abcxyz · dcreey · Apr 23, 2025
@@ -0,0 +1,178 @@
+# Copyright 2023 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Guardian apply is used to run the Terraform apply commands for a set of
+# directories after a pull request has been merged.
+name: 'guardian_apply'
+run-name: 'guardian_apply - [REF ${{ github.ref_name }}]'
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/config/'
+
+# only one apply should run at a time
+concurrency:
+  group: '${{ github.workflow }}'
+
+env:
+  GUARDIAN_VERSION: '2.0.9'
+  GUARDIAN_TERRAFORM_VERSION: '1.10.1'
+
+jobs:
+  init:
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      contents: 'read'
+      pull-requests: 'write'
+
+    outputs:
+      directories: '${{ steps.dirs.outputs.directories }}'
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
+        with:
+          fetch-depth: 2 # required to get diff between HEAD and HEAD-1
+
+      - name: 'Setup Guardian'
+        uses: 'abcxyz/actions/.github/actions/setup-binary@main' # ratchet:exclude
+        with:
+          download_url: 'https://github.com/abcxyz/guardian/releases/download/v${{ env.GUARDIAN_VERSION }}/guardian_${{ env.GUARDIAN_VERSION }}_linux_amd64.tar.gz'
+          install_path: '${{ runner.temp }}/.guardian'
+          binary_subpath: 'guardian'
+          cache_key: '${{ runner.os }}_${{ runner.arch }}_guardian_${{ env.GUARDIAN_VERSION }}'
+          add_to_path: true
+
+      - name: 'Guardian Directories'
+        id: 'dirs'
+        shell: 'bash'
+        env:
+          # used to create comments on pull requests (access to only this repo)
+          GUARDIAN_GITHUB_TOKEN: '${{ github.token }}'
+        run: |-
+          DIRECTORIES=$(guardian entrypoints -dir=".github/config/" -detect-changes -source-ref=HEAD~1 -dest-ref=HEAD)
+          echo "entrypoints -> ${DIRECTORIES}"
+          echo "directories=${DIRECTORIES}" >> "${GITHUB_OUTPUT}"
+
+  apply:
+    if: |
+      needs.init.outputs.directories != '[]'
+    needs:
+      - 'init'
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+      pull-requests: 'write'
+
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        working_directory: '${{ fromJSON(needs.init.outputs.directories) }}'
+
+    env:
+      DIRECTORY: '${{ matrix.working_directory }}'
+      GITHUB_JOB_NAME: '${{ github.job }} (${{ matrix.working_directory }})'
+
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
+
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
+        with:
+          create_credentials_file: false
+          export_environment_variables: false
+          workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
+          service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
+          token_format: 'id_token'
+          id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
+          id_token_include_email: true
+
+      - name: 'Mint Token'
+        id: 'mint-token'
+        uses: 'abcxyz/github-token-minter/.github/actions/minty@main' # ratchet:exclude
+        with:
+          id_token: '${{ steps.auth.outputs.id_token }}'
+          service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
+          requested_permissions: |-
+            {
+              "scope": "actions-repo-guardian",
+              "repositories": ["${{ github.event.repository.name }}"],
+              "permissions": {
+                "administration": "write",
+                "contents": "write",
+                "environments": "read",
+                "secrets": "write"
+              }
+            }
+
+      - name: 'Git Config'
+        run: |-
+          git config --global url."https://x-access-token:${{ steps.mint-token.outputs.token }}@github.com".insteadOf "https://github.com"
+
+      - name: 'Has guardian config'
+        id: 'has-guardian-config'
+        shell: 'bash'
+        run: |-
+          if [[ -f "./.github/config/guardian.yml" ]]; then
+            echo "has-config=true" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: 'Load Guardian Config'
+        uses: 'abcxyz/actions/.github/actions/load-workflow-variables@main' # ratchet:exclude
+        if: |
+          steps.has-guardian-config.outputs.has-config == 'true'
+        with:
+          working_directory: './${{ matrix.working_directory }}'
+          filepath: './.github/config/guardian.yml'
+          fail_on_missing: 'true'
+
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
+        with:
+          workload_identity_provider: '${{ env.GUARDIAN_WIF_PROVIDER }}'
+          service_account: '${{ env.GUARDIAN_WIF_SERVICE_ACCOUNT }}'
+
+      - name: 'Setup Terraform'
+        uses: 'abcxyz/secure-setup-terraform@main' # ratchet:exclude
+        with:
+          terraform_version: '${{ env.GUARDIAN_TERRAFORM_VERSION }}'
+          terraform_module_location: './${{ matrix.working_directory }}'
+          terraform_lockfile_location: './${{ matrix.working_directory }}'
+          protect_lockfile: false
+          terraform_wrapper: false
+
+      - name: 'Setup Guardian'
+        uses: 'abcxyz/actions/.github/actions/setup-binary@main' # ratchet:exclude
+        with:
+          download_url: 'https://github.com/abcxyz/guardian/releases/download/v${{ env.GUARDIAN_VERSION }}/guardian_${{ env.GUARDIAN_VERSION }}_linux_amd64.tar.gz'
+          install_path: '${{ runner.temp }}/.guardian'
+          binary_subpath: 'guardian'
+          cache_key: '${{ runner.os }}_${{ runner.arch }}_guardian_${{ env.GUARDIAN_VERSION }}'
+          add_to_path: true
+
+      - name: 'Guardian Apply'
+        shell: 'bash'
+        env:
+          # used to create comments on pull requests (access to only this repo)
+          GUARDIAN_GITHUB_TOKEN: '${{ steps.mint-token.outputs.token }}'
+        run: |-
+          guardian apply -dir="${DIRECTORY}" -storage="file:/${{ runner.temp }}}" -allow-lockfile-changes