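# Reusable workflow (workflow_call): runs `terraform plan` against the calling
# repository and uploads the binary plan as an artifact when it contains changes.
#
# Exit-code contract of the plan step (terraform -detailed-exitcode):
#   0 = no changes, 1 = error, 2 = changes present.
# The `exitcode` output is provided by the hashicorp/setup-terraform wrapper
# (terraform_wrapper defaults to true); without the wrapper the output is empty
# and the conditional steps below are silently skipped.
name: tf-plan
on:
  workflow_call:
    secrets:
      # GPG private key used by the Blackbox decrypt step.
      gpg-key:
        required: true
      # Terraform Cloud / Enterprise API token, written to the CLI config.
      tf-api-token:
        required: true
      # SSH key (and pinned host keys) for git-over-SSH access, e.g. module sources.
      ssh-private-key:
        required: true
      ssh-known-hosts:
        required: true
jobs:
  tf-plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): this step runs BEFORE `actions/checkout`, yet references a
      # repo-local path and passes a step-level `secrets:` block. A local action
      # would normally be referenced as `./.gitea/...` and only after checkout,
      # and `secrets:` is a workflow-level key, not a step key — confirm the
      # Gitea runner actually accepts this, and that a later checkout (which
      # cleans the workspace) does not discard the decrypted files.
      - name: Blackbox decrypt
        uses: .gitea/workflows/sec-blackbox-decrypt.yml@main
        secrets:
          gpg-key: ${{ secrets.gpg-key }}
      - uses: hashicorp/setup-terraform@v2
        with:
          # Quoted so the version is never re-typed by a YAML parser.
          terraform_version: "1.5.7"
          cli_config_credentials_token: ${{ secrets.tf-api-token }}
      - name: Clone repo
        uses: actions/checkout@v4
      # Supply-chain caveat: this third-party action receives the raw SSH
      # private key. It is pinned to a mutable tag; pin to a commit SHA (and
      # review that revision) before trusting it with a long-lived credential.
      - name: Setup SSH key
        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
        with:
          private-key: ${{ secrets.ssh-private-key }}
          private-key-name: id_ed25519
          known-hosts: ${{ secrets.ssh-known-hosts }}
      # Restore-only: the combined `actions/cache` action does not expose
      # `cache-primary-key`, so the explicit save step below would have been
      # handed an empty key (and the combined action would also try to save
      # the same key again in its post-step). `cache/restore` + `cache/save`
      # is the matching pair.
      - name: Restore terraform cache
        uses: actions/cache/restore@v3
        id: cache-terraform-restore
        with:
          path: .terraform
          key: ${{ github.repository }}-${{ runner.os }}-${{ runner.arch }}-tf
      - name: Run terraform init
        shell: bash
        run: terraform init -input=false
      - name: Run terraform validate
        shell: bash
        run: terraform validate
      # continue-on-error is required because the setup-terraform wrapper
      # treats exit code 2 ("changes present") as a step failure; the real
      # error handling is done by the explicit exit-code checks that follow.
      - name: Run terraform plan
        id: tfplan
        shell: bash
        run: |
          terraform plan -detailed-exitcode -out=tfplan.binary -input=false
        continue-on-error: true
      # Fail the job on any exit code that is neither "no changes" (0) nor
      # "changes present" (2); the previous `== 1` check let other non-zero
      # exit codes (e.g. a killed process) pass silently.
      - name: Check if job errored
        if: ${{ steps.tfplan.outputs.exitcode != 0 && steps.tfplan.outputs.exitcode != 2 }}
        shell: sh
        run: exit 1
      # Security caveat: a saved plan file contains variable values and
      # resource attributes in plaintext, including anything marked sensitive.
      # Everyone who can read this workflow run can download the artifact;
      # restrict run visibility / artifact retention accordingly.
      - name: Upload terraform plan if diffs are detected
        if: ${{ steps.tfplan.outputs.exitcode == 2 }}
        uses: actions/upload-artifact@v3
        with:
          name: tfplan
          path: tfplan.binary
      - name: Save terraform cache
        uses: actions/cache/save@v3
        id: cache-terraform-save
        with:
          path: .terraform
          key: ${{ steps.cache-terraform-restore.outputs.cache-primary-key }}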