Skip to content

Bump github/codeql-action from 3.24.5 to 3.24.9 #59

Bump github/codeql-action from 3.24.5 to 3.24.9

Bump github/codeql-action from 3.24.5 to 3.24.9 #59

Workflow file for this run

name: Plan and Apply
permissions:
id-token: write
contents: read
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
plan:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
pull-requests: write
outputs:
exitcode: ${{ steps.plan.outputs.exitcode }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/plan
aws-region: ${{ vars.AWS_REGION }}
- name: Init
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command ./tofu-init.sh
- name: Plan
id: plan
run: |
cd tf
set +e
nix shell --inputs-from . nixpkgs#opentofu --command tofu plan -var "repo=$GITHUB_REPOSITORY" -detailed-exitcode -out tfplan
export exitcode=$?
set -e
echo "exitcode=$exitcode" >> "$GITHUB_OUTPUT"
if [ $exitcode -eq 1 ]; then
exit 1
else
exit 0
fi
- name: Publish plan
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: tfplan
path: tf/tfplan
apply:
runs-on: ubuntu-latest
needs: [plan]
environment: infra
if: github.ref == 'refs/heads/main' && needs.plan.outputs.exitcode == 2
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/apply
aws-region: ${{ vars.AWS_REGION }}
- name: Download plan
uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4
with:
name: tfplan
path: tf
- name: init
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command ./tofu-init.sh
- name: Apply plan
run: |
cd tf
nix shell --inputs-from . nixpkgs#opentofu --command tofu apply -auto-approve tfplan