PR setup for non-terraform files

[chris3ware]

Hi, I've used this action to deploy resources to multiple environments with a matrix and a merge queue (using the example as a starting point) and it works really well. 👍🏻

I'm using the paths filter on the PR so, if a PR does not have any tf file changes, the action does not run - this is the desired behaviour; not every PR is terraform related after all. But, when the PR is added to the merge queue, the apply workflow triggers, because it does not support the paths filter, and fails as expected because the plan does not exist. The merge queue reverts back to the PR.

This can be prevented by using admin permissions to merge - bypassing the rule set and the merge queue.

I wonder if there is a different solution, perhaps using different branches, and therefore rules? I'm trying to avoid having multiple long lived branches (but if that is the way - that is the way 😉 )

[rdhar]

Excellent question, and I was just wondering about the broader adoption of merge queues within provisioning pipelines!

As it happens, my current team is all-in on merge queues (hence the idea for sharing the merge_group and matrix examples) and the status check problem of non-TF pull requests was the first one to be tackled.

It might help to know a bit more about your use case and workflow structure to cater the solution. For example, my repo has an "envs" folder for each environment's IaC, next to a "docs" folder as shown below.

.
├── docs
└── envs
    ├── dev
    ├── prod
    └── qa

As a result, I want TF to run within each of the "envs" directory where changes is introduced—up to all 3 in parallel. So my first "Target" job is responsible for creating the matrix list for subsequent job ingestion.

    outputs:
      targets: ${{ steps.process.outputs.directories }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Check changed directories
        id: directories
        uses: tj-actions/changed-files@c3a1bb2c992d77180ae65be6ae6c166cf40f857c # v45.0.3
        with:
          dir_names: true
          dir_names_max_depth: 2
          files: envs/**
          matrix: true

The targets output gets passed into the second "Provision" job's matrix strategy. Note the if condition to skip this job if targets is empty. This is the crux to your question.

    if: ${{ needs.Target.outputs.targets != '[]' }}
    needs: [Target]

    strategy:
      fail-fast: false
      matrix:
        targets: ${{ fromJSON(needs.Target.outputs.targets) }}

Finally, I have the third "Notify" job which lets me know if any prior job(s) failed and produces the appropriate exit status.

    if: ${{ !cancelled() }}
    needs: [Target, Provision]

    steps:
      - name: Notify Slack
        if: ${{ github.event_name == 'merge_group' && contains(needs.*.result, 'failure') }}
        uses: gamesight/slack-workflow-status@68bf00d0dbdbcb206c278399aa1ef6c14f74347a # v1.3.0
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

      - name: Exit status
        run: exit ${{ contains(needs.*.result, 'failure') && 1 || 0 }}

Pros

• Avoids additional overhead on the user's part, shifting the load entirely on the workflow instead.
• Compatible with matrix strategy (in fact, designed for it!) and scalable for any change which may or may not be TF related.
• Not only does "Notify" let me know when/where it failed, but I can add it as a required status check to pass before merging.

Cons

• Every change triggers a minimum of 2 jobs in the workflow, therefore 2 minutes of runner usage.
  • Can be reduced to 1 "Target" job by short-circuiting out of the workflow if ${{ steps.process.outputs.directories }} is empty, but no longer able to have required status check on "Notify".

Keen to know how you get along (and if you have better suggestions!)

Aside, I just shared a post on Reddit, in case you'd like to ask/share with a broader audience.

[chris3ware]

Thanks for the great suggestion. I was using changed-files previously to define the matrix, but removed it in favour of using the environments. It's working great.