GitHub Actions trunk based development IaC
A path to production using trunk based development for infrastructure as code
Published: Friday, May 24, 2024 Last modified: Wednesday, Oct 2, 2024
We focus on trunk based development on main, with a reusable GitHub workflow hiding the details of the deployment. The caller workflow only orchestrates the environments and passes the environment name through:
name: CI/CD done right
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
jobs:
  deploy-to-dev:
    name: Deploy to dev
    uses: ./.github/workflows/deploy.yml
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    with:
      environment: dev
  test-dev:
    uses: ./.github/workflows/test.yml
    needs:
      - deploy-to-dev
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    with:
      environment: dev
  deploy-to-stg:
    name: Deploy to stg
    needs:
      - test-dev
    uses: ./.github/workflows/deploy.yml
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    with:
      environment: stg
  test-stg:
    uses: ./.github/workflows/test.yml
    needs:
      - deploy-to-stg
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    with:
      environment: stg
Notice the needs chain: deploy-to-stg needs test-dev, which needs deploy-to-dev, so dev must deploy and pass its tests before staging (stg) runs. The tests form a safety net before each promotion. The id-token: write permission on every job is what lets the called workflows request a GitHub OIDC token to authenticate to GCP, so it has to be granted by the caller; a called workflow cannot raise its own permissions above what the caller passes in.
oidc-setup/ for GCP and GitHub Actions
Each environment needs its own OIDC bootstrap in oidc-setup/: a Workload Identity Pool and Provider on the GCP side, plus the service account the workflow impersonates. The repository name is critical, because both the provider's attribute condition and the IAM binding that allows the federated identity to impersonate the service account are keyed on the assertion.repository claim of the GitHub token: a typo means the token exchange fails, and a match that is too broad lets other repositories obtain the same credentials. The module produces two outputs, which are stored as GitHub variables on the matching environment for the workflow to read:
service_account_email maps to the SVCACCOUNT variable
workload_identity_provider maps to the WORKLOAD variable
Approval for production
Use GitHub's environment protection rules (required reviewers on the production environment) to ensure we don't deploy to production without approval. The rule only applies to jobs that declare environment: production, so the reusable deployment workflow must bind its job to the environment it was called with; a job that merely reads production variables without declaring the environment is not gated.
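The reusable deploy.yml that the caller above invokes is not shown on this page; the following is an added example of what it can look like, not the author's own workflow. It ties the three pieces together: the environment input selects the GitHub environment (so required reviewers apply on production), the environment's WORKLOAD and SVCACCOUNT variables feed the GCP OIDC exchange, and Terraform runs with the resulting credentials. It assumes the two outputs from oidc-setup/ are stored as environment-scoped variables (read via vars.), that each environment's Terraform root lives under environments/<name>/, and that the concurrency group name is a local choice; the action names and inputs (actions/checkout, google-github-actions/auth, hashicorp/setup-terraform) are real.

```yaml
name: Deploy (reusable)

on:
  workflow_call:
    inputs:
      environment:
        description: "Target environment: dev, stg or production (selects the GitHub environment and its variables)"
        required: true
        type: string

# Assumed: one apply at a time per environment, so two runs never
# race on the same Terraform state.
concurrency:
  group: deploy-${{ inputs.environment }}
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to the GitHub environment is what makes
    # environment-scoped variables resolve and what subjects the job
    # to that environment's protection rules (required reviewers).
    environment: ${{ inputs.environment }}
    permissions:
      id-token: write   # request the GitHub OIDC token for the exchange
      contents: read
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived GCP credentials.
      # WORKLOAD is the workload_identity_provider output of oidc-setup/,
      # SVCACCOUNT its service_account_email output (assumed stored as
      # environment variables on the environment named by the input).
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.WORKLOAD }}
          service_account: ${{ vars.SVCACCOUNT }}

      - uses: hashicorp/setup-terraform@v3

      # Assumed layout: one Terraform root per environment.
      - name: Terraform init
        working-directory: environments/${{ inputs.environment }}
        run: terraform init -input=false

      - name: Terraform plan
        working-directory: environments/${{ inputs.environment }}
        run: terraform plan -input=false -out=tfplan

      # Apply exactly the reviewed plan file, never a fresh plan.
      - name: Terraform apply
        working-directory: environments/${{ inputs.environment }}
        run: terraform apply -input=false tfplan
```

Because the service account email and provider name are not secrets, storing them as environment variables rather than secrets keeps them visible in logs for debugging while the only sensitive material, the short-lived access token, never leaves the runner. Pull requests opened from forks do not receive the id-token permission, so the auth step fails on such runs instead of deploying untrusted code with the repository's GCP identity.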
View the full Terraform example on Github.