CI: refer to repo secrets in an early secret step #17690

Closed
wants to merge 3 commits into from
40 changes: 37 additions & 3 deletions .github/workflows/backport.yml
Expand Up @@ -13,6 +13,23 @@ jobs:
runs-on: ubuntu-latest
container: hashicorpdev/backport-assistant:0.2.3
steps:
# retrieve secrets from Vault (ENT-only right now)
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
- name: Fetch Secrets
if: endsWith(github.repository, '-enterprise')
id: secrets
uses: hashicorp/[email protected]
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
exportEnv: false
secrets: |
kv/data/github/hashicorp/${{ github.repository }}/gha ELEVATED_GITHUB_TOKEN ;

- name: Backport changes to stable-website
run: |
backport-assistant backport -merge-method=squash -automerge
Expand All @@ -21,7 +38,7 @@ jobs:
BACKPORT_TARGET_TEMPLATE: "stable-{{.target}}"
# Enabling this option increased the number of backport failures.
BACKPORT_MERGE_COMMIT: false
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
- name: Backport changes to targeted release branch
run: |
backport-assistant backport -merge-method=squash -automerge
Expand All @@ -30,13 +47,30 @@ jobs:
BACKPORT_TARGET_TEMPLATE: "release/{{.target}}"
# Enabling this option increased the number of backport failures.
BACKPORT_MERGE_COMMIT: false
GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
handle-failure:
needs:
- backport
if: always() && needs.backport.result == 'failure'
runs-on: ubuntu-latest
steps:
# retrieve secrets from Vault (ENT-only right now)
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
- name: Fetch Secrets
if: endsWith(github.repository, '-enterprise')
id: secrets
uses: hashicorp/[email protected]
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
exportEnv: false
secrets: |
kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ;

- name: Send slack notification on failure
uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
with:
Expand Down Expand Up @@ -69,7 +103,7 @@ jobs:
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}
SLACK_WEBHOOK_URL: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.SLACK_FEED_NOMAD || secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
permissions:
contents: read
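Review bot: The `handle-failure` job (from L76) runs `run: vault-auth` on a bare `runs-on: ubuntu-latest` with no `container:`, whereas the identical step in the `backport` job runs inside `hashicorpdev/backport-assistant:0.2.3`; if `vault-auth` is provided by that container rather than by the enterprise runner image, the new step fails on ENT before the Slack notification is ever sent. Worth confirming where the binary comes from, or giving `handle-failure` the same `container:`. Separately, the `endswith(...) && steps.secrets.outputs.X || secrets.X` form at L66, L75 and L107 also falls back to the repository secret when the Vault output is an empty string, so an empty or missing key in Vault on ENT is silently papered over instead of surfacing; a comment on the first use such as `# CE: the Fetch Secrets step is skipped, its output is empty and the repo secret is used` would make the intended scope of the fallback explicit. The `backport` job's header and the `permissions:` block continue outside the hunks.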
26 changes: 22 additions & 4 deletions .github/workflows/release.yml
Expand Up @@ -33,6 +33,27 @@ jobs:
echo "::error::Workflow not allowed to run from ${{ github.ref_name }}"
exit 1

# retrieve secrets from Vault (ENT-only right now)
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
- name: Fetch Secrets
if: endsWith(github.repository, '-enterprise')
id: secrets
uses: hashicorp/[email protected]
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
exportEnv: false
secrets: |
kv/data/github/hashicorp/${{ github.repository }}/gha ELEVATED_GITHUB_TOKEN ;
- name: Setup git (ent)
if: endsWith(github.repository, '-enterprise')
run: |-
git config --global url."https://${{ steps.secrets.outputs.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com"

- name: Print release info
run: |-
echo "::notice::Release v${{ github.event.inputs.version }} from branch ${{ github.ref_name }}"
Expand All @@ -55,9 +76,6 @@ jobs:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: Setup Git
run: |-
if [ -n "${{ secrets.ELEVATED_GITHUB_TOKEN }}" ]; then
git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com"
fi
git config --global user.email "[email protected]"
git config --global user.name "hc-github-team-nomad-core"

Expand Down Expand Up @@ -141,7 +159,7 @@ jobs:
- name: Invoke build workflow
id: invoke-build
env:
GH_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
GH_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
run: |
gh workflow run build.yml --field build-ref=${{ steps.commit-change-push.outputs.build-ref }} --field make-prerelease=false

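Review bot: The new `Setup git (ent)` step at L134–L137 drops the `-n` guard that the removed block at L146–L148 had, so an empty `steps.secrets.outputs.ELEVATED_GITHUB_TOKEN` would install `url."https://:@github.com/".insteadOf`, which breaks even anonymous fetches rather than falling through. It also splices the token into the `run:` script text via `${{ }}`; passing it through `env:` and expanding `$ELEVATED_GITHUB_TOKEN` in the shell keeps the value out of the generated script and out of any error output that echoes the command. The removed block sat next to `actions/checkout` in the hunk at old line 55 while the new step sits in the hunk at old line 33; the job names are outside both hunks, and if these are different jobs the `git config --global` written here never reaches the runner that does the checkout and push. The enclosing jobs start and end outside the hunks.
```yaml
- name: Setup git (ent)
  if: endsWith(github.repository, '-enterprise')
  env:
    ELEVATED_GITHUB_TOKEN: ${{ steps.secrets.outputs.ELEVATED_GITHUB_TOKEN }}
  run: |-
    # Same guard the pre-existing CE block had: never configure an empty credential.
    if [ -n "$ELEVATED_GITHUB_TOKEN" ]; then
      git config --global url."https://${ELEVATED_GITHUB_TOKEN}:@github.com/".insteadOf "https://github.com"
    fi
# … unchanged: Print release info step …
```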
38 changes: 36 additions & 2 deletions .github/workflows/test-ui.yml
Expand Up @@ -70,12 +70,29 @@ jobs:
partition: [1, 2, 3, 4]
split: [4]
steps:
# retrieve secrets from Vault (ENT-only right now)
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
- name: Fetch Secrets
if: endsWith(github.repository, '-enterprise')
id: secrets
uses: hashicorp/[email protected]
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
exportEnv: false
secrets: |
kv/data/teams/nomad/ui PERCY_TOKEN ;

- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: yarn install
run: yarn install --frozen-lockfile
- name: ember exam
env:
PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }}
PERCY_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.PERCY_TOKEN || secrets.PERCY_TOKEN }}
PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }}
finalize:
Expand All @@ -88,12 +105,29 @@ jobs:
- pre-test
- tests
steps:
# retrieve secrets from Vault (ENT-only right now)
- name: Authenticate to Vault
if: endsWith(github.repository, '-enterprise')
id: vault-auth
run: vault-auth
- name: Fetch Secrets
if: endsWith(github.repository, '-enterprise')
id: secrets
uses: hashicorp/[email protected]
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
exportEnv: false
secrets: |
kv/data/teams/nomad/ui PERCY_TOKEN ;

- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: yarn install
run: yarn install --frozen-lockfile
- name: finalize
env:
PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }}
PERCY_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.PERCY_TOKEN || secrets.PERCY_TOKEN }}
PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
run: yarn percy build:finalize
permissions:
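Review bot: The 17-line Vault block at L168–L184 is repeated verbatim at L199–L215, and the same lines appear twice in backport.yml and once in release.yml, so the ENT gate, the action pin and `exportEnv: false` now have to be kept in sync in five places; a local composite action taking the `secrets:` spec as an input would leave one copy to audit. In the `tests` job the block also runs once per matrix leg (`partition: [1, 2, 3, 4]`), which is presumably acceptable but means four separate Vault logins per workflow run. Fetching per job is nonetheless the right shape, since step outputs do not cross jobs and GitHub drops job outputs that carry secret values; the existing comment could say so, e.g. `# retrieve secrets from Vault (ENT-only right now); fetched per job because secret values cannot be forwarded through job outputs`. The `tests` and `finalize` job headers are outside the hunks.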