We’ve got a custom agent desktop config repo where I’m trying to set up a GitHub Actions workflow. The goal is to run `terraform plan` on pull requests to catch drift before it hits production, then `terraform apply` only when the branch merges into main. The tricky part is managing the state lock since both steps target the same S3 backend. Right now, the plan job acquires the lock, finishes, but doesn’t seem to release it cleanly before the apply job on merge tries to grab it, causing an `Error acquiring the state lock` on the merge pipeline.
I’ve tried using `terraform force-unlock` in the workflow, but that feels like a band-aid and risks corrupting the state if a plan is still running. Here’s the snippet from the workflow file where I’m passing the workspace and backend config:
```yaml
- name: Terraform Plan
  run: |
    terraform init -backend-config=backend.hcl
    terraform plan -var-file=vars.tfvars -out=tfplan
```
Is there a standard pattern for ensuring the lock releases between the PR check and the merge apply, or should I be using separate state files for staging vs prod?
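One standard pattern for the setup described above, as an added example that is not part of the original post: serialize every run that touches the backend with a GitHub Actions `concurrency` group (keeping `cancel-in-progress: false`, because a Terraform process killed mid-run cannot release its lock), and give `plan` and `apply` a `-lock-timeout` so a later job waits for the lock instead of failing immediately. The step names, `backend.hcl` and `vars.tfvars` come from the question; the concurrency group name, action versions, AWS region and the `AWS_ROLE_ARN` secret are assumptions.

```yaml
# Added example (not from the original post): plan on pull requests,
# apply on merge to main, both against the same S3 backend.
name: terraform

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# One group per backend: a second run queues behind the first instead of
# both competing for the state lock. cancel-in-progress stays false
# because a Terraform process killed mid-run cannot release its lock.
concurrency:
  group: terraform-prod-state   # assumed name; use one per state file
  cancel-in-progress: false

permissions:
  id-token: write   # OIDC federation to AWS instead of long-lived keys
  contents: read

env:
  TF_IN_AUTOMATION: "true"
  TF_INPUT: "false"

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}   # assumed secret name
          aws-region: us-east-1                          # assumed region

      - name: Terraform Init
        run: terraform init -backend-config=backend.hcl

      # -lock-timeout makes this run wait for a lock held by another
      # run rather than failing with "Error acquiring the state lock".
      - name: Terraform Plan
        run: terraform plan -var-file=vars.tfvars -out=tfplan -lock-timeout=5m

      # Apply only on merge to main, from the plan file produced in this
      # same job, so what is applied is exactly what the job log shows.
      - name: Terraform Apply
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: terraform apply -lock-timeout=5m tfplan
```

With separate state files per environment (staging vs prod), each one gets its own backend config and its own concurrency group, so runs against one environment never wait on the other.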