mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
The SOPS install + version, the decrypt loop, the OpenTofu version, and the Backblaze backend-credential extraction were copy-pasted across terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml. A version bump meant editing the same string in up to four places and was easy to do partially. Pull them into three local composite actions so each is defined once: - setup-tofu (pins OpenTofu version) - sops-decrypt (installs SOPS, decrypts *.enc.* in place) - tofu-backend-creds (exports Backblaze S3 creds to GITHUB_ENV) Behaviour is unchanged; sops-decrypt also matches *.enc.env everywhere (previously only _deploy-core did), which is a no-op in terraform/.
18 lines
630 B
YAML
18 lines
630 B
YAML
name: Set Terraform backend credentials
|
|
description: Export the Backblaze S3 backend credentials from a decrypted secrets.yaml into GITHUB_ENV.
|
|
|
|
inputs:
|
|
working-directory:
|
|
description: Directory containing the decrypted secrets.yaml
|
|
required: false
|
|
default: terraform
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Set backend credentials
|
|
shell: bash
|
|
working-directory: ${{ inputs.working-directory }}
|
|
run: |
|
|
echo "AWS_ACCESS_KEY_ID=$(yq '.backblaze_keyID' secrets.yaml)" >> "$GITHUB_ENV"
|
|
echo "AWS_SECRET_ACCESS_KEY=$(yq '.backblaze_applicationKey' secrets.yaml)" >> "$GITHUB_ENV"
|