From cf0a275a7f3ae60f6c3933eabbd7e10f10f30c56 Mon Sep 17 00:00:00 2001
From: jcpitre <106176106+jcpitre@users.noreply.github.com>
Date: Mon, 11 Nov 2024 14:54:24 +0100
Subject: [PATCH] feat: Use a github variable containing 1password secret references (#1921)
Use use a github variable containing 1password secret references.
---
 .../extract-1password-secret/action.yml | 51 +++++++++++++++++++
 .github/workflows/publish_assets.yml | 22 ++++----
 .github/workflows/stg_web_svc_merge.yml | 12 ++---
 .github/workflows/web_release.yml | 11 ++--
 build.gradle | 8 +--
 5 files changed, 78 insertions(+), 26 deletions(-)
 create mode 100644 .github/actions/extract-1password-secret/action.yml
diff --git a/.github/actions/extract-1password-secret/action.yml b/.github/actions/extract-1password-secret/action.yml
new file mode 100644
index 0000000000..4428bd2afa
--- /dev/null
+++ b/.github/actions/extract-1password-secret/action.yml
@@ -0,0 +1,51 @@
+name: 'Extract secrets from 1Password'
+description: 'Extracts secrets from 1Password using a Github variable containing multiple secret references'
+inputs:
+ VARIABLES_TO_EXTRACT:
+ description: 'A list of comma separated secrets to extract'
+ required: true
+ type: string
+ ONE_PASSWORD_SECRET_REFERENCES:
+ description: 'The contents of the ONE_PASSWORD_SECRET_REFERENCES variable, containing key-value pairs of secret references'
+ required: true
+ type: string
+ OP_SERVICE_ACCOUNT_TOKEN:
+ description: 'The 1Password service account token'
+ required: true
+ type: string
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Extract 1password secret references for specific variables
+ id: extract_secret_references
+ shell: bash
+ # One possible error is that the specified variable name does not exist in the ONE_PASSWORD_SECRET_REFERENCES variable.
+ # In that case just go over it
+ continue-on-error: true
+ run: |
+ # Replace commas with spaces so it's easier to iterate over the key-value pairs
+ keys=$(echo "${{ inputs.VARIABLES_TO_EXTRACT }}" | tr ',' ' ')
+ for key in $keys; do
+ # Remove leading and trailing spaces
+ variable_name=$(echo "$key" | sed 's/^ *//;s/ *$//')
+ value=$(echo "${{ inputs.ONE_PASSWORD_SECRET_REFERENCES }}" | grep "^$variable_name *=" | cut -d'=' -f2- | sed 's/^ *//;s/[ \r]*$//')
+ # For each variable to extract create an env variable with the secret reference as a value
+ echo "$variable_name=$value" >> $GITHUB_ENV
+ echo "$variable_name=$value"
+ done
+
+ - name: Load secrets from 1Password
+ id: onepw_secrets
+ uses: 1password/load-secrets-action@v2.0.0
+ with:
+ export-env: true # Export loaded secrets as environment variables
+ env:
+ # 1password/load-secrets-action will take any defined env variable and try to get the secret value from 1Password
+ # I think it does this only for variables that start with op://
+ # That means all variables defined in the previous step will be loaded from 1Password if they exist.
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ inputs.OP_SERVICE_ACCOUNT_TOKEN }} # This is required to connect to the vault in our 1Password account.
+
+# After the previous step all variables specified in VARIABLES_TO_EXTRACT should have an env variable with the
+# secret as a value. If they don't exist in 1Password they will be left as is, meaning that will still contain the
+# secret reference.
\ No newline at end of file
diff --git a/.github/workflows/publish_assets.yml b/.github/workflows/publish_assets.yml
index aed9529fd6..0d6ba3be65 100644
--- a/.github/workflows/publish_assets.yml
+++ b/.github/workflows/publish_assets.yml
@@ -11,10 +11,16 @@ jobs: steps: - uses: actions/checkout@v3 - + # Get the version from the commit. This will depend on the trigger of the workflow + # If the trigger is release, the version will be the tag on the commit. + # If the trigger is a workflow_dispatch, the version will be the branch name, which is + # not really useful. - id: get_version uses: battila7/get-version-action@v2 + - name: printVersion + run: echo "The version extracted from github.ref is ${{ steps.get_version.outputs.version }}" + - name: Set up JDK 17 uses: actions/setup-java@v3 with:
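Review bot: Both inputs are expanded with `${{ inputs.VARIABLES_TO_EXTRACT }}` and `${{ inputs.ONE_PASSWORD_SECRET_REFERENCES }}` directly inside the `run:` script of the extract step, so whatever text is stored in the repository variable is pasted into the bash source before the shell runs it, in a job that also holds `OP_SERVICE_ACCOUNT_TOKEN`; the usual remedy is to pass both through the step's `env:` and read them as `"$VARIABLES_TO_EXTRACT"` and `"$ONE_PASSWORD_SECRET_REFERENCES"`. The same pattern is in the new printVersion step of publish_assets.yml (`run: echo "... ${{ steps.get_version.outputs.version }}"`), where the value is a tag or branch name. Separately, `continue-on-error: true` is relied on to survive a key with no entry, but under the `bash -eo pipefail` that `shell: bash` selects the non-matching `grep` aborts the whole loop at the first missing key, so every later variable is silently left unexported while the step is reported green; handling the miss inside the loop keeps the remaining keys and surfaces the gap as a warning. `$GITHUB_ENV` should also be quoted.
```yaml
      - name: Extract 1password secret references for specific variables
        id: extract_secret_references
        shell: bash
        env:
          VARIABLES_TO_EXTRACT: ${{ inputs.VARIABLES_TO_EXTRACT }}
          ONE_PASSWORD_SECRET_REFERENCES: ${{ inputs.ONE_PASSWORD_SECRET_REFERENCES }}
        run: |
          # Replace commas with spaces so it's easier to iterate over the key-value pairs
          keys=$(echo "$VARIABLES_TO_EXTRACT" | tr ',' ' ')
          for key in $keys; do
            # Remove leading and trailing spaces
            variable_name=$(echo "$key" | sed 's/^ *//;s/ *$//')
            # A missing key must not abort the loop: report it and carry on with the remaining keys
            value=$(echo "$ONE_PASSWORD_SECRET_REFERENCES" | grep "^$variable_name *=" | cut -d'=' -f2- | sed 's/^ *//;s/[ \r]*$//' || true)
            if [ -z "$value" ]; then
              echo "::warning::No secret reference found for $variable_name in ONE_PASSWORD_SECRET_REFERENCES"
              continue
            fi
            # For each variable to extract create an env variable with the secret reference as a value
            echo "$variable_name=$value" >> "$GITHUB_ENV"
            echo "$variable_name=$value"
          done
      # … unchanged: Load secrets from 1Password step …
```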
@@ -83,19 +89,15 @@ jobs: - name: Load secrets from 1Password id: onepw_secrets - uses: 1password/load-secrets-action@v2.0.0 + uses: ./.github/actions/extract-1password-secret with: - export-env: true # Export loaded secrets as environment variables - env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} # This is required to connect to the vault in our 1Password account. - MAVEN_GPG_PRIVATE_KEY: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/yztcx47yzp4vizjyaq7ulvkgoi/Private Key" - MAVEN_GPG_PASSPHRASE: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/yztcx47yzp4vizjyaq7ulvkgoi/password" + VARIABLES_TO_EXTRACT: 'MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, SONATYPE_TOKEN_USERNAME, SONATYPE_TOKEN_PASSWORD' + ONE_PASSWORD_SECRET_REFERENCES: ${{ vars.ONE_PASSWORD_SECRET_REFERENCES }} - name: Build and Publish to Sonatype run: | # The gradle java verifying plugin does not work with java 17. # Don't verify since it has already been done when the PR was created. - ./gradlew publish -x verifyGoogleJavaFormat - env: - SONATYPE_USERNAME: ${{secrets.SONATYPE_USERNAME}} - SONATYPE_PASSWORD: ${{secrets.SONATYPE_PASSWORD}} + ./gradlew publish --rerun-tasks -x verifyGoogleJavaFormat + diff --git a/.github/workflows/stg_web_svc_merge.yml b/.github/workflows/stg_web_svc_merge.yml index 4875b47bbb..115347612b 100644 --- a/.github/workflows/stg_web_svc_merge.yml +++ b/.github/workflows/stg_web_svc_merge.yml 
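Review bot: `--rerun-tasks` is added to the `./gradlew publish` line without explanation and is unrelated to the 1Password change; it forces every task in the graph to execute again, which sits oddly next to the comment just above that skips verification because it was already done, so either drop it or say why it is needed, e.g. `# --rerun-tasks: <reason>` above the command. Moving `SONATYPE_TOKEN_USERNAME`/`SONATYPE_TOKEN_PASSWORD` out of the publish step's own `env:` and into the composite action means they now arrive through export-env as job-wide environment, visible to every later step and third-party action in the job rather than only to the publish step; if any step follows the publish step, that is wider exposure than before. `id: onepw_secrets` on the replaced step is not referenced anywhere in the hunk, and the trailing added blank line at the end of the file is whitespace only.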
@@ -56,16 +56,16 @@ jobs: - name: Load secrets from 1Password to be used for sending notification id: onepw_secrets - uses: 1password/load-secrets-action@v2.0.0 + uses: ./.github/actions/extract-1password-secret with: - export-env: true # Export loaded secrets as environment variables - env: - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - CREDENTIALS: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/ifkeehu5gzi7wy5ub5qvwkaire/credential" + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} # This is required to connect to the vault in our 1Password account. + VARIABLES_TO_EXTRACT: 'GITHUB_GENERIC_ACTION_CREDENTIALS' + ONE_PASSWORD_SECRET_REFERENCES: ${{ vars.ONE_PASSWORD_SECRET_REFERENCES }} + - name: Send a notification to mobility-feed-api uses: peter-evans/repository-dispatch@v2 with: - token: ${{ env.CREDENTIALS }} + token: ${{ env.GITHUB_GENERIC_ACTION_CREDENTIALS }} repository: MobilityData/mobility-feed-api event-type: gtfs-validator-update-stg diff --git a/.github/workflows/web_release.yml b/.github/workflows/web_release.yml index 953fe4f87d..fe748ccecd 100644 --- a/.github/workflows/web_release.yml +++ b/.github/workflows/web_release.yml 
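Review bot: The new env name `GITHUB_GENERIC_ACTION_CREDENTIALS` carries the `GITHUB_` prefix, which GitHub's documentation reserves for its own environment variables, and the value is written into the job environment by the extract step and by export-env; I cannot tell from the hunk whether the runner rejects or silently accepts such a write through GITHUB_ENV, so verify on a real run, and a name without that prefix (for example `OP_GENERIC_ACTION_CREDENTIALS`) avoids the question entirely — the same applies to web_release.yml. The set of references is now read from `vars.ONE_PASSWORD_SECRET_REFERENCES`, a plain repository variable rather than a secret, so whoever can edit repository variables now decides which 1Password item the dispatch token for `MobilityData/mobility-feed-api` is read from; that ownership change is worth a line in the workflow, e.g. `# Secret references come from the repository variable ONE_PASSWORD_SECRET_REFERENCES; changing it redirects which credential is used`. `id: onepw_secrets` is not referenced by any step in the hunk.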
@@ -54,16 +54,15 @@ jobs: - name: Load secrets from 1Password to be used for sending notification id: onepw_secrets - uses: 1password/load-secrets-action@v2.0.0 + uses: ./.github/actions/extract-1password-secret with: - export-env: true # Export loaded secrets as environment variables - env: - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - CREDENTIALS: "op://rbiv7rvkkrsdlpcrz3bmv7nmcu/ifkeehu5gzi7wy5ub5qvwkaire/credential" + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} # This is required to connect to the vault in our 1Password account. + VARIABLES_TO_EXTRACT: 'GITHUB_GENERIC_ACTION_CREDENTIALS' + ONE_PASSWORD_SECRET_REFERENCES: ${{ vars.ONE_PASSWORD_SECRET_REFERENCES }} - name: Send a notification to mobility-feed-api uses: peter-evans/repository-dispatch@v2 with: - token: ${{ env.CREDENTIALS }} + token: ${{ env.GITHUB_GENERIC_ACTION_CREDENTIALS }} repository: MobilityData/mobility-feed-api event-type: gtfs-validator-release diff --git a/build.gradle b/build.gradle index 2025f48341..af20fe914f 100644 --- a/build.gradle +++ b/build.gradle @@ -17,8 +17,8 @@ * A note about publishing and signing. * Maven central requires that artifacts be signed. And upload is done to Sonatype. * To publish you will need these environment variables defined: - * SONATYPE_USERNAME - * SONATYPE_PASSWORD + * SONATYPE_TOKEN_USERNAME + * SONATYPE_TOKEN_PASSWORD * MAVEN_GPG_PRIVATE_KEY * MAVEN_GPG_PASSPHRASE * Suggestion is to put these in a shell script with restricted read permissions, then source it before calling @@ -119,8 +119,8 @@ subprojects { maven { url = 'https://s01.oss.sonatype.org/service/local/staging/deploy/maven2' credentials { - username System.getenv("SONATYPE_USERNAME") - password System.getenv("SONATYPE_PASSWORD") + username System.getenv("SONATYPE_TOKEN_USERNAME") + password System.getenv("SONATYPE_TOKEN_PASSWORD") } } }
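Review bot: After the rename in the `credentials` block, a developer environment that still exports the old `SONATYPE_USERNAME`/`SONATYPE_PASSWORD` names now passes `null` for both fields without any message, because `System.getenv` returns null for an unset variable, and the problem only surfaces as an authentication failure at upload time. A short guard before the `credentials` block that throws a `GradleException` naming whichever of `SONATYPE_TOKEN_USERNAME`/`SONATYPE_TOKEN_PASSWORD` is unset would make the rename visible to anyone sourcing an old script. The header comment could also say what the new names are, e.g. `* SONATYPE_TOKEN_USERNAME / SONATYPE_TOKEN_PASSWORD (Sonatype user token, see the publishing documentation)` — whether these are user-token credentials rather than the account login is inferred from the name and should be confirmed. The enclosing `subprojects { ... maven { ... } }` block starts and ends outside the hunk.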