Skip to content

add deploy token to stön #30

add deploy token to stön

add deploy token to stön #30

Workflow file for this run

name: Apply OpenTofu plan
on:
workflow_dispatch: # manual trigger
push:
branches:
- main
permissions:
contents: read
pull-requests: write
jobs:
apply:
runs-on: ubuntu-latest
name: Apply pre-prepared plan
env:
GITHUB_TOKEN: ${{ secrets.TF_GITHUB_TOKEN }}
NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
# to access state db
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# dflook/tofu-* actions run inside a debian:bullseye container,
# so we cannot use another action to prep the environment
TERRAFORM_PRE_RUN: |
# install nix
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init none
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
ln -s $(which nix) /bin/nix
# allow accessing host-owned repo files inside container
git config --global --add safe.directory '*'
steps:
- name: checkout
uses: actions/checkout@v4
- name: add ssh key
uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.TF_SSH_PRIVATE_KEY }}
- name: tofu apply
uses: dflook/[email protected]
with:
label: dsekt-infra
variables: |
ssh_user = "${{ vars.TF_SSH_USER }}"
hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"