Description
Feature Overview
Support for using a separate GitHub token for Terraform GitHub provider while using tfaction.
Currently, the github_token parameter passed to terraform-plan and terraform-apply actions is set as the GITHUB_TOKEN environment variable internally. This overwrites any GITHUB_TOKEN environment variable set at the workflow level, making it impossible to use a different token for the Terraform GitHub provider.
Why is the feature needed?
When managing GitHub resources with Terraform using tfaction, we often need to use different GitHub tokens for different purposes:
- tfaction operations (fetching workflows, updating PRs, etc.) - requires specific permissions like contents: write, actions: read, pull-requests: write, etc.
- Terraform GitHub provider (managing GitHub resources) - requires different permissions like administration: write, etc.
Using separate GitHub Apps for each purpose follows the principle of least privilege and better security practices.
Example Code
GitHub Actions

```yaml
- uses: suzuki-shunsuke/tfaction/[email protected]
  with:
    github_token: ${{ steps.tfaction_token.outputs.token }}
  env:
    GITHUB_TOKEN: ${{ steps.github_provider_token.outputs.token }} # Should not be overwritten
```
Note
Current implementation reference:
- tfaction/terraform-plan/action.yaml (line 60 in b06bafe) sets GITHUB_TOKEN: ${{ inputs.github_token }}
- tfaction/terraform-apply/action.yaml (line 46 in b06bafe) also sets GITHUB_TOKEN: ${{ inputs.github_token }}
Possible solutions:
- Use a different environment variable name for tfaction's internal use (e.g., TFACTION_GITHUB_TOKEN, similar to TFCMT_GITHUB_TOKEN in https://github.com/suzuki-shunsuke/tfcmt)
- Add a new input parameter like terraform_github_token that sets GITHUB_TOKEN for Terraform
- Only set GITHUB_TOKEN if it's not already set at the workflow level
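As an added example (not from the issue author or the tfaction project), here is the full job-level shape of the two-token, least-privilege setup the Example Code and the solutions above are asking for: two GitHub App installation tokens are minted with separate, narrowly scoped permissions, one is passed to tfaction through `github_token`, the other is exposed to the Terraform GitHub provider as `GITHUB_TOKEN`. The secret names, step ids, the action version placeholder and the `permission-*` inputs of actions/create-github-app-token (present in v2 of that action; verify against the version you pin) are assumptions for illustration.

```yaml
# Added example, not tfaction's own code. Assumed: secrets TFACTION_APP_ID,
# TFACTION_APP_PRIVATE_KEY, PROVIDER_APP_ID, PROVIDER_APP_PRIVATE_KEY exist,
# and actions/create-github-app-token@v2 accepts the permission-* inputs.
jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the default GITHUB_TOKEN only needs to check out
    steps:
      - uses: actions/checkout@v4

      # Token 1: only what tfaction itself needs (PR comments, workflow lookups).
      - id: tfaction_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.TFACTION_APP_ID }}
          private-key: ${{ secrets.TFACTION_APP_PRIVATE_KEY }}
          permission-contents: write
          permission-actions: read
          permission-pull-requests: write

      # Token 2: only what the Terraform GitHub provider needs. Kept on a
      # different App so a leak of token 1 cannot administer the organization.
      - id: github_provider_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.PROVIDER_APP_ID }}
          private-key: ${{ secrets.PROVIDER_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          permission-administration: write

      # VERSION_PLACEHOLDER stands for the pinned tfaction release.
      - uses: suzuki-shunsuke/tfaction/terraform-plan@VERSION_PLACEHOLDER
        with:
          github_token: ${{ steps.tfaction_token.outputs.token }}
        env:
          # Read by the Terraform GitHub provider; must survive the action.
          GITHUB_TOKEN: ${{ steps.github_provider_token.outputs.token }}
```

With the current implementation referenced in the Note, the composite action's own `env: GITHUB_TOKEN: ${{ inputs.github_token }}` still takes precedence inside terraform-plan and terraform-apply, so the provider would silently run with token 1 and fail on administration calls; the split only becomes effective once one of the listed solutions is adopted. Until then, a quick check is to run `terraform plan` with a deliberately under-scoped provider token and confirm whether the 403 you expect actually appears.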