mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
Bumps the github-actions group with 2 updates in the / directory: [ansible/ansible-lint](https://github.com/ansible/ansible-lint) and [actions/github-script](https://github.com/actions/github-script). Updates `ansible/ansible-lint` from 25 to 26 - [Release notes](https://github.com/ansible/ansible-lint/releases) - [Commits](https://github.com/ansible/ansible-lint/compare/v25...v26) Updates `actions/github-script` from 7 to 9 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/v7...v9) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: ansible/ansible-lint dependency-version: '26' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
129 lines
4.5 KiB
YAML
129 lines
4.5 KiB
YAML
name: Validate Terraform
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- "terraform/**"
|
|
- ".github/workflows/validate-terraform.yml"
|
|
|
|
permissions:
|
|
contents: read
|
|
pull-requests: write
|
|
|
|
# Requires these repository secrets:
|
|
# AGE_SECRET_KEY — age private key for SOPS decryption
|
|
#
|
|
# Dependabot PRs run with no access to these secrets and a read-only token,
|
|
# so they take a lightweight, secret-free path (init + validate, no plan/
|
|
# comment). Provider-version bumps are still resolved and validated.
|
|
|
|
jobs:
|
|
plan:
|
|
name: tofu plan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
|
|
- name: Install OpenTofu
|
|
uses: opentofu/setup-opentofu@v2
|
|
with:
|
|
tofu_version: 1.9.0
|
|
|
|
# --- Dependabot: secret-free validation -------------------------------
|
|
- name: Validate (no secrets)
|
|
if: github.actor == 'dependabot[bot]'
|
|
working-directory: terraform/
|
|
run: |
|
|
# secrets.yaml is decrypted from SOPS at plan time and can't be
|
|
# produced here, so stub the keys the config reads (kept in sync by
|
|
# deriving them from the actual secrets["..."] references).
|
|
grep -rhoE 'secrets\["[^"]+"\]' . \
|
|
| sed -E 's/.*secrets\["([^"]+)"\].*/\1: "stub"/' \
|
|
| sort -u > secrets.yaml
|
|
tofu init -backend=false
|
|
tofu validate
|
|
|
|
# --- Human PRs: full plan against real backend ------------------------
|
|
- name: Install SOPS
|
|
if: github.actor != 'dependabot[bot]'
|
|
run: |
|
|
wget -qO /tmp/sops.deb https://github.com/getsops/sops/releases/download/v3.9.4/sops_3.9.4_amd64.deb
|
|
sudo dpkg -i /tmp/sops.deb
|
|
|
|
- name: Decrypt secrets
|
|
if: github.actor != 'dependabot[bot]'
|
|
env:
|
|
SOPS_AGE_KEY: ${{ secrets.AGE_SECRET_KEY }}
|
|
run: |
|
|
find . -name '*.enc.yml' -o -name '*.enc.yaml' | while read f; do
|
|
out="${f/.enc/}"
|
|
sops -d "$f" > "$out"
|
|
echo "Decrypted: $f -> $out"
|
|
done
|
|
|
|
- name: Set backend credentials
|
|
if: github.actor != 'dependabot[bot]'
|
|
working-directory: terraform/
|
|
run: |
|
|
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
|
|
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
|
|
|
|
- name: tofu init
|
|
if: github.actor != 'dependabot[bot]'
|
|
working-directory: terraform/
|
|
run: tofu init
|
|
|
|
- name: tofu validate
|
|
if: github.actor != 'dependabot[bot]'
|
|
working-directory: terraform/
|
|
run: tofu validate
|
|
|
|
- name: tofu plan
|
|
id: plan
|
|
if: github.actor != 'dependabot[bot]'
|
|
working-directory: terraform/
|
|
continue-on-error: true
|
|
run: |
|
|
set -o pipefail
|
|
tofu plan -no-color 2>&1 | tee plan_output.txt
|
|
|
|
- name: Post plan as PR comment
|
|
if: github.actor != 'dependabot[bot]'
|
|
uses: actions/github-script@v9
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
const raw = fs.readFileSync('terraform/plan_output.txt', 'utf8');
|
|
const filtered = raw.split('\n').filter(l => !l.includes(': Refreshing state...')).join('\n');
|
|
const truncated = filtered.length > 65000
|
|
? filtered.slice(0, 65000) + '\n\n...(output truncated)'
|
|
: filtered;
|
|
const outcome = '${{ steps.plan.outcome }}';
|
|
const header = outcome === 'failure' ? '## Terraform Plan — FAILED' : '## Terraform Plan';
|
|
const body = `${header}\n\`\`\`\n${truncated}\n\`\`\``;
|
|
|
|
const { data: comments } = await github.rest.issues.listComments({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.issue.number,
|
|
});
|
|
const existing = comments.find(c => c.body.startsWith('## Terraform Plan'));
|
|
if (existing) {
|
|
await github.rest.issues.updateComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
comment_id: existing.id,
|
|
body,
|
|
});
|
|
} else {
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: context.issue.number,
|
|
body,
|
|
});
|
|
}
|
|
|
|
- name: Fail if plan failed
|
|
if: github.actor != 'dependabot[bot]' && steps.plan.outcome == 'failure'
|
|
run: exit 1
|