[FEATURE] Add shared OpenTofu reusable workflows#41
Port shared-tofu-plan and shared-tofu-apply from the private omf-github-terraform repo to this public repo so zizmor online audits (ref-confusion, impostor-commit) can verify refs without a cross-repo token.

Changes vs omf-github-terraform version:
- oidc_role_arn is now required with no default; callers must pass the IAM role ARN explicitly
- actions/checkout bumped to v4.2.2 (SHA-pinned)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
Overture PRojection Review

This PR ports shared OpenTofu reusable workflows from a private repo to enable public ref verification, and updates OIDC role input requirements.

✅ Checks Passed
🚩 Flags
❓ Open Questions
Context Files

No blocking bugs or security issues found. The main process flag is around secret masking logic—please confirm secret formats or update masking as needed. Otherwise, the port and workflow changes are sound.
- Move permissions from workflow level to job level with explanatory comments (fixes excessive-permissions in apply, undocumented-permissions in plan)
- Add persist-credentials: false to checkout steps (fixes artipacked)
- Fix template-injection: pass inputs.env and secrets via step env vars instead of direct template expansion; drop echo -e in favour of plain echo
- Add ref-version-mismatch to existing zizmor:ignore directives in check-linked-issue and overture-projection actions

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
Zizmor flags missing top-level permissions block as excessive-permissions
(default permissions used). Add permissions: {} at workflow scope so
callers get deny-all by default; job-level grants remain unchanged.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Signed-off-by: John McCall <john@overturemaps.org>
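As an added illustration (not the PR's actual shared-tofu-plan.yaml or any file from this repo), a minimal reusable workflow that applies the zizmor fixes described in the commit messages above: deny-all `permissions: {}` at workflow scope with explicit job-level grants, `persist-credentials: false` on checkout, and inputs passed through step `env` rather than expanded inside `run`. The `env` and `oidc_role_arn` inputs are taken from the PR; `<checkout-sha>` is a placeholder for the pinning SHA.

```yaml
# Added example, not the PR's actual file: a minimal reusable plan workflow
# applying the zizmor fixes listed in the commit messages above.
# <checkout-sha> is a placeholder for the SHA pinning actions/checkout v4.2.2.
name: shared-tofu-plan (illustrative)

on:
  workflow_call:
    inputs:
      env:
        description: Target environment name
        required: true
        type: string
      oidc_role_arn:
        description: IAM role ARN to assume via OIDC (required, no default)
        required: true
        type: string

# Workflow-level deny-all: callers inherit no default GITHUB_TOKEN
# permissions (zizmor: excessive-permissions).
permissions: {}

jobs:
  plan:
    runs-on: ubuntu-latest
    # Job-level grants only: id-token for AWS OIDC, contents to read the repo
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@<checkout-sha> # v4.2.2
        with:
          # Do not persist GITHUB_TOKEN in .git/config (zizmor: artipacked)
          persist-credentials: false

      # Weak form (zizmor: template-injection): the input is expanded into
      # the script text before the shell runs it, so its content is code:
      #   run: echo -e "Planning ${{ inputs.env }}"
      # Fixed form: bind the input to an env var; the shell reads it as data.
      - name: Announce environment
        env:
          TARGET_ENV: ${{ inputs.env }}
          ROLE_ARN: ${{ inputs.oidc_role_arn }}
        run: |
          echo "Planning environment: $TARGET_ENV"
          echo "Assuming role: $ROLE_ARN"
```

Secrets declared under `workflow_call.secrets` are passed to a step the same way, via its `env` map, which also lets the runner's masking apply to them in logs.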
There are a couple LF tofu workflows we created that we may want to add here and use: combo plan-and-apply for manual runs so that the CI apply doesn't need workflow-dispatch, and a check-drift job for alerts.
Pull request overview
Ports the shared OpenTofu reusable plan/apply workflows into this public workflows repository so zizmor online audits can verify workflow refs without cross-repo GITHUB_TOKEN access constraints.
Changes:
- Added new reusable workflows: shared-tofu-plan.yaml and shared-tofu-apply.yaml for standardized OpenTofu plan/apply execution via AWS OIDC.
- Updated composite actions to suppress an additional zizmor finding (ref-version-mismatch) on actions/create-github-app-token.
- Adjusted the reusable workflow API so callers must explicitly provide oidc_role_arn (no implicit default).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/workflows/shared-tofu-plan.yaml | New reusable workflow implementing an OpenTofu “plan” job with AWS OIDC + optional extras (secrets manager, artifacts). |
| .github/workflows/shared-tofu-apply.yaml | New reusable workflow implementing an OpenTofu “apply” job mirroring the plan workflow and adding an Azure-related pre-run hook. |
| .github/actions/overture-projection/action.yml | Adds an extra zizmor ignore annotation on the pinned create-github-app-token action reference. |
| .github/actions/check-linked-issue/action.yml | Adds an extra zizmor ignore annotation on the pinned create-github-app-token action reference. |
Let's add 'em! Those sound great
Closes #40
Ports shared-tofu-plan.yaml and shared-tofu-apply.yaml from the private omf-github-terraform repo to this public repo.
The root cause: zizmor online audits (ref-confusion, impostor-commit) verify branch/tag refs by calling the GitHub API on the target repo. The GITHUB_TOKEN is always repo-scoped and cannot read a different repo, even with Actions sharing enabled -- those are separate permission systems. Moving the workflows here (public) lets zizmor verify refs without any token.
Notable change: oidc_role_arn is now a required input with no default. The previous default was the Internal Tools OIDC hub role ARN; callers must now pass it explicitly. Existing callers (omf-identity-center-terraform, omf-managed-environments-terraform, etc.) will need a follow-up update to their uses: path and to add the oidc_role_arn input.