Use this page to configure your .github/workflows/digger_workflow.yml after your smoke test passes.

1) Authentication for OpenTaco PR automation

Keep these environment variables in your Digger step so OpenTaco can process PR events and post comments:
- uses: diggerhq/digger@vLatest
  with:
    digger-spec: ${{ inputs.spec }}
  env:
    GITHUB_CONTEXT: ${{ toJson(github) }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

2) Install the IaC tools you use

Add the relevant setup flags in the Digger action:
- uses: diggerhq/digger@vLatest
  with:
    digger-spec: ${{ inputs.spec }}
    setup-opentofu: true
    opentofu-version: 1.10.3
  env:
    GITHUB_CONTEXT: ${{ toJson(github) }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

3) Configure OpenTaco state access (optional)

If your PR automation runs use OpenTaco State Management, configure TFE-compatible credentials in the workflow.
  1. Store your OpenTaco token as a GitHub Actions secret (for example TFE_TOKEN).
  2. Set the TFE hostname input for your IaC engine.
  3. Pass the matching TFE token input for your IaC engine.
- uses: diggerhq/digger@vLatest
  with:
    digger-spec: ${{ inputs.spec }}
    setup-opentofu: true
    opentofu-version: 1.10.3
    # OpenTaco state backend hostname
    opentofu-tfe-hostname: otaco.app
    # Token stored in GitHub Actions secrets
    opentofu-tfe-token: ${{ secrets.TFE_TOKEN }}
  env:
    GITHUB_CONTEXT: ${{ toJson(github) }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

4) Authenticate to cloud providers

Use one provider block per workflow.
- uses: diggerhq/digger@vLatest
  with:
    digger-spec: ${{ inputs.spec }}
    setup-aws: true
    # Option A (recommended): OIDC role assumption
    aws-role-to-assume: arn:aws:iam::123456789012:role/digger-gha-role
    aws-region: us-east-1
    # Option B: Static credentials
    # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  env:
    GITHUB_CONTEXT: ${{ toJson(github) }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Use either static keys or OIDC role assumption in a single workflow config, not both. See OIDC on AWS.
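Putting steps 1 to 4 together, the following complete workflow file is an added example, not a file from the Digger or OpenTaco docs. The workflow_dispatch trigger with its spec and run_name inputs, the checkout step and the permissions block are assumptions to check against your own setup; the role ARN is the placeholder from the snippet above.

```yaml
name: Digger Workflow
on:
  # Assumption: the workflow is dispatched with a spec input that the
  # digger step consumes as digger-spec
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false
run-name: '${{ inputs.run_name }}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    # Assumed least-privilege scopes: id-token is what makes OIDC role
    # assumption possible, pull-requests lets plan output be posted as
    # comments; widen only if a step reports a missing scope
    permissions:
      contents: read
      id-token: write
      pull-requests: write
      statuses: write
    steps:
      - uses: actions/checkout@v4
      # vLatest matches the docs; pinning to a release tag or commit SHA
      # makes the action version reproducible and reviewable
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-opentofu: true
          opentofu-version: 1.10.3
          # OpenTaco state backend (optional, step 3)
          opentofu-tfe-hostname: otaco.app
          opentofu-tfe-token: ${{ secrets.TFE_TOKEN }}
          # AWS via OIDC only: no aws-access-key-id / aws-secret-access-key
          # inputs alongside the role, per the note above
          setup-aws: true
          aws-role-to-assume: arn:aws:iam::123456789012:role/digger-gha-role  # placeholder
          aws-region: us-east-1
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```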

5) Set up caching

Start with default GitHub Actions cache behavior. If your repositories are large, add targeted caching using the guidance in Caching Strategies.

Next step

After updating your workflow, open a PR with a change to at least one project and verify that digger plan and digger apply still complete successfully.