Releases: gruntwork-io/pipelines-workflows
v3.0.3
v3.0.2
v3.0.1
What's Changed
- Fix syntax error due to bad character by @Resonance1584 in #88
Full Changelog: v3...v3.0.1
v3.0.0
🎈 Gruntwork Pipelines v3.0.0 Release Notes
Pipelines version 3 introduces several new features which include a number of breaking changes. The migration guide below should take less than 5 minutes for most teams to complete, but please do make sure to follow it closely. We're providing a checklist here to help teams ensure that steps are not skipped.
- Install and configure the Gruntwork.io GitHub App
  - (Alternative) Add actions:read permission to PIPELINES_READ_TOKEN
  - (Alternative) (Enterprise Only) Add PR_CREATE_TOKEN to delegated repository workflows
- Update to Terragrunt v0.67.16 or later
- (If necessary) Add new actions to GitHub Organization allow list settings
- (Enterprise Only) Install and activate Drift Detection
Migration Guide
Install and configure the Gruntwork.io GitHub App
Pipelines now uses the Gruntwork.io GitHub App for workflow permissions, which simplifies permission management. Follow the GitHub App Installation Instructions to install the Gruntwork.io GitHub App and add your infrastructure-live-root repository to your account.
Using the Gruntwork.io GitHub App is recommended and provides full feature support for pipelines workflows. Alternatively, if you do not wish to install the Gruntwork.io GitHub App, you can modify your existing workflows to continue using GitHub secrets, although some features will not be available. Read more about App-only features here.
Alternative steps
- Add actions: read permissions
Customers explicitly list the permissions that Gruntwork Pipelines workflows have by default in the pipelines workflow files in .github/workflows inside their infrastructure repositories. Pipelines v3 now requires the actions: read permission in order to introspect its own runs and provide more helpful logging capabilities.
Customers should make the one-line change to add the actions: read permission in the following files in every repository that uses Gruntwork pipelines (including root, access control and delegated repos). Note that most repositories will have only one or two of these workflow files, in which case update what is present and don't worry about the others.
.github/workflows/pipelines.yml
.github/workflows/pipelines-drift-detection.yml
.github/workflows/pipelines-root.yml
.github/workflows/pipelines-unlock.yml
Old Permissions
permissions:
  id-token: write
  contents: write
  pull-requests: write
New Permissions
permissions:
  id-token: write
  contents: write
  pull-requests: write
  actions: read
- (Enterprise only) Add PR_CREATE_TOKEN to delegated repository workflows.
Delegated repositories that are not using the Gruntwork.io GitHub App will need to add PR_CREATE_TOKEN: ${{ github.token }} to the secrets in their workflow files:
Old Secrets
secrets:
  PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
New Secrets
secrets:
  PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
  PR_CREATE_TOKEN: ${{ github.token }}
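A check for the permissions step above, as an added example that is not part of the release notes or Gruntwork's code: it reads the workflow-level permissions block of whichever of the four listed workflow files exist and reports every entry that differs from the New Permissions block. The function names and the sample workflow are constructed for illustration, and the reader is a minimal line-based one, not a full YAML parser.

```python
import re
from pathlib import Path

# File names and permission levels are copied from the migration guide above.
WORKFLOW_FILES = ("pipelines.yml", "pipelines-drift-detection.yml",
                  "pipelines-root.yml", "pipelines-unlock.yml")
REQUIRED = {"id-token": "write", "contents": "write",
            "pull-requests": "write", "actions": "read"}

# Constructed sample: a caller workflow that still has the "Old Permissions".
SAMPLE_OLD = """\
name: Pipelines
permissions:
  id-token: write   # constructed comment
  contents: write
  pull-requests: write
jobs:
  GruntworkPipelines:
    uses: gruntwork-io/pipelines-workflows/.github/workflows/pipelines-drift-detection.yml@v3
"""

def top_level_permissions(text):
    """Read the workflow-level permissions block mapping (no YAML library)."""
    # Job-level permissions nested under jobs: are not evaluated.
    perms, inside = {}, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # drop comments
        if not line:
            continue
        if line[0] not in " \t":  # a new top-level key begins
            inside = line == "permissions:"
            continue
        match = re.match(r"\s+([\w-]+):\s*([\w-]+)$", line)
        if inside and match:
            perms[match.group(1)] = match.group(2)
    return perms

def permission_gaps(text):
    """Return {permission: (found, required)} for each entry that differs."""
    found = top_level_permissions(text)
    return {name: (found.get(name), level)
            for name, level in REQUIRED.items() if found.get(name) != level}

def audit_repo(repo_root):
    """Check whichever of the four workflow files exist under repo_root."""
    workflows = Path(repo_root) / ".github" / "workflows"
    return {name: permission_gaps((workflows / name).read_text(encoding="utf-8"))
            for name in WORKFLOW_FILES if (workflows / name).is_file()}
```

Calling audit_repo on a checkout returns an empty mapping for each file that already matches; a file whose permissions are written in inline form or set per job needs a manual look.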
Update to Terragrunt v0.67.16
The latest pipelines works best with the latest version of Terragrunt. Recent versions of Terragrunt have much improved logging, as well as performance and correctness improvements in run-all scenarios with pipelines.
Allowlist Actions
This applies only to customers who allow GitHub Actions to run only if they are on an explicit allowlist.
New actions to add
gruntwork-io/pipelines-credentials
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-units
gruntwork-io/pipelines-actions/.github/actions/pipelines-drift-detection-determine-drift
gruntwork-io/pipelines-actions/.github/actions/pipelines-new-pr-action
gruntwork-io/pipelines-actions/.github/actions/pipelines-get-job-logs-url
(Enterprise Only) Install and activate Drift Detection
Pipelines Drift Detection can be installed in your repositories by adding a new workflow file:
- Create a new file at .github/workflows/pipelines-drift-detection.yml
- Add the following content to the file
name: Pipelines Drift Detection
run-name: "[GWP]: Pipelines Drift Detection"
on:
  # Uncomment to enable scheduled Drift Detection
  # schedule:
  #   - cron: '15 12 * * 1'
  workflow_dispatch:
    inputs:
      path:
        description: (Optional) Path to filter units e.g. "./management/*"
        type: string
      branch-name:
        description: (Optional) branch name to open Drift Detection PRs with
        default: drift-detection
        type: string
permissions:
  id-token: write
jobs:
  GruntworkPipelines:
    uses: gruntwork-io/pipelines-workflows/.github/workflows/pipelines-drift-detection.yml@v3
    with:
      path: ${{ inputs.path }}
      branch-name: ${{ inputs.branch-name }}
New Features
- Pipelines as a GitHub App
- Pipelines Drift Detection (Enterprise Only)
- Improved Account Factory Bootstrap Customization Hooks
- Pipelines Log Link Improvements
- New config options in config.yaml
  - consolidate-added-or-changed: allows the pipeline to run as a single parallelized terragrunt instance such that dependencies are respected for deletions
  - consolidate-deleted: Enable consolidating ModuleDeleted jobs with run-all
  - enable-terragrunt-provider-cache: uses the new terragrunt provider cache so that you don't fetch the same 500 meg AWS provider binary 20 times
v2.6.1
v2
v2.6.0
New Features
- We now allow for specifying arbitrary env values via config.yml. See the docs for an example of how to set .pipelines.env with your custom environment values.
- An update to the pipelines-unlock workflow with an optional unlock_all flag that iterates over every state file and unlocks all of them. This is useful in the event of a large run, e.g. run-all plan that is cancelled midway leaving many locks stuck.
Enhancements
- Pipelines now detects if the PIPELINES_READ_TOKEN is invalid and posts a more helpful error to logs, the PR comment and the step summary letting you know to ensure the token is valid.
PR Changelog
- Pipelines CLI v0.23.0 by @Resonance1584 in #71
- Pipelines CLI v0.23.1 by @Resonance1584 in #72
- Pipelines CLI v0.24.0 by @Resonance1584 in #74
- Force unlock all by @ZachGoldberg in #77
- feat: detect invalid read tokens by @ZachGoldberg in #80
- chore: Bumping pipelines-cli to v0.28.0 by @yhakbar in #81
Full Changelog: v2...v2.6.0
v2.5.0
What's Changed
- DEV-427 - Unlock State Workflow by @ZachGoldberg in #64
- chore: Bumping pipelines to v0.21.2 by @yhakbar in #65
- DEV-129: Add additional pipelines preflight checks by @ZachGoldberg in #67
- Fix action reference in account bootstrap job's name by @oredavids in #70
- Bump to version v1.9.0 of pipelines-actions which brings in complementary changes for the above new features (unlocking and preflight) as well as a handful of bug fixes - https://github.com/gruntwork-io/pipelines-actions/releases/tag/v1.9.0
Full Changelog: v2...v2.5.0
v2.4.0
What's Changed
This pulls in a change to Pipelines HCL Configuration as Code system to segment the aws_accounts block into an accounts block nested as the aws block.
While this is a breaking change, it is not in use by any customers at the moment, and should be safe to use without modification.
Changelog
Full Changelog: v2.3.3...v2.4.0
v2.3.3
What's Changed
This pulls in a rename of the pipelines HCL configuration block for Pipelines to repository via updates to the pipelines-cli.
In addition, it pulls in changes to pipelines-actions which result in a new CATALOG_TAGS value being used during repository vending. This allows for central management of AWS cost allocation tags for delegated repositories.
Some plumbing changes have been done in addition to improve the configurability of the TF_BINARY configuration, making it easier to decide whether you want to use OpenTofu or Terraform.
Changelog
Full Changelog: v2...v2.3.3