My GitHub Actions workflow with OctoDNS

issue_comment.yml

name: Check comments for /commands

on:
  issue_comment:
    types: [created]

jobs:
  deploy:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      pull-requests: write
      deployments: write

    steps:
      - name: Check for /deploy command
        uses: xt0rted/[email protected]
        id: command
        continue-on-error: true
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          command: deploy
          reaction: true
          reaction-type: rocket
          allow-edits: false
          permission-level: admin

      - name: Get pull request branch
        uses: xt0rted/[email protected]
        if: steps.command.outputs.command-name == 'deploy'
        id: comment-branch

      - name: Start deployment
        uses: bobheadxi/[email protected]
        if: steps.command.outputs.command-name == 'deploy'
        with:
          step: start
          token: ${{ secrets.DEPLOYMENT_TOKEN }} # a PAT is required for the `deployment` workflow to be triggered
          env: production
          no_override: false
          ref: ${{ steps.comment-branch.outputs.head_ref }}

octodns-sync.yml

name: Deploy

on:
  deployment

env:
  AZURE_APPLICATION_ID: ${{ secrets.AZURE_APPLICATION_ID }}
  AZURE_AUTHENTICATION_KEY: ${{ secrets.AZURE_AUTHENTICATION_KEY }}
  AZURE_DIRECTORY_ID: ${{ secrets.AZURE_DIRECTORY_ID }}
  AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  AZURE_SUBSCRIPTION_ID_LETSPLANTIT: ${{ secrets.AZURE_SUBSCRIPTION_ID_LETSPLANTIT }}
  CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

jobs:
  publish:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      deployments: write

    steps:
      - name: Checkout repository
        uses: actions/[email protected]

      - name: Starting deployment
        uses: bobheadxi/[email protected]
        with:
          step: start
          token: ${{ secrets.GITHUB_TOKEN }}
          deployment_id: ${{ github.event.deployment.id }}
          env: ${{ github.event.deployment.environment }}

      - name: Run octodns-sync --doit
        uses: solvaholic/[email protected]
        with:
          config_path: ${{ github.event.deployment.environment }}.yaml
          doit: --doit

      - name: Finished deployment
        uses: bobheadxi/[email protected]
        if: always()
        with:
          step: finish
          token: ${{ secrets.GITHUB_TOKEN }}
          env_url: ${{ github.server_url }}/${{ github.repository }}/tree/${{ github.sha }}
          deployment_id: ${{ github.event.deployment.id }}
          status: ${{ job.status }}

octodns-validate.yml

name: Validate

on:
  pull_request_target:
  push:
    branches: [main]

env:
  AZURE_APPLICATION_ID: ${{ secrets.AZURE_APPLICATION_ID }}
  AZURE_AUTHENTICATION_KEY: ${{ secrets.AZURE_AUTHENTICATION_KEY }}
  AZURE_DIRECTORY_ID: ${{ secrets.AZURE_DIRECTORY_ID }}
  AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  AZURE_SUBSCRIPTION_ID_LETSPLANTIT: ${{ secrets.AZURE_SUBSCRIPTION_ID_LETSPLANTIT }}
  CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

jobs:
  linting:
    runs-on: ubuntu-latest

    permissions:
      contents: read

    steps:
      - name: Checkout repository
        uses: actions/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Run yamllint
        run: yamllint .

  validate:
    needs: linting

    if: github.event_name == 'pull_request_target'

    runs-on: ubuntu-latest

    permissions:
      contents: read
      deployments: write
      pull-requests: write

    steps:
      - name: Checkout repository
        uses: actions/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Run octodns-sync
        uses: solvaholic/[email protected]
        with:
          config_path: production.yaml

      - name: Get plan output
        id: meta
        run: |
          # Parse plan output into $_plan
          _plan="$(cat ${GITHUB_WORKSPACE}/octodns-sync.plan)"
          _plan="${_plan//'%'/'%25'}"
          _plan="${_plan//$'\n'/'%0A'}"
          _plan="${_plan//$'\r'/'%0D'}"
          # Set output 'plan' to $_plan
          echo "::set-output name=plan::${_plan}"
          # Set $_sha to the first 7 char of PR head SHA
          _sha="$(echo "${{ github.event.pull_request.head.sha }}" | cut -c 1-7)"
          # Set output 'sha' to $_sha
          echo "::set-output name=sha::${_sha}"

      - name: Find comment
        uses: peter-evans/[email protected]
        id: fc
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: github-actions[bot]
          body-includes: Automatically generated by octodns-sync

      - name: Add or update PR comment
        uses: peter-evans/[email protected]
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          body: |
            ## OctoDNS Plan for `${{ steps.meta.outputs.sha }}`

            ${{ steps.meta.outputs.plan }}

            Automatically generated by octodns-sync
          edit-mode: replace

pull-request-labels.yml

name: Labels

on:
  pull_request_target

permissions:
  contents: read
  pull-requests: write

jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

# My labeler.yml
#
# zones:
#   - zones/**
#   - production.yaml