
Commit 8ea0cd9

Enhance PR verification workflow: update job conditions and add terraform plan and deploy steps for Development environment
1 parent 8ac250b commit 8ea0cd9

1 file changed

Lines changed: 64 additions & 18 deletions


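--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -1,17 +1,15 @@
 name: PR Verify
 
 # Label-based workflow control:
-# - 'run-dev-plan': Enables dev Terraform plan for copilot/* branches (always runs for other branches)
-# - 'run-prd-plan': Enables prd Terraform plan for any branch
-# - copilot/* branches: Require 'run-dev-plan' label to run dev plan, and both 'run-dev-plan' + 'run-prd-plan' labels to run prd plan
-# - Non-copilot branches: Dev plan runs automatically, prd plan requires 'run-prd-plan' label
-# - dependabot PRs: Terraform plans are always skipped
+# - Always run Terraform plan against Development when Terraform exists (skips drafts/dependabot)
+# - 'deploy-dev': Runs Terraform plan+apply and deploys the app to Development (skips drafts/dependabot)
+# - 'run-prd-plan': Runs Terraform plan against Production (skips drafts/dependabot)
 
 on:
 pull_request:
 branches:
 - main
-types: [opened, synchronize, reopened, ready_for_review]
+types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 
 permissions: {}
 
@@ -29,15 +27,11 @@ jobs:
 dotnet-version: 9.0.x
 src-folder: "src"
 
-# Dev Terraform Plan:
-# - Runs automatically for feature/bugfix/hotfix branches (non-copilot, non-dependabot)
-# - Skipped for copilot/* branches unless 'run-dev-plan' label is added
-# - Always skipped for dependabot PRs
 terraform-plan-dev:
 permissions:
 contents: read
 id-token: write
-if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && (!startsWith(github.head_ref, 'copilot/') || contains(github.event.pull_request.labels.*.name, 'run-dev-plan'))
+if: github.event.pull_request.draft == false && github.event.pull_request.user.login != 'dependabot[bot]' && !contains(github.event.pull_request.labels.*.name, 'deploy-dev')
 needs: build-and-test
 environment: Development
 runs-on: ubuntu-latest
@@ -53,17 +47,69 @@ jobs:
 AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
 AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
-# Prd Terraform Plan:
-# Label requirements for this job:
-# - Non-copilot branches: require 'run-prd-plan' label only
-# - copilot/* branches: require both 'run-dev-plan' and 'run-prd-plan' labels
-# - Always skipped for dependabot PRs
+terraform-plan-and-apply-dev:
+permissions:
+contents: read
+id-token: write
+if: github.event.pull_request.draft == false && github.event.pull_request.user.login != 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'deploy-dev')
+needs: build-and-test
+environment: Development
+runs-on: ubuntu-latest
+concurrency:
+group: ${{ github.repository }}-dev
+steps:
+- uses: frasermolyneux/actions/terraform-plan-and-apply@main
+with:
+terraform-folder: "terraform"
+terraform-var-file: "tfvars/dev.tfvars"
+terraform-backend-file: "backends/dev.backend.hcl"
+AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+- id: terraform-output
+shell: bash
+run: |
+cd terraform
+echo "function_app_name=$(terraform output -raw function_app_name)" >> $GITHUB_OUTPUT
+echo "resource_group_name=$(terraform output -raw resource_group_name)" >> $GITHUB_OUTPUT
+env:
+ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+ARM_USE_AZUREAD: true
+ARM_USE_OIDC: true
+
+outputs:
+function_app_name: ${{ steps.terraform-output.outputs.function_app_name }}
+resource_group_name: ${{ steps.terraform-output.outputs.resource_group_name }}
+
+function-app-deploy-dev:
+permissions:
+contents: read
+id-token: write
+if: github.event.pull_request.draft == false && github.event.pull_request.user.login != 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'deploy-dev')
+environment: Development
+needs: [build-and-test, terraform-plan-and-apply-dev]
+runs-on: ubuntu-latest
+concurrency:
+group: ${{ github.repository }}-dev
+steps:
+- uses: frasermolyneux/actions/deploy-function-app@main
+with:
+function-app-artifact-name: "XtremeIdiots.Portal.Repository.App"
+function-app-name: ${{ needs.terraform-plan-and-apply-dev.outputs.function_app_name }}
+function-app-resource-group: ${{ needs.terraform-plan-and-apply-dev.outputs.resource_group_name }}
+AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
 terraform-plan-prd:
 permissions:
 contents: read
 id-token: write
-if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'run-prd-plan') && (!startsWith(github.head_ref, 'copilot/') || contains(github.event.pull_request.labels.*.name, 'run-dev-plan'))
-needs: terraform-plan-dev
+if: github.event.pull_request.draft == false && github.event.pull_request.user.login != 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'run-prd-plan')
+needs: build-and-test
 environment: Production
 runs-on: ubuntu-latest
 concurrency: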
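Review bot: The `deploy-dev` label that gates `terraform-plan-and-apply-dev` and `function-app-deploy-dev` stays on the pull request once applied, and `synchronize` is still listed in `types`, so every later push to a labelled PR re-runs Terraform apply and the app deploy against Development with `id-token: write` and no fresh approval. If that is not intended, the gate should be something evaluated per run, such as required reviewers on the `Development` environment (its protection rules are not visible in this diff) or removing the label once the deploy job completes. Both new jobs also reference `frasermolyneux/actions/...@main`; with OIDC credentials in scope, a full commit SHA pin such as `uses: frasermolyneux/actions/terraform-plan-and-apply@<full-commit-sha>` keeps a change on that branch from altering what runs here. The header comment for `'deploy-dev'` could also state that the apply and deploy repeat on each push while the label is present.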
