feat(terraform): update terraform cloudflare to 4.47.0 (#4670) #121
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "Publish Terraform as OCI" | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: ["main"] | |
| paths: ["terraform/**"] | |
| env: | |
| IMAGE_REGISTRY: ghcr.io | |
| jobs: | |
| changed-files: | |
| name: Generate Build Matrix | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - name: Generate Token | |
| uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0 | |
| id: generate-token | |
| with: | |
| app_id: "${{ secrets.BOT_APP_ID }}" | |
| private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: "${{ steps.generate-token.outputs.token }}" | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44.5.7 | |
| with: | |
| dir_names: true | |
| dir_names_max_depth: 2 | |
| json: true | |
| files: | | |
| terraform/** | |
| - name: List all changed files | |
| run: | | |
| echo '${{ steps.changed-files.outputs.all_changed_files }}' | |
| - id: set-matrix | |
| run: echo "matrix={\"project\":${{ steps.changed-files.outputs.all_changed_files }}}" >> "${GITHUB_OUTPUT}" | |
| publish-terraform: | |
| name: Publish OCI | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| id-token: write | |
| needs: [changed-files] | |
| strategy: | |
| matrix: ${{ fromJSON(needs.changed-files.outputs.matrix) }} | |
| steps: | |
| - name: Generate Token | |
| uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1.9.0 | |
| id: generate-token | |
| with: | |
| app_id: "${{ secrets.BOT_APP_ID }}" | |
| private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: "${{ steps.generate-token.outputs.token }}" | |
| - name: Setup Homebrew | |
| uses: Homebrew/actions/setup-homebrew@master | |
| - name: Setup Tools | |
| run: | | |
| brew install cosign fluxcd/tap/flux | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate OCI tag | |
| id: generate-tag | |
| run: echo "tag=${{ env.IMAGE_REGISTRY }}/${{ github.repository_owner }}/terraform-$(basename ${{ matrix.project }})-oci:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}" | |
| - name: Publish OCI | |
| run: | | |
| flux push artifact oci://${{ steps.generate-tag.outputs.tag }} \ | |
| --path="./${{ matrix.project }}" \ | |
| --source="$(git config --get remote.origin.url)" \ | |
| --revision="$(git branch --show-current)/$(git rev-parse HEAD)" | |
| - name: Tag OCI | |
| run: flux tag artifact oci://${{ steps.generate-tag.outputs.tag }} --tag main | |
| - name: Sign the OCI artifact | |
| run: cosign sign ${{ steps.generate-tag.outputs.tag }} | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| - name: Verify the pushed tags | |
| run: cosign verify ${{ steps.generate-tag.outputs.tag }} | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 |