pull-request.yaml
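# Pull request checks: find the OpenTofu configs touched by a pull request,
# run a plan for each one via the reusable plan workflow, and post (or update)
# one PR comment per config with the plan output.
#
# Security notes for maintainers:
# - Values derived from the pull request (changed module paths, matrix
#   entries) are handed to scripts through `env:` and read at runtime, never
#   expanded with ${{ }} inside `run:` / `script:` bodies. Expression
#   expansion happens before the shell or JavaScript is parsed, so a crafted
#   directory name would otherwise become part of the program text.
# - Third-party actions are referenced by mutable tags (v4, v7). Pinning them
#   to a full commit SHA prevents a moved tag from changing what runs here.
name: Pull request checks

on:
  pull_request:

# Default to no token permissions; each job below grants only what it needs.
permissions: {}

jobs:
  configs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Find changed OpenTofu modules
        id: modified
        uses: ./.github/actions/changed-modules
        with:
          working-directory: tofu/configs

      - name: Strip prefix from modified configs
        id: configs
        uses: actions/github-script@v7
        env:
          # Assumes the action emits a JSON array of paths; confirm against
          # ./.github/actions/changed-modules.
          MODULES: ${{ steps.modified.outputs.modules }}
        with:
          script: |
            // Parse the module list as data instead of splicing it into the
            // script source. An empty output is treated as "nothing changed".
            const modules = JSON.parse(process.env.MODULES || '[]')
            const configs = modules.map(m => m.replace(/^tofu\/configs\//, ''))
            // setOutput serialises the array to JSON for fromJson() below.
            core.setOutput('configs', configs)

      - name: Show modified configs
        env:
          CONFIGS: ${{ steps.configs.outputs.configs }}
        run: |
          echo "$CONFIGS"
    outputs:
      configs: ${{ steps.configs.outputs.configs }}

  plan:
    uses: ./.github/workflows/plan.yaml
    needs: configs
    # An empty matrix fails the run, so skip when no config was modified.
    if: needs.configs.outputs.configs != '[]'
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        config: ${{ fromJson(needs.configs.outputs.configs) }}
    with:
      environment: development
      config: ${{ matrix.config }}
    # NOTE(review): long-lived AWS access keys are forwarded to a workflow
    # that runs on every pull request, and id-token: write is also granted.
    # If plan.yaml can assume a role through OIDC, the static keys could
    # presumably be dropped; confirm against plan.yaml. Whatever identity is
    # used for PR plans should be read-only.
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
      TF_VAR_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_PRIVATE_SUBNET_CIDRS }}
      TF_VAR_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_PUBLIC_SUBNET_CIDRS }}
      TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}

  comment:
    runs-on: ubuntu-latest
    needs:
      - configs
      - plan
    # Mirrors the guard on the plan job: nothing to comment on without plans.
    if: needs.configs.outputs.configs != '[]'
    permissions:
      contents: read
      pull-requests: write
    strategy:
      matrix:
        config: ${{ fromJson(needs.configs.outputs.configs) }}
    steps:
      - name: Download plan file
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.config }}-tfplan

      # NOTE(review): the plan text is posted verbatim to the pull request.
      # Log masking does not apply to comment bodies, so values passed in as
      # secrets (for example the CIDR variables) may appear here if the plan
      # prints them; confirm whether plan.yaml redacts its output.
      - uses: actions/github-script@v7
        env:
          CONFIG: ${{ matrix.config }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // The config name comes from PR-controlled paths, so it is read
            // from the environment rather than expanded into this script.
            const config = process.env.CONFIG
            const heading = `## Plan output for ${config} config`

            // Retrieve existing bot comments for the pull request. Paginate
            // so an earlier comment is still found on long threads; a single
            // page would miss it and a duplicate would be created.
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            })
            const botComment = comments.find(comment => {
              return comment.user?.type === 'Bot' && (comment.body || '').includes(heading)
            })

            // Read the contents of the plan.
            const fs = require('fs');
            const plan = fs.readFileSync('./plan.txt', 'utf8');

            // Prepare the format of the comment.
            const output = `${heading}\n\n\`\`\`\n${plan}\n\`\`\``

            // If we have a comment, update it. Otherwise, create a new one.
            // Both calls are awaited so an API failure fails the step instead
            // of surfacing as an unhandled rejection.
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }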