# Copyright 2022 Chainguard, Inc.
# SPDX-License-Identifier: Apache-2.0
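name: 'Setup chainctl'
description: |
  This action sets up the Chainguard chainctl CLI and authenticates
  it against the target environment.
inputs:
  environment:
    description: |
      Determines the environment from which to download the chainctl
      binary. The value is spliced into the download host
      (https://dl.<environment>/...), so it must be a bare hostname.
    required: true
    default: enforce.dev
  identity:
    description: |
      The id of the identity that this workflow should assume for
      performing actions with chainctl.
    required: false
  audience:
    description: |
      Specifies the identity token audience to use when creating an
      identity token to authenticate with Chainguard.
      Defaults to issuer.${environment}
      This field is DEPRECATED, use identity instead.
    required: false
  invite-code:
    description: |
      Optionally specifies an invite code that allows this workflow to
      register itself when run for the first time. This path requests a
      GitHub OIDC token, so the calling job needs `permissions: id-token: write`.
      Use of invite codes is DEPRECATED, use identity instead.
    required: false
  verbosity:
    description: |
      Set the logging verbosity for chainctl. A value of 0 disables
      logging output. Valid values are 1-5, increasing in verbosity.
    required: false
    # Quoted so generic YAML tooling keeps it a string; GitHub hands every
    # input to steps as a string anyway, so this is behaviour-neutral.
    default: '0'
  config-path:
    description: |
      The location of the chainctl config file to use. These values
      override the default configuration values in the binary.
    required: false
    default: ''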
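runs:
  using: "composite"
  steps:
    - name: Install chainctl
      shell: bash
      # Action inputs reach the script through `env:`, never through `${{ }}`
      # inside `run:`. Expression values are substituted as raw text before
      # bash starts, so a value containing shell metacharacters would be
      # executed (GitHub's script-injection guidance). $RUNNER_OS and
      # $RUNNER_ARCH are GitHub's default env vars for runner.os/runner.arch.
      env:
        ENVIRONMENT: ${{ inputs.environment }}
      run: |
        # The environment becomes the download host; anything other than
        # hostname characters would change where the binary is fetched from.
        if [[ ! "${ENVIRONMENT}" =~ ^[A-Za-z0-9.-]+$ ]]; then
          echo "::error::invalid environment '${ENVIRONMENT}': expected a hostname such as enforce.dev"
          exit 1
        fi
        cd "$(mktemp -d)"
        # Massage GitHub's values to the ones we expect.
        # https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
        os=$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')
        if [[ "${os}" == "macos" ]]; then
          os="darwin"
        fi
        arch="${RUNNER_ARCH}"
        if [[ "${arch}" == "X64" ]]; then
          arch="x86_64"
        elif [[ "${arch}" == "ARM64" ]]; then
          arch="arm64"
        fi
        url="https://dl.${ENVIRONMENT}/chainctl/latest/chainctl_${os}_${arch}"
        out="chainctl"
        if [[ "${os}" == "windows" ]]; then
          url="${url}.exe"
          out="${out}.exe"
        fi
        echo "Downloading chainctl from ${url}"
        # NOTE(review): this fetches an unpinned "latest" build and performs no
        # checksum or signature verification, so integrity rests entirely on
        # TLS to dl.<environment>. --proto/--proto-redir stop -L from following
        # a redirect down to plain HTTP. Pin a version and verify the artifact
        # if your threat model requires it.
        curl -o "./${out}" -fsSL --proto '=https' --proto-redir '=https' \
          --retry 5 --retry-delay 1 "${url}"
        chmod +x "./${out}"
        echo "$(pwd)" >> "${GITHUB_PATH}"
    - name: Authenticate with Chainguard (assumed identity)
      shell: bash
      if: ${{ inputs.identity != '' }}
      env:
        CHAINCTL_DEBUG: "true"
        VERBOSITY: ${{ inputs.verbosity }}
        IDENTITY: ${{ inputs.identity }}
        CHAINCTL_CONFIG: ${{ inputs.config-path }}
      run: |
        # Read $IDENTITY/$VERBOSITY from the env: block above rather than
        # re-interpolating `${{ env.* }}` into the script, so the values are
        # never re-parsed by bash.
        if chainctl auth login --identity "${IDENTITY}" -v="${VERBOSITY}"; then
          echo "Logged in as ${IDENTITY}!"
        else
          echo "Unable to assume the identity ${IDENTITY}."
          exit 1
        fi
        if ! chainctl auth configure-docker --identity "${IDENTITY}" -v="${VERBOSITY}"; then
          echo "Unable to register credential helper as ${IDENTITY}."
          exit 1
        fi
    - name: Authenticate with Chainguard (DEPRECATED invite-code)
      shell: bash
      if: ${{ inputs.invite-code != '' }}
      env:
        CHAINGUARD_INVITE_CODE: ${{ inputs.invite-code }}
        CHAINCTL_DEBUG: "true"
        VERBOSITY: ${{ inputs.verbosity }}
        ENVIRONMENT: ${{ inputs.environment }}
        AUDIENCE: ${{ inputs.audience }}
      run: |
        echo "::warning::The use of invite codes with Github actions is deprecated, use assumed identities instead."
        if [[ -z "${AUDIENCE}" ]]; then
          AUDIENCE="issuer.${ENVIRONMENT}"
        fi
        # The OIDC request URL and bearer token are only populated when the job
        # has `permissions: id-token: write`; fail with a clear message instead
        # of issuing a malformed request.
        if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
          echo "::error::GitHub OIDC token is unavailable; grant 'id-token: write' to this job."
          exit 1
        fi
        # -f makes an HTTP error fail the pipeline instead of feeding an error
        # body to jq; -G/--data-urlencode appends the audience as a properly
        # encoded query parameter to the request URL (which already carries a
        # query string).
        IDTOKEN=$(curl -fsS -G --data-urlencode "audience=${AUDIENCE}" \
          -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')
        # jq prints the literal string "null" when .value is absent.
        if [[ -z "${IDTOKEN}" || "${IDTOKEN}" == "null" ]]; then
          echo "::error::Failed to obtain a GitHub OIDC token for audience ${AUDIENCE}."
          exit 1
        fi
        # NOTE(review): the token is passed as a command-line argument, so it is
        # visible to other processes on the runner for the life of this call.
        # This will start failing once the invite code expires, which is why we
        # have the login guard.
        if chainctl auth login --create-group=false --identity-token "${IDTOKEN}" --invite-code="${CHAINGUARD_INVITE_CODE}" -v="${VERBOSITY}"; then
          echo "Logged in!"
        else
          echo "Failed to log in with invite code"
          exit 1
        fi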