ci: replace terraform-docs Docker action with binary install #22
Merged
Conversation
The terraform-docs/gh-actions@v1 action runs as a Docker container (image: docker://quay.io/terraform-docs/gh-actions:1.4.1). On the containerized self-hosted runner, the host docker daemon can't see the runner's /_work mount path, so the bind-mount becomes an empty directory and the action operates on no files. Same mechanism that broke gosec/docs in terraform-provider-turingpi; same fix applied here.

Replace 8 separate per-module action invocations with a single actions/setup-go + go install terraform-docs@v0.20.0 + shell loop. v0.20.0 is the version that terraform-docs/gh-actions@v1.4.1 was shipping, so generated READMEs match what the prior workflow would have produced.

Includes the README regeneration that the workflow would otherwise have written on its next successful run (version-constraint drift from `>= 1.0` → `1.3.10` across 6 modules — the .tf files moved on but the workflow couldn't update the docs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The v0.34.0 install script fails on the containerized self-hosted runner with "Process completed with exit code 1" right after detecting the v0.69.1 Linux/ARM64 binary — likely a permissions issue with the target path /root/.local/bin/trivy-bin. v0.35.0 (already used in terraform-provider-turingpi/.github/workflows/security.yml) works. Bumps three references (security.yml × 2, validate.yml × 1) to the same SHA-pinned v0.35.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 17, 2026
jfreed-dev added a commit that referenced this pull request May 18, 2026
…ission

Two related fixes:

1. PR #22's committed READMEs had provider versions pinned to resolved numbers (e.g. `turingpi 1.3.10`) because terraform-docs was run with a `.terraform.lock.hcl` present locally. CI runs terraform-docs without init, so it reads from required_providers and produces the constraint form (`turingpi >= 1.0`). The constraint form is what CI emits, and every PR triggered the docs auto-commit to "fix" the drift. Commit the constraint form across all 9 modules so the loop stabilises.

2. The auto-commit step at the end of docs.yml was failing with "Permission to push denied to github-actions[bot] (403)" because the workflow had no explicit permissions block and inherited the default read-only token. Add `permissions: contents: write` at workflow scope so future regenerations can self-commit.

Net: docs.yml will be a no-op on this PR's next trigger (READMEs already match), and any future drift will be self-healing.
jfreed-dev added a commit that referenced this pull request May 18, 2026
)

* ci: extend validate + docs coverage to talos-image and cert-manager

The validate.yml matrix and docs.yml loop both covered 8 modules but the repo has had 10 since 2026-01 — `modules/talos-image` and `modules/addons/cert-manager` were missing from both. Net effect: those two modules have never been format-checked or validated in CI, and their READMEs haven't been auto-regenerated.

Adds both to:
- validate.yml: matrix.module list (alphabetized addons for legibility)
- docs.yml: for-loop over modules

Also commits the regenerated READMEs that the next docs.yml run would have produced on its own (terraform-docs v0.20.0). 4 additional input lines in cert-manager's README, 1 in talos-image's. No functional .tf changes.

* fix: declare local provider in talos-image, purge leaked CLI config in validate

Two fixes surfaced by extending the validate matrix:

1. modules/talos-image used `data "local_file"` but its required_providers didn't declare hashicorp/local. tflint flagged it (terraform_required_providers warning treated as failure). Add the declaration mirroring how other modules declare `local` (>= 2.0).

2. The matrix's terraform init failed on modules that reference the freed-dev-llc/turingpi provider, with "could not read package directory /_work/.../provider-bin: no such file or directory". Root cause: the sister terraform-provider-turingpi repo's cli-smoketest job writes dev_overrides into the runner's ~/.terraformrc that point at a per-job $RUNNER_TEMP path. Self-hosted runners persist $HOME across jobs, so the leaked config breaks other workflows. Add a defensive step that removes ~/.terraformrc + ~/.tofurc before each matrix entry runs. A separate fix in the provider repo will stop the leak at the source.

* fix(docs): regenerate READMEs from required_providers, add write permission

Two related fixes:

1. PR #22's committed READMEs had provider versions pinned to resolved numbers (e.g. `turingpi 1.3.10`) because terraform-docs was run with a `.terraform.lock.hcl` present locally. CI runs terraform-docs without init, so it reads from required_providers and produces the constraint form (`turingpi >= 1.0`). The constraint form is what CI emits, and every PR triggered the docs auto-commit to "fix" the drift. Commit the constraint form across all 9 modules so the loop stabilises.

2. The auto-commit step at the end of docs.yml was failing with "Permission to push denied to github-actions[bot] (403)" because the workflow had no explicit permissions block and inherited the default read-only token. Add `permissions: contents: write` at workflow scope so future regenerations can self-commit.

Net: docs.yml will be a no-op on this PR's next trigger (READMEs already match), and any future drift will be self-healing.
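The validate.yml matrix job described in the commit above, written out as an added example (this is a reconstruction for illustration, not the repository's own workflow file). It assumes the repository layout named in the thread (`modules/` with an `addons/` subtree), uses action tags where the real repo SHA-pins, lists only the two module paths the thread names, and adds one step beyond what the commit describes: after removing the leaked `~/.terraformrc` and `~/.tofurc`, it points `TF_CLI_CONFIG_FILE` at an empty job-local file so a config written into `$HOME` by a concurrently running job cannot be picked up later in this one either.

```yaml
# Assumed reconstruction of .github/workflows/validate.yml (example, not the repo's file).
name: validate

on:
  pull_request:
    paths:
      - "**.tf"
      - ".github/workflows/validate.yml"

# Validation only reads the checkout; keep the token read-only.
permissions:
  contents: read

jobs:
  validate:
    runs-on: self-hosted
    strategy:
      fail-fast: false
      matrix:
        module:
          - modules/addons/cert-manager
          - modules/talos-image
          # the remaining module paths go here, alphabetized

    steps:
      - uses: actions/checkout@v4

      # Self-hosted runners keep $HOME between jobs, so dev_overrides written to
      # ~/.terraformrc by a sibling workflow would redirect provider lookups here.
      - name: Purge leaked Terraform CLI config
        run: |
          set -euo pipefail
          for f in "$HOME/.terraformrc" "$HOME/.tofurc"; do
            if [ -e "$f" ]; then
              echo "::warning::removing leaked CLI config $f"
              rm -f "$f"
            fi
          done
          # Extra isolation (assumed addition): Terraform honours TF_CLI_CONFIG_FILE,
          # so bind this job to an empty, job-private config regardless of $HOME.
          : > "$RUNNER_TEMP/empty.terraformrc"
          echo "TF_CLI_CONFIG_FILE=$RUNNER_TEMP/empty.terraformrc" >> "$GITHUB_ENV"

      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false

      - uses: terraform-linters/setup-tflint@v4

      - name: fmt, init, validate, tflint
        working-directory: ${{ matrix.module }}
        run: |
          set -euo pipefail
          terraform fmt -check -diff -recursive
          # -backend=false: providers are downloaded, no state backend is touched.
          terraform init -backend=false -input=false
          terraform validate
          tflint --init
          tflint
```

The purge step runs before `terraform init` in every matrix entry, which is what matters on a persistent runner: a cleanup placed only at the end of the leaking job would not help when that job is cancelled or fails partway.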
Summary
terraform-docs/gh-actions@v1 (used 8x in docs.yml, once per module) fails on the containerized self-hosted runner because workspace bind-mounts don't resolve in the host docker daemon. Same root cause as the gosec/docs failures in terraform-provider-turingpi; same fix.

- actions/setup-go + go install terraform-docs@v0.20.0 + shell loop. v0.20.0 is the version that terraform-docs/gh-actions@v1.4.1 was shipping, so output is identical to what the prior workflow would have produced.
- `>= 1.0` → `1.3.10` across 6 modules (the .tf files moved on but the workflow couldn't keep docs in sync).

Local verification

go install github.com/terraform-docs/terraform-docs@v0.20.0 (already validated for the provider repo)

Test plan

`**.tf` will exercise docs.yml end-to-end and confirm the new flow completes without the docker-mount failure.

Note on coverage
Two existing modules are intentionally NOT included in the loop (matching the pre-existing workflow behavior, not changed in this PR):
- modules/talos-image — not generated by docs.yml today
- modules/addons/cert-manager — not in the docs.yml loop today

If those should also get auto-generated READMEs, that's a separate follow-up.
🤖 Generated with Claude Code
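The docs.yml flow this PR describes (native terraform-docs binary, shell loop, self-commit), written out as an added example; it is a reconstruction for illustration, not the repository's workflow file. It assumes each module README already carries the `<!-- BEGIN_TF_DOCS -->` / `<!-- END_TF_DOCS -->` markers that inject mode needs, uses action tags where the real repo SHA-pins, and generalizes the PR's hand-maintained module list into `find`-based discovery so a newly added module cannot be left out of the loop; it also pulls in the `permissions: contents: write` block that the follow-up commit in this thread adds, since without it the push step fails with a 403.

```yaml
# Assumed reconstruction of .github/workflows/docs.yml (example, not the repo's file).
name: docs

on:
  pull_request:
    paths:
      - "**.tf"

# The default GITHUB_TOKEN is read-only; the self-commit step needs write.
permissions:
  contents: write

jobs:
  terraform-docs:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR branch itself rather than the synthetic merge ref,
          # so the push below lands on the branch (same-repo PRs only).
          ref: ${{ github.head_ref }}

      # Same terraform-docs version the Docker action shipped, installed as a native
      # binary so nothing is bind-mounted through the host docker daemon.
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go install github.com/terraform-docs/terraform-docs@v0.20.0

      - name: Regenerate module READMEs
        run: |
          set -euo pipefail
          export PATH="$(go env GOPATH)/bin:$PATH"
          # Discover module directories from their .tf files instead of a hand-kept
          # list (assumed generalization of the PR's explicit loop). Nested example
          # directories, if any exist, would also match and need excluding here.
          find modules -name '*.tf' -exec dirname {} \; | sort -u | while read -r dir; do
            echo "::group::$dir"
            # No terraform init runs here, so provider versions come from
            # required_providers and render as constraints (>= 1.0), not as the
            # resolved numbers a local .terraform.lock.hcl would produce.
            terraform-docs markdown table --output-file README.md --output-mode inject "$dir"
            echo "::endgroup::"
          done

      - name: Commit regenerated docs
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A -- modules
          if git diff --cached --quiet; then
            echo "READMEs already up to date"
            exit 0
          fi
          git commit -m "docs: regenerate terraform-docs output"
          git push
```

Running terraform-docs on a tree that has no lock file is what keeps the committed READMEs stable: generating them locally after `terraform init` yields the resolved-version form, and the next CI run then rewrites them back to the constraint form, which is the auto-commit loop the follow-up commit in this thread had to break.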