Switch from PAT to GitHub App-based authentication for Azure self-hosted runner #1046
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test Terraform modules plan | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [opened, synchronize] | |
| branches: | |
| - main | |
| paths: | |
| - "infra/modules/**" | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: false | |
| env: | |
| ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} | |
| ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} | |
| ARM_USE_OIDC: true | |
| ARM_USE_AZUREAD: true | |
| ARM_STORAGE_USE_AZUREAD: true | |
| ROLE_ARN: ${{ secrets.ROLE_ARN }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| TF_IN_AUTOMATION: true | |
| jobs: | |
| detect-modules: | |
| runs-on: ubuntu-latest | |
| name: Detect Modules to Test | |
| permissions: | |
| contents: read | |
| outputs: | |
| modules: ${{ steps.get-all-modules.outputs.resources || steps.get-modified-modules.outputs.resources }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get all modules | |
| id: get-all-modules | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| uses: pagopa/dx/.github/actions/get-all-resources@main | |
| - name: Get modified modules | |
| id: get-modified-modules | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: pagopa/dx/.github/actions/get-modified-resources@main | |
| terraform-test: | |
| runs-on: ubuntu-latest | |
| needs: detect-modules | |
| environment: infra-dev-ci | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| module: ${{ fromJSON(needs.detect-modules.outputs.modules) }} | |
| env: | |
| ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Cloud Login | |
| uses: pagopa/dx/actions/csp-login@main | |
| - name: Terraform Setup | |
| id: set-terraform-version | |
| uses: pagopa/dx/.github/actions/terraform-setup@main | |
| - name: Terraform Init | |
| working-directory: infra/modules/${{ matrix.module }} | |
| run: | | |
| set -euo | |
| terraform init -input=false | |
| - name: Terraform Test | |
| working-directory: infra/modules/${{ matrix.module }} | |
| run: | | |
| set -euo pipefail | |
| if [ -f tests/unit.tftest.hcl ]; then | |
| terraform test -filter='tests/unit.tftest.hcl' | |
| else | |
| # legacy tests | |
| terraform test | |
| fi | |
| if [ -f tests/contract.tftest.hcl ]; then | |
| terraform test -filter='tests/contract.tftest.hcl' | |
| else | |
| echo "No contract tests found, skipping" | |
| fi |