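# Sync workflow: reconciles the GitHub configuration under github/ with the
# terraform state of each workspace, weekly and on demand.
#   prepare -> lists the workspaces to process
#   sync    -> one matrix job per workspace, result pushed to a temporary branch
#   push    -> merges every temporary branch into the triggering ref
name: Sync
on:
  schedule:
    - cron: "0 0 * * 0"  # weekly, Sunday 00:00 UTC
  workflow_dispatch:
    inputs:
      workspaces:
        description: Space separated list of workspaces to sync (leave blank to sync all)
        required: false
      lock:
        description: Whether to acquire terraform state lock during sync
        required: false
        default: "true"
      refresh:
        description: Refresh terraform state before sync
        required: false
        default: "false"
jobs:
  prepare:
    name: Prepare
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository.
    permissions:
      contents: read
    outputs:
      workspaces: ${{ steps.workspaces.outputs.this }}
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        # NOTE(review): pinned by tag, not by commit SHA, unlike the
        # setup-terraform and github-app-token steps below.
        uses: actions/checkout@v5
      - name: Discover workspaces
        id: workspaces
        env:
          # The dispatch input reaches the script as an environment variable,
          # never as text interpolated into the shell command.
          WORKSPACES: ${{ github.event.inputs.workspaces }}
        run: |
          if [[ -z "${WORKSPACES}" ]]; then
            # No explicit list: every entry under github/ names a workspace once
            # its 4-character suffix (presumably ".yml") is stripped.
            # NOTE(review): with an empty github/ directory `jq -sc add` prints
            # "null", which the `!= ''` guard on the sync job does not catch — confirm.
            workspaces="$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)"
          else
            workspaces="$(echo "${WORKSPACES}" | jq --raw-input 'split(" ")')"
          fi
          echo "this=${workspaces}" >> "${GITHUB_OUTPUT}"
  sync:
    needs: [prepare]
    if: needs.prepare.outputs.workspaces != ''
    # GITHUB_TOKEN pushes the per-workspace sync branch in the last step.
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        workspace: ${{ fromJson(needs.prepare.outputs.workspaces) }}
    name: Sync
    runs-on: ubuntu-latest
    env:
      TF_IN_AUTOMATION: 1
      TF_INPUT: 0
      # Only read by the optional refresh step; empty on scheduled runs,
      # which have no dispatch inputs.
      TF_LOCK: ${{ github.event.inputs.lock }}
      TF_WORKSPACE_OPT: ${{ matrix.workspace }}
      AWS_ACCESS_KEY_ID: ${{ secrets.RW_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.RW_AWS_SECRET_ACCESS_KEY }}
      GITHUB_APP_ID: ${{ secrets.RW_GITHUB_APP_ID }}
      # Per-workspace installation id when such a secret exists, else the shared one.
      GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
      GITHUB_APP_PEM_FILE: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
      TF_VAR_write_delay_ms: 300
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        # NOTE(review): pinned by tag, not by commit SHA.
        uses: actions/checkout@v5
      - name: Setup terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "1.12.0"
          terraform_wrapper: false
      - name: Initialize terraform
        run: terraform init -upgrade
        working-directory: terraform
      - name: Select terraform workspace
        run: |
          terraform workspace select "${TF_WORKSPACE_OPT}" || terraform workspace new "${TF_WORKSPACE_OPT}"
          # Exporting TF_WORKSPACE makes every later terraform command use this workspace.
          echo "TF_WORKSPACE=${TF_WORKSPACE_OPT}" >> "${GITHUB_ENV}"
        working-directory: terraform
      - name: Refresh terraform state
        if: ${{ github.event.inputs.refresh == 'true' }}
        run: |
          # Empty placeholder export; presumably read by the configuration during
          # the refresh-only apply — confirm against terraform/.
          echo "{}" > "${TF_WORKSPACE}.tfstate.json"
          terraform apply -refresh-only -auto-approve -lock="${TF_LOCK}"
        working-directory: terraform
      - name: Pull terraform state
        run: |
          terraform show -json > "${TF_WORKSPACE}.tfstate.json"
        working-directory: terraform
      - name: Install pnpm
        # NOTE(review): pinned by tag, not by commit SHA.
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Use Node.js lts/*
        # NOTE(review): pinned by tag, not by commit SHA.
        uses: actions/setup-node@v6
        with:
          node-version: lts/*
          cache: ''
      - name: Sync
        run: |
          pnpm install --frozen-lockfile
          pnpm run build
          pnpm run main
        working-directory: scripts
      - uses: ./.github/actions/git-config-user
      - env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Publish this workspace's result on a temporary branch; the push job
          # merges and deletes it. Force push is intended: the branch is owned
          # by this run and may hold a stale result from an earlier run.
          git_branch="${GITHUB_REF_NAME}-sync-${TF_WORKSPACE}"
          git checkout -B "${git_branch}"
          git add --all
          git diff-index --quiet HEAD || git commit --message="sync@${GITHUB_RUN_ID} ${TF_WORKSPACE}"
          git push origin "${git_branch}" --force
  push:
    needs: [prepare, sync]
    if: needs.prepare.outputs.workspaces != ''
    name: Push
    runs-on: ubuntu-latest
    # Least privilege: every git write below authenticates with the app token
    # minted in the first step (persisted by the checkout), so GITHUB_TOKEN
    # only needs read access.
    permissions:
      contents: read
    defaults:
      run:
        shell: bash
    steps:
      - name: Generate app token
        id: token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        with:
          app_id: ${{ secrets.RW_GITHUB_APP_ID }}
          installation_retrieval_mode: id
          # Keyed by repository owner here, by workspace name in the sync job.
          installation_retrieval_payload: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
          private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
      - name: Checkout
        # NOTE(review): pinned by tag, not by commit SHA.
        uses: actions/checkout@v5
        with:
          token: ${{ steps.token.outputs.token }}
      - uses: ./.github/actions/git-config-user
      - env:
          WORKSPACES: ${{ needs.prepare.outputs.workspaces }}
        run: |
          # Record the run id, then fold in each workspace branch (their side
          # wins on conflict) and remove the temporary branch.
          echo "${GITHUB_RUN_ID}" > .sync
          git add .sync
          git commit --message="sync@${GITHUB_RUN_ID}"
          while read -r workspace; do
            workspace_branch="${GITHUB_REF_NAME}-sync-${workspace}"
            git fetch origin "${workspace_branch}"
            git merge --strategy-option=theirs "origin/${workspace_branch}"
            git push origin --delete "${workspace_branch}"
          done <<< "$(jq -r '.[]' <<< "${WORKSPACES}")"
      # NOTE(review): --force discards any commit pushed to the ref after this
      # job's checkout; --force-with-lease would reject that case instead.
      # Confirm a plain force push is required here.
      - run: git push origin "${GITHUB_REF_NAME}" --force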