Fix tf-plan step order: checkout platform scripts before broker (#87)

Alexanderamiri · web-flow · commit 1fb0013f3270 · 2026-03-17T22:38:10.000Z
## Summary
The broker invocation step (`invoke-ci-broker.sh`) runs from
`.platform/scripts/` but the platform checkout happened 3 steps later.
This broke app CI when the app repo doesn't have committed TF files (the
test app case after deleting old expanded TF).

Moved GitHub App token generation + platform checkout before the OIDC +
broker steps.

## Test plan
- [ ] Retrigger platform-test-app CI after merge
diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml
@@ -58,19 +58,6 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      - name: Assume broker role via OIDC
-        uses: aws-actions/configure-aws-credentials@v6
-        with:
-          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-broker
-          aws-region: ${{ inputs.aws_region }}
-          role-session-name: ${{ env.SESSION_NAME }}
-
-      - name: Get team credentials from broker
-        id: broker
-        env:
-          PROJECT: javabin
-        run: sh .platform/scripts/invoke-ci-broker.sh plan
-
       - name: Generate GitHub App token
         id: app-token
         uses: actions/create-github-app-token@v2
@@ -87,6 +74,19 @@ jobs:
           path: .platform
           sparse-checkout: scripts
 
+      - name: Assume broker role via OIDC
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-broker
+          aws-region: ${{ inputs.aws_region }}
+          role-session-name: ${{ env.SESSION_NAME }}
+
+      - name: Get team credentials from broker
+        id: broker
+        env:
+          PROJECT: javabin
+        run: sh .platform/scripts/invoke-ci-broker.sh plan
+
       - name: Ensure Terraform boilerplate
         env:
           AWS_ACCOUNT_ID: ${{ inputs.aws_account_id }}
