Sync #205
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync | |
| on: | |
| schedule: | |
| - cron: 0 0 * * 0 | |
| workflow_dispatch: | |
| inputs: | |
| workspaces: | |
| description: Space separated list of workspaces to sync (leave blank to sync all) | |
| required: false | |
| lock: | |
| description: Whether to acquire terraform state lock during sync | |
| required: false | |
| default: "true" | |
| refresh: | |
| description: Refresh terraform state before sync | |
| required: false | |
| default: "false" | |
| jobs: | |
| prepare: | |
| name: Prepare | |
| runs-on: ubuntu-latest | |
| outputs: | |
| workspaces: ${{ steps.workspaces.outputs.this }} | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Discover workspaces | |
| id: workspaces | |
| env: | |
| WORKSPACES: ${{ github.event.inputs.workspaces }} | |
| run: | | |
| if [[ -z "${WORKSPACES}" ]]; then | |
| workspaces="$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)" | |
| else | |
| workspaces="$(echo "${WORKSPACES}" | jq --raw-input 'split(" ")')" | |
| fi | |
| echo "this=${workspaces}" >> $GITHUB_OUTPUT | |
| sync: | |
| needs: [prepare] | |
| if: needs.prepare.outputs.workspaces != '' | |
| permissions: | |
| contents: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }} | |
| name: Sync | |
| runs-on: ubuntu-latest | |
| env: | |
| TF_IN_AUTOMATION: 1 | |
| TF_INPUT: 0 | |
| TF_LOCK: ${{ github.event.inputs.lock }} | |
| TF_WORKSPACE_OPT: ${{ matrix.workspace }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.RW_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.RW_AWS_SECRET_ACCESS_KEY }} | |
| GITHUB_APP_ID: ${{ secrets.RW_GITHUB_APP_ID }} | |
| GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }} | |
| GITHUB_APP_PEM_FILE: ${{ secrets.RW_GITHUB_APP_PEM_FILE }} | |
| TF_VAR_write_delay_ms: 300 | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Setup terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: 1.12.0 | |
| terraform_wrapper: false | |
| - name: Initialize terraform | |
| run: terraform init -upgrade | |
| working-directory: terraform | |
| - name: Select terraform workspace | |
| run: | | |
| terraform workspace select "${TF_WORKSPACE_OPT}" || terraform workspace new "${TF_WORKSPACE_OPT}" | |
| echo "TF_WORKSPACE=${TF_WORKSPACE_OPT}" >> $GITHUB_ENV | |
| working-directory: terraform | |
| - name: Refresh terraform state | |
| if: ${{ github.event.inputs.refresh == 'true' }} | |
| run: | | |
| echo "{}" > $TF_WORKSPACE.tfstate.json | |
| terraform apply -refresh-only -auto-approve -lock=$TF_LOCK | |
| working-directory: terraform | |
| - name: Pull terraform state | |
| run: | | |
| terraform show -json > $TF_WORKSPACE.tfstate.json | |
| working-directory: terraform | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@v4 | |
| with: | |
| version: 10 | |
| - name: Use Node.js lts/* | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: lts/* | |
| cache: '' | |
| - name: Sync | |
| run: | | |
| pnpm install --frozen-lockfile | |
| pnpm run build | |
| pnpm run main | |
| working-directory: scripts | |
| - uses: ./.github/actions/git-config-user | |
| - env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| git_branch="${GITHUB_REF_NAME}-sync-${TF_WORKSPACE}" | |
| git checkout -B "${git_branch}" | |
| git add --all | |
| git diff-index --quiet HEAD || git commit --message="sync@${GITHUB_RUN_ID} ${TF_WORKSPACE}" | |
| git push origin "${git_branch}" --force | |
| push: | |
| needs: [prepare, sync] | |
| if: needs.prepare.outputs.workspaces != '' | |
| name: Push | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Generate app token | |
| id: token | |
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 | |
| with: | |
| app_id: ${{ secrets.RW_GITHUB_APP_ID }} | |
| installation_retrieval_mode: id | |
| installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }} | |
| private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }} | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| token: ${{ steps.token.outputs.token }} | |
| - uses: ./.github/actions/git-config-user | |
| - env: | |
| WORKSPACES: ${{ needs.prepare.outputs.workspaces }} | |
| run: | | |
| echo "${GITHUB_RUN_ID}" > .sync | |
| git add .sync | |
| git commit --message="sync@${GITHUB_RUN_ID}" | |
| while read workspace; do | |
| workspace_branch="${GITHUB_REF_NAME}-sync-${workspace}" | |
| git fetch origin "${workspace_branch}" | |
| git merge --strategy-option=theirs "origin/${workspace_branch}" | |
| git push origin --delete "${workspace_branch}" | |
| done <<< "$(jq -r '.[]' <<< "${WORKSPACES}")" | |
| - run: git push origin "${GITHUB_REF_NAME}" --force |