[FF-] Expose access_token #391

Open: wants to merge 3 commits into base: master
7 changes: 7 additions & 0 deletions .changeset/gentle-llamas-deliver.md
@@ -0,0 +1,7 @@
---
'davinci-github-actions': minor
---

### gsm-secrets

- expose wif access_token in `gsm-secret` action
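Review bot: the changeset entry names the action `gsm-secret`, but the directory changed in this PR is `gsm-secrets`; suggest `- expose WIF access_token output in the `gsm-secrets` action` so the generated release notes match the real action name. Since this adds a new output, the entry should also state what the value is (a Google Cloud OAuth access token returned by the auth step) so consumers of the action know it is a credential and treat it accordingly rather than, say, printing it or persisting it in artifacts.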
1 change: 0 additions & 1 deletion build-push-image/README.md
@@ -42,7 +42,6 @@ This is a list of ENV Variables that are used in GH Action:
| name | description |
| -------------------------- | --------------------------------------------------------- |
| `DOCKER_BUILDX_ENDPOINT` | Docker buildx endpoint (Optional if using for GH runners) |
| `GCR_ACCOUNT_KEY` | Necessary token to push image to Google cloud |
| `GITHUB_TOKEN` | GitHub token. Is used to checkout `davinci` branch |
| `TOPTAL_BUILD_BOT_SSH_KEY` | SSH key to access Google cloud |
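Review bot: the `GCR_ACCOUNT_KEY` row is dropped from the `build-push-image` README, but no other file under `build-push-image` is touched in this PR and the PR title only concerns the `gsm-secrets` output. If `build-push-image/action.yml` still reads `GCR_ACCOUNT_KEY`, the README becomes inaccurate; if the key was already retired in favour of the WIF access token, please point to the change that removed it (or the step that now consumes `access_token`) in the PR description, and mention the migration in the changeset, so the documentation change is traceable.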

68 changes: 60 additions & 8 deletions gsm-secrets/action.yml
@@ -17,27 +17,79 @@ outputs:
secrets:
description: 'The secrets retrieved from GSM in JSON format'
value: ${{ toJson(steps.get-secrets.outputs) }}
access_token:
description: 'The access token used to authenticate to Google Cloud'
value: ${{ steps.gcp-auth.outputs.access_token }}
runs:
using: 'composite'
steps:
- name: Information message
run: echo "In order to use exported credentials from auth action (like GOOGLE_APPLICATION_CREDENTIALS), you must add the actions/checkout step before calling auth. Meaning that this action 'gsm-secrets' should be preceded with 'actions/checkout' step."
shell: bash

- name: Authenticate to Google Cloud using WIF
uses: google-github-actions/auth@v2
id: gcp-auth
uses: google-github-actions/[email protected]
with:
# Using access_token format to expose the token for other steps that might need it
token_format: access_token
workload_identity_provider: ${{ inputs.workload_identity_provider }}
service_account: ${{ inputs.service_account }}

- name: Configure Google Cloud SDK
uses: google-github-actions/[email protected]
with:
skip_install: true

- name: Output authenticated account
run: 'gcloud auth list --filter=status:ACTIVE --format="value(account)"'
shell: bash

- name: Get the secrets from GSM
id: get-secrets
uses: google-github-actions/get-secretmanager-secrets@v2
uses: google-github-actions/get-secretmanager-secrets@v2.1.0
with:
secrets: ${{ inputs.secrets_name }}

- name: Remove gha-cred file content
- name: Verify secrets retrieval
shell: bash
run: |-
echo -n "" > "${GOOGLE_GHA_CREDS_PATH}"
run: |
if [ -z "${{ steps.get-secrets.outputs }}" ]; then
echo "::error::No secrets were retrieved from GSM"
exit 1
fi
echo "Successfully retrieved secrets from GSM"

- name: unset GOOGLE_APPLICATION_CREDENTIALS
- name: Catch GSM errors
if: ${{ always() }}
shell: bash
run: |-
echo "GOOGLE_APPLICATION_CREDENTIALS=" >> $GITHUB_ENV
run: |
echo "Catch GSM errors:"
GET_SECRETS_ACTION_STATUS="${{ steps.get-secrets.outcome }}"
AUTH_ACTION_STATUS="${{ steps.gcp-auth.outcome }}"
BOLD="\033[1m"
ON_RED="\033[48;2;55;37;46m"
RESET_BOLD="\033[21m"
EXIT_CODE=0

if [ ${AUTH_ACTION_STATUS} == "failure" ]; then
echo "::error::Process failed on authentication to GCP. Here is what you should do:"
echo -e "${ON_RED}1. Check if GITHUB_TOKEN has all necessary permissions. Info about it can found in our GSM docs:\n${ON_RED}https://toptal-core.atlassian.net/wiki/spaces/CI/pages/3257139253/Google+Secret+Manager+-+Technical+Documentation#How-to-modify-the-GitHub-workflow-to-fetch-secrets-from-GSM"
echo -e "${ON_RED}2. If GITHUB_TOKEN has all necessary permissions and GSM action still fails, please contact ${BOLD}@help-ci${RESET_BOLD} in ${BOLD}#-ci-help${RESET_BOLD}."
EXIT_CODE=1
else
echo "No errors related to GCP authentication."
fi

if [ ${GET_SECRETS_ACTION_STATUS} == "failure" ]; then
echo "::error::Process failed on fetching the secrets. Here is what you should do:"
echo -e "${ON_RED}1. Check if all necessary secrets are available to the repository:\n${ON_RED}https://github.com/toptal/inf-terraform/blob/master/toptal/gsm-permissions/ci/STARTING_LETTER_OF_REPO/gsm-secrets.tf"
echo -e "${ON_RED}2. If secrets are available to the repository and GSM action still fails, please contact ${BOLD}@help-ci${RESET_BOLD} in ${BOLD}#-ci-help.${RESET_BOLD}"
EXIT_CODE=1
else
echo "No errors related to fetching the secrets from GSM."
fi

if [ ${EXIT_CODE} -ne 0 ]; then
exit ${EXIT_CODE}
fi
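Review bot: the `Verify secrets retrieval` step tests `[ -z "${{ steps.get-secrets.outputs }}" ]`, which interpolates the whole `outputs` context object rather than a named output, so the check does not tell you whether any secret was actually retrieved; and interpolating secret values straight into a `run:` script via `${{ }}` would place them on the shell command line, which is exactly what the action's own `toJson(steps.get-secrets.outputs)` output avoids by keeping them in an expression. Suggest passing the JSON through `env:` and inspecting it from the script, e.g. `env: { SECRETS_JSON: "${{ toJson(steps.get-secrets.outputs) }}" }` followed by `if [ "$SECRETS_JSON" = "{}" ]; then`. Two further points on this hunk: (1) the deleted steps `Remove gha-cred file content` and `unset GOOGLE_APPLICATION_CREDENTIALS` were the post-fetch cleanup that blanked `${GOOGLE_GHA_CREDS_PATH}` and cleared `GOOGLE_APPLICATION_CREDENTIALS`; with them gone, whatever the auth step wrote to the runner stays usable by every later step of the calling job, so either state in the PR description that this widening is intended now that the token is an explicit output, or keep the cleanup (or set `create_credentials_file: false` on `google-github-actions/auth`, which is a documented input, if only the `access_token` output is needed). (2) In `Catch GSM errors`, `${AUTH_ACTION_STATUS}` and `${GET_SECRETS_ACTION_STATUS}` are unquoted inside `[ ... == "failure" ]`; if either expands empty the test becomes a syntax error instead of a clean "not failure", so quote them. Finally, `get-secretmanager-secrets@v2.1.0` pins to a mutable tag; pinning to the full commit SHA (with the version in a trailing comment) is the stronger supply-chain choice for an action that handles secrets.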