bitovi / github-actions-deploy-stackstorm

GitHub Action to deploy StackStorm to AWS (βeta)
https://github.com/marketplace/actions/deploy-single-vm-stackstorm-to-aws-ec2
MIT License

PR review flow integration: Terraform plan + Ansible dry-run #27

Open arm4b opened 1 year ago

arm4b commented 1 year ago

This is a good time and repository to show the PR flow with BitOps. https://github.com/bitovi/bitops/issues/325

When using this GH Action, on every PR the terraform should run plan, and ansible should run dry-run, showing the result as a GH Status check. Once the PR is approved and merged, run the actual terraform apply.

Bonus points if we could post the tf plan diff back to the PR as a comment.

See https://github.com/marketplace/actions/terraform-pr-commenter#screenshots as an example:

StackStorm is a complex beast and allowing users to run the proper PR review flow instead of "I'm feeling lucky" apply would prevent users from shooting themselves in the foot and encourage best practices.

mickmcgrath13 commented 1 year ago

I think this would need to go into the "caller" repo (or the deployment repo) not the github action itself because it's the caller repo that decides "when" this action is run (i.e. PR event vs commit to base branch, for example).

We should absolutely test it out in a deployment repo and provide the config/docs that someone would have to include, though

mickmcgrath13 commented 1 year ago

we could maybe provide the steps in the composite and then just conditionally run them based on "detecting" if it's a PR or not 🤔

PhillypHenning commented 1 year ago

I did some testing on this and I'm not sure if this is possible in the composite.

github-actions-deploy-stackstorm action.yaml

```yaml
    - if: ${{ github.event_name == 'pull_request' && github.event.action == 'opened' }}
      uses: robburger/terraform-pr-commenter@v1
      env:
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      with:
        commenter_type: plan
        commenter_input: ${{ format('{0}{1}', steps.deploy.outputs.stdout, steps.deploy.outputs.stderr) }}
        commenter_exitcode: ${{ steps.deploy.outputs.exitcode }}
```

Operations-Stackstorm .github/workflows/deploy-st2.yaml

```yaml
on:
  pull_request:
    types: [opened, reopened]
  push:
    branches: [ main ]
  workflow_dispatch: {}

permissions:
  contents: read
  pull-requests: write
```

Results from opening/reopening PR

```text
 Download action repository 'bitovi/github-actions-deploy-stackstorm@pr-commenter' (SHA:b64982f26ed9b003891c1a6c173a6a7a9e68efde)
Error: bitovi/github-actions-deploy-stackstorm/pr-commenter/action.yaml (Line: 135, Col: 23):
Error: bitovi/github-actions-deploy-stackstorm/pr-commenter/action.yaml (Line: 135, Col: 23): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
Error: GitHub.DistributedTask.ObjectTemplating.TemplateValidationException: The template is not valid. bitovi/github-actions-deploy-stackstorm/pr-commenter/action.yaml (Line: 135, Col: 23): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
   at GitHub.DistributedTask.ObjectTemplating.TemplateValidationErrors.Check()
   at GitHub.Runner.Worker.ActionManifestManager.ConvertRuns(IExecutionContext executionContext, TemplateContext templateContext, TemplateToken inputsToken, String fileRelativePath, MappingToken outputs)
   at GitHub.Runner.Worker.ActionManifestManager.Load(IExecutionContext executionContext, String manifestFile)
Error: Fail to load bitovi/github-actions-deploy-stackstorm/pr-commenter/action.yaml
```

Related doc / issue

From what I can tell, this is failing in the setup stage; for whatever reason, the GITHUB_TOKEN that should be generated automatically hasn't been, at least at the point of setup, which is causing the failure.

I can spend more time on this, but I'm approaching my 1.5 hour timebox, so I wanted to bring my results up to the class.

PhillypHenning commented 1 year ago

Code can be found in bitovi/github-actions-deploy-stackstorm@pr-commenter branch pr-commenter

mickmcgrath13 commented 1 year ago

we'd have to define an input for the composite action like:

```yaml
inputs:
  github_token:
    description: 'A github token to use for posting PR results'
    required: false
```

and then in the step, do:

```yaml
    - if: ${{ github.event_name == 'pull_request' && github.event.action == 'opened' }}
      uses: robburger/terraform-pr-commenter@v1
      env:
        GITHUB_TOKEN: "${{ inputs.github_token }}"
      with:
        commenter_type: plan
        commenter_input: ${{ format('{0}{1}', steps.deploy.outputs.stdout, steps.deploy.outputs.stderr) }}
        commenter_exitcode: ${{ steps.deploy.outputs.exitcode }}
```

(not sure if that indentation is correct).

Also, we should probably provide another input to allow people to turn off PR "plan" comments if they want to.

PhillypHenning commented 1 year ago

The other option would be creating a Secret for the github token.

The benefit would be;

The drawbacks being;

mickmcgrath13 commented 1 year ago

I think inputs should be implemented in the action repo and let the user determine where the token comes from when they call the action. Could be secrets. Could be a previous step in their pipeline. Could be the GitHub provided one.
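The two pieces the thread converges on, written out end to end as an added example (this is an editor's sketch, not the repository's real action.yaml or the Operations-Stackstorm workflow): the composite action takes the token as an input (`github_token`) plus an opt-out input (`post_plan_comment`), runs `terraform plan` on pull requests and `terraform apply` only on pushes to the base branch, posts the plan back to the PR, and fails the job afterwards so the status check goes red when the plan fails. The caller workflow is the only place where the `secrets` context is valid, so that is where `secrets.GITHUB_TOKEN` is read and scoped with a `permissions` block. The step ids, input names, `synchronize` trigger and the `hashicorp/setup-terraform` step are assumptions; the action's real AWS and StackStorm inputs are omitted, and an Ansible `--check` step would follow the same plan-on-PR pattern.

```yaml
# ---- action.yaml in the composite action repo (hypothetical sketch) ----
name: Deploy StackStorm (PR-review flow sketch)
inputs:
  github_token:
    description: 'Token used only to post the Terraform plan to the PR; the caller decides where it comes from'
    required: false
    default: ''
  post_plan_comment:
    description: 'Set to "false" to skip posting plan comments on PRs'
    required: false
    default: 'true'
runs:
  using: composite
  steps:
    - id: deploy
      shell: bash
      run: |
        set +e
        if [ "${{ github.event_name }}" = "pull_request" ]; then
          # Review flow: a read-only plan, nothing is applied from a PR
          terraform plan -no-color -input=false >stdout.log 2>stderr.log
        else
          # Merged to the base branch (or manual dispatch): the real apply
          terraform apply -no-color -input=false -auto-approve >stdout.log 2>stderr.log
        fi
        code=$?
        # Multi-line outputs need the heredoc form of GITHUB_OUTPUT
        {
          echo "exitcode=$code"
          echo "stdout<<TF_EOF"; cat stdout.log; echo "TF_EOF"
          echo "stderr<<TF_EOF"; cat stderr.log; echo "TF_EOF"
        } >> "$GITHUB_OUTPUT"
        # Do not exit non-zero here, so the comment step below still runs on a failed plan
    - id: comment-plan
      # `secrets` is unavailable inside a composite action; the token comes from inputs
      if: ${{ inputs.post_plan_comment == 'true' && github.event_name == 'pull_request' && inputs.github_token != '' }}
      uses: robburger/terraform-pr-commenter@v1
      env:
        GITHUB_TOKEN: ${{ inputs.github_token }}
      with:
        commenter_type: plan
        commenter_input: ${{ format('{0}{1}', steps.deploy.outputs.stdout, steps.deploy.outputs.stderr) }}
        commenter_exitcode: ${{ steps.deploy.outputs.exitcode }}
    - id: fail-on-error
      # Surface the plan/apply result as the job's status check only after the comment is posted
      if: ${{ steps.deploy.outputs.exitcode != '0' }}
      shell: bash
      run: exit 1

# ---- .github/workflows/deploy-st2.yaml in the deployment ("caller") repo ----
on:
  pull_request:
    types: [opened, reopened, synchronize]   # synchronize re-plans on every new push to the PR
  push:
    branches: [main]
  workflow_dispatch: {}

permissions:
  contents: read
  pull-requests: write   # the only write scope the plan comment needs

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: bitovi/github-actions-deploy-stackstorm@main   # hypothetical ref
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}   # `secrets` is valid here, in the workflow
          post_plan_comment: 'true'
```

Two caveats worth keeping in mind when wiring this up: the `permissions` block should stay as narrow as the commenter needs (`pull-requests: write`, nothing on `contents`), and on `pull_request` events triggered from a fork the automatic `GITHUB_TOKEN` is read-only, so the comment step will fail there; gating it on `inputs.github_token != ''` lets a caller simply not pass a token for fork PRs and still get the plan as a status check.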