feat: add decryption passphrase for encrypted artifacts#762
alesancor1 wants to merge 3 commits into main
Conversation
uses: canonical/oci-factory/.github/actions/crypt-artifact@main
with:
  mode: decrypt
  input-path: ${{ inputs.artifact_name }}.gpg
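Review bot: the `input-path` here hard-codes the `.gpg` suffix onto `inputs.artifact_name`, which only holds when the artifact that was uploaded is a single file; the discussion below notes that crypt-artifact also accepts a directory as its input path, in which case the uploaded artifact keeps its original name and this step would point at a file that does not exist. Rather than assuming the suffix in every consuming workflow, have the job that ran `mode: encrypt` export the name it actually produced as an output and pass that value through to this step.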
not just about this PR, but this other occurrence of a name assumption is making me nervous. Why couldn't we just have the crypt-artifact action output the name of the encrypted artifact (in previous workflows), and that would be the ${{ inputs.artifact_name }} passed across multiple workflows?
What you are suggesting is not really about crypt-artifact action, but about our logic for Build.yaml:
The artifact name is given as an input to Build.yaml, so even if crypt-artifact outputs the name of the encrypted file (which could also be a directory, in which case the output wouldn't be a single .gpg file) you would then need to make Build.yaml output that name so it can get passed down to Test.yaml and this upload-artifact.
This would cause a big regression and impact any workflow using Build.yaml. If we want to do this, we should then first tag our workflows.
isn't crypt-artifact the one taking in a file name, adding .gpg to it, and then creating the encrypted file? if so, it would be the action's job to tell the step what files it has created.
the challenge here is that the action supports a dir as an input path, thus making the outputs a bit hard to read. i'm ok merging this as is, but IMO it's adding technical depth and I'd like to spend some minutes on it just in case there's an easy solution
The uploaded artifact name does not necessarily need to be the name of the file to be decrypted, mainly because such an artifact can be an entire directory (this is the case for single-arch rocks in Build.yaml).
So artifact-name and input-path are two separate things: We could download artifact-name to /foo/bar and the file(s) to be decrypted would be /foo/bar/{artifact-name}.gpg, so the input-path for the script would be /foo/bar.
The real problem and reason why we have to make the assumption that it ends in .gpg is because the encryption happens in a separate workflow (Build.yaml) and the name of the file (the one ended in .gpg) is not outputted by it.
This also happens in Test.yaml:
oci-factory/.github/workflows/Test-Rock.yaml, line 113 in 5876dfa
The correct solution here would be to have Build.yaml set the output of what is the name of the artifact that was uploaded (if it's a directory, it would remain the same, if it's a single file it would contain .gpg) so you can pass that name to the other workflows. Having crypt-artifact output the name of the encrypted file/dir is just a step towards this.
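One way to implement the output the comment above proposes, as an added example that is not oci-factory code: the naming rule (directory keeps its name, single file becomes NAME.gpg) comes from the thread, while the output key `artifact-name`, the scratch layout and the sample rock names are assumptions; no real encryption is run.

```shell
#!/bin/sh
# Added example (not oci-factory code). Models the naming rule the thread
# proposes for a Build.yaml job output: after crypt-artifact runs in encrypt
# mode, a single-file artifact exists as "<name>.gpg" while a directory
# artifact keeps its name. The demo only creates the constructed
# post-encryption layout; nothing is actually encrypted.

# Print the name Build.yaml should export: NAME for a directory artifact,
# NAME.gpg for a single file. Fails if neither exists, so a wrong artifact
# name is caught at build time rather than at download/decrypt time.
uploaded_artifact_name() {
  if [ -d "$1" ]; then
    printf '%s\n' "$1"
  elif [ -f "$1.gpg" ]; then
    printf '%s\n' "$1.gpg"
  else
    printf 'no encrypted artifact found for %s\n' "$1" >&2
    return 1
  fi
}

# Append the resolved name to an outputs file ($2 plays the role of
# $GITHUB_OUTPUT) under the hypothetical key "artifact-name", the way a
# workflow step exports a job output for downstream workflows to consume.
export_artifact_name() {
  resolved=$(uploaded_artifact_name "$1") || return 1
  printf 'artifact-name=%s\n' "$resolved" >> "$2"
}

# Constructed layout in a scratch dir: one single-file rock already renamed
# to .gpg (as crypt-artifact would leave it) and one directory artifact.
# Prints the two output lines a workflow would export.
demo_outputs() {
  tmp=$(mktemp -d) || return 1
  : > "$tmp/rock.oci.tar.gpg"
  mkdir "$tmp/rock-multiarch"
  ( cd "$tmp" && export_artifact_name rock.oci.tar out.txt \
             && export_artifact_name rock-multiarch out.txt ) || return 1
  cat "$tmp/out.txt"
  rm -rf "$tmp"
}
```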
I think I need a live walkthrough of this. can u pls schedule one?
In the meantime, let's start by looking at
oci-factory/.github/workflows/Build-Rock.yaml, lines 323 to 336 in 5876dfa
- you pass ${{ inputs.oci-archive-name }} into the action, to be encrypted
- the action, afaiu, creates a ${{ inputs.oci-archive-name }}.gpg file and deletes the original ${{ inputs.oci-archive-name }}
- the final "upload" step tries to upload ${{ inputs.oci-archive-name }}, but hasn't this been deleted?
${{ inputs.oci-archive-name }}*
Then:
oci-factory/.github/workflows/Image.yaml, line 192 in 5876dfa
as you say, here you could use needs.build-rock.outputs.oci-archive-name
Note the glob path: ${{ inputs.oci-archive-name }}* - that would take both .gpg and non .gpg files. This comes from #706 (comment)
If crypt-artifact set the .gpg as the output, then we'd use that for upload, but we'd find trouble afterwards in other jobs (Test, upload-rock) when internally downloading and decrypting the artifact.
Ping the @canonical/rocks team.
Description
Allow the upload-rock action to be passed the decryption passphrase for encrypted artifacts.