Merged Workflows (#777)

Co-authored-by: Benbentwo <14911525+Benbentwo@users.noreply.github.com>
Co-authored-by: Cloud Posse Bot (CI/CD) <bot@cloudposse.com>
Co-authored-by: milldr <14060048+milldr@users.noreply.github.com>

Author: 3 people

examples/snippets/.github/workflows/atmos-components-updater.yml

@@ -9,7 +9,9 @@ on:
 jobs:
   update:
     environment: atmos
-    runs-on: ["self-hosted", "default"]
+    runs-on:
+      - self-hosted
+      - terraform
     steps:
       - name: "Checkout source code at current commit"
         uses: actions/checkout@v4

examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml

@@ -1,23 +1,64 @@
-name: Atmos Pro Terraform Apply
+name: 👽 Atmos Pro Terraform Apply
+run-name: apply ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}}
 
 on:
-  workflow_call:
+  workflow_dispatch:
     inputs:
+      atmos_pro_run_id:
+        description: "Atmos Pro Run ID"
+        type: string
+      sha:
+        description: "Commit SHA"
+        type: string
+      component:
+        description: "Component"
+        required: true
+        type: string
       stack:
+        description: "Stack"
         required: true
         type: string
-      component:
+      github_environment:
+        description: "GitHub Environment"
         required: true
         type: string
 
+# Avoid running the same stack in parallel mode (from different workflows)
+# This applied to across workflows to both plan and apply
+concurrency:
+  group: "${{ inputs.stack }}-${{ inputs.component }}"
+  cancel-in-progress: false
+
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 jobs:
-  apply:
-    runs-on: ubuntu-latest
+  atmos-apply:
+    name: ${{ inputs.component }}-${{ inputs.stack }}
+
+    # The GitHub environment is defined in Atmos Pro settings.
+    # Typically this is <tenant>-<stage>
+    environment: ${{ inputs.github_environment }}
+
+    runs-on:
+      - "runs-on=${{ github.run_id }}"
+      - "runner=terraform"
+      - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+      - "private=false"
+
     steps:
-      - name: Terraform Apply
-        uses: cloudposse/github-action-atmos-pro-terraform-apply@main
+      - uses: runs-on/action@v1
+      - uses: unfor19/install-aws-cli-action@v1
+
+      - name: Apply Atmos Component
+        uses: cloudposse/github-action-atmos-terraform-apply@v4
         with:
-          workspace-id: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
-          api-key: ${{ secrets.ATMOS_PRO_API_KEY }}
+          # Atmos Pro args
+          component: ${{ inputs.component }}
           stack: ${{ inputs.stack }}
-          component: ${{ inputs.component }}
+          sha: ${{ inputs.sha }}
+          # Atmos required configuration
+          atmos-version: ${{ vars.ATMOS_VERSION }}
+          atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}
+

examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml

@@ -1,23 +1,56 @@
-name: Atmos Pro Terraform Plan
+name: 👽 Atmos Pro Terraform Plan
+run-name: plan ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}}
 
 on:
-  workflow_call:
+  workflow_dispatch:
     inputs:
-      stack:
-        required: true
+      atmos_pro_run_id:
+        description: "Atmos Pro Run ID"
+        type: string
+      sha:
+        description: "Commit SHA"
         type: string
       component:
+        description: "Component"
+        required: true
+        type: string
+      stack:
+        description: "Stack"
         required: true
         type: string
 
+# Avoid running the same stack in parallel mode (from different workflows)
+# This applied to across workflows to both plan and apply
+concurrency:
+  group: "${{ inputs.stack }}-${{ inputs.component }}"
+  cancel-in-progress: false
+
+permissions:
+  id-token: write # This is required for requesting the JWT (OIDC) token
+  contents: read # This is required for actions/checkout
+
 jobs:
-  plan:
-    runs-on: ubuntu-latest
+  atmos-plan:
+    name: ${{ inputs.component }}-${{ inputs.stack }}
+
+    runs-on:
+      - "runs-on=${{ github.run_id }}"
+      - "runner=terraform"
+      - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+      - "private=false"
+
     steps:
-      - name: Terraform Plan
-        uses: cloudposse/github-action-atmos-pro-terraform-plan@main
+      - uses: runs-on/action@v1
+      - uses: unfor19/install-aws-cli-action@v1
+
+      - name: Plan Atmos Component
+        uses: cloudposse/github-action-atmos-terraform-plan@v5
         with:
-          workspace-id: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
-          api-key: ${{ secrets.ATMOS_PRO_API_KEY }}
+          # Atmos Pro args
+          component: ${{ inputs.component }}
           stack: ${{ inputs.stack }}
-          component: ${{ inputs.component }} 
+          sha: ${{ inputs.sha }}
+          # Atmos required configuration
+          atmos-version: ${{ vars.ATMOS_VERSION }}
+          atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}
+

examples/snippets/.github/workflows/atmos-pro.yaml

@@ -1,16 +1,83 @@
-name: Atmos Pro
+name: 👽 Atmos Pro Determine Affected Stacks
+run-name: 👽 Atmos Pro Determine Affected Stacks
 
+# Atmos Pro reacts to events defined in the Atmos stack settings
+# and will trigger the appropriate workflows for the given event.
+#
+# For example, pull requests opened, synchronize, and reopened will trigger plan workflows.
+# Whereas pull requests merged will trigger apply workflows
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
-  workflow_dispatch:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - closed
+    branches:
+      - main
+
+# Avoid conflicting workflow triggers.
+# For example, wait to trigger apply until plan has been triggered
+concurrency:
+  group: "${{ github.ref }}"
+  cancel-in-progress: false
+
+permissions:
+  id-token: write # This is required for requesting the JWT (OIDC) token
+  contents: read # This is required for actions/checkout
 
 jobs:
-  describe-affected:
-    runs-on: ubuntu-latest
+  affected:
+    name: Trigger Affected Stacks
+
+    runs-on:
+      - "runs-on=${{ github.run_id }}"
+      - "runner=small"
+      - "tag=affected-stacks"
+      - "private=false"
+
+    # Trigger Atmos Pro for Pull Request plan events and specifically closed PRs that have been merged (not just closed)
+    if: github.event.action != 'closed' || (github.event.action == 'closed' && github.event.pull_request.merged == true)
+
     steps:
-      - name: Describe Affected
-        uses: cloudposse/github-action-atmos-pro-describe-affected@main
+      - uses: runs-on/action@v1
+      - name: Checkout
+        # For merged PRs, we will need to checkout the base branch to get the correct base branch SHA.
+        # This isn't necessary for other events.
+        if: github.event.action == 'closed'
+        uses: actions/checkout@v4
         with:
-          workspace-id: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
-          api-key: ${{ secrets.ATMOS_PRO_API_KEY }} 
+          fetch-depth: 0 # Fetch all history for all branches and tags
+
+      # For merged PRs, we want to use 1 previous commit from the base branch SHA
+      # This is because by the time this workflow runs, the PR branch has already been merged.
+      # It's critical to use the base branch SHA to get the correct changes, not the previous commit from the PR branch.
+      - name: Determine previous commit on base branch
+        id: get_parent
+        if: github.event.action == 'closed'
+        shell: bash
+        run: |
+          # For squash merges, github.event.pull_request.base.sha represents the state of the base branch
+          # when the PR was created (or last updated). This may be stale compared to the actual commit
+          # on the main branch at the time of the merge. Using 'HEAD~1' after the merge ensures we get
+          # the commit that was the tip of main immediately before the squash merge commit was added.
+          echo "Merge commit: $(git rev-parse HEAD)"
+          PARENT=$(git rev-parse HEAD~1)
+          echo "Parent (base) commit: $PARENT"
+          echo "merge_commit=$MERGE_COMMIT" >> "$GITHUB_OUTPUT"
+          echo "parent_commit=$PARENT" >> "$GITHUB_OUTPUT"
+
+      - name: Determine Affected Stacks
+        id: affected
+        uses: cloudposse/github-action-atmos-affected-stacks@v6
+        env:
+          ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }}
+        with:
+          atmos-version: ${{ vars.ATMOS_VERSION }}
+          atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}
+          atmos-pro-upload: true
+          # Compare the head of the PR to the base of the PR if the PR is not merged.
+          # If the PR is merged, compare the head of the PR to 1 previous commit on the base branch.
+          head-ref: ${{ github.event.pull_request.head.sha }}
+          base-ref: ${{ github.event.action == 'closed' && steps.get_parent.outputs.parent_commit || github.event.pull_request.base.sha }}
+

examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml

@@ -31,7 +31,9 @@ jobs:
   atmos-apply:
     if: ${{ inputs.stacks != '{include:[]}' }}
     name: ${{ matrix.stack_slug }}
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     strategy:
       max-parallel: 10
       fail-fast: false # Don't fail fast to avoid locking TF State

examples/snippets/.github/workflows/atmos-terraform-apply.yaml

@@ -34,7 +34,9 @@ jobs:
     name: Determine Affected Stacks
     if: needs.pr.outputs.no-apply == 'false'
     needs: ["pr"]
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     steps:
       - id: affected
         uses: cloudposse/github-action-atmos-affected-stacks@v4

examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml

@@ -28,7 +28,9 @@ permissions:
 
 jobs:
   dispatch-id:
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     steps:
       - name: echo Distinct ID ${{ github.event.inputs.distinct_id }}
         run: echo ${{ github.event.inputs.distinct_id }}

examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml

@@ -17,7 +17,9 @@ permissions:
 jobs:
   select-components:
     name: Select Components
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     steps:
       - name: Selected Components
         id: components
@@ -52,7 +54,7 @@ jobs:
     needs: ["plan-atmos-components"]
     if: always()
     name: Reconcile issues
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: ['self-hosted', 'terraform']
     steps:
       - name: Drift Detection
         uses: cloudposse/github-action-atmos-terraform-drift-detection@v2

examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml

@@ -16,7 +16,9 @@ jobs:
   remediate-drift:
     if: github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'apply')
     name: Remediate Drift
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     steps:
       - uses: unfor19/install-aws-cli-action@v1
       - name: Remediate Drift
@@ -35,7 +37,7 @@ jobs:
       ) &&
       !contains(github.event.issue.labels.*.name, 'remediated')
     name: Discard Drift
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: ['self-hosted', 'terraform']
     steps:
       - name: Discard Drift
         uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2

examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml

@@ -41,7 +41,9 @@ jobs:
   atmos-plan:
     if: ${{ inputs.stacks != '{include:[]}' }}
     name: ${{ matrix.stack_slug }}
-    runs-on: ["self-hosted", "terraform"]
+    runs-on: 
+      - self-hosted
+      - terraform
     continue-on-error: ${{ inputs.continue-on-error == 'true' }}
     strategy:
       max-parallel: 10