diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml new file mode 100644 index 0000000..9a53657 --- /dev/null +++ b/.github/workflows/pipelines-commit-locks.yml 
@@ -0,0 +1,166 @@ +name: Pipelines +run-name: Commit Locks +on: + workflow_call: + inputs: + # This field can be overriden to customize the runner used for pipelines + # workflows. + # + # IMPORTANT: To use self-hosted runners this workflow must be hosted in + # the same GitHub organization as your infra-live repository. + # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners + # + # The value must be an escaped JSON string that will be decoded to the + # jobs.runs-on field + # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on + # + # For example: + # - A simple github runner: "\"ubuntu-22.04\"" + # - A list of labels: "[\"self-hosted\", \"linux\"]" + # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}" + runner: + type: string + default: '"ubuntu-latest"' + api_base_url: + type: string + default: "https://api.prod.app.gruntwork.io/api/v1" + pipelines_binary_url: + type: string + default: "" + description: "Override where we fetch pipelines from, used for internal testing" + pipelines_cli_version: + type: string + default: "v0.40.0-rc22" + description: "For Gruntwork internal testing - the version of the pipelines CLI to use" + pipelines_actions_ref: + type: string + default: "main" + description: "For Gruntwork internal testing - the ref of the pipelines actions to use" + pipelines_credentials_ref: + type: string + default: "v1" + description: "For Gruntwork internal testing - the ref of the pipelines credentials to use" + + secrets: + PIPELINES_READ_TOKEN: + required: false + PR_CREATE_TOKEN: + required: false +env: + PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} + PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }} + PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }} + BOILERPLATE_VERSION: v0.5.16 + GRUNTWORK_INSTALLER_VERSION: v0.0.40 + +jobs: + pipelines_commit_locks: + name: Pipelines Commit Locks + 
runs-on: ${{ fromJSON(inputs.runner) }} + steps: + - name: Record workflow env vars + env: + PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }} + run: | + time_now=$(date -u +"%s") + echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV + echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: ./pipelines-credentials + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: ./pipelines-credentials + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Create PR Token + id: pipelines-propose-infra-change-token + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Checkout Pipelines Actions + uses: actions/checkout@v4 + with: + path: pipelines-actions + repository: gruntwork-io/pipelines-actions + ref: ${{ env.PIPELINES_ACTIONS_REF }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + + - name: Check out repo code + uses: actions/checkout@v4 + with: + path: infra-live-repo + fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + + - name: Install Mise + id: mise-toml + uses: jdx/mise-action@v2 + with: + install: true + cache: true + version: 2024.10.8 + working_directory: "./infra-live-repo" + + - name: 
Install Pipelines CLI + uses: ./pipelines-actions/.github/actions/pipelines-install + with: + version: ${{ env.PIPELINES_CLI_VERSION }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + + - name: Configure code auth + uses: ./pipelines-actions/.github/actions/pipelines-code-auth + with: + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + + - name: Create Locks + id: create-locks + working-directory: ./infra-live-repo + continue-on-error: true + env: + GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + TG_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10" + COMMAND: "run --all --provider-cache --queue-exclude-dir=. --queue-ignore-errors -- providers lock -platform=linux_amd64" + run: | + pipelines execute terragrunt \ + --command "$COMMAND" \ + --infra-live-repo "." \ + --working-directory "." \ + --infra-live-repo-branch "$GITHUB_REF_NAME" + + - name: Commit Locks + id: commit-locks + working-directory: ./infra-live-repo + env: + GH_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + AUTHOR_NAME: ${{ github.actor }} + AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com + ACTION_PATH: ${{ github.action_path }} + run: | + # FIXME: Plumb through a filter to only commit .terraform.lock.hcl + pipelines scm propose-infra-change \ + --working-directory "$WORKING_DIRECTORY" \ + --change-request-branch-name "pipelines-update-locks" \ + --commit-message "Terraform Lock File Update" \ + --title "Terraform Lock File Update" \ + --author-name "$AUTHOR_NAME" \ + --author-email "$AUTHOR_EMAIL" \ No newline at end of file
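Review bot: The Fetch Create PR Token step falls back to `secrets.INFRA_ROOT_WRITE_TOKEN`, which this reusable workflow never declares in its `secrets:` block, so unless the caller passes `secrets: inherit` the fallback resolves to an empty string, while the declared `PR_CREATE_TOKEN` is never read; the intended line is presumably `FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }}`. The same step uses `gruntwork-io/pipelines-credentials@v1` rather than the checked-out `./pipelines-credentials`, so the `pipelines_credentials_ref` input does not govern the one credential fetch that yields a write-scoped token; `uses: ./pipelines-credentials` would keep all three fetches on the same ref. In the Commit Locks step, `$WORKING_DIRECTORY` is not defined in that step's `env`, so `--working-directory` receives an empty value; add `WORKING_DIRECTORY: .` to the env block or pass `--working-directory "."` as the Create Locks step already does. Because Create Locks sets `continue-on-error: true`, the commit step will also propose whatever partial lock-file changes a failed run left behind, so gating it with `if: steps.create-locks.outcome == 'success'` would avoid opening a PR with incomplete locks.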