We’re trying to lock down our CX as Code pipeline. The goal is simple: terraform plan runs on every Pull Request, but terraform apply only triggers when that PR gets merged into main.
I’ve got the workflow YAML looking like this:
name: Genesys CD
on:
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
      - name: Init
        run: terraform init
      - name: Plan or Apply
        run: |
          if [ "${{ github.event_name }}" == 'pull_request' ]; then
            terraform plan -out=tfplan
          else
            terraform apply -auto-approve tfplan
          fi
The plan step works fine on PRs. But on merge, it fails because the tfplan file generated during the PR workflow isn’t available in the push job context. Caching it seems messy since the plan output can change. Is there a cleaner way to pass the execution plan between jobs or should I just run a fresh plan before apply on the merge? The state file is remote in S3, so locking isn’t the issue here.
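One way to structure this, added here as an example rather than the poster's own workflow: split plan and apply into separate jobs gated by `github.event_name`, and let the apply job run its own plan and apply that plan file within the same job, so nothing has to cross a workflow-run boundary. The job names, the `production` environment, the `concurrency` group and the `-input=false` / `-lock-timeout` flags are my assumptions.

```yaml
name: Genesys CD
on:
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]

# Least privilege for the default GITHUB_TOKEN; apply needs nothing more.
permissions:
  contents: read

# Serialise runs per ref so two applies never race on the same state,
# and never cancel an apply that is already in flight.
concurrency:
  group: terraform-${{ github.ref }}
  cancel-in-progress: false

jobs:
  plan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init -input=false
      # Speculative plan for review only; its output is not reused later.
      - run: terraform plan -input=false -lock-timeout=60s

  apply:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    # Assumed protected environment: required reviewers and environment
    # secrets gate the apply, so the S3 state credentials never reach PR runs.
    environment: production
    steps:
      - uses: actions/checkout@v3
      - uses: hashicorp/setup-terraform@v2
      - run: terraform init -input=false
      # Fresh plan against the merged commit, saved and applied in the same
      # job; no -auto-approve is needed because a saved plan is non-interactive.
      - run: terraform plan -input=false -lock-timeout=60s -out=tfplan
      - run: terraform apply -input=false -lock-timeout=60s tfplan
```

The PR plan is informational only; what gets applied is the plan computed on the merge commit, which is the honest answer when other PRs may have merged in between. Scoping the state-bucket credentials to the `production` environment also keeps `pull_request` runs from holding write-capable secrets.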