-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
100 lines (81 loc) · 3.63 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Pipelines Credentials
description: Fetch Pipelines Credentials
inputs:
PIPELINES_TOKEN_PATH:
required: true
FALLBACK_TOKEN:
required: true
api_base_url:
default: "https://api.prod.app.gruntwork.io/api/v1"
outputs:
PIPELINES_TOKEN:
value: ${{ steps.get_token.outputs.PIPELINES_TOKEN }}
runs:
using: composite
steps:
- name: Fetch Pipelines Token
id: get_token
uses: actions/github-script@v7
env:
FALLBACK_TOKEN: ${{ inputs.FALLBACK_TOKEN }}
PIPELINES_TOKEN_PATH: ${{ inputs.PIPELINES_TOKEN_PATH }}
API_BASE_URL: ${{ inputs.api_base_url }}
with:
script: |
try {
const aud = "https://api.prod.app.gruntwork.io"
const apiBaseURL = process.env.API_BASE_URL
const idToken = await core.getIDToken(aud)
const isRetryableError = (response) => {
return response.status >= 500 || response.status === 429
}
const loginWithRetries = async (tries) => {
const providerTokenResponse = await fetch(`${apiBaseURL}/tokens/auth/login`, {
method: "POST",
headers: {
"Authorization": `Bearer ${idToken}`
}
})
if (providerTokenResponse.ok) {
return providerTokenResponse
} else {
if (tries > 0 && isRetryableError(providerTokenResponse)) {
console.log(`Failed to get provider token: ${providerTokenResponse.status} ${providerTokenResponse.statusText}. Retrying...`)
// Random backoff between 0 and 3 seconds
await new Promise(resolve => setTimeout(resolve, Math.floor(Math.random() * 3000)))
return loginWithRetries(tries - 1)
} else {
return providerTokenResponse
}
}
}
const providerTokenResponse = await loginWithRetries(3)
if (providerTokenResponse.ok) {
const providerTokenJson = await providerTokenResponse.json()
const pipelinesTokenResponse = await fetch(`${apiBaseURL}/tokens/pat/${process.env.PIPELINES_TOKEN_PATH}`, {
method: "GET",
headers: {
"Authorization": `Bearer ${providerTokenJson.token}`
}
})
if (pipelinesTokenResponse.ok) {
const pipelinesTokenJson = await pipelinesTokenResponse.json()
console.log("Setting PIPELINES_TOKEN to GitHubApp token")
core.setOutput('PIPELINES_TOKEN', pipelinesTokenJson.token)
return
} else {
console.log(`Failed to get pipelines token: ${pipelinesTokenResponse.status} ${pipelinesTokenResponse.statusText}`)
}
} else {
console.log(`Failed to get provider token: ${providerTokenResponse.status} ${providerTokenResponse.statusText}`)
}
} catch (error) {
console.log(`Failed to get pipelines token: ${error}`)
}
console.log("Setting PIPELINES_TOKEN to fallback token")
if (! process.env.FALLBACK_TOKEN) {
const errMsg = "The pipelines-credentials GitHub Action was unable to dynamically fetch credentials using the Gruntwork.io GitHub App, and no FALLBACK_TOKEN was provided. Ensure that the Gruntwork.io app is installed, or that a FALLBACK_TOKEN is provided."
core.setFailed(errMsg)
throw new Error(errMsg)
}
core.setOutput('PIPELINES_TOKEN', process.env.FALLBACK_TOKEN.trim())