ci: extract shared SOPS/tofu steps into composite actions (#135)
The SOPS install + version, the decrypt loop, the OpenTofu version, and the Backblaze backend-credential extraction were copy-pasted across terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml. A version bump meant editing the same string in up to four places and was easy to do partially. Pull them into three local composite actions so each is defined once:
- setup-tofu (pins OpenTofu version)
- sops-decrypt (installs SOPS, decrypts *.enc.* in place)
- tofu-backend-creds (exports Backblaze S3 creds to GITHUB_ENV)
Behaviour is unchanged; sops-decrypt also matches *.enc.env everywhere (previously only _deploy-core did), which is a no-op in terraform/.
This commit is contained in:
parent
e9d5f9bc76
commit
87439d47b8
6 changed files with 84 additions and 76 deletions
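--- a/.github/actions/setup-tofu/action.yml
+++ b/.github/actions/setup-tofu/action.yml
@@ -0,0 +1,15 @@
+name: Set up OpenTofu
+description: Install a pinned OpenTofu version (single source of truth for the version).
+
+inputs:
+version:
+description: OpenTofu version to install
+required: false
+default: "1.9.0"
+
+runs:
+using: composite
+steps:
+- uses: opentofu/setup-opentofu@v2
+with:
+tofu_version: ${{ inputs.version }}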
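Review bot: `opentofu/setup-opentofu@v2` is referenced by a mutable tag, so the action code that actually runs can change underneath the version pin this composite action exists to provide; prefer the full-length commit SHA of the v2 release with the tag kept in a trailing comment, `- uses: opentofu/setup-opentofu@<FULL_COMMIT_SHA>  # v2`. The SHA should be copied from the upstream release page rather than typed by hand, and if Dependabot's `github-actions` ecosystem is enabled for this repo it keeps both the SHA and the comment current. The quoted `"1.9.0"` default is correct as written: left unquoted it would still be a string here, but quoting protects it from a future `1.10`-style value being read as a float by generic YAML tooling.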
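--- a/.github/actions/sops-decrypt/action.yml
+++ b/.github/actions/sops-decrypt/action.yml
@@ -0,0 +1,31 @@
+name: SOPS decrypt
+description: Install SOPS and decrypt all in-repo *.enc.* files in place (single source of truth for the SOPS version).
+
+inputs:
+age-key:
+description: age private key for SOPS decryption (sets SOPS_AGE_KEY)
+required: true
+sops-version:
+description: SOPS version to install
+required: false
+default: "3.9.4"
+
+runs:
+using: composite
+steps:
+- name: Install SOPS
+shell: bash
+run: |
+wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${{ inputs.sops-version }}/sops_${{ inputs.sops-version }}_amd64.deb"
+sudo dpkg -i /tmp/sops.deb
+
+- name: Decrypt secrets
+shell: bash
+env:
+SOPS_AGE_KEY: ${{ inputs.age-key }}
+run: |
+find . -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' | while read f; do
+out="${f/.enc/}"
+sops -d "$f" > "$out"
+echo "Decrypted: $f -> $out"
+done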
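Review bot: The Install SOPS step runs `sudo dpkg -i` on a package fetched with `wget` and no checksum or signature check, so a tampered or truncated download is installed as root and then handed the age key in the next step; verify the artifact before installing it, as sketched below with a digest that must be copied from the upstream release rather than typed by hand (the release's published checksum file can serve the same purpose if you prefer to fetch it). Interpolating `${{ inputs.sops-version }}` straight into the `run:` script is the template-expansion pattern GitHub's hardening guidance advises against; the value comes from the calling workflow here, so the exposure is small, but routing it through `env:` keeps the script free of expansion and costs nothing. In the Decrypt step, `while read f` should be `while IFS= read -r f` so that paths containing backslashes or leading whitespace are not mangled. Because the checksum default is tied to the version default, a caller that overrides `sops-version` must override the checksum too, which the input description should say.

```yaml
inputs:
  # … unchanged: age-key, sops-version …
  sops-sha256:
    description: Expected SHA-256 of the downloaded .deb for sops-version (copy from the upstream release; override together with sops-version)
    required: false
    default: "<SHA256_OF_sops_3.9.4_amd64.deb>"
# … unchanged: runs / using: composite …
    - name: Install SOPS
      shell: bash
      env:
        SOPS_VERSION: ${{ inputs.sops-version }}
        SOPS_SHA256: ${{ inputs.sops-sha256 }}
      run: |
        wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops_${SOPS_VERSION}_amd64.deb"
        echo "${SOPS_SHA256}  /tmp/sops.deb" | sha256sum -c -
        sudo dpkg -i /tmp/sops.deb
    # … unchanged: Decrypt secrets step …
```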
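--- a/.github/actions/tofu-backend-creds/action.yml
+++ b/.github/actions/tofu-backend-creds/action.yml
@@ -0,0 +1,18 @@
+name: Set Terraform backend credentials
+description: Export the Backblaze S3 backend credentials from a decrypted secrets.yaml into GITHUB_ENV.
+
+inputs:
+working-directory:
+description: Directory containing the decrypted secrets.yaml
+required: false
+default: terraform
+
+runs:
+using: composite
+steps:
+- name: Set backend credentials
+shell: bash
+working-directory: ${{ inputs.working-directory }}
+run: |
+echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
+echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"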
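Review bot: The two `echo … >> "$GITHUB_ENV"` lines export values that were read from a decrypted file, not from the `secrets` context, so the runner does not mask them; any later step that dumps its environment, or a backend error that echoes `AWS_SECRET_ACCESS_KEY`, would write the Backblaze application key into the job log in clear. Register each value with `::add-mask::` before appending it to `GITHUB_ENV`, as below. Separately, `yq` prints `null` for a missing key, which silently exports `AWS_ACCESS_KEY_ID=null` and surfaces later as a confusing backend failure; assuming the runner's `yq` is the Go build (which the `'.backblaze_keyID'` syntax suggests), `yq -e` makes the step fail at the source instead. The `working-directory` input and the rest of the action are unchanged.

```yaml
      run: |
        key_id="$(yq -e '.backblaze_keyID' secrets.yaml)"
        app_key="$(yq -e '.backblaze_applicationKey' secrets.yaml)"
        echo "::add-mask::$key_id"
        echo "::add-mask::$app_key"
        echo "AWS_ACCESS_KEY_ID=$key_id" >> "$GITHUB_ENV"
        echo "AWS_SECRET_ACCESS_KEY=$app_key" >> "$GITHUB_ENV"
```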
17
.github/workflows/_deploy-core.yml
@ -62,23 +62,16 @@ jobs:
ssh-keyscan -H "$HOST_IP" >> ~/.ssh/known_hosts 2>/dev/null || true
fi
- name: Install tools
run: |
pip install ansible
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Install Ansible
run: pip install ansible
- name: Install Ansible collections
run: ansible-galaxy install -r ansible/requirements.yml
- name: Decrypt secrets
env:
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: |
find . -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
done
uses: ./.github/actions/sops-decrypt
with:
age-key: ${{ secrets.AGE_SECRET_KEY }}
- name: Run playbook
working-directory: ansible/
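Review bot: The renamed `Install Ansible` step still runs `pip install ansible` with no version constraint or hash, so every deploy pulls whatever ansible and its transitive dependencies PyPI serves that day, which sits oddly in a commit whose point is pinning tool versions in one place; `pip install 'ansible==<PINNED_VERSION>'`, or a `requirements.txt` installed with `--require-hashes`, would close that gap. This was already the case on the removed `Install tools` line, so it is a follow-up rather than a regression introduced here. The job's earlier steps, including the checkout that the local `uses: ./.github/actions/sops-decrypt` path depends on, are outside the hunk.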
52
.github/workflows/terraform.yml
@ -24,31 +24,15 @@ jobs:
steps:
- uses: actions/checkout@v6
- name: Install OpenTofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
- name: Install SOPS
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- uses: ./.github/actions/setup-tofu
- name: Decrypt secrets
env:
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: |
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
uses: ./.github/actions/sops-decrypt
with:
age-key: ${{ secrets.AGE_SECRET_KEY }}
- name: Set backend credentials
working-directory: terraform/
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
uses: ./.github/actions/tofu-backend-creds
- name: tofu init
working-directory: terraform/
@ -75,31 +59,15 @@ jobs:
steps:
- uses: actions/checkout@v6
- name: Install OpenTofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
- name: Install SOPS
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- uses: ./.github/actions/setup-tofu
- name: Decrypt secrets
env:
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: |
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
uses: ./.github/actions/sops-decrypt
with:
age-key: ${{ secrets.AGE_SECRET_KEY }}
- name: Set backend credentials
working-directory: terraform/
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
uses: ./.github/actions/tofu-backend-creds
- name: tofu init
working-directory: terraform/
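Review bot: `- uses: ./.github/actions/setup-tofu` replaces a named step in both hunks but carries no `name:`, so the job log now lists it by its path while every neighbouring step has a readable label; add `- name: Install OpenTofu` above the `uses:` line in both jobs, matching how the Decrypt secrets and Set backend credentials steps kept their names when they switched to `uses:`. The identical line in validate-terraform.yml has the same gap. Each job's remaining steps, from `tofu init` onwards, are outside the hunks.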
27
.github/workflows/validate-terraform.yml
@ -24,10 +24,7 @@ jobs:
steps:
- uses: actions/checkout@v6
- name: Install OpenTofu
uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.9.0
- uses: ./.github/actions/setup-tofu
# --- Dependabot: secret-free validation -------------------------------
- name: Validate (no secrets)
@ -54,29 +51,15 @@ jobs:
tofu validate
# --- Human PRs: full plan against real backend ------------------------
- name: Install SOPS
if: github.actor != 'dependabot[bot]'
run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets
if: github.actor != 'dependabot[bot]'
env:
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: |
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
out="${f/.enc/}"
sops -d "$f" > "$out"
echo "Decrypted: $f -> $out"
done
uses: ./.github/actions/sops-decrypt
with:
age-key: ${{ secrets.AGE_SECRET_KEY }}
- name: Set backend credentials
if: github.actor != 'dependabot[bot]'
working-directory: terraform/
run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
uses: ./.github/actions/tofu-backend-creds
- name: tofu init
if: github.actor != 'dependabot[bot]'