Skip to content
Deploy with Terraform

fix: remove csuf email verification (no longer working) #357

Sign in to view logs

fix: remove csuf email verification (no longer working)

fix: remove csuf email verification (no longer working) #357

Workflow file for this run

.github/workflows/deploy.yml at 6ed1ad7
name: Deploy with Terraform
on:
push:
branches:
- main
workflow_call:
secrets:
GIT_CRYPT_KEY:
required: true
workflow_dispatch:
defaults:
run:
# Use Nix for all of our build commands.
# Doing this will automatically run everything in our devShell.
shell: nix develop -c bash -e -o pipefail {0}
jobs:
deploy:
name: Deploy with Terraform
runs-on: ubuntu-latest
environment: Production
concurrency: Production
outputs:
commit_hash: ${{ steps.git-commit.outputs.commit_hash }}
steps:
- uses: actions/checkout@v4
with:
# Use ref_name instead of ref so we always get the branch to pull our
# latest commit from.
ref: ${{ github.ref_name }}
- uses: nixbuild/nix-quick-install-action@v30
- uses: nix-community/cache-nix-action@v6
with: # see https://github.com/nix-community/cache-nix-action#example-steps
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
restore-prefixes-first-match: nix-${{ runner.os }}-
gc-max-store-size-linux: 1G
purge: true
purge-prefixes: nix-${{ runner.os }}-
purge-created: 0
purge-primary-key: never
# Add a Nix channel as a workaround for terraform-nixos-ng.
# See https://github.com/Gabriella439/terraform-nixos-ng/issues/11.
#
# TODO: Remove this once terraform-nixos-ng is fixed.
- name: Add NixOS channel
run: |-
nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs
nix-channel --update
shell: bash
# Task: Initialize development environment
# This step is a no-op. It just forces a first invocation of `nix develop`
# and will let us isolate any issues with the Nix environment.
- name: Initialize development environment
run: true
# Task: Handle Makefiles
# This shouldn't need any secrets.
# Avoid giving it any.
- name: Run all package Makefiles
run: ./scripts/pkg make
- name: Commit changes, if any
uses: stefanzweifel/git-auto-commit-action@v5
with:
branch: ${{ github.ref_name }}
commit_message: Run all Makefiles using GitHub Actions
# Task: Apply Terraform deployment
- name: Decrypt git-crypt secrets
uses: ./.github/actions/git-crypt
with:
key: ${{ secrets.GIT_CRYPT_KEY }}
- name: Initialize Tailscale
uses: tailscale/github-action@v3
with:
oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
tags: tag:server
- name: Initialize Terraform
id: terraform-init
run: |-
chmod 640 secrets/terraform.tfstate*
terraform init
- name: Calculate a Terraform deployment plan
id: terraform-plan
run: |-
set +e
terraform plan --detailed-exitcode --out="/tmp/acm-aws-plan"
status=$?
set -e
if [[ $status == 1 ]]; then
echo "::error::Terraform plan failed, exiting..."
exit 1
fi
# 0 - Succeeded, diff is empty (no changes)
# 1 - Errored
# 2 - Succeeded, there is a diff
echo "status=$status" >> $GITHUB_OUTPUT
- name: Apply Terraform configurations
id: terraform-apply
if: steps.terraform-plan.outputs.status == 2
run: |-
set -o pipefail
terraform apply --auto-approve "/tmp/acm-aws-plan" \
|& tee /tmp/terraform-apply.log \
|& grep -v 'deployment.null_resource.deploy (.*-exec):'
- name: Commit changes, if any
id: git-commit
if: steps.terraform-plan.outputs.status == 2
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Update deployment using GitHub Actions"
branch: ${{ github.ref_name }}
- name: Prepare Terraform deployment logs
id: terraform-logs-prepare
if: steps.terraform-plan.outputs.status == 2 && failure()
run: |-
./scripts/encrypt-ssh \
/tmp/terraform-apply.log \
/tmp/terraform-apply.log.enc
- name: Upload Terraform deployment logs
id: terraform-logs-upload
if: steps.terraform-plan.outputs.status == 2 && failure()
uses: actions/upload-artifact@v4
with:
name: terraform-apply.log.enc
path: /tmp/terraform-apply.log.enc