In this tutorial, you will set up Digger to automate OpenTofu pull requests using GitHub Actions.
This guide assumes you have completed Configure PR automation and workflows.
Prerequisites
- A GitHub repository with valid OpenTofu code
- Your cloud provider credentials (created as Action Secrets in the next section)
- OpenTaco account setup
- GitHub App installed
Create Action Secrets with cloud credentials
In your GitHub repository settings, go to Secrets and Variables - Actions and create the following secrets for your cloud provider:

AWS:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
You can also use OIDC for AWS authentication.

GCP:
- GCP_CREDENTIALS - contents of your GCP Service Account Key JSON file
You can also use OIDC for GCP authentication.

Azure:
- AZURE_CLIENT_ID - your Azure App Registration Client ID
- AZURE_TENANT_ID - your Azure Tenant ID
- AZURE_SUBSCRIPTION_ID - your Azure Subscription ID
You will need to configure OIDC authentication by setting up federated credentials in your Azure App Registration. See Azure OIDC setup for details.

Create digger.yml
This file contains the Digger configuration and must be placed at the root of your repository. Assuming your OpenTofu code is in the prod directory:

```yaml
projects:
  - name: production
    dir: prod
    opentofu: true
```
Create Github Actions workflow file
Place it at .github/workflows/digger_workflow.yml (the file name is important!).

AWS:

```yaml
name: Digger Workflow
on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false
run-name: '${{inputs.run_name}}'
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          setup-opentofu: true
          opentofu-version: 1.10.3
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
GCP:

```yaml
name: Digger
on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false
run-name: '${{inputs.run_name}}'
jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - id: 'auth'
        uses: 'google-github-actions/auth@v1'
        with:
          credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
          create_credentials_file: true
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      - name: 'Use gcloud CLI'
        run: 'gcloud info'
      - name: digger run
        uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: false
          setup-opentofu: true
          opentofu-version: 1.10.3
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
This workflow includes additional steps for GCP:
- Authenticate to GCP using Google's official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely on Application Default Credentials will not work.
- Set up the Google Cloud SDK for use in the subsequent steps via Google's official Setup-gcloud action.
- Verify that GCP is configured correctly by running gcloud info.
Azure:

```yaml
name: Digger Workflow
on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false
run-name: '${{inputs.run_name}}'
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-azure: true
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          setup-opentofu: true
          opentofu-version: 1.10.3
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```
This workflow uses Azure OIDC authentication, which requires:
- Setting up federated credentials in your Azure App Registration for GitHub Actions
- The id-token: write permission for workload identity federation
- ARM_* environment variables for the Azure Terraform provider
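All three workflow variants above share the same permissions block and pass every credential through a ${{ secrets.* }} reference rather than a literal. The following is an added example, not code from this page or from the Digger project, of a small pre-commit style check that enforces those two properties on a workflow file, plus the documented file path. It uses only the Python standard library (no YAML parser), so it is a line-based check that handles the "key: value # comment" and quoted-value forms seen in the workflows above; the GOOD_WORKFLOW and BAD_WORKFLOW strings are constructed here, trimmed from the AWS variant, and the AKIA_PLACEHOLDER_NOT_REAL value is a made-up literal, not a real key.

```python
import re

# Permission scopes the tutorial's digger_workflow.yml declares, with the level
# each one needs; anything weaker breaks a Digger feature (PR comments, plan
# persistence, OIDC token exchange, status checks, merging).
REQUIRED_PERMISSIONS = {
    "contents": "write",
    "actions": "write",
    "id-token": "write",
    "pull-requests": "write",
    "issues": "read",
    "statuses": "write",
}

# Inputs and env vars that must only ever be fed from GitHub Actions secrets.
# Key names are those used by the AWS, GCP and Azure variants in the tutorial.
SECRET_KEYS = {
    "aws-access-key-id", "aws-secret-access-key", "credentials_json",
    "azure-client-id", "azure-tenant-id", "azure-subscription-id",
    "ARM_CLIENT_ID", "ARM_TENANT_ID", "ARM_SUBSCRIPTION_ID", "GITHUB_TOKEN",
}

EXPECTED_PATH = ".github/workflows/digger_workflow.yml"

# A value of the form ${{ secrets.NAME }}, optionally quoted as in the GCP step.
SECRET_REF = re.compile(r"""^['"]?\$\{\{\s*secrets\.[A-Za-z_]\w*\s*\}\}['"]?$""")
# "key: value" with an optional "- " list marker and an optional trailing comment.
KV = re.compile(r"^\s*-?\s*([A-Za-z_][\w-]*):\s*(.*?)\s*(?:#.*)?$")


def lint_workflow(text: str) -> list:
    """Return a list of findings; an empty list means the workflow passes."""
    findings = []
    perms = {}          # scope -> level collected under the permissions: block
    perm_indent = None  # indentation of 'permissions:' while inside that block
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV.match(line)
        if not m:
            continue
        indent = len(line) - len(line.lstrip())
        key, value = m.group(1), m.group(2)
        if perm_indent is not None:
            if indent > perm_indent:
                perms[key] = value  # one scope entry, comment already stripped
                continue
            perm_indent = None      # block ended with this less-indented line
        if key == "permissions":
            if value:  # shorthand such as 'permissions: write-all'
                findings.append("line %d: declare permission scopes explicitly, not '%s'" % (lineno, value))
            else:
                perm_indent = indent
            continue
        if key in SECRET_KEYS and value and not SECRET_REF.match(value):
            findings.append("line %d: '%s' is a literal, not a ${{ secrets.* }} reference" % (lineno, key))
    for scope, level in REQUIRED_PERMISSIONS.items():
        actual = perms.get(scope)
        if actual is None:
            findings.append("permissions: missing '%s: %s'" % (scope, level))
        elif actual != level:
            findings.append("permissions: '%s' is '%s', expected '%s'" % (scope, actual, level))
    return findings


def check_workflow_path(path: str) -> bool:
    """Digger only picks up the workflow at the documented path and file name."""
    return path.replace("\\", "/") == EXPECTED_PATH


# Constructed sample: the tutorial's AWS variant, trimmed to the essentials.
GOOD_WORKFLOW = """
name: Digger Workflow
on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write # required to merge PRs
      actions: write # required for plan persistence
      id-token: write # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read # required to check if PR number is an issue or not
      statuses: write # required to validate combined PR status
    steps:
      - uses: actions/checkout@v4
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed broken variant: id-token dropped, statuses downgraded, and a
# (fake, placeholder) access key pasted in as a literal.
BAD_WORKFLOW = (
    GOOD_WORKFLOW
    .replace("      id-token: write # required for workload-identity-federation\n", "")
    .replace("statuses: write", "statuses: read")
    .replace("${{ secrets.AWS_ACCESS_KEY_ID }}", "AKIA_PLACEHOLDER_NOT_REAL")
)

if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(label, lint_workflow(wf) or "OK")
```

Run it over the workflow file before committing (or wire it into a pre-commit hook); the bad sample produces three findings, one per mistake, while the good sample produces none.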
Create a PR to verify that it works
Digger will run an OpenTofu plan against your code. Make any change to your OpenTofu code, e.g. add a blank line, and open a pull request. An action run should start (you can see the log output under Actions). After some time you should see the output of OpenTofu Plan added as a comment to your PR. Then you can add a comment like digger apply, and shortly afterwards the apply output will be added as a comment too.
Demo repositories