diff --git a/.github/scripts/load-public-vars.sh b/.github/scripts/load-public-vars.sh
index e194818fe..56b32b598 100644
--- a/.github/scripts/load-public-vars.sh
+++ b/.github/scripts/load-public-vars.sh
@@ -26,6 +26,8 @@ function cleanup {
 }
 trap cleanup EXIT
+docker pull ghcr.io/opensource-observer/oso-public-vars:latest
+
 # Download the public vars
 docker container create --name public-vars ghcr.io/opensource-observer/oso-public-vars:latest /bin/sh
@@ -35,9 +37,9 @@ docker cp public-vars:/public/. "${temp_dir}"
 docker rm public-vars
-export $(cat "${temp_dir}/vars.env" | xargs)
 set_if_not_exists() {
+ export $(cat "${temp_dir}/vars.env" | xargs)
 var_name=$1
 dest=$2
 public_var_name="PUBLIC_${var_name}"
diff --git a/.github/workflows/ci-default.yml b/.github/workflows/ci-default.yml
index 5811c3f8a..2fc99a800 100644
--- a/.github/workflows/ci-default.yml
+++ b/.github/workflows/ci-default.yml
@@ -75,7 +75,8 @@ jobs:
 NEXT_PUBLIC_FEEDBACK_FARM_ID \
 GOOGLE_TEST_DUMMY_CREDENTIALS_JSON \
 X_GITHUB_GRAPHQL_API \
- GOOGLE_PROJECT_ID
+ GOOGLE_PROJECT_ID \
+ PUBLIC_VARS_TEST
 - name: Setup pnpm
 uses: pnpm/action-setup@v2
diff --git a/.github/workflows/refresh-test-credentials.yml b/.github/workflows/refresh-test-credentials.yml
index 9e360ac5f..d5ef23b71 100644
--- a/.github/workflows/refresh-test-credentials.yml
+++ b/.github/workflows/refresh-test-credentials.yml
@@ -53,7 +53,7 @@ jobs:
 shell: bash
 run: |
 cd ops/external-prs &&
- gcloud iam service-accounts keys create dummy.json --iam-account=oso-test-dummy@oso-pull-requests.iam.gserviceaccount.com &&
+ bash scripts/rotate-service-account.sh oso-test-dummy@oso-pull-requests.iam.gserviceaccount.com dummy.json &&
 pnpm tools refresh-gcp-credentials --secret=false ${{ github.repository }} testing dummy.json GOOGLE_TEST_DUMMY_CREDENTIALS_JSON
 # These credentials are intended to be secret
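Review bot: `docker pull ghcr.io/opensource-observer/oso-public-vars:latest` fetches a mutable tag, so the variables loaded into CI are whatever was most recently pushed under `latest`, and the `docker container create` line below it resolves the same reference. Pinning the image by digest, `ghcr.io/opensource-observer/oso-public-vars@sha256:<digest>` (placeholder), makes the pull reproducible and turns a change of image contents into a visible diff of this script. Whichever reference is chosen, the pull line and the create line should use the same one.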
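Review bot: `export $(cat "${temp_dir}/vars.env" | xargs)` now runs on every call of `set_if_not_exists`, and the unquoted command substitution word-splits and glob-expands the file contents, so a value containing spaces, `*` or `#` is exported wrong or silently dropped, and xargs additionally strips quotes and backslashes. Reading the file line by line and exporting each assignment as one word avoids that; this assumes vars.env holds plain `NAME=value` lines, which the hunk does not show. The body of `set_if_not_exists` continues outside the hunk.
```shell
set_if_not_exists() {
  # Export NAME=value lines one at a time so values keep their spaces and
  # glob characters (assumes plain NAME=value lines in vars.env).
  while IFS= read -r assignment || [[ -n "$assignment" ]]; do
    if [[ -z "$assignment" || "$assignment" == \#* ]]; then
      continue
    fi
    export "$assignment"
  done < "${temp_dir}/vars.env"
  # … unchanged: var_name / dest / public_var_name handling …
```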
@@ -61,17 +61,18 @@ jobs:
 shell: bash
 run: |
 cd ops/external-prs &&
- gcloud iam service-accounts keys create bigquery-admin.json --iam-account=bigquery-admin@oso-pull-requests.iam.gserviceaccount.com &&
+ bash scripts/rotate-service-account.sh bigquery-admin@oso-pull-requests.iam.gserviceaccount.com bigquery-admin.json &&
 pnpm tools refresh-gcp-credentials ${{ github.repository }} external-prs-app bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON
 rebuild-docker-public-vars:
 name: rebuild-docker-public-vars
 environment: testing
 runs-on: ubuntu-latest
+
 permissions:
 packages: write
+
 env:
- DOCKER_PLATFORM: "amd64"
 # Frontend variables
 NODE_ENV: ${{ vars.NODE_ENV }}
 PLASMIC_PROJECT_ID: ${{ vars.PLASMIC_PROJECT_ID }}
@@ -86,12 +87,20 @@ jobs:
 # Indexer variables
 X_GITHUB_GRAPHQL_API: ${{ vars.X_GITHUB_GRAPHQL_API }}
 GOOGLE_PROJECT_ID: "opensource-observer"
+ PUBLIC_VARS_TEST: "THISISATEST"
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
 with:
 fetch-depth: 1
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Write public vars
 run: |
 bash .github/scripts/save-public-vars.sh ${{ github.sha }} \
@@ -104,4 +113,5 @@ jobs:
 NEXT_PUBLIC_FEEDBACK_FARM_ID \
 GOOGLE_TEST_DUMMY_CREDENTIALS_JSON \
 X_GITHUB_GRAPHQL_API \
- GOOGLE_PROJECT_ID
\ No newline at end of file
+ GOOGLE_PROJECT_ID \
+ PUBLIC_VARS_TEST
\ No newline at end of file
diff --git a/ops/external-prs/scripts/rotate-service-account.sh b/ops/external-prs/scripts/rotate-service-account.sh
new file mode 100644
index 000000000..44c9fd00e
--- /dev/null
+++ b/ops/external-prs/scripts/rotate-service-account.sh
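Review bot: `uses: docker/login-action@v3` in the @@ -86 hunk references a mutable major-version tag, so the step that is handed `secrets.GITHUB_TOKEN` runs whatever that tag points to at run time; the pre-existing `actions/checkout@v3` in the same hunk has the same property. Pin third-party actions to a full commit SHA and keep the version in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3` (placeholder), so that updates to the action become explicit, reviewable changes. The added `PUBLIC_VARS_TEST: "THISISATEST"` and the blank lines around `permissions:` look fine.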
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -euo pipefail
+# This would have been a javascript script but it's non-trivial there compared to
+# bash.
+
+iam_account=$1
+output_file=$2
+
+temp_dir=`mktemp -d`
+
+
+list_keys() {
+ iam_account=$1
+ gcloud iam service-accounts keys list --format=json --iam-account="${iam_account}"
+}
+
+create_key() {
+ iam_account=$1
+ output_path=$2
+ gcloud iam service-accounts keys create --iam-account="${iam_account}" "${output_path}"
+}
+
+delete_key() {
+ iam_account=$1
+ key_id=$2
+ gcloud iam service-accounts keys delete -q --iam-account="${iam_account}" "${key_id}"
+}
+
+parse_user_managed() {
+ jq -r '.[] | select(.keyType=="USER_MANAGED" and .validBeforeTime<="'"$(date +'%Y-%m-%dT%H:%M:%S')"'").name | split("/")[5]'
+}
+
+# Check for old keys
+old_keys=$(list_keys "${iam_account}" | parse_user_managed)
+
+# Delete any old keys
+if [[ ! -z "$old_keys" ]]; then
+ echo "${old_keys}" | while read line ; do
+ echo "Deleting $line"
+ delete_key "${iam_account}" "${line}"
+ done
+fi
+
+# Create a new key
+create_key "${iam_account}" "${output_file}"
\ No newline at end of file
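Review bot: `parse_user_managed` only selects keys whose `validBeforeTime` is already earlier than now, so a still-valid key is never deleted: every run creates a new key while the previous one stays usable until it expires, and on an account with no key-expiry policy nothing is ever removed until the limit on user-managed keys per service account makes `create_key` fail. If the goal is rotation, delete the other USER_MANAGED keys once the new key has been created (and ideally after the caller has stored it) rather than only the expired ones. The timestamp is also built from local time with no zone while gcloud reports `validBeforeTime` in UTC with a trailing `Z`, so the string comparison is off by the runner's offset; use `now=$(date -u +'%Y-%m-%dT%H:%M:%SZ')` and `jq -r --arg now "$now" '.[] | select(.keyType=="USER_MANAGED" and .validBeforeTime <= $now) | .name | split("/")[5]'` instead of splicing the date into the filter text. Smaller points: `temp_dir` is created with backticks but never used or removed, `read line` should be `read -r line`, the `iam_account=$1` assignments inside the functions overwrite the script-level variable because they are not `local`, and since `${output_file}` receives a private key the script should set `umask 077` before calling `create_key`.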