
fix: update error handling and clean up some of the error messages to be more useful to consumers #800




---
# CI for github-token-minter: build and test the server, push a dev image,
# roll it out to the dev Cloud Run service, then exercise each token-minting
# path end to end against that deployment.
name: 'ci'

on:  # yamllint disable-line rule:truthy
  push:
    branches: ['main']
  pull_request:
    branches: ['main']
  workflow_dispatch:

env:
  # Dev project, region and service the image is built for and deployed to.
  PROJECT_ID: 'github-token-minter-dev'
  REGION: 'us-central1'
  SERVICE_NAME: 'github-token-minter-dev'
  IMAGE_NAME: 'github-token-minter'
  DOCKER_REPO: 'us-docker.pkg.dev/github-token-minter-dev/images'
  # Workload Identity Federation identity used by the build job.
  WIF_PROVIDER: 'projects/576629731635/locations/global/workloadIdentityPools/github-automation/providers/github-provider'
  WIF_SERVICE_ACCOUNT: 'github-automation-bot@github-token-minter-dev.iam.gserviceaccount.com'
  # Integration test environment variables (used by the deployment job)
  INTEGRATION_PROJECT_ID: 'github-token-minter-dev'
  INTEGRATION_REGION: 'us-central1'
  INTEGRATION_SERVICE_NAME: 'github-token-minter-dev'
  INTEGRATION_SERVICE_URL: 'https://github-token-minter-dev-576629731635.us-central1.run.app'
  INTEGRATION_SERVICE_AUDIENCE: 'https://github-token-minter-dev-576629731635.us-central1.run.app'

jobs:
build-github-token-minter-server:
runs-on: 'ubuntu-latest'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- name: 'Setup Go'
uses: 'actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a' # ratchet:actions/setup-go@v5
with:
go-version-file: 'go.mod'
- name: 'Build'
run: 'go build ./...'
- name: 'Test'
run: 'go test ./...'
build:
runs-on: 'ubuntu-latest'
env:
TAG_ID: '${{ github.sha }}'
outputs:
image_name: '${{ env.IMAGE_NAME }}'
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
workload_identity_provider: '${{ env.WIF_PROVIDER }}'
service_account: '${{ env.WIF_SERVICE_ACCOUNT }}'
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a' # ratchet:google-github-actions/setup-gcloud@v2
- name: 'Authorize Docker'
run: 'gcloud auth configure-docker us-docker.pkg.dev'
- name: 'Build and Push Container'
run: |-
docker build -t "${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.TAG_ID }}-amd64" .
docker push "${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.TAG_ID }}-amd64"
# This job depends on build-github-token-minter-server so that we don't
# deploy a broken server to the dev environment
deploy-gate:
runs-on: 'ubuntu-latest'
needs:
- 'build-github-token-minter-server'
steps:
- run: 'echo build complete'
deployment:
runs-on: 'ubuntu-latest'
needs:
- 'build'
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
workload_identity_provider: '${{ vars.WIF_PROVIDER }}'
service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
- name: 'Setup gcloud'
uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a' # ratchet:google-github-actions/setup-gcloud@v2
- name: 'Deploy to Cloud Run'
run: |-
gcloud run services update ${{ env.INTEGRATION_SERVICE_NAME }} \
--project="${{ env.INTEGRATION_PROJECT_ID }}" \
--region="${{ env.INTEGRATION_REGION }}" \
--image="${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ env.DOCKER_TAG }}-amd64" \
--tag="${{ env.TAG_ID }}"
integration-mint-token:
runs-on: 'ubuntu-latest'
needs:
- 'deployment'
permissions:
contents: 'write'
packages: 'write'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- id: 'mint-github-token'
uses: './.github/actions/mint-token'
with:
wif_provider: '${{ vars.WIF_PROVIDER }}'
wif_service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
service_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
service_url: '${{ env.INTEGRATION_SERVICE_URL }}'
requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'
- name: 'verify-github-token'
run: |
curl --fail \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ steps.mint-github-token.outputs.token }}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/abcxyz/github-token-minter/issues/events
integration-minty:
runs-on: 'ubuntu-latest'
needs:
- 'deployment'
permissions:
contents: 'write'
packages: 'write'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
create_credentials_file: false
export_environment_variables: false
workload_identity_provider: '${{ vars.WIF_PROVIDER }}'
service_account: '${{ vars.WIF_SERVICE_ACCOUNT }}'
token_format: 'id_token'
id_token_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
id_token_include_email: true
- id: 'mint-github-token'
uses: './.github/actions/minty'
with:
id_token: '${{ steps.auth.outputs.id_token }}'
service_url: '${{ env.INTEGRATION_SERVICE_URL }}'
requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'
- name: 'verify-github-token'
run: |
curl --fail \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ steps.mint-github-token.outputs.token }}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/abcxyz/github-token-minter/issues/events
integration-gcp-sa:
runs-on: 'ubuntu-latest'
needs:
- 'deployment'
permissions:
contents: 'write'
packages: 'write'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
# Generate an id token that impersonates a service account to call the minty endpoint.
# Audience must be set to the integration service in order to call Cloud Run.
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
create_credentials_file: false
export_environment_variables: false
workload_identity_provider: '${{ vars.wif_provider }}'
service_account: '${{ vars.wif_service_account }}'
token_format: 'id_token'
id_token_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
id_token_include_email: true
# Generate an id token that impersonates a service account to request access to the minty repository.
# Audience must be set to the relevant repo ('abcxyz/github-token-minter') so minty can lookup the correct config.
- id: 'get-oidc-caller-token'
name: 'Get GCloud Auth Token to use as OIDC token input to token minter'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
create_credentials_file: false
export_environment_variables: false
workload_identity_provider: '${{ vars.wif_provider }}'
service_account: '${{ vars.wif_service_account }}'
token_format: 'id_token'
id_token_audience: 'abcxyz/github-token-minter'
id_token_include_email: true
- id: 'mint-and-verify-gcloud-token'
run: |
response=$(curl --fail \
-X POST \
-H "Content-Type: application/json" \
-H "X-OIDC-Token: ${{ steps.get-oidc-caller-token.outputs.id_token }}" \
-H "Authorization: Bearer ${{ steps.auth.outputs.id_token }}" \
-d '{"scope":"integ","org_name":"abcxyz","repositories":["github-token-minter"],"permissions":{"issues":"read"}}' \
${{ env.INTEGRATION_SERVICE_URL }}/token)
# Handle new JSON format {ok: true, result: "token"} or old {token: "token"} or raw "token"
if echo "${response}" | jq -e . >/dev/null 2>&1; then
token=$(echo "${response}" | jq -r 'if .ok then .result else .token // . end')
else
token="${response}"
fi
curl --fail \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $token"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/abcxyz/github-token-minter/issues/events
verify-prod:
runs-on: 'ubuntu-latest'
needs:
- 'deployment'
permissions:
contents: 'write'
packages: 'write'
id-token: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f' # ratchet:google-github-actions/auth@v2
with:
create_credentials_file: false
export_environment_variables: false
workload_identity_provider: '${{ vars.TOKEN_MINTER_WIF_PROVIDER }}'
service_account: '${{ vars.TOKEN_MINTER_WIF_SERVICE_ACCOUNT }}'
token_format: 'id_token'
id_token_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
id_token_include_email: true
- id: 'mint-prod-github-token'
uses: './.github/actions/minty'
with:
id_token: '${{ steps.auth.outputs.id_token }}'
service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
requested_permissions: '{"scope":"integ","repositories":["github-token-minter"],"permissions":{"issues":"read"}}'
- name: 'verify-prod-github-token'
run: |
curl --fail \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ steps.mint-prod-github-token.outputs.token }}"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/abcxyz/github-token-minter/issues/events