javaBin · Alexanderamiri · Mar 16, 2026 · Mar 16, 2026
@@ -104,15 +104,8 @@ jobs:
           path: ${{ env.TF_ROOT }}/lambdas/builds/
           retention-days: 1
 
-      - name: Post plan to PR
-        if: github.event_name == 'pull_request' && steps.changes.outputs.has_infra_changes == 'true'
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: sh scripts/post-plan-comment.sh "${{ env.TF_ROOT }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"
-
       # ----------------------------------------------------------------
-      # LLM Plan Review (inline — plan-output.txt already in workspace)
+      # LLM Plan Review (runs before PR comment so both are combined)
       # ----------------------------------------------------------------
       - name: Run LLM review
         id: review
@@ -121,12 +114,12 @@ jobs:
           REVIEW_RESULT_PATH: review-result.json
         run: sh scripts/extract-review-risk.sh scripts/review-plan.py "${{ env.TF_ROOT }}/plan-output.txt"
 
-      - name: Post review to PR
-        if: github.event_name == 'pull_request' && steps.plan.outputs.has_changes == 'true'
+      - name: Post plan + review to PR
+        if: github.event_name == 'pull_request' && steps.changes.outputs.has_infra_changes == 'true'
         env:
           GH_TOKEN: ${{ github.token }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: sh scripts/post-review-comment.sh
+        run: sh scripts/post-plan-comment.sh "${{ env.TF_ROOT }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"
 
       - name: Post HIGH risk to Slack
         if: steps.review.outputs.risk_level == 'HIGH' && github.ref == 'refs/heads/main'

@@ -98,15 +98,8 @@ jobs:
         if: steps.plan.outputs.has_changes == 'true'
         run: .platform/scripts/upload-plan.sh "${{ inputs.tf_root }}"
 
-      - name: Post plan to PR
-        if: github.event_name == 'pull_request'
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: sh .platform/scripts/post-plan-comment.sh "${{ inputs.tf_root }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"
-
       # ----------------------------------------------------------------
-      # LLM Plan Review (runs in same job — plan-output.txt already here)
+      # LLM Plan Review (runs before PR comment so both are combined)
       # ----------------------------------------------------------------
       - name: Run LLM review
         id: review
@@ -122,12 +115,12 @@ jobs:
           echo '{"level":"${{ steps.review.outputs.risk_level }}","reviewed_at":"'"$(date -u +%Y-%m-%dT%H:%M:%SZ)"'"}' | \
             aws s3 cp - "s3://${PLAN_BUCKET}/${PLAN_DIR}/risk.json" --content-type application/json
 
-      - name: Post review to PR
-        if: github.event_name == 'pull_request' && steps.plan.outputs.has_changes == 'true'
+      - name: Post plan + review to PR
+        if: github.event_name == 'pull_request'
         env:
           GH_TOKEN: ${{ github.token }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: sh .platform/scripts/post-review-comment.sh
+        run: sh .platform/scripts/post-plan-comment.sh "${{ inputs.tf_root }}/plan-output.txt" "${{ steps.plan.outputs.has_changes }}"
 
       - name: Alert Slack on HIGH risk
         if: github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.review.outputs.risk_level == 'HIGH'

@@ -1,24 +1,39 @@
 #!/bin/sh
-# Post terraform plan output as a PR comment.
+# Post terraform plan + LLM review as a single PR comment.
 #
 # Usage: post-plan-comment.sh <plan-output-file> <has_changes>
 #
+# If review-output.txt exists in the current directory, it is appended
+# to the comment. This avoids posting two separate comments.
+#
 # Env: GH_TOKEN (or gh auth), GITHUB_REPOSITORY, PR_NUMBER
 
 set -e
 
 PLAN_FILE="$1"
 HAS_CHANGES="$2"
 
+# --- Extract plan summary line (e.g. "Plan: 5 to add, 2 to change, 0 to destroy") ---
+SUMMARY=$(grep -E '^(Plan:|No changes\.)' "$PLAN_FILE" 2>/dev/null | head -1)
+[ -z "$SUMMARY" ] && SUMMARY="See plan output below."
+
 if [ "$HAS_CHANGES" = "true" ]; then
-  STATUS="**Changes detected** — review required."
+  STATUS=":construction: **Changes detected** — ${SUMMARY}"
 else
-  STATUS="**No changes** — infrastructure is up to date."
+  STATUS=":white_check_mark: **No changes** — infrastructure is up to date."
 fi
 
-PLAN=$(head -c 60000 "$PLAN_FILE" 2>/dev/null || echo "Plan output not available.")
+# --- Filter plan: strip refresh/read noise, keep only the meaningful diff ---
+PLAN_CLEAN_FILE="$(dirname "$PLAN_FILE")/plan-clean.txt"
+if [ -f "$PLAN_CLEAN_FILE" ]; then
+  PLAN=$(head -c 60000 "$PLAN_CLEAN_FILE")
+else
+  # Fallback: filter inline
+  PLAN=$(grep -v -E '^(module\.|data\.|\s+#).*: (Refreshing state|Reading|Read complete)' "$PLAN_FILE" 2>/dev/null | head -c 60000)
+fi
 
-cat > /tmp/plan-comment.md <<EOF
+# --- Build comment ---
+cat > /tmp/plan-comment.md <<ENDOFCOMMENT
 ## Terraform Plan
 
 ${STATUS}
@@ -30,6 +45,19 @@ ${PLAN}
 \`\`\`
 
 </details>
-EOF
+ENDOFCOMMENT
+
+# --- Append LLM review if available ---
+if [ -f review-output.txt ]; then
+  REVIEW=$(cat review-output.txt)
+  cat >> /tmp/plan-comment.md <<ENDOFREVIEW
+
+---
+
+### LLM Review
+
+${REVIEW}
+ENDOFREVIEW
+fi
 
 gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file /tmp/plan-comment.md
@@ -14,6 +14,7 @@
 #
 # The plan binary is written to <working-directory>/tfplan
 # Human-readable output is written to <working-directory>/plan-output.txt
+# A filtered version (no refresh noise) is written to <working-directory>/plan-clean.txt
 
 set -uo pipefail
 
@@ -28,7 +29,11 @@ terraform plan -out=tfplan -detailed-exitcode -no-color "${EXTRA_ARGS[@]}" > pla
 PLAN_EXIT=$?
 set -e
 
-cat plan-output.txt
+# Create filtered output: strip state refresh and data source read lines
+grep -v -E '^(module\.|data\.|\s+#).*: (Refreshing state|Reading|Read complete)' plan-output.txt > plan-clean.txt || true
+
+# Print only the clean output to the CI log (not hundreds of refresh lines)
+cat plan-clean.txt
 
 if [ "$PLAN_EXIT" = "1" ]; then
   echo "Terraform plan failed"