From b76bee6218f2244a77b195e8dae8d90161817278 Mon Sep 17 00:00:00 2001 From: Zach Goldberg Date: Thu, 29 Aug 2024 08:28:08 -0700 Subject: [PATCH 01/25] DEV-378 - Breakout creating PRs from boilerplating for new accounts/repos (#69) * chore: start work on dev-378 * chore: change the definition of post-provision new account to be more narrowly tailored to creating the new account, not the PR * chore: move around some values * chore: wire up data flows * chor: update for api changes * chore: more wiring cleanups --- .github/workflows/pipelines-root.yml | 32 ++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index f9d8a17..deafd4b 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -31,7 +31,7 @@ on: env: PIPELINES_CLI_VERSION: v0.28.0 - PIPELINES_ACTIONS_VERSION: main + PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 
@@ -155,14 +155,27 @@ jobs: INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - - name: "[Baseline]: Post Provision New Account Custom Action" + - name: "[ProvisionAccount]: Post Provision New Account Custom Action" uses: ./pipelines-actions/.github/custom-actions/post-provision-new-account if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - baseline_pull_request_url: ${{ steps.provision_new_account.outputs.pull_request_url }} + baseline_path: ${{ steps.provision_new_account.outputs.baseline_path }} + + - name: "[ProvisionAccount]: Create New Account Pull Request Action" + uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action + if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} + with: + GH_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + path: ${{ steps.provision_new_account.outputs.baseline_path }} + new_branch_name: ${{ steps.provision_new_account.outputs.new_branch_name }} + commit_message: ${{ steps.provision_new_account.outputs.commit_message }} + pr_body: ${{ steps.provision_new_account.outputs.pr_body }} + requesting_pr_number: ${{ steps.provision_new_account.outputs.requesting_pr_number }} + step_summary_content: ${{ steps.provision_new_account.outputs.step_summary_content }} + gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[Baseline]: Pre Baseline Core Account Action" uses: ./pipelines-actions/.github/custom-actions/pre-baseline-core-accounts 
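Review bot: The `post-provision-new-account` custom action still receives `INFRA_ROOT_WRITE_TOKEN`, although pull-request creation has moved to the new `pipelines-new-pr-action` step, which takes the same secret as `GH_TOKEN`. If the hook no longer pushes or opens PRs, dropping that input keeps the write credential out of code under `custom-actions/`, which looks like an extension point; the hook's implementation is not visible here, so confirm before removing it. The new step also forwards `new_branch_name`, `commit_message` and `pr_body` from the `provision_new_account` outputs, so the action should read them as data through environment variables rather than expanding them inside a `run:` script.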
@@ -377,4 +390,15 @@ jobs: access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} - delegated_repo_pull_request_url: ${{ steps.provision_delegated_repo.outputs.pull_request_url }} + + - name: "Create Delegated Repo PR" + uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action + with: + gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} + GH_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + path: ${{ steps.provision_delegated_repo.outputs.path }} + new_branch_name: ${{ steps.provision_delegated_repo.outputs.new_branch_name }} + commit_message: ${{ steps.provision_delegated_repo.outputs.commit_message }} + pr_body: ${{ steps.provision_delegated_repo.outputs.pr_body }} + requesting_pr_number: ${{ steps.provision_delegated_repo.outputs.requesting_pr_number }} + step_summary_content: ${{ steps.provision_delegated_repo.outputs.step_summary_content }} From 76319dccff05d7939e953fc1e1e7123db04ab469 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Thu, 29 Aug 2024 10:03:14 -0600 Subject: [PATCH 02/25] DEV-408 Use Get Logs URL in jobs (#68) * Update pipelines-root.yml * Update pipelines-root.yml * debugging * Update pipelines-root.yml * JOB_NAME * add job_id * fix missing bracket * fix * Run logs url action * Use 2024-07-19_get-job-id actions * Add actions: read permission * permissions * pass var into next step * permissions * fix input * Dynamic step name * typo * test syntax * test syntax * colons are broken * try other quoting * Add get logs url to other jobs --------- Co-authored-by: Zach Goldberg --- .github/workflows/pipelines-root.yml | 22 ++++++++++++++++++++++ .github/workflows/pipelines.yml | 11 +++++++++++ 2 files changed, 33 insertions(+) diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index deafd4b..1c8f4fe 100644 
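Review bot: The added `Create Delegated Repo PR` step passes `ORG_REPO_ADMIN_TOKEN` to `pipelines-new-pr-action` as `GH_TOKEN`, while the equivalent step in the account-provisioning job uses `INFRA_ROOT_WRITE_TOKEN`. Pushing a branch and opening a pull request normally needs only contents and pull-request write on the target repository, so an org-level admin token looks broader than this step requires. If no narrower token can reach the delegated repository, a short comment above `GH_TOKEN` saying why the admin scope is needed would record that decision. The step also has no `if:` guard, unlike its counterpart, and any job-level condition is outside the hunk.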
--- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -97,6 +97,8 @@ jobs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} pipelines_execute: + env: + JOB_NAME: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} needs: [pipelines_orchestrate] runs-on: ${{ fromJSON(inputs.runner) }} @@ -218,6 +220,14 @@ jobs: infra_live_directory: "." deploy_branch_name: ${{ steps.gruntwork_context.outputs.deploy_branch_name }} + - name: Get Logs URL + id: get_logs_url + uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url + if: always() + with: + job_name: ${{ env.JOB_NAME }} + step_name_prefix: "${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' && '[TerragruntExecute]:\ Authenticate with AWS and then Invoke Terragrunt' || (steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' && 'Run core accounts baselines' || '[ProvisionAccount]:\ Provision New Account') }}" + - name: Update comment uses: ./pipelines-actions/.github/actions/pipelines-status-update if: always() @@ -228,6 +238,7 @@ jobs: step_details: ${{ steps.terragrunt.outputs.formatted_plan_output }} step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} + step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} outputs: account_id: ${{ matrix.jobs.AccountId }} 
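Review bot: `step_name_prefix` in the new `Get Logs URL` step repeats the display names of other steps as string literals (`'[ProvisionAccount]:\ Provision New Account'`, `'Run core accounts baselines'`), so renaming one of those steps would presumably break the log link without any error. A comment above the input, e.g. `# must match the name: of the step whose logs are linked; update both together`, would make the coupling visible. The same applies to the `Get Logs URL` steps this patch adds to `pipelines_apply_baselines` and to `pipelines.yml`. `JOB_NAME` likewise duplicates the job's `name:` expression and embeds `matrix.jobs.WorkingDirectory`, so the action should treat `job_name` as data and not splice it into a shell command.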
@@ -241,6 +252,8 @@ jobs: delegate_management: ${{ steps.gruntwork_context.outputs.delegate_management }} pipelines_apply_baselines: + env: + JOB_NAME: Baseline Child Account ${{ contains(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }}) name: Baseline Child Account ${{ contains(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.Name }} (${{ matrix.jobs.ID }}) needs: [pipelines_orchestrate, pipelines_execute] runs-on: ${{ fromJSON(inputs.runner) }} @@ -316,6 +329,14 @@ jobs: job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} + - name: Get Logs URL + id: get_logs_url + uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url + if: always() + with: + job_name: ${{ env.JOB_NAME }} + step_name_prefix: "[Baseline]: Baseline the Child Account" + - name: Update comment uses: ./pipelines-actions/.github/actions/pipelines-status-update if: always() @@ -325,6 +346,7 @@ jobs: step_details: ${{ steps.baseline_child_account.outputs.formatted_plan_output || 'Check the logs for more details.' }} step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }} pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }} + step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} pipelines_setup_delegated_repo: name: "Setup Delegated Repo" diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index e6f25cf..ccf89e7 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml 
@@ -84,6 +84,8 @@ jobs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} pipelines_execute: + env: + JOB_NAME: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} name: ${{ contains(matrix.jobs.Action.Command, 'plan') && 'Plan' || 'Apply' }} - ${{ matrix.jobs.ChangeType }} - ${{ matrix.jobs.WorkingDirectory }} needs: [pipelines_orchestrate] runs-on: ${{ fromJSON(inputs.runner) }} @@ -138,6 +140,14 @@ jobs: infra_live_directory: "." deploy_branch_name: ${{ steps.gruntwork_context.outputs.deploy_branch_name }} + - name: Get Logs URL + id: get_logs_url + uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url + if: always() + with: + job_name: ${{ env.JOB_NAME }} + step_name_prefix: "Run terragrunt" + - name: Update comment if: always() uses: ./pipelines-actions/.github/actions/pipelines-status-update @@ -148,6 +158,7 @@ jobs: step_details: ${{ steps.terragrunt.outputs.formatted_plan_output }} step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} + step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} outputs: account_id: ${{ matrix.jobs.AccountId }} From 8caeb6e52db51e8a06267ff124cc3c110f6a1293 Mon Sep 17 00:00:00 2001 
From: Lewis Christie Date: Thu, 29 Aug 2024 10:04:50 -0600 Subject: [PATCH 03/25] Drift Detection Workflow (#79) * WIP add drift detection * Fix broken if statement * Pass root as working directory to bootstrap * Fix exclude root dir from run-all plan * Fix git change detection * Working dir for later steps * Add parallelism limit 6 * Use 0.26.0-rc4. Remove paralllelism limit * Fix role used for run-all plan * feat: Adding cross runner cache persistence * fix whitespace * Fix missing GH_TOKEN * Use -n for git status check * Pipelines CLI v0.26.1 * Fix missing author for create pr * Pipelines CLI v0.26.2-rc1 * Drift detection 2.0 * Fix command * GH_TOKEN * MACHINE_USER_NAME * Use org repo admin for pr creation * Add org admin token * Allow erroring modules. Always cache providers * Cache auth on disk. Only run first 10. * Pipelines CLI v0.28.0-rc2 * Pipelines CLI v0.28.0-rc3 * Switch to just plan * mkdir planfolder * fix plan folder * fix plan folder for parse plans * Pipelines CLI v0.28.0-rc4 * Pipelines CLI v0.28.0-rc5 * Matrixed drift detection jobs * Inline repo dir * Fix * Fix typo * debug mktemp missing * fix path var * dont override path * pathing * Update pipelines-drift-detection.yml * Update pipelines-root.yml * fix json escape string * fix array slicing * fix json escaping * property quotes * Add first pass pr body content * Fix missing pipelines actions * avoid backtick expansion * avoid backtick expansion * echo pr body * move arg * bash escape newline * try other escape * Use INFRA_ROOT_WRITE_TOKEN * Use INFRA_ROOT_WRITE_TOKEN * Add branch link, switch back to drift-detection branch * Actions @ main * actions @ main * Add error detection * tee to file * EOF * multiline github output * more newlines * fix job url, path * debugging * debugging * debugging * debugging * debugging * debugging * add log url link to top of pr body * remove debug limit of 10 units * Add step summary * Fix json output * try without cred caching * try without color removal * 
restore color removal, remove echos * Increase line height of drifted items * Remove debug limit * Reset changes to other workflows * Use matching pipelines versions * Use action for determine * Pipelines CLI v0.28.0 * Extract drift detection * Pass args * typo * Pass JOB_NAME and STEP_NAME through * Use merged determine units * Var rename. Remove terraform syntax highlight * Test sort units fix * consolidate jobs action. rename secret * Add branch_name input * Fix actions version * Fix actions version * Use merged action * Update pipelines-drift-detection.yml --------- Co-authored-by: Yousif Akbar <11247449+yhakbar@users.noreply.github.com> Co-authored-by: Oreoluwa Agunbiade <21035422+oredavids@users.noreply.github.com> --- .../workflows/pipelines-drift-detection.yml | 122 ++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 .github/workflows/pipelines-drift-detection.yml diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml new file mode 100644 index 0000000..e413ee3 --- /dev/null +++ b/.github/workflows/pipelines-drift-detection.yml 
@@ -0,0 +1,122 @@ +name: Pipelines +run-name: Drift Detection +on: + workflow_call: + inputs: + # This field can be overriden to customize the runner used for pipelines + # workflows. + # + # IMPORTANT: To use self-hosted runners this workflow must be hosted in + # the same GitHub organization as your infra-live repository. + # See https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-self-hosted-runners + # + # The value must be an escaped JSON string that will be decoded to the + # jobs.runs-on field + # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idruns-on + # + # For example: + # - A simple github runner: "\"ubuntu-22.04\"" + # - A list of labels: "[\"self-hosted\", \"linux\"]" + # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}" + runner: + type: string + default: '"ubuntu-latest"' + branch-name: + type: string + default: "drift-detection" + secrets: + PIPELINES_READ_TOKEN: + required: true + PR_CREATE_TOKEN: + required: true +env: + PIPELINES_CLI_VERSION: v0.28.0 + PIPELINES_ACTIONS_VERSION: main + BOILERPLATE_VERSION: v0.5.16 + GRUNTWORK_INSTALLER_VERSION: v0.0.40 + +jobs: + determine_units: + name: Detect Infrastructure Drift + runs-on: ${{ fromJSON(inputs.runner) }} + outputs: + units: ${{ steps.determine-units.outputs.units }} + steps: + - name: Checkout Pipelines Actions + uses: actions/checkout@v4 + with: + path: pipelines-actions + repository: gruntwork-io/pipelines-actions + ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + + - name: Check out repo code + uses: actions/checkout@v4 + with: + path: infra-live-repo + fetch-depth: 0 + + - name: Determine Units + id: determine-units + uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-determine-units + + pipelines_drift_detection: + runs-on: ${{ fromJSON(inputs.runner) }} + needs: determine_units + strategy: + fail-fast: false + matrix: + unit: ${{ 
fromJSON(needs.determine_units.outputs.units) }} + env: + JOB_NAME: Detect Drift in ${{ matrix.unit.path }} + name: Detect Drift in ${{ matrix.unit.path }} + steps: + - name: Checkout Pipelines Actions + uses: actions/checkout@v4 + with: + path: pipelines-actions + repository: gruntwork-io/pipelines-actions + ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + + - name: Check out repo code + uses: actions/checkout@v4 + with: + path: infra-live-repo + fetch-depth: 0 + + - name: Execute Drift Detection + id: determine-drift + uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-determine-drift + with: + UNIT_ID: ${{ matrix.unit.id }} + UNIT_PATH: ${{ matrix.unit.path }} + PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + JOB_NAME: ${{ env.JOB_NAME }} + STEP_NAME: "Execute Drift Detection" + + consolidate_jobs: + runs-on: ${{ fromJSON(inputs.runner) }} + needs: pipelines_drift_detection + steps: + - name: Checkout Pipelines Actions + uses: actions/checkout@v4 + with: + path: pipelines-actions + repository: gruntwork-io/pipelines-actions + ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + + - name: Check out repo code + uses: actions/checkout@v4 + with: + path: infra-live-repo + fetch-depth: 0 + + - name: "Consolidate Jobs" + id: consolidate-jobs + uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs + with: + PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PR_CREATE_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + BRANCH_NAME: ${{ inputs.branch-name }} From 86b08db3fb51c304f2add7b95350449ae46ece18 Mon Sep 17 00:00:00 2001 
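Review bot: `PIPELINES_ACTIONS_VERSION: main` makes every job in this new workflow run whatever is at the tip of `gruntwork-io/pipelines-actions`, and `consolidate_jobs` then passes `PR_CREATE_TOKEN` to an action loaded from that checkout. `pipelines-root.yml` was moved to `v3-rc1` earlier in this series; using the same tag here, or better a full commit SHA, keeps a later push to `main` from changing the code that handles the token. The workflow also declares no `permissions:` block, so the jobs inherit whatever the caller grants `GITHUB_TOKEN`. A top-level `permissions: { contents: read }` would be a safer default if the actions rely only on the tokens passed in.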
From: Lewis Christie Date: Tue, 17 Sep 2024 15:04:06 -0600 Subject: [PATCH 04/25] Support Pipelines as a Gruntwork GitHub App (#82) * Use actions@2024-08-27_gruntcon_githubapp * Use pipelines-cli@v0.29.0-rc1 * Use pipelines-credentials for downloading actions * uses format * Update pipelines-root.yml * Fix correctly use outputs * typo * Try concatenate env * Try github var * Pass tokens to execute * Fix typo * debug cloning * chars * interp * less args * remove debugging * add new tokens to preflight * rename token * chore: baseline needs both tokens * chore: use the new tokens everywhere * chore: fix token thing * Fetch infra root write and org admin, pass to preflight * Switch out admin tokens in root * Disable provisioning temporarily * Fix read token ref * Update unlock to use github app tokens * Bump pipelines CLI to v0.29.0-rc2 * Use top level env GH_TOKEN * Use github app in delegated workflow * Bump pipelines CLI to v0.29.0-rc3 * Try rc3 * Try v0.28.2 * Trace log * v0.28.3-rc2 * v0.28.3-rc3 * v0.28.3-rc5 * v0.29.0-rc5 * fix: Set `api_base_url` * fix: Use `gruntwork-io` for `pipelines-credentials` * feat: Adding dynamicity to API URL * Use customer org token * DEV-519 Integerate drift detection with GitHub App (#86) * Integrate app * Add org read token * Add create pr token * Make secrets not required * Dynamic api_base_url * Use moved action --------- Co-authored-by: Zach Goldberg Co-authored-by: Yousif Akbar <11247449+yhakbar@users.noreply.github.com> --- .../workflows/pipelines-drift-detection.yml | 84 +++++++- .github/workflows/pipelines-root.yml | 179 +++++++++++++++--- .github/workflows/pipelines-unlock.yml | 83 ++++++-- .github/workflows/pipelines.yml | 56 +++++- 4 files changed, 342 insertions(+), 60 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index e413ee3..735ccb2 100644 --- a/.github/workflows/pipelines-drift-detection.yml 
+++ b/.github/workflows/pipelines-drift-detection.yml @@ -24,14 +24,17 @@ on: branch-name: type: string default: "drift-detection" + api_base_url: + type: string + default: "https://api.prod.app.gruntwork.io/api/v1" secrets: PIPELINES_READ_TOKEN: - required: true + required: false PR_CREATE_TOKEN: - required: true + required: false env: - PIPELINES_CLI_VERSION: v0.28.0 - PIPELINES_ACTIONS_VERSION: main + PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 @@ -42,19 +45,37 @@ jobs: outputs: units: ${{ steps.determine-units.outputs.units }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Determine Units id: determine-units 
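Review bot: `gruntwork-io/pipelines-credentials@main` is referenced by a mutable branch, yet each of these steps gives it `FALLBACK_TOKEN`, and its output becomes the token for the checkouts and downstream actions. Pinning to a full commit SHA, e.g. `uses: gruntwork-io/pipelines-credentials@<FULL_COMMIT_SHA>  # <release tag>`, means a change on that branch cannot alter token handling without a reviewed bump here. The same reference recurs in every `Fetch … Token` step this patch adds, in the other drift-detection jobs and in `pipelines-root.yml`. With both secrets now `required: false`, it would also help to fail early with a clear message when neither the app-issued token nor the fallback is available; the root workflow has a `Validate PIPELINES_READ_TOKEN` step, but none is visible in this file.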
@@ -71,27 +92,45 @@ jobs: JOB_NAME: Detect Drift in ${{ matrix.unit.path }} name: Detect Drift in ${{ matrix.unit.path }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Execute Drift Detection id: determine-drift uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-determine-drift with: + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} UNIT_ID: ${{ matrix.unit.id }} UNIT_PATH: ${{ matrix.unit.path }} - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} JOB_NAME: ${{ env.JOB_NAME }} STEP_NAME: "Execute Drift Detection" 
@@ -99,24 +138,49 @@ jobs: runs-on: ${{ fromJSON(inputs.runner) }} needs: pipelines_drift_detection steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Create PR Token + id: pipelines-propose-infra-change-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: "Consolidate Jobs" id: consolidate-jobs uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - PR_CREATE_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} BRANCH_NAME: ${{ inputs.branch-name }} 
diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 1c8f4fe..4070a22 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -21,6 +21,10 @@ on: runner: type: string default: '"ubuntu-latest"' + api_base_url: + type: string + default: "https://api.prod.app.gruntwork.io/api/v1" + secrets: PIPELINES_READ_TOKEN: required: true @@ -30,7 +34,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.28.0 + PIPELINES_CLI_VERSION: v0.29.0-rc5 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 @@ -49,6 +53,38 @@ jobs: name: Detect Infrastructure Changes runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Infra Root Write Token + id: pipelines-infra-root-write-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Repo Admin Token + id: pipelines-org-repo-admin-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions id: checkout_actions uses: actions/checkout@v4 
@@ -56,7 +92,7 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Validate PIPELINES_READ_TOKEN if: always() && steps.checkout_actions.conclusion != 'success' @@ -84,14 +120,17 @@ jobs: with: IS_ROOT: "true" PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Pipelines Orchestrate id: orchestrate uses: ./pipelines-actions/.github/actions/pipelines-orchestrate with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} 
@@ -109,13 +148,37 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Infra Root Write Token + id: pipelines-infra-root-write-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 @@ -127,7 +190,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} change_type: ${{ matrix.jobs.ChangeType }} branch: ${{ matrix.jobs.Ref }} working_directory: ${{ matrix.jobs.WorkingDirectory }} 
@@ -144,8 +208,9 @@ jobs: uses: ./pipelines-actions/.github/custom-actions/pre-provision-new-account if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[ProvisionAccount]: Provision New Account" 
@@ -153,16 +218,18 @@ jobs: if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} uses: ./pipelines-actions/.github/actions/pipelines-provision-account-action with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[ProvisionAccount]: Post Provision New Account Custom Action" uses: ./pipelines-actions/.github/custom-actions/post-provision-new-account if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} baseline_path: ${{ steps.provision_new_account.outputs.baseline_path }} 
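Review bot: The `Create New Account Pull Request Action` step sits between this hunk and the next and is not touched, so it presumably still passes `GH_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}` while the neighbouring steps now use the token from `pipelines-infra-root-write-token`. If that secret is unset under the GitHub App flow, PR creation would run with an empty token. `GH_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}` would match the rest of the job. The step's lines are outside the hunk, so this is inferred from the hunk offsets.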
@@ -183,7 +250,8 @@ jobs: uses: ./pipelines-actions/.github/custom-actions/pre-baseline-core-accounts if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} # Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly) @@ -193,14 +261,16 @@ jobs: # TODO: Rename this as pipelines-apply-core-baselines or something similar uses: ./pipelines-actions/.github/actions/pipelines-baseline-account-action with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[Baseline]: Post Baseline Core Account Action" uses: ./pipelines-actions/.github/custom-actions/post-baseline-core-accounts if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt" 
@@ -210,7 +280,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd ." with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} @@ -225,6 +296,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' && '[TerragruntExecute]:\ Authenticate with AWS and then Invoke Terragrunt' || (steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' && 'Run core accounts baselines' || '[ProvisionAccount]:\ Provision New Account') }}" @@ -264,6 +336,22 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: 
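Review bot: `uses: gruntwork-io/pipelines-credentials@main` in both added Fetch steps of the `@@ -264,6 +336,22 @@` hunk tracks a moving branch while receiving `secrets.PIPELINES_READ_TOKEN` as `FALLBACK_TOKEN`. Any later push to that branch therefore runs with this job's secrets, without a change in this repository. The same patch moves `PIPELINES_ACTIONS_VERSION` from `main` to `v3-rc1`, so pinning is evidently intended. The credentials action should be pinned too, ideally by commit: `uses: gruntwork-io/pipelines-credentials@<full-commit-sha>  # <release-tag>` (both placeholders). The same ref recurs in every later "Fetch … Token" step on this page, including those whose fallback is `ORG_REPO_ADMIN_TOKEN` or `INFRA_ROOT_WRITE_TOKEN`.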
@@ -289,7 +377,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }} branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }} working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }} @@ -304,7 +393,8 @@ jobs: - name: "[Baseline]: Pre Baseline Child Account Action" uses: ./pipelines-actions/.github/custom-actions/pre-baseline-child-account with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} @@ -314,7 +404,8 @@ jobs: id: baseline_child_account uses: ./pipelines-actions/.github/actions/pipelines-baseline-child-account-action with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} 
@@ -323,7 +414,8 @@ jobs: - name: "[Baseline]: Post Baseline Child Account Action" uses: ./pipelines-actions/.github/custom-actions/post-baseline-child-account with: - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} @@ -334,6 +426,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "[Baseline]: Baseline the Child Account" 
@@ -355,6 +448,30 @@ jobs: # GHA can't check for length, so we just check if there is an item in the 0 index if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Repo Admin Token + id: pipelines-org-repo-admin-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: @@ -373,7 +490,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }} branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }} working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }} 
@@ -392,8 +510,9 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} - name: "Create and bootstrap delegated Repo" id: provision_delegated_repo @@ -401,8 +520,9 @@ jobs: with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} # To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/ - name: "Post create delegated repo custom actions" 
@@ -410,14 +530,15 @@ jobs: with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} - name: "Create Delegated Repo PR" uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - GH_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + GH_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} path: ${{ steps.provision_delegated_repo.outputs.path }} new_branch_name: ${{ steps.provision_delegated_repo.outputs.new_branch_name }} commit_message: ${{ steps.provision_delegated_repo.outputs.commit_message }} diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 1329b55..6d3c3e7 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -15,6 +15,9 @@ on: description: "Forcibly reset all locks by deleting the dynamodb table" required: false type: boolean + api_base_url: + type: string + default: "https://api.prod.app.gruntwork.io/api/v1" # This field can be overriden to customize the runner used for pipelines # workflows. @@ -38,8 +41,8 @@ on: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.28.0 - PIPELINES_ACTIONS_VERSION: main + PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_ACTIONS_VERSION: v3-rc1 jobs: unlock_one: 
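Review bot: The new `api_base_url` input in pipelines-unlock.yml (`@@ -15,6 +15,9 @@`) has no `description` and nothing constrains its value, yet every Fetch step passes it to the credentials action together with a fallback secret. What that action sends to the URL is not visible here, but if the token exchange goes to this endpoint, a caller that overrides the input decides which host takes part in it. I would document it, e.g. `description: "Base URL of the Gruntwork Pipelines API used to fetch tokens; keep the default unless instructed otherwise"`. If callers have no real need to override it, a fixed value in `env:` would be safer than an input. The same input is added to pipelines.yml in the `@@ -21,13 +21,17 @@` hunk.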
@@ -47,13 +50,29 @@ jobs: if: ${{ !inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 @@ -65,7 +84,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} working_directory: ${{ inputs.working_directory }} terragrunt_command: "force-unlock -force ${{ inputs.lock_id }}" branch: 'main' 
@@ -76,7 +96,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd ." with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} @@ -91,13 +112,29 @@ jobs: if: ${{ inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 
@@ -109,7 +146,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} working_directory: ${{ inputs.working_directory }} terragrunt_command: "init" branch: 'main' @@ -137,8 +175,7 @@ jobs: shell: bash id: unlock_tables env: - GITHUB_TOKEN: ${{ github.token }} - GH_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} run: | set +x set +e @@ -161,7 +198,7 @@ jobs: working_dir="$1" cd $working_dir - pipelinesConfigAuth=$(GH_TOKEN=$GITHUB_TOKEN pipelines config auth) + pipelinesConfigAuth=$(pipelines config auth) ACCOUNTID=$(echo $pipelinesConfigAuth | jq -r ".Authentication.AWSOIDC.AccountID") grep $ACCOUNTID $COMPLETED_ACCOUNTS_FILE > /dev/null @@ -176,7 +213,7 @@ jobs: REGION=$(echo $pipelinesConfigAuth | jq -r ".Authentication.AWSOIDC.Region") - auth=$(GH_TOKEN=$GITHUB_TOKEN pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd .) + auth=$(pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd .) export AWS_DEFAULT_REGION=$REGION export AWS_ACCESS_KEY_ID=$(jq -r '.awsCredentials.ACCESS_KEY_ID' <<< $auth) export AWS_SECRET_ACCESS_KEY=$(jq -r '.awsCredentials.SECRET_ACCESS_KEY' <<< $auth) 
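Review bot: In the `@@ -176,7 +213,7 @@` hunk the output of `pipelines auth terragrunt-credentials` goes straight into the `jq -r` exports with no success check, and the script runs under `set +e` (visible in the `@@ -137,8 +175,7 @@` hunk). A failed call therefore leaves `auth` empty and the AWS variables are exported empty or as `null`. With the `GH_TOKEN=$GITHUB_TOKEN` prefix removed, both `pipelines` calls now rely only on the step-level `GH_TOKEN` from the fetched customer-org token, so a fetch problem surfaces here first. I would fail fast, e.g. `auth=$(pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd .) || { echo "pipelines auth failed in $working_dir" >&2; return 1; }`, and do the same for `pipelines config auth` in the `@@ -161,7 +198,7 @@` hunk. The enclosing shell function starts and ends outside these hunks, so whether `return` or `exit` is right needs checking against the full script.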
@@ -223,13 +260,29 @@ jobs: matrix: working_directory: ${{ fromJson(needs.unlock_all.outputs.unlock_folders) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 @@ -241,7 +294,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} working_directory: ${{ matrix.working_directory }} terragrunt_command: "init" branch: 'main' 
@@ -252,7 +306,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd ." with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index ccf89e7..78e7f47 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -21,13 +21,17 @@ on: runner: type: string default: '"ubuntu-latest"' + api_base_url: + type: string + default: "https://api.prod.app.gruntwork.io/api/v1" + secrets: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.28.0 - PIPELINES_ACTIONS_VERSION: main + PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_ACTIONS_VERSION: v3-rc1 # GitHub Actions tends to hit resource exhaustion and kill running jobs # if we leave parallelism unbounded, so we set the max to 10 for a sane default. 
@@ -38,6 +42,22 @@ jobs: name: Detect Infrastructure Changes runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions id: checkout_actions uses: actions/checkout@v4 @@ -45,7 +65,7 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Validate PIPELINES_READ_TOKEN if: always() && steps.checkout_actions.conclusion != 'success' @@ -73,12 +93,15 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-preflight-action with: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Pipelines Orchestrate id: orchestrate uses: ./pipelines-actions/.github/actions/pipelines-orchestrate with: - token: ${{ secrets.PIPELINES_READ_TOKEN || secrets.GITHUB_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} 
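Review bot: After the `@@ -45,7 +65,7 @@` hunk the checkout authenticates with `steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN`, but the next step is still named `Validate PIPELINES_READ_TOKEN` and runs on any checkout failure. A failure can now come from the credentials fetch as well as from the secret, so the diagnostic may point the operator at the wrong credential. The body of that step is outside the hunk; I would rename it along the lines of `Validate Gruntwork read token` and have its message name both the fetched token and the fallback secret.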
@@ -96,13 +119,29 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }} steps: + - name: Fetch Gruntwork Read Token + id: pipelines-gruntwork-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + + - name: Fetch Org Read Token + id: pipelines-customer-org-read-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 @@ -114,7 +153,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} change_type: ${{ matrix.jobs.ChangeType }} branch: ${{ matrix.jobs.Ref }} working_directory: ${{ matrix.jobs.WorkingDirectory }} 
@@ -130,7 +170,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd ." with: - token: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} @@ -145,6 +186,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "Run terragrunt" From 5499fd132fabbf87d68ffc8b5c8f042ea98ce22b Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 11:03:18 -0600 Subject: [PATCH 05/25] Use github app token when creating comments --- .github/workflows/pipelines-root.yml | 11 +++++++++++ .github/workflows/pipelines.yml | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 4070a22..1c69a19 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -311,6 +311,7 @@ jobs: step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} outputs: account_id: ${{ matrix.jobs.AccountId }} 
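Review bot: In the pipelines-root.yml hunk `@@ -311,6 +311,7 @@` the status-update step gets `PR_COMMENT_WRITE_TOKEN` from `steps.pipelines-infra-root-write-token`, whereas the child-account job in the following hunks passes `steps.pipelines-propose-infra-change-token` for the same input. Judging by the token paths, the infra-root write token is the broader credential (it is also what `pipelines-new-pr-action` receives as `GH_TOKEN`), so a step that only posts comments is handed more than it appears to need. I would fetch the `propose-infra-change/${{ github.repository_owner }}` token in this job as well and pass `PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }}`. The same pairing recurs in the later root-workflow hunks `@@ -125,6 +125,7 @@`, `@@ -133,6 +133,7 @@`, `@@ -222,7 +224,7 @@` and `@@ -265,6 +267,7 @@`. The scopes of these tokens are not visible on this page, so confirm before changing.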
@@ -352,6 +353,14 @@ jobs: FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} api_base_url: ${{ inputs.api_base_url }} + - name: Fetch Create PR Token + id: pipelines-propose-infra-change-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: @@ -372,6 +381,7 @@ jobs: step_name: Baseline Child Account ${{ matrix.jobs.Name }} step_status: "in_progress" pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context @@ -440,6 +450,7 @@ jobs: step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }} pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} pipelines_setup_delegated_repo: name: "Setup Delegated Repo" diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 78e7f47..4aeaad5 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -28,6 +28,8 @@ on: secrets: PIPELINES_READ_TOKEN: required: true + PR_CREATE_TOKEN: + required: false env: PIPELINES_CLI_VERSION: v0.29.0-rc5 
@@ -135,6 +137,14 @@ jobs: FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} api_base_url: ${{ inputs.api_base_url }} + - name: Fetch Create PR Token + id: pipelines-propose-infra-change-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions uses: actions/checkout@v4 with: @@ -201,6 +211,7 @@ jobs: step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} outputs: account_id: ${{ matrix.jobs.AccountId }} From 27fcfb7d4d65623cd1d4b50d18f7199808319050 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 11:06:03 -0600 Subject: [PATCH 06/25] Fix checkout repo not using github app token --- .github/workflows/pipelines-root.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 1c69a19..dcb43c9 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -114,6 +114,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Preflight Checks uses: ./pipelines-actions/.github/actions/pipelines-preflight-action From 450e01f2e3fb1969e61579d3146e9b5a381de7ac Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 11:09:03 -0600 Subject: [PATCH 07/25] Fix token not passed to preflight --- .github/workflows/pipelines-root.yml | 1 + .github/workflows/pipelines.yml | 9 +++++++++ 2 files changed, 10 insertions(+) 
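Review bot: The `FALLBACK_TOKEN` of the new Fetch Create PR Token step (`@@ -135,6 +137,14 @@`) is `secrets.PR_CREATE_TOKEN`, which the `@@ -28,6 +28,8 @@` hunk declares with `required: false` and no description. When a caller does not set it and the credentials action has nothing else to return, `PR_COMMENT_WRITE_TOKEN` in the `@@ -201,6 +211,7 @@` hunk is presumably empty. How the action treats an empty fallback is not visible here. I would at least document the secret, e.g. `description: "Optional token with pull-request write access, used only when no propose-infra-change token can be fetched"`. The same step is added to the detect job in the `@@ -60,6 +60,14 @@` hunk.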
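Review bot: The `token:` added to "Check out repo code" in the `@@ -114,6 +114,7 @@` hunk of PATCH 06 is written into the git configuration of `infra-live-repo`, because `actions/checkout` persists the credential unless told otherwise. It therefore stays readable on disk for every later step in the job, including the customer-editable custom-action hooks. If no later step relies on that stored credential for git operations (not determinable from this hunk), add `persist-credentials: false` under the same `with:`. The same applies to the checkout hunks `@@ -187,6 +188,7 @@`, `@@ -369,13 +372,14 @@` and `@@ -491,13 +495,14 @@` in pipelines-root.yml, and to `@@ -79,6 +79,7 @@` and `@@ -141,6 +142,7 @@` in pipelines-unlock.yml.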
diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index dcb43c9..9037f35 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -125,6 +125,7 @@ jobs: ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} - name: Pipelines Orchestrate id: orchestrate diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 4aeaad5..5248b93 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -60,6 +60,14 @@ jobs: FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} api_base_url: ${{ inputs.api_base_url }} + - name: Fetch Create PR Token + id: pipelines-propose-infra-change-token + uses: gruntwork-io/pipelines-credentials@main + with: + PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} + FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + api_base_url: ${{ inputs.api_base_url }} + - name: Checkout Pipelines Actions id: checkout_actions uses: actions/checkout@v4 @@ -97,6 +105,7 @@ jobs: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} - name: Pipelines Orchestrate id: orchestrate From 09f6e3020ab44daaf60bd72f1cd427ce114bb6a8 Mon Sep 17 00:00:00 2001 
From: Lewis Christie Date: Fri, 20 Sep 2024 11:24:22 -0600 Subject: [PATCH 08/25] Fix tokens not used --- .github/workflows/pipelines-root.yml | 13 +++++++++---- .github/workflows/pipelines.yml | 3 ++- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 9037f35..c51fbb2 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -133,6 +133,7 @@ jobs: with: PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} @@ -187,6 +188,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context @@ -222,7 +224,7 @@ jobs: with: PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[ProvisionAccount]: Post Provision New Account Custom Action" 
@@ -239,7 +241,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - GH_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + GH_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} path: ${{ steps.provision_new_account.outputs.baseline_path }} new_branch_name: ${{ steps.provision_new_account.outputs.new_branch_name }} commit_message: ${{ steps.provision_new_account.outputs.commit_message }} @@ -265,6 +267,7 @@ jobs: with: PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[Baseline]: Post Baseline Core Account Action" @@ -369,13 +372,14 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Update comment uses: ./pipelines-actions/.github/actions/pipelines-status-update @@ -491,13 +495,14 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_VERSION }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} + token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}] - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context 
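Review bot: The replacement `token:` line in the last pipelines-root.yml hunk (`@@ -491,13 +495,14 @@`) ends with a stray `]` after the closing `}}`. YAML accepts the bracket as part of the plain scalar, so the checkout of `gruntwork-io/pipelines-actions` receives the token with `]` appended and will most likely fail to authenticate. The line should read `token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}`, matching the same change in the `@@ -369,13 +372,14 @@` hunk, which has no bracket.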
diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 5248b93..6133e85 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -105,7 +105,7 @@ jobs: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} - name: Pipelines Orchestrate id: orchestrate @@ -113,6 +113,7 @@ jobs: with: PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} From fb8d0f64d680121f457566625a79c276e56df513 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 11:42:48 -0600 Subject: [PATCH 09/25] Fix tokens not used --- .github/workflows/pipelines-unlock.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 6d3c3e7..7dbeda8 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -79,6 +79,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context @@ -141,6 +142,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context 
From d2d00efb221c0442b7b4e5dd186672dbae7b1978 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 11:55:46 -0600 Subject: [PATCH 10/25] Fix tokens not used --- .github/workflows/pipelines-unlock.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 7dbeda8..2657bd4 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -291,6 +291,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context From 828ab0d9cba83a95bea011f370f45f499476d77b Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 12:34:42 -0600 Subject: [PATCH 11/25] Fix tokens not used --- .github/workflows/pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 6133e85..41fd1dd 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -98,6 +98,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Preflight Checks uses: ./pipelines-actions/.github/actions/pipelines-preflight-action From 5fb87cacc3259bea2d54230983ae2994ba0f30d3 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 20 Sep 2024 12:39:19 -0600 Subject: [PATCH 12/25] Fix tokens not used --- .github/workflows/pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 41fd1dd..06b5713 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -169,6 +169,7 @@ jobs: with: path: infra-live-repo fetch-depth: 0 + token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - name: Bootstrap Workflow id: gruntwork_context 
From 6e554d662899dbf30a42a771c2859334ca4720f0 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 27 Sep 2024 14:32:20 -0600 Subject: [PATCH 13/25] pipelines-credentials@v1 --- .../workflows/pipelines-drift-detection.yml | 14 +++++----- .github/workflows/pipelines-root.yml | 26 +++++++++---------- .github/workflows/pipelines-unlock.yml | 12 ++++----- .github/workflows/pipelines.yml | 12 ++++----- 4 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 735ccb2..579df51 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -47,7 +47,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -56,7 +56,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -94,7 +94,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -102,7 +102,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
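Review bot: `gruntwork-io/pipelines-credentials@v1` is still a movable reference: a tag can be re-pointed, and this action receives `FALLBACK_TOKEN` and returns the tokens that every later step uses. Pinning it to a full commit SHA, with the tag kept as a trailing comment, keeps the code that handles these credentials fixed between reviews, e.g. `uses: gruntwork-io/pipelines-credentials@<full-commit-sha> # v1` (placeholder; the SHA is not on this page). This applies to every `uses:` line changed in this patch across the four workflow files. Each step's `with:` block continues outside the hunks.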
@@ -140,7 +140,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -148,7 +148,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -156,7 +156,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index c51fbb2..ec412fd 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -63,7 +63,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -71,7 +71,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -79,7 +79,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} @@ -153,7 +153,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -161,7 +161,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -169,7 +169,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -344,7 +344,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -352,7 +352,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -360,7 +360,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -467,7 +467,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -475,7 +475,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -483,7 +483,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 2657bd4..08fccea 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml 
@@ -52,7 +52,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -60,7 +60,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -115,7 +115,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -123,7 +123,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -264,7 +264,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -272,7 +272,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 06b5713..65dac2d 100644 
--- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -46,7 +46,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -54,7 +54,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -62,7 +62,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} @@ -134,7 +134,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -142,7 +142,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -150,7 +150,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@main + uses: gruntwork-io/pipelines-credentials@v1 with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} 
From ef6bf9df229f6ce40419b69e83244c890f5b0f10 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 1 Oct 2024 14:52:31 -0600 Subject: [PATCH 14/25] Pipelines v0.29.0-rc15 --- .github/workflows/pipelines-drift-detection.yml | 2 +- .github/workflows/pipelines-root.yml | 2 +- .github/workflows/pipelines-unlock.yml | 2 +- .github/workflows/pipelines.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 579df51..6571639 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -33,7 +33,7 @@ on: PR_CREATE_TOKEN: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_CLI_VERSION: v0.29.0-rc15 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index ec412fd..5a57f47 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -34,7 +34,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_CLI_VERSION: v0.29.0-rc15 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 08fccea..42165b4 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -41,7 +41,7 @@ on: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_CLI_VERSION: v0.29.0-rc15 PIPELINES_ACTIONS_VERSION: v3-rc1 jobs: diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 65dac2d..9f5a73e 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml 
@@ -32,7 +32,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc5 + PIPELINES_CLI_VERSION: v0.29.0-rc15 PIPELINES_ACTIONS_VERSION: v3-rc1 # GitHub Actions tends to hit resource exhaustion and kill running jobs From 4a471796f8ed4ff2179b4f65b1b630bf5a9b3226 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 1 Oct 2024 15:55:12 -0600 Subject: [PATCH 15/25] Add path filter --- .github/workflows/pipelines-drift-detection.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 6571639..460100f 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -18,6 +18,9 @@ on: # - A simple github runner: "\"ubuntu-22.04\"" # - A list of labels: "[\"self-hosted\", \"linux\"]" # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}" + path: + type: string + default: "" runner: type: string default: '"ubuntu-latest"' @@ -80,6 +83,8 @@ jobs: - name: Determine Units id: determine-units uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-determine-units + with: + PATH_FILTER: ${{ inputs.path }} pipelines_drift_detection: runs-on: ${{ fromJSON(inputs.runner) }} From 852fad6a27853893cc8d56052fa0d747a38f17b0 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Wed, 2 Oct 2024 09:15:26 -0600 Subject: [PATCH 16/25] Add path to PR title --- .github/workflows/pipelines-drift-detection.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 460100f..e4efbf2 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml 
@@ -186,6 +186,7 @@ jobs: id: consolidate-jobs uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs with: + PATH: ${{ inputs.path }} PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} BRANCH_NAME: ${{ inputs.branch-name }} From 95f055dba25d641faab2d3a902ac2f8bd5ae3680 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Wed, 2 Oct 2024 09:20:33 -0600 Subject: [PATCH 17/25] Dont use PATH as an env var --- .github/workflows/pipelines-drift-detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index e4efbf2..2a6d867 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -186,7 +186,7 @@ jobs: id: consolidate-jobs uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs with: - PATH: ${{ inputs.path }} + PATH_FILTER: ${{ inputs.path }} PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} BRANCH_NAME: ${{ inputs.branch-name }} From 854afe661f59b32e18e808c7710de5e6666818c6 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Thu, 3 Oct 2024 13:40:18 -0600 Subject: [PATCH 18/25] Pipelines v0.29.0-rc16 --- .github/workflows/pipelines-drift-detection.yml | 2 +- .github/workflows/pipelines-root.yml | 2 +- .github/workflows/pipelines-unlock.yml | 2 +- .github/workflows/pipelines.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 2a6d867..4ab756d 100644 --- a/.github/workflows/pipelines-drift-detection.yml 
+++ b/.github/workflows/pipelines-drift-detection.yml @@ -36,7 +36,7 @@ on: PR_CREATE_TOKEN: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc15 + PIPELINES_CLI_VERSION: v0.29.0-rc16 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 5a57f47..4a7471c 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -34,7 +34,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc15 + PIPELINES_CLI_VERSION: v0.29.0-rc16 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 42165b4..381c97f 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -41,7 +41,7 @@ on: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.29.0-rc15 + PIPELINES_CLI_VERSION: v0.29.0-rc16 PIPELINES_ACTIONS_VERSION: v3-rc1 jobs: diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 9f5a73e..64a5e95 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -32,7 +32,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc15 + PIPELINES_CLI_VERSION: v0.29.0-rc16 PIPELINES_ACTIONS_VERSION: v3-rc1 # GitHub Actions tends to hit resource exhaustion and kill running jobs From 41c0d021bb3f5bcffc213d86d310c25d2d105860 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Fri, 4 Oct 2024 12:25:53 -0600 Subject: [PATCH 19/25] Pipelines v0.29.0-rc17 --- .github/workflows/pipelines-drift-detection.yml | 2 +- .github/workflows/pipelines-root.yml | 2 +- .github/workflows/pipelines-unlock.yml | 2 +- .github/workflows/pipelines.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 4ab756d..1fdf122 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -36,7 +36,7 @@ on: PR_CREATE_TOKEN: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc16 + PIPELINES_CLI_VERSION: v0.29.0-rc17 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 4a7471c..0da40fe 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -34,7 +34,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc16 + PIPELINES_CLI_VERSION: v0.29.0-rc17 PIPELINES_ACTIONS_VERSION: v3-rc1 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 381c97f..991a8fa 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -41,7 +41,7 @@ on: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.29.0-rc16 + PIPELINES_CLI_VERSION: v0.29.0-rc17 PIPELINES_ACTIONS_VERSION: v3-rc1 jobs: diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 64a5e95..b18012d 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -32,7 +32,7 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc16 + PIPELINES_CLI_VERSION: v0.29.0-rc17 PIPELINES_ACTIONS_VERSION: v3-rc1 # GitHub Actions tends to hit resource exhaustion and kill running jobs From 02f971ef3b4fd19d005acc0c217abe5cb2604ea0 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Mon, 7 Oct 2024 12:34:38 -0600 Subject: [PATCH 20/25] Set max-parallel to 18 --- .github/workflows/pipelines-drift-detection.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 1fdf122..702f43d 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -91,6 +91,7 @@ jobs: needs: determine_units strategy: fail-fast: false + max-parallel: 18 matrix: unit: ${{ fromJSON(needs.determine_units.outputs.units) }} env: @@ -140,6 +141,7 @@ jobs: STEP_NAME: "Execute Drift Detection" consolidate_jobs: + name: Consolidate Jobs runs-on: ${{ fromJSON(inputs.runner) }} needs: pipelines_drift_detection steps: From 6f33bcfadf869cd5e2afdcb20de268d5a25d6460 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Mon, 7 Oct 2024 12:53:41 -0600 Subject: [PATCH 21/25] Fix matrix should not try to run if no units are detected --- .github/workflows/pipelines-drift-detection.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 702f43d..20f75a0 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -87,6 +87,7 @@ jobs: PATH_FILTER: ${{ inputs.path }} pipelines_drift_detection: + if: ${{ needs.determine_units.outputs.units[0] != null }} runs-on: ${{ fromJSON(inputs.runner) }} needs: determine_units strategy: From 234c1dfacb1f658295a13eab0d84fe8a4f69e012 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Mon, 7 Oct 2024 13:02:21 -0600 Subject: [PATCH 22/25] Adjust skip logic for empty units --- .github/workflows/pipelines-drift-detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 20f75a0..313d1a4 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml 
@@ -87,7 +87,7 @@ jobs: PATH_FILTER: ${{ inputs.path }} pipelines_drift_detection: - if: ${{ needs.determine_units.outputs.units[0] != null }} + if: ${{ needs.determine_units.outputs.units != null }} runs-on: ${{ fromJSON(inputs.runner) }} needs: determine_units strategy: From e3e9b4a98ba2d8d8fb60cd9160960da2a35e6fec Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Mon, 7 Oct 2024 13:04:02 -0600 Subject: [PATCH 23/25] Try fromJSON before null check --- .github/workflows/pipelines-drift-detection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 313d1a4..a7a3d46 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -87,7 +87,7 @@ jobs: PATH_FILTER: ${{ inputs.path }} pipelines_drift_detection: - if: ${{ needs.determine_units.outputs.units != null }} + if: ${{ fromJSON(needs.determine_units.outputs.units)[0] != null }} runs-on: ${{ fromJSON(inputs.runner) }} needs: determine_units strategy: From 3162570c35d41e292a31913c38f948f84762a78c Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 8 Oct 2024 09:50:03 -0600 Subject: [PATCH 24/25] Adjust versions --- .github/workflows/pipelines-drift-detection.yml | 4 ++-- .github/workflows/pipelines-root.yml | 4 ++-- .github/workflows/pipelines-unlock.yml | 4 ++-- .github/workflows/pipelines.yml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index a7a3d46..15d9473 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml 
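Review bot: The job-level `if` in the last `@@ -87,7 +87,7 @@` hunk on this line calls `fromJSON` on `needs.determine_units.outputs.units` without first checking that the output is non-empty. If the determine-units action ever leaves that output unset or empty (its code is not on this page), `fromJSON('')` fails expression evaluation and the job errors instead of being skipped, which is the case this commit is trying to handle. A guard such as `if: ${{ needs.determine_units.outputs.units != '' && fromJSON(needs.determine_units.outputs.units)[0] != null }}` covers both an empty string and an empty array. `consolidate_jobs` needs this job, so also confirm that it behaves as intended when this job is skipped.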
@@ -36,8 +36,8 @@ on: PR_CREATE_TOKEN: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc17 - PIPELINES_ACTIONS_VERSION: v3-rc1 + PIPELINES_CLI_VERSION: v0.29.0 + PIPELINES_ACTIONS_VERSION: v3.0.0 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 0da40fe..ecad409 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -34,8 +34,8 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc17 - PIPELINES_ACTIONS_VERSION: v3-rc1 + PIPELINES_CLI_VERSION: v0.29.0 + PIPELINES_ACTIONS_VERSION: v3.0.0 BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 991a8fa..98ec502 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -41,8 +41,8 @@ on: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.29.0-rc17 - PIPELINES_ACTIONS_VERSION: v3-rc1 + PIPELINES_CLI_VERSION: v0.29.0 + PIPELINES_ACTIONS_VERSION: v3.0.0 jobs: unlock_one: diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index b18012d..9e0c6d3 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -32,8 +32,8 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.29.0-rc17 - PIPELINES_ACTIONS_VERSION: v3-rc1 + PIPELINES_CLI_VERSION: v0.29.0 + PIPELINES_ACTIONS_VERSION: v3.0.0 # GitHub Actions tends to hit resource exhaustion and kill running jobs # if we leave parallelism unbounded, so we set the max to 10 for a sane default. From 5a3b72e10dcc8d17cca2d1f09dc511d1d106c1fb Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 8 Oct 2024 11:02:38 -0600 Subject: [PATCH 25/25] Fix runner documentation above wrong input --- .github/workflows/pipelines-drift-detection.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 15d9473..7174b34 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -18,12 +18,12 @@ on: # - A simple github runner: "\"ubuntu-22.04\"" # - A list of labels: "[\"self-hosted\", \"linux\"]" # - A map: "{group: \"ubuntu-runners\", labels: \"ubuntu-20.04-16core\"}" - path: - type: string - default: "" runner: type: string default: '"ubuntu-latest"' + path: + type: string + default: "" branch-name: type: string default: "drift-detection"