From 72284c1df74778bb9e09cc7746ff111eeb1a6658 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Tue, 17 Mar 2026 23:37:22 +0100
Subject: [PATCH] Fix tf-plan step order: checkout platform scripts before broker invocation

The broker step runs invoke-ci-broker.sh from .platform/scripts/ but the platform checkout happened 3 steps later. Move GitHub App token generation + platform checkout before the OIDC assumption + broker call.
---
 .github/workflows/tf-plan.yml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
index 9e288fa..484ee54 100644
--- a/.github/workflows/tf-plan.yml
+++ b/.github/workflows/tf-plan.yml
@@ -58,19 +58,6 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
-      - name: Assume broker role via OIDC
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-broker
-          aws-region: ${{ inputs.aws_region }}
-          role-session-name: ${{ env.SESSION_NAME }}
-      - name: Get team credentials from broker
-        id: broker
-        env:
-          PROJECT: javabin
-        run: sh .platform/scripts/invoke-ci-broker.sh plan
-
       - name: Generate GitHub App token
         id: app-token
         uses: actions/create-github-app-token@v2
@@ -87,6 +74,19 @@ jobs:
           path: .platform
           sparse-checkout: scripts
+      - name: Assume broker role via OIDC
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-broker
+          aws-region: ${{ inputs.aws_region }}
+          role-session-name: ${{ env.SESSION_NAME }}
+
+      - name: Get team credentials from broker
+        id: broker
+        env:
+          PROJECT: javabin
+        run: sh .platform/scripts/invoke-ci-broker.sh plan
+
       - name: Ensure Terraform boilerplate
         env:
           AWS_ACCOUNT_ID: ${{ inputs.aws_account_id }}
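Review bot: The `run: sh .platform/scripts/invoke-ci-broker.sh plan` step now executes with the freshly assumed `javabin-ci-app-broker` role credentials in the job environment, so the `.platform` checkout it runs from (the step ending in `path: .platform` / `sparse-checkout: scripts`, whose `ref` is outside this hunk) is the trust boundary for that role; if that checkout follows a branch rather than a commit SHA, anyone who can push to the platform repo can run code under the broker role. Pin that checkout to a full commit SHA (`ref: <commit-sha>`) and, for the same reason, replace the mutable tag in `uses: aws-actions/configure-aws-credentials@v6` with a full commit SHA and a trailing `# v6` comment. The broker-role credentials presumably remain exported after the broker step, so whether later steps consume `steps.broker.outputs.*` rather than the ambient role credentials, and whether the script masks what it returns, cannot be confirmed from this hunk; a step comment such as `# NOTE: broker-role creds stay in env after this step; downstream steps must use steps.broker.outputs.*` would make that contract explicit. The enclosing `steps:` list begins and ends outside the hunk.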