Genesys Cloud Terraform plan failing with 403 on PR webhook due to token expiry

Trying to get a solid CI/CD flow running for our custom Client App infrastructure. The goal is straightforward: run terraform plan on every pull request to catch drift, and auto-apply on merge to main.

We’re using the official genesyscloud provider in GitHub Actions. The setup looks clean enough. Here’s the relevant snippet from our workflow file:

- name: Terraform Plan
  run: |
    terraform init
    terraform plan -out=tfplan -var-file=var.tfvars
  env:
    GENESYS_CLOUD_CLIENT_ID: ${{ secrets.GC_CLIENT_ID }}
    GENESYS_CLOUD_CLIENT_SECRET: ${{ secrets.GC_CLIENT_SECRET }}
    GENESYS_CLOUD_REGION: us-east-1

The problem hits when the PR sits open for more than an hour. The workflow retries the plan step, and suddenly everything fails with a 403 Forbidden error. The debug logs show the OAuth token generated at the start of the job has expired. The provider doesn’t seem to be refreshing the token automatically during the subsequent steps in the same runner environment, or maybe it’s not persisting the refresh token correctly across the matrix jobs.

I’ve tried adding GENESYS_CLOUD_TOKEN_URL manually, but that just breaks the initial auth handshake. We’re on provider version 1.7.32. Is there a specific env var or provider config I’m missing to force token refresh persistence? Or do I need to inject the token generation into a separate reusable workflow that caches the token?

Also, the apply step on merge is failing silently sometimes. No error output, just a status check that stays pending. Anyone else hitting this wall with the webhook-based auth in GH Actions?
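As an added example, not code from the original post or from the genesyscloud provider: a minimal client-credentials token cache that re-mints a token before it expires instead of reusing one minted at job start, alongside the Genesys Cloud token request shape for us-east-1 (built, not sent). LOGIN_HOSTS, fake_fetch and the 300-second safety margin are assumptions for illustration.

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Genesys Cloud login host for the us-east-1 region (other regions use other hosts).
LOGIN_HOSTS = {"us-east-1": "login.mypurecloud.com"}

def build_token_request(region: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str], bytes]:
    """Client-credentials grant: POST /oauth/token with HTTP Basic auth (client_id:client_secret)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"https://{LOGIN_HOSTS[region]}/oauth/token"
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, b"grant_type=client_credentials"

@dataclass
class CachedToken:
    access_token: str
    obtained_at: float   # epoch seconds when the token was minted
    expires_in: int      # lifetime in seconds as reported by the token endpoint

    def remaining(self, now: float) -> float:
        return self.obtained_at + self.expires_in - now

class TokenCache:
    """Hands out a bearer token, re-minting when fewer than `margin` seconds remain.
    A client-credentials grant issues no refresh token (RFC 6749 section 4.4),
    so the only 'refresh' is a fresh request to the token endpoint."""
    def __init__(self, fetch: Callable[[], Dict], margin: int = 300):
        self._fetch = fetch          # hypothetical: performs the POST built above
        self._margin = margin
        self._token: Optional[CachedToken] = None
        self.mint_count = 0          # how many tokens have been requested so far

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or self._token.remaining(now) < self._margin:
            body = self._fetch()
            self._token = CachedToken(body["access_token"], now, int(body["expires_in"]))
            self.mint_count += 1
        return self._token.access_token

# Constructed stand-in for the token endpoint reply, so the example runs offline.
def fake_fetch() -> Dict:
    return {"access_token": "constructed-token", "token_type": "bearer", "expires_in": 3600}
```

Calling `TokenCache(fake_fetch).get(now)` once at job start and again an hour later shows a second mint rather than a stale token being sent with the retried plan.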