1- name : Test changes-only PR comment
1+ name : Test terraform-apply changes-only PR comment
22
33on :
44 - pull_request
55
6+ permissions :
7+ contents : read
8+
69jobs :
710 no_changes :
8- runs-on : ubuntu-latest
11+ runs-on : ubuntu-24.04
912 name : changes-only should not create a comment
13+ permissions :
14+ contents : read
15+ pull-requests : write
1016 env :
1117 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
1218 steps :
1319 - name : Checkout
1420 uses : actions/checkout@v4
21+ with :
22+ persist-credentials : false
1523
1624 - name : Plan without changes
1725 uses : ./terraform-plan
@@ -22,10 +30,10 @@ jobs:
2230 add_github_comment : changes-only
2331
2432 - name : Verify outputs
33+ env :
34+ CHANGES : ${{ steps.plan.outputs.changes }}
2535 run : |
26- echo "changes=${{ steps.plan.outputs.changes }}"
27-
28- if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then
36+ if [[ "$CHANGES" != "false" ]]; then
2937 echo "::error:: output changes not set correctly"
3038 exit 1
3139 fi
@@ -38,20 +46,27 @@ jobs:
3846 path : tests/workflows/test-changes-only
3947
4048 - name : Check failure-reason
49+ env :
50+ FAILURE_REASON : ${{ steps.apply.outputs.failure-reason }}
4151 run : |
42- if [[ "${{ steps.apply.outputs.failure-reason }} " != "" ]]; then
52+ if [[ "$FAILURE_REASON " != "" ]]; then
4353 echo "::error:: failure-reason not set correctly"
4454 exit 1
4555 fi
4656
4757 change_then_no_changes :
48- runs-on : ubuntu-latest
58+ runs-on : ubuntu-24.04
4959 name : changes-only should still replace a change comment
60+ permissions :
61+ contents : read
62+ pull-requests : write
5063 env :
5164 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
5265 steps :
5366 - name : Checkout
5467 uses : actions/checkout@v4
68+ with :
69+ persist-credentials : false
5570
5671 - name : Plan changes
5772 uses : ./terraform-plan
@@ -64,10 +79,10 @@ jobs:
6479 add_github_comment : changes-only
6580
6681 - name : Verify changes
82+ env :
83+ CHANGES : ${{ steps.changes-plan.outputs.changes }}
6784 run : |
68- echo "changes=${{ steps.changes-plan.outputs.changes }}"
69-
70- if [[ "${{ steps.changes-plan.outputs.changes }}" != "true" ]]; then
85+ if [[ "$CHANGES" != "true" ]]; then
7186 echo "::error:: output changes not set correctly"
7287 exit 1
7388 fi
@@ -83,10 +98,10 @@ jobs:
8398 add_github_comment : changes-only
8499
85100 - name : Verify no changes
101+ env :
102+ CHANGES : ${{ steps.plan.outputs.changes }}
86103 run : |
87- echo "changes=${{ steps.plan.outputs.changes }}"
88-
89- if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then
104+ if [[ "$CHANGES" != "false" ]]; then
90105 echo "::error:: output changes not set correctly"
91106 exit 1
92107 fi
@@ -101,20 +116,27 @@ jobs:
101116 cause-changes=false
102117
103118 - name : Check failure-reason
119+ env :
120+ FAILURE_REASON : ${{ steps.apply.outputs.failure-reason }}
104121 run : |
105- if [[ "${{ steps.apply.outputs.failure-reason }} " != "" ]]; then
122+ if [[ "$FAILURE_REASON " != "" ]]; then
106123 echo "::error:: failure-reason not set correctly"
107124 exit 1
108125 fi
109126
110127 no_changes_then_changes :
111- runs-on : ubuntu-latest
128+ runs-on : ubuntu-24.04
112129 name : Apply with changes should fail after a changes-only plan with no changes
130+ permissions :
131+ contents : read
132+ pull-requests : write
113133 env :
114134 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
115135 steps :
116136 - name : Checkout
117137 uses : actions/checkout@v4
138+ with :
139+ persist-credentials : false
118140
119141 - name : Plan no changes
120142 uses : ./terraform-plan
@@ -127,10 +149,10 @@ jobs:
127149 add_github_comment : changes-only
128150
129151 - name : Verify no changes
152+ env :
153+ CHANGES : ${{ steps.plan.outputs.changes }}
130154 run : |
131- echo "changes=${{ steps.plan.outputs.changes }}"
132-
133- if [[ "${{ steps.plan.outputs.changes }}" != "false" ]]; then
155+ if [[ "$CHANGES" != "false" ]]; then
134156 echo "::error:: output changes not set correctly"
135157 exit 1
136158 fi
@@ -146,25 +168,33 @@ jobs:
146168 cause-changes=true
147169
148170 - name : Check failed to apply
171+ env :
172+ OUTCOME : ${{ steps.apply.outcome }}
173+ FAILURE_REASON : ${{ steps.apply.outputs.failure-reason }}
149174 run : |
150- if [[ "${{ steps.apply.outcome }} " != "failure" ]]; then
175+ if [[ "$OUTCOME " != "failure" ]]; then
151176 echo "Apply did not fail correctly"
152177 exit 1
153178 fi
154179
155- if [[ "${{ steps.apply.outputs.failure-reason }} " != "plan-changed" ]]; then
180+ if [[ "$FAILURE_REASON " != "plan-changed" ]]; then
156181 echo "::error:: failure-reason not set correctly"
157182 exit 1
158183 fi
159184
160185 apply_when_plan_has_changed :
161- runs-on : ubuntu-latest
186+ runs-on : ubuntu-24.04
162187 name : Apply should fail if the approved plan has changed
188+ permissions :
189+ contents : read
190+ pull-requests : write
163191 env :
164192 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
165193 steps :
166194 - name : Checkout
167195 uses : actions/checkout@v4
196+ with :
197+ persist-credentials : false
168198
169199 - name : Plan Changes
170200 uses : ./terraform-plan
@@ -186,13 +216,16 @@ jobs:
186216 len=4
187217
188218 - name : Check failed to apply
219+ env :
220+ OUTCOME : ${{ steps.apply.outcome }}
221+ FAILURE_REASON : ${{ steps.apply.outputs.failure-reason }}
189222 run : |
190- if [[ "${{ steps.apply.outcome }} " != "failure" ]]; then
223+ if [[ "$OUTCOME " != "failure" ]]; then
191224 echo "Apply did not fail correctly"
192225 exit 1
193226 fi
194227
195- if [[ "${{ steps.apply.outputs.failure-reason }} " != "plan-changed" ]]; then
228+ if [[ "$FAILURE_REASON " != "plan-changed" ]]; then
196229 echo "::error:: failure-reason not set correctly"
197230 exit 1
198231 fi
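Review bot: Each job's Checkout step still references `actions/checkout@v4`, a mutable tag, while the rest of this commit hardens the workflow with job-scoped `permissions`, `persist-credentials: false` and env-var indirection for the `${{ }}` expressions; pinning the action to a full-length commit SHA closes the remaining supply-chain gap, e.g. `uses: actions/checkout@<full-commit-sha-of-v4>  # v4` (placeholder, take the SHA from the release). The rewritten `Verify …` steps drop the `echo "changes=…"` diagnostic entirely; it can be kept without reintroducing expression injection as `echo "changes=$CHANGES"`, since that now reads the env var rather than interpolating the expression into the script. The two `Check failed to apply` steps assert on `steps.apply.outcome`, which is only reached if the apply step itself carries `continue-on-error: true`; that step lies outside the hunks shown, so this cannot be confirmed here.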