Use updated actions for comments (#125)

* Use updated actions for comments

* Update actions version

* Set dependency for pipelines_status job

* Pass CLI version to tg-comment update

* Bump pipelines version

* Update pipelines.yml

* Checkout repo in finalize job

* Get customer token

* Use pipelines-cli v0.40.0-rc5

* Use renamed actions

* Use updated binary

* Use rc7 binary

* Update to pipelines v0.40.0-rc8

* Update to use latest actions

* Use Pipelines binary rc9

* Update to pipelines binary rc10

* Remove deprecated step

* Set artifact token correctly on finalize request

* Set working directory for Pipelines status step

Author: oredavids

.github/workflows/pipelines-drift-detection.yml

@@ -31,13 +31,13 @@ on:
         type: string
         default: "https://api.prod.app.gruntwork.io/api/v1"
     secrets:
-        PIPELINES_READ_TOKEN:
-          required: false
-        PR_CREATE_TOKEN:
-          required: false
+      PIPELINES_READ_TOKEN:
+        required: false
+      PR_CREATE_TOKEN:
+        required: false
 env:
-  PIPELINES_CLI_VERSION: v0.39.0
-  PIPELINES_ACTIONS_VERSION: v3.6.4
+  PIPELINES_CLI_VERSION: v0.40.0-rc10
+  PIPELINES_ACTIONS_VERSION: ore/dev-927-rework-pipelines-status-update-action
   BOILERPLATE_VERSION: v0.5.16
   GRUNTWORK_INSTALLER_VERSION: v0.0.40
 
@@ -56,7 +56,6 @@ jobs:
           FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
           api_base_url: ${{ inputs.api_base_url }}
 
-
       - name: Fetch Org Read Token
         id: pipelines-customer-org-read-token
         uses: gruntwork-io/pipelines-credentials@v1

.github/workflows/pipelines-root.yml

@@ -38,8 +38,8 @@ on:
         required: false
 
 env:
-  PIPELINES_CLI_VERSION: v0.39.0
-  PIPELINES_ACTIONS_VERSION: v3.6.4
+  PIPELINES_CLI_VERSION: v0.40.0-rc10
+  PIPELINES_ACTIONS_VERSION: ore/dev-927-rework-pipelines-status-update-action
   BOILERPLATE_VERSION: v0.5.16
   GRUNTWORK_INSTALLER_VERSION: v0.0.40
 
@@ -107,7 +107,7 @@ jobs:
           ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
           token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
 
-      - name: Validate PIPELINES_READ_TOKEN
+      - name: Report error if token with access to gruntwork repos is invalid
         if: always() && steps.checkout_actions.conclusion != 'success'
         env:
           GH_TOKEN: ${{ github.token }}
@@ -117,7 +117,7 @@ jobs:
         run: |
           logs_url="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
           msg=$(printf "<h2>❌ Plan for $PR_HEAD_SHA</h2>❌ Gruntwork Pipelines was unable to checkout the <code>pipelines-actions</code> repository. Please ensure the <code>PIPELINES_READ_TOKEN</code> is valid and unexpired. <a href=\"https://docs.gruntwork.io/pipelines/security/machine-users#ci-read-only-user\">Learn More</a><br><br><br><a href=\"$logs_url\">View full logs</a>")
-          echo "::error:: $msg"
+          echo "::error:: $msg" # Results in step failure but rest of logic in this step will still run
           echo "$msg" >> "$GITHUB_STEP_SUMMARY"
           pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
           gh pr comment $pull_number -b "$msg" -R $GITHUB_ORG || true # || true incase this fails on a non-PR run
@@ -129,13 +129,19 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
+        with:
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
       - name: Preflight Checks
         uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
         with:
           IS_ROOT: "true"
           PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
           INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
-          ORG_REPO_ADMIN_TOKEN:  ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
+          ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
           PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
           PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
           PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
@@ -196,6 +202,14 @@ jobs:
           FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
           api_base_url: ${{ inputs.api_base_url }}
 
+      - name: Fetch Propose Infra Change Token
+        id: pipelines-propose-infra-change-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
       - name: Checkout Pipelines Actions
         uses: actions/checkout@v4
         with:
@@ -211,11 +225,16 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
+        with:
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
       - name: Bootstrap Workflow
         id: gruntwork_context
         uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
         with:
-          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
           PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
           change_type: ${{ matrix.jobs.ChangeType }}
           branch: ${{ matrix.jobs.Ref }}
@@ -299,7 +318,7 @@ jobs:
           PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
           gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
 
-      - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt"
+      - name: "[TerragruntExecute]: Run terragrunt ${{ steps.gruntwork_context.outputs.terragrunt_command }} in ${{ steps.gruntwork_context.outputs.working_directory }}"
         id: terragrunt
         if: ${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' }}
         uses: ./pipelines-actions/.github/actions/pipelines-execute
@@ -318,27 +337,18 @@ jobs:
           deploy_branch_name: ${{ steps.gruntwork_context.outputs.deploy_branch_name }}
           stack_paths: ${{ toJson(matrix.jobs.StackPaths) }}
 
-      - name: Get Logs URL
-        id: get_logs_url
-        uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url
-        if: always()
-        with:
-          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
-          job_name: ${{ env.JOB_NAME }}
-          step_name_prefix: "${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' && '[TerragruntExecute]:\ Authenticate with AWS and then Invoke Terragrunt' || (steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' && 'Run core accounts baselines' || '[ProvisionAccount]:\ Provision New Account') }}"
-
       - name: Update comment
-        uses: ./pipelines-actions/.github/actions/pipelines-status-update
         if: always()
+        uses: ./pipelines-actions/.github/actions/pipelines-comment-job-update
         with:
+          PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
           step_name: ${{ matrix.jobs.ChangeType }}
           step_working_directory: ${{ matrix.jobs.WorkingDirectory }}
+          step_terragrunt_command: ${{ matrix.jobs.Action.Command }}
           step_status: ${{ (steps.provision_new_account.conclusion == 'success' || steps.terragrunt.conclusion == 'success' || steps.core_accounts_baselines.conclusion == 'success') && 'success' || 'failed' }}
-          step_details: ${{ steps.terragrunt.outputs.formatted_plan_output }}
-          step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }}
-          pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }}
-          step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }}
-          PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
+          plan_apply_log_file_path: ${{ steps.terragrunt.outputs.plan_folder }}
+          extended_log_file_path: ${{ steps.terragrunt.outputs.execute_stdout_log }}
+          job_name: ${{ env.JOB_NAME }}
 
     outputs:
       account_id: ${{ matrix.jobs.AccountId }}
@@ -403,19 +413,28 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 
-      - name: Update comment
-        uses: ./pipelines-actions/.github/actions/pipelines-status-update
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
         with:
-          step_name: Baseline Child Account ${{ matrix.jobs.Name }}
-          step_status: "in_progress"
-          pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }}
-          PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Update comment
+        shell: bash
+        working-directory: ./infra-live-repo
+        env:
+          GH_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+          ACTION: "Baseline Child Account ${{ matrix.jobs.Name }}"
+        run: |
+          pipelines scm create-change-request-comment \
+            --working-directory "." \
+            --auto-header \
+            --comment "🔄 $ACTION..."
 
       - name: Bootstrap Workflow
         id: gruntwork_context
         uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
         with:
-          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
           PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
           change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }}
           branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }}
@@ -459,26 +478,17 @@ jobs:
           job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }}
           gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }}
 
-      - name: Get Logs URL
-        id: get_logs_url
-        uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url
-        if: always()
-        with:
-          PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
-          job_name: ${{ env.JOB_NAME }}
-          step_name_prefix: "[Baseline]: Baseline the Child Account"
-
       - name: Update comment
-        uses: ./pipelines-actions/.github/actions/pipelines-status-update
-        if: always()
-        with:
-          step_name: Baseline Child Account ${{ matrix.jobs.Name }}
-          step_status: ${{ steps.baseline_child_account.conclusion == 'success' && 'success' || 'failed' }}
-          step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || 'Check the logs for more details.' }}
-          step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }}
-          pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }}
-          step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }}
-          PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+        shell: bash
+        working-directory: ./infra-live-repo
+        env:
+          GH_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+          ACTION: "Baseline Child Account ${{ matrix.jobs.Name }}"
+        run: |
+          pipelines scm create-change-request-comment \
+            --working-directory "." \
+            --auto-header \
+            --comment "✅ $ACTION\nCheck the logs for more details."
 
   pipelines_setup_delegated_repo:
     name: "Setup Delegated Repo"
@@ -526,11 +536,16 @@ jobs:
           fetch-depth: 0
           token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
+        with:
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
       - name: Bootstrap Workflow
         id: gruntwork_context
         uses: ./pipelines-actions/.github/actions/pipelines-bootstrap
         with:
-          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
           PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
           change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }}
           branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }}
@@ -585,3 +600,88 @@ jobs:
           pr_body: ${{ steps.provision_delegated_repo.outputs.pr_body }}
           requesting_pr_number: ${{ steps.provision_delegated_repo.outputs.requesting_pr_number }}
           step_summary_content: ${{ steps.provision_delegated_repo.outputs.step_summary_content }}
+
+  pipelines_status_check:
+    name: "Pipelines Status Check"
+    runs-on: ${{ fromJSON(inputs.runner) }}
+    needs: [pipelines_orchestrate, pipelines_execute]
+    if: always() && fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0] != null
+    steps:
+      - name: Record workflow env vars
+        env:
+          PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }}
+        run: |
+          time_now=$(date -u +"%s")
+          echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV
+          echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV
+
+      - name: Fetch Gruntwork Read Token
+        id: pipelines-gruntwork-read-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Org Read Token
+        id: pipelines-customer-org-read-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Fetch Create PR Token
+        id: pipelines-propose-infra-change-token
+        uses: gruntwork-io/pipelines-credentials@v1
+        with:
+          PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
+          FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+          api_base_url: ${{ inputs.api_base_url }}
+
+      - name: Checkout Pipelines Actions
+        uses: actions/checkout@v4
+        with:
+          path: pipelines-actions
+          repository: gruntwork-io/pipelines-actions
+          ref: ${{ env.PIPELINES_ACTIONS_VERSION }}
+          token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Check out repo code
+        uses: actions/checkout@v4
+        with:
+          path: infra-live-repo
+          fetch-depth: 0
+          token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Install Pipelines CLI
+        uses: ./pipelines-actions/.github/actions/pipelines-install
+        with:
+          version: ${{ env.PIPELINES_CLI_VERSION }}
+          PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+      - name: Check Status
+        shell: bash
+        working-directory: ./infra-live-repo
+        env:
+          PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
+        run: |
+          GH_TOKEN="$PR_COMMENT_WRITE_TOKEN" \
+            GH_ARTIFACT_TOKEN="$PR_COMMENT_WRITE_TOKEN" \
+            pipelines status-update finalize \
+            --working-directory . \
+            --ci github-actions >/tmp/finalize-output.json
+
+          pipeline_status=$(jq -r '.status' </tmp/finalize-output.json)
+
+          cat /tmp/finalize-output.json
+
+          printf '%.s─' $(seq 1 "$(tput -T dumb cols)")
+          echo " "
+          if [[ "$pipeline_status" == "success" ]]; then
+            echo -e "✅ \033[1;32mPipeline Passed\033[0m"
+            exit 0
+          else
+            echo -e "❌ \033[1;31mPipeline Failed\033[0m"
+            exit 1
+          fi