Adjust the workflow that automatically locks Terraform providers #931
Merged
Provide a PAT when checking out the repository in the `lock-terraform-providers.yml` workflow. This will allow a commit pushed by this workflow to trigger other workflows in the repository.
Include the workflow file in the paths that trigger the `lock-terraform-providers.yml` workflow. This will ensure that changes to the workflow are tested if a PR that modifies the workflow file is made.
Using the stefanzweifel/git-auto-commit-action action in workflow runs for pull requests from a fork is too much effort for something we will be unlikely to need.
Pull request overview
This pull request enhances the Terraform provider locking workflow with improved automation and security features. The changes enable better integration with Dependabot by using a Personal Access Token (PAT) when available, prevent execution on fork PRs for security, and ensure the workflow runs when its own configuration is modified.
Changes:
- Added the workflow file itself to path triggers to validate workflow modifications
- Added fork detection to prevent the workflow from running on pull requests from forked repositories
- Implemented PAT token with fallback to default GitHub token for better workflow triggering capabilities
Files not reviewed (1)
- terraform/.terraform.lock.hcl: Language not supported
dav3r approved these changes Feb 23, 2026
jsf9k approved these changes Feb 23, 2026
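The three changes described in this conversation (a PAT at checkout, a skip for pull requests from forks, and the workflow file in its own path filter) could look like this in a workflow. This is an added illustration, not the repository's actual workflow file; the secret name `PROVIDER_LOCK_PAT`, the action versions, the `terraform/**` path filter and the platform list are assumptions.

```yaml
# Illustrative workflow, not the repository's actual lock-terraform-providers.yml.
# Assumed: secret name PROVIDER_LOCK_PAT, action versions, path filter, platform list.
name: lock-terraform-providers

on:
  pull_request:
    paths:
      - terraform/**
      # Include the workflow itself so a PR that edits it also exercises it.
      - .github/workflows/lock-terraform-providers.yml

permissions:
  contents: write  # needed only when the job falls back to GITHUB_TOKEN

jobs:
  lock-providers:
    runs-on: ubuntu-latest
    # Skip pull requests from forks: repository secrets are not passed to
    # those runs and their GITHUB_TOKEN is read-only, so nothing could be pushed.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR branch itself so the commit lands on it.
          ref: ${{ github.head_ref }}
          # A push made with GITHUB_TOKEN does not start other workflow runs;
          # a push made with a PAT does. An unset secret is an empty string,
          # so the expression falls back to the default token.
          # checkout persists this token in the local git config, and the
          # later push reuses it.
          token: ${{ secrets.PROVIDER_LOCK_PAT || secrets.GITHUB_TOKEN }}
      - uses: hashicorp/setup-terraform@v3
      - name: Update the dependency lock file
        run: terraform -chdir=terraform providers lock -platform=linux_amd64
      - uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: Lock Terraform providers
          file_pattern: terraform/.terraform.lock.hcl
```

A fine-grained PAT restricted to this one repository with only contents write access keeps the token's reach small. Workflow runs triggered by Dependabot pull requests read Dependabot secrets rather than Actions secrets, so the PAT has to be stored there as well for those runs to see it.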
🗣 Description
This pull request makes some adjustments to the `lock-terraform-providers.yml` workflow that automatically locks Terraform providers in pull requests. These changes include:
💭 Motivation and context
These are mostly quality of life changes to the functionality of the workflow, but the change to using a PAT will allow Dependabot PRs to automatically lock providers and trigger necessary workflows if a commit is pushed.
🧪 Testing
Automated tests pass. I tested similar changes in cisagov/cyhy-core#137.
✅ Pre-approval checklist