pez-infra/.github/workflows/deploy-on-merge.yml
Rasmus Wejlgaard ebe8540ec8 ci: serialize infra runs and enable terraform state locking
Add concurrency guards to the terraform and deploy-on-merge workflows so
two merges in quick succession can't run against the same state or the
same hosts at once (queue, never cancel an in-flight run).

Enable native S3 state locking (use_lockfile) on the Backblaze B2 backend,
which needs OpenTofu 1.10+, so bump the CI tofu version 1.9.0 -> 1.10.10
and the required_version constraint to >= 1.10.0.
2026-06-02 19:29:54 +01:00


name: Deploy (on merge)
on:
  push:
    branches:
      - main
    paths-ignore:
      - "terraform/**"
# Serialize fleet deploys so two quick merges can't run Ansible against the
# same hosts at once. Don't cancel an in-flight deploy mid-run — queue it.
concurrency:
  group: deploy-on-merge
  cancel-in-progress: false
jobs:
  discover:
    name: Discover hosts
    runs-on: ubuntu-latest
    outputs:
      hosts: ${{ steps.discover.outputs.hosts }}
    steps:
      - uses: actions/checkout@v6
      - name: Read hosts from inventory
        id: discover
        run: |
          HOSTS=$(grep 'ansible_host=' ansible/inventory/hosts.ini | awk '{print $1}' | jq -R . | jq -cs .)
          echo "hosts=$HOSTS" >> "$GITHUB_OUTPUT"
  deploy:
    needs: discover
    strategy:
      matrix:
        host: ${{ fromJson(needs.discover.outputs.hosts) }}
      fail-fast: false
    permissions:
      id-token: write
    uses: ./.github/workflows/_deploy-core.yml
    with:
      host: ${{ matrix.host }}
      playbook: deploy.yml
      dry_run: false
    secrets: inherit
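The discover job above derives the deploy matrix from the first column of every inventory line containing `ansible_host=`. The following is an added example, not code from pez-infra: it mirrors that grep/awk/jq pipeline in Python against a constructed inventory, but skips comment lines (which the bare grep would also match, yielding `#` as a host) and refuses any name that is not a plain hostname before it can become a matrix value handed to the reusable workflow. The inventory contents, `HOST_RE` and the function names are assumptions.

```python
import json
import re

# Constructed sample inventory; not the repository's real ansible/inventory/hosts.ini.
SAMPLE_INVENTORY = """\
[web]
web1.example.internal ansible_host=10.0.1.10 ansible_user=deploy
web2.example.internal ansible_host=10.0.1.11 ansible_user=deploy

[db]
db1.example.internal ansible_host=10.0.2.10
# retired: db2.example.internal ansible_host=10.0.2.11

[all:vars]
ansible_python_interpreter=/usr/bin/python3
"""

# Conservative hostname shape (assumed policy): dot-separated labels of
# [A-Za-z0-9-], no leading/trailing hyphen. Shell metacharacters, spaces and
# ${{ }} expression syntax all fail this check.
HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def discover_hosts(inventory_text: str) -> list[str]:
    """Same selection as grep 'ansible_host=' | awk '{print $1}', with two
    additions: comment/blank/section lines are skipped and each name is
    validated before it is accepted as a matrix entry."""
    hosts = []
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # the plain grep would match a commented-out host line
        if "ansible_host=" not in line:
            continue  # same filter as the grep
        name = line.split()[0]  # same as awk '{print $1}'
        if not HOST_RE.match(name):
            raise ValueError(f"refusing suspicious inventory host name: {name!r}")
        hosts.append(name)
    return hosts


def hosts_output(inventory_text: str) -> str:
    """Compact JSON array, as jq -R . | jq -cs . writes it to $GITHUB_OUTPUT."""
    return json.dumps(discover_hosts(inventory_text), separators=(",", ":"))


if __name__ == "__main__":
    print(f"hosts={hosts_output(SAMPLE_INVENTORY)}")
```

Running the module prints the `hosts=[...]` line in the same shape the workflow appends to `$GITHUB_OUTPUT`, so the output can be compared directly against what the real job emits.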