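---
# Builds the homelab infrastructure with OpenTofu whenever *.tf sources change
# on master: writes the variable file from CI secrets, checks formatting,
# validates, plans, and then applies the saved plan.
name: Build Infra (Opentofu)

on:
  push:
    branches:
      - master
    paths:
      - '**.tf'

# Least privilege for the workflow token: the job only reads the repository.
permissions:
  contents: read

jobs:
  opentofu:
    # Skip the job when the workflow runs anywhere other than this repository
    # (for example in a fork).
    if: github.repository == 'comprofix/opentofu-homelab'
    name: Opentofu Build
    runs-on: self-hosted
    container:
      image: node:20-bullseye
    env:
      # PostgreSQL backend connection string. Job-level, so every step below
      # (including third-party actions) can read it.
      PG_CONN_STR: ${{ secrets.PG_CONN_STR }}
    steps:
      # 1. Checkout code
      # NOTE(review): the actions in this job are referenced by mutable tags;
      # pinning each to a full commit SHA keeps a moved tag from changing what
      # runs with these secrets in scope.
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      # 2. Generate dynamic Terraform/Opentofu vars from secrets
      # Secrets reach the script as environment variables instead of being
      # pasted into the script text, so characters such as `$`, backticks or
      # backslashes in a value are written verbatim rather than interpreted by
      # the shell. `umask 077` keeps the generated file private to the job user.
      # NOTE(review): a multi-line value (such as a PEM private key) is not
      # valid inside a double-quoted HCL string - confirm how SSH_PRIVATE_KEY
      # is stored.
      - name: Generate Dynamic Vars (Secrets)
        env:
          CI_USER: ${{ secrets.CI_USER }}
          CI_PASSWORD: ${{ secrets.CI_PASSWORD }}
          PVE_API_URL: ${{ secrets.PVE_API_URL }}
          PVE_API_TOKEN_ID: ${{ secrets.PVE_API_TOKEN_ID }}
          PVE_API_TOKEN_SECRET: ${{ secrets.PVE_API_TOKEN_SECRET }}
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_PASSPHRASE: ${{ secrets.SSH_PASSPHRASE }}
        run: |
          umask 077
          cat <<EOF > terraform.auto.tfvars
          ci_user = "${CI_USER}"
          ci_password = "${CI_PASSWORD}"
          proxmox_api_url = "${PVE_API_URL}"
          proxmox_api_token_id = "${PVE_API_TOKEN_ID}"
          proxmox_api_token_secret = "${PVE_API_TOKEN_SECRET}"
          ssh_key = "${SSH_PRIVATE_KEY}"
          passphrase = "${SSH_PASSPHRASE}"
          EOF

      # 3. Setup Opentofu CLI
      - name: Setup Opentofu
        uses: opentofu/setup-opentofu@v1

      # 4. Format the generated vars file so the recursive format check in
      #    step 6 does not fail on it
      - name: Format vars file
        run: tofu fmt terraform.auto.tfvars

      # 5. Initialize Opentofu backend and providers
      - name: Opentofu Init
        run: tofu init

      # 6. Full formatting/lint check for all files
      - name: Opentofu Format Check
        run: tofu fmt -check -recursive

      # 7. Validate configuration
      - name: Opentofu Validate
        run: tofu validate

      # 8. Plan changes
      # With -detailed-exitcode the plan exits 0 (no changes), 1 (error) or
      # 2 (changes present). Exit code 2 would otherwise fail this step and
      # skip the apply exactly when there is something to apply, so only a
      # code other than 0 or 2 is treated as failure.
      - name: Opentofu Plan
        id: plan
        run: |
          rc=0
          tofu plan -out=tfplan -detailed-exitcode || rc=$?
          if [ "$rc" -ne 0 ] && [ "$rc" -ne 2 ]; then
            exit "$rc"
          fi

      # 9. Apply changes only if previous steps succeed
      - name: Opentofu Apply
        if: success()
        run: tofu apply -auto-approve tfplan

      # 10. Remove secret-bearing files even when an earlier step failed.
      # The tfvars file holds the credentials in clear text and a saved plan
      # may embed sensitive values; a self-hosted runner's workspace can
      # outlive the job.
      - name: Remove generated secrets and plan
        if: always()
        run: rm -f terraform.auto.tfvars tfplan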