From a0f08c2f69ed0b5fd5015c7b9e8361ecc25c393f Mon Sep 17 00:00:00 2001
From: Max Ghenis <mghenis@gmail.com>
Date: Wed, 13 May 2026 09:25:46 -0400
Subject: [PATCH] Skip Terraform apply when infra is unchanged

---
 .github/workflows/deploy.yml | 30 +++++++++++++++++++++++++++++-
 changelog.d/363.fixed.md     |  1 +
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/363.fixed.md

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 28d4f40..b0ba879 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -152,23 +152,50 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Check Terraform changes
+        id: terraform-changes
+        run: |
+          if [[ "${{ github.event_name }}" != "push" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          BEFORE_SHA="${{ github.event.before }}"
+          if [[ "$BEFORE_SHA" =~ ^0+$ ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if git diff --quiet "$BEFORE_SHA" "${{ github.sha }}" -- terraform; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            echo "No Terraform changes detected; skipping Terraform apply."
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Authenticate to Google Cloud
+        if: steps.terraform-changes.outputs.changed == 'true'
         uses: google-github-actions/auth@v3
         with:
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
       - name: Setup Terraform
+        if: steps.terraform-changes.outputs.changed == 'true'
         uses: hashicorp/setup-terraform@v4
         with:
-          terraform_version: 1.6.0
+          terraform_version: 1.15.3
 
       - name: Terraform init
+        if: steps.terraform-changes.outputs.changed == 'true'
         working-directory: ./terraform
         run: terraform init -input=false
 
       - name: Terraform plan
+        if: steps.terraform-changes.outputs.changed == 'true'
         working-directory: ./terraform
         env:
           TF_VAR_supabase_url: ${{ secrets.SUPABASE_URL }}
@@ -183,6 +210,7 @@ jobs:
         run: terraform plan -out=tfplan -input=false
 
       - name: Terraform apply
+        if: steps.terraform-changes.outputs.changed == 'true'
         working-directory: ./terraform
         run: terraform apply -input=false tfplan
 
diff --git a/changelog.d/363.fixed.md b/changelog.d/363.fixed.md
new file mode 100644
index 0000000..407fd53
--- /dev/null
+++ b/changelog.d/363.fixed.md
@@ -0,0 +1 @@
+Skip Terraform apply during runtime-only deploys so unchanged infrastructure does not block API releases.