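# Composite action: resolves the infrastructure configuration that the ZeitOnline
# baseproject Terraform module stores in Vault and, on request, authenticates the
# calling job to Google Cloud, GKE, GCR / Artifact Registry and Vault.
#
# Flow (see `runs.steps` below):
#   1. build the Vault path of this baseproject instance and read its `infos` secret
#   2. re-export the JSON fields as step outputs (the action outputs read from them)
#   3. fetch and import the zon-ops GPG signing key (best effort, unconditional)
#   4. optional auth / tooling steps, each gated on an input flag
#
# Conventions:
#   * Every `run:` step receives `${{ }}` values through `env:` and reads them as
#     shell variables. Expression values are never spliced into script text, so a
#     value containing quotes or shell metacharacters cannot change the command.
#   * `vault_token` and `gcloud_access_token` are credentials. The producing
#     actions register them as masked values, but consumers of these outputs must
#     still treat them as secrets (do not write them to files or logs).
#   * Third-party actions are pinned to full commit SHAs; keep the `# vX` hint in
#     sync when bumping.
name: 'ZON Baseproject Connector'
description: 'A composite Action that fetches infrastructure config generated by the ZeitOnline baseproject Terraform module.'

inputs:
  # Project Name and Environment are mandatory and uniquely identify one
  # specific baseproject instance. Together with unique_id they form the
  # Vault path that is read below, so they are expected to be single-line
  # path components without slashes.
  project_name:
    description: 'The Name (project_name) of the ZON baseproject'
    required: true
  environment:
    description: 'The Environment in which the workflow runs'
    required: true
    default: 'production'
  unique_id:
    description: 'The unique TF baseproject identifier'
    required: false
    default: ''
  python_binary:
    description: 'Python binary to use'
    required: false
    default: 'python'
  # Authentication-related features to be used in the parent workflow.
  # Composite-action inputs are always strings, hence the quoted 'false'
  # defaults and the `== 'true'` comparisons in the step conditions.
  google_auth:
    description: 'Authenticate to Google Cloud'
    required: false
    default: 'false'
  gke_auth:
    description: 'Authenticate to GKE (Google Kubernetes Engine)'
    required: false
    default: 'false'
  gcr_auth:
    description: 'Authenticate to GCR (Google Container Registry)'
    required: false
    default: 'false'
  gar_docker_auth:
    description: 'Authenticate to Google Artifact Registry for Docker'
    required: false
    default: 'false'
  vault_export_token:
    description: 'Get a Vault Token and export it as VAULT_TOKEN'
    required: false
    default: 'false'
  python_registry:
    description: 'Setup Auth for the Google Python Artifact Registry'
    required: false
    default: 'false'
  # docker setup, both for convenience and centralization
  setup_buildx:
    description: 'Setup docker buildx. Enabling gar_docker_auth implies this; set explicitly to "false" to disable'
    required: false
    default: 'unset'

outputs:
  # Identity of the baseproject instance (echoed back from the inputs).
  project_name:
    value: ${{ steps.baseproject-config.outputs.project_name }}
  environment:
    value: ${{ steps.baseproject-config.outputs.environment }}
  unique_id:
    value: ${{ steps.baseproject-config.outputs.unique_id }}
  # Fields read from the Vault `infos` secret.
  namespace:
    value: ${{ steps.baseproject-config.outputs.namespace }}
  ci_sa_name:
    value: ${{ steps.baseproject-config.outputs.ci_sa_name }}
  wi_sa_name:
    value: ${{ steps.baseproject-config.outputs.wi_sa_name }}
  cluster_name:
    value: ${{ steps.baseproject-config.outputs.cluster_name }}
  cluster_project:
    value: ${{ steps.baseproject-config.outputs.cluster_project }}
  cluster_location:
    value: ${{ steps.baseproject-config.outputs.cluster_location }}
  vault_role:
    value: ${{ steps.baseproject-config.outputs.vault_role }}
  # Vault access. vault_token is empty unless vault_export_token is 'true'.
  vault_addr:
    value: https://vault.ops.zeit.de
  vault_token:
    value: ${{ steps.vault_token.outputs.vault_token }}
  gha_vault_path:
    value: github-actions
  gha_vault_role:
    value: ${{ steps.baseproject-config.outputs.gha_vault_role }}-${{ steps.repo_without_slash.outputs.result }}
  # Empty unless one of the google_auth/gke_auth/gcr_auth/gar_docker_auth flags is 'true'.
  gcloud_access_token:
    value: ${{ steps.output_gcloud_token.outputs.gcloud_access_token }}
  # Static outputs
  gcr_image_registry:
    value: eu.gcr.io/zeitonline-210413
  python_registry_url:
    value: https://europe-west3-python.pkg.dev/zeitonline-engineering/pypi-zon/

runs:
  using: "composite"
  steps:
    # Vault path of the `infos` secret for this baseproject instance.
    # `tr -s /` collapses the double slash left behind when unique_id is empty.
    - id: vault_path
      shell: bash
      env:
        PROJECT_NAME: ${{ inputs.project_name }}
        ENVIRONMENT: ${{ inputs.environment }}
        UNIQUE_ID: ${{ inputs.unique_id }}
      run: echo "result=zon-v2/data/baseproject/${PROJECT_NAME}/${ENVIRONMENT}/${UNIQUE_ID}/infos" | tr -s / >> "$GITHUB_OUTPUT"

    # The `raw` output holds the whole `infos` secret as a JSON document.
    - name: Retrieve Baseproject Environment Config from Vault
      id: raw-config
      uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
      with:
        url: https://vault.ops.zeit.de
        method: jwt
        path: github-actions
        role: gha-baseproject
        secrets: |
          ${{ steps.vault_path.outputs.result }} raw;

    - id: baseproject-config
      shell: bash
      # Right now this is the only known way to pass outputs from a JSON value as outputs from
      # a composite action (hypothesis: between here and any outputs.xy.value, some JSON auto-
      # detection mambo-jambo kicks in and converts the JSON to an internal map-like data
      # structure from which it's impossible (or at least unclear) how to get individual fields).
      #
      # The fields are resolved in `env:` so that Vault-provided strings never become script
      # text. They are expected to be single-line: a value containing a newline would be able
      # to append further key=value pairs to $GITHUB_OUTPUT.
      env:
        PROJECT_NAME: ${{ inputs.project_name }}
        ENVIRONMENT: ${{ inputs.environment }}
        UNIQUE_ID: ${{ inputs.unique_id }}
        NAMESPACE: ${{ fromJSON(steps.raw-config.outputs.raw).namespace }}
        CI_SA_NAME: ${{ fromJSON(steps.raw-config.outputs.raw).ci-sa-name }}
        WI_SA_NAME: ${{ fromJSON(steps.raw-config.outputs.raw).wi-sa-name }}
        CLUSTER_NAME: ${{ fromJSON(steps.raw-config.outputs.raw).cluster-name }}
        CLUSTER_PROJECT: ${{ fromJSON(steps.raw-config.outputs.raw).cluster-project }}
        CLUSTER_LOCATION: ${{ fromJSON(steps.raw-config.outputs.raw).cluster-location }}
        VAULT_ROLE: ${{ fromJSON(steps.raw-config.outputs.raw).vault-role }}
        GHA_VAULT_ROLE: ${{ fromJSON(steps.raw-config.outputs.raw).gha-vault-role }}
      run: |
        {
          echo "project_name=${PROJECT_NAME}"
          echo "environment=${ENVIRONMENT}"
          # unique_id is declared in `outputs:` above and has to be written here
          # like the other identity fields, otherwise the output is always empty.
          echo "unique_id=${UNIQUE_ID}"
          echo "namespace=${NAMESPACE}"
          echo "ci_sa_name=${CI_SA_NAME}"
          echo "wi_sa_name=${WI_SA_NAME}"
          echo "cluster_name=${CLUSTER_NAME}"
          echo "cluster_project=${CLUSTER_PROJECT}"
          echo "cluster_location=${CLUSTER_LOCATION}"
          echo "vault_role=${VAULT_ROLE}"
          echo "gha_vault_role=${GHA_VAULT_ROLE}"
        } >> "$GITHUB_OUTPUT"

    # The zon-ops signing key is fetched and imported into the global git config on
    # every run of this action, independent of any input flag. NOTE(review): consider
    # gating these two steps on an input if not every consumer needs signed commits.
    - name: Retrieve zon-ops GitHub user GPG key
      id: zon-ops-gpg
      uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
      with:
        url: https://vault.ops.zeit.de
        method: jwt
        path: github-actions
        role: gha-baseproject
        secrets: zon/v1/github/zon-ops gpg_key_private

    - name: Import GPG key for zon-ops user
      uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6
      # Best effort: an import failure does not fail the job, but commits made
      # afterwards are then unsigned without any further warning from this action.
      continue-on-error: true
      with:
        gpg_private_key: ${{ steps.zon-ops-gpg.outputs.gpg_key_private }}
        git_user_signingkey: true
        git_commit_gpgsign: true
        # git_tag_gpgsign: true
        git_config_global: true

    # Keyless (Workload Identity Federation) login as the baseproject's CI service
    # account. Runs when any of the Google-related flags is set.
    - name: GCloud OIDC Auth
      id: auth
      if: inputs.google_auth == 'true' || inputs.gke_auth == 'true' || inputs.gcr_auth == 'true' || inputs.gar_docker_auth == 'true'
      uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2
      with:
        token_format: 'access_token'
        workload_identity_provider: projects/161854031382/locations/global/workloadIdentityPools/github-pool/providers/github-actions-provider
        service_account: ${{ steps.baseproject-config.outputs.ci_sa_name }}

    # Skipped (output stays empty) when the auth step above did not run.
    - name: Set GCloud Access Token as output
      id: output_gcloud_token
      if: steps.auth.outputs.access_token != ''
      shell: bash
      env:
        ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
      run: echo "gcloud_access_token=${ACCESS_TOKEN}" >> "$GITHUB_OUTPUT"

    - name: Write GKE Credentials to kubeconfig
      if: inputs.gke_auth == 'true'
      uses: google-github-actions/get-gke-credentials@9025e8f90f2d8e0c3dafc3128cc705a26d992a6a # v2.3.0
      with:
        cluster_name: ${{ steps.baseproject-config.outputs.cluster_name }}
        project_id: ${{ steps.baseproject-config.outputs.cluster_project }}
        location: ${{ steps.baseproject-config.outputs.cluster_location }}

    # Make the baseproject namespace the default for subsequent kubectl calls.
    - if: inputs.gke_auth == 'true'
      shell: bash
      env:
        NAMESPACE: ${{ steps.baseproject-config.outputs.namespace }}
      run: kubectl config set-context --current --namespace="${NAMESPACE}"

    - name: Login to GCR
      if: inputs.gcr_auth == 'true'
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
      with:
        registry: eu.gcr.io
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

    - name: Login to Docker GAR
      if: inputs.gar_docker_auth == 'true'
      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
      with:
        registry: europe-west3-docker.pkg.dev
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

    # "owner/repo" -> "owner-repo"; used as suffix of the per-repository Vault role.
    - id: repo_without_slash
      shell: bash
      env:
        REPOSITORY: ${{ github.repository }}
      run: echo "result=${REPOSITORY}" | tr -s / - >> "$GITHUB_OUTPUT"

    # Logs in with the per-repository role and exports the token as VAULT_TOKEN
    # into the job environment, where the next step picks it up.
    - name: Export a Vault token
      id: vault-export-token
      if: inputs.vault_export_token == 'true'
      uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
      with:
        url: https://vault.ops.zeit.de
        method: jwt
        path: github-actions
        role: ${{ steps.baseproject-config.outputs.gha_vault_role }}-${{ steps.repo_without_slash.outputs.result }}
        exportToken: true
        secrets: sys/auth "token/" # Because the action needs to read something and Token auth is always there

    # Runs unconditionally: VAULT_TOKEN is unset unless the step above ran, in which
    # case the output is the empty string.
    - id: vault_token
      shell: bash
      run: echo "vault_token=${VAULT_TOKEN}" >> "$GITHUB_OUTPUT"

    - name: Setup Python Artifact Registry
      id: python-registry
      if: inputs.python_registry == 'true'
      shell: bash
      env:
        PYTHON_BINARY: ${{ inputs.python_binary }}
      # PYTHON_BINARY is expanded unquoted on purpose so that a value carrying
      # flags keeps working as before.
      # NOTE(review): the packages are installed unpinned with --upgrade, so every
      # run pulls the latest releases; pin versions or add a constraints file if
      # reproducible installs matter to the consumer.
      run: |
        ${PYTHON_BINARY} -m pip install --upgrade --upgrade-strategy eager setuptools twine keyrings.google-artifactregistry-auth

    # Resolve the tri-state setup_buildx input ('unset' / 'true' / 'false'):
    # gar_docker_auth implies buildx unless it was explicitly disabled.
    - name: Parse setup docker buildx input
      shell: bash
      env:
        SETUP_BUILDX: ${{ inputs.setup_buildx }}
        GAR_DOCKER_AUTH: ${{ inputs.gar_docker_auth }}
      run: |
        setup_buildx="${SETUP_BUILDX}"
        if [[ "$setup_buildx" != "false" && "${GAR_DOCKER_AUTH}" = "true" ]]; then
          setup_buildx="true"
        fi
        # Written to GITHUB_ENV rather than GITHUB_OUTPUT because the `if:` of the
        # following steps reads env.setup_buildx. The variable therefore also stays
        # visible to the caller's later steps.
        echo "setup_buildx=$setup_buildx" >> "$GITHUB_ENV"

    - name: Setup docker buildx container
      if: env.setup_buildx == 'true'
      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      with:
        # buildkitd TOML config: verbose daemon logs and the GCR pull-through
        # mirror for Docker Hub.
        buildkitd-config-inline: |
          debug = true
          [registry."docker.io"]
            mirrors = ["https://mirror.gcr.io"]

    # Support `docker buildx build --cache-{from,to} type=gha` directly,
    # and not just via docker/build-push-action.
    - name: Setup docker buildx environment
      if: env.setup_buildx == 'true'
      uses: crazy-max/ghaction-github-runtime@b3a9207c0e1ef41f4cf215303c976869d0c2c1c4 # v3.0.0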