cyhy_amis/.github/workflows/lock-terraform-providers.yml at 4d51bfcb6bc3e3607054027c1e69b22a4f5c7ef1 · cisagov/cyhy_amis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
---
name: Lock Terraform providers

on:  # yamllint disable-line rule:truthy
  # We use the default activity types for the pull_request event as specified here:
  # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
  pull_request:
    paths:
      # Ensure the workflow is run if it has been changed.
      - .github/workflows/lock-terraform-providers.yml
      - terraform/.terraform.lock.hcl

# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
  run:
    shell: bash -Eueo pipefail -x {0}

jobs:
  diagnostics:
    name: Run diagnostics
    # This job does not need any permissions
    permissions: {}
    runs-on: ubuntu-latest
    steps:
      # Note that a duplicate of this step must be added at the top of
      # each job.
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          check_github_status: "true"
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory.  As a result we disable it by default.  If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical.  See
          # cisagov/skeleton-generic#207 for more details.
          monitor_permissions: "false"
          output_workflow_context: "true"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
  lock-providers:
    # Prevent the workflow from running if the trigger was a previous workflow run that
    # updated the lock file or if the run is from a fork.
    if: >-
      (github.actor != 'github-actions[bot]')
      && (github.event.pull_request.head.repo.full_name == github.repository)
    needs:
      - diagnostics
    permissions:
      # stefanzweifel/git-auto-commit-action needs this to commit changes
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Apply standard cisagov job preamble
        uses: cisagov/action-job-preamble@v1
        with:
          # This functionality is poorly implemented and has been
          # causing problems due to the MITM implementation hogging or
          # leaking memory.  As a result we disable it by default.  If
          # you want to temporarily enable it, simply set
          # monitor_permissions equal to "true".
          #
          # TODO: Re-enable this functionality when practical.  See
          # cisagov/skeleton-generic#207 for more details.
          monitor_permissions: "false"
          # Use a variable to specify the permissions monitoring
          # configuration. By default this will yield the
          # configuration stored in the cisagov organization-level
          # variable, but if you want to use a different configuration
          # then simply:
          # 1. Create a repository-level variable with the name
          # ACTIONS_PERMISSIONS_CONFIG.
          # 2. Set this new variable's value to the configuration you
          # want to use for this repository.
          #
          # Note in particular that changing the permissions
          # monitoring configuration *does not* require you to modify
          # this workflow.
          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
      - id: setup-env
        uses: cisagov/setup-env-github-action@v1
      - uses: actions/checkout@v6
        with:
          # Needed by stefanzweifel/git-auto-commit-action to support the pull_request
          # trigger.
          ref: ${{ github.head_ref }}
          token: ${{ secrets.GHA_AUTO_COMMIT_TOKEN || github.token }}
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ steps.setup-env.outputs.terraform-version }}
      - name: Initialize the Terraform configuration
        run: terraform init -backend=false
        working-directory: ./terraform
      - name: Lock Terraform providers
        run: >-
          terraform providers lock
          -platform=darwin_amd64
          -platform=darwin_arm64
          -platform=linux_amd64
          -platform=linux_arm64
        working-directory: ./terraform
      - name: Commit changes
        uses: stefanzweifel/git-auto-commit-action@v7
        with:
          commit_message: Lock Terraform providers