Public Vars still not getting loaded #1080

Merged
merged 8 commits into from
Mar 19, 2024
4 changes: 3 additions & 1 deletion .github/scripts/load-public-vars.sh
Expand Up @@ -26,6 +26,8 @@ function cleanup {
}
trap cleanup EXIT

docker pull ghcr.io/opensource-observer/oso-public-vars:latest

# Download the public vars
docker container create --name public-vars ghcr.io/opensource-observer/oso-public-vars:latest /bin/sh

Expand All @@ -35,9 +37,9 @@ docker cp public-vars:/public/. "${temp_dir}"

docker rm public-vars

export $(cat "${temp_dir}/vars.env" | xargs)

set_if_not_exists() {
export $(cat "${temp_dir}/vars.env" | xargs)
var_name=$1
dest=$2
public_var_name="PUBLIC_${var_name}"
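Review bot: `export $(cat "${temp_dir}/vars.env" | xargs)` — whichever of the two printed copies is the new side — is an unquoted command substitution, so any value containing whitespace, quotes or `#` is split or rewritten by `xargs` before `export` sees it, and values that are not valid `NAME=value` words become stray positional arguments; the robust form is `set -a; . "${temp_dir}/vars.env"; set +a`, which also avoids re-reading the file on every call if the line ends up inside `set_if_not_exists`. Either form treats the image contents as trusted code, which is why the first hunk's `docker pull ghcr.io/opensource-observer/oso-public-vars:latest` is worth pinning to an immutable reference (`ghcr.io/opensource-observer/oso-public-vars@sha256:<digest>`, digest to be filled in) or at least logging the pulled digest, since whatever that mutable tag resolves to becomes the CI environment. `set_if_not_exists` continues past the end of the hunk.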
3 changes: 2 additions & 1 deletion .github/workflows/ci-default.yml
Expand Up @@ -75,7 +75,8 @@ jobs:
NEXT_PUBLIC_FEEDBACK_FARM_ID \
GOOGLE_TEST_DUMMY_CREDENTIALS_JSON \
X_GITHUB_GRAPHQL_API \
GOOGLE_PROJECT_ID
GOOGLE_PROJECT_ID \
PUBLIC_VARS_TEST

- name: Setup pnpm
uses: pnpm/action-setup@v2
18 changes: 14 additions & 4 deletions .github/workflows/refresh-test-credentials.yml
Expand Up @@ -53,25 +53,26 @@ jobs:
shell: bash
run: |
cd ops/external-prs &&
gcloud iam service-accounts keys create dummy.json --iam-account=[email protected] &&
bash scripts/rotate-service-account.sh [email protected] dummy.json &&
pnpm tools refresh-gcp-credentials --secret=false ${{ github.repository }} testing dummy.json GOOGLE_TEST_DUMMY_CREDENTIALS_JSON

# These credentials are intended to be secret
- name: Refresh credentials for the bigquery-admin user on the external-prs-app environment
shell: bash
run: |
cd ops/external-prs &&
gcloud iam service-accounts keys create bigquery-admin.json --iam-account=[email protected] &&
bash scripts/rotate-service-account.sh [email protected] bigquery-admin.json &&
pnpm tools refresh-gcp-credentials ${{ github.repository }} external-prs-app bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON

rebuild-docker-public-vars:
name: rebuild-docker-public-vars
environment: testing
runs-on: ubuntu-latest

permissions:
packages: write

env:
DOCKER_PLATFORM: "amd64"
# Frontend variables
NODE_ENV: ${{ vars.NODE_ENV }}
PLASMIC_PROJECT_ID: ${{ vars.PLASMIC_PROJECT_ID }}
Expand All @@ -86,12 +87,20 @@ jobs:
# Indexer variables
X_GITHUB_GRAPHQL_API: ${{ vars.X_GITHUB_GRAPHQL_API }}
GOOGLE_PROJECT_ID: "opensource-observer"
PUBLIC_VARS_TEST: "THISISATEST"
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 1

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Write public vars
run: |
bash .github/scripts/save-public-vars.sh ${{ github.sha }} \
Expand All @@ -104,4 +113,5 @@ jobs:
NEXT_PUBLIC_FEEDBACK_FARM_ID \
GOOGLE_TEST_DUMMY_CREDENTIALS_JSON \
X_GITHUB_GRAPHQL_API \
GOOGLE_PROJECT_ID
GOOGLE_PROJECT_ID \
PUBLIC_VARS_TEST
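Review bot: The new job-level `permissions:` block listing only `packages: write` replaces the default token grant with an explicit allow-list, which sets every scope not named — including `contents` — to none; unless this repository is public and `actions/checkout@v3` can clone without the token, the block should read `permissions:` / `contents: read` / `packages: write` so the checkout step keeps working under least privilege. The added `docker/login-action@v3` step correctly authenticates with the job's `secrets.GITHUB_TOKEN` rather than a long-lived PAT, so the write grant is scoped to this run. The two `run:` blocks that now call `bash scripts/rotate-service-account.sh` are chained with `&&`, so a missing or failing script aborts the step before `pnpm tools refresh-gcp-credentials` publishes anything, which is the right failure mode.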
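--- /dev/null
+++ b/ops/external-prs/scripts/rotate-service-account.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -euo pipefail
+# This would have been a javascript script but it's non-trivial there compared to
+# bash.
+
+iam_account=$1
+output_file=$2
+
+temp_dir=`mktemp -d`
+
+
+list_keys() {
+iam_account=$1
+gcloud iam service-accounts keys list --format=json --iam-account="${iam_account}"
+}
+
+create_key() {
+iam_account=$1
+output_path=$2
+gcloud iam service-accounts keys create --iam-account="${iam_account}" "${output_path}"
+}
+
+delete_key() {
+iam_account=$1
+key_id=$2
+gcloud iam service-accounts keys delete -q --iam-account="${iam_account}" "${key_id}"
+}
+
+parse_user_managed() {
+jq -r '.[] | select(.keyType=="USER_MANAGED" and .validBeforeTime<="'"$(date +'%Y-%m-%dT%H:%M:%S')"'").name | split("/")[5]'
+}
+
+# Check for old keys
+old_keys=$(list_keys "${iam_account}" | parse_user_managed)
+
+# Delete any old keys
+if [[ ! -z "$old_keys" ]]; then
+echo "${old_keys}" | while read line ; do
+echo "Deleting $line"
+delete_key "${iam_account}" "${line}"
+done
+fi
+
+# Create a new key
+create_key "${iam_account}" "${output_file}"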
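Review bot: `parse_user_managed` compares the zone-qualified `validBeforeTime` that gcloud returns (typically RFC 3339 UTC, ending in `Z`) against the runner's local clock rendered without a zone, `date +'%Y-%m-%dT%H:%M:%S'`, so on a non-UTC runner keys are judged expired early or late; use `date -u +'%Y-%m-%dT%H:%M:%SZ'` so both sides of the string comparison are in the same form. The filter only selects keys whose expiry has already passed, so unless the account's keys carry an expiry the previously issued key remains valid after the new one is created — if revocation of the replaced key is the intent, the script should also delete the key it is superseding. `temp_dir=\`mktemp -d\`` is never used or removed, leaving a directory behind on every run; drop it or add `trap 'rm -rf -- "${temp_dir:?}"' EXIT`. Inside the helpers `iam_account=$1` overwrites the script-level variable instead of declaring a `local`, which is harmless only because every call passes the same value, and the `while read line` loop should use `read -r` with `[[ -n "$old_keys" ]]` in place of `[[ ! -z ... ]]`.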