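---
# IssueOps branch deployment for the status site. A deployment command left as
# a pull-request comment is validated by github/branch-deploy; only when that
# step sets `continue == 'true'` do the Terraform and SSH deploy steps run.
name: branch-deploy

on:
  issue_comment:
    types: [created]

# Permissions needed for reacting and adding comments for IssueOps commands
permissions:
  pull-requests: write
  deployments: write
  contents: write
  checks: read

jobs:
  deploy:
    environment: production-secrets
    if: ${{ github.event.issue.pull_request }} # only run on pull request comments
    runs-on: ubuntu-latest

    steps:
      # NOTE(review): the action ref on the next line was garbled by page
      # rendering ("[email protected]"); restore the real ref from the repository
      # and prefer a full commit SHA, as the azure/hashicorp/appleboy actions
      # below already do.
      - uses: github/[email protected]
        id: branch-deploy
        with:
          admins: the-hideout/core-contributors
          admins_pat: ${{ secrets.BRANCH_DEPLOY_ADMINS_PAT }}
          environment_targets: production
          environment_urls: production|https://status.tarkov.dev
          sticky_locks: "true"

      # Every step from here on is gated on branch-deploy's `continue` output,
      # so an unauthorised or malformed comment never reaches the cloud creds.
      - name: checkout
        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.branch-deploy.outputs.ref }}

      - uses: azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # pin@v1
        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - uses: hashicorp/setup-terraform@ed3a0531877aca392eb870f440d9ae7aba83a6bd # pin@v1
        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
        with:
          # Quoted so no YAML loader can ever retype a version string.
          terraform_version: "1.1.7"
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}

      - name: Terraform init
        id: init
        if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
        working-directory: terraform/
        run: terraform init

      ### NOOP DEPLOY ###
      - name: Terraform fmt
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop == 'true' }}
        working-directory: terraform/
        id: fmt
        run: terraform fmt -check
        # Outcome is reported in the PR comment below; a style failure is not fatal.
        continue-on-error: true

      - name: Terraform validate
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop == 'true' }}
        working-directory: terraform/
        id: validate
        run: terraform validate -no-color

      - name: Terraform plan
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop == 'true' }}
        working-directory: terraform/
        id: plan
        env:
          TF_VAR_CLIENT_ID: ${{ secrets.CLIENT_ID }}
          TF_VAR_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
          TF_VAR_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
          TF_VAR_TENANT_ID: ${{ secrets.TENANT_ID }}
        run: terraform plan -no-color
        # Outcome is reported in the PR comment below; a plan failure is not fatal.
        continue-on-error: true

      # Post comment on PR with the production (noop) plan info
      - uses: actions/github-script@5d03ada4b0a753e9460b312e61cc4f8fdeacf163 # [email protected]
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop == 'true' }}
        env:
          PLAN: "terraform ${{ steps.plan.outputs.stdout }}"
          # The branch ref and actor are read from process.env instead of being
          # expanded by ${{ }} inside the JavaScript source: a branch name that
          # contains a backtick or ${...} would otherwise be spliced into the
          # template literal and change the code that runs with GITHUB_TOKEN.
          DEPLOY_REF: ${{ steps.branch-deploy.outputs.ref }}
          ACTOR: ${{ github.actor }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const output = `### Terraform Plan - Production (noop) 🪐
            - Terraform Format and Style 🖌: \`${{ steps.fmt.outcome }}\`
            - Terraform Initialization ⚙️: \`${{ steps.init.outcome }}\`
            - Terraform Validation 🤖: \`${{ steps.validate.outcome }}\`
            - Terraform Plan 📖: \`${{ steps.plan.outcome }}\`
            <details><summary>Show Plan</summary>
            \`\`\`${process.env.PLAN}\`\`\`
            </details>
            In addition to the plan, the branch: \`${process.env.DEPLOY_REF}\` would have been deployed
            > Pusher: @${process.env.ACTOR}, Action: \`${{ github.event_name }}\`, Working Directory: \`terraform/\`, Workflow: \`${{ github.workflow }}\``;
            // NOTE(review): github-script v5 and later expose the client as
            // github.rest.issues; github.issues is only valid while the pinned
            // revision is v4 or earlier (the version comment above is garbled).
            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })
      #####################

      ### BRANCH DEPLOY ###
      - name: Terraform apply
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }}
        working-directory: terraform/
        env:
          # Creds
          TF_VAR_CLIENT_ID: ${{ secrets.CLIENT_ID }}
          TF_VAR_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
          TF_VAR_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
          TF_VAR_TENANT_ID: ${{ secrets.TENANT_ID }}
        run: terraform apply -auto-approve

      - name: SSH Remote Deploy
        if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }}
        uses: appleboy/ssh-action@4a03da89e5c43da56e502053be4bbcb293411883 # [email protected]
        env:
          # branch-deploy outputs are forwarded to the remote shell as
          # environment variables instead of being expanded by ${{ }} inside the
          # command line, so a ref or fork name containing quotes, `$` or `;`
          # cannot alter the command the remote host executes.
          DEPLOY_REF: ${{ steps.branch-deploy.outputs.ref }}
          FORK_CHECKOUT: ${{ steps.branch-deploy.outputs.fork_checkout }}
          FORK_FULL_NAME: ${{ steps.branch-deploy.outputs.fork_full_name }}
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USERNAME }}
          key: ${{ secrets.SSH_KEY }}
          port: ${{ secrets.SSH_PORT }}
          script_stop: true
          # NOTE(review): confirm the pinned ssh-action revision honours `envs`
          # (it exports the listed step env vars into the remote session).
          envs: DEPLOY_REF,FORK_CHECKOUT,FORK_FULL_NAME
          script: ~/status/script/deploy -r="$DEPLOY_REF" -f="$FORK_CHECKOUT" -d="status" -n="$FORK_FULL_NAME"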