chore(deps): update suzuki-shunsuke/tfaction action to v2 (.github/workflows) #883

Open
renovate[bot] wants to merge 1 commit into main from renovate/github/workflows-suzuki-shunsuke-tfaction-2.x

@renovate renovate Bot commented May 27, 2026

This PR contains the following updates:

Package | Type | Update | Change
suzuki-shunsuke/tfaction | action | major | v1.15.5 → v2.0.1
suzuki-shunsuke/tfaction | action | major | v1.15.2 → v2.0.1

Release Notes

suzuki-shunsuke/tfaction (suzuki-shunsuke/tfaction)

v2.0.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v2.0.0...v2.0.1 | Base revision

🐛 Bug Fixes

#​4018 Fix outdated documentation links

v2.0.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.20.1...v2.0.0 | Base revision

Finally, tfaction v2 is out 🎉

v1.20.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.20.0...v1.20.1 | Base revision

🐛 Bug Fixes

#​3164 Fix a bug that update branch is run without Client/Server Model even if Securefix Action is enabled.

If Securefix Action is disabled, you can ignore this update.

tfaction-root.yaml

securefix_action:
  server_repository: securefix-action-server
  pull_request:
    base_branch: main

If Securefix Action is enabled, all commits should be created by Client/Server Model.

[!WARNING]
You need to set up Update Branch Action's server workflow in the same repository with Securefix Action.

v1.20.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.5...v1.20.0 | Base revision

Features

#​3150 plan, terraform-plan: Add the output skipped. This output is true if terraform plan is skipped

🐛 Bug Fixes

#​3150 plan: Fix a bug that outputs plan_binary_path and plan_json_path are empty if tfmigrate is run

v1.19.5

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.4...v1.19.5 | Base revision

🐛 Bug Fixes

#​3062 Fix a bug that list-targets fails if update_local_path_module_caller is true and too many modules are called.

The error Argument list too long occurs.

Error: An error occurred trying to start process '/home/runner/actions-runner/cached/externals/node20/bin/node' with working directory '/home/runner/work/terraform/terraform'. Argument list too long

Cause

list-module-callers passes the list of modules by action's input, but too long input value causes the above error.
We guess this is due to the OS limitation.

Solution

To solve the problem, this pull request changes how to pass the list of modules.
By this change, tfaction passes the list of modules through a temporary file.
tfaction writes the list to a temporary file, then the subsequent step reads it.

v1.19.4

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.3...v1.19.4 | Base revision

Features

#​3048 Update the default versions of ci-info, tfcmt, and github-comment to support CodeBuild-hosted GitHub Actions runner

v1.19.3

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.2...v1.19.3 | Base revision

Improvement

#​3023 Improve the pull request body of follow-up PRs

Embed the description of the original pull request into the description of follow-up PRs.

v1.19.2

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.1...v1.19.2 | Base revision

🐛 Bug Fixes

#​2980 Fix a bug that generate-config-out fails due to checksum inconsistency
#​2983 Fix a bug that list-module-callers if Terragrunt v0.85.0 or later is used

v1.19.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.19.0...v1.19.1 | Base revision

🐛 Bug Fixes

#​2953 Fix a bug that replace doesn't work

v1.19.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.18.3...v1.19.0 | Base revision

Features

#​2947 Add assignees from the original PR to follow-up PRs

Follow-up PRs should be handled by assignees of the original PR.

v1.18.3

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.18.2...v1.18.3 | Base revision

🐛 Bug Fixes

#​2931 scaffold-working-dir, generate-config-out: Fix a bug that TFACTION_TARGET is empty

v1.18.2

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.18.1...v1.18.2 | Base revision

🐛 Bug Fixes

#​2907 Fix a bug that follow-up PRs aren't created

v1.18.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.18.0...v1.18.1 | Base revision

🐛 Bug Fixes

#​2906 Fix a bug that follow-up PRs aren't created

v1.18.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.17.0...v1.18.0 | Base revision

Features

#​2777 #​2780 #​2785 #​2789 #​2792 #​2793 #​2794 #​2796 #​2833 #​2838 Support creating commits and pull requests by Securefix Action

You can fix and generate code and create pull requests by Securefix Action.
By default, tfaction fixes and generates code and creates pull requests using a GitHub access token passed by the input github_token, so the token requires contents:write permission.

Securefix Action can fix and generate code and create pull requests more securely.
For more details, please see the document of Securefix Action.

Requirements

Securefix Action v0.2.0 or newer is required.
Please set up Securefix Action according to the document.

How to use
  1. Enable this feature by tfaction-root.yaml

securefix:
  server_repository: securefix
  pull_request:
    base_branch: main

  2. Pass Securefix Action Client App id and private key to actions

- uses: suzuki-shunsuke/tfaction/setup@latest
  id: setup
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/test@latest
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/plan@latest
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/create-follow-up-pr@latest
  if: failure()
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/create-scaffold-pr@latest
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/scaffold-tfmigrate@latest
  with:
    github_token: ${{steps.token.outputs.token}}
    migration_name: ${{inputs.migration_name}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/create-scaffold-module-pr@latest
  with:
    github_token: ${{steps.token.outputs.token}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}
- uses: suzuki-shunsuke/tfaction/generate-config-out@latest
  env:
    GITHUB_TOKEN: ${{steps.token.outputs.token}}
  with:
    github_token: ${{steps.token.outputs.token}}
    branch: ${{inputs.branch}}
    file: ${{inputs.file}}
    securefix_action_app_id: ${{vars.SECUREFIX_ACTION_CLIENT_APP_ID}}
    securefix_action_app_private_key: ${{secrets.SECUREFIX_ACTION_CLIENT_APP_PRIVATE_KEY}}

  3. Configuration of Securefix Action Server

entries:
  - client:
      repositories:
        - suzuki-shunsuke/tfaction-example
      branches:
        - main
    push:
      repositories:
        - suzuki-shunsuke/tfaction-example
      branches:
        - "**"
    pull_request:
      base_branches:
        - main

🛡️ Security

Pin actions
Stop removing release branches

Pin actions

tfaction is composed of various actions, and they depend on each other.
For example, suzuki-shunsuke/tfaction/plan depends on suzuki-shunsuke/tfaction/terraform-plan, and suzuki-shunsuke/tfaction/terraform-plan depends on suzuki-shunsuke/tfaction/conftest.

Please see https://github.com/suzuki-shunsuke/tfaction/blob/v1.17.0/plan/action.yaml
suzuki-shunsuke/tfaction/plan@​v1.17.0 depends on suzuki-shunsuke/tfaction/terraform-plan@​v1.17.0, but the version of terraform-plan isn't pinned by full length commit SHA.
So even if you pin suzuki-shunsuke/tfaction/plan using full length commit SHA, terraform-plan isn't pinned by full length commit SHA.
This was a security concern when tfaction tags are compromised.

As of this release, the release flow of tfaction was improved and all dependent actions are pinned.
Please see https://github.com/suzuki-shunsuke/tfaction/blob/v1.18.0/plan/action.yaml

Stop removing release branches

When tfaction was released, the release branch was created but it was removed after the release tag was created.
But by removing release branches, the following warning was shown.

Please see https://github.com/suzuki-shunsuke/tfaction/tree/v1.17.0

This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

This confused users, and even if commit SHA was compromised using SHA of fork repositories, it was hard to find it.

So we stopped removing release branches.

https://github.com/suzuki-shunsuke/tfaction/tree/v1.18.0

v1.17.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.16.1...v1.17.0 | Base revision

Features

#​2744 Support limiting the number of changed working directories and modules in one pull request

Please see the document.

You can limit the number of changed working directories and modules in one pull request.
By default, there is no limit.

Why is the limit necessary?

You shouldn't change many working directories and modules in one pull request.

  • It's difficult to review many changes. You can miss unexpected changes
  • CI becomes unstable
    • API rate limit
  • Inefficient
    • If you fix a directory, you need to run CI on all changed directories
  • Changes can be blocked due to a directory
    • If a directory has some trouble like drift, you can't merge the pull request

How to limit

tfaction-root.yaml

limit_changed_dirs:
  working_dirs: 5 # The maximum number of changed working directories in one pull request
  modules: 5 # The maximum number of changed modules in one pull request

If working_dirs and modules are less than 1, they are ignored.

How to resolve the failure

If CI fails due to this limit, you have two options:

  1. Split changes to multiple pull requests
  2. Fix tfaction-root.yaml and increase the limit. If you want to disable the limit, remove limit_changed_dirs or change working_dirs and modules to 0

limit_changed_dirs:
  working_dirs: 0 # no limit
  modules: 0 # no limit

v1.16.1

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.16.0...v1.16.1 | Base revision

Bug Fixes

#​2471 create-scaffold-pr: install ghcp

v1.16.0

Compare Source

Issues | Pull Requests | suzuki-shunsuke/tfaction@v1.15.5...v1.16.0 | Base revision

Features

#​2431 Follow-up PR Group Labels

This feature is disabled by default.

You can add pull request labels to group original pull requests and follow-up pull requests.

tfaction-root.yaml:

follow_up_pr_group_label:
  enabled: true # The default is false
  prefix: "tfaction:follow-up-pr-group/"

When the apply workflow fails, a pull request label is created and is added to an original pull request and new follow-up pull requests.
If the apply workflow fails again when a follow-up pull request is merged, a follow-up PR Group label of the follow-up pull request is added to a new follow-up pull request.
For instance, let's say a pull request #100 fails, and a follow-up PR #110 is created.
And a follow-up PR #110 fails, and a follow-up PR #120 is created.
In this case, a follow-up PR group label tfaction:follow-up-pr-group/100 is added to pull requests #100, #110, and #120.
These pull requests are grouped by a label tfaction:follow-up-pr-group/100.
You can search pull requests by label.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-2.x branch from 66330c2 to 5ba3cf6 Compare May 28, 2026 17:41
@renovate renovate Bot force-pushed the renovate/github/workflows-suzuki-shunsuke-tfaction-2.x branch from 5ba3cf6 to 44aaa19 Compare June 3, 2026 02:13
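
The "Pin actions" note in the v1.18.0 release notes above describes a caller pinned by commit SHA whose internal `uses:` reference is still a tag. The following Python sketch is an added example, not part of this PR or of tfaction, that flags such references in workflow and composite-action YAML; the SHA, the `./local-helper` step and both YAML samples are constructed for illustration.

```python
import re

# `uses:` entries in workflow or composite-action YAML, with optional list dash and quotes.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^"'\s#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_uses(yaml_text):
    """Return (reference, reason) for every remote action not pinned to a full-length commit SHA."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        ref = match.group(1)
        # Local actions come from the already checked-out commit; Docker images are
        # pinned by digest, which this sketch does not cover.
        if ref.startswith(("./", "docker://")):
            continue
        _, sep, version = ref.partition("@")
        if not sep:
            findings.append((ref, "no ref"))
        elif not FULL_SHA_RE.fullmatch(version):
            findings.append((ref, "mutable ref (tag or branch)"))
    return findings


# Constructed samples. The SHA is a placeholder, not a real tfaction commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

WORKFLOW = f"""
jobs:
  plan:
    steps:
      - uses: suzuki-shunsuke/tfaction/setup@latest
      - uses: suzuki-shunsuke/tfaction/plan@{PLACEHOLDER_SHA} # v1.17.0
"""

# Constructed composite action illustrating the v1.17.0 situation described above:
# the caller is SHA-pinned, but the action it calls internally is referenced by tag.
COMPOSITE_ACTION = """
runs:
  using: composite
  steps:
    - uses: suzuki-shunsuke/tfaction/terraform-plan@v1.17.0
    - uses: ./local-helper
"""

if __name__ == "__main__":
    for name, text in (("workflow", WORKFLOW), ("plan/action.yaml", COMPOSITE_ACTION)):
        for ref, reason in audit_uses(text):
            print(f"{name}: {ref}: {reason}")
```

Running the same check over the `action.yaml` of every action a workflow calls is what surfaces the transitive case; checking only the top-level workflow would report the SHA-pinned `plan` step as clean.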