In this tutorial, you will set up Digger to automate Terraform pull requests using GitHub Actions. This guide assumes you have completed Configure PR automation and workflows.

Prerequisites
1. Prerequisite: OpenTaco account setup

Complete Set up your OpenTaco account before continuing.
2. Prerequisite: GitHub App installed

Complete Set up GitHub App before continuing.
3. Create Action secrets with cloud credentials

In your GitHub repository settings, go to Secrets and variables > Actions and create the following secrets:
  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
You can also use OIDC for AWS authentication instead of long-lived access keys.
From the repository root (with the GitHub CLI installed):
```bash
# Set AWS credentials as repository Action secrets
gh secret set AWS_ACCESS_KEY_ID --body "$AWS_ACCESS_KEY_ID"
gh secret set AWS_SECRET_ACCESS_KEY --body "$AWS_SECRET_ACCESS_KEY"
```
4. Create digger.yml

This file contains the Digger configuration and must be placed at the root of your repository. Assuming your Terraform code is in the prod directory:
```yaml
projects:
- name: production
  dir: prod
```
5. Create the GitHub Actions workflow file

Place it at .github/workflows/digger_workflow.yml (the file name is important):
```yaml
name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          setup-terraform: true
          terraform-version: 1.5.5
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
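Step 3 mentions that OIDC can replace static AWS access keys, and the workflow above already grants `id-token: write` for that purpose. The following is an added variant of the same workflow (example configuration, not from the Digger or OpenTaco documentation) that exchanges the job's GitHub OIDC token for short-lived AWS credentials with `aws-actions/configure-aws-credentials`, so no AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets need to exist in the repository. It assumes an IAM role (the ARN below is a placeholder) whose trust policy already allows the GitHub OIDC provider for this repository, and that the Terraform AWS provider picks up the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables that the credentials action exports, so the Digger step's `setup-aws` inputs are omitted (assumption about Digger's behaviour, not something the page states).

```yaml
name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # lets this job request an OIDC token to present to AWS
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for temporary AWS credentials.
      # The role ARN is a placeholder (assumption: its trust policy already
      # permits token.actions.githubusercontent.com for this repository).
      # The action exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
      # AWS_SESSION_TOKEN and AWS_REGION into the job environment.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/DIGGER_ROLE_PLACEHOLDER
          aws-region: us-east-1

      # Same Digger step as above, minus the static-key inputs; Terraform's AWS
      # provider reads the temporary credentials from the environment
      # (assumption: Digger needs no setup-aws when credentials are already present).
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-terraform: true
          terraform-version: 1.5.5
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With this variant the credentials used by terraform plan and apply expire after the role session ends, so there is nothing long-lived to rotate or to leak through the repository's secret store; the only thing to keep narrow is the IAM role's trust policy, which should restrict the allowed `sub` claim to this repository (and, ideally, to the branch or environment you expect to run Digger from).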
6. Create a PR to verify that it works

Make any change to your Terraform code, e.g. add a blank line, and open a pull request. Digger will run a Terraform plan against your code. An Action run should start (you can see the log output under Actions), and after some time the output of terraform plan should be added as a comment to your PR.
If you forked one of the demo repositories, you will need to enable Actions in your repository.
Then you can add a comment like digger apply, and shortly after the apply output will be added as a comment too.