fix: grant apply serviceAccountTokenCreator #74
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Push workflow | |
| on: [push] | |
| env: | |
| tofu_version: 1.8.2 | |
| tg_version: 0.67.10 | |
| working_dir: .infra/gcp-gha-gcp-opentofu | |
| jobs: | |
| check-hcl: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Check terragrunt HCL | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| tofu_version: ${{ env.tofu_version }} | |
| tg_version: ${{ env.tg_version }} | |
| tg_dir: . | |
| tg_command: 'hclfmt --terragrunt-check --terragrunt-diff' | |
| check-tf: | |
| runs-on: ubuntu-24.04 | |
| container: | |
| image: ghcr.io/opentofu/opentofu:1.8.2 | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - name: Check OpenTofu .TF | |
| run: tofu fmt -diff -check | |
| plan: | |
| runs-on: ubuntu-24.04 | |
| needs: [ check-hcl, check-tf ] | |
| permissions: | |
| id-token: 'write' # Needed for the google-github-actions/auth step | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - id: auth | |
| name: GCP auth | |
| uses: google-github-actions/[email protected] | |
| with: | |
| export_environment_variables: false | |
| create_credentials_file: false | |
| token_format: access_token | |
| workload_identity_provider: projects/918666231212/locations/global/workloadIdentityPools/github-actions/providers/github-actions | |
| service_account: [email protected] | |
| - name: Terragrunt plan | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| tofu_version: ${{ env.tofu_version }} | |
| tg_version: ${{ env.tg_version }} | |
| tg_dir: ${{ env.working_dir }} | |
| tg_command: plan | |
| env: | |
| GOOGLE_OAUTH_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }} | |
| apply: | |
| runs-on: ubuntu-24.04 | |
| if: github.ref == 'refs/heads/main' | |
| needs: [ plan ] | |
| permissions: | |
| id-token: 'write' # Needed for the google-github-actions/auth step | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| - id: auth | |
| name: GCP auth | |
| uses: google-github-actions/[email protected] | |
| with: | |
| export_environment_variables: false | |
| create_credentials_file: false | |
| token_format: access_token | |
| workload_identity_provider: projects/918666231212/locations/global/workloadIdentityPools/github-actions/providers/github-actions | |
| service_account: [email protected] | |
| - name: Apply | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| tofu_version: ${{ env.tofu_version }} | |
| tg_version: ${{ env.tg_version }} | |
| tg_dir: ${{ env.working_dir }} | |
| tg_command: 'apply' |