ci: extract shared SOPS/tofu steps into composite actions (#135)

The SOPS install + version, the decrypt loop, the OpenTofu version, and
the Backblaze backend-credential extraction were copy-pasted across
terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml.
A version bump meant editing the same string in up to four places and
was easy to do partially.

Pull them into three local composite actions so each is defined once:
  - setup-tofu          (pins OpenTofu version)
  - sops-decrypt        (installs SOPS, decrypts *.enc.* in place)
  - tofu-backend-creds  (exports Backblaze S3 creds to GITHUB_ENV)

Behaviour is otherwise unchanged; the one difference is that sops-decrypt
now matches *.enc.env everywhere (previously only _deploy-core did), which
is a no-op in terraform/.
Rasmus Wejlgaard 2026-06-18 20:27:54 +01:00 committed by GitHub
parent e9d5f9bc76
commit 87439d47b8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 84 additions and 76 deletions

.github/actions/setup-tofu/action.yml vendored Normal file

@ -0,0 +1,15 @@
name: Set up OpenTofu
description: Install a pinned OpenTofu version (single source of truth for the version).
inputs:
version:
description: OpenTofu version to install
required: false
default: "1.9.0"
runs:
using: composite
steps:
- uses: opentofu/setup-opentofu@v2
with:
tofu_version: ${{ inputs.version }}
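Review bot: `uses: opentofu/setup-opentofu@v2` resolves a mutable major tag, so this "single source of truth" pins the OpenTofu version but not the action that installs it; a moved or compromised v2 tag would run with the job's token in every workflow that now consumes this composite action. Pin the action to the full commit SHA of the release you tested and keep the tag in a trailing comment so Dependabot can still track it, e.g. `uses: opentofu/setup-opentofu@<full-commit-sha> # v2`. The same applies to `actions/checkout@v6` in the callers, but that line is unchanged by this commit.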

.github/actions/sops-decrypt/action.yml vendored Normal file

@ -0,0 +1,31 @@
name: SOPS decrypt
description: Install SOPS and decrypt all in-repo *.enc.* files in place (single source of truth for the SOPS version).
inputs:
age-key:
description: age private key for SOPS decryption (sets SOPS_AGE_KEY)
required: true
sops-version:
description: SOPS version to install
required: false
default: "3.9.4"
runs:
using: composite
steps:
- name: Install SOPS
shell: bash
run: |
wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${{ inputs.sops-version }}/sops_${{ inputs.sops-version }}_amd64.deb"
sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets
shell: bash
env:
SOPS_AGE_KEY: ${{ inputs.age-key }}
run: |
find . -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
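Review bot: The `Install SOPS` step downloads the .deb and hands it straight to `sudo dpkg -i` with no integrity check, so the pinned version string fixes which file name is fetched but not what gets installed as root on every runner that now uses this action. Pin the expected SHA-256 next to the version (a `sops-sha256` input whose default is the digest published for 3.9.4 keeps existing callers working) and verify it before dpkg. While there, pass `inputs.sops-version` through `env:` instead of interpolating `${{ }}` into the script body, the pattern GitHub warns about for script injection; the input is caller-controlled and low risk here, but the action is now shared. The decrypt loop can stay as is, though `while IFS= read -r f` would avoid backslash mangling in file names.
```yaml
  sops-sha256:
    description: Expected SHA-256 of the sops .deb (from the release checksums file)
    required: false
    default: "<published digest for 3.9.4>"
# … unchanged: runs/using …
    - name: Install SOPS
      shell: bash
      env:
        SOPS_VERSION: ${{ inputs.sops-version }}
        SOPS_SHA256: ${{ inputs.sops-sha256 }}
      run: |
        wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops_${SOPS_VERSION}_amd64.deb"
        echo "${SOPS_SHA256}  /tmp/sops.deb" | sha256sum -c -
        sudo dpkg -i /tmp/sops.deb
    # … unchanged: Decrypt secrets step …
```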


@ -0,0 +1,18 @@
name: Set Terraform backend credentials
description: Export the Backblaze S3 backend credentials from a decrypted secrets.yaml into GITHUB_ENV.
inputs:
working-directory:
description: Directory containing the decrypted secrets.yaml
required: false
default: terraform
runs:
using: composite
steps:
- name: Set backend credentials
shell: bash
working-directory: ${{ inputs.working-directory }}
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
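Review bot: The two `echo … >> "$GITHUB_ENV"` lines export the Backblaze application key without registering it with the runner's log masking, so unlike `${{ secrets.* }}` values it will show in clear text if any later step of the job prints its environment or a provider logs credentials at debug level (`TF_LOG`, `ACTIONS_STEP_DEBUG`). Emit `::add-mask::` for the secret before writing it, and fail fast on a missing key: today `yq` prints `null` for an absent path and the job only dies later in `tofu init` with a misleading auth error. The rewrite below assumes the mikefarah `yq` shipped on ubuntu runners, where `-e` exits non-zero on a null or missing value; adjust if the runner image differs. This file's header is not shown on the page, so the input block above is taken as unchanged.
```yaml
      run: |
        key_id="$(yq -e '.backblaze_keyID' secrets.yaml)"
        app_key="$(yq -e '.backblaze_applicationKey' secrets.yaml)"
        # register the value so the runner redacts it from every later step's log
        echo "::add-mask::$app_key"
        echo "AWS_ACCESS_KEY_ID=$key_id" >> "$GITHUB_ENV"
        echo "AWS_SECRET_ACCESS_KEY=$app_key" >> "$GITHUB_ENV"
```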


@ -62,23 +62,16 @@ jobs:
ssh-keyscan -H "$HOST_IP" >> ~/.ssh/known_hosts 2>/dev/null || true ssh-keyscan -H "$HOST_IP" >> ~/.ssh/known_hosts 2>/dev/null || true
fi fi
- name: Install tools - name: Install Ansible
run: | run: pip install ansible
pip install ansible
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Install Ansible collections - name: Install Ansible collections
run: ansible-galaxy install -r ansible/requirements.yml run: ansible-galaxy install -r ansible/requirements.yml
- name: Decrypt secrets - name: Decrypt secrets
env: uses: ./.github/actions/sops-decrypt
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }} with:
run: | age-key: ${{ secrets.AGE_SECRET_KEY }}
find . -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
done
- name: Run playbook - name: Run playbook
working-directory: ansible/ working-directory: ansible/


@ -24,31 +24,15 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- name: Install OpenTofu - uses: ./.github/actions/setup-tofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
- name: Install SOPS
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets - name: Decrypt secrets
env: uses: ./.github/actions/sops-decrypt
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }} with:
run: | age-key: ${{ secrets.AGE_SECRET_KEY }}
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
- name: Set backend credentials - name: Set backend credentials
working-directory: terraform/ uses: ./.github/actions/tofu-backend-creds
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
- name: tofu init - name: tofu init
working-directory: terraform/ working-directory: terraform/
@ -75,31 +59,15 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- name: Install OpenTofu - uses: ./.github/actions/setup-tofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
- name: Install SOPS
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets - name: Decrypt secrets
env: uses: ./.github/actions/sops-decrypt
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }} with:
run: | age-key: ${{ secrets.AGE_SECRET_KEY }}
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
- name: Set backend credentials - name: Set backend credentials
working-directory: terraform/ uses: ./.github/actions/tofu-backend-creds
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
- name: tofu init - name: tofu init
working-directory: terraform/ working-directory: terraform/


@ -24,10 +24,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
- name: Install OpenTofu - uses: ./.github/actions/setup-tofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
# --- Dependabot: secret-free validation ------------------------------- # --- Dependabot: secret-free validation -------------------------------
- name: Validate (no secrets) - name: Validate (no secrets)
@ -54,29 +51,15 @@ jobs:
tofu validate tofu validate
# --- Human PRs: full plan against real backend ------------------------ # --- Human PRs: full plan against real backend ------------------------
- name: Install SOPS
if: github.actor != 'dependabot[bot]'
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets - name: Decrypt secrets
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'
env: uses: ./.github/actions/sops-decrypt
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }} with:
run: | age-key: ${{ secrets.AGE_SECRET_KEY }}
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
- name: Set backend credentials - name: Set backend credentials
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'
working-directory: terraform/ uses: ./.github/actions/tofu-backend-creds
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
- name: tofu init - name: tofu init
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'