Update Nix flake inputs #1391
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: ArgoCD Diff Command | |
| on: | |
| issue_comment: | |
| types: [created] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| argocd-diff: | |
| runs-on: ubuntu-latest | |
| env: | |
| ARGOCD_SERVER: argocd.cow-banjo.ts.net | |
| ARGOCD_OPTS: --grpc-web | |
| steps: | |
| - name: Ensure this is a PR comment | |
| if: github.event_name == 'issue_comment' | |
| env: | |
| PR_URL: ${{ github.event.issue.pull_request.url }} | |
| run: | | |
| if [ -z "$PR_URL" ]; then | |
| echo "Not a PR – skipping" | |
| exit 1 | |
| fi | |
| - name: Check for diff command | |
| if: github.event_name == 'issue_comment' | |
| id: diff | |
| uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2.0.0 | |
| continue-on-error: true | |
| with: | |
| command: diff | |
| permission-level: admin | |
| - name: Checkout PR head | |
| if: steps.diff.outputs.command-name | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| ref: ${{ format('refs/pull/{0}/head', github.event.issue.number) }} | |
| - name: Checkout trusted scripts from main branch | |
| if: steps.diff.outputs.command-name | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| ref: main | |
| path: trusted-main | |
| - name: Determine base ref | |
| if: steps.diff.outputs.command-name | |
| id: base | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| run: | | |
| # Query PR base dynamically instead of assuming 'main' | |
| BASE=$(gh pr view "$ISSUE_NUMBER" --json baseRefName -q .baseRefName) | |
| echo "base=$BASE" >> $GITHUB_OUTPUT | |
| git fetch origin "$BASE:$BASE" | |
| - name: Get PR head SHA | |
| if: steps.diff.outputs.command-name | |
| id: pr-head | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| run: | | |
| PR_HEAD=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid) | |
| echo "sha=$PR_HEAD" >> $GITHUB_OUTPUT | |
| - name: Detect Changed Apps | |
| if: steps.diff.outputs.command-name | |
| id: detect | |
| uses: ./trusted-main/.github/actions/detect-apps | |
| with: | |
| base_ref: ${{ steps.base.outputs.base }} | |
| head_ref: ${{ steps.pr-head.outputs.sha }} | |
| pr_number: ${{ github.event.issue.number }} | |
| action_type: diff | |
| event_name: ${{ github.event_name }} | |
| - name: Setup ArgoCD environment | |
| if: steps.diff.outputs.command-name && steps.detect.outputs.apps != '' | |
| id: setup-argocd | |
| uses: ./trusted-main/.github/actions/setup-argocd | |
| with: | |
| tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }} | |
| tailscale_oauth_secret: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }} | |
| - name: Get PR branch name | |
| if: steps.diff.outputs.command-name && steps.detect.outputs.apps != '' | |
| id: pr-branch | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| run: | | |
| PR_BRANCH=$(gh pr view "$ISSUE_NUMBER" --json headRefName -q .headRefName) | |
| echo "branch=$PR_BRANCH" >> $GITHUB_OUTPUT | |
| - name: ArgoCD Diff | |
| if: steps.diff.outputs.command-name && steps.detect.outputs.apps != '' | |
| env: | |
| ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| KUBECTL_EXTERNAL_DIFF: git diff --no-index --no-color | |
| DETECTED_APPS: ${{ steps.detect.outputs.apps }} | |
| PR_BRANCH: ${{ steps.pr-branch.outputs.branch }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| run: |- | |
| set -x | |
| # Split apps into array for processing | |
| IFS=' ' read -ra APPS_ARRAY <<< "$DETECTED_APPS" | |
| echo "🔍 Running ArgoCD diff for apps: $DETECTED_APPS" | |
| echo "Comparing against branch: $PR_BRANCH" | |
| # Create diff output for each app | |
| diff_output="" | |
| for app in "${APPS_ARRAY[@]}"; do | |
| echo "Generating diff for $app..." | |
| # Run argocd diff and capture exit code (disable set -e temporarily) | |
| set +e | |
| app_diff=$(argocd app diff "$app" --revision "$PR_BRANCH" 2>&1) | |
| exit_code=$? | |
| set -e | |
| if [[ $exit_code -eq 0 ]]; then | |
| # No differences found | |
| diff_output="${diff_output}## 📋 $app\n\nNo changes detected.\n\n" | |
| elif [[ $exit_code -eq 1 ]]; then | |
| # Differences found (exit code 1 means diff found) | |
| # ArgoCD should now output unified diff format via KUBECTL_EXTERNAL_DIFF | |
| diff_output="${diff_output}## 📋 $app\n\n\`\`\`diff\n$app_diff\n\`\`\`\n\n" | |
| else | |
| # Actual error occurred (exit code 2 or other) | |
| diff_output="${diff_output}## 📋 $app\n\n❌ Failed to generate diff (exit code $exit_code):\n\`\`\`\n$app_diff\n\`\`\`\n\n" | |
| fi | |
| done | |
| if [[ -n "$diff_output" ]]; then | |
| # Always comment when there are diffs | |
| gh pr comment "$ISSUE_NUMBER" --body "$(echo -e "$diff_output")" | |
| else | |
| # Only slash commands now, always comment | |
| gh pr comment "$ISSUE_NUMBER" --body "📋 No ArgoCD diffs to display." | |
| fi |