From 6ff447bb30b869e973055b5535c142fefe1170d8 Mon Sep 17 00:00:00 2001
From: Lewis Christie
Date: Wed, 10 Sep 2025 18:04:05 -0600
Subject: [PATCH 1/5] Add commit-locks
---
.github/workflows/pipelines-commit-locks.yml | 158 +++++++++++++++++++
1 file changed, 158 insertions(+)
create mode 100644 .github/workflows/pipelines-commit-locks.yml
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
new file mode 100644
index 0000000..e1b0471
--- /dev/null
+++ b/.github/workflows/pipelines-commit-locks.yml
@@ -0,0 +1,158 @@
+name: Pipelines
+run-name: Commit Locks
+on:
+ workflow_call:
+ inputs:
+ # This field can be overriden to customize the runner used for pipelines
+ # workflows.
+ #
+ # IMPORTANT: To use self-hosted runners this workflow must be hosted in
+ # the same GitHub organization as your infra-live repository.
+ # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners
+ #
+ # The value must be an escaped JSON string that will be decoded to the
+ # jobs.runs-on field
+ # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on
+ #
+ # For example:
+ # - A simple github runner: "\"ubuntu-22.04\""
+ # - A list of labels: "[\"self-hosted\", \"linux\"]"
+ # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}"
+ runner:
+ type: string
+ default: '"ubuntu-latest"'
+ api_base_url:
+ type: string
+ default: "https://api.prod.app.gruntwork.io/api/v1"
+ pipelines_binary_url:
+ type: string
+ default: ""
+ description: "Override where we fetch pipelines from, used for internal testing"
+ pipelines_cli_version:
+ type: string
+ default: "v0.40.0-rc22"
+ description: "For Gruntwork internal testing - the version of the pipelines CLI to use"
+ pipelines_actions_ref:
+ type: string
+ default: "main"
+ description: "For Gruntwork internal testing - the ref of the pipelines actions to use"
+ pipelines_credentials_ref:
+ type: string
+ default: "v1"
+ description: "For Gruntwork internal testing - the ref of the pipelines credentials to use"
+
+ secrets:
+ PIPELINES_READ_TOKEN:
+ required: false
+ PR_CREATE_TOKEN:
+ required: false
+env:
+ PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }}
+ PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }}
+ PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }}
+ BOILERPLATE_VERSION: v0.5.16
+ GRUNTWORK_INSTALLER_VERSION: v0.0.40
+
+jobs:
+ pipelines_commit_locks:
+ name: Pipelines Commit Locks
+ runs-on: ${{ fromJSON(inputs.runner) }}
+ steps:
+ - name: Record workflow env vars
+ env:
+ PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }}
+ run: |
+ time_now=$(date -u +"%s")
+ echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV
+ echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV
+ - name: Checkout Pipelines Credentials
+ uses: actions/checkout@v4
+ with:
+ path: pipelines-credentials
+ repository: gruntwork-io/pipelines-credentials
+ ref: ${{ env.PIPELINES_CREDENTIALS_REF }}
+
+ - name: Fetch Gruntwork Read Token
+ id: pipelines-gruntwork-read-token
+ uses: ./pipelines-credentials
+ with:
+ PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ api_base_url: ${{ inputs.api_base_url }}
+
+ - name: Fetch Org Read Token
+ id: pipelines-customer-org-read-token
+ uses: ./pipelines-credentials
+ with:
+ PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ api_base_url: ${{ inputs.api_base_url }}
+
+ - name: Fetch Create PR Token
+ id: pipelines-propose-infra-change-token
+ uses: gruntwork-io/pipelines-credentials@v1
+ with:
+ PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
+ FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+ api_base_url: ${{ inputs.api_base_url }}
+
+ - name: Checkout Pipelines Actions
+ uses: actions/checkout@v4
+ with:
+ path: pipelines-actions
+ repository: gruntwork-io/pipelines-actions
+ ref: ${{ env.PIPELINES_ACTIONS_REF }}
+ token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+ - name: Check out repo code
+ uses: actions/checkout@v4
+ with:
+ path: infra-live-repo
+ fetch-depth: 0
+ token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+ - name: Install Mise
+ id: mise-toml
+ uses: jdx/mise-action@v2
+ with:
+ install: true
+ cache: true
+ version: 2024.10.8
+ working_directory: "./infra-live-repo"
+
+ - name: Install Pipelines CLI
+ uses: ./pipelines-actions/.github/actions/pipelines-install
+ with:
+ version: ${{ env.PIPELINES_CLI_VERSION }}
+ PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+
+ - name: Configure code auth
+ uses: ./pipelines-actions/.github/actions/pipelines-code-auth
+ with:
+ PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
+ PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+
+ - name: Create Locks
+ id: create-locks
+ working-directory: ./infra-live-repo
+ env:
+ TG_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10"
+ run: |
+ terragrunt run --all --provider-cache --queue-exclude-dir=. -- providers lock -platform=linux_amd64
+
+ - name: Commit Locks
+ id: commit-locks
+ working-directory: ./infra-live-repo
+ env:
+ GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+ AUTHOR_NAME: ${{ github.actor }}
+ AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
+ ACTION_PATH: ${{ github.action_path }}
+ run: |
+ pipelines scm propose-infra-change \
+ --working-directory "$WORKING_DIRECTORY" \
+ --change-request-branch-name "pipelines-update-locks" \
+ --commit-message "Terraform Lock File Update" \
+ --title "Terraform Lock File Update" \
+ --author-name "$AUTHOR_NAME" \
+ --author-email "$AUTHOR_EMAIL"
\ No newline at end of file
From 8db3560e68ef7831348c02f193d1956793432a10 Mon Sep 17 00:00:00 2001
From: Lewis Christie
Date: Wed, 10 Sep 2025 18:09:52 -0600
Subject: [PATCH 2/5] Add GH_TOKEN for auth command
---
.github/workflows/pipelines-commit-locks.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
index e1b0471..da937cf 100644
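Review bot: The `Fetch Create PR Token` step falls back to `secrets.INFRA_ROOT_WRITE_TOKEN`, but the `workflow_call.secrets` block declares only `PIPELINES_READ_TOKEN` and `PR_CREATE_TOKEN`, so in a reusable workflow that fallback resolves to an empty string unless the caller passes `secrets: inherit`, while the declared `PR_CREATE_TOKEN` is never referenced anywhere. The fix is to use the declared secret, `FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }}`; the same defect is what patch 4's hunk inherits when it switches the `Commit Locks` step's `GH_TOKEN` to this step's output. That step also uses `gruntwork-io/pipelines-credentials@v1` where its two sibling steps use the `./pipelines-credentials` checkout, so the `pipelines_credentials_ref` input does not govern the write-token path; `uses: ./pipelines-credentials` would make the three consistent. Separately, `Commit Locks` passes `--working-directory "$WORKING_DIRECTORY"` but nothing in its `env` sets `WORKING_DIRECTORY` (only the unused `ACTION_PATH`), so the CLI receives an empty string; add `WORKING_DIRECTORY: "."` to that step's `env` or drop the flag.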
--- a/.github/workflows/pipelines-commit-locks.yml
+++ b/.github/workflows/pipelines-commit-locks.yml
@@ -136,6 +136,7 @@ jobs:
 id: create-locks
 working-directory: ./infra-live-repo
 env:
+ GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 TG_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10"
 run: |
 terragrunt run --all --provider-cache --queue-exclude-dir=. -- providers lock -platform=linux_amd64
From 66ea616be92859fd9328f2bb44ceaf4997de42a4 Mon Sep 17 00:00:00 2001
From: Lewis Christie
Date: Wed, 10 Sep 2025 18:23:21 -0600
Subject: [PATCH 3/5] Use pipelines for exec
---
.github/workflows/pipelines-commit-locks.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
index da937cf..7ab1838 100644
--- a/.github/workflows/pipelines-commit-locks.yml
+++ b/.github/workflows/pipelines-commit-locks.yml
@@ -135,11 +135,17 @@ jobs:
 - name: Create Locks
 id: create-locks
 working-directory: ./infra-live-repo
+ continue-on-error: true
 env:
 GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
 TG_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10"
+ COMMAND: "run --all --provider-cache --queue-exclude-dir=. --queue-ignore-errors -- providers lock -platform=linux_amd64"
 run: |
- terragrunt run --all --provider-cache --queue-exclude-dir=. -- providers lock -platform=linux_amd64
+ pipelines execute terragrunt \
+ --command "$COMMAND" \
+ --infra-live-repo "." \
+ --working-directory "." \
+ --infra-live-repo-branch "$GITHUB_REF_NAME"
 
 - name: Commit Locks
 id: commit-locks
From e06c35e453f0108e31aa34f456997b4b3d106807 Mon Sep 17 00:00:00 2001
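Review bot: The added `GH_TOKEN` line carries no comment saying which consumer needs it, and nothing in the step's own `run:` references it; per the commit subject it is presumably read by the `pipelines auth` command configured in `TG_AUTH_PROVIDER_CMD`, but a reader of the file cannot tell. A one-line comment above it would make that explicit, e.g. `# Consumed by the pipelines auth command in TG_AUTH_PROVIDER_CMD, not by terragrunt itself`. Because it is a step-level `env` entry it is inherited by every process terragrunt spawns across `run --all`; that is acceptable for the read-scoped token used here, but worth keeping in mind if this step is ever given the write-capable token.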
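Review bot: `continue-on-error: true` combined with `--queue-ignore-errors` makes a run where some modules failed to lock indistinguishable from a clean one, and the `Commit Locks` step that follows (its body lies outside this hunk) has no `if:` on `steps.create-locks.outcome`, so partial lock-file sets are proposed with no signal to the reviewer. If best-effort is the intent, state it above the step, e.g. `# Best-effort: modules that fail to lock are skipped; whatever lock files were produced are still proposed by the next step.`, and consider surfacing `steps.create-locks.outcome` in the proposed change's title or commit message so a partial run can be told apart from a complete one. The `--infra-live-repo "."` and `--working-directory "."` values are hard-coded here while the same repo path is spelled `./infra-live-repo` in `working-directory:`; that is consistent only because the step runs inside that directory, so a short comment noting the relative paths are resolved from the step's `working-directory` would help.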
From: Lewis Christie
Date: Wed, 10 Sep 2025 18:31:22 -0600
Subject: [PATCH 4/5] Fix token
---
.github/workflows/pipelines-commit-locks.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
index 7ab1838..23eacc0 100644
--- a/.github/workflows/pipelines-commit-locks.yml
+++ b/.github/workflows/pipelines-commit-locks.yml
@@ -151,7 +151,7 @@ jobs:
 id: commit-locks
 working-directory: ./infra-live-repo
 env:
- GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }}
+ GH_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}
 AUTHOR_NAME: ${{ github.actor }}
 AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
 ACTION_PATH: ${{ github.action_path }}
From 94adc8984dc6c1cae1ad847c056f7a9278af2a8e Mon Sep 17 00:00:00 2001
From: Lewis Christie
Date: Wed, 10 Sep 2025 18:40:44 -0600
Subject: [PATCH 5/5] Add fixme comment
---
.github/workflows/pipelines-commit-locks.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pipelines-commit-locks.yml b/.github/workflows/pipelines-commit-locks.yml
index 23eacc0..9a53657 100644
--- a/.github/workflows/pipelines-commit-locks.yml
+++ b/.github/workflows/pipelines-commit-locks.yml
@@ -156,6 +156,7 @@ jobs:
 AUTHOR_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
 ACTION_PATH: ${{ github.action_path }}
 run: |
+ # FIXME: Plumb through a filter to only commit .terraform.lock.hcl
 pipelines scm propose-infra-change \
 --working-directory "$WORKING_DIRECTORY" \
 --change-request-branch-name "pipelines-update-locks" \
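Review bot: The FIXME records that `propose-infra-change` currently commits whatever is in the working tree, not just `.terraform.lock.hcl`, yet the script still goes straight to proposing the change; after a `continue-on-error` lock run, anything else left behind in the checkout would be pushed under a write-capable token with a commit message claiming a lock-file update. Until the filter is plumbed through, a guard before the `pipelines scm` call keeps the step honest: `if git ls-files -mo --exclude-standard | grep -v '\.terraform\.lock\.hcl$'; then echo "refusing to propose non-lock-file changes" >&2; exit 1; fi`. This assumes `.terraform/` directories are gitignored in the infra-live repo as is usual, so `--exclude-standard` drops them; if they are not, the guard would need to exclude them explicitly. The rest of the `run:` block continues outside this hunk.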