ci: pull secrets from Vault in nomad-enterprise (#17841)

Daniel Bennett 2023-07-07 14:27:12 -05:00 committed by GitHub
parent 4452f0623b
commit 30a99926dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 84 additions and 9 deletions


@ -0,0 +1,23 @@
name: vault-secrets
description: 'pull secrets from CI Vault into environment vars'
inputs:
paths:
description: 'vault-action secrets input'
required: true
runs:
using: composite
steps:
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
shell: bash
- name: Retrieve Vault-hosted Secrets
if: endsWith(github.repository, '-enterprise')
id: vault
uses: hashicorp/vault-action@v2.4.3
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: ${{ inputs.paths }}
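Review bot: `uses: hashicorp/vault-action@v2.4.3` references a movable tag, while every other third-party action touched by this commit is pinned to a full commit SHA with the version kept in a trailing comment (the checkout and slack-github-action lines in the workflow files). A step that receives a Vault token and writes the retrieved secrets into the job environment is the last place to accept a mutable reference; change it to `uses: hashicorp/vault-action@<commit-sha-for-v2.4.3> # v2.4.3` (placeholder, resolve the SHA from the upstream tag). A comment above the step stating that the retrieved values are exported as environment variables to every later step of the calling job would also help, since that is the contract the workflows in this commit rely on through `env.<NAME>` and the action declares no outputs of its own.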


@ -38,6 +38,11 @@ jobs:
if: always() && needs.backport.result == 'failure' if: always() && needs.backport.result == 'failure'
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ;
- name: Send slack notification on failure - name: Send slack notification on failure
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
with: with:
@ -70,8 +75,8 @@ jobs:
] ]
} }
env: env:
SLACK_WEBHOOK_URL: ${{ secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }} SLACK_WEBHOOK_URL: ${{ env.SLACK_FEED_NOMAD || secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
permissions: permissions:
contents: read contents: read
id-token: write
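Review bot: The `|| secrets.BACKPORT_ASSISTANT_FAILURE_SLACK` fallback on the SLACK_WEBHOOK_URL line only covers the case where the vault-secrets steps are skipped on the non-enterprise repo; if the Vault auth or retrieval step fails on the enterprise repo, the job stops before the notification step, so a backport failure is reported nowhere even though this job exists to report it (`if: always() && needs.backport.result == 'failure'`). Since a repository secret is kept as a fallback anyway, mark the `./.github/actions/vault-secrets` step in this notification job `continue-on-error: true` so the `||` expression can actually reach it. Whether the secret-based fallback is meant to stay available on the enterprise repo is not visible here; if it is being retired, the `||` should go with it.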


@ -247,6 +247,14 @@ jobs:
with: with:
ref: ${{ github.event.inputs.build-ref }} ref: ${{ github.event.inputs.build-ref }}
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- name: Setup go - name: Setup go
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
with: with:
@ -324,3 +332,4 @@ jobs:
permissions: permissions:
contents: read contents: read
id-token: write
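Review bot: The `Git config token` step is gated on the repository name rather than on the token actually being present, so on the enterprise repo an empty or missing `ELEVATED_GITHUB_TOKEN` (for example the Vault path returning nothing) silently writes `https://@github.com` into the global git config and every later fetch fails with an opaque credential error; the step it replaces in the release workflow guarded on `-n "${{ secrets.ELEVATED_GITHUB_TOKEN }}"` instead. The token is also expanded by the `${{ }}` expression into the command text rather than read by the shell; if the composite action exports the value to the environment as its description says, the `run:` script can reference `"$ELEVATED_GITHUB_TOKEN"` directly, which keeps the value out of the rendered command and lets the step check for emptiness before touching git config. The same step is duplicated verbatim in the sections containing `make check`, `Invoke build workflow`, `make test-nomad` and `make e2e-test`, so the change applies to each of them. The enclosing job starts above the hunk.

```yaml
      - name: Git config token
        if: endsWith(github.repository, '-enterprise')
        run: |-
          if [ -z "$ELEVATED_GITHUB_TOKEN" ]; then
            echo "ELEVATED_GITHUB_TOKEN is empty; Vault retrieval did not export it" >&2
            exit 1
          fi
          git config --global url."https://${ELEVATED_GITHUB_TOKEN}@github.com".insteadOf "https://github.com"
      # … unchanged: Setup go step …
```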


@ -26,6 +26,13 @@ jobs:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
with: with:
fetch-depth: 0 # needs tags for checkproto fetch-depth: 0 # needs tags for checkproto
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: hashicorp/setup-golang@v1 - uses: hashicorp/setup-golang@v1
- name: Run make check - name: Run make check
run: | run: |
@ -34,3 +41,4 @@ jobs:
make check make check
permissions: permissions:
contents: read contents: read
id-token: write


@ -53,11 +53,15 @@ jobs:
exit 1 exit 1
fi fi
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Setup Git - uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- name: Git config user/name
run: |- run: |-
if [ -n "${{ secrets.ELEVATED_GITHUB_TOKEN }}" ]; then
git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com"
fi
git config --global user.email "github-team-nomad-core@hashicorp.com" git config --global user.email "github-team-nomad-core@hashicorp.com"
git config --global user.name "hc-github-team-nomad-core" git config --global user.name "hc-github-team-nomad-core"
@ -141,7 +145,7 @@ jobs:
- name: Invoke build workflow - name: Invoke build workflow
id: invoke-build id: invoke-build
env: env:
GH_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }} GH_TOKEN: ${{ env.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
run: | run: |
gh workflow run build.yml --ref ${{ github.ref_name }} --field build-ref=${{ steps.commit-change-push.outputs.build-ref }} --field make-prerelease=false gh workflow run build.yml --ref ${{ github.ref_name }} --field build-ref=${{ steps.commit-change-push.outputs.build-ref }} --field make-prerelease=false
@ -205,3 +209,4 @@ jobs:
permissions: permissions:
contents: write contents: write
id-token: write


@ -53,6 +53,13 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: hashicorp/setup-golang@v1 - uses: hashicorp/setup-golang@v1
- name: Get Go modules - name: Get Go modules
run: | run: |
@ -120,3 +127,4 @@ jobs:
sudo -E env "PATH=$PATH" make test-nomad sudo -E env "PATH=$PATH" make test-nomad
permissions: permissions:
contents: read contents: read
id-token: write


@ -39,9 +39,17 @@ jobs:
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }} runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: hashicorp/setup-golang@v1 - uses: hashicorp/setup-golang@v1
- run: make deps - run: make deps
- run: make integration-test - run: make integration-test
- run: make e2e-test - run: make e2e-test
permissions: permissions:
contents: read contents: read
id-token: write


@ -72,9 +72,13 @@ jobs:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./.github/actions/setup-js - uses: ./.github/actions/setup-js
- uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0 - uses: browser-actions/setup-chrome@c485fa3bab6be59dce18dbc18ef6ab7cbc8ff5f1 # v1.2.0
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/teams/nomad/ui PERCY_TOKEN ;
- name: ember exam - name: ember exam
env: env:
PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }} PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }}
PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }} PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }} run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }}
@ -90,10 +94,15 @@ jobs:
steps: steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: ./.github/actions/setup-js - uses: ./.github/actions/setup-js
- uses: ./.github/actions/vault-secrets
with:
paths: |-
kv/data/teams/nomad/ui PERCY_TOKEN ;
- name: finalize - name: finalize
env: env:
PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }} PERCY_TOKEN: ${{ env.PERCY_TOKEN || secrets.PERCY_TOKEN }}
PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }} PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
run: yarn percy build:finalize run: yarn percy build:finalize
permissions: permissions:
contents: read contents: read
id-token: write
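Review bot: The first hunk adds the vault-secrets step to the ember-exam matrix job, but the `id-token: write` grant in this section appears only under the finalize job's `permissions` block in the second hunk; the ember-exam job's `permissions` block is outside the hunk, so confirm it receives the same grant, otherwise Vault authentication presumably fails there on the enterprise repo while continuing to work in finalize. If the `vault-auth` helper does not use the runner's OIDC token at all, the grant is unnecessary in both jobs and should be dropped rather than copied; which mechanism it uses is not visible in this commit. Both hunks also repeat the same `paths:` string, and a short comment above it such as `# Percy project token for the enterprise UI tests` would help whoever rotates that Vault entry next.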