-
Notifications
You must be signed in to change notification settings - Fork 31
118 lines (98 loc) · 3.66 KB
/
terraform.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Configure Terraform
on:
push:
branches:
- main
pull_request:
types: [ labeled, opened, reopened, synchronize ]
branches:
- '*'
workflow_dispatch:
inputs:
debug:
description: 'Debug'
required: false
default: false
type: boolean
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
build:
name: Configure Google Cloud
runs-on: ubuntu-latest
permissions:
pull-requests: 'write'
id-token: write
steps:
# - name: Permissions Monitor
# uses: GitHubSecurityLab/actions-permissions/monitor@v1
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-java@v3
with:
distribution: temurin
java-version: 17
- id: token
uses: tibdex/github-app-token@v2
with:
private_key: ${{ secrets.PRIVATE_KEY }}
app_id: ${{ secrets.APP_ID }}
- id: google_cloud_auth
uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_IDENTITY }}
service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_ID }}
token_format: access_token
- uses: google-github-actions/setup-gcloud@v1
- uses: docker/login-action@v3
with:
username: oauth2accesstoken
password: ${{ steps.google_cloud_auth.outputs.access_token }}
registry: europe-west1-docker.pkg.dev
- uses: gradle/gradle-build-action@v2
- id: containerize
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_PROJECT_API_KEY: ${{ secrets.google_project_api_key }}
GOOGLE_SERVICE_ACCOUNT_ID: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_ID }}
MOBILE_SDK_APP_ID: ${{ secrets.mobile_sdk_app_id }}
PLAYGROUND_API_KEY: ${{ secrets.PLAYGROUND_API_KEY }}
if: ${{ github.ref == 'refs/heads/main' }}
run: |
./gradlew cloud-run:jib \
--image=europe-west1-docker.pkg.dev/${{ steps.google_cloud_auth.outputs.project_id }}/cloud-run-source-deploy/playground.ashdavies.dev \
${{ contains(github.event.pull_request.labels.*.name, 'Dry Run') && '--dry-run' || '' }} \
${{ inputs.debug && '--debug' || '--info' }} \
--no-configuration-cache \
--console=plain \
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.7
- id: init
run: terraform -chdir=terraform init
- id: plan
env:
TF_INPUT: 0
TF_LOG: ${{ inputs.debug && 'DEBUG' || 'ERROR' }}
TF_VAR_gh_token: ${{ steps.token.outputs.token }}
if: ${{ github.event_name == 'pull_request' }}
run: |
terraform -chdir=terraform plan >/dev/null -lock-timeout=5m -out=.terraform/terraform.tfplan
terraform -chdir=terraform show .terraform/terraform.tfplan -no-color
- uses: actions/github-script@v6
if: ${{ github.event_name == 'pull_request' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const comments = require('./.github/workflows/scripts/comments.js');
const message = `\`\`\`${{ steps.plan.outputs.stdout }}\`\`\``;
await comments.create(context, github, message);
- id: apply
env:
TF_VAR_gh_token: ${{ steps.token.outputs.token }}
TF_LOG: ${{ inputs.debug && 'DEBUG' || 'ERROR' }}
TF_INPUT: 0
if: ${{ github.ref == 'refs/heads/main' }}
run: terraform -chdir=terraform apply -auto-approve -lock-timeout=5m