fix postsubmit job

Author: cpanato

.github/workflows/.terraform.yaml

@@ -31,6 +31,19 @@ on:
         default: ''
         type: string
         description: 'The Octo STS identity name'
+      slack_channel:
+        required: false
+        type: string
+        default: ''
+        description: Slack channel to post failure alert to. Will alert only when non-empty channel specified.
+
+    secrets:
+      SLACK_WEBHOOK:
+        required: false
+        description: Secret for accessing Slack
+
+permissions:
+  contents: read
 
 jobs:
   terraform:
@@ -45,10 +58,11 @@ jobs:
       PROJECT_ID: ${{ inputs.project_id }}
       TF_PLAN_BIN: 'plan.tmp'
       TF_PLAN_OUT: 'plan.out'
+      WORKING_DIR: ${{ inputs.working_directory }}
 
     defaults:
       run:
-        working-directory: "${{ inputs.working_directory }}"
+        working-directory: "${{ env.WORKING_DIR }}"
 
     steps:
       - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -86,7 +100,7 @@ jobs:
       - name: Setup terraform
         uses: 'hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36' # v3.0.0
         with:
-          terraform_version: 1.6
+          terraform_version: 1.9
 
       - name: Terraform fmt
         id: fmt
@@ -214,3 +228,16 @@ jobs:
       - name: Terraform Apply
         if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
         run: terraform apply -auto-approve -input=false "${{ env.TF_PLAN_BIN }}"
+
+      - uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2
+        if: ${{ failure() }}
+        env:
+          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
+          SLACK_USERNAME: guardian
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_CHANNEL: 'octo-sts-alerts' # Use a channel
+          SLACK_COLOR: '#8E1600'
+          MSG_MINIMAL: 'true'
+          SLACK_TITLE: Deploying OctoSTS to Cloud Run failed
+          SLACK_MESSAGE: |
+            For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/deploy.yaml

@@ -15,31 +15,16 @@ concurrency:
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
-
     if: github.repository == 'octo-sts/app'
-
+    uses: ./.github/workflows/.terraform.yaml
     permissions:
       contents: read  # clone the repository contents
       id-token: write # federates with GCP
-
-    steps:
-      - uses: ./.github/workflows/.terraform.yaml
-        with:
-          project_id: 'octo-sts'
-          workload_identity_provider: 'projects/96355665038/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
-          service_account: '[email protected]'
-          working_directory: ./iac
-
-      - uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2
-        if: ${{ failure() }}
-        env:
-          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
-          SLACK_USERNAME: guardian
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-          SLACK_CHANNEL: 'octo-sts-alerts' # Use a channel
-          SLACK_COLOR: '#8E1600'
-          MSG_MINIMAL: 'true'
-          SLACK_TITLE: Deploying OctoSTS to Cloud Run failed
-          SLACK_MESSAGE: |
-            For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    with:
+      project_id: 'octo-sts'
+      workload_identity_provider: 'projects/96355665038/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
+      service_account: '[email protected]'
+      working_directory: ./iac
+      slack_channel: 'octo-sts-alerts'
+    secrets:
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}