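---
# Syntax-checks every Ansible playbook under infra/ on pull requests; on
# pushes to main it additionally runs the changed playbooks, or all of them
# when the head commit message starts with "[deploy-all]".
name: Infrastructure

on:
  pull_request:
    branches:
      - main
    paths:
      - infra/**playbook.yaml
      - .github/workflows/infra.yaml
  push:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# the repository.
permissions:
  contents: read

# Serialise deploys: two pushes to main must not run playbooks against the
# same hosts at the same time. Queued runs are kept, not cancelled.
concurrency:
  group: infra-deploy
  cancel-in-progress: false

env:
  # 'all'  -> push to main whose head commit message starts with "[deploy-all]"
  # 'some' -> any other push to main (only playbooks changed by that push)
  # 'none' -> pull requests: syntax check only, never deploy
  DEPLOY: ${{ github.ref == 'refs/heads/main' && ((startsWith(github.event.head_commit.message, '[deploy-all]') && 'all') || ('some')) || 'none' }}
  # DEPLOY: all  # uncomment to force a full deploy

jobs:
  ansible-playbooks:
    name: Check and run Ansible playbooks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # TODO(security): pin to a full-length commit SHA rather than a
        # mutable tag so the action's code cannot be swapped underneath us.
        uses: actions/checkout@v3
        with:
          # Do not leave GITHUB_TOKEN in .git/config where later steps
          # (third-party action, pip, ansible) could read it.
          persist-credentials: false
          # NOTE(review): depth 2 only exposes the last commit's diff; for a
          # multi-commit push confirm changed-files still sees every playbook
          # (fetch-depth: 0 is the safe choice if it does not).
          fetch-depth: ${{ env.DEPLOY == 'some' && 2 || 1 }}

      - name: Install dependencies
        run: |
          # The runner user is not root on ubuntu-latest; apt needs sudo.
          sudo apt-get update
          sudo apt-get install -y python3-pip
          # TODO(security): pin versions and use --require-hashes in
          # requirements.txt so a hijacked PyPI release cannot reach the
          # deploy job.
          pip3 install -r requirements.txt
          # TODO(security): pin collection versions (name:==x.y.z) for the
          # same reason.
          ansible-galaxy collection install community.general infisical.vault

      - name: Check playbooks
        run: |
          # Syntax-check every playbook, whether or not it will be deployed.
          for file in $(find . -wholename "*/infra/*playbook.yaml" -type f); do
            ansible-playbook --inventory ./inventory --syntax-check "$file"
          done

      - name: Get changed playbooks
        id: files
        if: env.DEPLOY == 'some'
        # TODO(security): third-party action with access to the checkout and
        # the job environment; pin to a full-length commit SHA, not a tag.
        uses: tj-actions/changed-files@v38
        with:
          files: infra/**/*playbook.yaml

      - name: Get playbooks
        id: playbooks
        if: env.DEPLOY != 'none'
        env:
          # Pass step output through the environment instead of splicing
          # ${{ }} into the script: file names are then data, not shell code.
          CHANGED_FILES: ${{ steps.files.outputs.all_changed_files }}
        run: |
          if [[ "$DEPLOY" == "some" ]]; then
            TO_RUN="$CHANGED_FILES"
          else
            TO_RUN="$(find . -wholename './infra/*playbook.yaml' -type f)"
          fi
          # Sort so playbooks always run in a deterministic order.
          TO_RUN="$(echo -n "$TO_RUN" | tr ' ' '\n' | sort | tr '\n' ' ')"
          echo "will run playbooks: $TO_RUN"
          echo "to_run=$TO_RUN" >> "$GITHUB_OUTPUT"

      - name: Setup environment
        if: env.DEPLOY != 'none' && steps.playbooks.outputs.to_run != ''
        env:
          SSH_PRIVATE: ${{ secrets.SSH_PRIVATE }}
        # NOTE(review): no known_hosts is written here. Ansible's default
        # host-key checking needs one; populate ~/.ssh/known_hosts with the
        # pinned host keys rather than disabling the check.
        run: |
          mkdir -p -m 700 ~/.ssh
          # Read the key from the environment rather than interpolating the
          # secret into the script text; printf avoids echo's option parsing.
          printf '%s\n' "$SSH_PRIVATE" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

      - name: Run playbooks
        if: env.DEPLOY != 'none' && steps.playbooks.outputs.to_run != ''
        env:
          # Space-separated playbook list; read from the environment so the
          # paths are never spliced into the command text.
          TO_RUN: ${{ steps.playbooks.outputs.to_run }}
          PROXMOX_HOST: ${{ secrets.PROXMOX_HOST }}
          PROXMOX_USER: ${{ secrets.PROXMOX_USER }}
          PROXMOX_TOKEN_ID: ${{ secrets.PROXMOX_TOKEN_ID }}
          PROXMOX_TOKEN_SECRET: ${{ secrets.PROXMOX_TOKEN_SECRET }}
          SSH_PUBLIC: ${{ secrets.SSH_PUBLIC }}
          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
          UNIVERSAL_AUTH_MACHINE_IDENTITY_CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
          UNIVERSAL_AUTH_MACHINE_IDENTITY_CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
          INFISICAL_URL: https://secrets.koval.net
        # -vv prints task results; GitHub masks a secret only where it appears
        # verbatim, so do not raise verbosity further.
        # $TO_RUN is intentionally unquoted: one argument per playbook path.
        run: ansible-playbook --inventory ./inventory $TO_RUN -vv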