fix: update error handling and clean up some of the error messages to be more useful to consumers #799

Workflow file for this run

	name: 'ci'

	on:
	push:
	branches:
	- 'main'
	pull_request:
	branches:
	- 'main'
	workflow_dispatch:

	env:
	DOCKER_REGISTRY: 'us-docker.pkg.dev'
	DOCKER_TAG: '${{ github.sha }}'
	DOCKER_REPO: 'us-docker.pkg.dev/github-token-minter-i-e4ee94/ci-images'
	IMAGE_NAME: 'github-token-minter-server'
	TAG_ID: 'ci-${{ github.run_id }}-${{ github.run_number }}'
	INTEGRATION_SERVICE_NAME: 'github-token-minter-f779'
	INTEGRATION_SERVICE_AUDIENCE: 'https://github-token-minter-f779-zu5h6wwo4q-uc.a.run.app'
	INTEGRATION_SERVICE_URL: 'https://ci-${{ github.run_id }}-${{ github.run_number }}---github-token-minter-f779-zu5h6wwo4q-uc.a.run.app'
	INTEGRATION_PROJECT_ID: 'github-token-minter-i-e4ee94'
	INTEGRATION_REGION: 'us-central1'

	concurrency:
	group: '${{ github.workflow }}-${{ github.head_ref \|\| github.ref }}'
	cancel-in-progress: true

	jobs:
	go_test:
	uses: 'abcxyz/actions/.github/workflows/go-test.yml@main' # ratchet:exclude

	# Build the main github-token-minter server and push to artifact registry
	build-github-token-minter-server:
	runs-on: 'ubuntu-latest'
	needs:
	- 'go_test'
	permissions:
	contents: 'read'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4

	- name: 'Setup Go'
	uses: 'actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a' # ratchet:actions/setup-go@v5
	with:
	go-version-file: 'go.mod'

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	workload_identity_provider: '${{ vars.WIF_PROVIDER }}'
	service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
	token_format: 'access_token'

	- name: 'Authenticate to Artifact Registry'
	uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # ratchet:docker/login-action@v3
	with:
	username: 'oauth2accesstoken'
	password: '${{ steps.auth.outputs.access_token }}'
	registry: '${{ env.DOCKER_REGISTRY }}'
	# goreleaser requires a tag to publish images to container registry.
	# We create a local tag to make it happy.
	- run: \|-
	git config user.name "${GITHUB_ACTOR}"
	git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
	git tag -f "$(date "+%Y%m%d%H%M%S")"

	- name: 'Build the server container and push to the registry with goreleaser'
	uses: 'goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf' # ratchet:goreleaser/goreleaser-action@v6
	with:
	version: 'v1.12.3' # Manually pinned
	args: 'release -f .goreleaser.docker.yaml --rm-dist --skip-validate'

	build:
	runs-on: 'ubuntu-latest'
	needs:
	- 'build-github-token-minter-server'
	steps:
	- run: 'echo build complete'

	deployment:
	runs-on: 'ubuntu-latest'
	needs:
	- 'build'
	permissions:
	contents: 'read'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	workload_identity_provider: '${{ vars.WIF_PROVIDER }}'
	service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'

	- name: 'Setup gcloud'
	uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a' # ratchet:google-github-actions/setup-gcloud@v2

	- name: 'Deploy to Cloud Run'
	run: \|-
	gcloud run services update ${{ env.INTEGRATION_SERVICE_NAME }} \
	--project="${{ env.INTEGRATION_PROJECT_ID }}" \
	--region="${{ env.INTEGRATION_REGION }}" \
	--image="${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.DOCKER_TAG }}-amd64" \
	--tag="${{ env.TAG_ID }}"

	integration-mint-token:
	runs-on: 'ubuntu-latest'
	needs:
	- 'deployment'
	permissions:
	contents: 'write'
	packages: 'write'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4

	- id: 'mint-github-token'
	uses: './.github/actions/mint-token'
	with:
	wif_provider: '${{ vars.WIF_PROVIDER }}'
	wif_service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
	service_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
	service_url: '${{ env.INTEGRATION_SERVICE_URL }}'
	requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'

	- name: 'verify-github-token'
	run: \|
	curl --fail \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer ${{ steps.mint-github-token.outputs.token }}"\
	-H "X-GitHub-Api-Version: 2022-11-28" \
	https://api.github.com/repos/abcxyz/github-token-minter/issues/events

	integration-minty:
	runs-on: 'ubuntu-latest'
	needs:
	- 'deployment'
	permissions:
	contents: 'write'
	packages: 'write'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	create_credentials_file: false
	export_environment_variables: false
	workload_identity_provider: '${{ vars.WIF_PROVIDER }}'
	service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
	token_format: 'id_token'
	id_token_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
	id_token_include_email: true

	- id: 'mint-github-token'
	uses: './.github/actions/minty'
	with:
	id_token: '${{ steps.auth.outputs.id_token }}'
	service_url: '${{ env.INTEGRATION_SERVICE_URL }}'
	requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'

	- name: 'verify-github-token'
	run: \|
	curl --fail \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer ${{ steps.mint-github-token.outputs.token }}"\
	-H "X-GitHub-Api-Version: 2022-11-28" \
	https://api.github.com/repos/abcxyz/github-token-minter/issues/events

	integration-gcp-sa:
	runs-on: 'ubuntu-latest'
	needs:
	- 'deployment'
	permissions:
	contents: 'write'
	packages: 'write'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
	# Generate an id token that impersonates a service account to call the minty endpoint.
	# Audience must be set to the integration service in order to call Cloud Run.
	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	create_credentials_file: false
	export_environment_variables: false
	workload_identity_provider: '${{ vars.wif_provider }}'
	service_account: '${{ vars.wif_service_account }}'
	token_format: 'id_token'
	id_token_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
	id_token_include_email: true

	# Generate an id token that impersonates a service account to request access to the minty repository.
	# Audience must be set to the relevant repo ('abcxyz/github-token-minter') so minty can lookup the correct config.
	- id: 'get-oidc-caller-token'
	name: 'Get GCloud Auth Token to use as OIDC token input to token minter'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	create_credentials_file: false
	export_environment_variables: false
	workload_identity_provider: '${{ vars.wif_provider }}'
	service_account: '${{ vars.wif_service_account }}'
	token_format: 'id_token'
	id_token_audience: 'abcxyz/github-token-minter'
	id_token_include_email: true

	- id: 'mint-and-verify-gcloud-token'
	run: \|
	token=$(curl --fail \
	-X POST \
	-H "Content-Type: application/json" \
	-H "X-OIDC-Token: ${{ steps.get-oidc-caller-token.outputs.id_token }}" \
	-H "Authorization: Bearer ${{ steps.auth.outputs.id_token }}" \
	-d '{"scope":"integ","org_name":"abcxyz","repositories":["github-token-minter"],"permissions":{"issues":"read"}}' \
	${{ env.INTEGRATION_SERVICE_URL }}/token)
	curl --fail \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer $token"\
	-H "X-GitHub-Api-Version: 2022-11-28" \
	https://api.github.com/repos/abcxyz/github-token-minter/issues/events

	verify-prod:
	runs-on: 'ubuntu-latest'
	needs:
	- 'deployment'
	permissions:
	contents: 'write'
	packages: 'write'
	id-token: 'write'
	steps:
	- name: 'Checkout'
	uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
	with:
	create_credentials_file: false
	export_environment_variables: false
	workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
	service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
	token_format: 'id_token'
	id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
	id_token_include_email: true

	- id: 'mint-prod-github-token'
	uses: './.github/actions/minty'
	with:
	id_token: '${{ steps.auth.outputs.id_token }}'
	service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
	requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'

	- name: 'verify-prod-github-token'
	run: \|
	curl --fail \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer ${{ steps.mint-prod-github-token.outputs.token }}"\
	-H "X-GitHub-Api-Version: 2022-11-28" \
	https://api.github.com/repos/abcxyz/github-token-minter/issues/events

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: update error handling and clean up some of the error messages to be more useful to consumers #799

Workflow file

fix: update error handling and clean up some of the error messages to be more useful to consumers #799

Uh oh!

Jobs

Run details

Workflow file for this run