Skip to content

Allow mage-os-ci user to push to remote bypassing branch protections #127

Allow mage-os-ci user to push to remote bypassing branch protections

Allow mage-os-ci user to push to remote bypassing branch protections #127

name: "Terraform plan"
concurrency: terraform-ci
on:
issue_comment:
types: [created]
jobs:
terraform-plan:
name: "Terraform plan"
# This conditional acts as an access control list to prevent exposing
# secrets to untrusted pull requests.
if: |
github.event.issue.pull_request &&
github.event.comment.body == '/plan' &&
(
github.event.comment.user.login == 'Vinai' ||
github.event.comment.user.login == 'sprankhub'
)
runs-on: ubuntu-latest
env:
# Google Cloud Storage state backend
GOOGLE_APPLICATION_CREDENTIALS_DATA: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_DATA }}
GOOGLE_APPLICATION_CREDENTIALS: '/tmp/tf-google-application-credentials.json'
# GitHub provider
TF_VAR_app_node_id: ${{ secrets.TF_VAR_APP_NODE_ID }}
TF_VAR_github_app_id: ${{ secrets.GH_APP_ID }}
TF_VAR_github_app_installation_id: ${{ secrets.GH_APP_INSTALLATION_ID }}
TF_VAR_github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
steps:
- name: Write GCS credentials
run: echo $GOOGLE_APPLICATION_CREDENTIALS_DATA > $GOOGLE_APPLICATION_CREDENTIALS
- name: Get pull request ref
id: ref
uses: actions/github-script@v7
with:
result-encoding: string
script: |
const { number } = context.issue;
return `refs/pull/${context.issue.number}/merge`;
- uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: "@${{ github.actor }} Starting Terraform plan ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
})
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ steps.ref.outputs.result }}
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform init
id: init
run: terraform init
- name: Terraform plan
id: plan
run: terraform plan -no-color
continue-on-error: true
- uses: actions/github-script@v7
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Plan \`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
Issuer: @${{ github.actor }}, Action: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform plan status
if: steps.plan.outcome == 'failure'
run: exit 1