terraform.yml

---
name: Terraform

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/terraform.yml
      - terraform/**
  push:
    branches:
      - main
    paths:
      - .github/workflows/terraform.yml
      - terraform/**

permissions: read-all

jobs:
  detect-changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    outputs:
      components: ${{ steps.detect_changes.outputs.changes }}
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Build path-filters file
        id: build_path_filters
        run: bash scripts/path-filter/configuration-generator.sh terraform

      - name: Detect changes
        id: detect_changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: .github/path-filter/terraform.yml

  terraform-workflow:
    if: ${{ needs.detect-changes.outputs.components != '[]' }}
    needs: [detect-changes]
    name: Reusable Workflow
    permissions:
      contents: read
      id-token: write
      security-events: write
      pull-requests: write
    strategy:
      fail-fast: false
      matrix:
        component: ${{ fromJson(needs.detect-changes.outputs.components) }}
    uses: ./.github/workflows/reusable-workflow-terraform.yml
    with:
      component: ${{ matrix.component }}
    secrets: inherit