fix: update fork warn workflow #90
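---
# Plans and applies the OpenTofu configuration that manages GitHub Teams
# membership. Pull requests only get a plan (posted as a PR comment);
# pushes to main get a plan followed by an apply.
name: Plan and apply changes to GitHub Teams Membership

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - teams/**.yaml
      - tf-config/**
  pull_request:
    branches:
      - main

env:
  # Quoted so a future two-component version such as 1.20 is never read as a float.
  TOFU_VERSION: "1.11.4"

concurrency:
  # Only run one tf job at a time to avoid conflicts and state lock
  group: ${{ github.workflow }}
  cancel-in-progress: false

jobs:
  plan-apply:
    runs-on: ubuntu-latest
    # Provide GITHUB_TOKEN enough permissions to post a comment to a PR.
    # Listing any permission here sets every unlisted scope to none, so the
    # read access the checkout step relies on is stated explicitly.
    permissions:
      contents: read
      issues: write
      pull-requests: write
    # Secrets for this workflow are in an environment with extra restrictions
    environment: tf-env
    steps:
      # NOTE(review): third-party actions below are pinned to major tags only;
      # pinning each to a full commit SHA would protect against a retargeted
      # tag pulling in unreviewed code.
      - name: Checkout repo
        uses: actions/checkout@v6

      # NOTE(review): this authenticates with a long-lived service-account key
      # stored as a secret; keyless auth (workload identity federation) would
      # avoid storing a key at all — confirm whether the GCP side allows it.
      - name: Authenticate against GCP project with Service Account
        uses: google-github-actions/auth@v3
        with:
          project_id: "supple-tracker-380219"
          credentials_json: "${{ secrets.GCP_SA_CREDS }}"

      - name: Install opentofu
        uses: opentofu/setup-opentofu@v2
        with:
          tofu_version: ${{ env.TOFU_VERSION }}

      # This output will be passed to generate-token step so that the generated
      # token will have access to all the repos mentioned
      - name: List all repos mentioned in teams yaml files
        id: list-repos
        # An explicit bash shell runs with `-e -o pipefail`; the default shell
        # only has `-e`, which ignores a failing `yq` earlier in the pipeline and
        # would hand an empty repo list to the token step. An empty list is not a
        # safe fallback — the token action scopes such a token to every repo of
        # the owner's installation (confirm against the action's docs) — so
        # failing the step is preferable.
        shell: bash
        run: |
          # awk emits "a,b,c," with no space, so the trailing-comma strip must
          # match ",$" (the previous pattern ", $" never matched).
          repos=$(yq eval '.permissions[].repo' "$(pwd)"/teams/*.yaml | grep -v '^---$' | sort -u | awk '{printf "%s,", $0}' | sed 's/,$//')
          echo "$repos"
          echo "repo-list=$repos" >> "$GITHUB_OUTPUT"

      - name: Generate a token with permission to manage members/teams of the org
        id: generate-token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          # Restricts the installation token to the repos named in teams/*.yaml.
          repositories: ${{ steps.list-repos.outputs.repo-list }}

      - name: Initialise opentofu
        working-directory: tf-config
        run: tofu init

      - name: Select opentofu workspace
        working-directory: tf-config
        run: tofu workspace select -or-create turing-way

      - name: Run plan
        working-directory: tf-config
        run: tofu plan -out .planfile
        env:
          TF_VAR_github_token: "${{ steps.generate-token.outputs.token }}"

      - name: Post plan as PR comment
        uses: borchero/terraform-plan-comment@v3
        with:
          expand-comment: true  # Ensures the comment is unfolded for review
          planfile: .planfile
          # Only pull_request events get a comment; pushes to main go straight to apply.
          skip-comment: ${{ github.event_name != 'pull_request' }}
          skip-empty: true  # Don't post a comment when the plan has no changes
          terraform-cmd: tofu
          token: "${{ secrets.GITHUB_TOKEN }}"
          working-directory: tf-config

      - name: Run apply
        # Applies the plan file produced above; never runs for pull requests.
        if: github.event_name != 'pull_request'
        working-directory: tf-config
        run: tofu apply .planfile
        env:
          TF_VAR_github_token: "${{ steps.generate-token.outputs.token }}"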