Action job starts but reports "no changes"
User:
I have been testing Digger with a backend, but on every PR (even one that just adds an empty line) a GHA job runs only to tell me "No changes in terraform". Closing or merging a PR also triggers a new GHA job just to unlock the project.
I used the workflow_dispatch provided in the documentation:
```yaml
on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
```
I am using the latest version, I suppose:
```yaml
name: Digger Workflow
on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: digger run
        uses: diggerhq/[email protected]
        with:
          setup-aws: true
          aws-role-to-assume: arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}
          aws-region: us-east-1
          digger-hostname: 'https://cloud.digger.dev/'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
          setup-checkov: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Another issue is that the workflow defined in digger.yml is not being detected:
```text
Running 'digger plan' for project 'development' (workflow: )
GitHub context parsed successfully
Error while fetching user teams for CI service: failed to list github teams: GET https://api.github.com/orgs/<orgname>/teams: 403 Resource not accessible by integration []
WARNING: teams failed to be fetched, passing an empty list instead for access policy checks
DEBUG: passing the following input policy: map[action:digger plan approvals:[] organisation:<orngame> planPolicyViolations:[] project:development teams:[] user:<username>] ||| text:
package digger
default allow = true
allow = (count(input.planPolicyViolations) == 0)
Running 'digger plan' for project 'development' (workflow: )
Error while fetching user teams for CI service: failed to list github teams: GET https://api.github.com/orgs/<orgname>/teams: 403 Resource not accessible by integration []
WARNING: teams failed to be fetched, passing an empty list instead for access policy checks
```
Digger.yml:
```yaml
projects:
  - name: development
    dir: dev
    workflow: default
  - name: sandbox
    dir: test
    workflow: default
workflows:
  default:
    plan:
      steps:
        - init
        - plan
        - run: checkov -d . --framework terraform --soft-fail | tee -a $DIGGER_OUT
```
Logs from the runner:
```text
With orchestrator backend: Running 'digger plan' for project 'test' (workflow: )
No backend: Running 'digger plan' for project 'test' (workflow: default)
```
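A consistency check for a digger.yml of the shape posted above, added here as an example rather than anything from the Digger project: it flags a project whose `workflow:` is missing or names a workflow that is not defined (the misconfiguration that would also show up as an empty `(workflow: )` in the log), a `dir` shared by two projects, and custom `run` steps that use `--soft-fail`, which report findings without ever failing the step. The config is embedded as the dict a YAML parser would produce for the posted file; the posted config itself passes the structural checks.

```python
"""Structural checks for a Digger config (projects -> workflows), written for this post."""
from typing import Any

# Constructed: the digger.yml from the post, as PyYAML would parse it.
DIGGER_CONFIG: dict[str, Any] = {
    "projects": [
        {"name": "development", "dir": "dev", "workflow": "default"},
        {"name": "sandbox", "dir": "test", "workflow": "default"},
    ],
    "workflows": {
        "default": {
            "plan": {
                "steps": [
                    "init",
                    "plan",
                    {"run": "checkov -d . --framework terraform --soft-fail | tee -a $DIGGER_OUT"},
                ]
            }
        }
    },
}


def validate_config(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per problem; an empty list means the config is consistent."""
    findings: list[str] = []
    workflows: dict[str, Any] = cfg.get("workflows") or {}
    seen_dirs: dict[str, str] = {}  # dir -> first project that claimed it
    for project in cfg.get("projects") or []:
        name = project.get("name", "<unnamed>")
        wf = project.get("workflow")
        if not wf:
            findings.append(f"project {name}: no workflow set (shows as 'workflow: ' in the log)")
        elif wf not in workflows:
            findings.append(f"project {name}: workflow '{wf}' is not defined under workflows:")
        d = project.get("dir")
        if d in seen_dirs:
            findings.append(f"project {name}: dir '{d}' is already used by project {seen_dirs[d]}")
        elif d:
            seen_dirs[d] = name
    # A soft-failing scanner never blocks the plan; flag it so nobody mistakes it for a gate.
    for wf_name, wf in workflows.items():
        for stage in ("plan", "apply"):
            for step in ((wf or {}).get(stage) or {}).get("steps") or []:
                if isinstance(step, dict) and "--soft-fail" in (step.get("run") or ""):
                    findings.append(f"workflow {wf_name}/{stage}: run step uses --soft-fail, findings will not fail the step")
    return findings
```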