From 6a96d46ee736b95a5df1a5d89c193189f0562388 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 1 May 2026 12:14:30 +0100 Subject: [PATCH 1/5] chore: try fix mise/node sec issue --- .github/actions/terragrunt/README.md | 2 +- .github/actions/terragrunt/action.yml | 11 ++++++++--- .github/docs/README.md | 4 ++-- .github/workflows/pull_request.yml | 10 +++++++--- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/.github/actions/terragrunt/README.md b/.github/actions/terragrunt/README.md index 5267bffb..ffd5d51f 100644 --- a/.github/actions/terragrunt/README.md +++ b/.github/actions/terragrunt/README.md @@ -5,7 +5,7 @@ This GitHub Action sets up **Terraform** and **Terragrunt** and runs a specified ## Features - Installs pinned versions of Terraform and Terragrunt -- Installs Terragrunt through `gruntwork-io/terragrunt-action@v3` +- Installs Terragrunt through `jdx/mise-action@v3` - Uses AWS credentials already configured earlier in the same job when needed - Optionally passes Terragrunt variables via JSON tfvars - Supports `plan` mode for producing local saved plan files diff --git a/.github/actions/terragrunt/action.yml b/.github/actions/terragrunt/action.yml index 92716ec0..0601cba9 100644 --- a/.github/actions/terragrunt/action.yml +++ b/.github/actions/terragrunt/action.yml @@ -40,10 +40,15 @@ runs: terraform_wrapper: false - name: Install Terragrunt - uses: gruntwork-io/terragrunt-action@v3 + uses: jdx/mise-action@v3 with: - tg_version: ${{ inputs.tg_version }} - tf_path: terraform + tool_versions: | + terragrunt ${{ inputs.tg_version }} + github_token: ${{ github.token }} + + - name: Verify Terragrunt installation + shell: bash + run: terragrunt --version - name: Normalize and write override_tg_vars if: inputs.tg_action == 'apply' || inputs.tg_action == 'plan' || inputs.tg_action == 'destroy' diff --git a/.github/docs/README.md b/.github/docs/README.md index 6fd7f4c2..62a8909b 100644 --- a/.github/docs/README.md +++ b/.github/docs/README.md 
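Review bot: The new `uses: jdx/mise-action@v3` line in the Install Terragrunt step references a mutable major tag, so a commit whose subject is about a dependency security issue still resolves the installer through a floating ref; pinning it to a full commit SHA with the tag kept as a trailing comment (`uses: jdx/mise-action@<commit-sha>  # v3`, placeholder) makes the step reproducible and lets the existing dependency tooling track it. The same applies to the `pull_request.yml` hunk of this patch, which adds the identical `uses:` line. Separately, the removed `tf_path: terraform` input is what kept Terragrunt on the binary from `hashicorp/setup-terraform`; mise-action puts its own shims on PATH and, as far as I can tell, also installs whatever a repo-level mise config declares, so it is no longer explicit which Terraform the `terragrunt` shim will resolve. The new Verify step could make that visible by also printing the resolved Terraform, e.g. `run: terragrunt --version && terraform version`.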
@@ -51,7 +51,7 @@ If you are unsure, the live `aws/oidc` stack in the target environment is the so - `release.yml` Creates release tags, prepares shared CI artifacts, builds release outputs, and publishes the GitHub release. Version bumps come from a repo-local action that scans commit subjects since the latest semver tag and matches configurable major/minor/patch prefixes. - `pull_request.yml` - Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `gruntwork-io/terragrunt-action@v3`. + Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff. 
When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v3`. The local version action can also be tested outside GitHub Actions, either by running the Python entrypoint directly or through its dedicated Docker image. 
@@ -145,7 +145,7 @@ Run these checks on every CI, workflow, or deploy-contract change. - `./.github/actions/terragrunt` always uploads per-stack plan artifacts on `plan` and always downloads them on `apply_plan`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable, so graph executors like `shared_infra.yml` do not need separate `./.github/actions/just` steps for those transfers - both repo-local composite actions, `./.github/actions/just` and `./.github/actions/terragrunt`, now assume AWS credentials are already configured in the current job when they need AWS access. The repo pattern is to run `aws-actions/configure-aws-credentials` at the top of each AWS-using job and then call the local actions without extra auth inputs - `./.github/actions/just` installs the requested `just` version through `extractions/setup-crate@v2` in the same minimal composite-action shape as `extractions/setup-just`, rather than depending on `extractions/setup-just` itself -- `./.github/actions/terragrunt` installs the requested Terragrunt version through `gruntwork-io/terragrunt-action@v3`, passing `tf_path: terraform` so the repo keeps using the separately pinned Terraform binary from `hashicorp/setup-terraform` +- `./.github/actions/terragrunt` installs the requested Terragrunt version through `jdx/mise-action@v3`, while Terraform stays pinned separately through `hashicorp/setup-terraform` - saved infra-plan storage is intentionally split into two levels: - one run-level metadata file at `/infra-plan-metadata/plan-metadata.json` - one per-stack plan bundle under `/terragrunt-plan-/` diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index bec000fd..77c0d742 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -152,10 +152,14 @@ jobs: steps: - uses: actions/checkout@v6 - uses: hashicorp/setup-terraform@v4 - - uses: gruntwork-io/terragrunt-action@v3 + - uses: jdx/mise-action@v3 with: - tg_version: 0.45.10 - tf_path: terraform + tool_versions: | + terragrunt 0.45.10 + github_token: ${{ github.token }} + + - name: Verify Terragrunt installation + run: terragrunt --version - name: Terraform fmt check run: terraform fmt -check -recursive From 09fc0e668da48c08dd73c04d17317ce474034f2e Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 1 May 2026 12:18:46 +0100 Subject: [PATCH 2/5] chore: pr manual dispatch override --- .github/docs/README.md | 2 +- .github/workflows/pull_request.yml | 41 ++++++++++++++++++++++-------- 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/.github/docs/README.md b/.github/docs/README.md index 62a8909b..6d491356 100644 --- a/.github/docs/README.md +++ b/.github/docs/README.md 
@@ -51,7 +51,7 @@ If you are unsure, the live `aws/oidc` stack in the target environment is the so - `release.yml` Creates release tags, prepares shared CI artifacts, builds release outputs, and publishes the GitHub release. Version bumps come from a repo-local action that scans commit subjects since the latest semver tag and matches configurable major/minor/patch prefixes. - `pull_request.yml` - Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v3`. + Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job normally runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff, but manual `workflow_dispatch` runs now force every change flag on and rerun the full validation surface without a PR diff. 
When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v3`. The local version action can also be tested outside GitHub Actions, either by running the Python entrypoint directly or through its dedicated Docker image. diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 77c0d742..d46fd974 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -11,13 +11,20 @@ on: ready_for_review, edited, ] + workflow_dispatch: + inputs: + pr_title: + description: "PR title to validate and use for version preview when running manually" + required: false + type: string + default: "chore: manual workflow dispatch" jobs: check-pr-title: name: PR Title runs-on: ubuntu-latest env: - PR_TITLE: ${{ github.event.pull_request.title }} + PR_TITLE: ${{ github.event.pull_request.title || inputs.pr_title }} ALLOWED_PREFIXES: "breaking: feat: patch: fix: minor: chore: docs:" steps: - name: Fail if PR title does not start with an allowed prefix 
@@ -40,13 +47,13 @@ jobs: pull-requests: read contents: read outputs: - actions: ${{ steps.filter.outputs.actions }} - terraform: ${{ steps.filter.outputs.terraform }} - terragrunt: ${{ steps.filter.outputs.terragrunt }} - github: ${{ steps.filter.outputs.github }} - frontend: ${{ steps.filter.outputs.frontend }} - lambdas: ${{ steps.filter.outputs.lambdas }} - containers: ${{ steps.filter.outputs.containers }} + actions: ${{ steps.force_all.outputs.actions || steps.filter.outputs.actions }} + terraform: ${{ steps.force_all.outputs.terraform || steps.filter.outputs.terraform }} + terragrunt: ${{ steps.force_all.outputs.terragrunt || steps.filter.outputs.terragrunt }} + github: ${{ steps.force_all.outputs.github || steps.filter.outputs.github }} + frontend: ${{ steps.force_all.outputs.frontend || steps.filter.outputs.frontend }} + lambdas: ${{ steps.force_all.outputs.lambdas || steps.filter.outputs.lambdas }} + containers: ${{ steps.force_all.outputs.containers || steps.filter.outputs.containers }} steps: - name: Checkout repository uses: actions/checkout@v6 @@ -54,12 +61,26 @@ jobs: ref: ${{ github.sha }} fetch-depth: 0 + - name: Force all change flags for manual dispatch + id: force_all + if: ${{ github.event_name == 'workflow_dispatch' }} + shell: bash + run: | + echo "actions=true" >> "$GITHUB_OUTPUT" + echo "terraform=true" >> "$GITHUB_OUTPUT" + echo "terragrunt=true" >> "$GITHUB_OUTPUT" + echo "github=true" >> "$GITHUB_OUTPUT" + echo "frontend=true" >> "$GITHUB_OUTPUT" + echo "lambdas=true" >> "$GITHUB_OUTPUT" + echo "containers=true" >> "$GITHUB_OUTPUT" + - name: Detect changed files + if: ${{ github.event_name != 'workflow_dispatch' }} id: filter uses: ./.github/actions/get-changes with: ref: ${{ github.sha }} - base_ref: ${{ github.event.pull_request.base.sha }} + base_ref: ${{ github.event.pull_request.base.sha || github.sha }} - shell: bash run: echo "actions changes - ${{ steps.filter.outputs.actions }}" 
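Review bot: In the second hunk, the new `base_ref: ${{ github.event.pull_request.base.sha || github.sha }}` fallback looks unreachable: the `Detect changed files` step now carries `if: ${{ github.event_name != 'workflow_dispatch' }}`, and the workflow's other trigger is `pull_request`, where `base.sha` is always populated; if the step ever did run with `github.sha` at both ends, the `base...HEAD` diff would presumably be empty and every flag would quietly come out false. Either drop the `||` fallback or document the intent on the step, such as `# Skipped on workflow_dispatch; the force_all step supplies the flags instead`. The `force_all` step's seven `echo` lines could be one loop, `for f in actions terraform terragrunt github frontend lambdas containers; do echo "$f=true" >> "$GITHUB_OUTPUT"; done`, which keeps the flag list in one place next to the `outputs:` mapping the first hunk rewrites. The unchanged debug line `echo "actions changes - ${{ steps.filter.outputs.actions }}"` still reads the filter step directly, so on manual runs it will print an empty value rather than the forced `true`.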
@@ -92,7 +113,7 @@ jobs: id: get_next_version uses: ./.github/actions/get-next-version with: - subjects: ${{ github.event.pull_request.title }} + subjects: ${{ github.event.pull_request.title || inputs.pr_title }} - name: Show action outputs run: | From 8f8ff4f715dd591caaa2954520426b6377d72508 Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 1 May 2026 12:20:19 +0100 Subject: [PATCH 3/5] debug: trigger --- .github/workflows/pull_request.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index d46fd974..97ba385e 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -1,4 +1,4 @@ -name: PR +name: Pull Request on: pull_request: @@ -18,6 +18,9 @@ on: required: false type: string default: "chore: manual workflow dispatch" + push: + branches: + - fix-terragrunt-mise-node-dep jobs: check-pr-title: From 8c9e31466410456c6b8028165cb2b2e0cf729dee Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 1 May 2026 12:21:11 +0100 Subject: [PATCH 4/5] chore: trigger --- .github/workflows/pull_request.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 97ba385e..9bf4d198 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -21,6 +21,7 @@ on: push: branches: - fix-terragrunt-mise-node-dep + - this jobs: check-pr-title: From 273b3e5baa83c465980e56a97f4c63800c4566cf Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Fri, 1 May 2026 12:22:16 +0100 Subject: [PATCH 5/5] chore: rm debug trigger --- .github/workflows/pull_request.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 9bf4d198..430a925b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
@@ -18,10 +18,6 @@ on: required: false type: string default: "chore: manual workflow dispatch" - push: - branches: - - fix-terragrunt-mise-node-dep - - this jobs: check-pr-title: