From 9702b8e4d43a7a92afec07955f09afac7833eda9 Mon Sep 17 00:00:00 2001
From: hc-github-team-nomad-core <82989552+hc-github-team-nomad-core@users.noreply.github.com>
Date: Fri, 7 Jul 2023 14:27:42 -0500
Subject: [PATCH] backport of commit bb084acf774fd014aaa0d2e52475e9c0462d4697 (#17846)

This pull request was automerged via backport-assistant
---
.github/actions/vault-secrets/action.yml | 23 +++++++++++++++++++++++
.github/workflows/backport.yml | 9 +++++++--
.github/workflows/build.yml | 9 +++++++++
.github/workflows/checks.yaml | 8 ++++++++
.github/workflows/release.yml | 15 ++++++++++-----
.github/workflows/test-core.yaml | 8 ++++++++
.github/workflows/test-e2e.yml | 8 ++++++++
.github/workflows/test-ui.yml | 13 +++++++++++--
8 files changed, 84 insertions(+), 9 deletions(-)
create mode 100644 .github/actions/vault-secrets/action.yml

diff --git a/.github/actions/vault-secrets/action.yml b/.github/actions/vault-secrets/action.yml
new file mode 100644
index 00000000000..23f8ca58371
--- /dev/null
+++ b/.github/actions/vault-secrets/action.yml
@@ -0,0 +1,23 @@
+name: vault-secrets
+description: 'pull secrets from CI Vault into environment vars'
+inputs:
+ paths:
+ description: 'vault-action secrets input'
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Authenticate to Vault
+ if: endsWith(github.repository, '-enterprise')
+ id: vault-auth
+ run: vault-auth
+ shell: bash
+ - name: Retrieve Vault-hosted Secrets
+ if: endsWith(github.repository, '-enterprise')
+ id: vault
+ uses: hashicorp/vault-action@v2.4.3
+ with:
+ url: ${{ steps.vault-auth.outputs.addr }}
+ caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+ token: ${{ steps.vault-auth.outputs.token }}
+ secrets: ${{ inputs.paths }}
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 12655785bb0..1cee01046c2 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
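Review bot: `uses: hashicorp/vault-action@v2.4.3` in the "Retrieve Vault-hosted Secrets" step pins a mutable tag, while every other third-party action in this patch is pinned to a full commit SHA with a version comment (`actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`, `slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0`); since this is the step that receives the Vault token and exports secrets into every caller's job environment, it deserves the same treatment, e.g. `uses: hashicorp/vault-action@<commit-sha-for-v2.4.3> # v2.4.3`. The token also travels through `steps.vault-auth.outputs.token`, and step outputs are not masked automatically — presumably the runner-provided `vault-auth` binary masks it before emitting the output, which is worth confirming. The `paths` input's `description: 'vault-action secrets input'` would help readers more if it stated the format the callers use, one `vault-path key | ENV_NAME ;` entry per line, and that nothing is exported outside `-enterprise` repositories because both steps are skipped there.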
@@ -38,6 +38,11 @@ jobs: if: always() && needs.backport.result == 'failure' runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} steps: + - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ; - name: Send slack notification on failure uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 with: @@ -70,8 +75,8 @@ jobs: ] } env: - SLACK_WEBHOOK_URL: ${{ secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }} + SLACK_WEBHOOK_URL: ${{ env.SLACK_FEED_NOMAD || secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK permissions: contents: read - + id-token: write diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6562eaed61d..20fde6d13e5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -252,6 +252,14 @@ jobs: with: ref: ${{ github.event.inputs.build-ref }} + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; + - name: Git config token + if: endsWith(github.repository, '-enterprise') + run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' + - name: Setup go uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: @@ -329,3 +337,4 @@ jobs: permissions: contents: read + id-token: write diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 375386b40df..886f0ac84fe 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml 
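Review bot: `id-token: write` is added beside `contents: read` in the trailing `permissions:` block (@@ -70), and the same addition appears in build.yml @@ -329, checks.yaml @@ -34, release.yml @@ -205, test-core.yaml @@ -120, test-e2e.yml @@ -39 and test-ui.yml @@ -90; if that block is workflow-level (indentation is lost in this copy, so I cannot tell), every job in each workflow is granted an OIDC-minting token although only the job that runs `./.github/actions/vault-secrets` needs one. Declaring the broadened `permissions:` with `contents: read` and `id-token: write` on that job and leaving the workflow-level block at `contents: read` keeps the remaining jobs at least privilege. The fallback `SLACK_WEBHOOK_URL: ${{ env.SLACK_FEED_NOMAD || secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}` works because the vault steps are skipped outside `-enterprise` repositories and `env.SLACK_FEED_NOMAD` is then empty; a one-line comment saying so would spare the next reader a trip to the composite action.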
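Review bot: The new "Git config token" step (@@ -252) rewrites with `insteadOf 'https://github.com'`, and git's `url.<base>.insteadOf` is a plain prefix match, so any URL beginning with that string — a host such as `https://github.com.example` included — would also have `ELEVATED_GITHUB_TOKEN` injected into it; closing the prefix with a trailing slash on both sides limits the rewrite to github.com proper. The identical line is added in checks.yaml @@ -26, release.yml @@ -53, test-core.yaml @@ -53 and test-e2e.yml @@ -39. Reading the variable from the shell instead of expanding it with `${{ env.ELEVATED_GITHUB_TOKEN }}` also keeps the token out of the rendered command text rather than relying on log masking, which the vault-action export is presumably providing. Suggested line: `run: git config --global url."https://${ELEVATED_GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"`.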
@@ -26,6 +26,13 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: fetch-depth: 0 # needs tags for checkproto + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; + - name: Git config token + if: endsWith(github.repository, '-enterprise') + run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' - uses: hashicorp/setup-golang@v1 - name: Run make check run: | @@ -34,3 +41,4 @@ jobs: make check permissions: contents: read + id-token: write diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 93d5bcb4bd8..976d73e8d14 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,11 +53,15 @@ jobs: exit 1 fi - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: Setup Git + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; + - name: Git config token + if: endsWith(github.repository, '-enterprise') + run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' + - name: Git config user/name run: |- - if [ -n "${{ secrets.ELEVATED_GITHUB_TOKEN }}" ]; then - git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com" - fi git config --global user.email "github-team-nomad-core@hashicorp.com" git config --global user.name "hc-github-team-nomad-core" @@ -141,7 +145,7 @@ jobs: - name: Invoke build workflow id: invoke-build env: - GH_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} + GH_TOKEN: ${{ env.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }} run: | gh workflow run build.yml --ref ${{ github.ref_name }} --field build-ref=${{ steps.commit-change-push.outputs.build-ref }} --field make-prerelease=false 
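Review bot: The "Git config token" step in release.yml (@@ -53) is gated only on the repository name and no longer checks that the token is non-empty, so on an `-enterprise` repository an empty `ELEVATED_GITHUB_TOKEN` (for instance a Vault path that did not resolve) configures a rewrite with an empty credential instead of the silent skip the removed `if [ -n "..." ]` block provided; meanwhile `GH_TOKEN` in @@ -141 keeps a fallback to `secrets.ELEVATED_GITHUB_TOKEN` that the rewrite does not get, which looks inconsistent unless the OSS repository is known never to need the rewrite. A step condition of `if: env.ELEVATED_GITHUB_TOKEN != ''` would restore the non-empty guard and subsume the enterprise check, since vault-secrets only exports there. The "Git config user/name" step's body continues outside the hunk.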
@@ -205,3 +209,4 @@ jobs: permissions: contents: write + id-token: write diff --git a/.github/workflows/test-core.yaml b/.github/workflows/test-core.yaml index b5e29781c3a..381a387fa0b 100644 --- a/.github/workflows/test-core.yaml +++ b/.github/workflows/test-core.yaml @@ -53,6 +53,13 @@ jobs: timeout-minutes: 10 steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; + - name: Git config token + if: endsWith(github.repository, '-enterprise') + run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' - uses: hashicorp/setup-golang@v1 - name: Get Go modules run: | @@ -120,3 +127,4 @@ jobs: sudo -E env "PATH=$PATH" make test-nomad permissions: contents: read + id-token: write diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 01fd911329a..94728854ea3 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -39,9 +39,17 @@ jobs: runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; + - name: Git config token + if: endsWith(github.repository, '-enterprise') + run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' - uses: hashicorp/setup-golang@v1 - run: make deps - run: make integration-test - run: make e2e-test permissions: contents: read + id-token: write diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml index 71703298002..e4578ed49a4 100644 --- a/.github/workflows/test-ui.yml +++ b/.github/workflows/test-ui.yml 
@@ -72,9 +72,13 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: ./.github/actions/setup-js - uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0 + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/teams/nomad/ui PERCY_TOKEN ; - name: ember exam env: - PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }} + PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }} PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }} run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }} @@ -90,10 +94,15 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: ./.github/actions/setup-js + - uses: ./.github/actions/vault-secrets + with: + paths: |- + kv/data/teams/nomad/ui PERCY_TOKEN ; - name: finalize env: - PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }} + PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }} PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }} run: yarn percy build:finalize permissions: contents: read + id-token: write
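Review bot: `PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }}` (both hunks) reads as if the step re-exports a variable it already has, but `env.PERCY_TOKEN` exists only when `./.github/actions/vault-secrets` actually exported it, which its steps do only for `-enterprise` repositories, so the repository secret is the active source everywhere else. A comment above the first occurrence, `# vault-secrets exports PERCY_TOKEN on -enterprise only; secrets.PERCY_TOKEN is the fallback elsewhere`, would make that explicit, and the same applies to the fallbacks added in backport.yml and release.yml. Both vault stanzas are placed after `setup-js` and `setup-chrome`, so the token is not yet in the environment while those third-party steps run — an ordering worth preserving if the steps are later reshuffled.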