diff --git a/.github/workflows/base-image.yaml b/.github/workflows/base-image.yaml index 22853a8c..7967eb86 100644 --- a/.github/workflows/base-image.yaml +++ b/.github/workflows/base-image.yaml @@ -10,15 +10,20 @@ on: schedule: - cron: 0 1 * * 1 +permissions: + contents: read + jobs: push_image: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Docker Images env: DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Registry login run: | diff --git a/.github/workflows/labels.yaml b/.github/workflows/labels.yaml deleted file mode 100644 index cb60e85c..00000000 --- a/.github/workflows/labels.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: Update labels - -on: - push: - branches: - - master - paths: - - .github/labels.yml - -jobs: - labeler: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@52525cb66833763f651fc34e244e4f73b6e07ff5 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pull_request_review.yaml b/.github/workflows/pull_request_review.yaml index 36b541ac..090e94a4 100644 --- a/.github/workflows/pull_request_review.yaml +++ b/.github/workflows/pull_request_review.yaml @@ -1,17 +1,22 @@ -name: pull_request_review test +name: Test pull_request_review event on: - pull_request_review jobs: apply: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved changes on pull_request_review + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
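Review bot: `DOCKER_TOKEN` remains a job-level `env` on `push_image`, so the registry credential is injected into every step of the job, including `actions/checkout` and anything added later, while the only consumer visible here is the `Registry login` step. Moving it into that step (`- name: Registry login` / `env:` / `DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}`) matches what this same commit does for the AWS credentials in test-apply.yaml. The `persist-credentials: false` and `contents: read` additions are the right direction; pinning `actions/checkout@v4` to a commit SHA, as the deleted labels workflow did for its third-party action, would close the remaining mutable-tag gap. The Registry login step's `run:` body continues outside the hunk.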
@@ -27,8 +32,10 @@ jobs: path: tests/workflows/pull_request_review - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi diff --git a/.github/workflows/pull_request_review_trigger.yaml b/.github/workflows/pull_request_review_trigger.yaml deleted file mode 100644 index 067121a3..00000000 --- a/.github/workflows/pull_request_review_trigger.yaml +++ /dev/null 
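Review bot: The error text `output s not set correctly` on the context line is left as-is, while the same commit corrects the identical message to `output output_string not set correctly` in the `apply` job of test-apply.yaml; a misnamed output in a failing check makes the log harder to act on. Suggest `echo "::error:: output output_string not set correctly"` here too, so the message names the output that `OUTPUT_STRING` is actually checking.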
@@ -1,27 +0,0 @@ -name: Trigger pull_request_review - -on: - - pull_request - -jobs: - required_version: - runs-on: ubuntu-latest - name: pull_request_review - steps: - - name: Trigger pull_request_review event - run: | - cat >review.json <> "$GITHUB_OUTPUT" - - - name: Release actions - run: | - set -x - - export RELEASE_TAG="${{ github.event.inputs.tag_name }}" - export major=$(echo $RELEASE_TAG | cut -d. -f1) - export minor=$(echo $RELEASE_TAG | cut -d. -f2) - - git config --global user.name "Daniel Flook" - git config --global user.email "daniel@flook.org" - - function prepare_release() { - rsync -r $GITHUB_WORKSPACE/$action/ $HOME/$action - rm -rf $HOME/$action/.github - mkdir $HOME/$action/.github - cp $GITHUB_WORKSPACE/.github/FUNDING.yml $HOME/$action/.github/FUNDING.yml - } - - for action in $(cd $GITHUB_WORKSPACE && find . -name action.yaml -printf "%h\n" | sed 's/^.\///'); do - - if git clone https://dflook:$GITHUB_TOKEN@github.com/dflook/$action.git "$HOME/$action"; then - echo "Releasing dflook/$action@$RELEASE_TAG" - - # git tags that use DockerHub for the image - prepare_release - sed -i 's| image:.*| image: docker://danielflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml - - git -C "$HOME/$action" add -A - git -C "$HOME/$action" commit -m "$RELEASE_TAG" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor" - git -C "$HOME/$action" push --force - git -C "$HOME/$action" push --force --tags - - # git tags that use GitHub Container Registry for the image - git -C "$HOME/$action" checkout ghcr || git -C "$HOME/$action" checkout -b ghcr - prepare_release - sed -i 's| image:.*| image: docker://ghcr.io/dflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml - - git -C "$HOME/$action" add -A - git -C 
"$HOME/$action" commit -m "$RELEASE_TAG-ghcr" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG-ghcr" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major-ghcr" - git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor-ghcr" - git -C "$HOME/$action" push --set-upstream origin ghcr --force - git -C "$HOME/$action" push --force --tags - - else - echo "Skipping dflook/$action" - fi - done diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 35ccd97e..ab57f5c0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,15 +10,23 @@ on: description: "Tag to release" required: true +permissions: + contents: read + jobs: image: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Release Actions + permissions: + contents: read + packages: write env: GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: true - name: Check tofu actions are up to date run: | @@ -38,14 +46,14 @@ jobs: - name: Build action image id: image_build + env: + RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}" run: | - RELEASE_TAG="${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}" - docker buildx build \ --build-arg FETCH_CHECKSUMS=yes \ --build-arg VERSION="${RELEASE_TAG:1}" \ - --tag danielflook/terraform-github-actions:$RELEASE_TAG \ - --tag ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG \ + --tag "danielflook/terraform-github-actions:$RELEASE_TAG" \ + --tag "ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG" \ --platform linux/amd64,linux/arm64 \ --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \ --push \ 
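Review bot: `persist-credentials: true` is set explicitly on the checkout while the job is limited to `contents: read`; the persisted automatic token cannot push to this repository, so either no later step depends on it (and the `persist-credentials: false` default this commit applies everywhere else should apply here too) or a step does push and will now fail under these permissions. A comment on the `with:` line naming the step that relies on the persisted credential, or dropping the line, would stop the next reader from guessing. Separately, `GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}` is a job-level env, so a release-scoped PAT is visible to the checkout, the tofu check and the image build even though only the `Release actions` step uses it; it could move into that step's `env:` next to `RELEASE_TAG` and `IMAGE_DIGEST`. The job's later steps are outside this hunk.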
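Review bot: `RELEASE_TAG` is taken verbatim from `github.event.inputs.tag_name` on `workflow_dispatch` and is never validated before `${RELEASE_TAG:1}` strips an assumed leading `v` and the value becomes an image tag; later steps derive `major`/`minor` from it and force-push git tags to every action repository. A mistyped input (no `v`, missing dots, a slash) would yield a wrong `VERSION` build-arg and wrong tags rather than a failure. Add a guard at the top of the `run:` block, e.g. `[[ "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "::error::tag_name must look like vX.Y.Z, got '$RELEASE_TAG'"; exit 1; }`, adjusting the pattern to whatever tag forms the project actually publishes. The `docker buildx build` invocation continues past the end of this hunk.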
@@ -55,29 +63,31 @@ jobs: echo "digest=$(> "$GITHUB_OUTPUT" - name: Release actions + env: + RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}" + IMAGE_DIGEST: ${{ steps.image_build.outputs.digest }} run: | - export RELEASE_TAG="${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}" - export major=$(echo $RELEASE_TAG | cut -d. -f1) - export minor=$(echo $RELEASE_TAG | cut -d. -f2) + export major=$(echo "$RELEASE_TAG" | cut -d. -f1) + export minor=$(echo "$RELEASE_TAG" | cut -d. -f2) git config --global user.name "Daniel Flook" git config --global user.email "daniel@flook.org" function prepare_release() { - rsync -r $GITHUB_WORKSPACE/$action/ $HOME/$action - rm -rf $HOME/$action/.github - mkdir $HOME/$action/.github - cp $GITHUB_WORKSPACE/.github/FUNDING.yml $HOME/$action/.github/FUNDING.yml + rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action" + rm -rf "$HOME/$action/.github" + mkdir "$HOME/$action/.github" + cp "$GITHUB_WORKSPACE/.github/FUNDING.yml" "$HOME/$action/.github/FUNDING.yml" } - for action in $(cd $GITHUB_WORKSPACE && find . -name action.yaml -printf "%h\n" | sed 's/^.\///'); do + for action in $(cd "$GITHUB_WORKSPACE" && find . -name action.yaml -printf "%h\n" | sed 's/^.\///'); do - if git clone https://dflook:$GITHUB_TOKEN@github.com/dflook/$action.git "$HOME/$action"; then + if git clone "https://dflook:$GITHUB_TOKEN@github.com/dflook/$action.git" "$HOME/$action"; then echo "Releasing dflook/$action@$RELEASE_TAG" # git tags that use DockerHub for the image prepare_release - sed -i 's| image:.*| image: docker://danielflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml + sed -i "s| image:.*| image: docker://danielflook/terraform-github-actions@$IMAGE_DIGEST|" "$HOME/$action/action.yaml" git -C "$HOME/$action" add -A git -C "$HOME/$action" commit -m "$RELEASE_TAG" 
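Review bot: `IMAGE_DIGEST` is spliced into action.yaml with `sed` and then committed, force-tagged and force-pushed, but nothing checks that it is non-empty; if the `digest=` output of the build step is missing for any reason, the result is `image: docker://danielflook/terraform-github-actions@`, published to every action repository under the release tags. A one-line check before the loop, `[[ "$IMAGE_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "::error::image digest not set"; exit 1; }`, turns that into a failed release instead. The `git clone "https://dflook:$GITHUB_TOKEN@github.com/..."` form also leaves the PAT in each clone's `.git/config` remote URL for the rest of the job; a credential helper or `git -c http.extraheader=…` keeps it out of on-disk config, though on an ephemeral runner this is hardening rather than a leak. The remainder of the release loop is outside this hunk.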
@@ -90,7 +100,7 @@ jobs: # git tags that use GitHub Container Registry for the image git -C "$HOME/$action" checkout ghcr || git -C "$HOME/$action" checkout -b ghcr prepare_release - sed -i 's| image:.*| image: docker://ghcr.io/dflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml + sed -i "s| image:.*| image: docker://ghcr.io/dflook/terraform-github-actions@$IMAGE_DIGEST|" "$HOME/$action/action.yaml" git -C "$HOME/$action" add -A git -C "$HOME/$action" commit -m "$RELEASE_TAG-ghcr" @@ -101,11 +111,11 @@ jobs: git -C "$HOME/$action" push --force --tags # Create the github release - cat $GITHUB_WORKSPACE/.github/release_template.md \ + cat "$GITHUB_WORKSPACE/.github/release_template.md" \ | envsubst \ | jq --slurp --raw-input --arg RELEASE_TAG "$RELEASE_TAG" '{"tag_name": $RELEASE_TAG, "name": $RELEASE_TAG, "body": . }' \ | curl -X POST \ - --user dflook:$GITHUB_TOKEN \ + --user "dflook:$GITHUB_TOKEN" \ --header "Content-Type: application/json" \ --data-binary @- \ "https://api.github.com/repos/dflook/$action/releases" diff --git a/.github/workflows/repository_dispatch.yaml b/.github/workflows/repository_dispatch.yaml index 95b4b5cd..8c0671ce 100644 --- a/.github/workflows/repository_dispatch.yaml +++ b/.github/workflows/repository_dispatch.yaml @@ -1,17 +1,25 @@ -name: Respository Dispatch +name: Repository Dispatch on: [repository_dispatch] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: plan: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Create terraform plan + permissions: + contents: read + pull-requests: write steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 + with: + persist-credentials: false - name: terraform plan uses: ./terraform-plan diff --git a/.github/workflows/repository_dispatch_trigger.yaml b/.github/workflows/repository_dispatch_trigger.yaml deleted file mode 100644 index 7965ced3..00000000 
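Review bot: The `curl -X POST` that creates the GitHub release has no `--fail`/`--fail-with-body`, so a 401, 404 or 422 (for example when the tag already exists on the target repository) prints the JSON error and the step still succeeds, leaving an action repo with tags pushed but no release. Add `--fail-with-body` to the curl call (curl ≥ 7.76, which the ubuntu-24.04 runner ships) so the job fails loudly. `envsubst` is also run with no variable list, so every `$NAME` in release_template.md is expanded from the full step environment, which includes `GITHUB_TOKEN`; `envsubst '$RELEASE_TAG $major $minor'` restricts it to the intended placeholders. The `for action` loop enclosing this call starts before the hunk.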
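Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is declared as a workflow-level `env`, above the new `permissions:` block, so the token is exposed to every job and step in this workflow rather than only to the `terraform plan` step that needs the `pull-requests: write` grant. Move the `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` pair under the `terraform plan` step so the checkout, which now runs with `persist-credentials: false`, never sees it. The step's `with:` inputs are outside this hunk.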
--- a/.github/workflows/repository_dispatch_trigger.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: Create repository_dispatch event - -on: - - pull_request - -jobs: - trigger: - name: Trigger repository_dispatch - runs-on: ubuntu-latest - steps: - - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: - event-type: test - client-payload: '{"pull_request": { "url": "${{ github.event.pull_request.url }}" } }' diff --git a/.github/workflows/retain-images.yaml b/.github/workflows/retain-images.yaml index 349a1318..576ae3ab 100644 --- a/.github/workflows/retain-images.yaml +++ b/.github/workflows/retain-images.yaml @@ -3,19 +3,27 @@ name: Retain images on: schedule: - cron: 0 0 1 * * + push: + paths: + - .github/workflows/retain-images.yaml + +permissions: + contents: read jobs: pull_image: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Pull images steps: - name: Checkout uses: actions/checkout@v4 with: + persist-credentials: false fetch-depth: 0 - name: docker pull run: | for tag in $(git tag); do docker pull --quiet danielflook/terraform-github-actions:$tag + docker system prune --all --force done diff --git a/.github/workflows/test-apply.yaml b/.github/workflows/test-apply.yaml index 49c92c64..4777381c 100644 --- a/.github/workflows/test-apply.yaml +++ b/.github/workflows/test-apply.yaml 
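Review bot: The `run:` step uses GitHub's default `bash -e` shell, so the first `docker pull` that fails (a git tag with no published image, a transient registry error) aborts the whole loop and every later tag is skipped, silently defeating the retention purpose of the job; with `docker system prune` now inside the loop, the partial run also leaves nothing behind to inspect. Make the pull best-effort per tag and quote the variable: `docker pull --quiet "danielflook/terraform-github-actions:$tag" || echo "::warning::no image for tag $tag"`. The new `push:` trigger on this file runs the job on every branch push that touches it, which is presumably meant for testing the workflow but means a branch push now pulls every tagged image.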
@@ -3,52 +3,64 @@ name: Test terraform-apply on: - pull_request +permissions: + contents: read + jobs: auto_approve: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Auto Approve - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply id: output + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} with: path: tests/workflows/test-apply/remote auto_approve: true - name: Verify outputs + env: + MY_STRING: ${{ steps.output.outputs.my_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.my_string }}" != "hello" ]]; then + if [[ "$MY_STRING" != "hello" ]]; then echo "::error:: output my_string not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.my_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.my_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_error: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Auto Approve plan error steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -59,35 +71,44 @@ jobs: auto_approve: true - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.apply.outputs.text_plan_path }}" ]]; then + if [[ -n "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_apply_error: - runs-on: ubuntu-latest - name: Auto Approve apply phase error + runs-on: ubuntu-24.04 + name: Apply apply phase error + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -95,6 +116,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
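Review bot: `apply_apply_error` keeps `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` (and `GITHUB_TOKEN`) at job-level `env`, while the same commit narrows the AWS credentials in `auto_approve` to the single `Apply` step's `env:`; the two jobs now disagree on where credentials live, and in this one the secrets are still visible to the checkout and every other step. Apply the same step-level scoping here (move the two `AWS_*` lines under the Plan/Apply steps' `env:`) so the least-privilege change is consistent across the workflow. The job's step list continues past the end of this hunk.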
@@ -111,39 +134,47 @@ jobs: path: tests/workflows/test-apply/apply-error - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "apply-failed" ]]; then + if [[ "$FAILURE_REASON" != "apply-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - cat "${{ steps.apply.outputs.json_plan_path }}" - if [[ $(jq -r .format_version "${{ steps.apply.outputs.json_plan_path }}") != "1.2" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.apply.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_no_token: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply without token steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -153,30 +184,39 @@ jobs: path: tests/workflows/test-apply/changes - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved changes + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -192,23 +232,28 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.first-apply.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.first-apply.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.first-apply.outputs.text_plan_path }} + RUN_ID: ${{ steps.first-apply.outputs.run_id }} run: | - if [[ "${{ steps.first-apply.outputs.output_string }}" != "the_string" ]]; then - echo "::error:: output s not set correctly" + if [[ "$OUTPUT_STRING" != "the_string" ]]; then + echo "::error:: output output_string not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.first-apply.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.first-apply.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.first-apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -221,35 +266,45 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.second-apply.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.second-apply.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.second-apply.outputs.text_plan_path }} + RUN_ID: ${{ steps.second-apply.outputs.run_id }} run: | - if [[ "${{ steps.second-apply.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .format_version "${{ steps.second-apply.outputs.json_plan_path }}") != "1.2" ]]; then + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if [[ ! -f '${{ steps.second-apply.outputs.text_plan_path }}' ]]; then + if [[ ! -f "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.second-apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_variables: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved changes with variables + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -295,45 +350,56 @@ jobs: var_file: tests/workflows/test-apply/test.tfvars - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + FROM_VAR: ${{ steps.output.outputs.from_var }} + FROM_VARFILE: ${{ steps.output.outputs.from_varfile }} + COMPLEX_OUTPUT: ${{ steps.output.outputs.complex_output }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ "${{ steps.output.outputs.from_var }}" != "hello" ]]; then + if [[ "$FROM_VAR" != "hello" ]]; then echo "::error:: output from_var not set correctly" exit 1 fi - if [[ "${{ steps.output.outputs.from_varfile }}" != "monkey" ]]; then + if [[ "$FROM_VARFILE" != "monkey" ]]; then echo "::error:: output from_varfile not set correctly" exit 1 fi - if [[ "${{ steps.output.outputs.complex_output }}" != "2000:3000:udp,4000:5000:tcp" ]]; then + if [[ "$COMPLEX_OUTPUT" != "2000:3000:udp,4000:5000:tcp" ]]; then echo "::error:: output complex_output not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! 
grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi backend_config_12: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: backend_config terraform 12 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -341,6 +407,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -358,23 +426,28 @@ jobs: backend_config_file: tests/workflows/test-apply/backend_config_12/backend_config - name: Verify outputs + env: + OUTPUT_TEST: ${{ steps.backend_config_file_12.outputs.test }} + JSON_PLAN_PATH: ${{ steps.backend_config_file_12.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.backend_config_file_12.outputs.text_plan_path }} + RUN_ID: ${{ steps.backend_config_file_12.outputs.run_id }} run: | - if [[ "${{ steps.backend_config_file_12.outputs.test }}" != "hello" ]]; then + if [[ "$OUTPUT_TEST" != "hello" ]]; then echo "::error:: output from backend_config file not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.test.actions[0] "${{ steps.backend_config_file_12.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.test.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.backend_config_file_12.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.backend_config_file_12.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -401,30 +474,38 @@ jobs: region=eu-west-2 - name: Verify outputs + env: + OUTPUT_TEST: ${{ steps.backend_config_12.outputs.test }} + JSON_PLAN_PATH: ${{ steps.backend_config_12.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.backend_config_12.outputs.text_plan_path }} + RUN_ID: ${{ steps.backend_config_12.outputs.run_id }} run: | - if [[ "${{ steps.backend_config_12.outputs.test }}" != "hello" ]]; then + if [[ "$OUTPUT_TEST" != "hello" ]]; then echo "::error:: Output from backend_config not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.test.actions[0] "${{ steps.backend_config_12.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.test.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.backend_config_file_12.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.backend_config_12.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi backend_config_13: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: backend_config terraform 13 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -432,6 +513,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -449,23 +532,28 @@ jobs: backend_config_file: tests/workflows/test-apply/backend_config_13/backend_config - name: Verify outputs + env: + OUTPUT_TEST: ${{ steps.backend_config_file_13.outputs.test }} + JSON_PLAN_PATH: ${{ steps.backend_config_file_13.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.backend_config_file_13.outputs.text_plan_path }} + RUN_ID: ${{ steps.backend_config_file_13.outputs.run_id }} run: | - if [[ "${{ steps.backend_config_file_13.outputs.test }}" != "hello" ]]; then + if [[ "$OUTPUT_TEST" != "hello" ]]; then echo "::error:: output from backend_config file not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.test.actions[0] "${{ steps.backend_config_file_13.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.test.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.backend_config_file_13.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.backend_config_file_13.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -492,35 +580,45 @@ jobs: region=eu-west-2 - name: Verify outputs + env: + OUTPUT_TEST: ${{ steps.backend_config_13.outputs.test }} + JSON_PLAN_PATH: ${{ steps.backend_config_13.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.backend_config_13.outputs.text_plan_path }} + RUN_ID: ${{ steps.backend_config_13.outputs.run_id }} run: | - if [[ "${{ steps.backend_config_13.outputs.test }}" != "hello" ]]; then + if [[ "$OUTPUT_TEST" != "hello" ]]; then echo "::error:: Output from backend_config not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.test.actions[0] "${{ steps.backend_config_13.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.test.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.backend_config_13.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.backend_config_13.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_label: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved with a variable and label + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -540,30 +638,38 @@ jobs: var_file: tests/workflows/test-apply/test.tfvars - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_no_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply when there are no planned changes + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -571,6 +677,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -579,36 +687,46 @@ jobs: path: tests/workflows/test-apply/remote - name: Verify outputs + env: + MY_STRING: ${{ steps.output.outputs.my_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.my_string }}" != "hello" ]]; then + if [[ "$MY_STRING" != "hello" ]]; then echo "::error:: output my_string not set correctly" exit 1 fi - cat "${{ steps.output.outputs.json_plan_path }}" - if [[ $(jq -r .format_version "${{ steps.output.outputs.json_plan_path }}") != "0.1" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "0.1" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_no_plan: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply when there is no approved plan + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -618,36 +736,46 @@ jobs: path: tests/workflows/test-apply/no_plan - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - cat "${{ steps.apply.outputs.json_plan_path }}" - if [[ $(jq -r .format_version "${{ steps.apply.outputs.json_plan_path }}") != "1.2" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.apply.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_user_token: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply using a personal access token + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
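Review bot: `apply_user_token` receives `permissions: pull-requests: write` on the automatic token, but its `GITHUB_TOKEN` env is `secrets.USER_GITHUB_TOKEN`, a personal access token, so the action presumably authenticates with the PAT and the elevated workflow-token permission is unused unless the action falls back to `github.token`; the fine-grained PAT job in the next hunk has the same shape. If there is no fallback, `contents: read` alone is sufficient and the write grant should be dropped; if there is, a comment on the `permissions:` block saying so would justify it. The job's remaining steps are outside the hunk.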
@@ -663,35 +791,45 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_fine_grained_pat: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply using a fine grained personal access token + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.FINE_PAT_GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -707,36 +845,46 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_terraform_actions_github_token: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply using a token in TERRAFORM_ACTIONS_GITHUB_TOKEN + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: No TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
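Review bot: `GITHUB_TOKEN: No` in the `apply_terraform_actions_github_token` env block is an unquoted scalar that a YAML 1.1 parser reads as boolean false, so the value the action receives may be `false` rather than the literal string `No`; the intent (a deliberately invalid token so the `TERRAFORM_ACTIONS_GITHUB_TOKEN` fallback is exercised) is clearer and parser-independent as `GITHUB_TOKEN: "No"`. Whether GitHub's workflow parser applies the 1.1 boolean table to env values is not visible from the diff, so this is a robustness point rather than a confirmed failure. A one-line comment, `# deliberately not a valid token: exercises the TERRAFORM_ACTIONS_GITHUB_TOKEN fallback`, would stop a future reader from "fixing" it into a real secret.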
@@ -752,35 +900,45 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_vars: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved changes with deprecated vars + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -798,33 +956,43 @@ jobs: var_file: tests/workflows/test-apply/test.tfvars - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + FROM_VAR: ${{ steps.output.outputs.from_var }} + FROM_VARFILE: ${{ steps.output.outputs.from_varfile }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ "${{ steps.output.outputs.from_var }}" != "this should be overridden" ]]; then + if [[ "$FROM_VAR" != "this should be overridden" ]]; then echo "::error:: output from_var not set correctly" exit 1 fi - if [[ "${{ steps.output.outputs.from_varfile }}" != "monkey" ]]; then + if [[ "$FROM_VARFILE" != "monkey" ]]; then echo "::error:: output from_varfile not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi apply_refresh: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply changes are refresh + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan 1 uses: ./terraform-plan 
@@ -849,25 +1017,30 @@ jobs: variables: len=20 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 1 ]]; then + if [[ "$TO_DESTROY" -ne 1 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi @@ -887,8 +1060,11 @@ jobs: variables: len=20 apply_with_pre_run: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply with pre-run script + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TERRAFORM_PRE_RUN: | @@ -897,6 +1073,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
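Review bot: Moving `steps.plan.outputs.to_add` and its siblings into `TO_ADD`/`TO_CHANGE`/`TO_DESTROY` closes the template-injection path, but `[[ "$TO_ADD" -ne 1 ]]` still has bash arithmetically evaluate the variable, so a non-numeric value is not rejected: an empty string evaluates as 0 and silently satisfies the `-ne 0` check on `TO_CHANGE`, and a value containing an expression is evaluated rather than compared. The counts come from the repository's own plan step, so this is defence in depth rather than an exposure, but the check is both stricter and cheaper as a string comparison: `if [[ "$TO_ADD" != "1" ]]; then`, `if [[ "$TO_CHANGE" != "0" ]]; then`, `if [[ "$TO_DESTROY" != "1" ]]; then`.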
@@ -912,20 +1090,27 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output_string not set correctly" exit 1 fi warnings_hash: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply with inconsistent warnings + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -944,13 +1129,18 @@ jobs: path: tests/workflows/test-apply/warnings warnings_text: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply with inconsistent warnings (plan text) + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: dflook/terraform-plan@v1.22.2 @@ -969,13 +1159,18 @@ jobs: path: tests/workflows/test-apply/warnings long_plan: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply a plan that doesn't fit in a comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -990,13 +1185,18 @@ jobs: path: tests/workflows/test-apply/long_plan long_plan_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Don't apply a changed plan that doesn't fit in a comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -1015,20 +1215,26 @@ jobs: length = 2 - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "plan-changed" ]]; then + if [[ "$FAILURE_REASON" != "plan-changed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi partial_backend_fingerprint: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Get comment using partial fingerprint + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -1036,6 +1242,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: dflook/terraform-plan@v1.31.0 @@ -1052,13 +1260,18 @@ jobs: backend_config: key=${{ github.run_id }}${{ github.run_attempt }} destroy_mode: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Generate and apply a destroy mode plan + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply @@ -1079,13 +1292,18 @@ jobs: destroy: true destroy_mode_label: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Generate and apply a destroy mode plan with a label + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -1108,13 +1326,18 @@ jobs: destroy: true apply_opentofu: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply OpenTofu + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -1134,35 +1357,45 @@ jobs: path: tests/workflows/test-apply/changes - name: Verify outputs + env: + OUTPUT_STRING: ${{ steps.output.outputs.output_string }} + JSON_PLAN_PATH: ${{ steps.output.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.output.outputs.text_plan_path }} + RUN_ID: ${{ steps.output.outputs.run_id }} run: | - if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then + if [[ "$OUTPUT_STRING" != "the_string" ]]; then echo "::error:: output s not set correctly" exit 1 fi - if [[ $(jq -r .output_changes.output_string.actions[0] "${{ steps.output.outputs.json_plan_path }}") != "create" ]]; then + if [[ $(jq -r .output_changes.output_string.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "OpenTofu will perform the following actions" '${{ steps.output.outputs.text_plan_path }}'; then + if ! grep -q "OpenTofu will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.output.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi long_outputs: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply a plan with long outputs + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -1175,13 +1408,18 @@ jobs: path: tests/workflows/test-apply/long_outputs outputs: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply a plan with outputs + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan diff --git a/.github/workflows/test-binary-plan.yaml b/.github/workflows/test-binary-plan.yaml index 38426182..a84dc62e 100644 --- a/.github/workflows/test-binary-plan.yaml +++ b/.github/workflows/test-binary-plan.yaml @@ -1,15 +1,20 @@ -name: Test terraform-binary-plan +name: Test terraform-plan using binary plan on: - pull_request +permissions: + contents: read + jobs: missing_plan_path: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Missing plan steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply @@ -21,20 +26,27 @@ jobs: auto_approve: true - name: Verify outputs + env: + OUTCOME: ${{ steps.apply.outcome }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi apply: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply approved changes + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -52,11 +64,13 @@ jobs: plan_path: ${{ steps.plan.outputs.plan_path }} auto_approve: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply auto approved changes steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -75,13 +89,18 @@ jobs: auto_approve: true plan_changed: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply should fail if the approved plan has changed + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -106,13 +125,16 @@ jobs: plan_path: ${{ steps.plan.outputs.plan_path }} - name: Verify outputs + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "plan-changed" ]]; then + if [[ "$FAILURE_REASON" != "plan-changed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi \ No newline at end of file diff --git a/.github/workflows/test-changes-only.yaml b/.github/workflows/test-changes-only.yaml index 65fb8d4a..f804dfc8 100644 --- a/.github/workflows/test-changes-only.yaml +++ b/.github/workflows/test-changes-only.yaml @@ -1,17 +1,25 @@ -name: Test changes-only PR comment +name: Test terraform-apply changes-only PR comment on: - pull_request +permissions: + contents: read + jobs: no_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: changes-only should not create a comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan without changes uses: ./terraform-plan 
@@ -22,10 +30,10 @@ jobs: add_github_comment: changes-only - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" - - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: output changes not set correctly" exit 1 fi @@ -38,20 +46,27 @@ jobs: path: tests/workflows/test-changes-only - name: Check failure-reason + env: + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi change_then_no_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: changes-only should still replace a change comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan changes uses: ./terraform-plan @@ -64,10 +79,10 @@ jobs: add_github_comment: changes-only - name: Verify changes + env: + CHANGES: ${{ steps.changes-plan.outputs.changes }} run: | - echo "changes=${{ steps.changes-plan.outputs.changes }}" - - if [[ "${{ steps.changes-plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi @@ -83,10 +98,10 @@ jobs: add_github_comment: changes-only - name: Verify no changes + env: + CHANGES: ${{ steps.plan.outputs.changes }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" - - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: output changes not set correctly" exit 1 fi 
@@ -101,20 +116,27 @@ jobs: cause-changes=false - name: Check failure-reason + env: + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi no_changes_then_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply with changes should fail after a changes-only plan with no changes + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan no changes uses: ./terraform-plan @@ -127,10 +149,10 @@ jobs: add_github_comment: changes-only - name: Verify no changes + env: + CHANGES: ${{ steps.plan.outputs.changes }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" - - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: output changes not set correctly" exit 1 fi @@ -146,25 +168,33 @@ jobs: cause-changes=true - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "plan-changed" ]]; then + if [[ "$FAILURE_REASON" != "plan-changed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi apply_when_plan_has_changed: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Apply should fail if the approved plan has changed + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan Changes uses: ./terraform-plan 
@@ -186,13 +216,17 @@ jobs: len=4 - name: Check failed to apply + env: + OUTCOME: ${{ steps.apply.outcome }} + FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.failure-reason }}" != "plan-changed" ]]; then + if [[ "$FAILURE_REASON" != "plan-changed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + diff --git a/.github/workflows/test-check.yaml b/.github/workflows/test-check.yaml index 57527d29..cb3631d2 100644 --- a/.github/workflows/test-check.yaml +++ b/.github/workflows/test-check.yaml @@ -3,13 +3,18 @@ name: Test terraform-check on: - pull_request +permissions: + contents: read + jobs: no_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: No changes steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check uses: ./terraform-check @@ -18,18 +23,22 @@ jobs: path: tests/workflows/test-check/no_changes - name: Check failure-reason + env: + FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} run: | - if [[ "${{ steps.check.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi plan_change_comment: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Changes steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check uses: ./terraform-check 
@@ -39,13 +48,16 @@ jobs: path: tests/workflows/test-check/changes - name: Check failure-reason + env: + OUTCOME: ${{ steps.check.outcome }} + FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} run: | - if [[ "${{ steps.check.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Check did not fail correctly" exit 1 fi - if [[ "${{ steps.check.outputs.failure-reason }}" != "changes-to-apply" ]]; then + if [[ "$FAILURE_REASON" != "changes-to-apply" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi diff --git a/.github/workflows/test-cloud.yaml b/.github/workflows/test-cloud.yaml index 8483fe64..f40a6ab6 100644 --- a/.github/workflows/test-cloud.yaml +++ b/.github/workflows/test-cloud.yaml @@ -3,10 +3,16 @@ name: Test Terraform cloud on: - pull_request +permissions: + contents: read + jobs: workspaces: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Terraform Cloud + permissions: + contents: read + pull-requests: write strategy: fail-fast: false matrix: @@ -14,6 +20,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create a new workspace with no existing workspaces uses: ./terraform-new-workspace 
@@ -50,34 +58,40 @@ jobs: from_variables="from_variables" - name: Verify auto_apply terraform outputs + env: + OUTPUT_DEFAULT: ${{ steps.auto_apply.outputs.default }} + FROM_TFVARS: ${{ steps.auto_apply.outputs.from_tfvars }} + FROM_VARIABLES: ${{ steps.auto_apply.outputs.from_variables }} + TEXT_PLAN_PATH: ${{ steps.auto_apply.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.auto_apply.outputs.json_plan_path }} + RUN_ID: ${{ steps.auto_apply.outputs.run_id }} run: | - if [[ "${{ steps.auto_apply.outputs.default }}" != "default" ]]; then + if [[ "$OUTPUT_DEFAULT" != "default" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if [[ "${{ steps.auto_apply.outputs.from_tfvars }}" != "from_tfvars" ]]; then + if [[ "$FROM_TFVARS" != "from_tfvars" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if [[ "${{ steps.auto_apply.outputs.from_variables }}" != "from_variables" ]]; then + if [[ "$FROM_VARIABLES" != "from_variables" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if [[ -n "${{ steps.auto_apply.outputs.text_plan_path }}" ]]; then + if [[ -n "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.auto_apply.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - echo '${{ steps.auto_apply.outputs.run_id }}' - if [[ "${{ steps.auto_apply.outputs.run_id }}" != "run-"* ]]; then + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi 
@@ -91,19 +105,23 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify auto_apply terraform outputs with workspace prefix + env: + OUTPUT_DEFAULT: ${{ steps.output.outputs.default }} run: | - if [[ "${{ steps.output.outputs.default }}" != "default" ]]; then + if [[ "$OUTPUT_DEFAULT" != "default" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - name: Setup terraform with workspace name + env: + HEAD_REF: ${{ github.head_ref }} run: | mkdir fixed-workspace-name if [[ "${{ matrix.tf_version }}" == "0.13" ]]; then - sed -e 's/prefix.*/name = "github-actions-0-13-${{ github.head_ref }}-1"/' tests/workflows/test-cloud/${{ matrix.tf_version }}/main.tf > fixed-workspace-name/main.tf + sed -e 's/prefix.*/name = "github-actions-0-13-'"$HEAD_REF"'-1"/' tests/workflows/test-cloud/${{ matrix.tf_version }}/main.tf > fixed-workspace-name/main.tf else - sed -e 's/prefix.*/name = "github-actions-1-1-${{ github.head_ref }}-1"/' tests/workflows/test-cloud/${{ matrix.tf_version }}/main.tf > fixed-workspace-name/main.tf + sed -e 's/prefix.*/name = "github-actions-1-1-'"$HEAD_REF"'-1"/' tests/workflows/test-cloud/${{ matrix.tf_version }}/main.tf > fixed-workspace-name/main.tf fi - name: Get outputs @@ -114,8 +132,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify auto_apply terraform outputs with workspace name + env: + OUTPUT_DEFAULT: ${{ steps.name-output.outputs.default }} run: | - if [[ "${{ steps.name-output.outputs.default }}" != "default" ]]; then + if [[ "$OUTPUT_DEFAULT" != "default" ]]; then echo "::error:: Variables not set correctly" exit 1 fi 
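Review bot: In `Setup terraform with workspace name`, `HEAD_REF` is no longer expanded by the shell, which is the right fix for command injection, but it is still spliced into the sed program itself (`'"$HEAD_REF"'`), so a branch name containing `/` — `feature/foo` is typical — terminates the `s///` expression and sed fails, and characters sed treats specially in a replacement (`&`, `\`) are interpreted rather than copied. `github.head_ref` is chosen by whoever opens the pull request, so it should be validated before it becomes part of a script; a guard at the top of the step, `if [[ ! "$HEAD_REF" =~ ^[A-Za-z0-9._-]+$ ]]; then echo "::error:: unsupported branch name"; exit 1; fi`, keeps both sed calls unchanged and fails clearly instead. `matrix.tf_version` is still interpolated directly into the `run:` script on the same lines; it comes from the workflow's own matrix, so that is a consistency point rather than an exposure, but an `env:` entry for it would match the rest of this change.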
@@ -145,13 +165,16 @@ jobs: from_variables="Changed!" - name: Verify changes detected + env: + CHECK_OUTCOME: ${{ steps.check.outcome }} + FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} run: | - if [[ "${{ steps.check.outcome }}" != "failure" ]]; then + if [[ "$CHECK_OUTCOME" != "failure" ]]; then echo "Check didn't fail correctly" exit 1 fi - if [[ "${{ steps.check.outputs.failure-reason }}" != "changes-to-apply" ]]; then + if [[ "$FAILURE_REASON" != "changes-to-apply" ]]; then echo "failure-reason not set correctly" exit 1 fi @@ -178,26 +201,29 @@ jobs: from_variables="from_variables" - name: Verify plan outputs + env: + PLAN_CHANGES: ${{ steps.plan.outputs.changes }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$PLAN_CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - echo '${{ steps.plan.outputs.run_id }}' - if [[ "${{ steps.plan.outputs.run_id }}" != "run-"* ]]; then + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi - echo '${{ steps.plan.outputs.json_plan_path }}' - jq .output_changes.from_variables.actions[0] "${{ steps.plan.outputs.json_plan_path }}" - if [[ $(jq -r .output_changes.from_variables.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + jq .output_changes.from_variables.actions[0] "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.from_variables.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi 
@@ -217,34 +243,40 @@ jobs: from_variables="from_variables" - name: Verify apply terraform outputs + env: + OUTPUT_DEFAULT: ${{ steps.apply.outputs.default }} + FROM_TFVARS: ${{ steps.apply.outputs.from_tfvars }} + FROM_VARIABLES: ${{ steps.apply.outputs.from_variables }} + TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outputs.default }}" != "default" ]]; then + if [[ "$OUTPUT_DEFAULT" != "default" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.from_tfvars }}" != "from_tfvars" ]]; then + if [[ "$FROM_TFVARS" != "from_tfvars" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if [[ "${{ steps.apply.outputs.from_variables }}" != "from_variables" ]]; then + if [[ "$FROM_VARIABLES" != "from_variables" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - - if ! grep -q "Terraform will perform the following actions" '${{ steps.apply.outputs.text_plan_path }}'; then + + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - - echo '${{ steps.apply.outputs.run_id }}' - if [[ "${{ steps.apply.outputs.run_id }}" != "run-"* ]]; then + + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi 
@@ -264,22 +296,30 @@ jobs: path: tests/workflows/test-cloud/${{ matrix.tf_version }} workspace: ${{ github.head_ref }}-1 backend_config: token=${{ secrets.TF_API_TOKEN }} + - name: Check failed to destroy + env: + DESTROY_OUTCOME: ${{ steps.destroy-non-existant-workspace.outcome }} run: | - if [[ "${{ steps.destroy-non-existant-workspace.outcome }}" != "failure" ]]; then + if [[ "$DESTROY_OUTCOME" != "failure" ]]; then echo "Destroy non-existant workspace" exit 1 fi cloud: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Partial cloud config + permissions: + contents: read + pull-requests: write env: TF_CLOUD_ORGANIZATION: flooktech TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_API_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create a new workspace with no existing workspaces uses: ./terraform-new-workspace 
@@ -308,24 +348,28 @@ jobs: auto_approve: true - name: Verify auto_apply terraform outputs + env: + OUTPUT_LEN: ${{ steps.auto_apply.outputs.len }} + TEXT_PLAN_PATH: ${{ steps.auto_apply.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.auto_apply.outputs.json_plan_path }} + RUN_ID: ${{ steps.auto_apply.outputs.run_id }} run: | - if [[ "${{ steps.auto_apply.outputs.len }}" != "5" ]]; then + if [[ "$OUTPUT_LEN" != "5" ]]; then echo "::error:: output not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.auto_apply.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ! -f "${{ steps.auto_apply.outputs.json_plan_path }}" ]]; then + if [[ ! -f "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should be set" exit 1 fi - echo '${{ steps.auto_apply.outputs.run_id }}' - if [[ "${{ steps.auto_apply.outputs.run_id }}" != "run-"* ]]; then + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi @@ -338,8 +382,10 @@ jobs: workspace: ${{ github.head_ref }}-cloud-1 - name: Verify terraform-output outputs + env: + OUTPUT_LEN: ${{ steps.output.outputs.len }} run: | - if [[ "${{ steps.output.outputs.len }}" != "5" ]]; then + if [[ "$OUTPUT_LEN" != "5" ]]; then echo "::error:: output not set correctly" exit 1 fi @@ -361,13 +407,16 @@ jobs: length=6 - name: Verify changes detected + env: + CHECK_OUTCOME: ${{ steps.check.outcome }} + FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} run: | - if [[ "${{ steps.check.outcome }}" != "failure" ]]; then + if [[ "$CHECK_OUTCOME" != "failure" ]]; then echo "Check didn't fail correctly" exit 1 fi - if [[ "${{ steps.check.outputs.failure-reason }}" != "changes-to-apply" ]]; then + if [[ "$FAILURE_REASON" != "changes-to-apply" ]]; then echo "failure-reason not set correctly" exit 1 fi 
@@ -389,24 +438,28 @@ jobs: workspace: ${{ github.head_ref }}-cloud-2 - name: Verify plan outputs + env: + PLAN_CHANGES: ${{ steps.plan.outputs.changes }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$PLAN_CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ! -f "${{ steps.auto_apply.outputs.json_plan_path }}" ]]; then + if [[ ! -f "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should be set" exit 1 fi - - echo '${{ steps.plan.outputs.run_id }}' - if [[ "${{ steps.plan.outputs.run_id }}" != "run-"* ]]; then + + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi 
@@ -422,24 +475,28 @@ jobs: workspace: ${{ github.head_ref }}-cloud-2 - name: Verify apply terraform outputs + env: + OUTPUT_LEN: ${{ steps.apply.outputs.len }} + TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} + JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.apply.outputs.len }}" != "5" ]]; then + if [[ "$OUTPUT_LEN" != "5" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - - if ! grep -q "Terraform will perform the following actions" '${{ steps.apply.outputs.text_plan_path }}'; then + + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ! -f "${{ steps.apply.outputs.json_plan_path }}" ]]; then + if [[ ! -f "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should be set" exit 1 fi - echo '${{ steps.apply.outputs.run_id }}' - if [[ "${{ steps.apply.outputs.run_id }}" != "run-"* ]]; then + if [[ "$RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi 
@@ -465,45 +522,52 @@ jobs: workspace: ${{ github.head_ref }}-cloud-2 - name: Verify apply with no changes + env: + PLAN_CHANGES: ${{ steps.plan-no-changes.outputs.changes }} + APPLY_OUTPUT_LEN: ${{ steps.apply-no-changes.outputs.len }} + PLAN_TEXT_PLAN_PATH: ${{ steps.plan-no-changes.outputs.text_plan_path }} + APPLY_TEXT_PLAN_PATH: ${{ steps.apply-no-changes.outputs.text_plan_path }} + PLAN_JSON_PLAN_PATH: ${{ steps.plan-no-changes.outputs.json_plan_path }} + APPLY_JSON_PLAN_PATH: ${{ steps.apply-no-changes.outputs.json_plan_path }} + PLAN_RUN_ID: ${{ steps.plan-no-changes.outputs.run_id }} + APPLY_RUN_ID: ${{ steps.apply-no-changes.outputs.run_id }} run: | - if [[ "${{ steps.plan-no-changes.outputs.changes }}" != "false" ]]; then + if [[ "$PLAN_CHANGES" != "false" ]]; then echo "::error:: changes output not set correctly" exit 1 fi - if [[ "${{ steps.apply-no-changes.outputs.len }}" != "5" ]]; then + if [[ "$APPLY_OUTPUT_LEN" != "5" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if ! grep -q "No changes. Your infrastructure matches the configuration." '${{ steps.plan-no-changes.outputs.text_plan_path }}'; then + if ! grep -q "No changes. Your infrastructure matches the configuration." "$PLAN_TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes. Your infrastructure matches the configuration." '${{ steps.apply-no-changes.outputs.text_plan_path }}'; then + if ! grep -q "No changes. Your infrastructure matches the configuration." "$APPLY_TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ! -f "${{ steps.plan-no-changes.outputs.json_plan_path }}" ]]; then + if [[ ! -f "$PLAN_JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should be set" exit 1 fi - if [[ ! -f "${{ steps.apply-no-changes.outputs.json_plan_path }}" ]]; then + if [[ ! 
-f "$APPLY_JSON_PLAN_PATH" ]]; then
 echo "::error:: json_plan_path should be set"
 exit 1
 fi
- echo '${{ steps.plan-no-changes.outputs.run_id }}'
- if [[ "${{ steps.plan-no-changes.outputs.run_id }}" != "run-"* ]]; then
+ if [[ "$PLAN_RUN_ID}" != "run-"* ]]; then
 echo "::error:: output run_id not set correctly"
 exit 1
 fi
- echo '${{ steps.apply-no-changes.outputs.run_id }}'
- if [[ "${{ steps.apply-no-changes.outputs.run_id }}" != "run-"* ]]; then
+ if [[ "$APPLY_RUN_ID" != "run-"* ]]; then
 echo "::error:: output run_id not set correctly"
 exit 1
 fi
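Review bot: `if [[ "$PLAN_RUN_ID}" != "run-"* ]]; then` in the Verify apply with no changes step carries a stray `}` inside the quotes, so the left-hand side is the run id with a literal `}` appended. The unquoted trailing `*` in the pattern still matches that, which is why the typo passes silently instead of failing the job. Change it to `if [[ "$PLAN_RUN_ID" != "run-"* ]]; then`, matching the `$APPLY_RUN_ID` check a few lines below.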
@@ -534,35 +598,40 @@ jobs:
 length=8
 - name: Verify saved apply with changes
+ env:
+ SAVED_PLAN_CHANGES: ${{ steps.saved-plan-changes.outputs.changes }}
+ SAVED_APPLY_OUTPUT_LEN: ${{ steps.saved-apply-changes.outputs.len }}
+ SAVED_PLAN_TEXT_PLAN_PATH: ${{ steps.saved-plan-changes.outputs.text_plan_path }}
+ SAVED_PLAN_JSON_PLAN_PATH: ${{ steps.saved-plan-changes.outputs.json_plan_path }}
+ SAVED_PLAN_RUN_ID: ${{ steps.saved-plan-changes.outputs.run_id }}
+ SAVED_APPLY_RUN_ID: ${{ steps.saved-apply-changes.outputs.run_id }}
 run: |
- if [[ "${{ steps.saved-plan-changes.outputs.changes }}" != "true" ]]; then
+ if [[ "$SAVED_PLAN_CHANGES" != "true" ]]; then
 echo "::error:: changes output not set correctly"
 exit 1
 fi
- if [[ "${{ steps.saved-apply-changes.outputs.len }}" != "8" ]]; then
+ if [[ "$SAVED_APPLY_OUTPUT_LEN" != "8" ]]; then
 echo "::error:: Variables not set correctly"
 exit 1
 fi
- if ! grep -q "Terraform will perform the following actions" '${{ steps.saved-plan-changes.outputs.text_plan_path }}'; then
+ if ! grep -q "Terraform will perform the following actions" $SAVED_PLAN_TEXT_PLAN_PATH; then
 echo "::error:: text_plan_path not set correctly"
 exit 1
 fi
- if [[ ! -f "${{ steps.saved-plan-changes.outputs.json_plan_path }}" ]]; then
+ if [[ ! -f "$SAVED_PLAN_JSON_PLAN_PATH" ]]; then
 echo "::error:: json_plan_path should be set"
 exit 1
 fi
- echo '${{ steps.saved-plan-changes.outputs.run_id }}'
- if [[ "${{ steps.saved-plan-changes.outputs.run_id }}" != "run-"* ]]; then
+ if [[ "$SAVED_PLAN_RUN_ID" != "run-"* ]]; then
 echo "::error:: output run_id not set correctly"
 exit 1
 fi
- echo '${{ steps.saved-apply-changes.outputs.run_id }}'
- if [[ "${{ steps.saved-apply-changes.outputs.run_id }}" != "run-"* ]]; then
+ if [[ "$SAVED_APPLY_RUN_ID" != "run-"* ]]; then
 echo "::error:: output run_id not set correctly"
 exit 1
 fi
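Review bot: `$SAVED_PLAN_TEXT_PLAN_PATH` in the grep of the Verify saved apply with changes step is the only expanded path in this change left unquoted. If the output is empty, grep falls back to reading stdin instead of failing on a missing file, and a path containing whitespace or glob characters is split or expanded, so the step would not fail for the reason its `::error::` message claims. Use `if ! grep -q "Terraform will perform the following actions" "$SAVED_PLAN_TEXT_PLAN_PATH"; then`, as every other job in this change does.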
@@ -593,35 +662,40 @@ jobs: length=8 - name: Verify saved apply with no changes + env: + SAVED_PLAN_NO_CHANGES: ${{ steps.saved-plan-no-changes.outputs.changes }} + SAVED_APPLY_OUTPUT_LEN: ${{ steps.saved-apply-no-changes.outputs.len }} + SAVED_PLAN_TEXT_PLAN_PATH: ${{ steps.saved-plan-no-changes.outputs.text_plan_path }} + SAVED_PLAN_JSON_PLAN_PATH: ${{ steps.saved-plan-no-changes.outputs.json_plan_path }} + SAVED_PLAN_RUN_ID: ${{ steps.saved-plan-no-changes.outputs.run_id }} + SAVED_APPLY_RUN_ID: ${{ steps.saved-apply-no-changes.outputs.run_id }} run: | - if [[ "${{ steps.saved-plan-no-changes.outputs.changes }}" != "false" ]]; then + if [[ "$SAVED_PLAN_NO_CHANGES" != "false" ]]; then echo "::error:: changes output not set correctly" exit 1 fi - if [[ "${{ steps.saved-apply-no-changes.outputs.len }}" != "8" ]]; then + if [[ "$SAVED_APPLY_OUTPUT_LEN" != "8" ]]; then echo "::error:: Variables not set correctly" exit 1 fi - if ! grep -q "No changes. Your infrastructure matches the configuration." '${{ steps.saved-plan-no-changes.outputs.text_plan_path }}'; then + if ! grep -q "No changes. Your infrastructure matches the configuration." "$SAVED_PLAN_TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ! -f "${{ steps.saved-plan-no-changes.outputs.json_plan_path }}" ]]; then + if [[ ! -f "$SAVED_PLAN_JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should be set" exit 1 fi - echo '${{ steps.saved-plan-no-changes.outputs.run_id }}' - if [[ "${{ steps.saved-plan-no-changes.outputs.run_id }}" != "run-"* ]]; then + if [[ "$SAVED_PLAN_RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi - echo '${{ steps.saved-apply-no-changes.outputs.run_id }}' - if [[ "${{ steps.saved-apply-no-changes.outputs.run_id }}" != "run-"* ]]; then + if [[ "$SAVED_APPLY_RUN_ID" != "run-"* ]]; then echo "::error:: output run_id not set correctly" exit 1 fi 
@@ -641,8 +715,10 @@ jobs: workspace: ${{ github.head_ref }}-cloud-1 - name: Check failed to destroy + env: + DESTROY_OUTCOME: ${{ steps.destroy-non-existent-workspace.outcome }} run: | - if [[ "${{ steps.destroy-non-existent-workspace.outcome }}" != "failure" ]]; then + if [[ "$DESTROY_OUTCOME" != "failure" ]]; then echo "Destroy non-existant workspace" exit 1 fi diff --git a/.github/workflows/test-fmt-check.yaml b/.github/workflows/test-fmt-check.yaml index 712c3e14..193762e1 100644 --- a/.github/workflows/test-fmt-check.yaml +++ b/.github/workflows/test-fmt-check.yaml @@ -3,13 +3,18 @@ name: Test terraform-fmt-check on: - pull_request +permissions: + contents: read + jobs: canonical_fmt: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Canonical fmt steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: fmt-check uses: ./terraform-fmt-check @@ -18,19 +23,23 @@ jobs: path: tests/workflows/test-fmt-check/canonical - name: Check valid + env: + FAILURE_REASON: ${{ steps.fmt-check.outputs.failure-reason }} run: | - if [[ "${{ steps.fmt-check.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi non_canonical_fmt: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Non canonical fmt continue-on-error: true steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: fmt-check uses: ./terraform-fmt-check 
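Review bot: `continue-on-error: true` on the `non_canonical_fmt` job in test-fmt-check.yaml (context in the last hunk here) applies to the whole job, so the Check invalid assertion that follows cannot fail the workflow run and a regression in `failure-reason` would be reported green. If the intent is only to let the `fmt-check` step itself fail without aborting, that step should carry `continue-on-error: true` instead and the job-level line should be dropped; the step's own settings run past this hunk, so I can't tell whether it already has it. The new `permissions: contents: read` and `persist-credentials: false` are fine but don't change this.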
@@ -40,13 +49,16 @@ jobs: path: tests/workflows/test-fmt-check/non-canonical - name: Check invalid + env: + OUTCOME: ${{ steps.fmt-check.outcome }} + FAILURE_REASON: ${{ steps.fmt-check.outputs.failure-reason }} run: | - if [[ "${{ steps.fmt-check.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "fmt-check did not fail correctly" exit 1 fi - if [[ "${{ steps.fmt-check.outputs.failure-reason }}" != "check-failed" ]]; then + if [[ "$FAILURE_REASON" != "check-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi diff --git a/.github/workflows/test-fmt.yaml b/.github/workflows/test-fmt.yaml index dd78dab3..643984c2 100644 --- a/.github/workflows/test-fmt.yaml +++ b/.github/workflows/test-fmt.yaml @@ -3,13 +3,18 @@ name: Test terraform-fmt on: - pull_request +permissions: + contents: read + jobs: canonical_fmt: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Canonical fmt steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: terraform fmt uses: ./terraform-fmt diff --git a/.github/workflows/test-http.yaml b/.github/workflows/test-http.yaml index 29b380d1..37b8254a 100644 --- a/.github/workflows/test-http.yaml +++ b/.github/workflows/test-http.yaml @@ -1,4 +1,4 @@ -name: Test HTTP Credentials +name: Test terraform-apply using HTTP Credentials on: - pull_request @@ -6,9 +6,12 @@ on: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read + jobs: git_http_full_path_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: git+http full path creds env: TERRAFORM_HTTP_CREDENTIALS: | @@ -18,6 +21,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -27,14 +32,16 @@ jobs: auto_approve: true - name: Verify outputs + env: + OUTPUT_GIT_HTTPS: ${{ steps.output.outputs.git_https }} run: | - if [[ "${{ steps.output.outputs.git_https }}" != "hello" ]]; then + if [[ "$OUTPUT_GIT_HTTPS" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi git_http_partial_path_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: git+http partial path creds env: TERRAFORM_HTTP_CREDENTIALS: | @@ -44,6 +51,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply @@ -53,14 +62,16 @@ jobs: auto_approve: true - name: Verify outputs + env: + OUTPUT_GIT_HTTPS: ${{ steps.output.outputs.git_https }} run: | - if [[ "${{ steps.output.outputs.git_https }}" != "hello" ]]; then + if [[ "$OUTPUT_GIT_HTTPS" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi git_http_no_path_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: git+http no path env: TERRAFORM_HTTP_CREDENTIALS: | @@ -70,6 +81,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply @@ -79,18 +92,22 @@ jobs: auto_approve: true - name: Verify outputs + env: + OUTPUT_GIT_HTTPS: ${{ steps.output.outputs.git_https }} run: | - if [[ "${{ steps.output.outputs.git_https }}" != "hello" ]]; then + if [[ "$OUTPUT_GIT_HTTPS" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi git_no_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: git+http no creds steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -101,14 +118,16 @@ jobs: auto_approve: true - name: Check failed + env: + OUTCOME: ${{ steps.apply.outcome }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "did not fail correctly with no http credentials" exit 1 fi http_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: http module source env: TERRAFORM_HTTP_CREDENTIALS: | @@ -116,12 +135,16 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create dummy credential file + env: + RUNNER_TEMP_D: ${{ runner.temp }} run: | - mkdir -p ${{ runner.temp }}/_github_home - cp tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc - ls -la ${{ runner.temp }} + mkdir -p "$RUNNER_TEMP_D/_github_home" + cp tests/workflows/test-http/http-module/netrc "$RUNNER_TEMP_D/_github_home/.netrc" + ls -la "$RUNNER_TEMP_D" - name: Apply uses: ./terraform-apply @@ -131,21 +154,26 @@ jobs: auto_approve: true - name: Verify outputs + env: + OUTPUT_HTTPS: ${{ steps.output.outputs.https }} + RUNNER_TEMP_D: ${{ runner.temp }} run: | - if [[ "${{ steps.output.outputs.https }}" != "hello" ]]; then + if [[ "$OUTPUT_HTTPS" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi # Check the credential file is as before - diff tests/workflows/test-http/http-module/netrc ${{ runner.temp }}/_github_home/.netrc + diff tests/workflows/test-http/http-module/netrc "$RUNNER_TEMP_D/_github_home/.netrc" http_no_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: http module source with no credentials steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply 
@@ -156,8 +184,10 @@ jobs: auto_approve: true - name: Check failed + env: + OUTCOME: ${{ steps.apply.outcome }} run: | - if [[ "${{ steps.apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "did not fail correctly with no http credentials" exit 1 fi diff --git a/.github/workflows/test-new-workspace.yaml b/.github/workflows/test-new-workspace.yaml index 49acaa3d..6d73e629 100644 --- a/.github/workflows/test-new-workspace.yaml +++ b/.github/workflows/test-new-workspace.yaml @@ -3,9 +3,12 @@ name: Test terraform-new/destroy-workspace on: - pull_request +permissions: + contents: read + jobs: workspace_management: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Workspace management strategy: fail-fast: false @@ -17,6 +20,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup remote backend run: | @@ -81,13 +86,16 @@ jobs: workspace: ${{ github.head_ref }} - name: Verify outputs + env: + FIRST_MY_STRING: ${{ steps.first.outputs.my_string }} + SECOND_MY_STRING: ${{ steps.second.outputs.my_string }} run: | - if [[ "${{ steps.first.outputs.my_string }}" != "hello" ]]; then + if [[ "$FIRST_MY_STRING" != "hello" ]]; then echo "::error:: output my_string not set correctly for first workspace" exit 1 fi - if [[ "${{ steps.second.outputs.my_string }}" != "world" ]]; then + if [[ "$SECOND_MY_STRING" != "world" ]]; then echo "::error:: output my_string not set correctly for second workspace" exit 1 fi diff --git a/.github/workflows/test-output.yaml b/.github/workflows/test-output.yaml index 7427073e..2b1074e8 100644 --- a/.github/workflows/test-output.yaml +++ b/.github/workflows/test-output.yaml 
@@ -3,17 +3,22 @@ name: Test terraform-output on: - pull_request +permissions: + contents: read + env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: terraform-output: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: verify outputs steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get outputs uses: ./terraform-output 
@@ -21,64 +26,63 @@ jobs: with: path: tests/workflows/test-output - - name: Print the outputs - run: | - echo "my_number = ${{ steps.terraform-output.outputs.my_number }}" - echo "my_sensitive_number = ${{ steps.terraform-output.outputs.my_sensitive_number }}" - echo "my_string = ${{ steps.terraform-output.outputs.my_string }}" - echo "my_sensitive_string = ${{ steps.terraform-output.outputs.my_sensitive_string }}" - echo "my_multiline_string = ${{ steps.terraform-output.outputs.my_multiline_string }}" - echo "my_sensitive_multiline_string = ${{ steps.terraform-output.outputs.my_sensitive_multiline_string }}" - echo "my_bool = ${{ steps.terraform-output.outputs.my_bool }}" - echo "my_sensitive_bool = ${{ steps.terraform-output.outputs.my_sensitive_bool }}" - - name: Verify outputs env: + MY_NUMBER: ${{ steps.terraform-output.outputs.my_number }} + MY_SENSITIVE_NUMBER: ${{ steps.terraform-output.outputs.my_sensitive_number }} + MY_STRING: ${{ steps.terraform-output.outputs.my_string }} + MY_SENSITIVE_STRING: ${{ steps.terraform-output.outputs.my_sensitive_string }} + MY_MULTILINE_STRING: ${{ steps.terraform-output.outputs.my_multiline_string }} + MY_SENSITIVE_MULTILINE_STRING: ${{ steps.terraform-output.outputs.my_sensitive_multiline_string }} + MY_BOOL: ${{ steps.terraform-output.outputs.my_bool }} + MY_SENSITIVE_BOOL: ${{ steps.terraform-output.outputs.my_sensitive_bool }} AWKWARD_STRING: ${{ steps.terraform-output.outputs.awkward_string }} AWKWARD_OBJ: ${{ join(fromJson(steps.terraform-output.outputs.awkward_compound_output).nested.thevalue) }} - + MY_OBJECT_FIRST: ${{ fromJson(steps.terraform-output.outputs.my_object).first }} + MY_TUPLE: ${{ join(fromJson(steps.terraform-output.outputs.my_tuple)) }} + MY_SET: ${{ contains(fromJson(steps.terraform-output.outputs.my_set), 'one') }} run: | - if [[ "${{ steps.terraform-output.outputs.my_number }}" != "5" ]]; then + if [[ "$MY_NUMBER" != "5" ]]; then echo "::error:: output my_number not set correctly" exit 1 fi - if 
[[ "${{ steps.terraform-output.outputs.my_sensitive_number }}" != "6" ]]; then + if [[ "$MY_SENSITIVE_NUMBER" != "6" ]]; then echo "::error:: output my_sensitive_number not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_string }}" != "hello" ]]; then + if [[ "$MY_STRING" != "hello" ]]; then echo "::error:: output my_string not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_sensitive_string }}" != "password" ]]; then + if [[ "$MY_SENSITIVE_STRING" != "password" ]]; then echo "::error:: output my_sensitive_string not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_bool }}" != "true" ]]; then + if [[ "$MY_BOOL" != "true" ]]; then echo "::error:: output my_bool not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_sensitive_bool }}" != "false" ]]; then + if [[ "$MY_SENSITIVE_BOOL" != "false" ]]; then echo "::error:: output my_number not set correctly" exit 1 fi - if [[ "${{ fromJson(steps.terraform-output.outputs.my_object).first }}" != "one" ]]; then + if [[ "$MY_OBJECT_FIRST" != "one" ]]; then echo "::error:: fromJson(my_object).first not set correctly" exit 1 fi - if [[ "${{ join(fromJson(steps.terraform-output.outputs.my_tuple)) }}" != "one,two" ]]; then + if [[ "$MY_TUPLE" != "one,two" ]]; then echo "::error:: join(fromJson(my_set)) not set correctly" exit 1 fi - if [[ "${{ contains(fromJson(steps.terraform-output.outputs.my_set), 'one') }}" != "true" ]]; then + if [[ "$MY_SET" != "true" ]]; then echo "::error:: contains(fromJson(my_set)) not set correctly" exit 1 fi 
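Review bot: the deleted Print the outputs step was the only place the `my_sensitive_*` values were written to the job log, and the rewritten Verify outputs step only compares them and never echoes them on failure; that property is worth pinning so it survives the next debugging session. I'd add above the step's `env:` block: `# Sensitive outputs are compared, never echoed: Actions does not mask step outputs on its own, so printing them would put the fixture values in the log.` The masking statement reflects Actions behaviour as I understand it, not anything visible in this hunk. The step's multi-line comparisons continue past the hunk.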
@@ -97,9 +101,7 @@ jobs: trewptonopce zxicvbnoberg" - actual_sensitive_multiline="${{ steps.terraform-output.outputs.my_sensitive_multiline_string }}" - - if [[ "$expected_sensitive_multiline" != "$actual_sensitive_multiline" ]]; then + if [[ "$expected_sensitive_multiline" != "$MY_SENSITIVE_MULTILINE_STRING" ]]; then echo "::error:: steps.terraform-output.outputs.my_sensitive_multiline_string not set correctly" exit 1 fi @@ -108,9 +110,7 @@ jobs: iyriuytifdcv pydrtdxfgcvj" - actual_multiline="${{ steps.terraform-output.outputs.my_multiline_string }}" - - if [[ "$expected_multiline" != "$actual_multiline" ]]; then + if [[ "$expected_multiline" != "$MY_MULTILINE_STRING" ]]; then echo "::error:: steps.terraform-output.outputs.my_multiline_string not set correctly" exit 1 fi diff --git a/.github/workflows/test-plan.yaml b/.github/workflows/test-plan.yaml index a50de6ef..91cc25ae 100644 --- a/.github/workflows/test-plan.yaml +++ b/.github/workflows/test-plan.yaml @@ -3,15 +3,23 @@ name: Test terraform-plan on: - pull_request +permissions: + contents: read + jobs: no_changes: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: No changes + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -20,31 +28,37 @@ jobs: path: tests/workflows/test-plan/no_changes - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + PLAN_PATH: ${{ steps.plan.outputs.plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .format_version "${{ steps.plan.outputs.json_plan_path }}") != "1.2" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if ! [[ -f '${{ steps.plan.outputs.plan_path }}' ]]; then + if ! [[ -f "$PLAN_PATH" ]]; then echo "::error:: plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi @@ -56,13 +70,18 @@ jobs: exit 1 no_changes_no_comment: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: No changes without comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
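Review bot: `RUN_ID: ${{ steps.apply.outputs.run_id }}` in the `no_changes` job's Verify outputs step references a step id that is not visible anywhere in this job, so `$RUN_ID` is always empty and the `run_id should not be set` assertion can never fail. The `plan_change_comment_*` jobs later in this same change switch the expression to `steps.plan.outputs.run_id`; do the same here: `RUN_ID: ${{ steps.plan.outputs.run_id }}`. The pre-existing inline expression had the same problem, but moving it into `env:` is the moment to fix it rather than copy it.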
@@ -72,31 +91,40 @@ jobs: add_github_comment: false - name: Verify outputs + env: + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .format_version "${{ steps.plan.outputs.json_plan_path }}") != "1.2" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "No changes" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "No changes" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi plan_change_comment_11: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 11 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
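Review bot: `RUN_ID: ${{ steps.apply.outputs.run_id }}` in the `no_changes_no_comment` job has the same vacuous reference as the job above: no step with id `apply` is visible in this job, so the `run_id should not be set` check is always satisfied. Change it to `RUN_ID: ${{ steps.plan.outputs.run_id }}` so the assertion actually inspects the plan step, consistent with the `plan_change_comment_*` jobs in this diff.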
@@ -105,40 +133,48 @@ jobs: path: tests/workflows/test-plan/plan_11 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - if [[ -n "${{ steps.plan.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set - not available with terraform 11" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -150,13 +186,18 @@ jobs: exit 1 plan_change_comment_12: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 12 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -165,41 +206,49 @@ jobs: path: tests/workflows/test-plan/plan_12 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
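Review bot: `jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH"` leaves the jq filter unquoted, and `[0]` is a bracket expression to bash, so pathname expansion can rewrite the filter if a file matching `.output_changes.s.actions0` happens to exist in the working directory; quote it: `jq -r '.output_changes.s.actions[0]' "$JSON_PLAN_PATH"`. Also, `cat "$JSON_PLAN_PATH"` runs before anything checks that the output is set, so an empty `json_plan_path` aborts the step with cat's own error under `-e` rather than the `json_plan_path not set correctly` message; guard with `[[ -f "$JSON_PLAN_PATH" ]]` before the `cat`. The same pattern repeats in the terraform 13, 14 and 15 jobs below.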
@@ -211,13 +260,18 @@ jobs: exit 1 plan_change_comment_13: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 13 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -226,41 +280,49 @@ jobs: path: tests/workflows/test-plan/plan_13 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -272,14 +334,19 @@ jobs: exit 1 plan_change_comment_14: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 14 + permissions: + contents: read + pull-requests: write env: TF_PLAN_COLLAPSE_LENGTH: 30 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -288,41 +355,49 @@ jobs: path: tests/workflows/test-plan/plan_14 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -334,14 +409,19 @@ jobs: exit 1 plan_change_comment_15: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 15 + permissions: + contents: read + pull-requests: write env: TF_PLAN_COLLAPSE_LENGTH: 30 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -350,41 +430,49 @@ jobs: path: tests/workflows/test-plan/plan_15 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -396,13 +484,18 @@ jobs: exit 1 plan_change_comment_15_4: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change terraform 15.4 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -411,41 +504,49 @@ jobs: path: tests/workflows/test-plan/plan_15_4 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -457,13 +558,18 @@ jobs: exit 1 plan_change_comment_latest: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change latest terraform + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -472,41 +578,49 @@ jobs: path: tests/workflows/test-plan/plan - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + TO_ADD: ${{ steps.plan.outputs.to_add }} + TO_CHANGE: ${{ steps.plan.outputs.to_change }} + TO_DESTROY: ${{ steps.plan.outputs.to_destroy }} + RUN_ID: ${{ steps.plan.outputs.run_id }} run: | - echo "changes=${{ steps.plan.outputs.changes }}" + echo "changes=$CHANGES" - if [[ "${{ steps.plan.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: output changes not set correctly" exit 1 fi - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_add }} -ne 1 ]]; then + if [[ "$TO_ADD" -ne 1 ]]; then echo "::error:: to_add not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_change }} -ne 0 ]]; then + if [[ "$TO_CHANGE" -ne 0 ]]; then echo "::error:: to_change not set correctly" exit 1 fi - if [[ ${{ steps.plan.outputs.to_destroy }} -ne 0 ]]; then + if [[ "$TO_DESTROY" -ne 0 ]]; then echo "::error:: to_destroy not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi 
@@ -518,13 +632,18 @@ jobs: exit 1 plan_change_no_comment: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change without github comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -534,31 +653,40 @@ jobs: add_github_comment: false - name: Verify outputs + env: + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - cat '${{ steps.plan.outputs.json_plan_path }}' - if [[ $(jq -r .output_changes.s.actions[0] "${{ steps.plan.outputs.json_plan_path }}") != "create" ]]; then + cat "$JSON_PLAN_PATH" + if [[ $(jq -r .output_changes.s.actions[0] "$JSON_PLAN_PATH") != "create" ]]; then echo "::error:: json_plan_path not set correctly" exit 1 fi - if ! grep -q "Terraform will perform the following actions" '${{ steps.plan.outputs.text_plan_path }}'; then + if ! grep -q "Terraform will perform the following actions" "$TEXT_PLAN_PATH"; then echo "::error:: text_plan_path not set correctly" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi error: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Error + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -568,23 +696,27 @@ jobs: path: tests/workflows/test-plan/error - name: Check invalid + env: + OUTCOME: ${{ steps.plan.outcome }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.plan.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Plan did not fail correctly" exit 1 fi - if [[ -n "${{ steps.plan.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.plan.outputs.text_plan_path }}" ]]; then + if [[ -n "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi @@ -596,13 +728,18 @@ jobs: exit 1 error_no_comment: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Error without comment + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
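Review bot: The `env:` block added to the error job's "Check invalid" step defines OUTCOME, TEXT_PLAN_PATH and RUN_ID but not JSON_PLAN_PATH, yet the rewritten script still runs `if [[ -n "$JSON_PLAN_PATH" ]]; then`; with the variable never set the condition is always false and the "json_plan_path should not be set" assertion can no longer fail. The matching steps in error_no_comment and plan_without_token in the next two hunks do include it, so this looks like an omission rather than intent. Adding `JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }}` to this step's `env:` restores the check.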
@@ -613,33 +750,43 @@ jobs: add_github_comment: false - name: Check invalid + env: + OUTCOME: ${{ steps.plan.outcome }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.plan.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Plan did not fail correctly" exit 1 fi - if [[ -n "${{ steps.plan.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.plan.outputs.text_plan_path }}" ]]; then + if [[ -n "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi plan_without_token: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Add comment without token + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
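Review bot: The plan_without_token job header grants `pull-requests: write` even though the job, by design, never exposes GITHUB_TOKEN to its steps (there is no `env:` block, unlike the jobs above it), so the extra permission is unused unless terraform-plan falls back to the runner's default token, which I cannot confirm from the diff. Under the least-privilege intent of this commit the job-level block could be reduced to `permissions:` / `contents: read`. The path_does_not_exist job header in a later hunk has the same shape (no GITHUB_TOKEN, `add_github_comment: false` visible in its verify hunk) and would take the same reduction; the nonsense_credentials and no_ssh_key jobs in the other files already omit the job-level grant and show the intended pattern.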
@@ -649,35 +796,45 @@ jobs: path: tests/workflows/test-plan/error - name: Check invalid + env: + OUTCOME: ${{ steps.plan.outcome }} + JSON_PLAN_PATH: ${{ steps.plan.outputs.json_plan_path }} + TEXT_PLAN_PATH: ${{ steps.plan.outputs.text_plan_path }} + RUN_ID: ${{ steps.apply.outputs.run_id }} run: | - if [[ "${{ steps.plan.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Plan did not fail correctly" exit 1 fi - if [[ -n "${{ steps.plan.outputs.json_plan_path }}" ]]; then + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.plan.outputs.text_plan_path }}" ]]; then + if [[ -n "$TEXT_PLAN_PATH" ]]; then echo "::error:: text_plan_path should not be set" exit 1 fi - if [[ -n "${{ steps.apply.outputs.run_id }}" ]]; then + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 fi plan_single_variable: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Plan single variable + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -688,13 +845,18 @@ jobs: var_file: tests/workflows/test-plan/test.tfvars plan_single_sensitive_variable: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Plan single sensitive variable + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
@@ -705,13 +867,18 @@ jobs: plan_sensitive_variables: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Plan variables some which are sensitive + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -740,13 +907,18 @@ jobs: ] plan_sensitive_var: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Plan using deprecated var and sensitive variable + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -755,13 +927,18 @@ jobs: var: my_sensitive_var=hello plan_change_run_commands: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Change with shell init commands + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan @@ -774,13 +951,18 @@ jobs: echo "testing command 2" default_path: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Default path + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Copy run: cp tests/workflows/test-plan/plan/main.tf ./main.tf @@ -791,11 +973,16 @@ jobs: label: test-plan default_path path_does_not_exist: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Error with invalid paths + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: path uses: ./terraform-plan 
@@ -826,30 +1013,39 @@ jobs: add_github_comment: false - name: Check invalid + env: + PATH_OUTCOME: ${{ steps.path.outcome }} + VAR_FILE_OUTCOME: ${{ steps.var_file.outcome }} + BACKEND_CONFIG_FILE_OUTCOME: ${{ steps.backend_config_file.outcome }} run: | - if [[ "${{ steps.path.outcome }}" != "failure" ]]; then + if [[ "$PATH_OUTCOME" != "failure" ]]; then echo "Non existant path did not fail correctly" exit 1 fi - if [[ "${{ steps.var_file.outcome }}" != "failure" ]]; then + if [[ "$VAR_FILE_OUTCOME" != "failure" ]]; then echo "Non existant var_file did not fail correctly" exit 1 fi - if [[ "${{ steps.backend_config_file.outcome }}" != "failure" ]]; then + if [[ "$BACKEND_CONFIG_FILE_OUTCOME" != "failure" ]]; then echo "Non existant backend_config_file did not fail correctly" exit 1 fi test_plan_1_4: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Test plan text on Terraform 1.4 + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply uses: ./terraform-apply @@ -866,11 +1062,16 @@ jobs: # arm64: # runs-on: buildjet-2vcpu-ubuntu-2204-arm # name: Test on arm64 +# permissions: +# contents: read +# pull-requests: write # env: # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # steps: # - name: Checkout # uses: actions/checkout@v4 +# with: +# persist-credentials: false # # - name: Plan # uses: ./terraform-plan @@ -879,13 +1080,18 @@ jobs: # label: arm64 always_new: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: always-new + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan with label uses: ./terraform-plan 
@@ -912,8 +1118,11 @@ jobs: add_github_comment: always-new colours: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Full colour plan for diff highlighting + permissions: + contents: read + pull-requests: write env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -921,6 +1130,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan with colours uses: ./terraform-plan
@@ -930,23 +1141,28 @@ jobs: variables: diff=true - self-hosted: - runs-on: self-hosted - name: Self-hosted runner - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Plan - uses: ./terraform-plan - with: - label: test-plan self-hosted - path: tests/workflows/test-plan/self-hosted - - - name: Plan Again - uses: ./terraform-plan - with: - label: test-plan self-hosted - path: tests/workflows/test-plan/self-hosted +# self-hosted: +# runs-on: self-hosted +# name: Self-hosted runner +# permissions: +# contents: read +# pull-requests: write +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# steps: +# - name: Checkout +# uses: actions/checkout@v4 +# with: +# persist-credentials: false +# +# - name: Plan +# uses: ./terraform-plan +# with: +# label: test-plan self-hosted +# path: tests/workflows/test-plan/self-hosted +# +# - name: Plan Again +# uses: ./terraform-plan +# with: +# label: test-plan self-hosted +# path: tests/workflows/test-plan/self-hosted
diff --git a/.github/workflows/test-registry.yaml b/.github/workflows/test-registry.yaml
index b895e393..adc19c79 100644
--- a/.github/workflows/test-registry.yaml
+++ b/.github/workflows/test-registry.yaml
@@ -1,24 +1,34 @@ -name: Test registry +name: Test actions using registry on: - pull_request +permissions: + contents: read + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: registry_module: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Use registry module + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create dummy credential file + env: + RUNNER_TEMP_D: ${{ runner.temp }} run: | - mkdir -p ${{ runner.temp }}/_github_home - cp tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc - ls -la ${{ runner.temp }} + mkdir -p "$RUNNER_TEMP_D/_github_home" + cp tests/workflows/test-registry/terraformrc "$RUNNER_TEMP_D/_github_home/.terraformrc" + ls -la "$RUNNER_TEMP_D" - name: Plan uses: ./terraform-plan @@ -38,18 +48,24 @@ jobs: TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + WORD: ${{ steps.output.outputs.word }} + RUNNER_TEMP_D: ${{ runner.temp }} run: | - if [[ "${{ steps.output.outputs.word }}" != "hello" ]]; then + if [[ "$WORD" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi # Check that terraformrc is as before - diff tests/workflows/test-registry/terraformrc ${{ runner.temp }}/_github_home/.terraformrc + diff tests/workflows/test-registry/terraformrc "$RUNNER_TEMP_D/_github_home/.terraformrc" multiple_registry_module: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Multiple registries + permissions: + contents: read + pull-requests: write env: TERRAFORM_CLOUD_TOKENS: | @@ -59,6 +75,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan 
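Review bot: The workflow-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is kept in this hunk, so every job in test-registry.yaml, including nonsense_credentials which has no job-level `permissions` and no comment to post, receives the token in its environment; the same commit narrows the token in test-ssh.yaml to the Plan and Apply steps that actually use it, and test-target-replace.yaml keeps the workflow-level form as well. Applying the test-ssh.yaml pattern here and in test-target-replace.yaml (a step-level `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the terraform-plan/terraform-apply steps, dropping the top-level `env:`) would make the three files consistent and limit the token to the steps that need it. The workflow-level `permissions: contents: read` added above already caps what the token can do, so this is a scoping and consistency point rather than a privilege escalation.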
@@ -74,18 +92,22 @@ jobs: label: test-registry multiple_registry_module - name: Verify outputs + env: + WORD: ${{ steps.output.outputs.word }} run: | - if [[ "${{ steps.output.outputs.word }}" != "hello" ]]; then + if [[ "$WORD" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi nonsense_credentials: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Nonsense cloud credentials steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan
@@ -97,8 +119,10 @@ jobs: path: tests/workflows/test-registry - name: Check failed + env: + OUTCOME: ${{ steps.plan.outcome }} run: | - if [[ "${{ steps.plan.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "did not fail correctly with nonsense credentials" exit 1 fi
diff --git a/.github/workflows/test-remote-state.yaml b/.github/workflows/test-remote-state.yaml
index b3aea0b6..f368d5ec 100644
--- a/.github/workflows/test-remote-state.yaml
+++ b/.github/workflows/test-remote-state.yaml
@@ -3,16 +3,21 @@ name: Test terraform-remote-state on: - pull_request +permissions: + contents: read + env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: terraform-remote-state: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Get remote state uses: ./terraform-remote-state
@@ -24,43 +29,41 @@ jobs: key=terraform-remote-state region=eu-west-2 - - name: Print the outputs - run: | - echo "my_number = ${{ steps.terraform-output.outputs.my_number }}" - echo "my_sensitive_number = ${{ steps.terraform-output.outputs.my_sensitive_number }}" - echo "my_string = ${{ steps.terraform-output.outputs.my_string }}" - echo "my_sensitive_string = ${{ steps.terraform-output.outputs.my_sensitive_string }}" - echo "my_bool = ${{ steps.terraform-output.outputs.my_bool }}" - echo "my_sensitive_bool = ${{ steps.terraform-output.outputs.my_sensitive_bool }}" - - name: Verify outputs + env: + MY_NUMBER: ${{ steps.terraform-output.outputs.my_number }} + MY_SENSITIVE_NUMBER: ${{ steps.terraform-output.outputs.my_sensitive_number }} + MY_STRING: ${{ steps.terraform-output.outputs.my_string }} + MY_SENSITIVE_STRING: ${{ steps.terraform-output.outputs.my_sensitive_string }} + MY_BOOL: ${{ steps.terraform-output.outputs.my_bool }} + MY_SENSITIVE_BOOL: ${{ steps.terraform-output.outputs.my_sensitive_bool }} run: | - if [[ "${{ steps.terraform-output.outputs.my_number }}" != "5" ]]; then + if [[ "$MY_NUMBER" != "5" ]]; then echo "::error:: output my_number not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_sensitive_number }}" != "6" ]]; then + if [[ "$MY_SENSITIVE_NUMBER" != "6" ]]; then echo "::error:: output my_sensitive_number not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_string }}" != "hello" ]]; then + if [[ "$MY_STRING" != "hello" ]]; then echo "::error:: output my_string not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_sensitive_string }}" != "password" ]]; then + if [[ "$MY_SENSITIVE_STRING" != "password" ]]; then echo "::error:: output my_sensitive_string not set correctly" exit 1 fi - if [[ "${{ steps.terraform-output.outputs.my_bool }}" != "true" ]]; then + if [[ "$MY_BOOL" != "true" ]]; then echo "::error:: output my_bool not set correctly" exit 1 fi - if [[ "${{ 
steps.terraform-output.outputs.my_sensitive_bool }}" != "false" ]]; then + if [[ "$MY_SENSITIVE_BOOL" != "false" ]]; then echo "::error:: output my_sensitive_bool not set correctly" exit 1 fi
diff --git a/.github/workflows/test-ssh.yaml b/.github/workflows/test-ssh.yaml
index 6cf87a3e..df0fdb5d 100644
--- a/.github/workflows/test-ssh.yaml
+++ b/.github/workflows/test-ssh.yaml
@@ -1,22 +1,28 @@ -name: Test SSH Keys +name: Test actions using SSH Keys on: - pull_request -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: + contents: read jobs: ssh_key: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Git module source + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }} with: path: tests/workflows/test-ssh
@@ -26,24 +32,29 @@ jobs: uses: ./terraform-apply id: output env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }} with: path: tests/workflows/test-ssh label: test-ssh ssh_key - name: Verify outputs + env: + WORD: ${{ steps.output.outputs.word }} run: | - if [[ "${{ steps.output.outputs.word }}" != "hello" ]]; then + if [[ "$WORD" != "hello" ]]; then echo "::error:: output not set correctly" exit 1 fi no_ssh_key: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Git module source with no key steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan uses: ./terraform-plan
@@ -55,8 +66,10 @@ jobs: add_github_comment: false - name: Check failed + env: + OUTCOME: ${{ steps.plan.outcome }} run: | - if [[ "${{ steps.plan.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "did not fail correctly with no SSH key" exit 1 fi
diff --git a/.github/workflows/test-target-replace.yaml b/.github/workflows/test-target-replace.yaml
index b601ad72..3753ed83 100644
--- a/.github/workflows/test-target-replace.yaml
+++ b/.github/workflows/test-target-replace.yaml
@@ -1,18 +1,26 @@ -name: Test plan target and replace +name: Test actions using target and replace on: - pull_request +permissions: + contents: read + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: plan_targeting: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Plan targeting + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Plan with no changes in targets uses: ./terraform-plan
@@ -26,8 +34,10 @@ jobs: length = 5 - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} run: | - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: Should not be any changes with this targeted plan" exit 1 fi
@@ -43,8 +53,10 @@ jobs: length = 5 - name: Verify outputs + env: + CHANGES: ${{ steps.plan-first-change.outputs.changes }} run: | - if [[ "${{ steps.plan-first-change.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted plan should have changes" exit 1 fi
@@ -60,8 +72,10 @@ jobs: length = 5 - name: Verify outputs + env: + COUNT: ${{ steps.apply-first-change.outputs.count }} run: | - if [[ "${{ steps.apply-first-change.outputs.count }}" == "" ]]; then + if [[ "$COUNT" == "" ]]; then echo "::error:: output count not set correctly" exit 1 fi
@@ -77,8 +91,10 @@ jobs: length = 6 - name: Verify outputs + env: + CHANGES: ${{ steps.plan-second-change.outputs.changes }} run: | - if [[ "${{ steps.plan-second-change.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted plan should have changes" exit 1 fi
@@ -94,13 +110,17 @@ jobs: length = 6 - name: Verify outputs + env: + FIRST_COUNT: ${{ steps.apply-first-change.outputs.count }} + SECOND_COUNT: ${{ steps.apply-second-change.outputs.count }} + FOREACH: ${{ steps.apply-second-change.outputs.foreach }} run: | - if [[ "${{ steps.apply-second-change.outputs.foreach }}" == "" ]]; then + if [[ "$FOREACH" == "" ]]; then echo "::error:: output foreach not set correctly" exit 1 fi - if [[ "${{ steps.apply-second-change.outputs.count }}" != "${{ steps.apply-first-change.outputs.count }}" ]]; then + if [[ "$SECOND_COUNT" != "$FIRST_COUNT" ]]; then echo "::error:: Targeted change has affected untargeted resources" exit 1 fi @@ -118,13 +138,18 @@ jobs: auto_approve: true - name: Verify outputs + env: + THIRD_COUNT: ${{ steps.apply-third-change.outputs.count }} + SECOND_COUNT: ${{ steps.apply-second-change.outputs.count }} + THIRD_FOREACH: ${{ steps.apply-third-change.outputs.foreach }} + SECOND_FOREACH: ${{ steps.apply-second-change.outputs.foreach }} run: | - if [[ "${{ steps.apply-third-change.outputs.count }}" == "${{ steps.apply-second-change.outputs.count }}" ]]; then + if [[ "$THIRD_COUNT" == "$SECOND_COUNT" ]]; then echo "::error:: Targeted change has not affected targeted resources" exit 1 fi - if [[ "${{ steps.apply-third-change.outputs.foreach }}" == "${{ steps.apply-second-change.outputs.foreach }}" ]]; then + if [[ "$THIRD_FOREACH" == "$SECOND_FOREACH" ]]; then echo "::error:: Targeted change has not affected targeted resources" exit 1 fi @@ -143,8 +168,10 @@ jobs: length = 10 - name: Verify outputs + env: + CHANGES: ${{ steps.plan-targeted-replacement.outputs.changes }} run: | - if [[ "${{ steps.plan-targeted-replacement.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted replacement should have changes" exit 1 fi 
@@ -163,13 +190,18 @@ jobs: length = 10 - name: Verify outputs + env: + THIRD_COUNT: ${{ steps.apply-third-change.outputs.count }} + TARGETED_COUNT: ${{ steps.apply-targeted-replacement.outputs.count }} + THIRD_FOREACH: ${{ steps.apply-third-change.outputs.foreach }} + TARGETED_FOREACH: ${{ steps.apply-targeted-replacement.outputs.foreach }} run: | - if [[ "${{ steps.apply-targeted-replacement.outputs.count }}" != "${{ steps.apply-third-change.outputs.count }}" ]]; then + if [[ "$TARGETED_COUNT" != "$THIRD_COUNT" ]]; then echo "::error:: Targeted replacement has affected non targeted resources" exit 1 fi - if [[ "${{ steps.apply-targeted-replacement.outputs.foreach }}" == "${{ steps.apply-third-change.outputs.foreach }}" ]]; then + if [[ "$TARGETED_FOREACH" == "$THIRD_FOREACH" ]]; then echo "::error:: Targeted replacement has not affected targeted resources" exit 1 fi @@ -186,8 +218,10 @@ jobs: length = 10 - name: Verify outputs + env: + CHANGES: ${{ steps.plan-replacement.outputs.changes }} run: | - if [[ "${{ steps.plan-replacement.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Replacement should have changes" exit 1 fi 
@@ -204,23 +238,33 @@ jobs: length = 10 - name: Verify outputs + env: + TARGETED_COUNT: ${{ steps.apply-targeted-replacement.outputs.count }} + REPLACEMENT_COUNT: ${{ steps.apply-replacement.outputs.count }} + TARGETED_FOREACH: ${{ steps.apply-targeted-replacement.outputs.foreach }} + REPLACEMENT_FOREACH: ${{ steps.apply-replacement.outputs.foreach }} run: | - if [[ "${{ steps.apply-replacement.outputs.count }}" == "${{ steps.apply-targeted-replacement.outputs.count }}" ]]; then + if [[ "$REPLACEMENT_COUNT" == "$TARGETED_COUNT" ]]; then echo "::error:: Replacement has not affected targeted resources" exit 1 fi - if [[ "${{ steps.apply-replacement.outputs.foreach }}" == "${{ steps.apply-targeted-replacement.outputs.foreach }}" ]]; then + if [[ "$REPLACEMENT_FOREACH" == "$TARGETED_FOREACH" ]]; then echo "::error:: Replacement has not affected targeted resources" exit 1 fi remote_plan_targeting: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Remote Plan targeting + permissions: + contents: read + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup remote backend run: | @@ -258,8 +302,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + CHANGES: ${{ steps.plan.outputs.changes }} run: | - if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then + if [[ "$CHANGES" != "false" ]]; then echo "::error:: Should not be any changes with this targeted plan" exit 1 fi @@ -277,8 +323,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + CHANGES: ${{ steps.plan-first-change.outputs.changes }} run: | - if [[ "${{ steps.plan-first-change.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted plan should have changes" exit 1 fi 
@@ -296,8 +344,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + COUNT: ${{ steps.apply-first-change.outputs.count }} run: | - if [[ "${{ steps.apply-first-change.outputs.count }}" == "" ]]; then + if [[ "$COUNT" == "" ]]; then echo "::error:: output count not set correctly" exit 1 fi @@ -315,8 +365,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + CHANGES: ${{ steps.plan-second-change.outputs.changes }} run: | - if [[ "${{ steps.plan-second-change.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted plan should have changes" exit 1 fi @@ -334,13 +386,17 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + FIRST_COUNT: ${{ steps.apply-first-change.outputs.count }} + SECOND_COUNT: ${{ steps.apply-second-change.outputs.count }} + FOREACH: ${{ steps.apply-second-change.outputs.foreach }} run: | - if [[ "${{ steps.apply-second-change.outputs.foreach }}" == "" ]]; then + if [[ "$FOREACH" == "" ]]; then echo "::error:: output foreach not set correctly" exit 1 fi - if [[ "${{ steps.apply-second-change.outputs.count }}" != "${{ steps.apply-first-change.outputs.count }}" ]]; then + if [[ "$SECOND_COUNT" != "$FIRST_COUNT" ]]; then echo "::error:: Targeted change has affected untargeted resources" exit 1 fi 
@@ -360,13 +416,18 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + THIRD_COUNT: ${{ steps.apply-third-change.outputs.count }} + SECOND_COUNT: ${{ steps.apply-second-change.outputs.count }} + THIRD_FOREACH: ${{ steps.apply-third-change.outputs.foreach }} + SECOND_FOREACH: ${{ steps.apply-second-change.outputs.foreach }} run: | - if [[ "${{ steps.apply-third-change.outputs.count }}" == "${{ steps.apply-second-change.outputs.count }}" ]]; then + if [[ "$THIRD_COUNT" == "$SECOND_COUNT" ]]; then echo "::error:: Targeted change has not affected targeted resources" exit 1 fi - if [[ "${{ steps.apply-third-change.outputs.foreach }}" == "${{ steps.apply-second-change.outputs.foreach }}" ]]; then + if [[ "$THIRD_FOREACH" == "$SECOND_FOREACH" ]]; then echo "::error:: Targeted change has not affected targeted resources" exit 1 fi @@ -387,8 +448,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + CHANGES: ${{ steps.plan-targeted-replacement.outputs.changes }} run: | - if [[ "${{ steps.plan-targeted-replacement.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Targeted replacement should have changes" exit 1 fi 
@@ -409,13 +472,18 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + THIRD_COUNT: ${{ steps.apply-third-change.outputs.count }} + TARGETED_COUNT: ${{ steps.apply-targeted-replacement.outputs.count }} + THIRD_FOREACH: ${{ steps.apply-third-change.outputs.foreach }} + TARGETED_FOREACH: ${{ steps.apply-targeted-replacement.outputs.foreach }} run: | - if [[ "${{ steps.apply-targeted-replacement.outputs.count }}" != "${{ steps.apply-third-change.outputs.count }}" ]]; then + if [[ "$TARGETED_COUNT" != "$THIRD_COUNT" ]]; then echo "::error:: Targeted replacement has affected non targeted resources" exit 1 fi - if [[ "${{ steps.apply-targeted-replacement.outputs.foreach }}" == "${{ steps.apply-third-change.outputs.foreach }}" ]]; then + if [[ "$TARGETED_FOREACH" == "$THIRD_FOREACH" ]]; then echo "::error:: Targeted replacement has not affected targeted resources" exit 1 fi @@ -434,8 +502,10 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + CHANGES: ${{ steps.plan-replacement.outputs.changes }} run: | - if [[ "${{ steps.plan-replacement.outputs.changes }}" != "true" ]]; then + if [[ "$CHANGES" != "true" ]]; then echo "::error:: Replacement should have changes" exit 1 fi 
@@ -454,13 +524,18 @@ jobs: backend_config: token=${{ secrets.TF_API_TOKEN }} - name: Verify outputs + env: + TARGETED_COUNT: ${{ steps.apply-targeted-replacement.outputs.count }} + REPLACEMENT_COUNT: ${{ steps.apply-replacement.outputs.count }} + TARGETED_FOREACH: ${{ steps.apply-targeted-replacement.outputs.foreach }} + REPLACEMENT_FOREACH: ${{ steps.apply-replacement.outputs.foreach }} run: | - if [[ "${{ steps.apply-replacement.outputs.count }}" == "${{ steps.apply-targeted-replacement.outputs.count }}" ]]; then + if [[ "$REPLACEMENT_COUNT" == "$TARGETED_COUNT" ]]; then echo "::error:: Replacement has not affected targeted resources" exit 1 fi - if [[ "${{ steps.apply-replacement.outputs.foreach }}" == "${{ steps.apply-targeted-replacement.outputs.foreach }}" ]]; then + if [[ "$REPLACEMENT_FOREACH" == "$TARGETED_FOREACH" ]]; then echo "::error:: Replacement has not affected targeted resources" exit 1 fi diff --git a/.github/workflows/test-test.yaml b/.github/workflows/test-test.yaml index b67366d0..f74dd8f4 100644 --- a/.github/workflows/test-test.yaml +++ b/.github/workflows/test-test.yaml @@ -3,13 +3,18 @@ name: Test terraform-test on: - pull_request +permissions: + contents: read + jobs: default: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Default inputs steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test @@ -18,18 +23,22 @@ jobs: path: tests/workflows/test-test/local - name: Check Passed + env: + FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} run: | - if [[ "${{ steps.test.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi filter: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Default path with a filter steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test 
@@ -39,18 +48,22 @@ jobs: test_filter: tests/main.tftest.hcl - name: Check Passed + env: + FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} run: | - if [[ "${{ steps.test.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi test_dir: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Custom test directory steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test @@ -63,18 +76,22 @@ jobs: custom-test-dir/a-third.tftest.hcl - name: Check Passed + env: + FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} run: | - if [[ "${{ steps.test.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi nonexistent_test_dir: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Missing test directory steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test @@ -85,23 +102,28 @@ jobs: test_directory: i-dont-exist - name: Check failure + env: + OUTCOME: ${{ steps.nonexistent_test_dir.outcome }} + FAILURE_REASON: ${{ steps.nonexistent_test_dir.outputs.failure-reason }} run: | - if [[ "${{ steps.nonexistent_test_dir.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" exit 1 fi - if [[ "${{ steps.nonexistent_test_dir.outputs.failure-reason }}" != "no-tests" ]]; then + if [[ "$FAILURE_REASON" != "no-tests" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi faulty_filter: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Filter matches no tests steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test 
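Review bot: In the Check failure step of the nonexistent_test_dir job the first diagnostic, `echo "Test did not fail correctly"`, lacks the `::error::` workflow command that the second diagnostic uses, so it is not surfaced as an annotation in the run summary even though the step exits non-zero; `echo "::error:: Test did not fail correctly"` brings it in line. The same mixed style appears in the other Check failure, Check apply-failed and Check invalid steps across this diff, so it is worth fixing in one pass.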
@@ -114,23 +136,28 @@ jobs: tests/nor-does-this-one.tftest.hcl - name: Check failure + env: + OUTCOME: ${{ steps.faulty_filter.outcome }} + FAILURE_REASON: ${{ steps.faulty_filter.outputs.failure-reason }} run: | - if [[ "${{ steps.faulty_filter.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" exit 1 fi - if [[ "${{ steps.faulty_filter.outputs.failure-reason }}" != "no-tests" ]]; then + if [[ "$FAILURE_REASON" != "no-tests" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi failing: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: A failing test using variables steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test uses: ./terraform-test @@ -143,13 +170,16 @@ jobs: length = 1 - name: Check failure-reason + env: + OUTCOME: ${{ steps.failing.outcome }} + FAILURE_REASON: ${{ steps.failing.outputs.failure-reason }} run: | - if [[ "${{ steps.failing.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" exit 1 fi - if [[ "${{ steps.failing.outputs.failure-reason }}" != "tests-failed" ]]; then + if [[ "$FAILURE_REASON" != "tests-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi diff --git a/.github/workflows/test-unlock-state.yaml b/.github/workflows/test-unlock-state.yaml index c030ba11..d1ad26a2 100644 --- a/.github/workflows/test-unlock-state.yaml +++ b/.github/workflows/test-unlock-state.yaml @@ -3,17 +3,22 @@ name: Test terraform-unlock-state on: - pull_request +permissions: + contents: read + env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} jobs: default_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Default workspace steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check state is not locked uses: ./terraform-apply 
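Review bot: In the test-unlock-state hunk the workflow-level `env:` still exports `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to every step of every job, including the Checkout action, while the new `permissions: contents: read` narrows only the GitHub token. If only the terraform steps need these credentials, moving the two `env:` lines to those steps (or at least to the job) applies the same least-privilege intent to the AWS keys and keeps them out of third-party action steps. That is an inference from the visible lines; if a later step outside the hunk relies on the workflow-level scope, a job-level `env:` is the safer narrowing.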
@@ -34,13 +39,16 @@ jobs: # State is now locked - name: Check apply-failed + env: + OUTCOME: ${{ steps.failed-apply.outcome }} + FAILURE_REASON: ${{ steps.failed-apply.outputs.failure-reason }} run: | - if [[ "${{ steps.failed-apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.failed-apply.outputs.failure-reason }}" != "apply-failed" ]]; then + if [[ "$FAILURE_REASON" != "apply-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi @@ -55,20 +63,24 @@ jobs: auto_approve: true - name: Check terraform-apply state locked failure-reason + env: + OUTCOME: ${{ steps.locked-state-apply.outcome }} + FAILURE_REASON: ${{ steps.locked-state-apply.outputs.failure-reason }} + LOCK_INFO: ${{ steps.locked-state-apply.outputs.lock-info }} + LOCK_ID: ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }} run: | - if [[ "${{ steps.locked-state-apply.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.locked-state-apply.outputs.failure-reason }}" != "state-locked" ]]; then + if [[ "$FAILURE_REASON" != "state-locked" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - echo '"${{ steps.locked-state-apply.outputs.lock-info }}"' - - echo 'Lock id is ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }}' + echo "$LOCK_INFO" + echo "Lock id is $LOCK_ID" - name: Try using locked state using terraform-destroy uses: ./terraform-destroy 
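Review bot: `LOCK_ID: ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }}` is evaluated when the step's env is built, before the script runs; if the apply failed for a reason other than a lock and `lock-info` is empty or not valid JSON, I believe the fromJson call fails the step up front, so the `failure-reason not set correctly` diagnostic in the script is never reached. Parsing in the shell after the checks keeps the error path informative: drop the `LOCK_ID` env entry and put `LOCK_ID=$(jq -r '.ID' <<< "$LOCK_INFO")` immediately before `echo "Lock id is $LOCK_ID"`. The same pattern is repeated in the destroy, workspace and destroy-workspace checks in the following three hunks.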
@@ -78,20 +90,24 @@ jobs: path: tests/workflows/test-unlock-state - name: Check terraform-destroy state locked failure-reason + env: + OUTCOME: ${{ steps.locked-state-destroy.outcome }} + FAILURE_REASON: ${{ steps.locked-state-destroy.outputs.failure-reason }} + LOCK_INFO: ${{ steps.locked-state-destroy.outputs.lock-info }} + LOCK_ID: ${{ fromJson(steps.locked-state-destroy.outputs.lock-info).ID }} run: | - if [[ "${{ steps.locked-state-destroy.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.locked-state-destroy.outputs.failure-reason }}" != "state-locked" ]]; then + if [[ "$FAILURE_REASON" != "state-locked" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - echo '"${{ steps.locked-state-destroy.outputs.lock-info }}"' - - echo 'Lock id is ${{ fromJson(steps.locked-state-destroy.outputs.lock-info).ID }}' + echo "$LOCK_INFO" + echo "Lock id is $LOCK_ID" - name: Unlock the state uses: ./terraform-unlock-state @@ -107,11 +123,13 @@ jobs: auto_approve: true nondefault_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Non Default workspace steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create first workspace uses: ./terraform-new-workspace @@ -140,13 +158,16 @@ jobs: # State is now locked - name: Check apply-failed + env: + OUTCOME: ${{ steps.failed-apply-workspace.outcome }} + FAILURE_REASON: ${{ steps.failed-apply-workspace.outputs.failure-reason }} run: | - if [[ "${{ steps.failed-apply-workspace.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.failed-apply-workspace.outputs.failure-reason }}" != "apply-failed" ]]; then + if [[ "$FAILURE_REASON" != "apply-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi 
@@ -162,20 +183,24 @@ jobs: auto_approve: true - name: Check state locked failure-reason + env: + OUTCOME: ${{ steps.locked-state-workspace.outcome }} + FAILURE_REASON: ${{ steps.locked-state-workspace.outputs.failure-reason }} + LOCK_INFO: ${{ steps.locked-state-workspace.outputs.lock-info }} + LOCK_ID: ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }} run: | - if [[ "${{ steps.locked-state-workspace.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.locked-state-workspace.outputs.failure-reason }}" != "state-locked" ]]; then + if [[ "$FAILURE_REASON" != "state-locked" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - echo '"${{ steps.locked-state-workspace.outputs.lock-info }}"' - - echo 'Lock id is ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }}' + echo "$LOCK_INFO" + echo "Lock id is $LOCK_ID" - name: Try using locked state using terraform-destroy-workspace uses: ./terraform-destroy-workspace 
@@ -186,20 +211,24 @@ jobs: workspace: hello - name: Check terraform-destroy-workspace state locked failure-reason + env: + OUTCOME: ${{ steps.locked-state-destroy-workspace.outcome }} + FAILURE_REASON: ${{ steps.locked-state-destroy-workspace.outputs.failure-reason }} + LOCK_INFO: ${{ steps.locked-state-destroy-workspace.outputs.lock-info }} + LOCK_ID: ${{ fromJson(steps.locked-state-destroy-workspace.outputs.lock-info).ID }} run: | - if [[ "${{ steps.locked-state-destroy-workspace.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" exit 1 fi - if [[ "${{ steps.locked-state-destroy-workspace.outputs.failure-reason }}" != "state-locked" ]]; then + if [[ "$FAILURE_REASON" != "state-locked" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi - echo '"${{ steps.locked-state-destroy-workspace.outputs.lock-info }}"' - - echo 'Lock id is ${{ fromJson(steps.locked-state-destroy-workspace.outputs.lock-info).ID }}' + echo "$LOCK_INFO" + echo "Lock id is $LOCK_ID" - name: Unlock the state uses: ./terraform-unlock-state diff --git a/.github/workflows/test-validate.yaml b/.github/workflows/test-validate.yaml index ab95d099..f7be0418 100644 --- a/.github/workflows/test-validate.yaml +++ b/.github/workflows/test-validate.yaml @@ -3,13 +3,18 @@ name: Test terraform-validate on: - pull_request +permissions: + contents: read + jobs: valid: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: valid steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: validate uses: ./terraform-validate 
@@ -18,18 +23,22 @@ jobs: path: tests/workflows/test-validate/valid - name: Check valid + env: + FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} run: | - if [[ "${{ steps.validate.outputs.failure-reason }}" != "" ]]; then + if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi invalid: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Invalid terraform configuration steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: validate uses: ./terraform-validate @@ -39,23 +48,28 @@ jobs: path: tests/workflows/test-validate/invalid - name: Check invalid + env: + OUTCOME: ${{ steps.validate.outcome }} + FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} run: | - if [[ "${{ steps.validate.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" exit 1 fi - if [[ "${{ steps.validate.outputs.failure-reason }}" != "validate-failed" ]]; then + if [[ "$FAILURE_REASON" != "validate-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi validate_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Use workspace name during validation steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: validate prod uses: ./terraform-validate 
@@ -77,23 +91,28 @@ jobs: path: tests/workflows/test-validate/workspace_eval - name: Check invalid + env: + OUTCOME: ${{ steps.validate.outcome }} + FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} run: | - if [[ "${{ steps.validate.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" exit 1 fi - if [[ "${{ steps.validate.outputs.failure-reason }}" != "validate-failed" ]]; then + if [[ "$FAILURE_REASON" != "validate-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi validate_remote_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Use workspace name during validation steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: validate prod uses: ./terraform-validate @@ -102,11 +121,13 @@ jobs: workspace: prod validate_unterminated_string: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Validate with unterminated string steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: validate uses: ./terraform-validate @@ -116,13 +137,16 @@ jobs: continue-on-error: true - name: Check invalid + env: + OUTCOME: ${{ steps.validate.outcome }} + FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} run: | - if [[ "${{ steps.validate.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" exit 1 fi - if [[ "${{ steps.validate.outputs.failure-reason }}" != "validate-failed" ]]; then + if [[ "$FAILURE_REASON" != "validate-failed" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi diff --git a/.github/workflows/test-version.yaml b/.github/workflows/test-version.yaml index 108b6764..61f8dec2 100644 --- a/.github/workflows/test-version.yaml +++ b/.github/workflows/test-version.yaml 
@@ -3,13 +3,18 @@ name: Test terraform-version on: - pull_request +permissions: + contents: read + jobs: required_version: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: specific required_version steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version @@ -17,22 +22,25 @@ jobs: with: path: tests/workflows/test-version/required_version - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.26" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.26" ]]; then echo "::error:: Terraform version not set from required_version" exit 1 fi required_version_range: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: required_version range steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version 
@@ -40,22 +48,25 @@ jobs: with: path: tests/workflows/test-version/range - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.5" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.5" ]]; then echo "::error:: Terraform version not set from required_version range" exit 1 fi required_version_v_prefix: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: required_version with a v prefix steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version @@ -63,22 +74,25 @@ jobs: with: path: tests/workflows/test-version/v-prefix - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.26" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.26" ]]; then echo "::error:: Terraform version not set from required_version range" exit 1 fi tfswitch: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: tfswitch steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version 
@@ -86,22 +100,25 @@ jobs: with: path: tests/workflows/test-version/tfswitch - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.1.0" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.1.0" ]]; then echo "::error:: Terraform version not set from .tfswitchrc" exit 1 fi tfenv: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: tfenv steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version @@ -109,22 +126,25 @@ jobs: with: path: tests/workflows/test-version/tfenv - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.17" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.17" ]]; then echo "::error:: Terraform version not set from .terraform-version" exit 1 fi asdf: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: asdf steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test getting version from .tools-versions uses: ./terraform-version 
@@ -132,12 +152,13 @@ jobs: with: path: tests/workflows/test-version/asdf - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.11" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.11" ]]; then echo "::error:: Terraform version not set from .tool-versions" exit 1 fi @@ -151,18 +172,22 @@ jobs: path: tests/workflows/test-version/asdf - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.root-version.outputs.terraform }} run: | - if [[ "${{ steps.root-version.outputs.terraform }}" != "0.12.11" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.11" ]]; then echo "::error:: Terraform version not set from .tool-versions" exit 1 fi env: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: TERRAFORM_VERSION range steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version 
@@ -172,22 +197,25 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.5" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.5" ]]; then echo "::error:: Terraform version not set from required_version range" exit 1 fi tfc_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: TFC Workspace steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create workspace uses: ./terraform-new-workspace @@ -213,21 +241,25 @@ jobs: workspace: test-1 backend_config: token=${{ secrets.TF_API_TOKEN }} - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.13" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.13" ]]; then echo "::error:: Terraform version not set from remote workspace" exit 1 fi tfc_cloud_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: TFC Cloud Configuration steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create workspace uses: ./terraform-new-workspace 
@@ -255,21 +287,25 @@ jobs: path: tests/workflows/test-version/cloud workspace: tfc_cloud_workspace-1 - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.1.2" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.1.2" ]]; then echo "::error:: Terraform version not set from remote workspace" exit 1 fi tfc_partial_cloud_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Partial TFC Cloud Configuration steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create workspace uses: ./terraform-new-workspace @@ -300,21 +336,25 @@ jobs: path: tests/workflows/test-version/partial-cloud workspace: tfc_partial_cloud_workspace-1 - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.2.1" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.2.1" ]]; then echo "::error:: Terraform version not set from remote workspace" exit 1 fi tfc_partial_cloud_tags_workspace: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Partial TFC Cloud Configuration with tags steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Create workspace uses: ./terraform-new-workspace 
@@ -345,21 +385,25 @@ jobs: path: tests/workflows/test-version/partial-cloud-tags workspace: tfc_partial_cloud_tags_workspace-1 - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.2.1" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.2.1" ]]; then echo "::error:: Terraform version not set from remote workspace" exit 1 fi local_state: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Local State file steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version @@ -367,15 +411,17 @@ jobs: with: path: tests/workflows/test-version/local - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.15.4" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.15.4" ]]; then echo "::error:: Terraform version not set from state file" exit 1 fi remote_state: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Remote State file env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} @@ -383,6 +429,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Apply default workspace uses: ./terraform-apply 
@@ -405,11 +453,13 @@ jobs: path: tests/workflows/test-version/state variables: my_variable="goodbye" - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "0.12.9" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12.9" ]]; then echo "::error:: Terraform version not set from state file" exit 1 fi @@ -444,11 +494,13 @@ jobs: workspace: second variables: my_variable="goodbye" - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-second.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version-second.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version-second.outputs.terraform }}" != "1.1.0" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.1.0" ]]; then echo "::error:: Terraform version not set from state file" exit 1 fi @@ -483,11 +535,13 @@ jobs: workspace: third variables: my_variable="goodbye" - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-third.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version-third.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version-third.outputs.terraform }}" != "0.13.0" ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "0.13.0" ]]; then echo "::error:: Terraform version not set from state file" exit 1 fi 
@@ -499,21 +553,25 @@ jobs: path: tests/workflows/test-version/state workspace: fourth - - name: Print the version + - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-fourth.outputs.terraform }} run: | - echo "The terraform version was ${{ steps.terraform-version-fourth.outputs.terraform }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" - if [[ "${{ steps.terraform-version-fourth.outputs.terraform }}" != "1."* ]]; then + if [[ "$DETECTED_TERRAFORM_VERSION" != "1."* ]]; then echo "::error:: Terraform version not set to latest when no existing state" exit 1 fi empty_path: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: latest steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version @@ -521,12 +579,13 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The terraform version was ${{ steps.terraform-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != *"1.9"* ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.10"* ]]; then echo "::error:: Latest version was not used" exit 1 fi @@ -541,19 +600,22 @@ jobs: path: tests/workflows/test-version/empty - name: Check failed to download no such version + env: + OUTCOME: ${{ steps.no-such-version.outcome }} run: | - if [[ "${{ steps.no-such-version.outcome }}" != "failure" ]]; then + if [[ "$OUTCOME" != "failure" ]]; then echo "Did not fail correctly" exit 1 fi - provider_versions: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: provider versions steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version with 0.12 uses: ./terraform-version 
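Review bot: The latest-version check in the empty_path job, `!= *"1.10"*`, is a substring match that also accepts values such as `11.10.0` or `1.100.1`, and it must be hand-bumped on every minor release (this hunk moves it from `1.9` to `1.10`). Anchoring to a prefix, `if [[ "$DETECTED_TERRAFORM_VERSION" != "1.10."* ]]; then`, narrows the match, and a comment such as `# expected latest minor; bump when a new terraform minor is released` records why the constant changes. The provider_versions job body continues past the end of the hunk.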
@@ -561,20 +623,22 @@ jobs: with: path: tests/workflows/test-version/providers/0.12 - - name: Print the version - run: | - echo "The terraform version was ${{ steps.terraform-version-12.outputs.terraform }}" - echo "The random version was ${{ steps.terraform-version-12.outputs.random }}" - echo "The acme version was ${{ steps.terraform-version-12.outputs.acme }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-12.outputs.terraform }} + DETECTED_RANDOM_VERSION: ${{ steps.terraform-version-12.outputs.random }} + DETECTED_ACME_VERSION: ${{ steps.terraform-version-12.outputs.acme }} run: | - if [[ "${{ steps.terraform-version-12.outputs.random }}" != "2.2.0" ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + echo "The random version was $DETECTED_RANDOM_VERSION" + echo "The acme version was $DETECTED_ACME_VERSION" + + if [[ "$DETECTED_RANDOM_VERSION" != "2.2.0" ]]; then echo "::error:: random provider version has not been set" exit 1 fi - if [[ -z "${{ steps.terraform-version-12.outputs.acme }}" ]]; then + if [[ -z "$DETECTED_ACME_VERSION" ]]; then echo "::error:: acme provider version has not been set" exit 1 fi 
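Review bot: In the `Check the version` step of the 0.12 provider job, `DETECTED_TERRAFORM_VERSION` is exported and echoed but never asserted, so the step only verifies the `random` and `acme` provider outputs. If the fixture at `tests/workflows/test-version/providers/0.12` is meant to select a 0.12 release, as the step name suggests, add `if [[ "$DETECTED_TERRAFORM_VERSION" != "0.12."* ]]; then echo "::error:: Terraform version not set from fixture"; exit 1; fi` beside the provider checks; otherwise drop the unused variable to keep the step minimal. The same applies to the 0.13 and 0.11 jobs that follow.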
@@ -585,20 +649,22 @@ jobs: with: path: tests/workflows/test-version/providers/0.13 - - name: Print the version + - name: Check versions + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-13.outputs.terraform }} + DETECTED_RANDOM_VERSION: ${{ steps.terraform-version-13.outputs.random }} + DETECTED_ACME_VERSION: ${{ steps.terraform-version-13.outputs.acme }} run: | - echo "The terraform version was ${{ steps.terraform-version-13.outputs.terraform }}" - echo "The random version was ${{ steps.terraform-version-13.outputs.random }}" - echo "The acme version was ${{ steps.terraform-version-13.outputs.acme }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + echo "The random version was $DETECTED_RANDOM_VERSION" + echo "The acme version was $DETECTED_ACME_VERSION" - - name: Check the version - run: | - if [[ "${{ steps.terraform-version-13.outputs.random }}" != "2.2.0" ]]; then + if [[ "$DETECTED_RANDOM_VERSION" != "2.2.0" ]]; then echo "::error:: random provider version has not been set" exit 1 fi - if [[ -z "${{ steps.terraform-version-13.outputs.acme }}" ]]; then + if [[ -z "$DETECTED_ACME_VERSION" ]]; then echo "::error:: acme provider version has not been set" exit 1 fi 
@@ -609,20 +675,22 @@ jobs: with: path: tests/workflows/test-version/providers/0.11 - - name: Print the version + - name: Check versions + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version-11.outputs.terraform }} + DETECTED_RANDOM_VERSION: ${{ steps.terraform-version-11.outputs.random }} + DETECTED_ACME_VERSION: ${{ steps.terraform-version-11.outputs.acme }} run: | - echo "The terraform version was ${{ steps.terraform-version-11.outputs.terraform }}" - echo "The random version was ${{ steps.terraform-version-11.outputs.random }}" - echo "The acme version was ${{ steps.terraform-version-11.outputs.acme }}" + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + echo "The random version was $DETECTED_RANDOM_VERSION" + echo "The acme version was $DETECTED_ACME_VERSION" - - name: Check the version - run: | - if [[ "${{ steps.terraform-version-11.outputs.random }}" != "2.2.0" ]]; then + if [[ "$DETECTED_RANDOM_VERSION" != "2.2.0" ]]; then echo "::error:: random provider version has not been set" exit 1 fi - if [[ -z "${{ steps.terraform-version-11.outputs.acme }}" ]]; then + if [[ -z "$DETECTED_ACME_VERSION" ]]; then echo "::error:: acme provider version has not been set" exit 1 fi @@ -633,6 +701,8 @@ jobs: # steps: # - name: Checkout # uses: actions/checkout@v4 +# with: +# persist-credentials: false # # - name: Version unsupported on arm # uses: ./terraform-version @@ -672,17 +742,19 @@ jobs: # # - name: Check the version # run: | -# if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.1.0" ]]; then +# if [[ "$DETECTED_TERRAFORM_VERSION" != "1.1.0" ]]; then # echo "::error:: Terraform version not set from .tfswitchrc" # exit 1 # fi terraform_opentofu_version: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: OPENTOFU_VERSION with terraform action steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./terraform-version 
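Review bot: The commented-out arm job's check now reads `# if [[ "$DETECTED_TERRAFORM_VERSION" != "1.1.0" ]]; then`, but this hunk adds no `env:` mapping to that step and the earlier hunk of the same job only adds `persist-credentials: false`, so re-enabling the job would compare an empty string and fail with a misleading `.tfswitchrc` error. Add `# env:` / `#   DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }}` above the `# run: |` line so the dormant test stays consistent with the live ones. The commented-out job starts outside this hunk, so this assumes no env mapping was added in the lines not shown.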
@@ -692,27 +764,31 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The tofu version was ${{ steps.terraform-version.outputs.tofu }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.terraform-version.outputs.terraform }} + DETECTED_TOFU_VERSION: ${{ steps.terraform-version.outputs.tofu }} run: | - if [[ "${{ steps.terraform-version.outputs.terraform }}" != "1.6.0" ]]; then + echo "The tofu version was $DETECTED_TOFU_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.6.0" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi - if [[ "${{ steps.terraform-version.outputs.tofu }}" != "1.6.0" ]]; then + if [[ "$DETECTED_TOFU_VERSION" != "1.6.0" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi opentofu_version: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: OPENTOFU_VERSION with tofu action steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./tofu-version 
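Review bot: Both failure branches in the `Check the version` step of `terraform_opentofu_version` print the same message, `::error:: Terraform version not set from OPENTOFU_VERSION`, so a failure of the second check (`"$DETECTED_TOFU_VERSION" != "1.6.0"`) cannot be told apart from the first in the job log. Change the second to `echo "::error:: OpenTofu version not set from OPENTOFU_VERSION"`. The step also exports `DETECTED_TERRAFORM_VERSION` but only echoes the tofu value; printing both costs nothing and helps when an assertion trips. The same duplicated message appears in the `opentofu_version` and pre-release jobs below.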
@@ -722,29 +798,33 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The tofu version was ${{ steps.tofu-version.outputs.tofu }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.tofu-version.outputs.terraform }} + DETECTED_TOFU_VERSION: ${{ steps.tofu-version.outputs.tofu }} run: | - if [[ "${{ steps.tofu-version.outputs.terraform }}" != "1.6.0" ]]; then + echo "The tofu version was $DETECTED_TOFU_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.6.0" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi - - if [[ "${{ steps.tofu-version.outputs.tofu }}" != "1.6.0" ]]; then + + if [[ "$DETECTED_TOFU_VERSION" != "1.6.0" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi opentofu_version_pre_release_nosig: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: OPENTOFU_VERSION pre-release with tofu action env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./tofu-version 
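Review bot: The `opentofu_version_pre_release_nosig` job whose header closes this hunk still exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` at job level, so every step, including the checkout that now sets `persist-credentials: false`, receives the token in its environment. Since keeping the checkout credential-free is the purpose of that change, move the `env:` block from the job down onto the `./tofu-version` step, which presumably is the only consumer (for GitHub API calls); that step's `with:` block continues outside the hunk. The token is short-lived and scoped to this repository, so this is a consistency point rather than a vulnerability, but it is cheap to get right while the hardening is being done.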
@@ -754,29 +834,33 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The tofu version was ${{ steps.tofu-version.outputs.tofu }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.tofu-version.outputs.terraform }} + DETECTED_TOFU_VERSION: ${{ steps.tofu-version.outputs.tofu }} run: | - if [[ "${{ steps.tofu-version.outputs.terraform }}" != "1.6.0-alpha3" ]]; then + echo "The tofu version was $DETECTED_TOFU_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != "1.6.0-alpha3" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi - if [[ "${{ steps.tofu-version.outputs.tofu }}" != "1.6.0-alpha3" ]]; then + if [[ "$DETECTED_TOFU_VERSION" != "1.6.0-alpha3" ]]; then echo "::error:: Terraform version not set from OPENTOFU_VERSION" exit 1 fi opentofu_old_version: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: Prefer OpenTofu, but only Terraform matches constraints env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Test terraform-version uses: ./tofu-version @@ -786,12 +870,14 @@ jobs: with: path: tests/workflows/test-version/empty - - name: Print the version - run: echo "The terraform version was ${{ steps.tofu-version.outputs.terraform }}" - - name: Check the version + env: + DETECTED_TERRAFORM_VERSION: ${{ steps.tofu-version.outputs.terraform }} + DETECTED_TOFU_VERSION: ${{ steps.tofu-version.outputs.tofu }} run: | - if [[ "${{ steps.tofu-version.outputs.terraform }}" != *"1.5"* ]]; then + echo "The terraform version was $DETECTED_TERRAFORM_VERSION" + + if [[ "$DETECTED_TERRAFORM_VERSION" != *"1.5"* ]]; then echo "::error:: Terraform version not selected" exit 1 fi diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index f0cd5d73..390c9dd9 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
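Review bot: In the `opentofu_old_version` job, `DETECTED_TOFU_VERSION: ${{ steps.tofu-version.outputs.tofu }}` is exported but never echoed or asserted, so the step checks only the Terraform side of the "prefer OpenTofu, but only Terraform matches" case its name describes. If the fallback is expected to leave the tofu output empty, assert it with `if [[ -n "$DETECTED_TOFU_VERSION" ]]; then echo "::error:: OpenTofu was selected despite the constraints"; exit 1; fi`; if that is not guaranteed, drop the unused variable. As in the other jobs, `*"1.5"*` is an unanchored substring match and `"1.5."*` would be tighter.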
@@ -3,13 +3,18 @@ name: Unit test on: - push +permissions: + contents: read + jobs: pytest_amd64: - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 name: pytest amd64 steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v4 @@ -40,6 +45,8 @@ jobs: # steps: # - name: Checkout # uses: actions/checkout@v4 +# with: +# persist-credentials: false # # - name: Install dependencies # run: | @@ -58,13 +65,15 @@ jobs: # GNUPGHOME=$HOME/.gnupg PYTHONPATH=image/tools:image/src pytest tests tofu: - runs-on: ubuntu-latest - name: OpenTofu + runs-on: ubuntu-24.04 + name: OpenTofu actions env: GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} steps: - name: Checkout uses: actions/checkout@v4 + with: + persist-credentials: false - name: Check tofu actions are up to date run: | diff --git a/.github/workflows/trigger-test-events.yaml b/.github/workflows/trigger-test-events.yaml new file mode 100644 index 00000000..e48fd564 --- /dev/null +++ b/.github/workflows/trigger-test-events.yaml 
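Review bot: The new workflow-level `permissions: contents: read` does not constrain the `tofu` job, which still exports `GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}` at job level; that secret is presumably a PAT with release rights, and as written it sits in the environment of every step, including the checkout that now sets `persist-credentials: false`. Scope it to the `Check tofu actions are up to date` step by moving the `env:` block under that step, and note why it is needed there, e.g. `# RELEASE_GITHUB_TOKEN: needed to read the tofu action repos; keep it step-scoped`. The `run: |` body of that step continues outside the hunk.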
@@ -0,0 +1,44 @@ +name: Trigger test events + +on: + - pull_request + +permissions: + contents: read + +jobs: + repository_dispatch: + runs-on: ubuntu-24.04 + name: Trigger repository_dispatch event + permissions: + contents: write + steps: + - name: Repository Dispatch + uses: peter-evans/repository-dispatch@v2 + with: + event-type: test + client-payload: '{"pull_request": { "url": "${{ github.event.pull_request.url }}" } }' + + pull_request_review: + runs-on: ubuntu-24.04 + name: Trigger pull_request_review event + steps: + - name: Trigger pull_request_review event + env: + PULL_REQUEST_URL: ${{ github.event.pull_request.url }} + run: | + cat >review.json < Iterable[Version]: """Return the currently available opentofu versions.""" - response = github.get('https://api.github.com/repos/opentofu/opentofu/releases') + response = github.paged_get('https://api.github.com/repos/opentofu/opentofu/releases') - for release in response.json(): + for release in response: yield Version(release['tag_name'].lstrip('v'), 'OpenTofu')