From e5cd908c5673f512e8add39d9c5598cb31816e4c Mon Sep 17 00:00:00 2001 From: serbantarmure Date: Tue, 14 Nov 2023 14:22:20 +0200 Subject: [PATCH] [CI] Update workflows to fetch secrets from GSM --- .github/workflows/automerge-release.yaml | 27 ++- .github/workflows/ci.yaml | 157 ++++++++++++++++-- .github/workflows/danger.yaml | 27 ++- .github/workflows/davinci-alpha-package.yml | 40 ++++- .../workflows/davinci-integration-tests.yml | 103 ++++++++++-- .github/workflows/handle-contribution.yml | 25 ++- .github/workflows/release.yml | 63 +++++-- .github/workflows/visual-testing.yml | 38 ++++- .gitignore | 3 + 9 files changed, 417 insertions(+), 66 deletions(-) diff --git a/.github/workflows/automerge-release.yaml b/.github/workflows/automerge-release.yaml index 8a38d3e054b..6df657d1467 100644 --- a/.github/workflows/automerge-release.yaml +++ b/.github/workflows/automerge-release.yaml 
@@ -10,16 +10,39 @@ on: env: PR_NUMBER: ${{ github.event.number }} PR_BODY: ${{ github.event.pull_request.body }} - DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - jobs: merge-release-pr: if: ${{ github.event.pull_request.head.ref == 'changeset-release/master' }} name: Merge release PR runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write timeout-minutes: 1 steps: + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + - name: Merge pull request if the release is not major uses: actions/github-script@v6 with: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a4af9e606c1..432a1597125 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
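Review bot: `uses: toptal/davinci-github-actions/gsm-secrets@master` and `expose-json-outputs@master` pin the two steps that mint the OIDC token and unpack `TOPTAL_DEVBOT_TOKEN` to a mutable branch, so whoever can push to that branch (or a compromised upstream repo) gets the merge-capable PAT on the next run of this job; the same workflow already pins `actions/github-script@v6`, and the other davinci action in this series is pinned `@v12.0.0`. Pin both to a release tag or, better, a full commit SHA, e.g. `uses: toptal/davinci-github-actions/gsm-secrets@<40-char sha> # vX.Y.Z`. The job also keeps `timeout-minutes: 1` while now adding a Workload Identity exchange and a Secret Manager round-trip in front of the merge step, which looks tight enough to produce spurious failures; consider raising it if the new steps prove slow. `merge-release-pr`'s remaining steps are outside the hunk.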
@@ -17,31 +17,60 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -env: - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - HTTP_PROXY: http://${{ secrets.HTTP_PROXY }} - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} - JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} - JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} - PROXY: http://${{ secrets.HTTP_PROXY }} - jobs: build-docker-image: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} name: Build Picasso docker image runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write timeout-minutes: 45 steps: - name: Checkout uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + GCR_ACCOUNT_KEY:toptal-ci/GCR_ACCOUNT_KEY + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + HTTP_PROXY:toptal-ci/HTTP_PROXY + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN + TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ 
steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV + echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV + echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + - uses: toptal/davinci-github-actions/build-push-image@v12.0.0 env: GITHUB_TOKEN: ${{ env.TOPTAL_DEVBOT_TOKEN }} - GCR_ACCOUNT_KEY: ${{ secrets.GCR_ACCOUNT_KEY }} + GCR_ACCOUNT_KEY: ${{ steps.parse_secrets.outputs.GCR_ACCOUNT_KEY }} with: sha: ${{ github.event.pull_request.head.sha }} image-name: picasso @@ -52,6 +81,9 @@ jobs: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} name: Static checks runs-on: ubuntu-latest + permissions: + contents: read + id-token: write timeout-minutes: 45 steps: 
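Review bot: In `build-docker-image` the GSM step now runs between `actions/checkout@v4` and `build-push-image@v12.0.0`, and the `.gitignore` entry added later in this patch (`gha-creds-*.json`) indicates the auth step writes a Google credentials file into the checked-out workspace; `.gitignore` does not exclude that file from a Docker build context, so if the image is built from the workspace (presumably, given the step order) the federated credential can be copied into the pushed image. Add the same pattern to `.dockerignore`, or fetch the secrets after the image build, and confirm the `gsm-secrets` action deletes the file once the secrets are read rather than in a post-job cleanup that runs after every other step. Separately, now that this job holds `id-token: write` and a Workload Identity binding, pulling a long-lived `GCR_ACCOUNT_KEY` service-account key from GSM is the weaker of the two options; pushing to GCR with the same federated identity would retire the static key, if `build-push-image` supports it. The adjacent `static-checks` hunk uses the minimal `contents: read` / `id-token: write`, which is also all this job's visible steps need, rather than the `contents: write`, `actions: write`, `issues: write`, `pull-requests: write` requested here.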
@@ -60,6 +92,38 @@ jobs: with: fetch-depth: 0 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + HTTP_PROXY:toptal-ci/HTTP_PROXY + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN + TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV + echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV + echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: 
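Review bot: `echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV` splices each secret value into the shell script text before bash parses it, so a value containing `"`, `$`, a backtick or a newline is either interpreted by the shell or breaks the `KEY=value` line, and a multi-line value (PEM key, JSON blob) silently corrupts `$GITHUB_ENV` for every later step. Pass the outputs through the step's `env:` map and write them with the delimiter form, e.g. `printf 'NPM_TOKEN<<EOF\n%s\nEOF\n' "$NPM_TOKEN" >> "$GITHUB_ENV"`, or skip the export entirely and reference `steps.parse_secrets.outputs.*` in a step-scoped `env:` on the consuming step, as the `build-push-image` step in this file already does. Also check whether a lint/typecheck job needs `TOPTAL_TRIGGERBOT_BUILD_TOKEN`, `TOPTAL_TRIGGERBOT_USERNAME` and `HTTP_PROXY` at all; the job's later steps are outside the hunk, but exporting the Jenkins trigger credential into a job that runs untrusted npm dependencies widens what a compromised package can read. Each job should request only the GSM entries its own steps consume.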
@@ -104,12 +168,38 @@ jobs: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} name: Storybook Visual Tests runs-on: ubuntu-latest + permissions: write-all needs: [static-checks] steps: - name: Checkout uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: 
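Review bot: `permissions: write-all` on the Storybook visual-tests job grants its `GITHUB_TOKEN` every scope (contents, packages, deployments, id-token, security-events, …) on a pull-request-triggered job, while every other job in this patch enumerates its scopes; the visible steps only check out, fetch secrets and export them, and none of them uses `GITHUB_TOKEN`. Replace it with the explicit minimum, `permissions:` / `contents: read` / `id-token: write`, and add a scope only if a step after the hunk provably writes through `GITHUB_TOKEN`. The job's remaining steps are outside the hunk.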
@@ -129,18 +219,51 @@ jobs: name: Integration Tests uses: ./.github/workflows/davinci-integration-tests.yml secrets: - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} + IDENTITY_POOL: ${{ secrets.IDENTITY_POOL }} + SA_IDENTITY_POOL: ${{ secrets.SA_IDENTITY_POOL }} deploy-docs: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} name: Deploy Picasso docs runs-on: ubuntu-latest + permissions: + contents: read + id-token: write needs: [build-docker-image] steps: + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + HTTP_PROXY:toptal-ci/HTTP_PROXY + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN + TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV + echo 
"JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV + echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + - name: Trigger doc deployment job uses: toptal/jenkins-job-trigger-action@1.0.1 env: @@ -148,8 +271,8 @@ jobs: PR_ID: ${{ github.event.pull_request.number }} with: jenkins_url: https://jenkins-build.toptal.net/ - jenkins_user: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} - jenkins_token: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} + jenkins_user: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} + jenkins_token: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} proxy: ${{ env.HTTP_PROXY }} job_name: picasso-docs job_params: | diff --git a/.github/workflows/danger.yaml b/.github/workflows/danger.yaml index 78e97444c44..db586130278 100644 --- a/.github/workflows/danger.yaml +++ b/.github/workflows/danger.yaml @@ -13,13 +13,36 @@ jobs: danger: name: Check runs-on: ubuntu-latest - env: - GITHUB_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} steps: - name: Checkout project uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "GITHUB_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: 
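Review bot: In `deploy-docs`, `echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV` (and the matching `PROXY=` line) drops the `http://` scheme that the removed workflow-level `HTTP_PROXY: http://${{ secrets.HTTP_PROXY }}` prepended, and the follow-on hunk then hands that bare value to `jenkins-job-trigger-action@1.0.1` as `proxy: ${{ env.HTTP_PROXY }}`; elsewhere in this patch (`davinci-alpha-package.yml`, `release.yml`) the same GSM entry is still wrapped as `http://${{ … }}`, so one of the two forms is wrong depending on whether `toptal-ci/HTTP_PROXY` stores a URL or a host:port. Pick one convention and apply it in every workflow, e.g. `echo "HTTP_PROXY=http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV` if the secret is a bare host. The job also fetches `HAPPO_API_KEY`, `HAPPO_API_SECRET` and `NPM_TOKEN`, which nothing in the visible steps uses (only the Jenkins user/token and proxy reach the trigger step); drop unused entries so a docs-deploy job does not carry the npm token. The `danger` hunk on this line has the same over-broad `permissions:` block as the other jobs even though its only credential is the devbot PAT exported as `GITHUB_TOKEN`.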
diff --git a/.github/workflows/davinci-alpha-package.yml b/.github/workflows/davinci-alpha-package.yml index bff4fe37a71..061979f4823 100644 --- a/.github/workflows/davinci-alpha-package.yml +++ b/.github/workflows/davinci-alpha-package.yml @@ -2,7 +2,7 @@ name: Release Alpha Package on: issue_comment: - types: [ created ] + types: [created] jobs: triggerPrWorkflow: @@ -11,12 +11,40 @@ jobs: github.event.issue.pull_request && github.event.comment.body == '@toptal-bot run package:alpha-release' runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write env: - GITHUB_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLISH }} STATUS_CHECK_NAME: Publish Alpha Package STATUS_TARGET_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} steps: + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HTTP_PROXY:toptal-ci/HTTP_PROXY + NPM_TOKEN_PUBLISH:toptal-ci/NPM_TOKEN_PUBLISH + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN + TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "GITHUB_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN_PUBLISH }}" >> $GITHUB_ENV + - name: Feedback on action started uses: actions/github-script@v6 with: 
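Review bot: `uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos` pins the step that unpacks `NPM_TOKEN_PUBLISH` and `TOPTAL_DEVBOT_TOKEN` to a feature branch; every other workflow in this patch uses `@master` for the same action, so this reads as a leftover from testing, will break when that branch is merged and deleted, and runs unreviewed branch code with the publish token in the meantime. Align it with the others (ideally a tag or commit SHA rather than `master`). Note too that this job runs on `issue_comment`, gated only on `github.event.comment.body == '@toptal-bot run package:alpha-release'`, and now carries `contents: write`/`pull-requests: write` plus the npm publish token; if the repository accepts comments from non-members (the branch name suggests public repos), add a `github.event.comment.author_association` check for OWNER/MEMBER/COLLABORATOR to the `if:` so an outside commenter cannot trigger a publish. The job's remaining steps are outside the hunk.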
@@ -107,9 +135,9 @@ jobs: - uses: toptal/davinci-github-actions/create-jira-deployment@v12.0.0 name: Create Jira deployment env: - JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} - JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} - PROXY: http://${{ secrets.HTTP_PROXY }} + JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} + JENKINS_BUILD_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} + PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }} with: token: ${{ env.GITHUB_TOKEN }} environment: development diff --git a/.github/workflows/davinci-integration-tests.yml b/.github/workflows/davinci-integration-tests.yml index eaa203190dc..fbb5685bb97 100644 --- a/.github/workflows/davinci-integration-tests.yml +++ b/.github/workflows/davinci-integration-tests.yml 
@@ -3,31 +3,54 @@ name: Integration Tests on: workflow_call: secrets: - TOPTAL_DEVBOT_TOKEN: + IDENTITY_POOL: required: true - NPM_TOKEN: - required: true - HAPPO_API_KEY: - required: true - HAPPO_API_SECRET: + SA_IDENTITY_POOL: required: true env: - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} HAPPO_PROJECT: Picasso/Cypress - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} HAPPO_NONCE: ${{ github.run_id }} jobs: build-packages: name: Build packages runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: @@ -47,6 +70,9 @@ jobs: integration-tests: name: Run Integration Tests runs-on: ubuntu-latest + permissions: + contents: read + id-token: write needs: [build-packages] strategy: fail-fast: false 
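Review bot: In `build-packages` the new `permissions:` block asks for `contents: write`, `actions: write`, `issues: write` and `pull-requests: write`, while the `integration-tests` job in the next hunk of the same file gets only `contents: read` and `id-token: write`; the visible `build-packages` steps (checkout, secret fetch, env export, Node setup) need nothing beyond the latter, and the job's remaining steps are outside the hunk. Because this is a `workflow_call` workflow, a called job cannot be granted more than its caller passes, so the effective scopes depend on `ci.yaml`, `release.yml` and `visual-testing.yml` anyway; trim the request to `contents: read` / `id-token: write` unless a later step provably writes through `GITHUB_TOKEN`. Narrowing the `secrets:` interface to `IDENTITY_POOL` and `SA_IDENTITY_POOL` is the right direction, since the HAPPO/NPM/devbot values no longer have to be plumbed through every caller.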
@@ -59,6 +85,31 @@ jobs: - name: Checkout project uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: 
@@ -79,17 +130,45 @@ jobs: uses: actions/upload-artifact@v3 if: failure() with: - name: cypress-screenshots - path: cypress/screenshots + name: cypress-screenshots + path: cypress/screenshots finalize-integration-tests: name: Finalize Integration Tests runs-on: ubuntu-latest + permissions: + contents: read + id-token: write needs: [integration-tests] steps: - name: Checkout project uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + NPM_TOKEN:toptal-ci/NPM_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: diff --git a/.github/workflows/handle-contribution.yml b/.github/workflows/handle-contribution.yml index 6ae45aae3d1..0a36907dd84 100644 --- a/.github/workflows/handle-contribution.yml +++ b/.github/workflows/handle-contribution.yml 
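Review bot: This is the third copy in this file, and roughly the tenth in the patch, of the same three-step sequence — `gsm-secrets` → `expose-json-outputs` → `echo … >> $GITHUB_ENV` — with the secret list retyped by hand each time; the lists are already drifting between jobs, and any later fix to the export step (quoting, masking, pinning) has to be repeated in every copy. Factor the sequence into a repo-local composite action that takes the `secrets_name` list as an input and emits the parsed values as outputs, so the action refs are pinned in one place; GitHub skips job outputs it detects as containing secrets, so a per-job fetch is still needed, but the boilerplate is not. `finalize-integration-tests` fetches `NPM_TOKEN` and `TOPTAL_DEVBOT_TOKEN` whose consumers are outside the hunk; confirm both are actually used by the finalize steps.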
@@ -10,12 +10,33 @@ jobs: call-notify-jira-about-contribution: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write name: Call notify jira about contribution steps: + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + PICASSO_JIRA_AUTOMATION_HOOK_FOR_NEW_CONTRIBUTION:toptal-ci/PICASSO_JIRA_AUTOMATION_HOOK_FOR_NEW_CONTRIBUTION + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} - uses: toptal/davinci-github-actions/notify-jira-about-contribution@v12.0.0 with: team: frontend-experience-eng repo: ${{ github.event.repository.name }} pull-number: ${{ github.event.pull_request.number}} - jira-hook: ${{ secrets.JIRA_AUTOMATION_HOOK_FOR_NEW_CONTRIBUTION }} - github-token: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} + jira-hook: ${{ steps.parse_secrets.outputs.PICASSO_JIRA_AUTOMATION_HOOK_FOR_NEW_CONTRIBUTION }} + github-token: ${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5dfe6232d07..03baedacf17 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
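Review bot: `jira-hook: ${{ steps.parse_secrets.outputs.PICASSO_JIRA_AUTOMATION_HOOK_FOR_NEW_CONTRIBUTION }}` and `github-token: ${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}` feed secrets to the step from ordinary step outputs, and the runner prints each step's `with:` inputs in the job log; values are redacted only if the producing action registered them via `::add-mask::` (`core.setSecret`), which `expose-json-outputs` may or may not do, whereas the replaced `secrets.*` references were always masked. Confirm that `gsm-secrets` and `expose-json-outputs` mask every value they emit (or add an explicit `run: echo "::add-mask::$VALUE"` step), otherwise the Jira webhook URL and the devbot PAT become readable by anyone with log access. The job also requests `contents: write`, `actions: write`, `issues: write` and `pull-requests: write`, but its only step authenticates with the devbot PAT, so `contents: read` plus `id-token: write` is sufficient as far as this hunk shows.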
@@ -7,19 +7,17 @@ on: - master env: - SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} REPOSITORY_NAME: ${{ github.event.repository.name }} - TOPTAL_BOT_USERNAME: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} - TOPTAL_BOT_JENKINS_DEPLOYMENT_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_DEPLOYMENT_TOKEN }} - TOPTAL_JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} - HTTP_PROXY: http://${{ secrets.HTTP_PROXY }} - jobs: release: name: Release runs-on: ubuntu-latest - env: - DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write steps: - name: Checkout Repo uses: actions/checkout@v4 
@@ -29,6 +27,37 @@ jobs: # This forces changesets to use git user, provided by GITHUB_TOKEN env var persist-credentials: false + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HTTP_PROXY:toptal-ci/HTTP_PROXY + NPM_TOKEN_PUBLISH:toptal-ci/NPM_TOKEN_PUBLISH + SLACK_BOT_TOKEN:toptal-ci/SLACK_BOT_TOKEN + TOPTAL_BUILD_BOT_TOKEN:toptal-ci/TOPTAL_BUILD_BOT_TOKEN + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN + TOPTAL_TRIGGERBOT_DEPLOYMENT_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_DEPLOYMENT_TOKEN + TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "SLACK_BOT_TOKEN=${{ steps.parse_secrets.outputs.SLACK_BOT_TOKEN }}" >> $GITHUB_ENV + echo "TOPTAL_BOT_USERNAME=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV + echo "TOPTAL_BOT_JENKINS_DEPLOYMENT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_DEPLOYMENT_TOKEN }}" >> $GITHUB_ENV + echo "TOPTAL_JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV + echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV + echo "DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: 
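Review bot: `echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV` drops the `http://` scheme that the removed workflow-level `HTTP_PROXY: http://${{ secrets.HTTP_PROXY }}` added, while the Jira-deployment step later in this same file still builds `PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}`; unless the GSM value now carries the scheme (in which case the `PROXY` form yields `http://http://…`), one of the two is wrong. Decide whether `toptal-ci/HTTP_PROXY` stores a bare host:port or a URL and apply the same rule here and in `ci.yaml`, e.g. `echo "HTTP_PROXY=http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV`. Exporting `SLACK_BOT_TOKEN`, `DEVBOT_TOKEN` and both Jenkins tokens into `$GITHUB_ENV` also re-creates the blast radius of the old workflow-level `env:` — every subsequent step, including third-party actions, sees them in its environment; prefer a step-scoped `env:` on the consuming step, as the changesets step in the next hunk already does for `GITHUB_TOKEN` and `NPM_TOKEN`. The `release` job's later steps are outside the hunk.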
@@ -63,8 +92,8 @@ jobs: with: publish: yarn release env: - GITHUB_TOKEN: ${{ secrets.TOPTAL_BUILD_BOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLISH }} + GITHUB_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_BUILD_BOT_TOKEN }} + NPM_TOKEN: ${{ steps.parse_secrets.outputs.NPM_TOKEN_PUBLISH }} - name: Edit "Version Package" PR if: ${{ steps.changesets.outputs.published != 'true' }} @@ -112,7 +141,7 @@ jobs: id: trigger-build env: JENKINS_JOB_NAME: ${{ env.REPOSITORY_NAME }}-build-image - JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} + JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} with: jenkins_url: https://jenkins-build.toptal.net/ jenkins_user: ${{ env.JENKINS_USER }} @@ -176,9 +205,9 @@ jobs: name: Create Jira deployment if: ${{ steps.changesets.outputs.published == 'true' }} env: - JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }} - JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} - PROXY: http://${{ secrets.HTTP_PROXY }} + JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }} + JENKINS_BUILD_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }} + PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }} with: token: ${{ env.DEVBOT_TOKEN }} environment: production @@ -188,7 +217,5 @@ jobs: name: Integration Tests uses: ./.github/workflows/davinci-integration-tests.yml secrets: - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} + IDENTITY_POOL: ${{ secrets.IDENTITY_POOL }} + SA_IDENTITY_POOL: ${{ secrets.SA_IDENTITY_POOL }} diff --git a/.github/workflows/visual-testing.yml b/.github/workflows/visual-testing.yml index d362e9d868f..1d21255d01a 100644 --- a/.github/workflows/visual-testing.yml +++ b/.github/workflows/visual-testing.yml 
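Review bot: The same GSM value is now consumed two different ways inside one job: `JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}` in the `trigger-build` and Jira-deployment hunks, while the earlier export step already placed it in `$GITHUB_ENV` as `TOPTAL_BOT_USERNAME` (likewise `TOPTAL_JENKINS_BUILD_TOKEN` vs. `JENKINS_BUILD_TOKEN`). Pick one mechanism per secret — step-scoped `env:` from the outputs is the tighter choice — and delete the duplicate export so a reader can tell which name is authoritative. The changesets step's `GITHUB_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_BUILD_BOT_TOKEN }}` is the pattern to keep.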
@@ -14,24 +14,48 @@ jobs: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} uses: ./.github/workflows/davinci-integration-tests.yml secrets: - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} + IDENTITY_POOL: ${{ secrets.IDENTITY_POOL }} + SA_IDENTITY_POOL: ${{ secrets.SA_IDENTITY_POOL }} storybook-tests: if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }} name: Storybook Tests runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + actions: write + issues: write + pull-requests: write env: HAPPO_PROJECT: Picasso/Storybook - HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }} - HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }} - TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }} steps: - name: Checkout project uses: actions/checkout@v4 + - name: GSM Secrets + id: secrets_manager + uses: toptal/davinci-github-actions/gsm-secrets@master + with: + workload_identity_provider: ${{ secrets.IDENTITY_POOL }} + service_account: ${{ secrets.SA_IDENTITY_POOL }} + secrets_name: |- + HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY + HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET + TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN + + - name: Parse secrets + id: parse_secrets + uses: toptal/davinci-github-actions/expose-json-outputs@master + with: + json: ${{ steps.secrets_manager.outputs.secrets }} + + - name: Set ENV Variables + run: |- + echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV + echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV + echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV + - name: Set up Node.js uses: actions/setup-node@v4 with: diff --git a/.gitignore b/.gitignore index bae7114960c..c358b0515c5 100644 --- a/.gitignore 
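Review bot: `storybook-tests` requests `contents: write`, `actions: write`, `issues: write` and `pull-requests: write` on a pull-request-triggered job whose visible steps only check out, fetch the two HAPPO values and the devbot token, and export them; none of these uses `GITHUB_TOKEN`, so `permissions:` / `contents: read` / `id-token: write` is the defensible minimum unless a step after the hunk writes through it. Pulling a PAT (`TOPTAL_DEVBOT_TOKEN`) and a broad `GITHUB_TOKEN` into the same job also doubles the credentials a malicious dependency could harvest. The job's remaining steps are outside the hunk.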
+++ b/.gitignore @@ -20,3 +20,6 @@ cypress/screenshots coverage .nyc_output reports + +# Ignore generated credentials from google-github-actions/auth +gha-creds-*.json
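Review bot: The new `gha-creds-*.json` entry only stops the Google credentials file from being committed; it does nothing about the file sitting in the runner workspace for the rest of the job, which is the actual exposure (the same checkout presumably serves as the Docker build context in `ci.yaml` and as the working tree for the Node and Cypress steps). Mirror the pattern in `.dockerignore` if the repo has one, and verify that the `gsm-secrets` action removes the file as soon as the secrets are read rather than relying on a post-job cleanup. The comment could also say where the file comes from and why it matters, e.g. `# Credentials file written by google-github-actions/auth (via davinci gsm-secrets) — never commit or copy into images`.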