feat: CI pipeline targeted apply — module-aware plan and apply #211

Merged
forgejo_admin merged 2 commits from 198-ci-targeted-apply into main 2026-03-28 00:21:40 +00:00

Summary

  • Add module-aware targeted tofu plan and tofu apply to the Woodpecker CI pipeline
  • When only terraform/modules/X/ files change, the pipeline runs -target=module.X instead of a full plan/apply
  • Falls back to full plan/apply when root terraform files change or no module changes are detected

Changes

  • .woodpecker.yaml — clone step: increased fetch depth from 1 to 2 so HEAD~1 is available for push-event diffing
  • .woodpecker.yaml — plan step: added module detection block that diffs PR branch against target branch, extracts changed module names, builds -target=module.X arguments; PR comment now indicates targeted vs full with module list
  • .woodpecker.yaml — apply step: added same module detection logic using HEAD~1..HEAD diff, builds targeted apply command, preserves lock retry for both targeted and full paths
  • .woodpecker.yaml — apply step: fixed inconsistent $ vs $$ escaping in lock retry block (Woodpecker requires $$ for literal $)

Test Plan

  • Open a PR touching only terraform/modules/monitoring/ — verify plan comment says "targeted: monitoring"
  • Open a PR touching terraform/main.tf — verify plan comment says "full"
  • Open a PR touching two modules — verify plan comment lists both
  • Merge a module-only change to main — verify Woodpecker logs show targeted apply
  • Merge a root-file change to main — verify full apply runs
  • Verify lock retry still triggers on state lock errors
  • Verify cross-pillar-review step unchanged and still fires
  • Verify all 15+ secret env vars preserved in both plan and apply steps
  • Verify IPv6 disable runs in all steps

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive

Related Notes

  • Closes #198
  • Parent: #197 (Terraform state splitting / modularization)
  • Root symptom: #196 (MinIO blocking full applies)
  • project-pal-e-platform
feat: CI pipeline targeted apply — module-aware plan and apply steps
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
64bbdbf477
Detect which terraform/modules/X/ changed and run tofu plan/apply with
-target=module.X instead of full plan/apply. Falls back to full
plan/apply when root terraform files (main.tf, variables.tf, etc.)
change or when no module changes are detected.

For PRs, diffs against the target branch to capture all PR changes.
For push-to-main, diffs HEAD~1..HEAD (clone depth increased to 2).
Plan PR comments now indicate whether the run was targeted or full,
and which modules were included. Lock retry logic preserved for both
targeted and full apply paths.

Closes #198

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: run git diff before cd terraform to avoid wrong pathspec context
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
9769b48624
Woodpecker concatenates all commands into a single shell script, so
cd terraform persists across subsequent commands. The git diff calls
need repo-root-relative paths, so module detection must run before
cd terraform. Reorder: kubeconfig -> module detection -> cd terraform
-> tofu init -> tofu plan/apply.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
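
The module detection described in the PR summary and in the two commit messages above, sketched as a standalone shell function. This is an added example, not the code from `.woodpecker.yaml`. The function name `detect_targets`, the module-name allowlist, and the choice to ignore paths outside `terraform/` are assumptions. Inside a Woodpecker step each `$` would be written `$$`.

```shell
#!/bin/sh
# Added example: map changed paths (one per line on stdin, repo-root-relative,
# as `git diff --name-only` prints them) to tofu -target arguments.
# Feed it from the repo root, before any `cd terraform`, for example:
#   git diff --name-only HEAD~1..HEAD | detect_targets
# Prints "full" when a targeted run is not appropriate, otherwise
# "-target=module.A -target=module.B".
detect_targets() {
    modules=""
    full=0
    while IFS= read -r path; do
        case "$path" in
            terraform/modules/*/*)
                name=${path#terraform/modules/}
                name=${name%%/*}
                # Assumed hardening: the name ends up on a command line, so
                # anything outside a conservative allowlist forces a full run.
                case "$name" in
                    ''|*[!A-Za-z0-9_-]*) full=1 ;;
                    *)
                        case " $modules " in
                            *" $name "*) ;;                  # already recorded
                            *) modules="$modules $name" ;;
                        esac ;;
                esac ;;
            terraform/*) full=1 ;;   # root files (main.tf, variables.tf, ...)
            *) ;;                    # assumption: paths outside terraform/ are ignored
        esac
    done
    # Root change or no module change: fall back to a full plan/apply.
    if [ "$full" -eq 1 ] || [ -z "$modules" ]; then
        echo full
        return 0
    fi
    out=""
    for m in $modules; do
        out="$out -target=module.$m"
    done
    echo "${out# }"
}
```

A caller would branch on the literal `full` and otherwise pass the printed arguments to `tofu plan` or `tofu apply`.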
forgejo_admin deleted branch 198-ci-targeted-apply 2026-03-28 00:21:40 +00:00