ci: introduce the lock mechanism (#3535)

* ci: introduce the lock mechanism * ci: fix * style: add comment * ci: fail CI if the target is being locked * ci: pass tfaction_target * fix: acquire lock after setup * test
suzuki-shunsuke · Nov 1, 2024 · 8c3a6f9 · 8c3a6f9
1 parent 5350242
commit 8c3a6f9
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 0 deletions.
diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml
@@ -36,6 +36,7 @@ jobs:
         target: ${{fromJSON(needs.setup.outputs.targets)}}
     env:
       TFACTION_TARGET: ${{matrix.target.target}}
+      TFACTION_WORKING_DIR: ${{matrix.target.working_directory}}
       TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
     permissions:
       id-token: write # For OIDC
@@ -141,6 +142,19 @@ jobs:
         env:
           TF_TOKEN_app_terraform_io: ${{secrets.TFE_TOKEN}}
 
+      # These steps are optional. If you don't want lock mechanism, please remove them.
+      - uses: suzuki-shunsuke/lock-action@95020dd05b8976fd85ad4d777411a41d2d2928fa # v0.1.1
+        id: check-lock
+        with:
+          mode: check # If you want to acquire lock, please check this to `lock`
+          key: ${{env.TFACTION_WORKING_DIR}}
+      - run: |
+          github-comment post -k already-locked -var "result:$RESULT" -var "tfaction_target:${TFACTION_TARGET}"
+          exit 1
+        if: steps.check-lock.outputs.already_locked == 'true'
+        env:
+          RESULT: ${{steps.check-lock.outputs.result}}
+
       - name: Generate token for apply
         id: apply_token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0

diff --git a/.github/workflows/lock.yaml b/.github/workflows/lock.yaml
@@ -0,0 +1,50 @@
+---
+# This workflow is optional. If you don't want lock mechanism, please remove this workflow.
+name: Lock / Unlock
+run-name: ${{inputs.action}} ${{inputs.working_dir}}
+on:
+  workflow_dispatch:
+    inputs:
+      action:
+        description: action
+        required: true
+        default: lock
+        type: choice
+        options:
+          - lock
+          - unlock
+          - check
+      working_dir:
+        description: working directory
+        required: true
+      message:
+        description: message
+        required: false
+jobs:
+  lock:
+    name: ${{inputs.action}}
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: ${{inputs.action}} ${{inputs.working_dir}}
+        uses: suzuki-shunsuke/lock-action@95020dd05b8976fd85ad4d777411a41d2d2928fa # v0.1.1
+        id: lock
+        with:
+          mode: ${{inputs.action}}
+          key: ${{inputs.working_dir}}
+          message: ${{inputs.message}}
+          ignore_already_locked_error: "true"
+      - name: Output the result of check
+        run: |
+          echo "::notice::already_locked: $ALREADY_LOCKED" >&2
+          {
+            echo '```json' 
+            echo "$RESULT"
+            echo '```' 
+          } >> "$GITHUB_STEP_SUMMARY"
+        if: inputs.action == 'check'
+        env:
+          ALREADY_LOCKED: ${{steps.lock.outputs.already_locked}}
+          RESULT: ${{steps.lock.outputs.result}}
diff --git a/.github/workflows/wc-plan.yaml b/.github/workflows/wc-plan.yaml
@@ -27,6 +27,7 @@ jobs:
       contents: read # To checkout private repositories
     env:
       TFACTION_TARGET: ${{matrix.target.target}}
+      TFACTION_WORKING_DIR: ${{matrix.target.working_directory}}
       TFACTION_JOB_TYPE: ${{matrix.target.job_type}}
       GH_COMMENT_SHA1: ${{inputs.ref}}
       TFCMT_SHA: ${{inputs.ref}}
@@ -104,6 +105,19 @@ jobs:
           repositories: >-
             ["${{github.event.repository.name}}"]
 
+      # These steps are optional. If you don't want lock mechanism, please remove them.
+      - uses: suzuki-shunsuke/lock-action@95020dd05b8976fd85ad4d777411a41d2d2928fa # v0.1.1
+        id: check-lock
+        with:
+          mode: check # If you want to acquire lock, please check this to `lock`
+          key: ${{env.TFACTION_WORKING_DIR}}
+      - run: |
+          github-comment post -k already-locked -var "result:$RESULT" -var "tfaction_target:${TFACTION_TARGET}"
+          exit 1
+        if: steps.check-lock.outputs.already_locked == 'true'
+        env:
+          RESULT: ${{steps.check-lock.outputs.result}}
+
       - uses: suzuki-shunsuke/tfaction/setup@9751dd9b04be9d10d643c0a46d3c23ac21075c43 # v1.11.2
         with:
           github_token: ${{steps.generate_token.outputs.token}}

diff --git a/github-comment.yaml b/github-comment.yaml
@@ -3,6 +3,17 @@
 hide:
   default: |
     Comment.HasMeta && Comment.Meta.SHA1 != Commit.SHA1 && ! (Comment.Meta.Program == "tfcmt" && Comment.Meta.Command == "apply")
+post:
+  already-locked:
+    template: |
+      ## :x: This target is being locked {{if .Vars.tfaction_target}}({{.Vars.tfaction_target}}){{end}}
+
+      {{template "link" .}}
+
+      ```json
+      {{.Vars.result}}
+      ```
+
 exec:
   default:
   - when: ExitCode != 0

diff --git a/github/services/foo/main.tf b/github/services/foo/main.tf
@@ -1,3 +1,4 @@
+
 resource "github_issue_label" "foo" {
   repository  = "tfaction-example"
   name        = "foo"