feat: image attachments — model, API, GCS service, tests, Terraform #46
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform | |
| on: | |
| pull_request: | |
| paths: | |
| - "terraform/**" | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "terraform/**" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| env: | |
| GCP_PROJECT_ID: bible-research-489314 | |
| TF_VAR_region: europe-west3 | |
| WIF_PROVIDER: projects/670506724494/locations/global/workloadIdentityPools/github-actions/providers/github | |
| DEPLOY_SA: github-deployer@bible-research-489314.iam.gserviceaccount.com | |
| # One Terraform job at a time so parallel runs do not fight over the GCS state lock. | |
| concurrency: | |
| group: terraform-${{ github.repository }} | |
| cancel-in-progress: false | |
| jobs: | |
| terraform: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: terraform | |
| shell: bash | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| workload_identity_provider: ${{ env.WIF_PROVIDER }} | |
| service_account: ${{ env.DEPLOY_SA }} | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_wrapper: false | |
| - name: Terraform fmt | |
| run: terraform fmt -check -recursive | |
| - name: Terraform init | |
| run: terraform init -input=false | |
| - name: Terraform validate | |
| run: terraform validate | |
| - name: Terraform plan (manual) | |
| if: github.event_name == 'workflow_dispatch' | |
| run: terraform plan -input=false -no-color -lock-timeout=15m | |
| - name: Terraform plan (PR) | |
| id: tfplan | |
| if: github.event_name == 'pull_request' | |
| # ``-refresh=false`` lets the PR plan succeed when the CI | |
| # service account lacks the IAM read permissions needed to | |
| # refresh pre-existing resources (specifically: | |
| # iam.serviceAccounts.getIamPolicy on the appspot SA and | |
| # iam.workloadIdentityPools.get on the github-actions pool, | |
| # granted only by IAM bindings that some PRs themselves | |
| # add). The diff is computed against the GCS-locked state | |
| # file, which is still the source of truth since Terraform | |
| # is the only writer. ``terraform apply`` on main still | |
| # refreshes normally so real drift is caught at deploy time. | |
| run: | | |
| set -o pipefail | |
| terraform plan -input=false -no-color -lock-timeout=15m -refresh=false 2>&1 | tee plan.txt | |
| - name: Comment plan on PR | |
| if: github.event_name == 'pull_request' && success() | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const plan = fs.readFileSync('terraform/plan.txt', 'utf8').slice(0, 60000); | |
| await github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: '## Terraform plan\n\n```\n' + plan + '\n```', | |
| }); | |
| - name: Terraform apply (main) | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| run: terraform apply -auto-approve -input=false -lock-timeout=15m |