|
|||
}
|
||||
|
||||
- name: Fail if plan failed
|
||||
if: steps.plan.outcome == 'failure'
|
||||
if: github.actor != 'dependabot[bot]' && steps.plan.outcome == 'failure'
|
||||
run: exit 1
|
||||
|
|
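Review bot: The Dependabot/human split is keyed on `github.actor` repeated as an inline `if:` on every step from `Validate (no secrets)` through `Fail if plan failed`, so a step added later without the guard (or with the `!=` mistyped) silently lands on the wrong path; consider splitting into two jobs, or computing it once at job level with `env: IS_DEPENDABOT: ${{ github.actor == 'dependabot[bot]' }}` and testing `env.IS_DEPENDABOT == 'true'` per step, so the secret-free path is a single decision. Note that `github.actor` is the user who triggered the run rather than the PR author, so a maintainer pushing a commit onto a Dependabot branch routes that run through the full plan with real backend credentials — presumably intended, but worth stating in the header comment, e.g. `# Keyed on github.actor (who triggered the run), not the PR author.`. The stub generator has no fallback when `grep` finds no `secrets["..."]` reference: with the default `bash -e` (no `pipefail`) it writes an empty `secrets.yaml` and the failure surfaces later in `tofu validate`, so `[ -s secrets.yaml ] || { echo "no secrets references found"; exit 1; }` after the pipeline would make the cause obvious. Separately, the now-guarded `Install SOPS` step still installs `/tmp/sops.deb` without a checksum check; pinning `v3.9.4` alone does not protect against a tampered release asset.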