diff --git a/.github/workflows/base-image.yaml b/.github/workflows/base-image.yaml index 8b437a82..4cc4e8f0 100644 --- a/.github/workflows/base-image.yaml +++ b/.github/workflows/base-image.yaml @@ -3,7 +3,7 @@ name: Update base image on: push: branches: - - main + - trixie paths: - image/Dockerfile-base - .github/workflows/base-image.yaml @@ -25,7 +25,7 @@ jobs: url: https://hub.docker.com/r/danielflook/terraform-github-actions-base/tags?name=${{ github.run_id }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -36,18 +36,18 @@ jobs: echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Base image id: build-and-push run: | - BASE_DIGEST=$(docker buildx imagetools inspect "debian:bookworm-slim" --format '{{json .}}' | jq -r '.manifest.digest') + BASE_DIGEST=$(docker buildx imagetools inspect "debian:trixie-slim" --format '{{json .}}' | jq -r '.manifest.digest') - sed -i "s|FROM debian:bookworm-slim|FROM debian:bookworm-slim@$BASE_DIGEST|" "image/Dockerfile-base" + sed -i "s|FROM debian:trixie-slim|FROM debian:trixie-slim@$BASE_DIGEST|" "image/Dockerfile-base" docker buildx build \ --tag "danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \ - --tag danielflook/terraform-github-actions-base:latest \ + --tag danielflook/terraform-github-actions-base:trixie \ --platform linux/amd64,linux/arm64 \ --attest "type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \ --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \ 
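Review bot: In the `Base image` step, the rewritten `sed -i "s|FROM debian:trixie-slim|FROM debian:trixie-slim@$BASE_DIGEST|"` silently does nothing when `image/Dockerfile-base` lacks that exact `FROM` text, and the Dockerfile change is not visible in this hunk. The build would then push an image from an unpinned base while the `base.manifest.digest` annotation and the provenance still record `$BASE_DIGEST`. I would fail the step before `docker buildx build` when the substitution did not land, e.g. `grep -qF "FROM debian:trixie-slim@$BASE_DIGEST" image/Dockerfile-base || { echo "::error:: base image not pinned"; exit 1; }`. The step's script continues into the next hunk.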
@@ -58,7 +58,7 @@ jobs: --annotation "index:org.opencontainers.image.ref.name=docker.io/danielflook/terraform-github-actions-base:$GITHUB_RUN_ID" \ --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \ --annotation "index,manifest:ref.tag=$GITHUB_RUN_ID" \ - --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/debian:bookworm-slim" \ + --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/debian:trixie-slim" \ --annotation "index,manifest:base.manifest.digest=$BASE_DIGEST" \ --file image/Dockerfile-base \ --push \ @@ -68,7 +68,7 @@ jobs: echo "digest=$(> "$GITHUB_OUTPUT" - name: Generate image attestation - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-name: index.docker.io/danielflook/terraform-github-actions-base subject-digest: ${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/pull_request_review.yaml b/.github/workflows/pull_request_review.yaml index 62239326..86d72c40 100644 --- a/.github/workflows/pull_request_review.yaml +++ b/.github/workflows/pull_request_review.yaml @@ -17,7 +17,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/pull_request_target.yaml b/.github/workflows/pull_request_target.yaml index 94a06760..66da8752 100644 --- a/.github/workflows/pull_request_target.yaml +++ b/.github/workflows/pull_request_target.yaml 
@@ -29,13 +29,13 @@ jobs: EOF - name: Plan - uses: dflook/terraform-plan@v1 + uses: dflook/terraform-plan@7878bff63e2099cdc9be9a6f33cbbbf687f8f0fe # v2.2.3 with: label: pull_request_target path: test-module - name: Apply - uses: dflook/terraform-apply@v1 + uses: dflook/terraform-apply@5489b988934a50bf1489d5b7c5253b46520a7dca # v2.2.3 id: output with: label: pull_request_target diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 050ff879..195f43c2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -25,7 +25,7 @@ jobs: base-digest: ${{ steps.image_build.outputs.base-digest }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -43,7 +43,7 @@ jobs: echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build action image id: image_build @@ -85,13 +85,13 @@ jobs: echo "base-digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT" - name: Dockerhub ref attestation - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-name: index.docker.io/danielflook/terraform-github-actions subject-digest: ${{ steps.image_build.outputs.digest }} - name: GHCR ref attestation - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-name: ghcr.io/dflook/terraform-github-actions subject-digest: ${{ steps.image_build.outputs.digest }} 
@@ -106,7 +106,7 @@ jobs: url: https://github.com/dflook/terraform-github-actions/releases/tag/${{ github.event.release.tag_name }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: false @@ -206,7 +206,7 @@ jobs: echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Tag and push base image with release version env: diff --git a/.github/workflows/repository_dispatch.yaml b/.github/workflows/repository_dispatch.yaml index 13ad72c8..dcceb755 100644 --- a/.github/workflows/repository_dispatch.yaml +++ b/.github/workflows/repository_dispatch.yaml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/retain-images.yaml b/.github/workflows/retain-images.yaml index 26e5beb1..184cc8b3 100644 --- a/.github/workflows/retain-images.yaml +++ b/.github/workflows/retain-images.yaml @@ -16,7 +16,7 @@ jobs: name: Pull images steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false fetch-depth: 0 diff --git a/.github/workflows/test-apply.yaml b/.github/workflows/test-apply.yaml index 1c35165e..50852eb9 100644 --- a/.github/workflows/test-apply.yaml +++ b/.github/workflows/test-apply.yaml @@ -12,7 +12,7 @@ jobs: name: Auto Approve steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -58,7 +58,7 @@ jobs: name: Auto Approve plan error steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -74,6 +74,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} RUN_ID: ${{ steps.apply.outputs.run_id }} @@ -88,6 +89,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + if [[ -n "$JSON_PLAN_PATH" ]]; then echo "::error:: json_plan_path should not be set" exit 1 @@ -115,7 +121,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -137,6 +143,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} JSON_PLAN_PATH: ${{ steps.apply.outputs.json_plan_path }} TEXT_PLAN_PATH: ${{ steps.apply.outputs.text_plan_path }} RUN_ID: ${{ steps.apply.outputs.run_id }} @@ -151,6 +158,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + cat "$JSON_PLAN_PATH" if [[ $(jq -r .format_version "$JSON_PLAN_PATH") != "1.2" ]]; then echo "::error:: json_plan_path not set correctly" @@ -172,7 +184,7 @@ jobs: name: Apply without token steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
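Review bot: The added `failure_reason` assertion, first at `@@ -88,6 +89,11 @@` of test-apply.yaml, reports a mismatch without printing either value, so a failing run does not show which output was wrong. The same block is repeated verbatim in the other check steps of test-apply, test-binary-plan, test-changes-only, test-check, test-cloud, test-fmt-check and test-refresh. Printing both values makes the log self-explanatory: `echo "::error:: failure_reason '$FAILURE_REASON_UNDERSCORE' != failure-reason '$FAILURE_REASON'"`. Passing the outputs through `env:` rather than interpolating `${{ }}` into the script is the right pattern and should stay.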
@@ -187,6 +199,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} RUN_ID: ${{ steps.apply.outputs.run_id }} run: | if [[ "$OUTCOME" != "failure" ]]; then @@ -199,6 +212,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + if [[ -n "$RUN_ID" ]]; then echo "::error:: run_id should not be set" exit 1 @@ -214,7 +232,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -302,7 +320,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -406,7 +424,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -512,7 +530,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -616,7 +634,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -676,7 +694,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -724,7 +742,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -773,7 +791,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -827,7 +845,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.FINE_PAT_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -882,7 +900,7 @@ jobs: TERRAFORM_ACTIONS_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -936,7 +954,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -969,7 +987,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1051,7 +1069,7 @@ jobs: echo "testing command 2" steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1087,7 +1105,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -1117,12 +1135,12 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Plan - uses: dflook/terraform-plan@v1.22.2 + uses: dflook/terraform-plan@1547271e3127df7ad5b667eeed17e8e3a77a76a0 # v1.22.2 with: label: test-apply warnings_text path: tests/workflows/test-apply/warnings @@ -1147,7 +1165,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1173,7 +1191,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1197,6 +1215,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -1208,6 +1227,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + partial_backend_fingerprint: runs-on: ubuntu-24.04 name: Get comment using partial fingerprint @@ -1220,12 +1244,12 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Plan - uses: dflook/terraform-plan@v1.31.0 + uses: dflook/terraform-plan@cf2c225e3088d0cbd3bedc68690c216033e3013a # v1.31.0 with: path: tests/workflows/test-apply/partial_backend backend_config_file: tests/workflows/test-apply/partial_backend/backend_config 
@@ -1248,7 +1272,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1280,7 +1304,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1314,7 +1338,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1372,7 +1396,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1396,7 +1420,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1420,7 +1444,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1512,7 +1536,7 @@ jobs: name: Apply with multiple var files steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-binary-plan.yaml b/.github/workflows/test-binary-plan.yaml index bf920a1d..1db5d5a4 100644 --- a/.github/workflows/test-binary-plan.yaml +++ b/.github/workflows/test-binary-plan.yaml 
@@ -12,7 +12,7 @@ jobs: name: Missing plan steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -44,7 +44,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -68,7 +68,7 @@ jobs: name: Apply auto approved changes steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -98,7 +98,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -128,6 +128,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -138,3 +139,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-changes-only.yaml b/.github/workflows/test-changes-only.yaml index b5e26a33..222ba8e8 100644 --- a/.github/workflows/test-changes-only.yaml +++ b/.github/workflows/test-changes-only.yaml @@ -17,7 +17,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -48,12 +48,18 @@ jobs: - name: Check failure-reason env: FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + change_then_no_changes: runs-on: ubuntu-24.04 name: changes-only should still replace a change comment @@ -64,7 +70,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -118,12 +124,18 @@ jobs: - name: Check failure-reason env: FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + no_changes_then_changes: runs-on: ubuntu-24.04 name: Apply with changes should fail after a changes-only plan with no changes @@ -134,7 +146,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -171,6 +183,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" 
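Review bot: In the two `Check failure-reason` steps here, `FAILURE_REASON` has just been asserted to be empty, so the added comparison also passes when the action defines no `failure_reason` output at all, because a missing output expands to an empty string. That is the expected result on success, but these steps then add no coverage for the alias. A short comment in the script, e.g. `# both empty on success; the failure_reason alias is exercised by the failure jobs`, would stop a reader assuming otherwise. The same applies to the no-failure checks in test-check.yaml and test-fmt-check.yaml.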
@@ -182,6 +195,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + apply_when_plan_has_changed: runs-on: ubuntu-24.04 name: Apply should fail if the approved plan has changed @@ -192,7 +210,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -219,6 +237,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -229,3 +248,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-check.yaml b/.github/workflows/test-check.yaml index cb3631d2..b9cb4e1b 100644 --- a/.github/workflows/test-check.yaml +++ b/.github/workflows/test-check.yaml @@ -12,7 +12,7 @@ jobs: name: No changes steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -25,18 +25,24 @@ jobs: - name: Check failure-reason env: FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.check.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + plan_change_comment: runs-on: ubuntu-24.04 name: Changes steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -51,6 +57,7 @@ jobs: env: OUTCOME: ${{ steps.check.outcome }} FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.check.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Check did not fail correctly" @@ -61,3 +68,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-cloud.yaml b/.github/workflows/test-cloud.yaml index 7c44d600..8dcf5eaf 100644 --- a/.github/workflows/test-cloud.yaml +++ b/.github/workflows/test-cloud.yaml @@ -19,7 +19,7 @@ jobs: tf_version: ['0.13', '1.0'] steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -168,6 +168,7 @@ jobs: env: CHECK_OUTCOME: ${{ steps.check.outcome }} FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.check.outputs.failure_reason }} run: | if [[ "$CHECK_OUTCOME" != "failure" ]]; then echo "Check didn't fail correctly" 
@@ -179,6 +180,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + - name: Destroy workspace uses: ./terraform-destroy-workspace with: @@ -317,7 +323,7 @@ jobs: TERRAFORM_CLOUD_TOKENS: app.terraform.io=${{ secrets.TF_API_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -410,6 +416,7 @@ jobs: env: CHECK_OUTCOME: ${{ steps.check.outcome }} FAILURE_REASON: ${{ steps.check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.check.outputs.failure_reason }} run: | if [[ "$CHECK_OUTCOME" != "failure" ]]; then echo "Check didn't fail correctly" @@ -421,6 +428,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + - name: Destroy workspace uses: ./terraform-destroy-workspace with: diff --git a/.github/workflows/test-early-eval.yaml b/.github/workflows/test-early-eval.yaml index cfe10274..6dfbc49c 100644 --- a/.github/workflows/test-early-eval.yaml +++ b/.github/workflows/test-early-eval.yaml @@ -19,7 +19,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-fmt-check.yaml b/.github/workflows/test-fmt-check.yaml index 193762e1..4b1e6157 100644 --- a/.github/workflows/test-fmt-check.yaml +++ b/.github/workflows/test-fmt-check.yaml @@ -12,7 +12,7 @@ jobs: name: Canonical fmt steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -25,19 +25,25 @@ jobs: - name: Check valid env: FAILURE_REASON: ${{ steps.fmt-check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.fmt-check.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + non_canonical_fmt: runs-on: ubuntu-24.04 name: Non canonical fmt continue-on-error: true steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -52,6 +58,7 @@ jobs: env: OUTCOME: ${{ steps.fmt-check.outcome }} FAILURE_REASON: ${{ steps.fmt-check.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.fmt-check.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "fmt-check did not fail correctly" @@ -62,3 +69,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-fmt.yaml b/.github/workflows/test-fmt.yaml index 643984c2..9752cac4 100644 --- a/.github/workflows/test-fmt.yaml +++ b/.github/workflows/test-fmt.yaml @@ -12,7 +12,7 @@ jobs: name: Canonical fmt steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-http.yaml b/.github/workflows/test-http.yaml index 2b0e4e04..6e7c04a5 100644 --- a/.github/workflows/test-http.yaml +++ b/.github/workflows/test-http.yaml 
@@ -20,7 +20,7 @@ jobs: github.com/dflook/terraform-github-actions-dev.git=dflook:${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -50,7 +50,7 @@ jobs: github.com/dflook=dflook:${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -80,7 +80,7 @@ jobs: github.com=dflook:${{ secrets.USER_GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -105,7 +105,7 @@ jobs: name: git+http no creds steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -134,7 +134,7 @@ jobs: 5qcb7mjppk.execute-api.eu-west-2.amazonaws.com=dflook:hello steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -171,7 +171,7 @@ jobs: name: http module source with no credentials steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-new-workspace.yaml b/.github/workflows/test-new-workspace.yaml index 0e85e1dd..99a99b93 100644 --- a/.github/workflows/test-new-workspace.yaml +++ b/.github/workflows/test-new-workspace.yaml @@ -19,7 +19,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
diff --git a/.github/workflows/test-output.yaml b/.github/workflows/test-output.yaml index 05fc79f8..ce4d67e5 100644 --- a/.github/workflows/test-output.yaml +++ b/.github/workflows/test-output.yaml @@ -16,7 +16,7 @@ jobs: name: verify outputs steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-plan.yaml b/.github/workflows/test-plan.yaml index e7e5c63b..cbebafdf 100644 --- a/.github/workflows/test-plan.yaml +++ b/.github/workflows/test-plan.yaml @@ -17,7 +17,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -79,7 +79,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -122,7 +122,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -195,7 +195,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -269,7 +269,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -344,7 +344,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -419,7 +419,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -493,7 +493,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -567,7 +567,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -641,7 +641,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -684,7 +684,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -737,7 +737,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -784,7 +784,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -832,7 +832,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -854,7 +854,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -876,7 +876,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -897,7 +897,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -937,7 +937,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -968,7 +968,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -992,7 +992,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1012,7 +1012,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1075,7 +1075,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -1101,7 +1101,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1121,7 +1121,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -1161,7 +1161,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-refresh.yaml b/.github/workflows/test-refresh.yaml index 589c80e7..a3e3eb2f 100644 --- a/.github/workflows/test-refresh.yaml +++ b/.github/workflows/test-refresh.yaml @@ -17,7 +17,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -119,6 +119,7 @@ jobs: env: OUTCOME: ${{ steps.apply.outcome }} FAILURE_REASON: ${{ steps.apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -130,6 +131,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + - name: Apply without refresh uses: ./terraform-apply with: diff --git a/.github/workflows/test-registry.yaml b/.github/workflows/test-registry.yaml index 4f585360..fb76a823 100644 --- a/.github/workflows/test-registry.yaml +++ b/.github/workflows/test-registry.yaml 
@@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -74,7 +74,7 @@ jobs: app.terraform.io = ${{ secrets.TF_API_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -105,7 +105,7 @@ jobs: name: Nonsense cloud credentials steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-remote-state.yaml b/.github/workflows/test-remote-state.yaml index f368d5ec..d459a40d 100644 --- a/.github/workflows/test-remote-state.yaml +++ b/.github/workflows/test-remote-state.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-ssh.yaml b/.github/workflows/test-ssh.yaml index df0fdb5d..de5ef384 100644 --- a/.github/workflows/test-ssh.yaml +++ b/.github/workflows/test-ssh.yaml @@ -15,7 +15,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -52,7 +52,7 @@ jobs: name: Git module source with no key steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-target-replace-exclude.yaml b/.github/workflows/test-target-replace-exclude.yaml index 048ef2bf..c506c36d 100644 --- a/.github/workflows/test-target-replace-exclude.yaml +++ b/.github/workflows/test-target-replace-exclude.yaml 
@@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -262,7 +262,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -557,7 +557,7 @@ jobs: pull-requests: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test-test.yaml b/.github/workflows/test-test.yaml index 35796418..d5515c9e 100644 --- a/.github/workflows/test-test.yaml +++ b/.github/workflows/test-test.yaml @@ -12,7 +12,7 @@ jobs: name: Default inputs steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -27,24 +27,36 @@ jobs: - name: Check Passed env: FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.test.outputs.failure_reason }} JUNIT_XML_PATH: ${{ steps.test.outputs.junit-xml-path }} + JUNIT_XML_PATH_UNDERSCORE: ${{ steps.test.outputs.junit_xml_path }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + if [[ "$JUNIT_XML_PATH" != "" ]]; then echo "::error:: junit-xml-path should not be set" exit 1 fi + if [[ "$JUNIT_XML_PATH_UNDERSCORE" != "$JUNIT_XML_PATH" ]]; then + echo "::error:: junit_xml_path not set correctly" + exit 1 + fi + junit: runs-on: ubuntu-24.04 name: Junit support steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -59,18 +71,30 @@ jobs: - name: Check Passed env: FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.test.outputs.failure_reason }} JUNIT_XML_PATH: ${{ steps.test.outputs.junit-xml-path }} + JUNIT_XML_PATH_UNDERSCORE: ${{ steps.test.outputs.junit_xml_path }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + if [[ "$JUNIT_XML_PATH" == "" ]]; then echo "::error:: junit-xml-path should be set" exit 1 fi + if [[ "$JUNIT_XML_PATH_UNDERSCORE" != "$JUNIT_XML_PATH" ]]; then + echo "::error:: junit_xml_path not set correctly" + exit 1 + fi + # Check the output looks right if [[ ! -f "$JUNIT_XML_PATH" ]]; then echo "::error:: junit-xml-path does not point to a file" 
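Review bot: In the `Check Passed` step of the default-inputs job, the added comparison `"$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON"` cannot fail once the preceding check has passed. That check requires `FAILURE_REASON` to be empty, and an output that was never set also expands to an empty string; the same applies to `JUNIT_XML_PATH_UNDERSCORE` in this job. In the success-path jobs the `failure_reason` alias is therefore not exercised, and only the jobs that expect a failure (plus the junit job for `junit_xml_path`) would notice a missing alias. The same pattern appears in the later test-test.yaml hunks at -101 and -129 and in the `valid` job of test-validate.yaml. A comment such as `# both values are empty on success; the alias is verified by the failure-path jobs` would stop readers from assuming coverage that is not there.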
@@ -87,7 +111,7 @@ jobs: name: Default path with a filter steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -101,18 +125,24 @@ jobs: - name: Check Passed env: FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.test.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + test_dir: runs-on: ubuntu-24.04 name: Custom test directory steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -129,18 +159,24 @@ jobs: - name: Check Passed env: FAILURE_REASON: ${{ steps.test.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.test.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + nonexistent_test_dir: runs-on: ubuntu-24.04 name: Missing test directory steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -156,6 +192,7 @@ jobs: env: OUTCOME: ${{ steps.nonexistent_test_dir.outcome }} FAILURE_REASON: ${{ steps.nonexistent_test_dir.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.nonexistent_test_dir.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" 
@@ -167,12 +204,17 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + faulty_filter: runs-on: ubuntu-24.04 name: Filter matches no tests steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -190,6 +232,7 @@ jobs: env: OUTCOME: ${{ steps.faulty_filter.outcome }} FAILURE_REASON: ${{ steps.faulty_filter.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.faulty_filter.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" @@ -201,12 +244,17 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + failing: runs-on: ubuntu-24.04 name: A failing test using variables steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -224,6 +272,7 @@ jobs: env: OUTCOME: ${{ steps.failing.outcome }} FAILURE_REASON: ${{ steps.failing.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.failing.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Test did not fail correctly" @@ -234,3 +283,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-unlock-state.yaml b/.github/workflows/test-unlock-state.yaml index f9761b0b..1d1eeac8 100644 --- a/.github/workflows/test-unlock-state.yaml +++ b/.github/workflows/test-unlock-state.yaml 
@@ -16,7 +16,7 @@ jobs: name: Default workspace steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -42,6 +42,7 @@ jobs: env: OUTCOME: ${{ steps.failed-apply.outcome }} FAILURE_REASON: ${{ steps.failed-apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.failed-apply.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -53,6 +54,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + # Check state-locked - name: Try using locked state using terraform-apply uses: ./terraform-apply @@ -66,7 +72,9 @@ jobs: env: OUTCOME: ${{ steps.locked-state-apply.outcome }} FAILURE_REASON: ${{ steps.locked-state-apply.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.locked-state-apply.outputs.failure_reason }} LOCK_INFO: ${{ steps.locked-state-apply.outputs.lock-info }} + LOCK_INFO_UNDERSCORE: ${{ steps.locked-state-apply.outputs.lock_info }} LOCK_ID: ${{ fromJson(steps.locked-state-apply.outputs.lock-info).ID }} run: | if [[ "$OUTCOME" != "failure" ]]; then @@ -79,6 +87,16 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + + if [[ "$LOCK_INFO_UNDERSCORE" != "$LOCK_INFO" ]]; then + echo "::error:: lock_info not set correctly" + exit 1 + fi + echo "$LOCK_INFO" echo "Lock id is $LOCK_ID" 
@@ -93,7 +111,9 @@ jobs: env: OUTCOME: ${{ steps.locked-state-destroy.outcome }} FAILURE_REASON: ${{ steps.locked-state-destroy.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.locked-state-destroy.outputs.failure_reason }} LOCK_INFO: ${{ steps.locked-state-destroy.outputs.lock-info }} + LOCK_INFO_UNDERSCORE: ${{ steps.locked-state-destroy.outputs.lock_info }} LOCK_ID: ${{ fromJson(steps.locked-state-destroy.outputs.lock-info).ID }} run: | if [[ "$OUTCOME" != "failure" ]]; then @@ -106,6 +126,16 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + + if [[ "$LOCK_INFO_UNDERSCORE" != "$LOCK_INFO" ]]; then + echo "::error:: lock_info not set correctly" + exit 1 + fi + echo "$LOCK_INFO" echo "Lock id is $LOCK_ID" @@ -127,7 +157,7 @@ jobs: name: Non Default workspace steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -161,6 +191,7 @@ jobs: env: OUTCOME: ${{ steps.failed-apply-workspace.outcome }} FAILURE_REASON: ${{ steps.failed-apply-workspace.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.failed-apply-workspace.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Apply did not fail correctly" @@ -172,6 +203,11 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + # Check state-locked - name: Try using locked state uses: ./terraform-apply 
@@ -186,7 +222,9 @@ jobs: env: OUTCOME: ${{ steps.locked-state-workspace.outcome }} FAILURE_REASON: ${{ steps.locked-state-workspace.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.locked-state-workspace.outputs.failure_reason }} LOCK_INFO: ${{ steps.locked-state-workspace.outputs.lock-info }} + LOCK_INFO_UNDERSCORE: ${{ steps.locked-state-workspace.outputs.lock_info }} LOCK_ID: ${{ fromJson(steps.locked-state-workspace.outputs.lock-info).ID }} run: | if [[ "$OUTCOME" != "failure" ]]; then @@ -199,6 +237,16 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + + if [[ "$LOCK_INFO_UNDERSCORE" != "$LOCK_INFO" ]]; then + echo "::error:: lock_info not set correctly" + exit 1 + fi + echo "$LOCK_INFO" echo "Lock id is $LOCK_ID" @@ -214,7 +262,9 @@ jobs: env: OUTCOME: ${{ steps.locked-state-destroy-workspace.outcome }} FAILURE_REASON: ${{ steps.locked-state-destroy-workspace.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.locked-state-destroy-workspace.outputs.failure_reason }} LOCK_INFO: ${{ steps.locked-state-destroy-workspace.outputs.lock-info }} + LOCK_INFO_UNDERSCORE: ${{ steps.locked-state-destroy-workspace.outputs.lock_info }} LOCK_ID: ${{ fromJson(steps.locked-state-destroy-workspace.outputs.lock-info).ID }} run: | if [[ "$OUTCOME" != "failure" ]]; then @@ -227,6 +277,16 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + + if [[ "$LOCK_INFO_UNDERSCORE" != "$LOCK_INFO" ]]; then + echo "::error:: lock_info not set correctly" + exit 1 + fi + echo "$LOCK_INFO" echo "Lock id is $LOCK_ID" diff --git a/.github/workflows/test-validate.yaml b/.github/workflows/test-validate.yaml index f7be0418..e871407b 100644 --- a/.github/workflows/test-validate.yaml +++ b/.github/workflows/test-validate.yaml 
@@ -12,7 +12,7 @@ jobs: name: valid steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -25,18 +25,24 @@ jobs: - name: Check valid env: FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.validate.outputs.failure_reason }} run: | if [[ "$FAILURE_REASON" != "" ]]; then echo "::error:: failure-reason not set correctly" exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + invalid: runs-on: ubuntu-24.04 name: Invalid terraform configuration steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -51,6 +57,7 @@ jobs: env: OUTCOME: ${{ steps.validate.outcome }} FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.validate.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" @@ -62,12 +69,17 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + validate_workspace: runs-on: ubuntu-24.04 name: Use workspace name during validation steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -94,6 +106,7 @@ jobs: env: OUTCOME: ${{ steps.validate.outcome }} FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.validate.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" 
@@ -105,12 +118,17 @@ jobs: exit 1 fi + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi + validate_remote_workspace: runs-on: ubuntu-24.04 name: Use workspace name during validation steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -125,7 +143,7 @@ jobs: name: Validate with unterminated string steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -140,6 +158,7 @@ jobs: env: OUTCOME: ${{ steps.validate.outcome }} FAILURE_REASON: ${{ steps.validate.outputs.failure-reason }} + FAILURE_REASON_UNDERSCORE: ${{ steps.validate.outputs.failure_reason }} run: | if [[ "$OUTCOME" != "failure" ]]; then echo "Validate did not fail correctly" @@ -150,3 +169,8 @@ jobs: echo "::error:: failure-reason not set correctly" exit 1 fi + + if [[ "$FAILURE_REASON_UNDERSCORE" != "$FAILURE_REASON" ]]; then + echo "::error:: failure_reason not set correctly" + exit 1 + fi diff --git a/.github/workflows/test-version.yaml b/.github/workflows/test-version.yaml index 37cc15da..d8398e63 100644 --- a/.github/workflows/test-version.yaml +++ b/.github/workflows/test-version.yaml @@ -12,7 +12,7 @@ jobs: name: specific required_version steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -38,7 +38,7 @@ jobs: name: required_version range steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -64,7 +64,7 @@ jobs: name: required_version with a v prefix steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -90,7 +90,7 @@ jobs: name: tfswitch steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -116,7 +116,7 @@ jobs: name: tfenv steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -142,7 +142,7 @@ jobs: name: tofuenv steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -168,7 +168,7 @@ jobs: name: asdf steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -211,7 +211,7 @@ jobs: name: TERRAFORM_VERSION range steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -239,7 +239,7 @@ jobs: name: TFC Workspace steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -283,7 +283,7 @@ jobs: name: TFC Cloud Configuration steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -329,7 +329,7 @@ jobs: name: Partial TFC Cloud Configuration steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -378,7 +378,7 @@ jobs: name: Partial TFC Cloud Configuration with tags steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -427,7 +427,7 @@ jobs: name: Local State file steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -454,7 +454,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -595,7 +595,7 @@ jobs: name: latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -642,7 +642,7 @@ jobs: name: provider versions steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -729,7 +729,7 @@ jobs: name: Version detection on arm steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -802,7 +802,7 @@ jobs: name: OPENTOFU_VERSION with terraform action steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -836,7 +836,7 @@ jobs: name: OPENTOFU_VERSION with tofu action steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -872,7 +872,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -908,7 +908,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -937,7 +937,7 @@ jobs: name: Get version constraint from hard to parse file steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a1eb5816..8405621f 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -12,12 +12,12 @@ jobs: name: pytest amd64 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 @@ -43,12 +43,12 @@ jobs: needs: pytest_amd64 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.9 @@ -73,7 +73,7 @@ jobs: name: Check documentation steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false @@ -87,7 +87,7 @@ jobs: name: Linting steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false 
@@ -98,7 +98,7 @@ jobs: ./actionlint example_workflows/*.yaml - name: Install the latest version of uv - uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - name: Actions Security Check env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -106,13 +106,13 @@ jobs: uvx zizmor --format plain . - name: Lint CHANGELOG - uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19 + uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0 with: config: '.config/changelog.markdownlint.yaml' globs: 'CHANGELOG.md' - name: Lint Other Markdown - uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19 + uses: DavidAnson/markdownlint-cli2-action@07035fd053f7be764496c0f8d8f9f41f98305101 # v22.0.0 with: config: '.config/.markdownlint.yaml' globs: | @@ -120,13 +120,13 @@ jobs: **/README.md - name: Lint Dockerfile - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 with: dockerfile: ./image/Dockerfile - name: Lint Dockerfile-base - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 with: dockerfile: ./image/Dockerfile-base @@ -142,6 +142,6 @@ jobs: V8R_CONFIG_FILE=.config/.v8rrc.yaml npx v8r --ignore-errors - - uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1 + - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6 # v3.6.1 with: args: --config=.config/ruff.toml check diff --git a/.github/workflows/trigger-test-events.yaml b/.github/workflows/trigger-test-events.yaml index f85207fd..eefd3e7a 100644 --- a/.github/workflows/trigger-test-events.yaml +++ b/.github/workflows/trigger-test-events.yaml 
@@ -14,7 +14,7 @@ jobs: contents: write steps: - name: Repository Dispatch - uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570 # v2 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: event-type: test client-payload: '{"pull_request": { "url": "${{ github.event.pull_request.url }}" } }' diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 81a51310..39d1b180 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,7 +1,3 @@ rules: - unpinned-uses: - config: - policies: - dflook/terraform-apply: ref-pin - dflook/terraform-plan: ref-pin - actions/*: ref-pin + secrets-outside-env: + disable: true diff --git a/docs-gen/action.py b/docs-gen/action.py index 40c14706..2102bd82 100644 --- a/docs-gen/action.py +++ b/docs-gen/action.py @@ -187,10 +187,10 @@ def assert_ordering(self): "plan_path", "json_plan_path", "text_plan_path", - "junit-xml-path", + "junit_xml_path", "to_add", - "failure-reason", - "lock-info", + "failure_reason", + "lock_info", "run_id", "terraform", "tofu", diff --git a/docs-gen/actions/apply.py b/docs-gen/actions/apply.py index d6739157..ffa08ed5 100644 --- a/docs-gen/actions/apply.py +++ b/docs-gen/actions/apply.py @@ -344,7 +344,7 @@ - name: Retry failed apply uses: dflook/$ToolName-apply@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'apply-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'apply-failed' }} with: path: $ToolName auto_approve: true diff --git a/docs-gen/actions/check.py b/docs-gen/actions/check.py index a941f516..e0657392 100644 --- a/docs-gen/actions/check.py +++ b/docs-gen/actions/check.py @@ -99,7 +99,7 @@ path: my-$ToolName-configuration - name: Changes detected - if: ${{ failure() && steps.check.outputs.failure-reason == 'changes-to-apply' }} + if: ${{ failure() && steps.check.outputs.failure_reason == 'changes-to-apply' }} run: echo "There are outstanding changes to apply" ``` ''' 
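Review bot: In `.github/zizmor.yml`, `secrets-outside-env` is disabled for the whole repository with no recorded reason, so the `zizmor` run in the linting job will stay silent about any workflow added later that reads a secret outside a deployment environment. Context lines elsewhere in this commit show `secrets.AWS_SECRET_ACCESS_KEY` and `secrets.TF_API_TOKEN` being passed at job level, which is presumably what produced the findings. If those uses are accepted, scope the exception with the rule's `ignore:` list naming the affected workflow files instead of `disable: true`. At minimum, put a comment above it such as `# test workflows read repo-level secrets by design; revisit if environments are introduced`.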
diff --git a/docs-gen/actions/destroy.py b/docs-gen/actions/destroy.py index 7d6f2f96..f413ae89 100644 --- a/docs-gen/actions/destroy.py +++ b/docs-gen/actions/destroy.py @@ -109,7 +109,7 @@ - name: Retry failed destroy uses: dflook/$ToolName-destroy@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-$ToolName-config workspace: ${{ github.head_ref }} diff --git a/docs-gen/actions/destroy_workspace.py b/docs-gen/actions/destroy_workspace.py index b18748f8..35d0d6e0 100644 --- a/docs-gen/actions/destroy_workspace.py +++ b/docs-gen/actions/destroy_workspace.py @@ -108,7 +108,7 @@ - name: Retry failed destroy uses: dflook/$ToolName-destroy-workspace@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-$ToolName-config workspace: ${{ github.head_ref }} diff --git a/docs-gen/actions/fmt_check.py b/docs-gen/actions/fmt_check.py index fbd9a7b7..4f43e074 100644 --- a/docs-gen/actions/fmt_check.py +++ b/docs-gen/actions/fmt_check.py @@ -99,7 +99,7 @@ path: my-$ToolName-config - name: Wrong formatting found - if: ${{ failure() && steps.fmt-check.outputs.failure-reason == 'check-failed' }} + if: ${{ failure() && steps.fmt-check.outputs.failure_reason == 'check-failed' }} run: echo "formatting check failed" ``` ''' diff --git a/docs-gen/actions/validate.py b/docs-gen/actions/validate.py index 5b58324f..e21b8063 100644 --- a/docs-gen/actions/validate.py +++ b/docs-gen/actions/validate.py @@ -100,7 +100,7 @@ path: my-$ToolName-config - name: Validate failed - if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }} + if: ${{ failure() && steps.validate.outputs.failure_reason == 'validate-failed' }} run: echo "$ToolName validate failed" ``` ''' 
diff --git a/docs-gen/environment_variables/TERRAFORM_PRE_RUN.py b/docs-gen/environment_variables/TERRAFORM_PRE_RUN.py index 88624b17..d6003788 100644 --- a/docs-gen/environment_variables/TERRAFORM_PRE_RUN.py +++ b/docs-gen/environment_variables/TERRAFORM_PRE_RUN.py @@ -7,7 +7,7 @@ The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. -The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. +The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/docs-gen/outputs/failure_reason.py b/docs-gen/outputs/failure_reason.py index 8a6557fe..53747953 100644 --- a/docs-gen/outputs/failure_reason.py +++ b/docs-gen/outputs/failure_reason.py @@ -1,7 +1,8 @@ from action import Output failure_reason = Output( - name='failure-reason', + name='failure_reason', + aliases=['failure-reason'], type='string', description=''' When the job outcome is `failure` because of a known reason, this will be set to that reason. diff --git a/docs-gen/outputs/junit_xml.py b/docs-gen/outputs/junit_xml.py index 3dff3895..d592f6ec 100644 --- a/docs-gen/outputs/junit_xml.py +++ b/docs-gen/outputs/junit_xml.py @@ -1,7 +1,8 @@ from action import Output, Terraform junit_xml_path = Output( - name='junit-xml-path', + name='junit_xml_path', + aliases=['junit-xml-path'], type='string', description=''' A test report in JUnit XML format. diff --git a/docs-gen/outputs/lock_info.py b/docs-gen/outputs/lock_info.py index 2a1d6223..220d4521 100644 --- a/docs-gen/outputs/lock_info.py +++ b/docs-gen/outputs/lock_info.py 
@@ -1,10 +1,11 @@ from action import Output lock_info = Output( - name='lock-info', + name='lock_info', + aliases=['lock-info'], type='string', description=''' -When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. +When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/docs/custom_tools.md b/docs/custom_tools.md index b81cffe4..24d239a4 100644 --- a/docs/custom_tools.md +++ b/docs/custom_tools.md @@ -6,7 +6,7 @@ These are the options available to you. ## Using the released actions The published actions run Terraform/OpenTofu in a container using a pre-prepared image. -The image is based on `debian:bookworm-slim` and is designed to be as small as possible. +The image is based on `debian:trixie-slim` and is designed to be as small as possible. It is possible to use the `TERRAFORM_PRE_RUN` environment variable to customise the environment before running Terraform. The command is run using `bash -xeo pipefail`. diff --git a/image/Dockerfile b/image/Dockerfile index 1c215b17..129303f8 100644 --- a/image/Dockerfile +++ b/image/Dockerfile 
@@ -1,16 +1,22 @@ # hadolint ignore=DL3007 -FROM danielflook/terraform-github-actions-base:latest +FROM danielflook/terraform-github-actions-base:trixie ARG TARGETARCH ARG FETCH_CHECKSUMS ARG VERSION=99.0.0 +RUN python3 -m venv /opt/venv +ENV PATH="/opt/venv/bin:$PATH" + +RUN --mount=type=bind,source=requirements.txt,target=/tmp/requirements.txt \ + pip install --no-cache-dir --require-hashes -r /tmp/requirements.txt + COPY src/ /tmp/src/ COPY setup.py /tmp RUN sed -i "s|version='.*'|version=\'${VERSION}\'|" /tmp/setup.py \ - && pip install --break-system-packages --no-cache-dir /tmp \ - && rm -rf /tmp/src /tmp/setup.py + && pip install --no-cache-dir --no-deps /tmp \ + && rm -rf /tmp/src /tmp/setup.py /tmp/build /tmp/pip-* RUN if [ "$FETCH_CHECKSUMS" = "yes" ]; then \ TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" get-terraform-checksums; \ @@ -21,10 +27,12 @@ fi RUN if [ "$TARGETARCH" = "amd64" ]; then \ TERRAFORM_BIN_CACHE_DIR="/var/terraform" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version 0.9.0 \ && TERRAFORM_BIN_CACHE_DIR="/var/terraform" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version 0.12.0; \ -fi +fi \ + && rm -rf /tmp/terraform_* /usr/local/bin/terraform /usr/local/bin/tofu RUN if [ "$TARGETARCH" = "arm64" ]; then \ TERRAFORM_BIN_CACHE_DIR="/var/terraform" TERRAFORM_BIN_CHECKSUM_DIR="/var/terraform" terraform-version 0.13.5; \ -fi +fi \ + && rm -rf /tmp/terraform_* /usr/local/bin/terraform /usr/local/bin/tofu COPY entrypoints/ /entrypoints/ COPY actions.sh /usr/local/actions.sh diff --git a/image/Dockerfile-base b/image/Dockerfile-base index bea7769c..abd98ded 100644 --- a/image/Dockerfile-base +++ b/image/Dockerfile-base @@ -7,7 +7,7 @@ RUN git clone https://github.com/cloudposse/tfmask.git \ && make \ && make go/build -FROM debian:bookworm-slim AS terraform-github-actions-base +FROM debian:trixie-slim AS terraform-github-actions-base # Terraform environment variables ENV CHECKPOINT_DISABLE=true 
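Review bot: The `# hadolint ignore=DL3007` line above `FROM` is stale now that the base is referenced as `:trixie`, because DL3007 only fires for `:latest`; it can be dropped. `:trixie` is still a mutable tag, so the new `--require-hashes` install pins the Python dependencies while the base layer underneath them can change between builds. If reproducible builds matter here, reference the base by digest as well, e.g. `FROM danielflook/terraform-github-actions-base:trixie@sha256:<digest-placeholder>`.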
@@ -29,8 +29,8 @@ RUN < None: - if not isinstance(value, str): - value = str(value) + return ''.join(secrets.choice(string.ascii_lowercase) for _ in range(20)) +def _write_output(name: str, value: str) -> None: if 'GITHUB_OUTPUT' in os.environ and Path(os.environ['GITHUB_OUTPUT']).is_file(): with open(os.environ['GITHUB_OUTPUT'], 'a') as f: if len(value.splitlines()) > 1: @@ -27,6 +24,16 @@ def output(name: str, value: Any) -> None: else: sys.stdout.write(f'::set-output name={name}::{value}\n') +def output(name: str, value: Any) -> None: + if not isinstance(value, str): + value = str(value) + + _write_output(name, value) + + underscore_name = name.replace('-', '_') + if underscore_name != name: + _write_output(underscore_name, value) + def mask(value: str) -> None: for line in value.splitlines(): sys.stdout.write(f'::add-mask::{line}\n') diff --git a/image/src/github_pr_comment/comment.py b/image/src/github_pr_comment/comment.py index b58df988..2fa342ae 100644 --- a/image/src/github_pr_comment/comment.py +++ b/image/src/github_pr_comment/comment.py @@ -12,11 +12,11 @@ except (ValueError, KeyError): collapse_threshold = 10 -from pkg_resources import get_distribution, DistributionNotFound +from importlib.metadata import version as get_version, PackageNotFoundError try: - version = get_distribution('terraform-github-actions').version -except DistributionNotFound: + version = get_version('terraform-github-actions') +except PackageNotFoundError: version = '0.0.0' class TerraformComment: 
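Review bot: `output()` now writes every hyphenated name a second time under an underscore alias, and nothing in the function says so; add a docstring such as `"""Set a step output; hyphenated names are also written under their underscore alias."""`. Two distinct outputs whose names differ only in `-` versus `_` would overwrite each other through the alias, so the docstring should also state that such names must not be introduced. Part of the body of `_write_output` lies outside what this hunk shows.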
@@ -398,13 +398,13 @@ def hide_comment( response = github.post( graphql_url, json={ - 'query': ''' - mutation { - minimizeComment(input: {subjectId: "''' + comment.node_id + '''", classifier: ''' + classifier + '''}) { - clientMutationId - } + 'query': 'mutation($input: MinimizeCommentInput!) { minimizeComment(input: $input) { clientMutationId } }', + 'variables': { + 'input': { + 'subjectId': comment.node_id, + 'classifier': classifier } - ''' + } } ) debug(f'graphql response: {response.content}') diff --git a/image/src/opentofu/download.py b/image/src/opentofu/download.py index 0fc0bec0..08f45142 100644 --- a/image/src/opentofu/download.py +++ b/image/src/opentofu/download.py @@ -65,7 +65,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path: if signature_path.exists(): try: subprocess.run( - ['gpg', '--verify', signature_path, checksums_path], + ['gpg', '--assert-signer', 'E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80', '--verify', signature_path, checksums_path], check=True, env={'GNUPGHOME': '/root/.gnupg'} | os.environ ) @@ -181,6 +181,6 @@ def get_executable(version: Version) -> Path: executable_path = Path(executable_dir, 'tofu') - os.chmod(executable_path, 755) + os.chmod(executable_path, 0o755) return executable_path diff --git a/image/src/terraform/download.py b/image/src/terraform/download.py index 7e97785b..22b936c6 100644 --- a/image/src/terraform/download.py +++ b/image/src/terraform/download.py @@ -98,7 +98,7 @@ def get_checksums(version: Version, checksum_dir: Path) -> Path: try: subprocess.run( - ['gpg', '--verify', signature_path, checksums_path], + ['gpg', '--assert-signer', 'C874011F0AB405110D02105534365D9472D7468F', '--verify', signature_path, checksums_path], check=True, env={'GNUPGHOME': '/root/.gnupg'} | os.environ ) @@ -214,6 +214,6 @@ def get_executable(version: Version) -> Path: executable_path = Path(executable_dir, 'terraform') - os.chmod(executable_path, 755) + os.chmod(executable_path, 0o755) return executable_path 
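Review bot: A failed minimise stays invisible after this hunk, because the reply is only passed to `debug()` and GitHub's GraphQL endpoint reports most failures in an `errors` array with HTTP 200. Moving `subjectId` and `classifier` into `variables` removes the string-built query, and the natural follow-up is to inspect the reply, e.g. `if 'errors' in response.json(): debug('minimizeComment returned errors')` or a warning-level equivalent, assuming `github.post` returns a requests-style response. `hide_comment` starts before the hunk and may continue after it, so a check further down would make this moot.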
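Review bot: In `image/src/opentofu/download.py` the signature check, now with `--assert-signer`, still sits under `if signature_path.exists():`, so a missing signature file appears to skip verification altogether; the branch taken in that case is outside the hunk and should fail closed. The expected fingerprint is a bare literal inside the argument list, here and in the matching hunk of `image/src/terraform/download.py`; a module-level constant with a comment naming the key owner and where the fingerprint was confirmed would make a key rotation reviewable, e.g. `OPENTOFU_SIGNING_KEY_FPR = 'E3E6E43D84CB852EADB0051D0C0AF313E5FD9F80'`. `--assert-signer` is, to my knowledge, only available in the GnuPG 2.4 series, so this change depends on the gpg version shipped in the base image.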
diff --git a/image/src/terraform_version/__main__.py b/image/src/terraform_version/__main__.py index 69a4776e..00b40712 100644 --- a/image/src/terraform_version/__main__.py +++ b/image/src/terraform_version/__main__.py @@ -114,14 +114,14 @@ def switch(version: Version) -> None: target_path = get_executable(version) link_path = '/usr/local/bin/terraform' - if os.path.exists(link_path): + if os.path.lexists(link_path): os.remove(link_path) os.symlink(target_path, link_path) if version.product == 'OpenTofu': link_path = '/usr/local/bin/tofu' - if os.path.exists(link_path): + if os.path.lexists(link_path): os.remove(link_path) os.symlink(target_path, link_path) diff --git a/image/tools/compact_plan.py b/image/tools/compact_plan.py index 7edc8eac..46f5581c 100755 --- a/image/tools/compact_plan.py +++ b/image/tools/compact_plan.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import sys diff --git a/image/tools/convert_output.py b/image/tools/convert_output.py index 5430d29d..3df258ac 100755 --- a/image/tools/convert_output.py +++ b/image/tools/convert_output.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import json import sys diff --git a/image/tools/convert_validate_report.py b/image/tools/convert_validate_report.py index ebccd19e..18f5395c 100755 --- a/image/tools/convert_validate_report.py +++ b/image/tools/convert_validate_report.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import json import os.path diff --git a/image/tools/convert_version.py b/image/tools/convert_version.py index 7d7aac6e..0f355834 100755 --- a/image/tools/convert_version.py +++ b/image/tools/convert_version.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import json import os diff --git a/image/tools/format_tf_credentials.py b/image/tools/format_tf_credentials.py index c8c3a31d..e00f44f0 100755 --- a/image/tools/format_tf_credentials.py +++ b/image/tools/format_tf_credentials.py 
@@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import os import re @@ -13,8 +13,10 @@ def format_credentials(input): match = re.search(r'(?P.+?)\s*=\s*(?P.+)', line.strip()) if match: + BACKSLASH = '\\' + token = match.group('token').replace(BACKSLASH, BACKSLASH + BACKSLASH).replace('"', BACKSLASH + '"') yield f'''credentials "{match.group('host')}" {{ - token = "{match.group('token')}" + token = "{token}" }} ''' else: diff --git a/image/tools/github_comment_react.py b/image/tools/github_comment_react.py index 016d1f21..fee64e2b 100755 --- a/image/tools/github_comment_react.py +++ b/image/tools/github_comment_react.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import datetime import json diff --git a/image/tools/workspace_exists.py b/image/tools/workspace_exists.py index 35d8a4d0..5de023c0 100755 --- a/image/tools/workspace_exists.py +++ b/image/tools/workspace_exists.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 +#!/usr/bin/env python3 import sys diff --git a/image/workflow_commands.sh b/image/workflow_commands.sh index 4ac44e9b..56827bba 100644 --- a/image/workflow_commands.sh +++ b/image/workflow_commands.sh @@ -73,6 +73,15 @@ function set_output() { else echo "::set-output name=${name}::${value}" fi + + local underscore_name="${name//-/_}" + if [[ "$underscore_name" != "$name" ]]; then + if [[ -v GITHUB_OUTPUT && -f "$GITHUB_OUTPUT" ]]; then + echo "${underscore_name}=${value}" >> "$GITHUB_OUTPUT" + else + echo "::set-output name=${underscore_name}::${value}" + fi + fi } ## @@ -117,5 +126,5 @@ function disable_workflow_commands() { } function generate_command_token() { - python3 -c "import random; import string; print(''.join(random.choice(string.ascii_lowercase) for i in range(64)))" + python3 -c "import secrets; import string; print(''.join(secrets.choice(string.ascii_lowercase) for i in range(64)))" } diff --git a/terraform-apply/README.md b/terraform-apply/README.md index 53f2d948..4fe08d08 100644 --- a/terraform-apply/README.md 
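Review bot: Only the token is escaped in `format_credentials`; `match.group('host')` still goes into `credentials "..."` verbatim, so a quote or backslash in the host part can end the string early in the same way the token could. Apply the same escaping to both values, e.g. `host = match.group('host').replace(BACKSLASH, BACKSLASH + BACKSLASH).replace('"', BACKSLASH + '"')`, or move it into a small quoting helper. `BACKSLASH` is rebound on every matching line inside the loop, and a module-level constant would read better. No test with a token containing `"` or `\` is visible in this diff, and the function starts outside the hunk.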
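Review bot: The alias branch in `set_output` writes `${underscore_name}=${value}` as a single `name=value` line, so a value containing a newline would spill into `$GITHUB_OUTPUT` as extra lines that the runner parses as further outputs; whether the primary write above the hunk guards against this is not visible here. Rather than repeating the write, route both names through one helper, as the Python side of this commit does with `_write_output`, and use the delimiter form (`name<<DELIM`) for multi-line values there. `set_output` starts outside the hunk.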
+++ b/terraform-apply/README.md @@ -230,6 +230,7 @@ These input values must be the same as any [`dflook/terraform-plan`](https://git - Type: string +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -243,9 +244,10 @@ These input values must be the same as any [`dflook/terraform-plan`](https://git - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: @@ -439,7 +441,7 @@ These input values must be the same as any [`dflook/terraform-plan`](https://git The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -671,7 +673,7 @@ jobs: - name: Retry failed apply uses: dflook/terraform-apply@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'apply-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'apply-failed' }} with: path: terraform auto_approve: true diff --git a/terraform-apply/action.yaml b/terraform-apply/action.yaml index 5c71fb1f..18cd2c6c 100644 --- a/terraform-apply/action.yaml +++ b/terraform-apply/action.yaml 
@@ -111,6 +111,16 @@ outputs: This is the path to the generated plan in a human-readable format. The path is relative to the Actions workspace. This won't be set if `auto_approve` is true while using a `remote` backend. + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `apply-failed` - The Terraform apply operation failed. + - `plan-changed` - The approved plan is no longer accurate, so the apply will not be attempted. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: @@ -121,9 +131,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/terraform-check/README.md b/terraform-check/README.md index 3363f9f5..6c46f187 100644 
--- a/terraform-check/README.md +++ b/terraform-check/README.md @@ -93,6 +93,7 @@ This is intended to run on a schedule to notify if manual changes to your infras ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. @@ -184,7 +185,7 @@ This is intended to run on a schedule to notify if manual changes to your infras The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -251,6 +252,6 @@ jobs: path: my-terraform-configuration - name: Changes detected - if: ${{ failure() && steps.check.outputs.failure-reason == 'changes-to-apply' }} + if: ${{ failure() && steps.check.outputs.failure_reason == 'changes-to-apply' }} run: echo "There are outstanding changes to apply" ``` diff --git a/terraform-check/action.yaml b/terraform-check/action.yaml index 96f4c2af..802a0890 100644 --- a/terraform-check/action.yaml +++ b/terraform-check/action.yaml @@ -38,6 +38,11 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when there are changes to apply. failure-reason: description: | When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. diff --git a/terraform-destroy-workspace/README.md b/terraform-destroy-workspace/README.md index f076439b..cb24af4e 100644 
--- a/terraform-destroy-workspace/README.md +++ b/terraform-destroy-workspace/README.md @@ -90,6 +90,7 @@ This action uses the `terraform destroy` command to destroy all resources in a T ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -102,9 +103,10 @@ This action uses the `terraform destroy` command to destroy all resources in a T - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: @@ -205,7 +207,7 @@ This action uses the `terraform destroy` command to destroy all resources in a T The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -275,7 +277,7 @@ jobs: - name: Retry failed destroy uses: dflook/terraform-destroy-workspace@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-terraform-config workspace: ${{ github.head_ref }} diff --git a/terraform-destroy-workspace/action.yaml b/terraform-destroy-workspace/action.yaml index c21af2f9..43bb6057 100644 --- a/terraform-destroy-workspace/action.yaml +++ b/terraform-destroy-workspace/action.yaml 
@@ -37,6 +37,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `destroy-failed` - The Terraform destroy operation failed. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: @@ -46,9 +55,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run a steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/terraform-destroy/README.md b/terraform-destroy/README.md index 504cee3d..77635416 100644 --- a/terraform-destroy/README.md +++ b/terraform-destroy/README.md 
@@ -94,6 +94,7 @@ and [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/ ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -106,9 +107,10 @@ and [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/ - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: @@ -209,7 +211,7 @@ and [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/ The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -279,7 +281,7 @@ jobs: - name: Retry failed destroy uses: dflook/terraform-destroy@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-terraform-config workspace: ${{ github.head_ref }} diff --git a/terraform-destroy/action.yaml b/terraform-destroy/action.yaml index 8fdbe803..5cc5e72a 100644 --- a/terraform-destroy/action.yaml +++ b/terraform-destroy/action.yaml 
@@ -38,6 +38,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `destroy-failed` - The Terraform destroy operation failed. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: @@ -47,9 +56,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run a steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/terraform-fmt-check/README.md b/terraform-fmt-check/README.md index 1e2addba..e89c8a84 100644 --- a/terraform-fmt-check/README.md +++ b/terraform-fmt-check/README.md 
@@ -55,6 +55,7 @@ If any files are not correctly formatted a failing GitHub check will be added fo ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. @@ -145,6 +146,6 @@ jobs: path: my-terraform-config - name: Wrong formatting found - if: ${{ failure() && steps.fmt-check.outputs.failure-reason == 'check-failed' }} + if: ${{ failure() && steps.fmt-check.outputs.failure_reason == 'check-failed' }} run: echo "formatting check failed" ``` diff --git a/terraform-fmt-check/action.yaml b/terraform-fmt-check/action.yaml index af21add0..0d5dcd65 100644 --- a/terraform-fmt-check/action.yaml +++ b/terraform-fmt-check/action.yaml @@ -28,6 +28,11 @@ inputs: default: "" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when the format check fails. failure-reason: description: | When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. diff --git a/terraform-new-workspace/README.md b/terraform-new-workspace/README.md index 1c1565ee..05ee0ac3 100644 --- a/terraform-new-workspace/README.md +++ b/terraform-new-workspace/README.md @@ -129,7 +129,7 @@ Creates a new Terraform workspace. If the workspace already exists, succeeds wit The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: 
diff --git a/terraform-output/README.md b/terraform-output/README.md index f2856a3e..f0638cce 100644 --- a/terraform-output/README.md +++ b/terraform-output/README.md @@ -181,7 +181,7 @@ Retrieve the root-level outputs from a Terraform configuration. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/terraform-plan/README.md b/terraform-plan/README.md index baccb74b..9d34d186 100644 --- a/terraform-plan/README.md +++ b/terraform-plan/README.md @@ -360,7 +360,7 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/ The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/terraform-refresh/README.md b/terraform-refresh/README.md index e937c6c5..eed94fdf 100644 --- a/terraform-refresh/README.md +++ b/terraform-refresh/README.md @@ -107,6 +107,7 @@ This will synchronise the Terraform state with the actual resources, but will no ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: 
@@ -119,9 +120,10 @@ This will synchronise the Terraform state with the actual resources, but will no - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: @@ -228,7 +230,7 @@ This will synchronise the Terraform state with the actual resources, but will no The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/terraform-refresh/action.yaml b/terraform-refresh/action.yaml index 938730ca..fc577faf 100644 --- a/terraform-refresh/action.yaml +++ b/terraform-refresh/action.yaml @@ -44,6 +44,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `refresh-failed` - The Terraform apply operation failed. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: 
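Review bot: The new `failure_reason` description in `terraform-refresh/action.yaml` explains `refresh-failed` as "The Terraform apply operation failed", which reads like text carried over from the apply action; it should say `The Terraform refresh operation failed.` If this file is generated from `docs-gen`, the wording belongs in the generator source so that the README and both output names pick it up.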
@@ -53,9 +62,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/terraform-test/README.md b/terraform-test/README.md index 9f868072..dab49aa6 100644 --- a/terraform-test/README.md +++ b/terraform-test/README.md @@ -81,6 +81,7 @@ If the tests fail, the job will stop with a failure status. ## Outputs +* `junit_xml_path` * `junit-xml-path` A test report in JUnit XML format. @@ -91,6 +92,7 @@ If the tests fail, the job will stop with a failure status. - Type: string +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: 
@@ -186,7 +188,7 @@ If the tests fail, the job will stop with a failure status. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/terraform-test/action.yaml b/terraform-test/action.yaml index c4881c93..3302b6d8 100644 --- a/terraform-test/action.yaml +++ b/terraform-test/action.yaml @@ -31,6 +31,13 @@ inputs: required: false outputs: + junit_xml_path: + description: | + A test report in JUnit XML format. + + The path is relative to the Actions workspace. + + This will only be available when using Terraform 1.11.0 or later. junit-xml-path: description: | A test report in JUnit XML format. @@ -38,6 +45,15 @@ outputs: The path is relative to the Actions workspace. This will only be available when using Terraform 1.11.0 or later. + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `no-tests` - No tests were found to run. + - `tests-failed` - One or more tests failed. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: diff --git a/terraform-unlock-state/README.md b/terraform-unlock-state/README.md index edc0de2c..7c77a67e 100644 --- a/terraform-unlock-state/README.md +++ b/terraform-unlock-state/README.md 
@@ -137,7 +137,7 @@ Force unlocks a Terraform remote state. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/terraform-validate/README.md b/terraform-validate/README.md index 84231da5..ae355b39 100644 --- a/terraform-validate/README.md +++ b/terraform-validate/README.md @@ -65,6 +65,7 @@ If the Terraform configuration is not valid, the build is failed. ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. @@ -156,7 +157,7 @@ If the Terraform configuration is not valid, the build is failed. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -215,6 +216,6 @@ jobs: path: my-terraform-config - name: Validate failed - if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }} + if: ${{ failure() && steps.validate.outputs.failure_reason == 'validate-failed' }} run: echo "terraform validate failed" ``` diff --git a/terraform-validate/action.yaml b/terraform-validate/action.yaml index 98b35036..d615be17 100644 --- a/terraform-validate/action.yaml +++ b/terraform-validate/action.yaml 
@@ -32,6 +32,11 @@ inputs: default: "" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when the validate fails. failure-reason: description: | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. diff --git a/terraform-version/README.md b/terraform-version/README.md index 58ad92a2..7fa63d62 100644 --- a/terraform-version/README.md +++ b/terraform-version/README.md @@ -187,7 +187,7 @@ outputs yourself. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tests/test_write_credentials.py b/tests/test_write_credentials.py index 4f1ef02d..4b59ac57 100644 --- a/tests/test_write_credentials.py +++ b/tests/test_write_credentials.py @@ -34,11 +34,11 @@ def test_multiple_creds(): def test_unrecognised_lines(): input = """ - - app.terraform.io=xxxxxx.atlasv1.zzzzzzzzzzzzz - + + app.terraform.io=xxxxxx.atlasv1.zzzzzzzzzzzzz + This doesn't look anything like a credential - + """ try: 
@@ -47,3 +47,36 @@ def test_unrecognised_lines(): pass else: assert False, 'Should have raised an exception' + +def test_token_with_quotes(): + input = 'app.terraform.io=token"with"quotes' + + expected_output = r'''credentials "app.terraform.io" { + token = "token\"with\"quotes" +} +''' + + output = ''.join(format_credentials(input)) + assert output == expected_output + +def test_token_with_backslashes(): + input = r'app.terraform.io=token\with\backslashes' + + expected_output = r'''credentials "app.terraform.io" { + token = "token\\with\\backslashes" +} +''' + + output = ''.join(format_credentials(input)) + assert output == expected_output + +def test_token_with_backslash_and_quote(): + input = r'app.terraform.io=token\"mixed' + + expected_output = r'''credentials "app.terraform.io" { + token = "token\\\"mixed" +} +''' + + output = ''.join(format_credentials(input)) + assert output == expected_output diff --git a/tofu-apply/README.md b/tofu-apply/README.md index 6b8b4645..d0c2e5b5 100644 --- a/tofu-apply/README.md +++ b/tofu-apply/README.md @@ -247,6 +247,7 @@ These input values must be the same as any [`dflook/tofu-plan`](https://github.c - Type: string +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -260,9 +261,10 @@ These input values must be the same as any [`dflook/tofu-plan`](https://github.c - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: 
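Review bot: The three tests added to tests/test_write_credentials.py cover `"` and `\` in the token only, while the hostname is written into the same kind of quoted string in `credentials "app.terraform.io" {`. `format_credentials` is not visible in this hunk, so whether a hostname containing a quote or backslash is escaped or rejected is unconfirmed. A fourth case that feeds such a hostname and asserts either the escaped block or the raised exception would pin that behaviour. The three new functions also differ only in input and expected string, so a single table-driven test would keep future escaping cases to one line each.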
@@ -456,7 +458,7 @@ These input values must be the same as any [`dflook/tofu-plan`](https://github.c The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -688,7 +690,7 @@ jobs: - name: Retry failed apply uses: dflook/tofu-apply@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'apply-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'apply-failed' }} with: path: tofu auto_approve: true diff --git a/tofu-apply/action.yaml b/tofu-apply/action.yaml index 77468d06..cf95e51f 100644 --- a/tofu-apply/action.yaml +++ b/tofu-apply/action.yaml @@ -119,6 +119,16 @@ outputs: This is the path to the generated plan in a human-readable format. The path is relative to the Actions workspace. This won't be set if `auto_approve` is true while using a `remote` backend. + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `apply-failed` - The Terraform apply operation failed. + - `plan-changed` - The approved plan is no longer accurate, so the apply will not be attempted. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: 
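Review bot: The `failure_reason` description added to tofu-apply/action.yaml names the wrong tool: it says `The Terraform apply operation failed.`, `The Terraform state lock could not be obtained` and uses "Terraform" for the plan entry's sibling lines, while the equivalent text in tofu-destroy/action.yaml says "OpenTofu". I would change the entries to `- apply-failed - The OpenTofu apply operation failed.` and `- state-locked - The OpenTofu state lock could not be obtained because it was already locked.` The `state-locked` line added in tofu-refresh/action.yaml has the same wording. The existing `failure-reason` block continues outside the hunk and probably needs the same fix; if these files are generated, the change belongs in the generator's source.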
@@ -129,9 +139,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/tofu-check/README.md b/tofu-check/README.md index 60b9c4bb..b556eb0e 100644 --- a/tofu-check/README.md +++ b/tofu-check/README.md @@ -93,6 +93,7 @@ This is intended to run on a schedule to notify if manual changes to your infras ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. @@ -184,7 +185,7 @@ This is intended to run on a schedule to notify if manual changes to your infras The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: 
@@ -251,6 +252,6 @@ jobs: path: my-tofu-configuration - name: Changes detected - if: ${{ failure() && steps.check.outputs.failure-reason == 'changes-to-apply' }} + if: ${{ failure() && steps.check.outputs.failure_reason == 'changes-to-apply' }} run: echo "There are outstanding changes to apply" ``` diff --git a/tofu-check/action.yaml b/tofu-check/action.yaml index 66d69e74..31e67acf 100644 --- a/tofu-check/action.yaml +++ b/tofu-check/action.yaml @@ -38,6 +38,11 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when there are changes to apply. failure-reason: description: | When the job outcome is `failure` because the there are outstanding changes to apply, this will be set to 'changes-to-apply'. diff --git a/tofu-destroy-workspace/README.md b/tofu-destroy-workspace/README.md index 5d2cfe79..bb9f4cf0 100644 --- a/tofu-destroy-workspace/README.md +++ b/tofu-destroy-workspace/README.md @@ -90,6 +90,7 @@ This action uses the `tofu destroy` command to destroy all resources in an OpenT ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -102,9 +103,10 @@ This action uses the `tofu destroy` command to destroy all resources in an OpenT - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: 
@@ -205,7 +207,7 @@ This action uses the `tofu destroy` command to destroy all resources in an OpenT The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -275,7 +277,7 @@ jobs: - name: Retry failed destroy uses: dflook/tofu-destroy-workspace@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-tofu-config workspace: ${{ github.head_ref }} diff --git a/tofu-destroy-workspace/action.yaml b/tofu-destroy-workspace/action.yaml index 55f0a937..321037e2 100644 --- a/tofu-destroy-workspace/action.yaml +++ b/tofu-destroy-workspace/action.yaml @@ -37,6 +37,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `destroy-failed` - The OpenTofu destroy operation failed. + - `state-locked` - The OpenTofu state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: 
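Review bot: The `failure_reason` description added to tofu-destroy-workspace/action.yaml ends with `conditionally run a steps.`, carrying over the typo from the existing `failure-reason` text. It should read `This can be used with the Actions expression syntax to conditionally run steps.`, as the tofu-apply and tofu-test descriptions do. The hunk in tofu-destroy/action.yaml adds the same sentence.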
@@ -46,9 +55,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run a steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/tofu-destroy/README.md b/tofu-destroy/README.md index 600f4357..c41dff40 100644 --- a/tofu-destroy/README.md +++ b/tofu-destroy/README.md @@ -94,6 +94,7 @@ and [dflook/tofu-apply](https://github.com/dflook/terraform-github-actions/tree/ ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -106,9 +107,10 @@ and [dflook/tofu-apply](https://github.com/dflook/terraform-github-actions/tree/ - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: 
@@ -209,7 +211,7 @@ and [dflook/tofu-apply](https://github.com/dflook/terraform-github-actions/tree/ The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -279,7 +281,7 @@ jobs: - name: Retry failed destroy uses: dflook/tofu-destroy@v2 - if: ${{ steps.first_try.outputs.failure-reason == 'destroy-failed' }} + if: ${{ steps.first_try.outputs.failure_reason == 'destroy-failed' }} with: path: my-tofu-config workspace: ${{ github.head_ref }} diff --git a/tofu-destroy/action.yaml b/tofu-destroy/action.yaml index b762fa3c..f47c74dd 100644 --- a/tofu-destroy/action.yaml +++ b/tofu-destroy/action.yaml @@ -38,6 +38,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `destroy-failed` - The OpenTofu destroy operation failed. + - `state-locked` - The OpenTofu state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: 
@@ -47,9 +56,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run a steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/tofu-fmt-check/README.md b/tofu-fmt-check/README.md index a7760305..fd35757f 100644 --- a/tofu-fmt-check/README.md +++ b/tofu-fmt-check/README.md @@ -88,6 +88,7 @@ If any files are not correctly formatted a failing GitHub check will be added fo ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. @@ -178,6 +179,6 @@ jobs: path: my-tofu-config - name: Wrong formatting found - if: ${{ failure() && steps.fmt-check.outputs.failure-reason == 'check-failed' }} + if: ${{ failure() && steps.fmt-check.outputs.failure_reason == 'check-failed' }} run: echo "formatting check failed" ``` diff --git a/tofu-fmt-check/action.yaml b/tofu-fmt-check/action.yaml index 1fa24661..bbb677f2 100644 --- a/tofu-fmt-check/action.yaml +++ b/tofu-fmt-check/action.yaml 
@@ -38,6 +38,11 @@ inputs: default: "" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when the format check fails. failure-reason: description: | When the job outcome is `failure` because the format check failed, this will be set to 'check-failed'. diff --git a/tofu-new-workspace/README.md b/tofu-new-workspace/README.md index 056ae32b..bd68f1fc 100644 --- a/tofu-new-workspace/README.md +++ b/tofu-new-workspace/README.md @@ -163,7 +163,7 @@ Creates a new OpenTofu workspace. If the workspace already exists, succeeds with The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-output/README.md b/tofu-output/README.md index ee7c7a89..7f90ac66 100644 --- a/tofu-output/README.md +++ b/tofu-output/README.md @@ -215,7 +215,7 @@ Retrieve the root-level outputs from an OpenTofu configuration. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-plan/README.md b/tofu-plan/README.md index 787ed381..871a2d81 100644 --- a/tofu-plan/README.md +++ b/tofu-plan/README.md 
@@ -377,7 +377,7 @@ The [dflook/tofu-apply](https://github.com/dflook/terraform-github-actions/tree/ The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-refresh/README.md b/tofu-refresh/README.md index 8827132b..525d2aa5 100644 --- a/tofu-refresh/README.md +++ b/tofu-refresh/README.md @@ -124,6 +124,7 @@ This will synchronise the OpenTofu state with the actual resources, but will not ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: @@ -136,9 +137,10 @@ This will synchronise the OpenTofu state with the actual resources, but will not - Type: string +* `lock_info` * `lock-info` - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: @@ -245,7 +247,7 @@ This will synchronise the OpenTofu state with the actual resources, but will not The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-refresh/action.yaml b/tofu-refresh/action.yaml index b748a37c..78712e65 100644 --- a/tofu-refresh/action.yaml 
+++ b/tofu-refresh/action.yaml @@ -52,6 +52,15 @@ inputs: default: "0" outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `refresh-failed` - The OpenTofu apply operation failed. + - `state-locked` - The Terraform state lock could not be obtained because it was already locked. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: @@ -61,9 +70,26 @@ outputs: If the job fails for any other reason this will not be set. This can be used with the Actions expression syntax to conditionally run steps. + lock_info: + description: | + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. + + It is a json object containing any available state lock information and typically has the form: + + ```json + { + "ID": "838fbfde-c5cd-297f-84a4-d7578b4a4880", + "Path": "terraform-github-actions/test-unlock-state", + "Operation": "OperationTypeApply", + "Who": "root@e9d43b0c6478", + "Version": "1.3.7", + "Created": "2023-01-28 00:16:41.560904373 +0000 UTC", + "Info": "" + } + ``` lock-info: description: | - When the job outcome is `failure` and the failure-reason is `state-locked`, this output will be set. + When the job outcome is `failure` and the failure_reason is `state-locked`, this output will be set. It is a json object containing any available state lock information and typically has the form: diff --git a/tofu-test/README.md b/tofu-test/README.md index 7f828085..5be38275 100644 --- a/tofu-test/README.md +++ b/tofu-test/README.md @@ -81,6 +81,7 @@ If the tests fail, the job will stop with a failure status. ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure`, this output may be set. The value may be one of: 
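Review bot: The first `failure_reason` entry added to tofu-refresh/action.yaml describes the wrong operation: `refresh-failed` is explained as `The OpenTofu apply operation failed.` A consumer branching on this value would reasonably expect it to mean the refresh itself failed, so the line should read `- refresh-failed - The OpenTofu refresh operation failed.` The existing `failure-reason` entries sit outside the visible part of the hunk and may carry the same text.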
@@ -176,7 +177,7 @@ If the tests fail, the job will stop with a failure status. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-test/action.yaml b/tofu-test/action.yaml index a1c0e804..14cfaca6 100644 --- a/tofu-test/action.yaml +++ b/tofu-test/action.yaml @@ -31,6 +31,15 @@ inputs: required: false outputs: + failure_reason: + description: | + When the job outcome is `failure`, this output may be set. The value may be one of: + + - `no-tests` - No tests were found to run. + - `tests-failed` - One or more tests failed. + + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run steps. failure-reason: description: | When the job outcome is `failure`, this output may be set. The value may be one of: diff --git a/tofu-unlock-state/README.md b/tofu-unlock-state/README.md index b8d9d7b8..246ecdc1 100644 --- a/tofu-unlock-state/README.md +++ b/tofu-unlock-state/README.md @@ -137,7 +137,7 @@ Force unlocks an OpenTofu remote state. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: diff --git a/tofu-validate/README.md b/tofu-validate/README.md index 0c4464ee..0fa618a5 100644 --- a/tofu-validate/README.md +++ b/tofu-validate/README.md 
@@ -65,6 +65,7 @@ If the OpenTofu configuration is not valid, the build is failed. ## Outputs +* `failure_reason` * `failure-reason` When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. @@ -156,7 +157,7 @@ If the OpenTofu configuration is not valid, the build is failed. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: @@ -215,6 +216,6 @@ jobs: path: my-tofu-config - name: Validate failed - if: ${{ failure() && steps.validate.outputs.failure-reason == 'validate-failed' }} + if: ${{ failure() && steps.validate.outputs.failure_reason == 'validate-failed' }} run: echo "tofu validate failed" ``` diff --git a/tofu-validate/action.yaml b/tofu-validate/action.yaml index 1d479ebb..0cf9a178 100644 --- a/tofu-validate/action.yaml +++ b/tofu-validate/action.yaml @@ -32,6 +32,11 @@ inputs: default: "" outputs: + failure_reason: + description: | + When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. + If the job fails for any other reason this will not be set. + This can be used with the Actions expression syntax to conditionally run a step when the validate fails. failure-reason: description: | When the job outcome is `failure` because the validation failed, this will be set to 'validate-failed'. diff --git a/tofu-version/README.md b/tofu-version/README.md index 60714cbf..d8a369cf 100644 --- a/tofu-version/README.md +++ b/tofu-version/README.md 
@@ -190,7 +190,7 @@ outputs yourself. The runtime environment for these actions is subject to change in minor version releases. If using this environment variable, specify the minor version of the action to use. - The runtime image is currently based on `debian:bookworm`, with the command run using `bash -xeo pipefail`. + The runtime image is currently based on `debian:trixie`, with the command run using `bash -xeo pipefail`. For example: