From db1647bb314c7ceb3ec135bc90d8c04609544db6 Mon Sep 17 00:00:00 2001
From: Ben Vincent <ben@unkin.net>
Date: Fri, 17 Oct 2025 10:29:55 +1100
Subject: [PATCH] feat: add build job

- add build job that runs `make plan`
- enable provider caching
---
 .gitea/workflows/build.yaml | 33 +++++++++++++++++++++++++++++++++
 Makefile                    |  5 +++--
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 .gitea/workflows/build.yaml

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
new file mode 100644
index 0000000..d610b2a
--- /dev/null
+++ b/.gitea/workflows/build.yaml
@@ -0,0 +1,33 @@
+---
+name: Build
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: almalinux-8
+    container:
+      image: git.unkin.net/unkin/almalinux9-actionsdind:latest
+      options: --privileged
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Fetch master branch
+        run: |
+          git fetch origin master:master
+
+      - name: Show changed files
+        run: |
+          git diff --name-only master
+
+      - name: Run Terraform Plan
+        env:
+          VAULT_ROLEID: ${{ secrets.TERRAFORM_INCUS_VAULT_ROLEID }}
+        run: |
+          ls -lh ~/.config/incus
+          make plan
diff --git a/Makefile b/Makefile
index e42187b..db3f486 100644
--- a/Makefile
+++ b/Makefile
@@ -5,12 +5,13 @@ ENV_DIR = environments/$(ENVIRONMENT)
 .PHONY: clean init plan apply venv hiera output
 
 define vault_env
-	@export VAULT_ADDR="https://vault.service.consul:8200" && \
+	export VAULT_ADDR="https://vault.service.consul:8200" && \
 	export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID) && \
 	export PUPPET_CERT_CA=$$(vault kv get -field=public_key kv/service/puppet/certificates/ca) && \
 	export PUPPET_CERT_PUB=$$(vault kv get -field=public_key kv/service/puppet/certificates/terraform) && \
 	export PUPPET_CERT_PRIV=$$(vault kv get -field=private_key kv/service/puppet/certificates/terraform) && \
 	export TG_QUEUE_EXCLUDE_DIR="templates/base" && \
+	export TG_PROVIDER_CACHE=1 && \
 	export $$(vault read -format=json kv/data/service/terraform/incus | jq -r '.data.data | to_entries[] | "\(.key)=\(.value)"')
 endef
 
@@ -22,7 +23,7 @@ clean:
 	@rm -rf .venv
 
 init:
-	@$(call vault_env) && \
+	$(call vault_env) && \
 	terragrunt run --all --non-interactive init -- -upgrade
 
 plan: init