From a932a0215b0cc24564d269816298aff2cec1e052 Mon Sep 17 00:00:00 2001
From: j4y <36337+j4y@users.noreply.github.com>
Date: Sun, 31 May 2026 09:23:05 -0400
Subject: [PATCH] chore(ci): auto-commit module terraform lockfile and remove live lockfile
- add CI step to automatically commit updated .terraform.lock.hcl in module
- remove incorrect lockfile from terragrunt/live/website
- ensure init --upgrade no longer produces drift in live folders
- maintain deterministic deploys while allowing provider upgrades
---
 .github/workflows/deploy.yml | 18 ++++++++++++++++++
 terragrunt/live/website/.terraform.lock.hcl | 19 -------------------
 2 files changed, 18 insertions(+), 19 deletions(-)
 delete mode 100644 terragrunt/live/website/.terraform.lock.hcl
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 18c39f1..360111a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -89,6 +89,22 @@ jobs:
 - name: Invalidate Cloudfront
 run: aws cloudfront create-invalidation --distribution-id ${{ steps.terragrunt_output.outputs.distribution_id }} --paths "/*"
+ - name: Auto-commit updated Terraform lockfile
+ run: |
+ git config --global user.email "actions@github.com"
+ git config --global user.name "GitHub Actions"
+
+ # Only commit the module lockfile — live lockfiles must never exist
+ git add terragrunt/modules/website/.terraform.lock.hcl
+
+ if git diff --cached --quiet; then
+ echo "No lockfile changes to commit."
+ else
+ echo "Committing updated lockfile..."
+ git commit -m "chore(terraform): update provider lock file"
+ git push
+ fi
+
+
 - name: Check for uncommitted changes
 run: |
 git config --global --add safe.directory "$GITHUB_WORKSPACE"
@@ -110,6 +126,8 @@ jobs:
 echo "✅ No uncommitted changes after deploy."
 fi
+
+
 - name: Upload lock files on failure
 if: failure()
 uses: actions/upload-artifact@v7
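Review bot: The added "Auto-commit updated Terraform lockfile" step commits and pushes whatever provider versions and hashes this run resolved, so `.terraform.lock.hcl` stops being a reviewed pin on provider packages. The step sits after the CloudFront invalidation, so by the time new hashes are recorded the providers have presumably already run with the deploy credentials (the init and apply steps are outside this hunk). Consider replacing the `git commit` and `git push` lines in the `else` branch with `exit 1`, running init with `-lockfile=readonly` in the deploy path, and proposing provider upgrades through a pull request instead. The `git push` also needs a token with `contents: write` on the target branch, and these git commands run before the next step's `safe.directory` setting, which may matter if that setting is required on this runner.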
diff --git a/terragrunt/live/website/.terraform.lock.hcl b/terragrunt/live/website/.terraform.lock.hcl deleted file mode 100644 index 8e031df..0000000 --- a/terragrunt/live/website/.terraform.lock.hcl +++ /dev/null @@ -1,19 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "6.28.0" - constraints = "6.28.0" - hashes = [ - "h1:tcau98fkhZ2RhbPHo8LdiiUk2RGpZUgT/t06sdMLids=", - "zh:38d58305206953783c150fb96d5c4f3ea5fe0b9e0987d927c884a6b0f2adf7a9", - "zh:43fd483251165f98b7a44360b41b437d309b007ef2bfff818eedcf3730e3f5cb", - "zh:4753decc5a718cb74b08244a02d00c150f0ddd6ebf2e1227f6a985c647c03ce9", - "zh:5956525650554bd3fbc4b695eb5250193f0ebf94c45862a7730457ab6a315069", - "zh:76d98fa1146750c01f607bae4421952ee9cd14ed3a4a59deb7136749adb9e0ae", - "zh:792c29e5ec91356baddb6219ac7f6f1df09c251cbe4ab6e089fc25d64270b22a", - "zh:856424380caa7c1536dc00515d12beac2693db1a8425da654eed5530abeb17d9", - "zh:e8982ec2bc692efa7236e3565e7094a09f52c5b71d8860a570a36fb31a40f27f", - "zh:f5e7ff825dc3f7356fb80936bfe7bb1b54a728ccf429cb753cfe590932f0403b", - ] -}