Unintended cross-project execution when using multiple projects in digger.yml and separate jobs in GitHub Actions #1970

@spider-man-tm

Description

Situation

I'm using digger.yml with multiple projects defined like this:

projects:
  - name: dev
    dir: terraform/environments/dev
    workflow: dev
    include_patterns:
      - terraform/environments/dev/**
      - terraform/modules/**
  - name: prod
    dir: terraform/environments/prod
    workflow: prod
    include_patterns:
      - terraform/environments/prod/**
      - terraform/modules/**

I also have a single GitHub Actions workflow with two jobs, one for dev and one for prod, each using the official diggerhq/digger action:

jobs:
  digger-dev:
    environment: dev
    steps:
      - name: Run Digger
        uses: diggerhq/digger@v0.6.100
        with:
          no-backend: true
          disable-locking: true
          cache-dependencies: true
          terraform-version: ${{ steps.tfversion.outputs.TF_VERSION }}
          google-lock-bucket: 'gcp'
          upload-plan-destination-gcp-bucket: ${{ secrets.GCP_DIGGER_BUCKET }}
          setup-google-cloud: false
          setup-terraform: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN:   ${{ secrets.GITHUB_TOKEN }}

  digger-prod:
    environment: prod
    steps:
      - name: Run Digger
        uses: diggerhq/digger@v0.6.100
        with:
          no-backend: true
          disable-locking: true
          cache-dependencies: true
          terraform-version: ${{ steps.tfversion.outputs.TF_VERSION }}
          google-lock-bucket: 'gcp'
          upload-plan-destination-gcp-bucket: ${{ secrets.GCP_DIGGER_BUCKET }}
          setup-google-cloud: false
          setup-terraform: true
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN:   ${{ secrets.GITHUB_TOKEN }}

Problem

When only files in terraform/modules/** are changed, both dev and prod projects match the include_patterns, and both get executed — even inside the digger-dev job.

This leads to errors such as:

  • digger-dev job tries to execute prod project and fails with a 403 (due to missing permissions).
  • digger-prod job tries to execute dev project and fails the same way.

This happens even though the GitHub Actions job is clearly meant for only one environment (e.g. dev or prod).
In our setup, each environment is deployed to a separate GCP project with its own service account and access scope.
So unintended cross-project execution results in permission errors, especially when a job for one environment tries to apply resources in the other.

Question

Is there a way to restrict each GitHub Actions job to run only the intended project, based on the workflow mapping defined in digger.yml?
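To make the overlap concrete, here is an added example (my code, not digger's) that approximates include_patterns matching over a changed-file list and adds a per-job guard that keeps the dev job from ever selecting the prod project. The `**` glob semantics and the rule "a project's workflow must equal the job's GitHub environment" are assumptions, not behaviour taken from digger's source.

```python
import re
from typing import Dict, List

# Sample input constructed from the digger.yml quoted in this issue.
PROJECTS: List[Dict] = [
    {"name": "dev", "dir": "terraform/environments/dev", "workflow": "dev",
     "include_patterns": ["terraform/environments/dev/**", "terraform/modules/**"]},
    {"name": "prod", "dir": "terraform/environments/prod", "workflow": "prod",
     "include_patterns": ["terraform/environments/prod/**", "terraform/modules/**"]},
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one include_pattern into a regex.

    Assumed semantics (not taken from digger's source): '**' spans any number
    of path segments, '*' stays inside one segment, everything else is literal.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def matching_projects(changed_files: List[str], projects: List[Dict] = PROJECTS) -> List[str]:
    """Names of every project whose include_patterns cover at least one changed file."""
    matched = []
    for project in projects:
        regexes = [glob_to_regex(p) for p in project["include_patterns"]]
        if any(r.match(f) for f in changed_files for r in regexes):
            matched.append(project["name"])
    return matched


def projects_for_job(changed_files: List[str], job_environment: str,
                     projects: List[Dict] = PROJECTS) -> List[str]:
    """Hypothetical per-job guard: keep only matched projects whose workflow equals the
    job's GitHub environment, so credentials scoped to one GCP project never touch the other."""
    by_name = {p["name"]: p for p in projects}
    return [n for n in matching_projects(changed_files, projects)
            if by_name[n]["workflow"] == job_environment]


if __name__ == "__main__":
    shared = ["terraform/modules/network/main.tf"]
    print("all matches:", matching_projects(shared))          # ['dev', 'prod']
    print("dev job only:", projects_for_job(shared, "dev"))   # ['dev']
```

A shared-module change selects both projects, which is exactly the cross-project run the 403s come from; the guard narrows the selection to the project the job's credentials are scoped for.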
