feat(tf): use GitHub API to commit tf state in CI

If we are running a terraform apply from CI, the GH API will sign the
commit for us and provide the correct identity.

Author: nrdxp

modules/terraform/tf-options.nix

@@ -298,9 +298,22 @@
           # Git commit encrypted state
           echo "  Committing encrypted state       ..."
           git -C "$WORKTREE" add "$WORKTREE/$ENC_STATE_PATH" &>> "$WORKLOG"
-          commitPrompt
-          git -C "$WORKTREE" commit --no-verify -m "$(echo -e "$(printf '%s' "''${MSG[@]}")")" &>> "$WORKLOG"
-          git -C "$WORKTREE" push -u "$REMOTE" "$TF_BRANCH" &>> "$WORKLOG"
+          if [[ -v CI && $CI == 'true' ]] && type gh &>/dev/null; then
+            MESSAGE="$(echo -e "$(printf '%s' "''${MSG[@]}")")"
+            SHA="$(git rev-parse "$TF_BRANCH:$ENC_STATE_PATH")"
+
+            base64 -w 0 "$WORKTREE/$ENC_STATE_PATH" \
+            | jq -R '{content: ., $message, $branch, $sha, encoding: "base64"}' \
+              --arg message "$MESSAGE" \
+              --arg sha "$SHA" \
+              --arg branch "$TF_BRANCH" \
+            | GH_TOKEN=$GITHUB_TOKEN gh api --method PUT "/repos/{owner}/{repo}/contents/$ENC_STATE_PATH" \
+              --input /dev/stdin &>> "$WORKLOG"
+          else
+            commitPrompt
+            git -C "$WORKTREE" commit --no-verify -m "$(echo -e "$(printf '%s' "''${MSG[@]}")")" &>> "$WORKLOG"
+            git -C "$WORKTREE" push -u "$REMOTE" "$TF_BRANCH" &>> "$WORKLOG"
+          fi
           echo "  ...done"
           echo