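---
# Repository sync for the AVM GitHub App.
#
# Runs on a fixed schedule and on manual dispatch. The first job builds a
# matrix of target repositories with ./scripts/Invoke-RepoSyncGenerateMatrix.ps1;
# the second job runs ./scripts/Invoke-RepoSyncForSingleRepo.ps1 once per
# matrix entry. Both jobs talk to GitHub with a short-lived GitHub App
# installation token rather than GITHUB_TOKEN.
name: Repository Sync For App

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      repositories:
        description: 'Override the target repositories, use a comma separated list. Leave as All to run on all repositories.'
        default: 'All'
        type: string
      first_run:
        description: 'Whether to run in first run mode'
        default: false
        type: boolean
      plan_only:
        description: 'Whether to only plan the changes'
        default: true
        type: boolean
  schedule:
    - cron: '0 0,4,8,12,16,20 * * *'

# Least privilege for GITHUB_TOKEN: id-token is needed for the Azure OIDC
# federated login used by the sync job (ARM_USE_OIDC below); the repository
# itself only needs to be read. Access to the target repositories comes from
# the app token created in each job, not from these permissions.
permissions:
  id-token: write
  contents: read

jobs:
  generate-matrix:
    name: Generate Matrix
    runs-on: ubuntu-latest
    environment: avm-updates
    outputs:
      # Compact JSON array of matrix entries consumed by run-sync.
      matrix: ${{ steps.matrix.outputs.matrix }}
      # Number of run-sync jobs allowed to run concurrently.
      matrixParallel: ${{ steps.matrix.outputs.matrixParallel }}
    steps:
      - name: Checkout Bootstrap Modules
        uses: actions/checkout@v4

      # NOTE(review): the app-token action is pinned to a release tag; pinning
      # to that release's commit SHA is the stronger supply-chain guarantee.
      - name: Create GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@v1.11.0
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Workflow inputs are handed to the script through env variables instead
      # of being interpolated into the script text, so an input value can never
      # change the PowerShell source that runs.
      - name: Generate Matrix
        id: matrix
        shell: pwsh
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          SYNC_REPOSITORIES: ${{ inputs.repositories }}
          SYNC_FIRST_RUN: ${{ inputs.first_run }}
        run: |
          # Scheduled runs always sync every repository in normal mode; only a
          # manual dispatch can narrow the set or enable first-run mode.
          $repositories = "All"
          $firstRun = $false
          if ($env:GITHUB_EVENT_NAME -eq "workflow_dispatch") {
            $repositories = "$env:SYNC_REPOSITORIES"
            $firstRun = "$env:SYNC_FIRST_RUN".ToLower() -eq "true"
          }

          # First-run mode is serialised to one repository at a time.
          $matrixParallel = 5
          if ($firstRun) {
            $matrixParallel = 1
          }
          Write-Output "matrixParallel=$matrixParallel" >> $env:GITHUB_OUTPUT

          # An empty filter is passed for "All"; otherwise the comma-separated
          # override list is split into an array.
          if ($repositories -eq "All") {
            $repositories = @()
          } else {
            $repositories = $repositories -split ','
          }

          $matrix = @(./scripts/Invoke-RepoSyncGenerateMatrix.ps1 -repoFilter $repositories)
          $matrixJson = ConvertTo-Json $matrix -Depth 10 -Compress
          # Pretty-printed copy for the job log; the compact form goes to the output.
          Write-Host (ConvertTo-Json $matrix -Depth 10)
          Write-Output "matrix=$matrixJson" >> $env:GITHUB_OUTPUT

      # warning.log.json (presumably written by the matrix script) is surfaced
      # both as an artifact and as error annotations; the job itself still passes.
      - name: Upload Repo Logs Json
        if: always() && hashFiles('warning.log.json') != ''
        uses: actions/upload-artifact@v4
        with:
          name: warning.log.json
          path: warning.log.json

      - name: Repo Error
        if: always() && hashFiles('warning.log.json') != ''
        shell: pwsh
        run: |
          $issueLogJson = Get-Content -Path "warning.log.json" -Raw
          $issueLog = ConvertFrom-Json $issueLogJson
          $issueLog | ForEach-Object {
            echo "::error title=$($_.repoId) has issues::$($_.message)"
          }

  run-sync:
    name: ${{ matrix.repoId }} (${{ matrix.repoUrl }})
    runs-on: ubuntu-latest
    environment: avm-updates
    needs: generate-matrix
    strategy:
      # One failing repository must not cancel the others.
      fail-fast: false
      max-parallel: ${{ fromJson(needs.generate-matrix.outputs.matrixParallel) }}
      matrix:
        include: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
    steps:
      # Same major version as generate-matrix; the previous @v2 here ran on a
      # deprecated Node runtime.
      - name: Checkout repository
        uses: actions/checkout@v4

      # NOTE(review): `latest` is unpinned, so runs are not reproducible across
      # Terraform releases; a fixed terraform_version is safer.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: latest
          terraform_wrapper: false

      - name: Create GitHub App Token
        id: app-token
        uses: actions/create-github-app-token@v1.11.0
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      - name: Download Labels CSV File
        shell: pwsh
        run: |
          ./scripts/Invoke-AvmLabelsCsvDownload.ps1

      # Credentials and inputs reach the script only through env. The token is
      # never written to the log (the previous version echoed $env:GH_TOKEN and
      # an undefined $repositories variable). Matrix values are produced by the
      # repository's own matrix script and are interpolated as before.
      - name: Run Sync for ${{ matrix.repoId }}
        shell: pwsh
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          SYNC_FIRST_RUN: ${{ inputs.first_run }}
          SYNC_PLAN_ONLY: ${{ inputs.plan_only }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          # Quoted so the values are unambiguously the strings the provider reads.
          ARM_USE_AZUREAD: "true"
          ARM_USE_OIDC: "true"
        run: |
          # Scheduled runs apply changes in normal mode; first_run and plan_only
          # only take effect on manual dispatch.
          $firstRun = $false
          $planOnly = $false
          if ($env:GITHUB_EVENT_NAME -eq "workflow_dispatch") {
            $firstRun = "$env:SYNC_FIRST_RUN".ToLower() -eq "true"
            $planOnly = "$env:SYNC_PLAN_ONLY".ToLower() -eq "true"
          }
          Write-Output "First Run: $firstRun"
          Write-Output "Plan Only: $planOnly"

          # NOTE(review): gh also honours GH_TOKEN from the environment; confirm
          # this explicit login is still required.
          Write-Host "Authenticating gh cli"
          gh auth login -h "GitHub.com"

          Write-Host "Running repo sync"
          ./scripts/Invoke-RepoSyncForSingleRepo.ps1 `
            -firstRun $firstRun `
            -planOnly $planOnly `
            -stateStorageAccountName "${{ secrets.STORAGE_ACCOUNT_NAME }}" `
            -stateResourceGroupName "${{ secrets.STORAGE_ACCOUNT_RESOURCE_GROUP_NAME }}" `
            -stateContainerName "${{ secrets.STORAGE_ACCOUNT_CONTAINER_NAME }}" `
            -targetSubscriptionId "${{ secrets.TARGET_SUBSCRIPTION_ID }}" `
            -identityResourceGroupName "${{ secrets.IDENTITY_RESOURCE_GROUP_NAME }}" `
            -repoId "${{ matrix.repoId }}" `
            -repoUrl "${{ matrix.repoUrl }}" `
            -repoType "${{ matrix.repoType }}" `
            -repoSubType "${{ matrix.repoSubType }}" `
            -repoOwnerTeam "${{ matrix.repoOwnerTeam }}" `
            -repoContributorTeam "${{ matrix.repoContributorTeam }}" `
            -repoIsProtected ("${{ matrix.repoIsProtected }}" -eq "true")

      # issue.log.json (presumably written by the sync script) is uploaded per
      # repository and turned into error annotations; unlike the matrix job,
      # the presence of issues fails this job.
      - name: Upload Issue Logs Json
        if: always() && hashFiles('issue.log.json') != ''
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.repoId }}.issue.log.json
          path: issue.log.json

      - name: Issue Error
        if: always() && hashFiles('issue.log.json') != ''
        shell: pwsh
        run: |
          $issueLogJson = Get-Content -Path "issue.log.json" -Raw
          $issueLog = ConvertFrom-Json $issueLogJson
          $issueLog | ForEach-Object {
            echo "::error title=${{ matrix.repoId }} has issues::$($_.message) Check the log file artifact for ${{ matrix.repoId }} to see the full details."
          }
          # Fail the job so the issues are visible in the run summary.
          exit 1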