Fix pullpreview enterprise token injection #21
Merged
Summary
This refactors the PullPreview workflows to stop transporting the OpenProject enterprise token through chart_set and instead render it through a checked-in Helm values template. The dispatch and scheduled workflows now share a single pullpreview/stack-values.yaml.gotmpl file, and the dispatch workflow passes only its optional override values as environment variables into the PullPreview action.

Root Cause
The original setup relied on chart_set to carry the enterprise token into the preview deployment. In PullPreview, chart_set is parsed as a comma-separated list and then translated into Helm --set arguments, which is a bad transport for a large opaque token payload.

The chart already supports seeding OPENPROJECT_SEED__ENTERPRISE__TOKEN through the generated OpenProject environment secret, so the safer path is to render that value into a Helm values file and let the chart consume it normally.

What Changed
- pullpreview/action to 65df5209b58f360444525f1167f9e14803521fed, which includes local *.gotmpl rendering support for chart_values and the rebuilt dist bundle.
- pullpreview/stack-values.yaml.gotmpl.
- openproject.environment.OPENPROJECT_SEED__ENTERPRISE__TOKEN inside that shared template.
- chart_set token injection entirely.
- OPENPROJECT_VERSION and INTEGRATION_OPENPROJECT_VERSION instead of INPUT_* names.

Validation
- .github/workflows/pullpreview.yml and .github/workflows/pullpreview-dispatch.yml successfully after each refactor step.
- INPUT_ references in the workflow/template path.
- main; no code-level regression stood out in the current branch.

Follow-up Validation
- PullPreview deployment.
- pullpreview-dispatch.yml deployment from openproject-e2e.
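
Added example, not code from this PR or from PullPreview: a simplified Python model of the comma-separated chart_set transport described under Root Cause, next to a values-file rendering of the same value. The sample token, the image.tag key and all function names are constructed for illustration; the real action's parser and the .gotmpl template may differ.

```python
import json

# Constructed sample: an opaque multi-line token containing characters that
# matter to comma-separated parsing (",", "=" and newlines). Not a real token.
SAMPLE_TOKEN = "-----BEGIN TOKEN-----\nQUJD,REVG=\nR0hJ\n-----END TOKEN-----"
KEY = "openproject.environment.OPENPROJECT_SEED__ENTERPRISE__TOKEN"


def split_chart_set(chart_set):
    """Simplified model: comma-separated chart_set turned into --set arguments."""
    args = []
    for item in chart_set.split(","):
        item = item.strip()
        if item:
            args += ["--set", item]
    return args


def recover_value(args, key):
    """Return the value a consumer of the --set arguments would see for key."""
    for item in args[1::2]:
        k, sep, v = item.partition("=")
        if k == key and sep:
            return v
    return None


def render_values(token):
    """Render a values document. json.dumps escapes quotes, backslashes and
    newlines, and a JSON string is a valid YAML double-quoted scalar."""
    return (
        "openproject:\n"
        "  environment:\n"
        f"    OPENPROJECT_SEED__ENTERPRISE__TOKEN: {json.dumps(token)}\n"
    )


def read_token_from_values(doc):
    """Read the token back from the rendered document (stand-in for a YAML parser)."""
    line = next(l for l in doc.splitlines()
                if "OPENPROJECT_SEED__ENTERPRISE__TOKEN" in l)
    return json.loads(line.split(": ", 1)[1])


if __name__ == "__main__":
    args = split_chart_set(f"image.tag=dev,{KEY}={SAMPLE_TOKEN}")
    print("via chart_set :", repr(recover_value(args, KEY)))
    print("via values file:", repr(read_token_from_values(render_values(SAMPLE_TOKEN))))
```

In the comma-split model the token is cut at its first comma and the remainder becomes a stray --set argument, while the values-file path returns the token byte for byte.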