Compare commits
No commits in common. "7b2552fea57261d61821968599c4a019d64915b5" and "65090ca9d6c43f12b662c611fad17068e5f86174" have entirely different histories.
7b2552fea5
...
65090ca9d6
2 changed files with 1 additions and 64 deletions
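--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,37 +0,0 @@
-version: 2
-updates:
-# GitHub Actions used across all workflows
-- package-ecosystem: github-actions
-directory: /
-schedule:
-interval: weekly
-groups:
-github-actions:
-patterns:
-- "*"
-
-# Terraform root and provider modules
-- package-ecosystem: terraform
-directories:
-- /terraform
-- /terraform/grafana
-- /terraform/hetzner
-- /terraform/pagerduty
-schedule:
-interval: weekly
-groups:
-terraform:
-patterns:
-- "*"
-
-# Docker images in service compose files and dotfile Dockerfiles
-- package-ecosystem: docker
-directories:
-- /ansible/services/*
-- /ansible/dotfiles
-schedule:
-interval: weekly
-groups:
-docker:
-patterns:
-- "*"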
28
.github/workflows/validate-terraform.yml
vendored
28
.github/workflows/validate-terraform.yml
vendored
|
|
@ -12,10 +12,6 @@ permissions:
|
||||||
|
|
||||||
# Requires these repository secrets:
|
# Requires these repository secrets:
|
||||||
# AGE_SECRET_KEY — age private key for SOPS decryption
|
# AGE_SECRET_KEY — age private key for SOPS decryption
|
||||||
#
|
|
||||||
# Dependabot PRs run with no access to these secrets and a read-only token,
|
|
||||||
# so they take a lightweight, secret-free path (init + validate, no plan/
|
|
||||||
# comment). Provider-version bumps are still resolved and validated.
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
plan:
|
plan:
|
||||||
|
|
@ -29,29 +25,12 @@ jobs:
|
||||||
with:
|
with:
|
||||||
tofu_version: 1.9.0
|
tofu_version: 1.9.0
|
||||||
|
|
||||||
# --- Dependabot: secret-free validation -------------------------------
|
|
||||||
- name: Validate (no secrets)
|
|
||||||
if: github.actor == 'dependabot[bot]'
|
|
||||||
working-directory: terraform/
|
|
||||||
run: |
|
|
||||||
# secrets.yaml is decrypted from SOPS at plan time and can't be
|
|
||||||
# produced here, so stub the keys the config reads (kept in sync by
|
|
||||||
# deriving them from the actual secrets["..."] references).
|
|
||||||
grep -rhoE 'secrets\["[^"]+"\]' . \
|
|
||||||
| sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \
|
|
||||||
| sort -u > secrets.yaml
|
|
||||||
tofu init -backend=false
|
|
||||||
tofu validate
|
|
||||||
|
|
||||||
# --- Human PRs: full plan against real backend ------------------------
|
|
||||||
- name: Install SOPS
|
- name: Install SOPS
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
run: |
|
run: |
|
||||||
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
|
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
|
||||||
sudo dpkg -i /tmp/sops.deb
|
sudo dpkg -i /tmp/sops.deb
|
||||||
|
|
||||||
- name: Decrypt secrets
|
- name: Decrypt secrets
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
env:
|
env:
|
||||||
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
|
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
|
||||||
run: |
|
run: |
|
||||||
|
|
@ -62,25 +41,21 @@ jobs:
|
||||||
done
|
done
|
||||||
|
|
||||||
- name: Set backend credentials
|
- name: Set backend credentials
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
run: |
|
run: |
|
||||||
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
|
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
|
||||||
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
|
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
- name: tofu init
|
- name: tofu init
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
run: tofu init
|
run: tofu init
|
||||||
|
|
||||||
- name: tofu validate
|
- name: tofu validate
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
run: tofu validate
|
run: tofu validate
|
||||||
|
|
||||||
- name: tofu plan
|
- name: tofu plan
|
||||||
id: plan
|
id: plan
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
working-directory: terraform/
|
working-directory: terraform/
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
|
|
@ -88,7 +63,6 @@ jobs:
|
||||||
tofu plan -no-color 2>&1 | tee plan_output.txt
|
tofu plan -no-color 2>&1 | tee plan_output.txt
|
||||||
|
|
||||||
- name: Post plan as PR comment
|
- name: Post plan as PR comment
|
||||||
if: github.actor != 'dependabot[bot]'
|
|
||||||
uses: actions/github-script@v7
|
uses: actions/github-script@v7
|
||||||
with:
|
with:
|
||||||
script: |
|
script: |
|
||||||
|
|
@ -125,5 +99,5 @@ jobs:
|
||||||
}
|
}
|
||||||
|
|
||||||
- name: Fail if plan failed
|
- name: Fail if plan failed
|
||||||
if: github.actor != 'dependabot[bot]' && steps.plan.outcome == 'failure'
|
if: steps.plan.outcome == 'failure'
|
||||||
run: exit 1
|
run: exit 1
|
||||||
|
|
|
||||||
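Review bot: The Set backend credentials step in the third hunk writes the decrypted Backblaze key pair into `$GITHUB_ENV` without masking, so once the Dependabot guard is gone every PR run exports live backend credentials that GitHub's secret masking does not know about, and nothing stops them from surfacing in later step logs or in `plan_output.txt`, which a later step posts as a PR comment. Register them before exporting, e.g. `echo "::add-mask::$(yq '.backblaze_applicationKey' secrets.yaml)"` (and likewise for `.backblaze_keyID`). Dropping the `github.actor != 'dependabot[bot]'` conditions also means a run whose token cannot read `AGE_SECRET_KEY` — Dependabot security-update PRs, which repository settings can still open after `.github/dependabot.yml` is deleted, or fork PRs if the trigger outside these hunks admits them — now fails at Decrypt secrets instead of taking a validate-only path; if that is intended, record it in the header comment, e.g. `# Every run decrypts secrets; runs whose token lacks AGE_SECRET_KEY fail at "Decrypt secrets".` The `on:` trigger and the rest of the plan job lie outside these hunks.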