Skip to content

update: lock

update: lock #214

Workflow file for this run

name: "Terraform"
on:
push:
branches:
- 'main'
pull_request:
branches:
- 'main'
workflow_dispatch:
concurrency: push-to-main
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
jobs:
plan:
runs-on: ubuntu-latest
outputs:
diff: ${{ steps.plan.outputs.diff }}
steps:
- name: Checkout
uses: actions/checkout@main
- name: Install nix
uses: cachix/install-nix-action@master
with:
nix_path: nixpkgs=channel:nixos-unstable
extra_nix_config: |
experimental-features = nix-command flakes
- name: Setup cachix
uses: cachix/cachix-action@master
with:
name: dora
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Cache terraform
uses: actions/cache@main
with:
path: terraform/.terraform/providers
key: ${{ runner.os }}-terraform-providers-${{ hashFiles('terraform/.terraform.lock.hcl') }}
- name: Terraform init
run: |
nix develop --command terraform-init
- name: Terraform plan
id: plan
run: |
set +e
nix develop --command terraform-wrapper plan -out="$PWD/terraform/terraform.plan" -detailed-exitcode
exit_code=$?
set -e
if [ "$exit_code" -eq 0 ]; then
# success, empty diff
echo "diff=false" >> $GITHUB_OUTPUT
elif [ "$exit_code" -eq 2 ]; then
# success, non-empty diff
echo "diff=true" >> $GITHUB_OUTPUT
else
exit "$exit_code"
fi
- name: Encrypt plan
if: steps.plan.outputs.diff == 'true'
run: |
nix develop --command bash -c "sops --encrypt terraform/terraform.plan > secrets/terraform.plan"
- name: Upload plan
if: steps.plan.outputs.diff == 'true'
uses: actions/upload-artifact@main
with:
name: plan
path: secrets/terraform.plan
apply:
runs-on: ubuntu-latest
environment: infrastructure
needs: [ plan ]
if: |
needs.plan.outputs.diff == 'true' &&
github.ref == 'refs/heads/main'
steps:
- name: Checkout
uses: actions/checkout@main
- name: Install nix
uses: cachix/install-nix-action@master
with:
install_url: https://github.com/numtide/nix-unstable-installer/releases/latest/download/install
nix_path: nixpkgs=channel:nixos-unstable
extra_nix_config: |
experimental-features = nix-command flakes
- name: Setup cachix
uses: cachix/cachix-action@master
with:
name: dora
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Cache terraform
uses: actions/cache@main
with:
path: terraform/.terraform/providers
key: ${{ runner.os }}-terraform-providers-${{ hashFiles('terraform/.terraform.lock.hcl') }}
- name: Terraform init
run: |
nix develop --command terraform-init
- name: Download plan
uses: actions/download-artifact@main
with:
name: plan
path: secrets # secrets/terraform.plan
- name: Decrypt plan
run: |
nix develop --command sops --decrypt secrets/terraform.plan > terraform/terraform.plan
- name: Terraform apply
run: |
nix develop --command terraform-wrapper apply "$PWD/terraform/terraform.plan"
- name: Terraform update outputs
run: |
nix develop --command terraform-update-outputs
- name: Terraform extract secret and data
run: |
nix develop --command terraform-outputs-extract-secrets
nix develop --command terraform-outputs-extract-data
- name: Format
run: |
nix fmt
- name: Commit and push
run: |
if [ -z "$(git status --porcelain)" ]; then
echo "repository is clean, skip commit and push"
else
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
git add --all
git commit --message "Terraform apply"
git push
fi