Github Actions + GCP
In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.
Prerequisites
- A GitHub repository with valid terraform code. Here’s a demo repo for inspiration.
- A GCP Service Account Key json file. See Hashicorp’s GCP tutorial
- Digger token from cloud.digger.dev. You can also self-host Digger
Create Action Secrets
In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:
GCP_CREDENTIALS
- contents of your GCP Service Account Key json fileDIGGER_TOKEN
- your Digger token (cloud or self-hosted)
Create digger.yml
This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod
directory:
projects:
- name: production
dir: prod
Create Github Actions workflow file
Place it at .github/workflows/digger_workflow.yml
(name is important!)
name: Digger
on:
workflow_dispatch:
inputs:
id:
description: 'run identifier'
required: false
job:
required: true
comment_id:
required: true
jobs:
digger-job:
name: Digger
runs-on: ubuntu-latest
permissions:
contents: write # required to merge PRs
actions: write # required for plan persistence
id-token: write # required for workload-identity-federation
pull-requests: write # required to post PR comments
statuses: write # required to validate combined PR status
steps:
- uses: actions/checkout@v4
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
create_credentials_file: true
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v1'
- name: 'Use gcloud CLI'
run: 'gcloud info'
- name: digger run
uses: diggerhq/digger@latest
with:
setup-aws: false
disable-locking: true
digger-hostname: 'https://cloud.digger.dev'
digger-organisation: 'digger'
digger-token: ${{ secrets.DIGGER_TOKEN }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
This file defines a workflow with 5 steps:
- Checkout repository using Github’s official Checkout action
- Authenticate into GCP using Google’s official Auth action. Note the
create_credentials_file: true
option; without it, subsequent steps that rely Application Default Credentials will not work. - Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
- Verify that GCP is configured correctly by running
gcloud info
- Run Digger. Note that
DIGGER_TOKEN
needs to be set as a secret in Actions (either repository secret, or environment secret)
Create a PR to verify that it works
Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:
Terraform will perform the following actions:
# google_compute_instance.vm_instance will be created
+ resource "google_compute_instance" "vm_instance" {
+ can_ip_forward = false
+ cpu_platform = (known after apply)
+ current_status = (known after apply)
+ deletion_protection = false
+ guest_accelerator = (known after apply)
+ id = (known after apply)
... (further content omitted)
Then you can add a comment like digger apply
and shortly after apply output will be added as comment too.