ci: make terraform validation work on dependabot PRs

Dependabot PRs run with no access to repository secrets and a read-only
token, so the SOPS decrypt step (and the PR-comment step) fail. Give
Dependabot a secret-free path: stub the secrets.yaml keys it reads and
run init -backend=false + validate, skipping decrypt/plan/comment. Human
PRs are unchanged and still get a full plan.
This commit is contained in:
Rasmus Wejlgaard 2026-06-03 19:27:22 +01:00
parent da7a911d4f
commit ba21b33c81


@ -12,6 +12,10 @@ permissions:
# Requires these repository secrets: # Requires these repository secrets:
# AGE_SECRET_KEY — age private key for SOPS decryption # AGE_SECRET_KEY — age private key for SOPS decryption
#
# Dependabot PRs run with no access to these secrets and a read-only token,
# so they take a lightweight, secret-free path (init + validate, no plan/
# comment). Provider-version bumps are still resolved and validated.
jobs: jobs:
plan: plan:
@ -25,12 +29,29 @@ jobs:
with: with:
tofu_version: 1.9.0 tofu_version: 1.9.0
# --- Dependabot: secret-free validation -------------------------------
- name: Validate (no secrets)
if: github.actor == 'dependabot[bot]'
working-directory: terraform/
run: |
# secrets.yaml is decrypted from SOPS at plan time and can't be
# produced here, so stub the keys the config reads (kept in sync by
# deriving them from the actual secrets["..."] references).
grep -rhoE 'secrets\["[^"]+"\]' . \
| sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \
| sort -u > secrets.yaml
tofu init -backend=false
tofu validate
# --- Human PRs: full plan against real backend ------------------------
- name: Install SOPS - name: Install SOPS
if: github.actor != 'dependabot[bot]'
run: | run: |
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
sudo dpkg -i /tmp/sops.deb sudo dpkg -i /tmp/sops.deb
- name: Decrypt secrets - name: Decrypt secrets
if: github.actor != 'dependabot[bot]'
env: env:
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }} SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
run: | run: |
@ -41,21 +62,25 @@ jobs:
done done
- name: Set backend credentials - name: Set backend credentials
if: github.actor != 'dependabot[bot]'
working-directory: terraform/ working-directory: terraform/
run: | run: |
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV" echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV" echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
- name: tofu init - name: tofu init
if: github.actor != 'dependabot[bot]'
working-directory: terraform/ working-directory: terraform/
run: tofu init run: tofu init
- name: tofu validate - name: tofu validate
if: github.actor != 'dependabot[bot]'
working-directory: terraform/ working-directory: terraform/
run: tofu validate run: tofu validate
- name: tofu plan - name: tofu plan
id: plan id: plan
if: github.actor != 'dependabot[bot]'
working-directory: terraform/ working-directory: terraform/
continue-on-error: true continue-on-error: true
run: | run: |
@ -63,6 +88,7 @@ jobs:
tofu plan -no-color 2>&1 | tee plan_output.txt tofu plan -no-color 2>&1 | tee plan_output.txt
- name: Post plan as PR comment - name: Post plan as PR comment
if: github.actor != 'dependabot[bot]'
uses: actions/github-script@v7 uses: actions/github-script@v7
with: with:
script: | script: |
@ -99,5 +125,5 @@ jobs:
} }
- name: Fail if plan failed - name: Fail if plan failed
if: steps.plan.outcome == 'failure' if: github.actor != 'dependabot[bot]' && steps.plan.outcome == 'failure'
run: exit 1 run: exit 1
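Review bot: In the new "Validate (no secrets)" step every `secrets["…"]` key is stubbed with the same string `"stub"`, so a key the configuration consumes as a number, list or map (or that a provider schema types as non-string) will make `tofu validate` fail on a dependency bump that has nothing to do with it; the stub comment should say so, e.g. `# all stubs are strings — a key read as another type needs an explicit entry here`. If the grep matches nothing it exits 1 and, under the runner's default `bash -eo pipefail`, the step fails with no message; a guard line before the pipeline such as `grep -rqE 'secrets\["[^"]+"\]' . || { echo "no secrets[...] references found" >&2; exit 1; }` makes that explicit. The `github.actor` gate used on this step and on the later secret-bearing steps keys on whoever triggered the run, so a maintainer re-running the checks on a Dependabot PR will presumably take the full-plan branch rather than this one — acceptable if intended, but worth stating in the header comment added at the top of the file. The job continues outside this hunk.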