name: Dry Run on: pull_request: paths: - "state/*.json" jobs: dry-run: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Dry-run reconcile for changed environments env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.sha }} TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }} TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }} DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }} DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }} PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }} PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }} GIT_URL: ${{ secrets.GIT_URL }} REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }} run: | python3 <<'SCRIPT' import json, os, subprocess, urllib.request # Detect changed state files diff = subprocess.run( ["git", "diff", "--name-only", os.environ["BASE_SHA"], os.environ["HEAD_SHA"], "--", "state/*.json"], capture_output=True, text=True, check=True, ) envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()] if not envs: print("No state files changed") exit(0) print(f"Changed environments: {envs}") for env in envs: key = env.upper().replace("-", "_") token = os.environ.get(f"{key}_RECONCILER_TOKEN", "") url = os.environ.get(f"{key}_RECONCILER_URL", "") if not token or not url: print(f"[{env}] No secrets configured — skipping") continue # Call reconciler dry-run with open(f"state/{env}.json", "rb") as f: state_data = f.read() req = urllib.request.Request( f"{url}/reconcile?dry_run=true", data=state_data, method="POST", headers={ "Authorization": f"Bearer {token}", "Content-Type": "application/json", }, ) try: resp = urllib.request.urlopen(req) data = json.loads(resp.read()) except Exception as e: print(f"[{env}] Reconciler call failed: {e}") continue # Format as markdown grouped by action ops = data.get("operations", []) summary = data.get("summary", {}) lines = [f"## Reconciliation Plan: `{env}`\n"] if not ops: lines.append("No changes detected.\n") else: groups = {"Create": [], "Update": [], "Delete": []} for op in ops: t = op["type"] if t.startswith("create"): groups["Create"].append(op) elif t.startswith("delete"): groups["Delete"].append(op) else: groups["Update"].append(op) for action, items in groups.items(): if not items: continue emoji = {"Create": "+", "Update": "~", "Delete": "-"}[action] lines.append(f"### {action} ({len(items)})\n") lines.append("| Resource | Name |") lines.append("|----------|------|") for op in items: resource = op["type"].split("_", 1)[1] if "_" in op["type"] else op["type"] lines.append(f"| {resource} | {op['name']} |") lines.append("") c, u, d = summary.get("created", 0), summary.get("updated", 0), summary.get("deleted", 0) lines.append(f"**Total: {c} create, {u} update, {d} delete**") comment = "\n".join(lines) print(comment) # Post PR comment git_token = os.environ.get("GIT_TOKEN", "") git_url = os.environ.get("GIT_URL", "") if git_token and git_url: api_url = f"{git_url}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments" body = json.dumps({"body": comment}).encode() req = urllib.request.Request(api_url, data=body, method="POST", headers={ "Authorization": f"token {git_token}", "Content-Type": "application/json", }) urllib.request.urlopen(req) print(f"Posted comment to PR #{os.environ['PR_NUMBER']}") SCRIPT