feat(tf): use GitHub API to commit tf-state in CI

nrdxp · nrdxp · commit a504a2ea1210 · 2023-01-09T08:57:06.000-07:00
If we are running a terraform apply from CI, the GH API will sign the
commit for us and provide the correct identity.
diff --git a/modules/terraform/tf-options.nix b/modules/terraform/tf-options.nix
@@ -298,9 +298,24 @@
           # Git commit encrypted state
           echo "  Committing encrypted state       ..."
           git -C "$WORKTREE" add "$WORKTREE/$ENC_STATE_PATH" &>> "$WORKLOG"
-          commitPrompt
-          git -C "$WORKTREE" commit --no-verify -m "$(echo -e "$(printf '%s' "''${MSG[@]}")")" &>> "$WORKLOG"
-          git -C "$WORKTREE" push -u "$REMOTE" "$TF_BRANCH" &>> "$WORKLOG"
+          MESSAGE="$(echo -e "$(printf '%s' "''${MSG[@]}")")"
+          if [[ -v CI && $CI == true ]] && type gh &>/dev/null; then
+            SHA=$(git rev-parse "$TF_BRANCH:$ENC_STATE_PATH")
+
+            base64 -w 0 "$WORKTREE/$ENC_STATE_PATH" \
+            | jq -R '{content: ., $message, $branch, $sha, encoding: "base64"}' \
+              --arg message "$MESSAGE" \
+              --arg sha "$SHA" \
+              --arg branch "$TF_BRANCH" \
+            | GH_TOKEN=$GITHUB_TOKEN gh api --method PUT "/repos/{owner}/{repo}/contents/$ENC_STATE_PATH" \
+              --input /dev/stdin &>> "$WORKLOG" \
+            && git -C "$WORKTREE" restore --staged . &>> "$WORKLOG" \
+            && git -C "$WORKTREE" checkout . &>> "$WORKLOG"
+          else
+            commitPrompt
+            git -C "$WORKTREE" commit --no-verify -m "$MESSAGE" &>> "$WORKLOG"
+            git -C "$WORKTREE" push -u "$REMOTE" "$TF_BRANCH" &>> "$WORKLOG"
+          fi
           echo "  ...done"
           echo
 
