From bfdf1269b71348c0923c097f4a485c22ca0418f8 Mon Sep 17 00:00:00 2001
From: lens0021
Date: Sun, 1 Mar 2026 18:20:38 +0900
Subject: [PATCH 1/3] ci(tf): migrate to lens0021/repo-settings-as-code composite action

- Move .github/tf/ to .tf/
- Add variable.tf for github_actions variable
- Add vulnerability_alerts and security_and_analysis with variable conditional
- Replace inline tf.yaml logic with composite action

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/tf.yaml | 67 ++++---------------------
 {.github/tf => .tf}/.terraform.lock.hcl | 0
 {.github/tf => .tf}/main.tf | 0
 {.github/tf => .tf}/repository.tf | 26 +++++++---
 {.github/tf => .tf}/ruleset.tf | 0
 .tf/variable.tf | 4 ++
 6 files changed, 32 insertions(+), 65 deletions(-)
 rename {.github/tf => .tf}/.terraform.lock.hcl (100%)
 rename {.github/tf => .tf}/main.tf (100%)
 rename {.github/tf => .tf}/repository.tf (73%)
 rename {.github/tf => .tf}/ruleset.tf (100%)
 create mode 100644 .tf/variable.tf

diff --git a/.github/workflows/tf.yaml b/.github/workflows/tf.yaml
index 579536b..9a8e67b 100644
--- a/.github/workflows/tf.yaml
+++ b/.github/workflows/tf.yaml
@@ -3,78 +3,29 @@ name: Tofu on: pull_request: paths: - - ".github/tf/**" + - ".tf/**" + - .github/workflows/tf.yaml push: branches: - main paths: - - ".github/tf/**" + - ".tf/**" + - .github/workflows/tf.yaml + workflow_dispatch: permissions: {} -defaults: - run: - working-directory: .github/tf - jobs: plan: - if: github.event_name == 'pull_request' runs-on: ubuntu-latest permissions: - contents: read + contents: write + issues: write pull-requests: write steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 - - run: tofu init - - run: tofu plan -no-color - id: plan - - name: Comment plan - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - env: - PLAN_OUTPUT: ${{ steps.plan.outputs.stdout }} + - uses: lens0021/repo-settings-as-code@382f2d2dc79977772e993f66a1fd801bfc67e8c3 # v2.0.1 with: - script: | - const output = `#### OpenTofu Plan - \`\`\` - ${process.env.PLAN_OUTPUT} - \`\`\` - `; - const comments = await github.rest.issues.listComments({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - }); - const existing = comments.data.find(c => - c.user.type === 'Bot' && c.body.includes('#### OpenTofu Plan') - ); - if (existing) { - github.rest.issues.updateComment({ - comment_id: existing.id, - owner: context.repo.owner, - repo: context.repo.repo, - body: output, - }); - } else { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output, - }); - } - - apply: - if: github.event_name == 'push' - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - with: - persist-credentials: false - - uses: opentofu/setup-opentofu@9d84900f3238fab8cd84ce47d658d25dd008be2f # v1.0.8 - - run: tofu 
init - - run: tofu apply -auto-approve + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/tf/.terraform.lock.hcl b/.tf/.terraform.lock.hcl similarity index 100% rename from .github/tf/.terraform.lock.hcl rename to .tf/.terraform.lock.hcl diff --git a/.github/tf/main.tf b/.tf/main.tf similarity index 100% rename from .github/tf/main.tf rename to .tf/main.tf diff --git a/.github/tf/repository.tf b/.tf/repository.tf similarity index 73% rename from .github/tf/repository.tf rename to .tf/repository.tf index d053b47..ea66c5b 100644 --- a/.github/tf/repository.tf +++ b/.tf/repository.tf @@ -23,17 +23,29 @@ resource "github_repository" "this" { squash_merge_commit_title = "PR_TITLE" topics = ["amber"] visibility = "public" - vulnerability_alerts = true + vulnerability_alerts = var.github_actions ? null : true web_commit_signoff_required = false - security_and_analysis { - secret_scanning { - status = "enabled" - } - secret_scanning_push_protection { - status = "enabled" + dynamic "security_and_analysis" { + for_each = var.github_actions ? [] : [true] + content { + secret_scanning { + status = "enabled" + } + secret_scanning_push_protection { + status = "enabled" + } } } + + lifecycle { + ignore_changes = [ + # Cannot be imported + archive_on_destroy, + # Deprecated + ignore_vulnerability_alerts_during_read, + ] + } } # secrets.GITHUB_TOKEN does not have the permission for this: diff --git a/.github/tf/ruleset.tf b/.tf/ruleset.tf similarity index 100% rename from .github/tf/ruleset.tf rename to .tf/ruleset.tf diff --git a/.tf/variable.tf b/.tf/variable.tf new file mode 100644 index 0000000..ab3140b --- /dev/null +++ b/.tf/variable.tf @@ -0,0 +1,4 @@ +variable "github_actions" { + type = bool + default = false +} From 90f4768add5ad5ea36171045a70c291b5aee6137 Mon Sep 17 00:00:00 2001 From: lens0021 Date: Sun, 1 Mar 2026 18:22:54 +0900 Subject: [PATCH 2/3] bypass_actors --- .tf/ruleset.tf | 9 +++++++++ 1 file changed, 9 insertions(+) 
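Review bot: The `plan` job now requests `contents: write` and `issues: write` on every trigger, whereas the removed `if:` guards gave the pull_request path only `contents: read` and `pull-requests: write`; with the separate `apply` job deleted, the workflow can no longer hand `lens0021/repo-settings-as-code` a token scoped to the event, so a pull_request run and the newly added `workflow_dispatch` (startable from any branch) receive the same write-capable `GITHUB_TOKEN` as the main-branch apply. Whether the action applies on non-main refs is decided inside the composite action, which is not visible here, but the name `plan` no longer describes a job that presumably also applies on push. If the action exposes a way to select plan vs. apply, restore two event-guarded jobs so each gets the minimum permissions, as sketched below; otherwise at least guard the apply path with `if: github.ref == 'refs/heads/main'` so a manual dispatch on a feature branch cannot apply unreviewed settings.
```yaml
jobs:
  plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # … unchanged: checkout and repo-settings-as-code step …
  apply:
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
    steps:
      # … unchanged: same checkout and repo-settings-as-code step …
```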
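Review bot: When `var.github_actions` is true, `vulnerability_alerts` becomes `null` and the whole `security_and_analysis` block drops out of the configuration, so a CI run neither enforces nor reports drift on Dependabot alerts, secret scanning or push protection, and nothing on those lines records that this is deliberate or why. Add a comment above `vulnerability_alerts`, e.g. `# Not managed under GITHUB_TOKEN (no permission to change these); drift in these security settings is only corrected by a PAT-driven run`, mirroring the existing `# secrets.GITHUB_TOKEN does not have the permission for this:` note that follows the resource. Also confirm with a plan under `github_actions = true` that the provider treats `vulnerability_alerts = null` as "leave unmanaged" rather than as `false`; if it does not, the Actions run would try to turn Dependabot alerts off.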
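Review bot: `github_actions` in variable.tf has no `description`, so its meaning — presumably that the run uses the Actions `GITHUB_TOKEN`, which cannot manage the settings gated on it in repository.tf — is only recoverable by reading every conditional that references it. Add `description = "True when run with the Actions GITHUB_TOKEN; settings that token cannot manage (vulnerability_alerts, security_and_analysis) are left unmanaged in that mode."` so the security consequence of setting the flag is explicit at the declaration.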
diff --git a/.tf/ruleset.tf b/.tf/ruleset.tf index 364c57c..def9cf6 100644 --- a/.tf/ruleset.tf +++ b/.tf/ruleset.tf @@ -8,6 +8,15 @@ resource "github_repository_ruleset" "default" { target = "branch" enforcement = "active" + dynamic "bypass_actors" { + for_each = var.github_actions ? [] : [true] + content { + actor_id = 2 # maintain + actor_type = "RepositoryRole" + bypass_mode = "always" + } + } + conditions { ref_name { include = ["~DEFAULT_BRANCH", ] From d795a29db2203872856c29defd8613be6017f61a Mon Sep 17 00:00:00 2001 From: lens0021 Date: Sun, 1 Mar 2026 18:27:28 +0900 Subject: [PATCH 3/3] Allow update --- .tf/ruleset.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tf/ruleset.tf b/.tf/ruleset.tf index def9cf6..9bbe25c 100644 --- a/.tf/ruleset.tf +++ b/.tf/ruleset.tf @@ -29,7 +29,7 @@ resource "github_repository_ruleset" "default" { non_fast_forward = true required_linear_history = true required_signatures = false - update = true + update = false pull_request { dismiss_stale_reviews_on_push = false
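Review bot: `bypass_mode = "always"` lets any holder of the Maintain role update the default branch without satisfying any rule in this ruleset, which removes the protection the ruleset exists to provide (the `pull_request`, `non_fast_forward` and `required_linear_history` rules visible in the file). If the bypass is only needed so the PAT-driven apply can land changes, narrow it to `bypass_mode = "pull_request"` so bypass still routes through a pull request, or restrict the actor to the specific integration or team that runs the apply rather than a whole repository role. The block also carries no comment on why it exists; add one above `dynamic "bypass_actors"`, e.g. `# Maintainers may bypass; not managed under GITHUB_TOKEN`. Note that with `github_actions = true` the block is absent, so a CI-driven apply would likely try to remove the bypass actors and a PAT run re-add them — confirm with a plan under both values that the ruleset does not flap.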
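Review bot: Flipping `update` to `false` drops the "restrict updates" rule, so the `pull_request` block below becomes the only control keeping direct pushes off the default branch (apart from the bypass actors added in the previous patch), and the one-word subject "Allow update" does not say so. Record the reasoning inline, e.g. `update = false # merges must still pass the pull_request rule below; restricting updates would also block PR merges`, so a later reader does not re-enable it and lock out merges, or remove it believing it was an oversight.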