In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and GCP.

Prerequisites

Create Action Secrets

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

  • GCP_CREDENTIALS - contents of your GCP Service Account Key json file
  • DIGGER_TOKEN - your Digger token (cloud or self-hosted)

Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the prod directory:

projects:
- name: production
  dir: prod

Create Github Actions workflow file

Place it at .github/workflows/digger_workflow.yml (name is important!)

name: Digger

on:
  workflow_dispatch:
    inputs:
      id:
        description: 'run identifier'
        required: false
      job:
        required: true
      comment_id:
        required: true
jobs:
  digger-job:
    name: Digger
    runs-on: ubuntu-latest
    permissions:    
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      statuses: write      # required to validate combined PR status
    steps:
    - uses: actions/checkout@v4
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
        create_credentials_file: true
    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'
    - name: 'Use gcloud CLI'
      run: 'gcloud info'
    - name: digger run
        uses: diggerhq/digger@latest
        with:
          setup-aws: false
          disable-locking: true
          digger-hostname: 'https://cloud.digger.dev'
          digger-organisation: 'digger'
          digger-token: ${{ secrets.DIGGER_TOKEN }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This file defines a workflow with 5 steps:

  • Checkout repository using Github’s official Checkout action
  • Authenticate into GCP using Google’s official Auth action. Note the create_credentials_file: true option; without it, subsequent steps that rely Application Default Credentials will not work.
  • Set up Google Cloud SDK for use in the subsequent steps via Google’s official Setup-gcloud action
  • Verify that GCP is configured correctly by running gcloud info
  • Run Digger. Note that DIGGER_TOKEN needs to be set as a secret in Actions (either repository secret, or environment secret)

Create a PR to verify that it works

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR:

Terraform will perform the following actions:

  # google_compute_instance.vm_instance will be created
  + resource "google_compute_instance" "vm_instance" {
      + can_ip_forward       = false
      + cpu_platform         = (known after apply)
      + current_status       = (known after apply)
      + deletion_protection  = false
      + guest_accelerator    = (known after apply)
      + id                   = (known after apply)
      
 ... (further content omitted)

Then you can add a comment like digger apply and shortly after apply output will be added as comment too.