gruntwork-io · Resonance1584 · Sep 11, 2025 · Sep 11, 2025 · Sep 11, 2025 · Sep 11, 2025
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
@@ -0,0 +1,166 @@
+name: Pipelines
+run-name: Commit Locks
+on:
+  workflow_call:
+    inputs:
+      # This field can be overriden to customize the runner used for pipelines
+      # workflows.
+      #
+      # IMPORTANT: To use self-hosted runners this workflow must be hosted in
+      # the same GitHub organization as your infra-live repository.
+      # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners
+      #
+      # The value must be an escaped JSON string that will be decoded to the
+      # jobs.runs-on field
+      # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
+      #
+      # For example:
+      # - A simple github runner: "\"ubuntu-22.04\""
+      # - A list of labels: "[\"self-hosted\", \"linux\"]"
+      # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}"
+      runner:
+        type: string
+        default: '"ubuntu-latest"'
+      api_base_url:
+        type: string
+        default: "https://api.prod.app.gruntwork.io/api/v1"
+      pipelines_binary_url:
+        type: string
+        default: ""
+        description: "Override where we fetch pipelines from, used for internal testing"
+      pipelines_cli_version:
+        type: string
+        default: "v0.40.0-rc22"
+        description: "For Gruntwork internal testing - the version of the pipelines CLI to use"
+      pipelines_actions_ref:
+        type: string
+        default: "main"
+        description: "For Gruntwork internal testing - the ref of the pipelines actions to use"
+      pipelines_credentials_ref:
+        type: string
+        default: "v1"
+        description: "For Gruntwork internal testing - the ref of the pipelines credentials to use"
+
+    secrets:
+      PIPELINES_READ_TOKEN:
+        required: false
+      PR_CREATE_TOKEN:
+        required: false
+env:
+  PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }}
+  PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }}
+  PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }}
+  BOILERPLATE_VERSION: v0.5.16
+  GRUNTWORK_INSTALLER_VERSION: v0.0.40
+
+jobs:
+  pipelines_commit_locks:
+    name: Pipelines Commit Locks
+    runs-on: ${{ fromJSON(inputs.runner) }}
+    steps:
+      - name: Record workflow env vars
+        env:
+          PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }}
+        run: |
+          time_now=$(date -u +"%s")
+          echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV
+          echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV
+      - name: Checkout Pipelines Credentials
+        uses: actions/checkout@v4
+        with:
+          path: pipelines-credentials
+          repository: gruntwork-io/pipelines-credentials
+          ref: ${{ env.PIPELINES_CREDENTIALS_REF }}
+
+      - name: Fetch Gruntwork Read Token
+        id: pipelines-gruntwork-read-token
+        uses: ./pipelines-credentials
+        with:
+          PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Org Read Token
+        id: pipelines-customer-org-read-token
+        uses: ./pipelines-credentials
+        with:
+          PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Create PR Token
+        id: pipelines-propose-infra-change-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Checkout Pipelines Actions
+        uses: actions/checkout@v4
+        with:
+          path: pipelines-actions
+          repository: gruntwork-io/pipelines-actions
+          ref: ${{ env.PIPELINES_ACTIONS_REF }}
+          token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Check out repo code
+        uses: actions/checkout@v4
+        with:
+          path: infra-live-repo
+          fetch-depth: 0
+          token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Install Mise
+        id: mise-toml
+        uses: jdx/mise-action@v2
+        with:
+          install: true
+          cache: true
+          version: 2024.10.8
+          working_directory: "./infra-live-repo"
+
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
+        with:
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Configure code auth
+        uses: ./pipelines-actions/.github/actions/pipelines-code-auth
+        with:
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Create Locks
+        id: create-locks
+        working-directory: ./infra-live-repo
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+          TG_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10"
+          COMMAND: "run --all --provider-cache --queue-exclude-dir=. --queue-ignore-errors -- providers lock -platform=linux_amd64"
+        run: |
+          pipelines execute terragrunt \
+            --command "$COMMAND" \
+            --infra-live-repo "." \
+            --working-directory "." \
+            --infra-live-repo-branch "$GITHUB_REF_NAME"
+
+      - name: Commit Locks
+        id: commit-locks
+        working-directory: ./infra-live-repo
+        env:
+          GH_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+          AUTHOR_NAME: ${{ github.actor }}
+          AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
+          ACTION_PATH: ${{ github.action_path }}
+        run: |
+          # FIXME: Plumb through a filter to only commit .terraform.lock.hcl
+          pipelines scm propose-infra-change \
+              --working-directory "$WORKING_DIRECTORY" \
+              --change-request-branch-name "pipelines-update-locks" \
+              --commit-message "Terraform Lock File Update" \
+              --title "Terraform Lock File Update" \
+              --author-name "$AUTHOR_NAME" \
+              --author-email "$AUTHOR_EMAIL"