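---
# Reusable OpenTofu workflow (called via `workflow_call` from a repository
# workflow). Three jobs: pre-commit checks on every run, a plan that is posted
# as a PR comment on pull_request events, and an apply on pushes to main.
name: OpenTofu

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      environment:
        # GitHub deployment environment that gates the apply job.
        description: Environment for apply job
        type: string
        default: production
      runs-on:
        # Runner label used by all three jobs.
        description: Runner label
        type: string
        default: arc-tf
      setup-ssh:
        # When true, SSH_PRIVATE_KEY / SSH_KNOWN_HOSTS are installed before
        # tofu runs (presumably for git-over-SSH module sources — confirm).
        description: Whether to setup SSH keys
        type: boolean
        default: false
    secrets:
      # Age private key; exported as SOPS_AGE_KEY in every job, so every step
      # (including the remotely fetched pre-commit hooks) can read it.
      SOPS_AGE_KEY:
        required: true
      # Only consumed when setup-ssh is true.
      SSH_PRIVATE_KEY:
        required: false
      SSH_KNOWN_HOSTS:
        required: false

# Default GITHUB_TOKEN scope for every job. Only the plan job posts PR
# comments, so it declares the wider scope itself (job-level permissions
# replace these rather than merging with them).
permissions:
  contents: read

jobs:
  test:
    name: Pre-commit Tests
    runs-on: ${{ inputs.runs-on }}
    env:
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
    steps:
      # NOTE(review): third-party actions are pinned to mutable tags (@v4, @v2,
      # @v1.0.0). Pinning to a full commit SHA (`uses: owner/action@<full-sha>  # vX`)
      # resists tag retargeting; the same applies in the plan and apply jobs.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history; presumably needed by one of the pre-commit hooks — confirm.
          fetch-depth: 0
      - name: Install SSH key
        if: ${{ inputs.setup-ssh }}
        uses: shimataro/ssh-key-action@v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
      - name: Fetch canonical pre-commit config
        # The hook list is downloaded from the `main` branch of another
        # repository at run time, so whoever can write to that branch decides
        # what executes here, with SOPS_AGE_KEY in the environment. Prefer a
        # tag or commit in the URL (left on `main` here to keep current
        # behaviour). `-f` makes curl fail on HTTP errors instead of saving an
        # error page as .pre-commit-config.yaml.
        run: |
          curl -fsSL -o .pre-commit-config.yaml \
            https://raw.githubusercontent.com/makeitworkcloud/images/main/tfroot-runner/pre-commit-config.yaml
      - name: Initialize OpenTofu
        # -backend=false skips backend initialization, so no state credentials
        # are required in this job.
        run: tofu init -backend=false
      - name: Run tests
        # The no-commit-to-branch hook is skipped because CI legitimately runs
        # against main and PR merge refs.
        run: SKIP=no-commit-to-branch pre-commit run -a

  plan:
    name: OpenTofu Plan
    runs-on: ${{ inputs.runs-on }}
    if: github.event_name == 'pull_request'
    needs: [test]
    # Only this job writes PR comments, so only this job gets the write scope.
    permissions:
      contents: read
      pull-requests: write
    env:
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install SSH key
        if: ${{ inputs.setup-ssh }}
        uses: shimataro/ssh-key-action@v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
      - name: OpenTofu Plan
        id: plan
        # Produces plan-filtered.txt for the PR comment. Expects `make plan` to
        # write plan-output.txt (the Makefile is not part of this file).
        # NOTE(review): `|| true` means a failing plan never fails this job; the
        # PR only shows "No plan output found" while the check stays green. If
        # the Makefile does not rely on a non-zero exit code (e.g.
        # -detailed-exitcode), capture `$?` here and fail in a final step after
        # the comment has been posted.
        run: |
          make plan || true
          # Keep everything from the action summary onward.
          sed -n '/OpenTofu will perform the following actions:/,$p' plan-output.txt > plan-filtered.txt
          if [ ! -s plan-filtered.txt ]; then
            grep -A 2 "No changes" plan-output.txt > plan-filtered.txt || echo "No plan output found" > plan-filtered.txt
          fi
          # Keep only the last 1000 lines (presumably to stay under the PR
          # comment size limit); the head of a very long plan is dropped.
          tail -n 1000 plan-filtered.txt > plan-filtered-truncated.txt
          mv plan-filtered-truncated.txt plan-filtered.txt
      - name: prepare-comment
        # The HTML marker is what the comment step matches on below.
        run: |
          {
            echo '<!-- opentofu-plan -->'
            echo '#### OpenTofu Plan'
            echo '```'
            cat plan-filtered.txt
            echo '```'
          } > comment-body.md
      - name: comment
        # Looks for an existing comment containing the marker and replaces it,
        # so each push updates one comment instead of adding another.
        uses: johanwulf/replace-comment@v1.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: '<!-- opentofu-plan -->'
          body-path: comment-body.md

  apply:
    name: OpenTofu Apply
    runs-on: ${{ inputs.runs-on }}
    # Only pushes to main apply. Any approval/secret gating comes from the
    # deployment environment configured on the repository side.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [test]
    environment: ${{ inputs.environment }}
    env:
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install SSH key
        if: ${{ inputs.setup-ssh }}
        uses: shimataro/ssh-key-action@v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
      - name: OpenTofu Apply
        # No plan artifact is passed from the plan job (different event), so
        # what gets applied is whatever `make apply` computes now, not
        # necessarily the plan shown on the PR.
        run: make apply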