Apply

sync@28310689000 #500

Workflow file for this run

	name: Apply

	on:
	push:
	branches:
	- master # we want this to be executed on the default branch only
	workflow_dispatch:

	jobs:
	prepare:
	if: github.event.repository.is_template == false
	permissions:
	contents: read
	issues: read
	pull-requests: read
	name: Prepare
	runs-on: ubuntu-latest
	environment: read
	outputs:
	workspaces: ${{ steps.workspaces.outputs.this }}
	sha: ${{ steps.sha.outputs.result }}
	defaults:
	run:
	shell: bash
	steps:
	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Discover workspaces
	id: workspaces
	run: echo "this=$(ls github \| jq --raw-input '[.[0:-4]]' \| jq -sc add)" >> $GITHUB_OUTPUT
	- name: Install pnpm
	uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
	with:
	version: 10
	- name: Use Node.js lts/*
	uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
	with:
	node-version: lts/*
	cache: ''
	- run: pnpm install --frozen-lockfile && pnpm run build
	working-directory: scripts
	- name: Find sha for plan
	id: sha
	env:
	GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
	GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] \|\| secrets.RO_GITHUB_APP_INSTALLATION_ID }}
	GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
	run: node lib/actions/find-sha-for-plan.js
	working-directory: scripts
	apply:
	needs: [prepare]
	if: needs.prepare.outputs.sha != '' && needs.prepare.outputs.workspaces != ''
	permissions:
	actions: read
	contents: read
	strategy:
	fail-fast: false
	matrix:
	workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
	name: Apply
	runs-on: ubuntu-latest
	environment: write
	env:
	TF_IN_AUTOMATION: 1
	TF_INPUT: 0
	TF_WORKSPACE: ${{ matrix.workspace }}
	AWS_ACCESS_KEY_ID: ${{ secrets.RW_AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.RW_AWS_SECRET_ACCESS_KEY }}
	GITHUB_APP_ID: ${{ secrets.RW_GITHUB_APP_ID }}
	GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] \|\| secrets.RW_GITHUB_APP_INSTALLATION_ID }}
	GITHUB_APP_PEM_FILE: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
	TF_VAR_write_delay_ms: 300
	defaults:
	run:
	shell: bash
	working-directory: terraform
	steps:
	- name: Checkout
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Setup terraform
	uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
	with:
	terraform_version: 1.12.0
	terraform_wrapper: false
	- name: Initialize terraform
	run: terraform init
	- name: Download reviewed terraform plan
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SHA: ${{ needs.prepare.outputs.sha }}
	run: gh run download -n "${TF_WORKSPACE}_${SHA}.tfplan" --repo "${GITHUB_REPOSITORY}"
	- name: Replan merged commit
	run: \|
	terraform show -json > $TF_WORKSPACE.tfstate.json
	terraform plan -refresh=false -lock=false -out="${TF_WORKSPACE}.merged.tfplan" -no-color
	- name: Compare reviewed and merged plans
	run: \|
	terraform show -no-color "${TF_WORKSPACE}.tfplan" > "${TF_WORKSPACE}.reviewed.txt"
	terraform show -no-color "${TF_WORKSPACE}.merged.tfplan" > "${TF_WORKSPACE}.merged.txt"
	diff -u "${TF_WORKSPACE}.reviewed.txt" "${TF_WORKSPACE}.merged.txt"
	- name: Terraform Apply
	run: \|
	terraform apply -lock-timeout=0s -no-color "${TF_WORKSPACE}.merged.tfplan"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

sync@28310689000 #500

Workflow file

sync@28310689000 #500

Uh oh!

Workflow file for this run