Enhancement Proposal
The generate_terraform_docs.yaml reusable workflow hardcodes secrets.GITHUB_TOKEN for the canonical/create-pull-request step:
```yaml
- name: Create pull request
  uses: canonical/create-pull-request@main
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}
```
GitHub prevents workflows from being triggered by commits or PRs created using GITHUB_TOKEN. This means that when terraform-docs opens or updates a PR, no CI workflows run against it.
The fix is to add an optional github-token input that defaults to secrets.GITHUB_TOKEN for backwards compatibility, but allows callers to pass a PAT:
```yaml
on:
  workflow_call:
    inputs:
      github-token:
        type: string
        description: Token used to create the pull request. Use a PAT to allow CI to trigger on the resulting PR.
        default: ""
```
Then in the step:
```yaml
github-token: ${{ inputs.github-token || secrets.GITHUB_TOKEN }}
```
This is a non-breaking change. Existing callers without github-token continue to work as before.
Encountered while setting up generate_terraform_docs.yaml in canonical/landscape-saas-terraform.
Impact
Medium
Impact Rationale
Without this, CI does not run on terraform-docs PRs, which is the primary reason for automating documentation updates in CI.
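A variant of the proposal that takes the token as a declared secret instead of a string input, added here as an example and not part of the original issue or the project's workflow. GitHub does not expose the `secrets` context in `jobs.<job_id>.with` when calling a reusable workflow, so a caller cannot forward a stored PAT through an input. The secret name `pr-token`, the job names, the runner label, the caller's `TERRAFORM_DOCS_PAT` secret and the `<owner>/<repo>` and `<ref>` placeholders are assumptions.

```yaml
# --- Reusable workflow: generate_terraform_docs.yaml (relevant parts only) ---
on:
  workflow_call:
    secrets:
      pr-token:            # hypothetical name, not from the issue
        description: Token used to create the pull request. Pass a PAT to let CI trigger on the resulting PR.
        required: false    # optional, so existing callers are unaffected

jobs:
  terraform-docs:          # assumed job name
    runs-on: ubuntu-latest # assumed runner
    steps:
      # The workflow's existing checkout and terraform-docs steps stay unchanged.
      - name: Create pull request
        uses: canonical/create-pull-request@main
        with:
          # An unset secret evaluates to an empty string, so the expression
          # falls back to the default token when the caller passes nothing.
          github-token: ${{ secrets.pr-token || secrets.GITHUB_TOKEN }}

---
# --- Caller workflow in a consuming repository (constructed example) ---
on:
  push:
    branches: [main]

jobs:
  docs:
    # Placeholders: the issue does not name the repository hosting the workflow.
    uses: <owner>/<repo>/.github/workflows/generate_terraform_docs.yaml@<ref>
    secrets:
      # The secrets context is available here, unlike under `with:`.
      pr-token: ${{ secrets.TERRAFORM_DOCS_PAT }}
```

Because pull requests opened with the PAT do trigger workflows, keep that token scoped to the one repository that consumes it.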