Update terraform workflow #2485

Open
SalmaSamy wants to merge 2 commits into master from update-terraform-workflow

Conversation

@SalmaSamy
Contributor

  • Fixed branch name main -> master
  • Allows only project MEMBER, OWNER, or COLLABORATOR roles to trigger the Terraform engine
  • Added a step to automatically post the terraform plan output as a comment on the Pull Request, making it easier to review changes before merging.
  • Switched from mutable version tags (like @v4) to immutable commit SHAs (like @11bd719...) to protect against compromised third-party actions.
  • Configured the workflow to use the TF_VAR_ prefix for secrets, which works with the sensitive = true flag to ensure tokens are never leaked in logs or comments.

@meteorcloudy
Member

@fweikert @ted-xie Can you help review terraform related PRs?

- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
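Review bot: the SHA pin on the new `Checkout Code` step is only as good as the check that `11bd71901bbe5b1630ceea73d27597364c9af683` really is the commit `v4.2.2` tags; a maintainer cannot move a commit, but a reviewer can copy the wrong one. Before merging, resolve the tag (for example `git ls-remote --tags https://github.com/actions/checkout v4.2.2`) and compare it with the SHA in this line, and keep the trailing `# v4.2.2` comment, since that is what Dependabot reads to propose bumps of SHA-pinned actions. The `dorny/paths-filter@v3` line removed here should get the same pin-plus-version-comment treatment wherever its replacement lands.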
Contributor

You mentioned in the PR description that using explicit commits rather than version numbers is supposed to protect us against compromised action versions, but I don't quite understand. If an action is compromised at some git tag for some git commit, wouldn't both the version tag and the commit be tainted? Are you concerned about the case where a bad actor could overwrite a tag to a different commit?
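The distinction behind the question above, as an added example that is not part of this PR or thread: a tag such as `@v4` is a movable pointer that anyone with push access to the action's repository (its maintainer, or an attacker who has taken over the account) can repoint at a different commit, while a full 40-hex commit SHA is content-addressed and cannot be redirected without changing the hash. The compromised-tag concern can therefore be turned into a lint that flags every `uses:` reference that is not a full SHA. This Python check uses only the standard library; the embedded workflow text, the `example-org/example-action` step and its all-`a` placeholder SHA are constructed for illustration, not taken from the project.

```python
"""Audit `uses:` references in a GitHub Actions workflow for unpinned refs.

Added example for this review; it is not code from the PR. The workflow text
at the bottom is constructed for illustration.
"""
import re

# A full 40-hex commit SHA is content-addressed: nobody can repoint it without
# changing the hash, whereas a tag like `v4` or a branch can be force-moved.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# `uses: owner/repo@ref`, optionally followed by a `# v1.2.3` comment, with or
# without the YAML list dash in front of the key.
_USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")


def classify_ref(ref, comment):
    """Return one of: local, docker, sha-pinned, sha-pinned-uncommented, unpinned."""
    if ref.startswith("./"):
        return "local"        # same-repo action, versioned with the repo itself
    if ref.startswith("docker://"):
        return "docker"       # needs an image digest, a separate check
    _, _, version = ref.rpartition("@")
    if _SHA_RE.match(version):
        # Dependabot/Renovate read the trailing `# vX.Y.Z` comment to know which
        # release a SHA pin corresponds to, so a missing comment is flagged too.
        return "sha-pinned" if comment else "sha-pinned-uncommented"
    # Tags, branches, missing refs and abbreviated SHAs all land here.
    return "unpinned"


def audit_workflow(text):
    """Return (line_no, ref, comment, status) for every `uses:` line in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            findings.append((line_no, ref, comment, classify_ref(ref, comment)))
    return findings


def unpinned_refs(text):
    """The refs a reviewer should ask to be replaced with a full commit SHA."""
    return [ref for _, ref, _, status in audit_workflow(text) if status == "unpinned"]


# Constructed sample: the before/after lines from this PR, a same-repo action,
# and a SHA pin with no version comment (placeholder SHA, not a real commit).
SAMPLE_WORKFLOW = """\
jobs:
  terraform:
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
      - name: Checkout Code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Path Filter
        uses: dorny/paths-filter@de90cc6fb38fc0963ad727459f9a1755dc9ad150 # v3.0.2
      - uses: ./.github/actions/local-helper
      - uses: example-org/example-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for line_no, ref, comment, status in audit_workflow(SAMPLE_WORKFLOW):
        tail = f"  # {comment}" if comment else ""
        print(f"line {line_no:>2}: {status:<22} {ref}{tail}")
```

Run it as a script to list findings, or call `unpinned_refs()` from a pre-merge check. GitHub does not enforce the `# v4.2.2` comment, so confirm a pin points where the comment claims with `git ls-remote --tags https://github.com/actions/checkout v4.2.2` and compare the result with the SHA in the workflow; Dependabot updates both the SHA and that comment when it proposes a bump.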

})

- name: Terraform Apply
if: github.ref == 'refs/heads/master' && github.event_name == 'push'
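Review bot: the `if:` guard correctly limits Terraform Apply to `push` events on `master`, so a pull_request run can only plan, but nothing visible serializes applies: two pushes to master in quick succession would run two applies against the same state at once. Add a job-level `concurrency:` group with `cancel-in-progress: false` so one apply finishes before the next starts and a running apply is never killed mid-way, and consider attaching a protected `environment:` to the apply job so its required reviewers act as a second gate in addition to the branch condition.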
Contributor

Clarification for github.event_name == 'push': does this mean the PR is getting merged?

}
}

variable "buildkite_api_token" {
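Review bot: only the opening line of the `buildkite_api_token` variable is visible here; the block needs `type = string` and `sensitive = true` for the log and comment protection the description claims, because without `sensitive = true` the value can appear in plan output, which the new plan-comment step would post to the PR. Supply it to the workflow as `TF_VAR_buildkite_api_token` from an Actions secret rather than from a `.tfvars` file in the repo, and keep in mind that `sensitive = true` masks plan and CLI output but does not protect the value in the state file, so the state backend still needs its own access controls.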
Contributor

Where do we tell github actions where to find the buildkite API token?

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Path Filter
uses: dorny/paths-filter@de90cc6fb38fc0963ad727459f9a1755dc9ad150 # v3.0.2
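Review bot: `dorny/paths-filter` runs with the job's `GITHUB_TOKEN`, so pinning it to `de90cc6fb38fc0963ad727459f9a1755dc9ad150` limits what a future upstream change can introduce but not what the action can do with the token today; set a job-level `permissions:` block to the minimum it needs (`contents: read`, plus `pull-requests: read` if the filter runs on pull_request events, where it lists changed files through the API) so a compromised or unmaintained action cannot write to the repository or the PR. The `# v3.0.2` comment matches the form used on the checkout pin above, which keeps Dependabot able to track both.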
Contributor

Just FYI, the last release from this action was 2 years ago, and there appear to be infrequent commits since then. We might consider adopting a more actively-maintained action dependency, or making some of the underlying workflows smarter instead of relying on external deps.
