terraform_apply.yaml

name: "Terraform Apply"
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - hosting/terraform/grafana/*.tf
      - hosting/terraform/grafana/dashboards/*.json
jobs:
  apply:
    if: ${{github.repository == 'ymgyt/syndicationd'}}
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: read
      # For posting terraform output to PR
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: cachix/cachix-action@v15
        with:
          name: syndicationd
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: terraform init
        run: nix develop .#ci --accept-flake-config --command just tf grafana init
        env:
          TF_TOKEN_app_terraform_io: "${{secrets.TF_TOKEN_APP_TERRAFORM_IO}}"
      - name: terraform apply
        id: apply
        continue-on-error: true
        run: nix develop .#ci --accept-flake-config --command just tf grafana apply -no-color -auto-approve
        env:
          TF_TOKEN_app_terraform_io: "${{secrets.TF_TOKEN_APP_TERRAFORM_IO}}"
          TF_VAR_grafana_sa_token: "${{secrets.GRAFANA_SA_TOKEN}}"
      - name: Post apply output to github PR
        uses: actions/github-script@v7
        env:
          APPLY_RESULT: ${{steps.apply.outcome}}
          APPLY_STDOUT: ${{steps.apply.outputs.stdout}}
        with:
          script: |
            const { APPLY_RESULT, APPLY_STDOUT } = process.env

            const body = `terraform apply: ${APPLY_RESULT}
            <details>
            <summary>apply output</summary>
            \`\`\`\n
            ${APPLY_STDOUT}
            \`\`\`
            </details>`

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body,
            })