In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.

Prerequisites

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

  • GCP_CREDENTIALS - contents of your GCP Service Account Key json file
  • DIGGER_TOKEN - your Digger token (cloud or self-hosted)

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
        uses: diggerhq/digger@latest
        with:
          setup-aws: false
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This file defines a workflow with 5 steps:

  • Checkout repository using Github’s official Checkout action
  • Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely Application Default Credentials will not work.
  • Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
  • Verify that GCP is configured correctly by running gcloud info
  • Run Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret)

Create a PR to verify that it works

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:

Terraform will perform the following actions:

  # google_compute_instance.vm_instance will be created
  + resource "google_compute_instance" "vm_instance" {
      + can_ip_forward       = false
      + cpu_platform         = (known after apply)
      + current_status       = (known after apply)
      + deletion_protection  = false
      + guest_accelerator    = (known after apply)
      + id                   = (known after apply)
      
 ... (further content omitted)

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.

In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.

Prerequisites

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

  • GCP_CREDENTIALS - contents of your GCP Service Account Key json file
  • DIGGER_TOKEN - your Digger token (cloud or self-hosted)

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
        uses: diggerhq/digger@latest
        with:
          setup-aws: false
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This file defines a workflow with 5 steps:

  • Checkout repository using Github’s official Checkout action
  • Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely Application Default Credentials will not work.
  • Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
  • Verify that GCP is configured correctly by running gcloud info
  • Run Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret)

Create a PR to verify that it works

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:

Terraform will perform the following actions:

  # google_compute_instance.vm_instance will be created
  + resource "google_compute_instance" "vm_instance" {
      + can_ip_forward       = false
      + cpu_platform         = (known after apply)
      + current_status       = (known after apply)
      + deletion_protection  = false
      + guest_accelerator    = (known after apply)
      + id                   = (known after apply)
      
 ... (further content omitted)

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.