Ensure get-jfrog-credentials is re-runnable (#45)

JackPGreen · web-flow · commit f72e5fe11a8d · 2026-01-20T11:40:30.000Z
The "quasi-unique" workaround described in: https://github.com/hazelcast/docker-actions/blob/e5b499f5d05ce65d27616deffcb30fcb596e6a64/get-jfrog-credentials/action.yml#L24-L30 Does not work when the action is invoked [more than once in the same job](https://github.com/hazelcast/hazelcast-docker/actions/runs/21168691327): > Error: Failed to fetch secret: 'JFROG'. Error: Error: The environment name 'GET_JFROG_CREDENTIALS_JFROG_URL' is already in use. Please use an alias to ensure that each secret has a unique environment name.
diff --git a/.github/workflows/test-get-jfrog-credentials.yml b/.github/workflows/test-get-jfrog-credentials.yml
@@ -12,6 +12,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v6
 
+        # Run it twice to ensure no env name collisions
+      - uses: ./get-jfrog-credentials
+        with:
+          aws-role-to-assume: ${{ secrets.AWS_HAZELCAST_OIDC_GITHUB_ACTIONS_ROLE_ARN }}
+          jfrog-oidc-provider-name: ${{ github.repository_owner }}-snapshot-internal
+
       - uses: ./get-jfrog-credentials
         id: jfrog
         with:
diff --git a/get-jfrog-credentials/action.yml b/get-jfrog-credentials/action.yml
@@ -21,22 +21,28 @@ runs:
         role-to-assume: ${{ inputs.aws-role-to-assume }}
         aws-region: 'us-east-1'
 
+      # GitHub has no way of uniquely identifying steps within a job, so we must generate a random ID for this invocation
+    - id: get-random-id
+      shell: bash
+      run: |
+        echo "id=${RANDOM}" >> ${GITHUB_OUTPUT}
+
     - uses: aws-actions/aws-secretsmanager-get-secrets@v2
       with:
         # Make them quasi-unique to avoid overlapping with other secrets that may exist in the calling workflow
         # Workaround lack of https://github.com/aws-actions/aws-secretsmanager-get-secrets/issues/14
         secret-ids: |
-          GET_JFROG_CREDENTIALS_JFROG,JFROG
+          GET_JFROG_CREDENTIALS_${{ steps.get-random-id.outputs.id }}_JFROG,JFROG
         parse-json-secrets: true
 
     - id: get-url
       shell: bash
       run: |
-        echo "url=${GET_JFROG_CREDENTIALS_JFROG_URL}" >> ${GITHUB_OUTPUT}
+        echo "url=${GET_JFROG_CREDENTIALS_${{ steps.get-random-id.outputs.id }}_JFROG_URL}" >> ${GITHUB_OUTPUT}
 
     - id: jfrog
       uses: jfrog/setup-jfrog-cli@v4
       env:
-        JF_URL: https://${{ env.GET_JFROG_CREDENTIALS_JFROG_URL }}
+        JF_URL: https://${{ steps.get-url.outputs.url }}
       with:
         oidc-provider-name: ${{ inputs.jfrog-oidc-provider-name }}
