GitHub action to comment on PRs with the stack diff.
The cdk-diff-action
handles performing the diff and commenting on the PR. In
order to do so it requires credentials to AWS and the synthesized CDK cloud
assembly (cdk.out). Below is a minimal example
name: diff
on:
pull_request:
branches:
- main
jobs:
Synth:
name: Synthesize
permissions:
contents: read
pull-requests: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: 20
- name: Install dependencies
run: yarn install --frozen-lockfile
- name: Synth
run: npx cdk synth
- name: Authenticate Via OIDC Role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-2
role-duration-seconds: 1800
role-skip-session-tagging: true
role-to-assume: arn:aws:iam::1234567891012:role/cdk_github_actions
role-session-name: github
- name: Diff
uses: corymhall/cdk-diff-action@v1
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
This action supports semver versioning.
For example, to get the latest v1.x.x
version.
uses: corymhall/cdk-diff-action@v1
Or to get the latest v1.1.x
version.
uses: corymhall/cdk-diff-action@v1.1
You can optionally allow certain resource types to be destroyed without failing the build.
jobs:
Synth:
steps:
- name: Diff
uses: corymhall/cdk-diff-action@v1
with:
allowedDestroyTypes: "AWS::ECS::TaskDefinition,AWS::CloudWatch::Dashboard"
githubToken: ${{ secrets.GITHUB_TOKEN }}
You can disable displaying the diff for certain stages by using noDiffForStages
jobs:
Synth:
steps:
- name: Diff
uses: corymhall/cdk-diff-action@v1
with:
noDiffForStages: "Stage1,Stage2"
githubToken: ${{ secrets.GITHUB_TOKEN }}
If you still want to show the diff for certain stages, but do not want destructive
changes to fail the build, you can use noFailOnDestructiveChanges
.
jobs:
Synth:
steps:
- name: Diff
uses: corymhall/cdk-diff-action@v1
with:
noFailOnDestructiveChanges: "Stage1,Stage2"
githubToken: ${{ secrets.GITHUB_TOKEN }}
If you want to show the diffs, but never want to fail the workflow (even if there are destructive changes) you can disable the workflow failure feature.
jobs:
Synth:
steps:
- name: Diff
uses: corymhall/cdk-diff-action@v1
with:
failOnDestructiveChanges: false
githubToken: ${{ secrets.GITHUB_TOKEN }}