Manually trigger Github Actions workflow after another workflow successfully runs

I'm trying to create CI that does the following:

  1. Run terraform plan -out=plan.out to generate a Terraform plan.
  2. After looking at the Terraform plan output in Github actions, I can manually run another job or workflow that calls terraform apply plan.out with the previously generated plan.

I want to manually run this automation after the other automation has successfully run, dependent on the previous automation's success, using an artifact from the previous automation.

I've looked online for some examples of this but all the examples of this I can find just run terraform apply without actually allowing someone to verify the plan output.

Is this something that's possible to do in Github Actions?

This can be done using protected environments' required reviewers: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#required-reviewers

What you would do is set up an environment, e.g. production, and add yourself as a reviewer.

In your workflow, you would then add the environments like so:

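jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - run: terraform plan
  apply:
    needs: plan              # start only after the plan job has succeeded
    runs-on: ubuntu-latest
    environment: production  # job waits here for a required reviewer's approval
    steps:
      - run: terraform apply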

This means that as soon as the workflow reaches the job apply, it is going to stop and you'll need to manually click a button to approve.

My solution ended up being the following:

When the PR is approved and merged, a Terraform plan is created and pushed to an S3 bucket with the commit hash in the path. Then when the apply workflow is triggered via workflow dispatch it looks for a plan for the commit hash of the code it's running and applies it.

Using pull requests as suggested wasn't the right solution for me because of the following:

  1. How do you know that the plan that was run for the pull request was run with the latest changes on the base branch? The plan could be invalid in this case. The way I solved this was by having the plan workflow run on push of a specific branch that corresponds to the environment being Terraformed. This way the plan is always generated for the state the Terraform says the specific environment should be in.

  2. How do you know that an apply is applying the exact plan that was generated for the pull request? All the examples I saw actually ended up re-running the plan in the apply workflow, which breaks the intended use of Terraform plans. The way I solved this was by having the apply workflow look for a specific commit hash in cloud storage.
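
The commit-keyed hand-off described in the answer above, sketched as a script that both workflows could call. This is an added example, not part of the original post; the PLAN_BUCKET variable, the plans/<env>/<sha>/ key layout and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer): hand a Terraform plan from the
# plan workflow to the apply workflow, keyed by commit SHA.
# Assumptions: PLAN_BUCKET and the plans/<env>/<sha>/ key layout are hypothetical.
set -eu

# Build the object key. Only a full 40-hex commit SHA and a simple environment
# name are accepted, so the key cannot be steered to another object.
plan_key() {
  env_name=$1 sha=$2
  case "$env_name" in ''|*[!a-z0-9-]*) echo "bad environment" >&2; return 1 ;; esac
  case "$sha" in *[!0-9a-f]*) echo "bad commit sha" >&2; return 1 ;; esac
  [ "${#sha}" -eq 40 ] || { echo "bad commit sha" >&2; return 1; }
  printf 'plans/%s/%s/plan.out' "$env_name" "$sha"
}

# Commit the workflow is running on (GITHUB_SHA is set by GitHub Actions).
current_sha() { printf '%s' "${GITHUB_SHA:-$(git rev-parse HEAD)}"; }

# Plan workflow (on push to the environment branch).
publish_plan() {
  key=$(plan_key "$1" "$(current_sha)")
  terraform plan -out=plan.out
  sha256sum plan.out > plan.out.sha256
  aws s3 cp plan.out "s3://${PLAN_BUCKET:?}/$key"
  aws s3 cp plan.out.sha256 "s3://${PLAN_BUCKET:?}/$key.sha256"
}

# Apply workflow (workflow_dispatch): apply only the plan stored for this commit.
# A missing object makes `aws s3 cp` fail, and set -e stops before any apply.
apply_plan() {
  key=$(plan_key "$1" "$(current_sha)")
  aws s3 cp "s3://${PLAN_BUCKET:?}/$key" plan.out
  aws s3 cp "s3://${PLAN_BUCKET:?}/$key.sha256" plan.out.sha256
  # Catches a truncated or corrupted download; it does not protect against
  # someone who can write to the bucket, so restrict write access to CI.
  sha256sum -c plan.out.sha256
  terraform apply plan.out
}

case "${1:-}" in
  publish) publish_plan "${2:?environment name}" ;;
  apply)   apply_plan "${2:?environment name}" ;;
esac
```

Saved plan files can contain sensitive values in cleartext, so the bucket holding them should be private, encrypted, and writable only by the plan workflow's credentials.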
