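---
# Reusable workflow: decrypts the repository's blackbox-managed secrets,
# runs `tofu init` / `validate` / `plan`, and uploads the saved plan plus the
# plan exit code as an artifact.
#
# Inputs:  tofu-version (optional OpenTofu release, defaults to 1.7.1)
# Secrets: gpg-key (base64-encoded GPG key able to decrypt the blackbox files),
#          tf-api-token, ssh-private-key, ssh-known-hosts
name: tf-plan

on:
  workflow_call:
    inputs:
      tofu-version:
        required: false
        default: '1.7.1'
        type: string
    # workflow_call secrets accept only `description` and `required`;
    # the `type` key belongs to inputs, so it is dropped here.
    secrets:
      gpg-key:
        required: true
      tf-api-token:
        required: true
      ssh-private-key:
        required: true
      ssh-known-hosts:
        required: true

jobs:
  otf-plan:
    name: Tofu Plan
    runs-on: ubuntu-latest
    # Least privilege: no step below writes to the repository through
    # GITHUB_TOKEN, so read access to contents is enough for the checkout.
    permissions:
      contents: read
    steps:
      # This action receives the API token. A major-version tag is mutable;
      # pin it to a reviewed full commit SHA.
      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_version: ${{ inputs.tofu-version }}
          cli_config_credentials_token: ${{ secrets.tf-api-token }}

      - name: Clone repo
        uses: actions/checkout@v4
        with:
          # Later steps run third-party code in this workspace; do not leave
          # the job token in .git/config.
          persist-credentials: false

      # `master` is a moving ref, and the code fetched here is executed by
      # `make copy-install` and later handles the decrypted secrets.
      # Pin `ref` to a reviewed commit SHA.
      - name: Clone blackbox repo
        uses: actions/checkout@v4
        with:
          repository: xaked/blackbox
          path: blackbox
          ref: master
          persist-credentials: false

      - name: Install blackbox
        shell: bash
        run: |
          cd blackbox || exit 1
          make copy-install
          # Use the runner-provided variable instead of expanding an
          # expression inside the script text.
          cd "$GITHUB_WORKSPACE"
          rm -rf blackbox

      - name: Decrypt secrets
        shell: bash
        env:
          # Hand the secret to the shell through the environment. Expanding
          # `${{ secrets.* }}` inside `run:` writes the value into the
          # generated script file and lets the shell re-parse it unquoted.
          GPG_KEY: ${{ secrets.gpg-key }}
        run: |
          printf '%s' "$GPG_KEY" | base64 -d | gpg --import
          blackbox_decrypt_all_files

      # This action receives the SSH private key; a version tag can be moved
      # by the publisher, so pin it to a reviewed full commit SHA.
      - name: Setup SSH key
        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
        with:
          private-key: ${{ secrets.ssh-private-key }}
          private-key-name: id_ed25519
          known-hosts: ${{ secrets.ssh-known-hosts }}

      # NOTE(review): `cache-primary-key`, read by the final step, is
      # documented as an output of actions/cache/restore. Confirm that
      # actions/cache@v4 exposes it, otherwise the save step gets an empty key.
      # NOTE(review): .terraform can record backend configuration. Confirm it
      # holds no credentials before keeping it in a shared cache.
      - name: Restore tofu cache
        uses: actions/cache@v4
        id: cache-tofu-restore
        with:
          path: .terraform
          key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-otf

      - name: Run tofu init
        shell: bash
        run: tofu init

      - name: Run tofu validate
        shell: bash
        run: tofu validate

      # -detailed-exitcode: 0 = no changes, 1 = error, 2 = changes present.
      # continue-on-error keeps the job going so the exit code can be saved;
      # the error case is re-raised by "Check if job errored" below.
      - name: Run tofu plan
        id: tfplan
        shell: bash
        run: tofu plan -detailed-exitcode -out=tfplan.binary -input=false
        continue-on-error: true

      - name: Save exitcode to the artifacts
        shell: bash
        env:
          PLAN_EXITCODE: ${{ steps.tfplan.outputs.exitcode }}
        # Pass the value as data, not as the printf format string.
        run: printf '%s' "$PLAN_EXITCODE" > exitcode

      # A saved plan can contain sensitive values in clear text, and anyone
      # who can read this repository's workflow runs can download the
      # artifact. Restrict repository access accordingly and keep artifact
      # retention as short as the consuming job allows.
      - name: Upload artifacts
        uses: actions/upload-artifact@v5
        with:
          name: artifacts
          path: |
            tfplan.binary
            exitcode

      - name: Check if job errored
        shell: bash
        run: |
          if [ "$(cat exitcode)" = "1" ]; then
            exit 1
          fi

      - name: Save tofu cache
        uses: actions/cache/save@v4
        id: cache-tofu-save
        with:
          path: .terraform
          key: ${{ steps.cache-tofu-restore.outputs.cache-primary-key }}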