From c919e1eb1b4f5bfab0764aae27afc8ab0bd8ca9e Mon Sep 17 00:00:00 2001 From: Igor Rodionov Date: Tue, 3 Dec 2024 02:03:02 +0300 Subject: [PATCH] Add skip checkout input (#56) * Add skip checkout input * Update action.yml * Update atmos.yaml * Update test.yaml * Rebuild readme --- README.md | 112 ++++++++++++++++++++++++++++--- README.yaml | 109 +++++++++++++++++++++++++++--- action.yml | 9 ++- docs/github-action.md | 10 ++- tests/atmos.yaml | 16 ----- tests/stacks/orgs/test/test.yaml | 3 +- 6 files changed, 217 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index f2adc5f..486aa1f 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,21 @@ raw list of affected stacks as an output as well as a matrix that can be used fu ### Config +> [!IMPORTANT] +> **Please note!** This GitHub Action only works with `atmos >= 1.99.0`. +> If you are using `atmos >= 1.80.0, < 1.99.0` please use `v5` version of this action. +> If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` or `v4` version of this action. +> If you are using `atmos < 1.63.0` please use `v2` version of this action. + + The action expects the atmos configuration file `atmos.yaml` to be present in the repository. + +The action supports AWS and Azure to store Terraform plan files. +You can read more about plan storage in the [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage?tab=readme-ov-file#aws-default) documentation. +Depends of cloud provider the following fields should be set in the `atmos.yaml`: + +#### AWS + The config should have the following structure: ```yaml @@ -63,16 +77,63 @@ integrations: role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha role: plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops + # Set `apply` empty if you don't want to assume IAM role before terraform apply apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops matrix: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") ``` - + +#### Azure + +The config should have the following structure: + +```yaml +integrations: + github: + gitops: + opentofu-version: 1.7.3 + terraform-version: 1.5.2 + infracost-enabled: false + artifact-storage: + plan-repository-type: azureblob + blob-account-name: tfplans + blob-container-name: plans + metadata-repository-type: cosmos + cosmos-container-name: terraform-plan-storage + cosmos-database-name: terraform-plan-storage + cosmos-endpoint: "https://my-cosmo-account.documents.azure.com:443/" + # We remove the `role` section as it is AWS specific + matrix: + sort-by: .stack_slug + group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") +``` + +### Stack level configuration + > [!IMPORTANT] -> **Please note!** This GitHub Action only works with `atmos >= 1.80.0`. -> If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` version of this action. -> If you are using `atmos < 1.63.0` please use `v2` version of this action. +> Wherever it is possible to specify `integration.github.gitops` on stack level +> it is required to define default values in `atmos.yaml` + +It is possible to override integration settings on a stack level by defining `settings.integrations`. + +```yaml +components: + terraform: + foobar: + settings: + integrations: + github: + gitops: + artifact-storage: + bucket: cptest-plat-ue2-auto-gitops + table: cptest-plat-ue2-auto-gitops-plan-storage + role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-plat-ue2-auto-gitops-gha + role: + # Set `plan` empty if you don't want to assume IAM role before terraform plan + plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops +``` ### Support OpenTofu @@ -101,8 +162,8 @@ integrations: gitops: opentofu-version: 1.7.3 ... -``` - +``` + ### Workflow example ```yaml @@ -117,10 +178,10 @@ jobs: runs-on: ubuntu-latest steps: - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v3 + uses: cloudposse/github-action-atmos-affected-stacks@v6 with: atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 nested-matrices-count: 1 outputs: @@ -143,13 +204,41 @@ jobs: cancel-in-progress: false steps: - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v2 + uses: cloudposse/github-action-atmos-terraform-plan@v4 with: component: ${{ matrix.component }} stack: ${{ matrix.stack }} atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 ``` + +### Migrating from `v5` to `v6` + +The notable changes in `v6` are: + +- `v6` works only with `atmos >= 1.99.0` +- `v6` allow to skip internal checkout with `skip-checkout` input + + +The only required migration step is updating atmos version to `>= 1.80.0` + + +### Migrating from `v4` to `v5` + +The notable changes in `v5` are: + +- `v5` works only with `atmos >= 1.80.0` +- `v5` supports atmos templating + +The only required migration step is updating atmos version to `>= 1.80.0` + +### Migrating from `v3` to `v4` + +The notable changes in `v4` are: + +- `v4` perform aws authentication assuming `integrations.github.gitops.role.plan` IAM role + +No special migration steps required ### Migrating from `v2` to `v3` @@ -312,7 +401,7 @@ Which would produce the same behavior as in `v1`, doing this: | atmos-pro-token | The API token to allow Atmos Pro to upload affected stacks | | false | | atmos-pro-upload | Whether to upload affected stacks directly to Atmos Pro | false | false | | atmos-stack | The stack to operate on | | false | -| atmos-version | The version of atmos to install | >= 1.96.0 | false | +| atmos-version | The version of atmos to install | >= 1.99.0 | false | | base-ref | The base ref to checkout. If not provided, the head default branch is used. | N/A | false | | default-branch | The default branch to use for the base ref. | ${{ github.event.repository.default\_branch }} | false | | head-ref | The head ref to checkout. If not provided, the head default branch is used. | ${{ github.sha }} | false | @@ -321,6 +410,7 @@ Which would produce the same behavior as in `v1`, doing this: | jq-force | Whether to force the installation of jq | true | false | | jq-version | The version of jq to install if install-jq is true | 1.7 | false | | nested-matrices-count | Number of nested matrices that should be returned as the output (from 1 to 3) | 2 | false | +| skip-checkout | Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions | false | false | ## Outputs diff --git a/README.yaml b/README.yaml index 7f72aff..8b73258 100644 --- a/README.yaml +++ b/README.yaml @@ -46,7 +46,21 @@ usage: |- ### Config + > [!IMPORTANT] + > **Please note!** This GitHub Action only works with `atmos >= 1.99.0`. + > If you are using `atmos >= 1.80.0, < 1.99.0` please use `v5` version of this action. + > If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` or `v4` version of this action. + > If you are using `atmos < 1.63.0` please use `v2` version of this action. + + The action expects the atmos configuration file `atmos.yaml` to be present in the repository. + + The action supports AWS and Azure to store Terraform plan files. + You can read more about plan storage in the [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage?tab=readme-ov-file#aws-default) documentation. + Depends of cloud provider the following fields should be set in the `atmos.yaml`: + + #### AWS + The config should have the following structure: ```yaml @@ -63,16 +77,63 @@ usage: |- role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha role: plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops + # Set `apply` empty if you don't want to assume IAM role before terraform apply apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops matrix: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") ``` - + + #### Azure + + The config should have the following structure: + + ```yaml + integrations: + github: + gitops: + opentofu-version: 1.7.3 + terraform-version: 1.5.2 + infracost-enabled: false + artifact-storage: + plan-repository-type: azureblob + blob-account-name: tfplans + blob-container-name: plans + metadata-repository-type: cosmos + cosmos-container-name: terraform-plan-storage + cosmos-database-name: terraform-plan-storage + cosmos-endpoint: "https://my-cosmo-account.documents.azure.com:443/" + # We remove the `role` section as it is AWS specific + matrix: + sort-by: .stack_slug + group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") + ``` + + ### Stack level configuration + > [!IMPORTANT] - > **Please note!** This GitHub Action only works with `atmos >= 1.80.0`. - > If you are using `atmos >= 1.63.0, < 1.80.0` please use `v3` version of this action. - > If you are using `atmos < 1.63.0` please use `v2` version of this action. + > Wherever it is possible to specify `integration.github.gitops` on stack level + > it is required to define default values in `atmos.yaml` + + It is possible to override integration settings on a stack level by defining `settings.integrations`. + + ```yaml + components: + terraform: + foobar: + settings: + integrations: + github: + gitops: + artifact-storage: + bucket: cptest-plat-ue2-auto-gitops + table: cptest-plat-ue2-auto-gitops-plan-storage + role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-plat-ue2-auto-gitops-gha + role: + # Set `plan` empty if you don't want to assume IAM role before terraform plan + plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-plat-gbl-identity-gitops + ``` ### Support OpenTofu @@ -101,8 +162,8 @@ usage: |- gitops: opentofu-version: 1.7.3 ... - ``` - + ``` + ### Workflow example ```yaml @@ -117,10 +178,10 @@ usage: |- runs-on: ubuntu-latest steps: - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v3 + uses: cloudposse/github-action-atmos-affected-stacks@v6 with: atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 nested-matrices-count: 1 outputs: @@ -143,13 +204,41 @@ usage: |- cancel-in-progress: false steps: - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v2 + uses: cloudposse/github-action-atmos-terraform-plan@v4 with: component: ${{ matrix.component }} stack: ${{ matrix.stack }} atmos-config-path: ./rootfs/usr/local/etc/atmos/ - atmos-version: 1.63.0 + atmos-version: 1.99.0 ``` + + ### Migrating from `v5` to `v6` + + The notable changes in `v6` are: + + - `v6` works only with `atmos >= 1.99.0` + - `v6` allow to skip internal checkout with `skip-checkout` input + + + The only required migration step is updating atmos version to `>= 1.80.0` + + + ### Migrating from `v4` to `v5` + + The notable changes in `v5` are: + + - `v5` works only with `atmos >= 1.80.0` + - `v5` supports atmos templating + + The only required migration step is updating atmos version to `>= 1.80.0` + + ### Migrating from `v3` to `v4` + + The notable changes in `v4` are: + + - `v4` perform aws authentication assuming `integrations.github.gitops.role.plan` IAM role + + No special migration steps required ### Migrating from `v2` to `v3` diff --git a/action.yml b/action.yml index 83ba0b4..f752357 100644 --- a/action.yml +++ b/action.yml @@ -9,6 +9,10 @@ inputs: description: The head ref to checkout. If not provided, the head default branch is used. required: false default: ${{ github.sha }} + skip-checkout: + description: "Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions" + required: false + default: 'false' default-branch: description: The default branch to use for the base ref. required: false @@ -23,7 +27,7 @@ inputs: atmos-version: description: The version of atmos to install required: false - default: ">= 1.96.0" + default: ">= 1.99.0" atmos-config-path: description: The path to the atmos.yaml file required: true @@ -92,6 +96,7 @@ runs: node-version: 20 - uses: actions/checkout@v4 + if: ${{ inputs.skip-checkout != 'true' }} with: ref: ${{ inputs.head-ref }} @@ -159,7 +164,7 @@ runs: steps.config.outputs.aws-region != 'null' && steps.config.outputs.terraform-plan-role != '' && steps.config.outputs.terraform-plan-role != 'null' }} - uses: aws-actions/configure-aws-credentials@v4.0.2 + uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ steps.config.outputs.aws-region }} role-to-assume: ${{ steps.config.outputs.terraform-plan-role }} diff --git a/docs/github-action.md b/docs/github-action.md index 0ffa9cb..b61f2b3 100644 --- a/docs/github-action.md +++ b/docs/github-action.md @@ -6,16 +6,22 @@ |------|-------------|---------|----------| | atmos-config-path | The path to the atmos.yaml file | N/A | true | | atmos-include-dependents | Whether to include dependents of affected stacks in the output | false | false | +| atmos-include-settings | Include the `settings` section for each affected component | false | false | | atmos-include-spacelift-admin-stacks | Whether to include the Spacelift admin stacks of affected stacks in the output | false | false | -| atmos-version | The version of atmos to install | >= 1.63.0 | false | +| atmos-pro-base-url | The base URL of Atmos Pro | https://app.cloudposse.com | false | +| atmos-pro-token | The API token to allow Atmos Pro to upload affected stacks | | false | +| atmos-pro-upload | Whether to upload affected stacks directly to Atmos Pro | false | false | +| atmos-stack | The stack to operate on | | false | +| atmos-version | The version of atmos to install | >= 1.99.0 | false | | base-ref | The base ref to checkout. If not provided, the head default branch is used. | N/A | false | | default-branch | The default branch to use for the base ref. | ${{ github.event.repository.default\_branch }} | false | | head-ref | The head ref to checkout. If not provided, the head default branch is used. | ${{ github.sha }} | false | | install-atmos | Whether to install atmos | true | false | | install-jq | Whether to install jq | false | false | | jq-force | Whether to force the installation of jq | true | false | -| jq-version | The version of jq to install if install-jq is true | 1.6 | false | +| jq-version | The version of jq to install if install-jq is true | 1.7 | false | | nested-matrices-count | Number of nested matrices that should be returned as the output (from 1 to 3) | 2 | false | +| skip-checkout | Disable actions/checkout for head-ref. Useful for when the checkout happens in a previous step and file are modified outside of git through other actions | false | false | ## Outputs diff --git a/tests/atmos.yaml b/tests/atmos.yaml index 2e0f99a..4904507 100644 --- a/tests/atmos.yaml +++ b/tests/atmos.yaml @@ -263,20 +263,4 @@ integrations: sort-by: .stack_slug group-by: .stack_slug | split("-") | [.[0], .[2]] | join("-") -# Validation schemas (for validating atmos stacks and components) -schemas: - # https://json-schema.org - jsonschema: - # Can also be set using 'ATMOS_SCHEMAS_JSONSCHEMA_BASE_PATH' ENV var, or '--schemas-jsonschema-dir' command-line arguments - # Supports both absolute and relative paths - base_path: "stacks/schemas/jsonschema" - # https://www.openpolicyagent.org - opa: - # Can also be set using 'ATMOS_SCHEMAS_OPA_BASE_PATH' ENV var, or '--schemas-opa-dir' command-line arguments - # Supports both absolute and relative paths - base_path: "stacks/schemas/opa" - # https://cuelang.org - cue: - # Can also be set using 'ATMOS_SCHEMAS_CUE_BASE_PATH' ENV var, or '--schemas-cue-dir' command-line arguments - # Supports both absolute and relative paths base_path: "stacks/schemas/cue" diff --git a/tests/stacks/orgs/test/test.yaml b/tests/stacks/orgs/test/test.yaml index 9d4c1f4..ddb6404 100644 --- a/tests/stacks/orgs/test/test.yaml +++ b/tests/stacks/orgs/test/test.yaml @@ -7,4 +7,5 @@ vars: components: terraform: test: - seed: 1 + vars: + seed: 1