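---
# Posts an `argocd app diff` for the apps a pull request touches when an
# admin comments `/diff` on the PR.
#
# Trust model visible in this file: the PR head is checked out with
# credentials dropped, while the composite actions that run against it
# (detect-apps, setup-argocd) are taken from a separate checkout of `main`.
name: ArgoCD Diff Command

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write

jobs:
  argocd-diff:
    runs-on: ubuntu-latest
    env:
      ARGOCD_SERVER: argocd.cow-banjo.ts.net
      ARGOCD_OPTS: --grpc-web
    steps:
      # issue_comment also fires for comments on plain issues. Failing here
      # short-circuits every later step (they are gated on steps.diff), so a
      # non-PR comment never reaches the refs/pull/N/head checkout below.
      - name: Ensure this is a PR comment
        if: github.event_name == 'issue_comment'
        env:
          PR_URL: ${{ github.event.issue.pull_request.url }}
        run: |
          if [ -z "$PR_URL" ]; then
            echo "Not a PR – skipping"
            exit 1
          fi

      # Authorisation gate: only commenters with admin permission can trigger
      # the diff. continue-on-error keeps a non-matching comment from failing
      # the run; later steps check the command-name output instead.
      - name: Check for diff command
        if: github.event_name == 'issue_comment'
        id: diff
        uses: xt0rted/slash-command-action@bf51f8f5f4ea3d58abc7eca58f77104182b23e88 # v2.0.0
        continue-on-error: true
        with:
          command: diff
          permission-level: admin

      # PR code is untrusted: no persisted token, and nothing from this
      # checkout is executed directly (the actions used below come from
      # the trusted-main checkout).
      - name: Checkout PR head
        if: steps.diff.outputs.command-name
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: ${{ format('refs/pull/{0}/head', github.event.issue.number) }}

      - name: Checkout trusted scripts from main branch
        if: steps.diff.outputs.command-name
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
          fetch-depth: 0
          ref: main
          path: trusted-main

      - name: Determine base ref
        if: steps.diff.outputs.command-name
        id: base
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          # Query PR base dynamically instead of assuming 'main'
          BASE=$(gh pr view "$ISSUE_NUMBER" --json baseRefName -q .baseRefName)
          echo "base=$BASE" >> "$GITHUB_OUTPUT"
          # Materialise the base branch locally so detect-apps can diff against it;
          # HEAD is detached at the PR ref, so updating the local branch is safe.
          git fetch origin "$BASE:$BASE"

      - name: Get PR head SHA
        if: steps.diff.outputs.command-name
        id: pr-head
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          PR_HEAD=$(gh pr view "$ISSUE_NUMBER" --json headRefOid -q .headRefOid)
          echo "sha=$PR_HEAD" >> "$GITHUB_OUTPUT"

      # Composite action from the trusted checkout; its `apps` output drives
      # every remaining step.
      - name: Detect Changed Apps
        if: steps.diff.outputs.command-name
        id: detect
        uses: ./trusted-main/.github/actions/detect-apps
        with:
          base_ref: ${{ steps.base.outputs.base }}
          head_ref: ${{ steps.pr-head.outputs.sha }}
          pr_number: ${{ github.event.issue.number }}
          action_type: diff
          event_name: ${{ github.event_name }}

      - name: Setup ArgoCD environment
        if: steps.diff.outputs.command-name && steps.detect.outputs.apps != ''
        id: setup-argocd
        uses: ./trusted-main/.github/actions/setup-argocd
        with:
          tailscale_oauth_client_id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
          tailscale_oauth_secret: ${{ secrets.TAILSCALE_OAUTH_CLIENT_SECRET }}

      # NOTE(review): detect-apps is pinned to the head SHA, but the diff below
      # uses the mutable branch name, so a push between the two steps changes
      # what is diffed. Passing steps.pr-head.outputs.sha as --revision would
      # pin it — confirm the Argo-side repo can resolve that commit first.
      - name: Get PR branch name
        if: steps.diff.outputs.command-name && steps.detect.outputs.apps != ''
        id: pr-branch
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          PR_BRANCH=$(gh pr view "$ISSUE_NUMBER" --json headRefName -q .headRefName)
          echo "branch=$PR_BRANCH" >> "$GITHUB_OUTPUT"

      - name: ArgoCD Diff
        if: steps.diff.outputs.command-name && steps.detect.outputs.apps != ''
        env:
          ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KUBECTL_EXTERNAL_DIFF: git diff --no-index --no-color
          DETECTED_APPS: ${{ steps.detect.outputs.apps }}
          PR_BRANCH: ${{ steps.pr-branch.outputs.branch }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |-
          # Trace commands for debugging. argocd reads ARGOCD_AUTH_TOKEN from the
          # environment, so the token itself is never a traced argument.
          set -x
          # Split apps into array for processing
          IFS=' ' read -ra APPS_ARRAY <<< "$DETECTED_APPS"
          echo "🔍 Running ArgoCD diff for apps: $DETECTED_APPS"
          echo "Comparing against branch: $PR_BRANCH"
          # Build the comment with real newlines rather than "\n" + echo -e, so
          # backslash sequences inside manifest content are posted verbatim.
          nl=$'\n'
          diff_output=""
          for app in "${APPS_ARRAY[@]}"; do
            echo "Generating diff for $app..."
            # The default shell runs with -e; capture the status without aborting.
            # argocd app diff: 0 = no differences, 1 = differences, >1 = error.
            exit_code=0
            app_diff=$(argocd app diff "$app" --revision "$PR_BRANCH" 2>&1) || exit_code=$?
            if [[ $exit_code -eq 0 ]]; then
              # No differences found
              diff_output+="## 📋 ${app}${nl}${nl}No changes detected.${nl}${nl}"
            elif [[ $exit_code -eq 1 ]]; then
              # Differences found; unified format comes from KUBECTL_EXTERNAL_DIFF.
              # NOTE(review): presumably Secret values are masked in this output
              # by ArgoCD — verify before running this for apps that manage Secrets,
              # since the body is posted to a PR comment.
              diff_output+="## 📋 ${app}${nl}${nl}\`\`\`diff${nl}${app_diff}${nl}\`\`\`${nl}${nl}"
            else
              # Actual error occurred (exit code 2 or other)
              diff_output+="## 📋 ${app}${nl}${nl}❌ Failed to generate diff (exit code ${exit_code}):${nl}\`\`\`${nl}${app_diff}${nl}\`\`\`${nl}${nl}"
            fi
          done
          # NOTE(review): GitHub caps comment bodies at 64 KiB; a very large diff
          # will make gh pr comment fail. Consider truncating or attaching it.
          if [[ -n "$diff_output" ]]; then
            # Always comment when there are diffs
            gh pr comment "$ISSUE_NUMBER" --body "$diff_output"
          else
            # Only slash commands now, always comment
            gh pr comment "$ISSUE_NUMBER" --body "📋 No ArgoCD diffs to display."
          fi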