Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/cache](https://github.com/actions/cache). Updates `actions/checkout` from 6 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6...v7) Updates `actions/cache` from 5 to 6 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
name: Terraform

# Trigger: only pushes to main that touch the Terraform tree or this workflow.
# Because no other event is wired up, the `if:` guards further down (Upload
# plan step, apply job) are currently redundant with this trigger; they only
# start to matter if another event (e.g. pull_request) is added later.
on:
  push:
    branches: [main]
    paths:
      - "terraform/**"
      - ".github/workflows/terraform.yml"

# Requires these repository secrets:
#   AGE_SECRET_KEY — age private key for SOPS decryption

# NOTE(review): no top-level `permissions:` block, so GITHUB_TOKEN receives the
# repository's default permission set. The visible steps only read the checkout;
# `permissions: { contents: read }` is probably sufficient, but confirm the local
# composite actions (setup-tofu, sops-decrypt, tofu-backend-creds) do not need
# more (e.g. `id-token: write` for OIDC) before tightening.

# Serialize Terraform runs so two merges can't apply against the state
# concurrently. Never cancel an in-flight run (an interrupted apply can
# corrupt state) — queue instead.
concurrency:
  group: terraform-state
  cancel-in-progress: false

jobs:
  # Produces a saved plan file from the current main and publishes it as an
  # artifact so the apply job executes exactly this plan and nothing else.
  plan:
    name: Plan
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a major tag (kept current by
      # Dependabot). A full commit SHA pin would additionally protect against
      # a moved or rewritten tag.
      - uses: actions/checkout@v7

      # Local composite action; installs the tofu binary (contents not visible here).
      - uses: ./.github/actions/setup-tofu

      # Decrypts SOPS-managed files with the age key; must run before the
      # backend-credentials step, which presumably consumes the decrypted values.
      - name: Decrypt secrets
        uses: ./.github/actions/sops-decrypt
        with:
          age-key: ${{ secrets.AGE_SECRET_KEY }}

      - name: Set backend credentials
        uses: ./.github/actions/tofu-backend-creds

      - name: tofu init
        working-directory: terraform/
        run: tofu init

      # -out writes a binary plan file; it is the only thing handed to apply.
      - name: tofu plan
        working-directory: terraform/
        run: tofu plan -out=tfplan

      # Plan files may embed sensitive variable values in plaintext, so the
      # artifact is kept for the minimum retention (1 day) — just long enough
      # for the dependent apply job to download it.
      - name: Upload plan
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v7
        with:
          name: tfplan
          path: terraform/tfplan
          retention-days: 1

  # Applies the plan produced above. Runs on a fresh runner, so checkout,
  # tooling, secrets and `tofu init` are all repeated before apply.
  apply:
    name: Apply
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Any protection rules configured on the "production" environment
    # (required reviewers, wait timers) gate this job before it starts.
    environment: production
    steps:
      - uses: actions/checkout@v7

      - uses: ./.github/actions/setup-tofu

      - name: Decrypt secrets
        uses: ./.github/actions/sops-decrypt
        with:
          age-key: ${{ secrets.AGE_SECRET_KEY }}

      - name: Set backend credentials
        uses: ./.github/actions/tofu-backend-creds

      - name: tofu init
        working-directory: terraform/
        run: tofu init

      # Restores the saved plan into the working directory used by apply.
      - name: Download plan
        uses: actions/download-artifact@v8
        with:
          name: tfplan
          path: terraform/

      # Applying a saved plan file executes only the changes recorded in it;
      # if the state drifted since plan time, tofu refuses rather than re-planning.
      - name: tofu apply
        working-directory: terraform/
        run: tofu apply -auto-approve tfplan