[CI] Update workflows to fetch secrets from GSM
1 parent
c1e1e42
commit 11627d9
Showing
9 changed files
with
418 additions
and
72 deletions.
@@ -17,31 +17,60 @@ concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
env: | ||
TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} | ||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
HTTP_PROXY: http://${{ secrets.HTTP_PROXY }} | ||
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} | ||
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} | ||
JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} | ||
JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} | ||
PROXY: http://${{ secrets.HTTP_PROXY }} | ||
|
||
jobs: | ||
build-docker-image: | ||
if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} | ||
name: Build Picasso docker image | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
id-token: write | ||
actions: write | ||
issues: write | ||
pull-requests: write | ||
timeout-minutes: 45 | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: GSM Secrets | ||
id: secrets_manager | ||
uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos | ||
with: | ||
workload_identity_provider: ${{ secrets.IDENTITY_POOL }} | ||
service_account: ${{ secrets.SA_IDENTITY_POOL }} | ||
secrets_name: |- | ||
GCR_ACCOUNT_KEY:toptal-ci/GCR_ACCOUNT_KEY | ||
HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY | ||
HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET | ||
HTTP_PROXY:toptal-ci/HTTP_PROXY | ||
NPM_TOKEN:toptal-ci/NPM_TOKEN | ||
TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN | ||
TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN | ||
TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME | ||
- name: Parse secrets | ||
id: parse_secrets | ||
uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos | ||
with: | ||
json: ${{ steps.secrets_manager.outputs.secrets }} | ||
|
||
- name: Set ENV Variables | ||
run: |- | ||
echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV | ||
echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV | ||
echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV | ||
echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV | ||
echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV | ||
echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
- uses: toptal/davinci-github-actions/[email protected] | ||
env: | ||
GITHUB_TOKEN: ${{ env.TOPTAL_DEVBOT_TOKEN }} | ||
GCR_ACCOUNT_KEY: ${{ secrets.GCR_ACCOUNT_KEY }} | ||
GCR_ACCOUNT_KEY: ${{ steps.parse_secrets.outputs.GCR_ACCOUNT_KEY }} | ||
with: | ||
sha: ${{ github.event.pull_request.head.sha }} | ||
image-name: picasso | ||
|
@@ -52,6 +81,9 @@ jobs: | |
if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} | ||
name: Static checks | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
timeout-minutes: 45 | ||
|
||
steps: | ||
|
@@ -60,6 +92,38 @@ jobs: | |
with: | ||
fetch-depth: 0 | ||
|
||
- name: GSM Secrets | ||
id: secrets_manager | ||
uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos | ||
with: | ||
workload_identity_provider: ${{ secrets.IDENTITY_POOL }} | ||
service_account: ${{ secrets.SA_IDENTITY_POOL }} | ||
secrets_name: |- | ||
HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY | ||
HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET | ||
HTTP_PROXY:toptal-ci/HTTP_PROXY | ||
NPM_TOKEN:toptal-ci/NPM_TOKEN | ||
TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN | ||
TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN | ||
TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME | ||
- name: Parse secrets | ||
id: parse_secrets | ||
uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos | ||
with: | ||
json: ${{ steps.secrets_manager.outputs.secrets }} | ||
|
||
- name: Set ENV Variables | ||
run: |- | ||
echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV | ||
echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV | ||
echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV | ||
echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV | ||
echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV | ||
echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
- name: Set up Node.js | ||
uses: actions/setup-node@v4 | ||
with: | ||
|
@@ -104,12 +168,47 @@ jobs: | |
if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} | ||
name: Storybook Visual Tests | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
needs: [static-checks] | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: GSM Secrets | ||
id: secrets_manager | ||
uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos | ||
with: | ||
workload_identity_provider: ${{ secrets.IDENTITY_POOL }} | ||
service_account: ${{ secrets.SA_IDENTITY_POOL }} | ||
secrets_name: |- | ||
HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY | ||
HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET | ||
HTTP_PROXY:toptal-ci/HTTP_PROXY | ||
NPM_TOKEN:toptal-ci/NPM_TOKEN | ||
TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN | ||
TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN | ||
TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME | ||
- name: Parse secrets | ||
id: parse_secrets | ||
uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos | ||
with: | ||
json: ${{ steps.secrets_manager.outputs.secrets }} | ||
|
||
- name: Set ENV Variables | ||
run: |- | ||
echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV | ||
echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV | ||
echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV | ||
echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV | ||
echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV | ||
echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
- name: Set up Node.js | ||
uses: actions/setup-node@v4 | ||
with: | ||
|
@@ -128,28 +227,58 @@ jobs: | |
integration-tests: | ||
name: Integration Tests | ||
uses: ./.github/workflows/davinci-integration-tests.yml | ||
secrets: | ||
TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} | ||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} | ||
HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} | ||
|
||
deploy-docs: | ||
if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} | ||
name: Deploy Picasso docs | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
needs: [build-docker-image] | ||
|
||
steps: | ||
- name: GSM Secrets | ||
id: secrets_manager | ||
uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos | ||
with: | ||
workload_identity_provider: ${{ secrets.IDENTITY_POOL }} | ||
service_account: ${{ secrets.SA_IDENTITY_POOL }} | ||
secrets_name: |- | ||
HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY | ||
HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET | ||
HTTP_PROXY:toptal-ci/HTTP_PROXY | ||
NPM_TOKEN:toptal-ci/NPM_TOKEN | ||
TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN | ||
TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN | ||
TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME | ||
- name: Parse secrets | ||
id: parse_secrets | ||
uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos | ||
with: | ||
json: ${{ steps.secrets_manager.outputs.secrets }} | ||
|
||
- name: Set ENV Variables | ||
run: |- | ||
echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV | ||
echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV | ||
echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV | ||
echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV | ||
echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV | ||
echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV | ||
echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV | ||
- name: Trigger doc deployment job | ||
uses: toptal/[email protected] | ||
env: | ||
BRANCH: ${{ github.event.pull_request.head.ref }} | ||
PR_ID: ${{ github.event.pull_request.number }} | ||
with: | ||
jenkins_url: https://jenkins-build.toptal.net/ | ||
jenkins_user: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} | ||
jenkins_token: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} | ||
jenkins_user: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} | ||
jenkins_token: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} | ||
proxy: ${{ env.HTTP_PROXY }} | ||
job_name: picasso-docs | ||
job_params: | | ||
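Review bot: The `Set ENV Variables` step in the first hunk (repeated in the static-checks, visual-tests and deploy-docs hunks) drops the `http://` prefix that the removed top-level `env` block prepended to `HTTP_PROXY` and `PROXY`, so `proxy: ${{ env.HTTP_PROXY }}` in the deploy-docs step now receives a bare host unless the GSM value itself carries the scheme; the second file in this commit keeps `PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}`, so the two files disagree. Restore the prefix in each copy: `echo "HTTP_PROXY=http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV` and `echo "PROXY=http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV`. Separately, `gsm-secrets` and `expose-json-outputs` are referenced by a mutable branch (`@ci-add-gsm-actions-to-public-repos`) from jobs that hold `id-token: write`, in this file and in the second one, so anyone who can push to that branch changes the code that exchanges the OIDC token for GCP credentials; pin both to a release tag or full commit SHA, as `[email protected]` already is. Step outputs from `expose-json-outputs` are not masked the way `secrets.*` values are unless one of the two actions registers them with `::add-mask::`, and interpolating them into `echo "KEY=..." >> $GITHUB_ENV` lets a value containing a newline define extra variables, so mask each value first and use the `KEY<<EOF` delimiter form GitHub documents for `$GITHUB_ENV`. The step lists of these jobs continue outside the hunks.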
|
@@ -2,7 +2,7 @@ name: Release Alpha Package | |
|
||
on: | ||
issue_comment: | ||
types: [ created ] | ||
types: [created] | ||
|
||
jobs: | ||
triggerPrWorkflow: | ||
|
@@ -11,12 +11,40 @@ jobs: | |
github.event.issue.pull_request && | ||
github.event.comment.body == '@toptal-bot run package:alpha-release' | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: write | ||
id-token: write | ||
actions: write | ||
issues: write | ||
pull-requests: write | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} | ||
NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLISH }} | ||
STATUS_CHECK_NAME: Publish Alpha Package | ||
STATUS_TARGET_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} | ||
steps: | ||
- name: GSM Secrets | ||
id: secrets_manager | ||
uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos | ||
with: | ||
workload_identity_provider: ${{ secrets.IDENTITY_POOL }} | ||
service_account: ${{ secrets.SA_IDENTITY_POOL }} | ||
secrets_name: |- | ||
HTTP_PROXY:toptal-ci/HTTP_PROXY | ||
NPM_TOKEN_PUBLISH:toptal-ci/NPM_TOKEN_PUBLISH | ||
TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN | ||
TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN | ||
TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME | ||
- name: Parse secrets | ||
id: parse_secrets | ||
uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos | ||
with: | ||
json: ${{ steps.secrets_manager.outputs.secrets }} | ||
|
||
- name: Set ENV Variables | ||
run: |- | ||
echo "GITHUB_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV | ||
echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN_PUBLISH }}" >> $GITHUB_ENV | ||
- name: Feedback on action started | ||
uses: actions/github-script@v6 | ||
with: | ||
|
@@ -107,9 +135,9 @@ jobs: | |
- uses: toptal/davinci-github-actions/[email protected] | ||
name: Create Jira deployment | ||
env: | ||
JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} | ||
JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} | ||
PROXY: http://${{ secrets.HTTP_PROXY }} | ||
JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} | ||
JENKINS_BUILD_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} | ||
PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }} | ||
with: | ||
token: ${{ env.GITHUB_TOKEN }} | ||
environment: development | ||
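Review bot: The job now holds `id-token: write`, `contents: write` and `actions: write` and fetches `NPM_TOKEN_PUBLISH` from GSM, but the visible part of its `if:` (the condition begins above the hunk) gates only on `github.event.issue.pull_request` and the comment text. On an `issue_comment` trigger that text can be posted by anyone allowed to comment on a pull request, so unless a line above the hunk already restricts the commenter, add an association check such as `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&` to the condition. The job-level `env:` still sets `GITHUB_TOKEN` and `NPM_TOKEN` from `secrets.*` while the new `Set ENV Variables` step writes the same two names to `$GITHUB_ENV`; which value a later step observes is not settled by the hunk, and keeping both leaves the job dependent on the repository secrets this commit is migrating away from. Drop the two job-level entries (keep `STATUS_CHECK_NAME` and `STATUS_TARGET_URL`) so the GSM values are the only source.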
|