
A GitHub Action that either logs into Terminus via machine token or securely restores from a previously-authenticated Terminus session

GitHub Action for caching Terminus session

Caching and reusing the authenticated Terminus session between jobs helps prevent login errors due to Auth0 rate limiting during parallel jobs all trying to authenticate at the same time.


If you use DDEV in GitHub Actions, you can pass "ddev: true" to authenticate Terminus inside the DDEV container instead of the host (GitHub Actions job runner). Before calling this action with "ddev: true", install and start DDEV with one of these actions:

Example: Caching a session token before matrix'd jobs

Make sure a Terminus session is stored in cache before attempting to run jobs in parallel. We can accomplish this by adding a "needs" dependency on a preliminary job that refreshes the Terminus session token:

name: Example workflow demonstrating how to authenticate Terminus before
  dispatching jobs in parallel
      - 'main'
    runs-on: ubuntu-22.04
    # Always store production secrets in a GitHub "Environment" that restricts
    # which branches can deploy to it, and protect those branches with rules
    # including code reviews and security tests.
    # @see https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
    # environment: <environment-name>
    environment: Pantheon
      - name: Populate a new Terminus session in cache before dispatching the
          matrix'd job
        uses: lullabot/terminus-auth-with-session-cache@v2
          pantheon-machine-token: ${{ secrets.PANTHEON_MACHINE_TOKEN }}
          # Note: DDEV is never needed for this step since we're just trying to
          # generate and cache the session token for later jobs (which may use
          # DDEV).
          # ddev: false
    # This "needs" dependency makes sure the session is cached before starting
    # these parallel jobs.
    needs: [TerminusGetSession]
    runs-on: ubuntu-22.04
    environment: Pantheon
      matrix: ['site-a', 'site-b', 'site-c']
      - name: Log in to Terminus by restoring existing session or initiating new
        uses: lullabot/terminus-auth-with-session-cache@v2
          pantheon-machine-token: ${{ secrets.PANTHEON_MACHINE_TOKEN }}
          # Set 'ddev: true' if using DDEV in GitHub Actions.
          # ddev: true
      - name: Example step, clear caches on each site
        run: ddev terminus drush ${{ matrix.site-name }}.live -- cache:rebuild
        shell: bash

Example: Refresh Terminus sessions during off-peak hours

If you have many workflows running simultaneously, you may opt for generating new Terminus sessions during off-peak hours, so an old session doesn't expire at a random moment when concurrent jobs are running.

name: Refresh 24h Dev and Prod Terminus sessions during off-peak hours
    # 8am UTC is 3am US Central Time
    - cron:  '0 8 * * *'
    runs-on: ubuntu-22.04
      - name: Refresh the Development Terminus session in cache
        uses: lullabot/terminus-auth-with-session-cache@v2
          # Development token secret may be repository-wide.
          pantheon-machine-token: ${{ secrets.PANTHEON_MACHINE_TOKEN_DEV }}
          # Tell the action to grab a fresh session and ignore any existing
          # cache.
          force-new-session: true
    runs-on: ubuntu-22.04
    # environment: <environment-name>
    environment: Pantheon
      - name: Refresh the Production Terminus session in cache
        uses: lullabot/terminus-auth-with-session-cache@v2
          # Production token secret should be protected behind an Environment.
          pantheon-machine-token: ${{ secrets.PANTHEON_MACHINE_TOKEN_PRODUCTION }}
          # Tell the action to grab a fresh session and ignore any existing
          # cache.
          force-new-session: true

Pantheon documentation

The related Pantheon documentation lives here: Authenticate Terminus in a GitHub Actions Pipeline. It currently recommends a different approach but hopefully will be updated soon to reference this action or an equivalent one.