Release Note
Summary
tfaction v2 introduces several breaking changes, and all users will need to update their code.
However, the required changes should not be particularly difficult.
tfaction, which was previously a collection of many actions, has been completely rewritten as a single JavaScript Action.
It now switches between functionalities such as plan, apply, and test using the action input.
This redesign significantly improves both performance and maintainability.
In addition, tfaction v2 includes new features such as the introduction of a template engine, support for customizing Reviewdog, and the official release of the target replacement feature.
⚠️ Breaking Changes
We wrote the upgrade guide.
In this section, we describe additional breaking changes.
Abandon target labels
The feature that allowed CI to run for a specified target by adding a label like target:<target> to a PR—without any code changes—has been removed.
This feature was subtly convenient, and we occasionally used it ourselves.
However, we determined that it poses a governance risk, as it allows terraform apply—and therefore infrastructure changes—to be executed without a code change and without Code Owner review.
💪 Improvement
- Improve Performance
- Improve Maintainability
- Support customizing Reviewdog Settings
- Support replace_target
- Install aqua automatically
- Support customizing PR title, body, and comment when creating PRs
- Update pull request branches automatically if working directories are changed in base branches
Performance Improvement
Previously, suzuki-shunsuke/tfaction/* (except for suzuki-shunsuke/tfaction/js) consisted of multiple Composite Actions.
In v2, they are consolidated into a single JavaScript Action: suzuki-shunsuke/tfaction.
This significantly reduces the time spent downloading actions and shortens the execution time of the Set up job step, which is always run first in every GitHub Actions job.
Depending on the environment, we observed a reduction of approximately 20–40 seconds.
Rewriting everything as a single JavaScript Action also eliminates the overhead between Composite Action steps.
In addition, replacing external command executions with JavaScript results in further, smaller performance improvements.
The removal of built-in AWS and Google Cloud authentication is also related to performance optimization.
Due to how GitHub Actions works, actions are downloaded during the Set up job step even if the step that uses them is later skipped.
This means that authentication actions such as aws-actions/configure-aws-credentials and google-github-actions/auth would still be downloaded even when they are not needed, resulting in unnecessary overhead.
While it would be possible to embed the functionality of these actions directly into tfaction’s TypeScript code to avoid downloading them, doing so would significantly increase maintenance complexity.
Therefore, this approach was intentionally avoided.
Instead, users are now expected to run these authentication actions only when needed.
This also provides greater flexibility in how authentication is handled compared to previous versions.
Improved Maintainability
Rewriting all the code in TypeScript has significantly improved maintainability.
Previously, tfaction was implemented as a Composite Action, which required passing data between steps via inputs/outputs and environment variables.
However, these interfaces have very limited type support.
Only strings are supported, so data must be serialized.
In addition, it is difficult to catch mistakes in input/output names or types before execution.
There are also size limits on the data that can be passed, which means large data must be handled via temporary files.
By contrast, implementing everything in TypeScript allows us to fully leverage TypeScript’s strong type system and its tight integration with editors.
This makes it much easier to catch mistakes early, benefit from autocompletion, and write unit tests.
🐶 Support for Customizing Reviewdog Configuration
You can now customize the Reviewdog configuration used to report results from tools like trivy and tflint.
One particularly important improvement is that the --filter-mode option is now configurable.
Previously, it was fixed to --filter-mode nofilter, which meant that findings were reported even for code that was not changed in the pull request.
By setting --filter-mode to added, only code modified in the PR will be checked.
Each approach has its pros and cons, and neither is universally better.
However, using nofilter can make initial adoption more difficult, so in some cases added may be the more practical choice.
Official Release of replace_target
replace_target is a feature that allows more flexible replacement from working_directory to target using regular expressions.
This feature has actually existed for some time, but it was treated as unofficial and undocumented because tfaction-go did not support it.
Now that support has been added, replace_target is officially released.
```yaml
replace:
  patterns:
    # Replace /services/ with / : e.g. github/services/foo => github/foo
    - regexp: /services/
      replace: /
    # Replace /production$ with /prod
    - regexp: /production$
      replace: /prod
    # Remove the prefix `google-` : e.g. foo/google-users/production => foo/users/prod
    - regexp: /google-(.*)/
      replace: "/$1/"
      flags: g
```
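The sample patterns above, applied to a few constructed working directories, as an added example that is not tfaction's own code. It assumes each pattern is applied in the listed order to the previous result with JavaScript RegExp semantics; `toTarget` and `findCollisions` are hypothetical helper names. It also reports working directories that collapse to the same target, which is worth checking before adopting a pattern set.

```javascript
// Patterns copied from the replace_target sample in this release note.
const patterns = [
  { regexp: "/services/", replace: "/" },
  { regexp: "/production$", replace: "/prod" },
  { regexp: "/google-(.*)/", replace: "/$1/", flags: "g" },
];

// Assumption: every pattern runs in listed order, each on the previous result.
function toTarget(workingDirectory, pats = patterns) {
  return pats.reduce(
    (s, p) => s.replace(new RegExp(p.regexp, p.flags ?? ""), p.replace),
    workingDirectory
  );
}

// Group working directories by resulting target and return only the
// targets that more than one directory maps to.
function findCollisions(dirs, pats = patterns) {
  const byTarget = new Map();
  for (const d of dirs) {
    const t = toTarget(d, pats);
    byTarget.set(t, [...(byTarget.get(t) ?? []), d]);
  }
  return [...byTarget].filter(([, ds]) => ds.length > 1);
}

// Constructed sample directories (not taken from a real repository).
const sampleDirs = [
  "github/services/foo",         // /services/ is collapsed
  "github/foo",                  // already in target form: collides with the line above
  "foo/google-users/production", // two patterns apply, one after the other
  "aws/production/network",      // /production$ is anchored, so this is unchanged
];

for (const d of sampleDirs) {
  console.log(`${d} => ${toTarget(d)}`);
}
for (const [target, dirs] of findCollisions(sampleDirs)) {
  console.log(`collision on ${target}: ${dirs.join(", ")}`);
}
```

A non-empty result from `findCollisions` means two directories would share one target name, so the pattern set needs tightening before use.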
Automatic Installation of aqua
tfaction now installs aqua automatically, so users no longer need to install aqua themselves.
That said, the aqua version is hard-coded and cannot be changed.
This makes it easier to adopt tfaction even in environments where aqua is not already in use.
Update pull request branches automatically if working directories are changed in base branches
The setup action automatically updates pull request branches if working directories are changed in base branches.
No additional setting is necessary.
🐛 Bug Fixes
- Properly catch exceptions in Node.js
- Support Terragrunt v0.88.0 and later
- Fix an issue where the results of terragrunt plan and terragrunt apply could not be parsed
- Fix an issue where tfaction did not work correctly when tfaction-root.yaml was located in a subdirectory
- Fix an issue where tfaction did not work correctly when the repository was checked out outside of GITHUB_WORKSPACE
- Fix an issue where minimum_detection_interval for drift detection could not be set to 0
Support Terragrunt v0.88.0 and later
Fixed an issue where tfaction did not work with Terragrunt v0.88.0.
It should also continue to work with older Terragrunt versions prior to v0.73.0, which do not support terragrunt run.
Fix an issue where the results of terragrunt plan and terragrunt apply could not be parsed
https://suzuki-shunsuke.github.io/tfcmt/terragrunt
Originally, this issue could be worked around by users setting the TERRAGRUNT_LOG_DISABLE environment variable to true.
tfaction now sets this environment variable automatically.
Others
- Changed generated branch names to replace slashes (/) with underscores (__)
  - Using / in branch names can cause issues, so this has been changed