chore: update Terraform to 1.11.4 #1543
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: dogfood | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "dogfood/**" | |
| - ".github/workflows/dogfood.yaml" | |
| - "flake.lock" | |
| - "flake.nix" | |
| pull_request: | |
| paths: | |
| - "dogfood/**" | |
| - ".github/workflows/dogfood.yaml" | |
| - "flake.lock" | |
| - "flake.nix" | |
| workflow_dispatch: | |
| permissions: | |
| # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage) | |
| id-token: write | |
| jobs: | |
| build_image: | |
| if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs | |
| runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Nix | |
| uses: nixbuild/nix-quick-install-action@5bb6a3b3abe66fd09bbf250dce8ada94f856a703 # v30 | |
| - uses: nix-community/cache-nix-action@c448f065ba14308da81de769632ca67a3ce67cf5 # v6.1.2 | |
| with: | |
| # restore and save a cache using this key | |
| primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }} | |
| # if there's no cache hit, restore a cache by this prefix | |
| restore-prefixes-first-match: nix-${{ runner.os }}- | |
| # collect garbage until Nix store size (in bytes) is at most this number | |
| # before trying to save a new cache | |
| # 1G = 1073741824 | |
| gc-max-store-size-linux: 5G | |
| # do purge caches | |
| purge: true | |
| # purge all versions of the cache | |
| purge-prefixes: nix-${{ runner.os }}- | |
| # created more than this number of seconds ago relative to the start of the `Post Restore` phase | |
| purge-created: 0 | |
| # except the version with the `primary-key`, if it exists | |
| purge-primary-key: never | |
| - name: Get branch name | |
| id: branch-name | |
| uses: tj-actions/branch-names@f44339b51f74753b57583fbbd124e18a81170ab1 # v8.1.0 | |
| - name: "Branch name to Docker tag name" | |
| id: docker-tag-name | |
| run: | | |
| tag=${{ steps.branch-name.outputs.current_branch }} | |
| # Replace / with --, e.g. user/feature => user--feature. | |
| tag=${tag//\//--} | |
| echo "tag=${tag}" >> $GITHUB_OUTPUT | |
| - name: Set up Depot CLI | |
| uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 | |
| - name: Login to DockerHub | |
| if: github.ref == 'refs/heads/main' | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
| - name: Build and push Non-Nix image | |
| uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 | |
| with: | |
| project: b4q6ltmpzh | |
| token: ${{ secrets.DEPOT_TOKEN }} | |
| buildx-fallback: true | |
| context: "{{defaultContext}}:dogfood/coder" | |
| pull: true | |
| save: true | |
| push: ${{ github.ref == 'refs/heads/main' }} | |
| tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest" | |
| - name: Build Nix image | |
| run: nix build .#dev_image | |
| - name: Push Nix image | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| docker load -i result | |
| CURRENT_SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem') | |
| docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }} | |
| docker image push codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }} | |
| docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:latest | |
| docker image push codercom/oss-dogfood-nix:latest | |
| deploy_template: | |
| needs: build_image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup Terraform | |
| uses: ./.github/actions/setup-tf | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8 | |
| with: | |
| workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github | |
| service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com | |
| - name: Terraform init and validate | |
| run: | | |
| pushd dogfood/ | |
| terraform init | |
| terraform validate | |
| popd | |
| pushd dogfood/coder | |
| terraform init | |
| terraform validate | |
| popd | |
| pushd dogfood/coder-envbuilder | |
| terraform init | |
| terraform validate | |
| popd | |
| - name: Get short commit SHA | |
| if: github.ref == 'refs/heads/main' | |
| id: vars | |
| run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| - name: Get latest commit title | |
| if: github.ref == 'refs/heads/main' | |
| id: message | |
| run: echo "pr_title=$(git log --format=%s -n 1 ${{ github.sha }})" >> $GITHUB_OUTPUT | |
| - name: "Push template" | |
| if: github.ref == 'refs/heads/main' | |
| run: | | |
| cd dogfood | |
| terraform apply -auto-approve | |
| env: | |
| # Consumed by coderd provider | |
| CODER_URL: https://dev.coder.com | |
| CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }} | |
| # Template source & details | |
| TF_VAR_CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }} | |
| TF_VAR_CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }} | |
| TF_VAR_CODER_TEMPLATE_DIR: ./coder | |
| TF_VAR_CODER_TEMPLATE_MESSAGE: ${{ steps.message.outputs.pr_title }} | |
| TF_LOG: info |