
Update suzuki-shunsuke/tfaction action to v0.7.3 (.github/workflows) #121

Open: wants to merge 1 commit into main
Conversation

renovate[bot] (Contributor) commented Oct 18, 2023

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| suzuki-shunsuke/tfaction | action | minor | v0.6.9 -> v0.7.3 |

Release Notes

suzuki-shunsuke/tfaction (suzuki-shunsuke/tfaction)

v0.7.3

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v0.7.2...v0.7.3 | Base revision

Overview
  • Features
    • #902 #1272 Support disabling updates of related pull requests per pull request via a pull request label
    • #223 #1275 Support merging jobs for tfmigrate and terraform

Features

Support disabling updates of related pull requests per pull request via a pull request label

#902 #1272

https://suzuki-shunsuke.github.io/tfaction/docs/feature/auto-update-related-prs

tfaction updates related pull requests when the remote state is updated.
From this release, you can exclude specific pull requests by adding the pull request label tfaction:disable-auto-update.

Support merging jobs for tfmigrate and terraform

#223 #1275

New actions plan and apply were added.
You can replace actions terraform-plan and tfmigrate-plan with plan, and can replace terraform-apply and tfmigrate-apply with apply.
You can merge jobs for tfmigrate with jobs for terraform.
You can simplify workflows.

This pull request keeps compatibility with existing workflows.

How to merge jobs
  1. Fix outputs of setup job
  2. Remove jobs for tfmigrate
  3. (Optional) Rename jobs terraform-plan and terraform-apply to plan and apply
  4. Fix TFACTION_JOB_TYPE
  5. Replace actions terraform-plan and terraform-apply with plan and apply

Please see the example too.

1. Fix outputs of setup job

Before

    outputs:
      tfmigrate_targets: ${{ steps.list-targets.outputs.tfmigrate_targets }}
      terraform_targets: ${{ steps.list-targets.outputs.terraform_targets }}

    matrix:
      target: ${{fromJSON(needs.setup.outputs.terraform_targets)}}

    if: "join(fromJSON(needs.setup.outputs.terraform_targets), '') != ''"

After

    outputs:
      targets: ${{ steps.list-targets.outputs.targets }}

    matrix:
      target: ${{fromJSON(needs.setup.outputs.targets)}}

    if: "join(fromJSON(needs.setup.outputs.targets), '') != ''"

4. Fix TFACTION_JOB_TYPE

Before

    TFACTION_JOB_TYPE: terraform

After

    TFACTION_JOB_TYPE: ${{matrix.target.job_type}}

5. Replace actions terraform-plan and terraform-apply with plan and apply

You don't need to change inputs.

Before

    - uses: suzuki-shunsuke/tfaction/terraform-plan@v0.7.3
    - uses: suzuki-shunsuke/tfaction/terraform-apply@v0.7.3

After

    - uses: suzuki-shunsuke/tfaction/plan@v0.7.3
    - uses: suzuki-shunsuke/tfaction/apply@v0.7.3
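The five steps above, assembled into one merged-job workflow skeleton as an added example (it is not code from the tfaction project or from this PR). The `outputs`, `matrix`, `if` and `TFACTION_JOB_TYPE` lines are the ones quoted in the steps; the `list-targets` and `setup` action names, the `TFACTION_TARGET` variable, the checkout step and the trigger are assumptions.

```yaml
# Workflow name "test" matches the plan_workflow_name example in the v0.7.0 notes.
name: test
on:
  pull_request: {}   # assumption: the plan side runs on pull requests

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      # Step 1: a single "targets" output replaces the separate
      # tfmigrate_targets / terraform_targets outputs.
      targets: ${{ steps.list-targets.outputs.targets }}
    steps:
      - uses: actions/checkout@v4
      # assumption: the step id and action that produce the targets list
      - id: list-targets
        uses: suzuki-shunsuke/tfaction/list-targets@v0.7.3

  # Steps 2 and 3: the tfmigrate-plan job is removed and terraform-plan is
  # renamed to plan; tfmigrate and terraform targets share this one job.
  plan:
    needs: setup
    # Skip the job when the target list is empty.
    if: "join(fromJSON(needs.setup.outputs.targets), '') != ''"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        target: ${{ fromJSON(needs.setup.outputs.targets) }}
    env:
      TFACTION_TARGET: ${{ matrix.target.target }}       # assumption
      # Step 4: the job type now comes from each matrix entry instead of a
      # hard-coded "terraform" or "tfmigrate".
      TFACTION_JOB_TYPE: ${{ matrix.target.job_type }}
    steps:
      - uses: actions/checkout@v4
      - uses: suzuki-shunsuke/tfaction/setup@v0.7.3       # assumption
      # Step 5: one "plan" action serves both job types; inputs are unchanged.
      - uses: suzuki-shunsuke/tfaction/plan@v0.7.3
```

The apply side follows the same pattern with `suzuki-shunsuke/tfaction/apply@v0.7.3` in place of `terraform-apply` and `tfmigrate-apply`.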

v0.7.2

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v0.7.1...v0.7.2 | Base revision

Bug Fixes

#1242 #1246 test, test-module: Fix a bug where the test succeeded even if tflint, trivy, or tfsec failed

The root cause was a bug in reviewdog.

v0.7.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v0.7.0...v0.7.1 | Base revision

Features

#1233 setup: Support pull_request_target

tfaction works with the pull_request_target event.

v0.7.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v0.6.9...v0.7.0 | Base revision

💡 This release includes significant security improvements, so we strongly recommend upgrading to v0.7.0 or later as soon as possible.

Overview
  • Breaking Changes
    • #1175 The setting plan_workflow_name is required in tfaction-root.yaml
    • #1175 terraform-apply action's github_token input, which is the GitHub Actions token ${{github.token}} by default, requires the additional permission actions: read
  • Features
    • #1175 Change the storage of plan files from S3 or GCS to GitHub Actions Artifacts
    • #1174 Validate that the pull request workflow run's commit hash is the same as the hash of the pull request HEAD

⚠️ Breaking Changes

#1175 The setting plan_workflow_name is required in tfaction-root.yaml.

    plan_workflow_name: <GitHub Actions Workflow name running terraform-plan action>

e.g.

    plan_workflow_name: test

#1175 terraform-apply action's github_token input, which is the GitHub Actions token ${{github.token}} by default, requires the additional permission actions: read.

How to upgrade
  1. Create a pull request to upgrade tfaction
    • Update tfaction
    • Add the setting plan_workflow_name to tfaction-root.yaml
    • Remove unnecessary settings s3_bucket_name_plan_file and gcs_bucket_name_plan_file from tfaction-root.yaml and tfaction.yaml
    • Add the permission actions: read to terraform-apply action's github_token input, which is the GitHub Actions token ${{github.token}} by default
      • If you use a GitHub App or personal access token, please add the permission actions:read to the token or App
      • 📝 The permission is necessary to download plan files from GitHub Actions Artifacts before running terraform apply: ref
  2. Verify the upgrade with a working directory in the upgrade pull request
  3. If CI works well, merge the pull request
  4. Update all pull request branches to create plan files at GitHub Actions Artifacts

This is an example script to update pull request branches.

    #!/usr/bin/env bash

    set -euo pipefail

    # List up to 100 open pull requests and update each branch from its base.
    # {owner} and {repo} are filled in by gh from the current repository.
    # "|| :" keeps going when a PR cannot be updated (e.g. merge conflicts).
    while read -r pr_number; do
      echo "===> Update PR $pr_number" >&2
      gh api -X PUT "repos/{owner}/{repo}/pulls/${pr_number}/update-branch" || :
    done < <(gh pr list --json number -L 100 -q ".[].number")

If you merge a pull request without updating the pull request branch, apply will fail because the plan file is not found in GitHub Actions Artifacts. In that case, please merge a follow-up pull request, and the issue will be solved.

  5. Remove unnecessary resources such as S3 or GCS buckets for plan files and permissions to access plan files

Features

#1175 Change the storage of plan files from S3 or GCS to GitHub Actions Artifacts
#1174 Validate that the pull request workflow run's commit hash is the same as the hash of the pull request HEAD

Change the storage of plan files from S3 or GCS to GitHub Actions' Artifacts

#1175

tfaction previously stored plan files in S3 or GCS, but tfaction v0.7.0 migrates them to GitHub Actions Artifacts.
With this change you don't have to create and manage S3 or GCS buckets.
Furthermore, S3 or GCS carried the security risk that plan files could be tampered with.
Files can be uploaded to GitHub Actions Artifacts only from the associated workflow run and can't be tampered with from outside of the workflow run.

GitHub Actions Artifacts have a retention period, so plan files are removed after the retention period expires.
The default retention period is 90 days, and we think it is enough.

Validate pull request workflow run's commit hash if it is same with the hash of the pull request HEAD

If the workflow run's commit hash is old, the workflow run fails.
Retrying an old workflow run is confusing because the old run's results are posted to the pull request as if they were the latest result.
This validation prevents old workflow runs from being retried and resolves the issue.

Thank you for your support ❤️

We really appreciate your support.
We couldn't release v0.7.0 without your support.

We called for testers for this release, then many people helped us!

They conducted tests with the prerelease version. Thank you a lot!

@kyontan
@ponkio-o
@rrreeeyyy

And thank you everyone who reposted my post!


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 2 times, most recently from fe084e9 to f06357f on October 21, 2023 06:52
renovate bot changed the title from "Update suzuki-shunsuke/tfaction action to v0.7.0 (.github/workflows)" to "Update suzuki-shunsuke/tfaction action to v0.7.2 (.github/workflows)" on Oct 22, 2023
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 4 times, most recently from 7828bdf to e494092 on October 28, 2023 19:56
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 4 times, most recently from 2cd0a62 to e8a347c on November 6, 2023 12:21
renovate bot changed the title from "Update suzuki-shunsuke/tfaction action to v0.7.2 (.github/workflows)" to "Update suzuki-shunsuke/tfaction action to v0.7.3 (.github/workflows)" on Nov 7, 2023
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 5 times, most recently from 788bfdd to a75de3e on November 13, 2023 18:29
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 7 times, most recently from 4e3080a to 5280fcc on November 18, 2023 16:56
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 5 times, most recently from 5f54512 to f228889 on November 27, 2023 22:23
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 4 times, most recently from 2d6d193 to 030fc33 on December 20, 2023 03:43
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch from 030fc33 to 68f0fa1 on December 27, 2023 15:25
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 3 times, most recently from f0ba327 to 9755611 on January 11, 2024 18:43
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 2 times, most recently from 7381b1c to e69b948 on January 22, 2024 17:04
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 6 times, most recently from e0cf675 to 1594eb1 on February 1, 2024 09:33
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 2 times, most recently from d97cf82 to c726082 on February 8, 2024 22:39
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 2 times, most recently from d8e0708 to 8dfa1ac on February 16, 2024 21:22
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 2 times, most recently from 8c23b08 to e53f025 on March 5, 2024 00:53
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 3 times, most recently from 891ac9f to 64415c6 on March 14, 2024 17:05
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch 3 times, most recently from 06bb777 to ee23c57 on March 20, 2024 23:40
renovate bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-0.x branch from ee23c57 to 8b320e6 on March 22, 2024 04:56