diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0

Gracefully handle insufficient permissions for uploading plan to github #1091

Open vdmkenny opened 5 months ago

vdmkenny commented 5 months ago

Currently it segfaults:

...
 Saved the plan to:
/home/runner/work/terraform-environment/terraform-environment/production/company-terraform-environment#production.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/home/runner/work/terraform-environment/terraform-environment/production/company-terraform-environment#production.tfplan"
Running command: terraform [show -no-color -json /home/runner/work/terraform-environment/terraform-environment/production/company-terraform-environment#production.tfplan]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x1467bc1]

goroutine 1 [running]:
github.com/diggerhq/digger/cli/pkg/digger.run({_, _}, {{0xc000ebc5b0, 0xa}, {0xc000ebc5d0, 0xa}, {0x1ea9f8d, 0x7}, {0xc000eb88b8, 0x12}, ...}, ...)
    /home/runner/work/digger/digger/cli/pkg/digger/digger.go:270 +0xde1
github.com/diggerhq/digger/cli/pkg/digger.RunJobs({0xc000eb5380, 0x1, 0x0?}, {0x24d1e20, 0xc000eb69c0}, {0x24b2a80, 0xc000eb69c0}, {0x24c5090, 0xc00012a810}, {0x24bdf48, ...}, ...)
    /home/runner/work/digger/digger/cli/pkg/digger/digger.go:108 +0xa90
main.gitHubCI({0x24c5090, 0xc00012a810}, {0x24c4d60, 0x351d060}, {0x24c4d90, 0x351d060}, {0x24b29c0?, 0xc000a3c720})
    /home/runner/work/digger/digger/cli/cmd/digger/main.go:327 +0x233e
main.main()
    /home/runner/work/digger/digger/cli/cmd/digger/main.go:852 +0xa5c
Error: Process completed with exit code 2.

Using digger 0.13.18, TF 1.7.1. This happens when enabling plan-persistence in github action.

name: CI

on:
  pull_request:
    branches: ["main"]
    types: [closed, opened, synchronize, reopened]
  issue_comment:
    types: [created]
    if: contains(github.event.comment.body, 'digger')
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read
      pull-requests: write
      statuses: write

    steps:
      - name: digger run
        uses: diggerhq/digger@v0.3.18
        with:
          no-backend: true
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ap-south-1
          setup-terraform: true
          terraform-version: v1.7.1
+         upload-plan-destination: github
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

kieranbrown commented 5 months ago

Adding the actions: write permission fixes this; potentially read is enough, but I never got as far as testing that.

vdmkenny commented 5 months ago

@kieranbrown, you're right, this fixes the issue.

Might I suggest catching this error so it doesn't crash, and/or adding it to the documentation? This permission is not present in the current example or the plan-persistence documentation.
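The suggestion above (catch the failed upload instead of crashing) is illustrated by the following added example. It is not digger's code and does not use digger's real upload path; the `PlanUploader` interface, `fakeUploader`, `PermissionError` and the `uploadPlan*` functions are hypothetical names constructed for the example. It shows the crash pattern from the stack trace (an ignored error followed by a dereference of the nil result) next to a version that turns the permission failure into an actionable error message naming the missing `actions: write` permission.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// UploadResult is what a successful plan upload returns (hypothetical type).
type UploadResult struct {
	URL string
}

// PermissionError carries the HTTP status so callers can tell a token-scope
// problem apart from a network or server error (hypothetical type).
type PermissionError struct {
	Status int
}

func (e *PermissionError) Error() string {
	return fmt.Sprintf("github api returned status %d (insufficient token permissions?)", e.Status)
}

// PlanUploader abstracts the GitHub artifact upload so the example runs offline.
type PlanUploader interface {
	Upload(name string, data []byte) (*UploadResult, error)
}

// fakeUploader is a constructed stand-in for the GitHub artifacts client.
// A status of 403 or 404 simulates a GITHUB_TOKEN without the `actions` scope.
type fakeUploader struct {
	status int
}

func (f fakeUploader) Upload(name string, data []byte) (*UploadResult, error) {
	if f.status == http.StatusForbidden || f.status == http.StatusNotFound {
		// Mirrors the usual client contract: on failure the result is nil.
		return nil, &PermissionError{Status: f.status}
	}
	return &UploadResult{URL: "https://example.invalid/artifacts/" + name}, nil
}

// uploadPlanUnsafe reproduces the crash pattern: the error is discarded and the
// nil result is dereferenced, which is exactly what a SIGSEGV in Go looks like.
// The recover() only exists so the example can report the panic instead of dying.
func uploadPlanUnsafe(u PlanUploader, name string, data []byte) (url string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	res, _ := u.Upload(name, data) // error ignored
	return res.URL, false          // nil pointer dereference when the upload failed
}

// uploadPlanSafe checks the error first and maps a permission failure to a
// message that tells the user which workflow permission to add.
func uploadPlanSafe(u PlanUploader, name string, data []byte) (string, error) {
	res, err := u.Upload(name, data)
	var perr *PermissionError
	if errors.As(err, &perr) {
		return "", fmt.Errorf("uploading plan %q failed with HTTP %d; the workflow token likely lacks "+
			"`actions: write` under jobs.<job>.permissions: %w", name, perr.Status, err)
	}
	if err != nil {
		return "", fmt.Errorf("uploading plan %q: %w", name, err)
	}
	if res == nil {
		// Defensive: never trust that a nil error implies a non-nil result.
		return "", fmt.Errorf("uploading plan %q: uploader returned no result and no error", name)
	}
	return res.URL, nil
}

func main() {
	plan := []byte("constructed plan bytes")
	noScope := fakeUploader{status: http.StatusForbidden}

	_, panicked := uploadPlanUnsafe(noScope, "production.tfplan", plan)
	fmt.Println("unsafe version panicked:", panicked)

	if _, err := uploadPlanSafe(noScope, "production.tfplan", plan); err != nil {
		fmt.Println("safe version error:", err)
	}

	url, err := uploadPlanSafe(fakeUploader{status: http.StatusOK}, "production.tfplan", plan)
	fmt.Println("safe version ok:", url, err)
}
```

The safe variant also covers the case where a client returns a nil result together with a nil error, which is a common source of the same panic one layer further down.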

ZIJ commented 5 months ago

Docs updated in #1092; I will update the title of this issue to reflect what remains to be done.