From 00d627050fe9cf6f39cd646f624b7afde71182d4 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 3 Jun 2025 11:57:52 -0600 Subject: [PATCH 1/6] Pass versions of cli and actions as inputs --- .github/workflows/pipelines-drift-detection.yml | 12 ++++++++++-- .github/workflows/pipelines-root.yml | 12 ++++++++++-- .github/workflows/pipelines-unlock.yml | 12 ++++++++++-- .github/workflows/pipelines.yml | 12 ++++++++++-- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 5508e016..f000a9de 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -30,14 +30,22 @@ on: api_base_url: type: string default: "https://api.prod.app.gruntwork.io/api/v1" + pipelines_cli_version: + type: string + default: "v0.39.0" + description: "For Gruntwork internal testing - the version of the pipelines CLI to use" + pipelines_actions_version: + type: string + default: "v3.6.4" + description: "For Gruntwork internal testing - the version of the pipelines actions to use" secrets: PIPELINES_READ_TOKEN: required: false PR_CREATE_TOKEN: required: false env: - PIPELINES_CLI_VERSION: v0.39.0 - PIPELINES_ACTIONS_VERSION: v3.6.4 + PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} + PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 5f1fdd51..2e53e0cc 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml 
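Review bot: `pipelines_cli_version` and `pipelines_actions_version` are described as internal-testing knobs, but as `workflow_call` inputs they become part of the public contract of these reusable workflows and nothing in the hunk constrains what a caller may pass; `PIPELINES_CLI_VERSION` presumably ends up in the binary download URL assembled by a later `run` step (the `PIPELINES_BINARY_URL` lines visible as context in a following commit), which is outside this hunk. The descriptions should state that only the default is supported, e.g. `description: "For Gruntwork internal testing only - the version of the pipelines CLI to use; values other than the default are unsupported"`, and a small step that fails the run when the value does not match the expected `vX.Y.Z` shape would turn a typo into a clear error instead of a confusing download failure. The same applies to the matching hunks for pipelines-root.yml, pipelines-unlock.yml and pipelines.yml, and the two defaults are now repeated in four files, so a version bump has to touch all of them in one change.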
@@ -28,6 +28,14 @@ on: type: string default: "" description: "Override where we fetch pipelines from, used for internal testing" + pipelines_cli_version: + type: string + default: "v0.39.0" + description: "For Gruntwork internal testing - the version of the pipelines CLI to use" + pipelines_actions_version: + type: string + default: "v3.6.4" + description: "For Gruntwork internal testing - the version of the pipelines actions to use" secrets: PIPELINES_READ_TOKEN: @@ -38,8 +46,8 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.39.0 - PIPELINES_ACTIONS_VERSION: v3.6.4 + PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} + PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index db8ae663..07fd2cf7 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -41,12 +41,20 @@ on: runner: type: string default: '"ubuntu-latest"' + pipelines_cli_version: + type: string + default: "v0.39.0" + description: "For Gruntwork internal testing - the version of the pipelines CLI to use" + pipelines_actions_version: + type: string + default: "v3.6.4" + description: "For Gruntwork internal testing - the version of the pipelines actions to use" secrets: PIPELINES_READ_TOKEN: required: true env: - PIPELINES_CLI_VERSION: v0.39.0 - PIPELINES_ACTIONS_VERSION: v3.6.4 + PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} + PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} jobs: unlock_one: diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 8faf3715..9388bddb 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml 
@@ -28,6 +28,14 @@ on: type: string default: "" description: "Override where we fetch pipelines from, used for internal testing" + pipelines_cli_version: + type: string + default: "v0.39.0" + description: "For Gruntwork internal testing - the version of the pipelines CLI to use" + pipelines_actions_version: + type: string + default: "v3.6.4" + description: "For Gruntwork internal testing - the version of the pipelines actions to use" secrets: PIPELINES_READ_TOKEN: @@ -36,8 +44,8 @@ on: required: false env: - PIPELINES_CLI_VERSION: v0.39.0 - PIPELINES_ACTIONS_VERSION: v3.6.4 + PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} + PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} # GitHub Actions tends to hit resource exhaustion and kill running jobs # if we leave parallelism unbounded, so we set the max to 10 for a sane default. From abe02143080d2d2161c5858b7a78b0f5641dd7db Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 3 Jun 2025 12:09:13 -0600 Subject: [PATCH 2/6] Make pipelines actions and credentials refs configurable --- .../workflows/pipelines-drift-detection.yml | 31 +++++++------ .github/workflows/pipelines-root.yml | 45 ++++++++++--------- .github/workflows/pipelines-unlock.yml | 29 +++++++----- .github/workflows/pipelines.yml | 27 ++++++----- 4 files changed, 76 insertions(+), 56 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index f000a9de..5c77f59f 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml 
@@ -34,10 +34,14 @@ on: type: string default: "v0.39.0" description: "For Gruntwork internal testing - the version of the pipelines CLI to use" - pipelines_actions_version: + pipelines_actions_ref: type: string default: "v3.6.4" - description: "For Gruntwork internal testing - the version of the pipelines actions to use" + description: "For Gruntwork internal testing - the ref of the pipelines actions to use" + pipelines_credentials_ref: + type: string + default: "v1" + description: "For Gruntwork internal testing - the ref of the pipelines credentials to use" secrets: PIPELINES_READ_TOKEN: required: false @@ -45,7 +49,8 @@ on: required: false env: PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} - PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} + PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }} + PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }} BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 @@ -58,7 +63,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -67,7 +72,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -78,7 +83,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code 
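Review bot: `uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }}` cannot work as written, because GitHub Actions does not evaluate expressions in the `uses:` key and reports the workflow as invalid when it is loaded; commit 3/6 in this series replaces every one of these lines with an `actions/checkout` of the repository followed by `uses: ./pipelines-credentials`, so this commit should be squashed into that one rather than leaving an unrunnable intermediate state. The same `uses:` change appears in the remaining hunks of this commit for pipelines-drift-detection.yml, pipelines-root.yml, pipelines-unlock.yml and pipelines.yml. The new `PIPELINES_CREDENTIALS_REF` env entry is also unused by these steps, which read `inputs.pipelines_credentials_ref` directly while the pipelines-actions checkout reads `env.PIPELINES_ACTIONS_REF`; reading the env value in both places keeps one point of truth.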
@@ -109,7 +114,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -117,7 +122,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -128,7 +133,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code @@ -156,7 +161,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -164,7 +169,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -172,7 +177,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} @@ -183,7 +188,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 2e53e0cc..819e8ae9 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -32,10 +32,14 @@ on: type: string default: "v0.39.0" description: "For Gruntwork internal testing - the version of the pipelines CLI to use" - pipelines_actions_version: + pipelines_actions_ref: type: string default: "v3.6.4" - description: "For Gruntwork internal testing - the version of the pipelines actions to use" + description: "For Gruntwork internal testing - the ref of the pipelines actions to use" + pipelines_credentials_ref: + type: string + default: "v1" + description: "For Gruntwork internal testing - the ref of the pipelines credentials to use" secrets: PIPELINES_READ_TOKEN: @@ -47,7 +51,8 @@ on: env: PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} - PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} + PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }} + PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }} BOILERPLATE_VERSION: v0.5.16 GRUNTWORK_INSTALLER_VERSION: v0.0.40 
@@ -75,7 +80,7 @@ jobs: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -83,7 +88,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -91,7 +96,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -99,7 +104,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} continue-on-error: true with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} @@ -112,7 +117,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Validate PIPELINES_READ_TOKEN @@ -182,7 +187,7 @@ jobs: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -190,7 +195,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -198,7 +203,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -209,7 +214,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code @@ -374,7 +379,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -382,7 +387,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -390,7 +395,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -401,7 +406,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code @@ -497,7 +502,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -505,7 +510,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -513,7 +518,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} @@ -524,7 +529,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code 
diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 07fd2cf7..e320d590 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -45,16 +45,21 @@ on: type: string default: "v0.39.0" description: "For Gruntwork internal testing - the version of the pipelines CLI to use" - pipelines_actions_version: + pipelines_actions_ref: type: string default: "v3.6.4" - description: "For Gruntwork internal testing - the version of the pipelines actions to use" + description: "For Gruntwork internal testing - the ref of the pipelines actions to use" + pipelines_credentials_ref: + type: string + default: "v1" + description: "For Gruntwork internal testing - the ref of the pipelines credentials to use" secrets: PIPELINES_READ_TOKEN: required: true env: PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} - PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} + PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }} + PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }} jobs: unlock_one: @@ -64,7 +69,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -72,7 +77,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -83,7 +88,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code @@ -195,7 +200,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -203,7 +208,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -214,7 +219,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code @@ -391,7 +396,7 @@ jobs: steps: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -399,7 +404,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -410,7 +415,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Download Infra-live repo as an artifact diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 9388bddb..415fda66 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -32,10 +32,14 @@ on: type: string default: "v0.39.0" description: "For Gruntwork internal testing - the version of the pipelines CLI to use" - pipelines_actions_version: + pipelines_actions_ref: type: string default: "v3.6.4" - description: "For Gruntwork internal testing - the version of the pipelines actions to use" + description: "For Gruntwork internal testing - the ref of the pipelines actions to use" + pipelines_credentials_ref: + type: string + default: "v1" + description: "For Gruntwork internal testing - the ref of the pipelines credentials to use" secrets: PIPELINES_READ_TOKEN: @@ -45,7 +49,8 @@ on: env: PIPELINES_CLI_VERSION: ${{ inputs.pipelines_cli_version }} - PIPELINES_ACTIONS_VERSION: ${{ inputs.pipelines_actions_version }} + PIPELINES_ACTIONS_REF: ${{ inputs.pipelines_actions_ref }} + PIPELINES_CREDENTIALS_REF: ${{ inputs.pipelines_credentials_ref }} # GitHub Actions tends to hit resource exhaustion and kill running jobs # if we leave parallelism unbounded, so we set the max to 10 for a sane default. @@ -66,7 +71,7 @@ jobs: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -74,7 +79,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -82,7 +87,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} @@ -94,7 +99,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Validate PIPELINES_READ_TOKEN @@ -162,7 +167,7 @@ jobs: - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -170,7 +175,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -178,7 +183,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@v1 + uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} @@ -189,7 +194,7 @@ jobs: with: path: pipelines-actions repository: gruntwork-io/pipelines-actions - ref: ${{ env.PIPELINES_ACTIONS_VERSION }} + ref: ${{ env.PIPELINES_ACTIONS_REF }} token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - name: Check out repo code From 9f367c5b55f66dc9225e456a6eb9894b12c2eb50 Mon Sep 17 00:00:00 2001 From: Lewis Christie Date: Tue, 3 Jun 2025 12:22:06 -0600 Subject: [PATCH 3/6] Add checkout steps for pipelines-credentials to all workflow jobs --- .../workflows/pipelines-drift-detection.yml | 36 ++++++++++--- .github/workflows/pipelines-root.yml | 54 ++++++++++++++----- .github/workflows/pipelines-unlock.yml | 33 +++++++++--- .github/workflows/pipelines.yml | 26 ++++++--- 4 files changed, 116 insertions(+), 33 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 5c77f59f..9e11c738 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml 
@@ -61,18 +61,24 @@ jobs: outputs: units: ${{ steps.determine-units.outputs.units }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} api_base_url: ${{ inputs.api_base_url }} - - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -112,9 +118,16 @@ jobs: JOB_NAME: Detect Drift in ${{ matrix.unit.path }} name: Detect Drift in ${{ matrix.unit.path }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -122,7 +135,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
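Review bot: The new `Checkout Pipelines Credentials` step should add `persist-credentials: false` under `with:`; without it `actions/checkout` stores the job's default `GITHUB_TOKEN` in `pipelines-credentials/.git/config`, and since no step pushes to that repository the token only sits on disk where the checked-out action and every later step can read it. The same step is added in the other hunks of this commit for pipelines-drift-detection.yml, pipelines-root.yml and pipelines-unlock.yml, and presumably in the pipelines.yml hunks that are cut off at the end of this view. Because `ref:` is now caller-supplied and defaults to the mutable `v1` tag while the checked-out action is handed `PIPELINES_READ_TOKEN` (and, in pipelines-root.yml, the infra-root-write and org-repo-admin tokens), defaulting `pipelines_credentials_ref` to a full commit SHA would make the code that handles those tokens reproducible.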
@@ -159,9 +172,16 @@ jobs: runs-on: ${{ fromJSON(inputs.runner) }} needs: pipelines_drift_detection steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -169,7 +189,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -177,7 +197,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 819e8ae9..eb52a2cf 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml 
@@ -78,9 +78,16 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -88,7 +95,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -96,7 +103,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -104,7 +111,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials continue-on-error: true with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} 
@@ -185,9 +192,16 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -195,7 +209,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -203,7 +217,7 @@ jobs: - name: Fetch Infra Root Write Token id: pipelines-infra-root-write-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -377,9 +391,16 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -387,7 +408,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -395,7 +416,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} @@ -500,9 +521,16 @@ jobs: # GHA can't check for length, so we just check if there is an item in the 0 index if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -510,7 +538,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -518,7 +546,7 @@ jobs: - name: Fetch Org Repo Admin Token id: pipelines-org-repo-admin-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index e320d590..cb907656 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -67,9 +67,16 @@ jobs: if: ${{ !inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -77,7 +84,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} 
@@ -198,9 +205,16 @@ jobs: if: ${{ inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -208,7 +222,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -394,9 +408,16 @@ jobs: matrix: working_directory: ${{ fromJson(needs.unlock_all.outputs.unlock_folders) }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -404,7 +425,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 415fda66..be959053 100644 
--- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -69,9 +69,16 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -79,7 +86,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -87,7 +94,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} 
@@ -165,9 +172,16 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Gruntwork Read Token id: pipelines-gruntwork-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -175,7 +189,7 @@ jobs: - name: Fetch Org Read Token id: pipelines-customer-org-read-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} @@ -183,7 +197,7 @@ jobs: - name: Fetch Create PR Token id: pipelines-propose-infra-change-token - uses: gruntwork-io/pipelines-credentials@${{ inputs.pipelines_credentials_ref }} + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} From b56ade622c9615f89de3abbefe639dacef06726d Mon Sep 17 00:00:00 2001 
From: Lewis Christie Date: Tue, 3 Jun 2025 12:48:25 -0600 Subject: [PATCH 4/6] Update workflows to use parallel pipelines-credentials token fetching Replace sequential token fetch steps with single parallel credentials action. Use JSON array input to fetch multiple tokens simultaneously. Fix environment variable references to use consistent naming. Add missing pipelines_binary_url input to drift detection and unlock workflows. Resolve merge conflicts by accepting parallel approach over sequential. Update all four workflow files for consistency across the platform. --- .../workflows/pipelines-drift-detection.yml | 183 ++++----- .github/workflows/pipelines-root.yml | 359 +++++++++--------- .github/workflows/pipelines-unlock.yml | 164 ++++---- .github/workflows/pipelines.yml | 131 +++---- 4 files changed, 411 insertions(+), 426 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 9e11c738..acf37bd2 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -30,6 +30,10 @@ on: api_base_url: type: string default: "https://api.prod.app.gruntwork.io/api/v1" + pipelines_binary_url: + type: string + default: "" + description: "Override where we fetch pipelines from, used for internal testing" pipelines_cli_version: type: string default: "v0.39.0" 
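Review bot: The new `pipelines_binary_url` input lets any caller of this reusable workflow redirect where the pipelines binary is fetched from, and the default of `""` gives no hint about what the consuming step does with a non-empty value. The download step is outside this hunk; confirm it verifies the fetched binary against a checksum or signature tied to `pipelines_cli_version`, or refuses an override outside the expected origin, because an unverified executable from a caller-supplied URL is a supply-chain exposure that the `description` does not mention. A comment on the input, such as `# Any URL is accepted here — the download step is responsible for verifying the binary before it runs`, would make that contract visible to the next maintainer.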
@@ -61,27 +65,36 @@ jobs: outputs: units: ${{ steps.determine-units.outputs.units }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Record workflow env vars + env: + PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }} + run: | + time_now=$(date -u +"%s") + echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV + echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
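Review bot: `uses: gruntwork-io/pipelines-credentials@v1` is a mutable major-version tag for the action that receives every fallback secret of the job, and the removed lines show the action was previously checked out at an explicit ref, so this hunk loosens the pin rather than tightening it. Pin to a full commit SHA with the version in a trailing comment, e.g. `uses: gruntwork-io/pipelines-credentials@<commit-sha> # v1` (placeholder for the real SHA), or at minimum to the exact release tag, and do the same for the `Fetch Pipelines Tokens` steps in the hunks at lines 27, 29, 31, 35 and 43. Separately, the visible consumers of this job's tokens (hunk at line 26) read only `gruntwork_read` and `customer_org_read`, yet the step also requests `pr_create`; unless the Determine Units step outside the hunk uses it, drop that entry so a write-capable token is not fetched into a job that only reads.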
@@ -90,14 +103,14 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Determine Units id: determine-units 
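Review bot: `fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read` reads a credential out of a step output, and step outputs are not secrets: unless the action registers each token with `::add-mask::` before writing the output, the individual token strings can appear unredacted in logs or debug output. Registering only the whole JSON blob would not redact a token that later appears on its own, which is exactly how these values are used. Confirm the action masks each token individually; if it does not, that is a blocker for this pattern, which every `fromJSON(...PIPELINES_TOKENS)` line in the hunks from line 28 onward relies on. A one-line comment above the first use in each job, `# PIPELINES_TOKENS is a JSON map of name -> token; each value is masked by the action`, would record the assumption once it is verified.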
@@ -118,27 +131,28 @@ jobs: JOB_NAME: Detect Drift in ${{ matrix.unit.path }} name: Detect Drift in ${{ matrix.unit.path }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
@@ -147,60 +161,53 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - - name: Execute Drift Detection - id: determine-drift - uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-determine-drift + - name: Pipelines Drift Detector + id: detect_drift + uses: ./pipelines-actions/.github/actions/pipelines-drift-detect with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - UNIT_ID: ${{ matrix.unit.id }} - UNIT_PATH: ${{ matrix.unit.path }} - JOB_NAME: ${{ env.JOB_NAME }} - STEP_NAME: "Execute Drift Detection" + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} + terragrunt_command: "run-all plan" + # Disable automatic plan for drift detection + TF_INPUT: 0 consolidate_jobs: name: Consolidate Jobs runs-on: ${{ fromJSON(inputs.runner) }} needs: pipelines_drift_detection steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: 
pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Create PR Token - id: pipelines-propose-infra-change-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
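Review bot: In the new `Pipelines Drift Detector` step, `TF_INPUT: 0` is passed under `with:` with the comment `# Disable automatic plan for drift detection`; `TF_INPUT` is Terraform's switch for interactive prompting, not for whether a plan runs, and a `with:` key only reaches the action if `pipelines-drift-detect` declares an input by that name. If an environment variable is intended, move it to a step-level `env:` and reword the comment to `# TF_INPUT=0 makes terraform fail instead of prompting when a value is missing`. The replaced step also passed `UNIT_ID` and `UNIT_PATH` from the matrix, and the new step passes no unit at all even though the job is named per `matrix.unit.path`; unless the new action derives its target another way, every matrix job will run the same plan, so pass the unit through whatever working-directory input the action exposes. The step id also changes from `determine-drift` to `detect_drift`, so any `steps.determine-drift` reference outside the hunk needs the same rename.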
@@ -209,20 +216,20 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: "Consolidate Jobs" id: consolidate-jobs uses: ./pipelines-actions/.github/actions/pipelines-drift-detection-consolidate-jobs with: PATH_FILTER: ${{ inputs.path }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PR_CREATE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PR_CREATE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} BRANCH_NAME: ${{ inputs.branch-name }} diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index eb52a2cf..3767775d 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml 
@@ -78,44 +78,33 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Infra Root Write Token - id: pipelines-infra-root-write-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Repo Admin Token - id: pipelines-org-repo-admin-token - uses: ./pipelines-credentials - continue-on-error: true - with: - PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "infra_root_write", + "path": "infra-root-write/${{ github.repository_owner }}", + 
"fallback_secret": "${{ secrets.INFRA_ROOT_WRITE_TOKEN }}" + }, + { + "name": "org_repo_admin", + "path": "org-repo-admin/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.ORG_REPO_ADMIN_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions @@ -125,7 +114,7 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Validate PIPELINES_READ_TOKEN if: always() && steps.checkout_actions.conclusion != 'success' 
@@ -147,26 +136,26 @@ jobs: with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Preflight Checks uses: ./pipelines-actions/.github/actions/pipelines-preflight-action with: IS_ROOT: "true" PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + INFRA_ROOT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} + ORG_REPO_ADMIN_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).org_repo_admin }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} - name: Pipelines Orchestrate id: orchestrate uses: ./pipelines-actions/.github/actions/pipelines-orchestrate with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read 
}} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} 
@@ -192,35 +181,33 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Infra Root Write Token - id: pipelines-infra-root-write-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "infra_root_write", + "path": "infra-root-write/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.INFRA_ROOT_WRITE_TOKEN }}" + }, + { + "name": "org_repo_admin", + "path": "org-repo-admin/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.ORG_REPO_ADMIN_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
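Review bot: The new `Fetch Pipelines Tokens` step in the per-unit execute job requests `org_repo_admin`, which the replaced steps never fetched and which none of the job's token consumers in the hunks at lines 36 to 42 read; they use only `gruntwork_read`, `customer_org_read` and `infra_root_write`. Fetching an org-level admin credential into every matrix job that does not use it widens the blast radius of any step in that job for no benefit, so drop the entry. The hunk at line 43 has the related problem in the other direction: the removed step fetched the narrower `propose-infra-change` path, while the new list fetches `infra_root_write` and `org_repo_admin` instead, and the consumers of the old token sit outside that hunk; verify they need the broader tokens before accepting the swap.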
@@ -229,21 +216,21 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} change_type: ${{ matrix.jobs.ChangeType }} branch: ${{ matrix.jobs.Ref }} working_directory: ${{ matrix.jobs.WorkingDirectory }} 
@@ -260,9 +247,9 @@ jobs: uses: ./pipelines-actions/.github/custom-actions/pre-provision-new-account if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + INFRA_ROOT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[ProvisionAccount]: Provision New Account" 
@@ -270,18 +257,18 @@ jobs: if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} uses: ./pipelines-actions/.github/actions/pipelines-provision-account-action with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[ProvisionAccount]: Post Provision New Account Custom Action" uses: ./pipelines-actions/.github/custom-actions/post-provision-new-account if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + INFRA_ROOT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} baseline_path: ${{ steps.provision_new_account.outputs.baseline_path }} 
@@ -289,7 +276,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action if: ${{ steps.gruntwork_context.outputs.action == 'PROVISION_ACCOUNT' }} with: - GH_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + GH_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} path: ${{ steps.provision_new_account.outputs.baseline_path }} new_branch_name: ${{ steps.provision_new_account.outputs.new_branch_name }} commit_message: ${{ steps.provision_new_account.outputs.commit_message }} @@ -302,8 +289,8 @@ jobs: uses: ./pipelines-actions/.github/custom-actions/pre-baseline-core-accounts if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} # Run the core accounts baselines(shared, logs, security, etc. to ensure the account is setup correctly) 
@@ -313,17 +300,17 @@ jobs: # TODO: Rename this as pipelines-apply-core-baselines or something similar uses: ./pipelines-actions/.github/actions/pipelines-baseline-account-action with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[Baseline]: Post Baseline Core Account Action" uses: ./pipelines-actions/.github/custom-actions/post-baseline-core-accounts if: steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - name: "[TerragruntExecute]: Authenticate with AWS and then Invoke Terragrunt" 
@@ -333,8 +320,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10" with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} @@ -350,7 +337,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "${{ steps.gruntwork_context.outputs.action == 'TERRAGRUNT_EXECUTE' && '[TerragruntExecute]:\ Authenticate with AWS and then Invoke Terragrunt' || (steps.gruntwork_context.outputs.action == 'BASELINE_ACCOUNT' && 'Run core accounts baselines' || '[ProvisionAccount]:\ Provision New Account') }}" 
@@ -365,7 +352,7 @@ jobs: step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} outputs: account_id: ${{ matrix.jobs.AccountId }} 
@@ -391,35 +378,33 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Create PR Token - id: pipelines-propose-infra-change-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "infra_root_write", + "path": "infra-root-write/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.INFRA_ROOT_WRITE_TOKEN }}" + }, + { + "name": "org_repo_admin", + "path": "org-repo-admin/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.ORG_REPO_ADMIN_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
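Review bot: `uses: gruntwork-io/pipelines-credentials@v1` pulls the credential-fetching action from a mutable major-version tag, whereas the removed steps checked the repository out at an explicit `PIPELINES_CREDENTIALS_REF`; since every token these jobs hold flows through this one action, pin it to a full commit SHA with the version in a trailing comment (`uses: gruntwork-io/pipelines-credentials@<commit-sha> # v1`), or at least expose the ref as an input the way the CLI and actions versions are. The `fallback_secret` values are spliced into the JSON document as raw text, so a `"` or `\` in a secret breaks the whole array; `"fallback_secret": ${{ toJSON(secrets.PIPELINES_READ_TOKEN) }}` (no surrounding quotes) produces a correctly escaped JSON string instead. Note also that the new `infra_root_write` entry requests `infra-root-write/${{ github.repository_owner }}` where the removed `Fetch Create PR Token` step requested `propose-infra-change/${{ github.repository_owner }}` — a different credential scope — so it is worth confirming that change of path is intended. The same pinning and escaping points apply to every other `Fetch Pipelines Tokens` hunk in this series, including those in pipelines-unlock.yml and pipelines.yml.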
@@ -428,14 +413,14 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Update comment uses: ./pipelines-actions/.github/actions/pipelines-status-update 
@@ -443,19 +428,19 @@ jobs: step_name: Baseline Child Account ${{ matrix.jobs.Name }} step_status: "in_progress" pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }} branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }} working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }} account_id: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AccountId }} - terragrunt_command: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command }} ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Args }} + terragrunt_command: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Command }} ${{ needs.pipelines_orchestrate.outputs.pipelines_jobs[0].Action.Args }} additional_data: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData) }} account_names: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].AdditionalData.AccountNames }} child_account_id: ${{ matrix.jobs.ID }} 
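Review bot: The `terragrunt_command` line on the Bootstrap Workflow step drops `fromJson(...)` from the second expression: `needs.pipelines_orchestrate.outputs.pipelines_jobs` is a string output, so `...pipelines_jobs[0].Action.Args` never parses the JSON and, as far as I can tell, evaluates to an empty value, silently stripping the terragrunt arguments from the command. This edit is unrelated to the token refactor and looks accidental; restore the original form `${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Action.Args }}` so it matches the `Action.Command` half and the `additional_data`/`account_names` lines below it. The step's `with:` list may continue past the end of this hunk.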
@@ -465,8 +450,8 @@ jobs: - name: "[Baseline]: Pre Baseline Child Account Action" uses: ./pipelines-actions/.github/custom-actions/pre-baseline-child-account with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} @@ -476,8 +461,8 @@ jobs: id: baseline_child_account uses: ./pipelines-actions/.github/actions/pipelines-baseline-child-account-action with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} 
@@ -486,8 +471,8 @@ jobs: - name: "[Baseline]: Post Baseline Child Account Action" uses: ./pipelines-actions/.github/custom-actions/post-baseline-child-account with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} account_id: ${{ matrix.jobs.ID }} account_name: ${{ matrix.jobs.Name }} job: ${{ toJson(fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0]) }} @@ -498,7 +483,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "[Baseline]: Baseline the Child Account" @@ -512,7 +497,7 @@ jobs: step_details_extended_log: ${{ steps.baseline_child_account.outputs.execute_stdout_log }} pull_request_number: ${{ needs.pipelines_execute.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).infra_root_write }} pipelines_setup_delegated_repo: name: "Setup Delegated Repo" 
@@ -521,35 +506,33 @@ jobs: # GHA can't check for length, so we just check if there is an item in the 0 index if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Repo Admin Token - id: pipelines-org-repo-admin-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 + with: + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "infra_root_write", + "path": "infra-root-write/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.INFRA_ROOT_WRITE_TOKEN }}" + }, + { + "name": "org_repo_admin", + "path": "org-repo-admin/${{ 
github.repository_owner }}", + "fallback_secret": "${{ secrets.ORG_REPO_ADMIN_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions @@ -558,21 +541,21 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} change_type: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].ChangeType }} branch: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].Ref }} working_directory: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].WorkingDirectory }} 
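Review bot: The `Fetch Pipelines Tokens` step in `pipelines_setup_delegated_repo` (hunk starting at `@@ -521,35 +506,33 @@`) requests an `infra_root_write` token in addition to the three the removed steps fetched, but none of this job's visible steps consume it — the following hunks pass only `gruntwork_read`, `customer_org_read` and `org_repo_admin`. A write-scoped credential the job never uses is still materialised in a step output for the job's lifetime, which works against least privilege; drop the `infra_root_write` entry from this job's `PIPELINES_TOKEN_PATHS` unless a step outside the diff needs it. If it is needed, a one-line comment above the entry naming that consumer would stop the next reader from removing it.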
@@ -591,9 +574,9 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-provision-access-control-action with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + ORG_REPO_ADMIN_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).org_repo_admin }} - name: "Create and bootstrap delegated Repo" id: provision_delegated_repo @@ -601,9 +584,9 @@ jobs: with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + ORG_REPO_ADMIN_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).org_repo_admin }} # To learn more about customizing Pipelines see our documentation at https://docs.gruntwork.io/pipelines/maintain/extending/ - name: "Post create delegated repo custom actions" 
@@ -611,15 +594,15 @@ jobs: with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} access_control_pull_request_url: ${{ steps.access_control_pr.outputs.pull_request_url }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + ORG_REPO_ADMIN_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).org_repo_admin }} - name: "Create Delegated Repo PR" uses: ./pipelines-actions/.github/actions/pipelines-new-pr-action with: gruntwork_context: ${{ toJson(steps.gruntwork_context.outputs) }} - GH_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }} + GH_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).org_repo_admin }} path: ${{ steps.provision_delegated_repo.outputs.path }} new_branch_name: ${{ steps.provision_delegated_repo.outputs.new_branch_name }} commit_message: ${{ steps.provision_delegated_repo.outputs.commit_message }} diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index cb907656..12e0285d 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -22,6 +22,10 @@ on: api_base_url: type: string default: "https://api.prod.app.gruntwork.io/api/v1" + pipelines_binary_url: + type: string + default: "" + description: "Override where we fetch pipelines from, used for internal testing" # This field can be overriden to customize the runner used for pipelines # workflows. 
@@ -67,27 +71,31 @@ jobs: if: ${{ !inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} + - name: Record workflow env vars + env: + PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }} + run: | + time_now=$(date -u +"%s") + echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV + echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
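Review bot: The new `Record workflow env vars` step writes the caller-supplied `pipelines_binary_url` input straight into `$GITHUB_ENV` via `echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV`; a value containing a newline would define additional environment variables for every later step, and since this input also redirects where the `pipelines` binary is downloaded from, it is a value worth constraining. Writing it with the documented multi-line form (`PIPELINES_BINARY_URL<<DELIM` / value / `DELIM`, using a randomised delimiter) closes the newline case, and checking that a non-empty value is an `https://` URL before recording it would make the internal-testing override fail loudly rather than silently pointing the download elsewhere. Passing the input through `env:` instead of interpolating it into `run:` is the right call and should stay; `"$GITHUB_ENV"` should be quoted for consistency with the rest of the shell. The identical step in the `unlock_all` job (`@@ -205,27 +213,31 @@`) has the same issue.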
@@ -96,21 +104,21 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} working_directory: ${{ inputs.working_directory }} terragrunt_command: "force-unlock -force ${{ inputs.lock_id }}" branch: 'main' @@ -158,8 +166,8 @@ jobs: - name: Configure code auth uses: ./pipelines-actions/.github/actions/pipelines-code-auth with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: "Run terragrunt stack generate in ${{ inputs.working_directory }}" id: terragrunt_stack_generate 
@@ -178,8 +186,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10" with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} 
@@ -205,27 +213,31 @@ jobs: if: ${{ inputs.unlock_all }} runs-on: ${{ fromJSON(inputs.runner) }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} + - name: Record workflow env vars + env: + PIPELINES_BINARY_URL: ${{ inputs.pipelines_binary_url }} + run: | + time_now=$(date -u +"%s") + echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV + echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
@@ -234,21 +246,21 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} working_directory: ${{ inputs.working_directory }} terragrunt_command: "init" branch: 'main' @@ -281,8 +293,8 @@ jobs: - name: Configure code auth uses: ./pipelines-actions/.github/actions/pipelines-code-auth with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Generate stacks if needed id: generate_stacks 
@@ -311,7 +323,7 @@ jobs: shell: bash id: unlock_tables env: - GH_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + GH_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} run: | set +x set +e @@ -408,27 +420,23 @@ jobs: matrix: working_directory: ${{ fromJson(needs.unlock_all.outputs.unlock_folders) }} steps: - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions @@ -437,7 +445,7 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Download Infra-live repo as an artifact uses: actions/download-artifact@v4 
@@ -449,8 +457,8 @@ jobs: id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} working_directory: ${{ matrix.working_directory }} terragrunt_command: "init" branch: 'main' @@ -461,8 +469,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10" with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index be959053..7f1a5abe 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml 
@@ -69,35 +69,28 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Create PR Token - id: pipelines-propose-infra-change-token - uses: ./pipelines-credentials + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 with: - PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
@@ -107,7 +100,7 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Validate PIPELINES_READ_TOKEN if: always() && steps.checkout_actions.conclusion != 'success' 
@@ -130,23 +123,23 @@ jobs: with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Preflight Checks uses: ./pipelines-actions/.github/actions/pipelines-preflight-action with: PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} - name: Pipelines Orchestrate id: orchestrate uses: ./pipelines-actions/.github/actions/pipelines-orchestrate with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} outputs: pipelines_jobs: ${{ steps.orchestrate.outputs.jobs }} 
@@ -172,35 +165,28 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV - - name: Checkout Pipelines Credentials - uses: actions/checkout@v4 - with: - path: pipelines-credentials - repository: gruntwork-io/pipelines-credentials - ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - - - name: Fetch Gruntwork Read Token - id: pipelines-gruntwork-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io" - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Org Read Token - id: pipelines-customer-org-read-token - uses: ./pipelines-credentials - with: - PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} - api_base_url: ${{ inputs.api_base_url }} - - - name: Fetch Create PR Token - id: pipelines-propose-infra-change-token - uses: ./pipelines-credentials + - name: Fetch Pipelines Tokens + id: pipelines-tokens + uses: gruntwork-io/pipelines-credentials@v1 with: - PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }} - FALLBACK_TOKEN: ${{ secrets.PR_CREATE_TOKEN }} + PIPELINES_TOKEN_PATHS: | + [ + { + "name": "gruntwork_read", + "path": "pipelines-read/gruntwork-io", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "customer_org_read", + "path": "pipelines-read/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" + } + ] api_base_url: ${{ inputs.api_base_url }} - name: Checkout Pipelines Actions 
@@ -209,21 +195,22 @@ jobs: path: pipelines-actions repository: gruntwork-io/pipelines-actions ref: ${{ env.PIPELINES_ACTIONS_REF }} - token: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} - name: Check out repo code uses: actions/checkout@v4 with: path: infra-live-repo fetch-depth: 0 - token: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + token: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} - name: Bootstrap Workflow id: gruntwork_context uses: ./pipelines-actions/.github/actions/pipelines-bootstrap with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} change_type: ${{ matrix.jobs.ChangeType }} branch: ${{ matrix.jobs.Ref }} working_directory: ${{ matrix.jobs.WorkingDirectory }} 
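Review bot: The Bootstrap Workflow step newly receives `PR_COMMENT_WRITE_TOKEN` (the `pr_create` token), which the removed lines show was not handed to `pipelines-bootstrap` before; this passes a write-capable token to one more action, so it should be confirmed that the bootstrap action at `PIPELINES_ACTIONS_REF` declares and actually needs that input. An undeclared input only produces a runner `Unexpected input(s)` warning, in which case the token is exposed to the step for nothing. If it is needed, a comment on the new line such as `# pr_create token: bootstrap uses it to <reason>` records why the widening is intentional. The matrix job's steps continue outside this hunk.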
@@ -239,8 +226,8 @@ jobs: env: TERRAGRUNT_AUTH_PROVIDER_CMD: "pipelines auth terragrunt-credentials --ci github-actions --cloud aws --wd . --disk-cache-duration-minutes 10" with: - PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }} - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_GRUNTWORK_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).gruntwork_read }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} tf_binary: ${{ steps.gruntwork_context.outputs.tf_binary }} working_directory: ${{ steps.gruntwork_context.outputs.working_directory }} terragrunt_command: ${{ steps.gruntwork_context.outputs.terragrunt_command }} @@ -256,7 +243,7 @@ jobs: uses: ./pipelines-actions/.github/actions/pipelines-get-job-logs-url if: always() with: - PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ steps.pipelines-customer-org-read-token.outputs.PIPELINES_TOKEN }} + PIPELINES_CUSTOMER_ORG_READ_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).customer_org_read }} job_name: ${{ env.JOB_NAME }} step_name_prefix: "Run terragrunt" @@ -271,7 +258,7 @@ jobs: step_details_extended_log: ${{ steps.terragrunt.outputs.execute_stdout_log }} pull_request_number: ${{ steps.gruntwork_context.outputs.pr_number }} step_logs_url: ${{ steps.get_logs_url.outputs.step_logs_url }} - PR_COMMENT_WRITE_TOKEN: ${{ steps.pipelines-propose-infra-change-token.outputs.PIPELINES_TOKEN }} + PR_COMMENT_WRITE_TOKEN: ${{ fromJSON(steps.pipelines-tokens.outputs.PIPELINES_TOKENS).pr_create }} outputs: account_id: ${{ matrix.jobs.AccountId }} From dd49aae4cca3e4fb4b3a83d858c2347c559f9992 Mon Sep 17 00:00:00 2001 
From: Lewis Christie Date: Tue, 3 Jun 2025 13:00:00 -0600 Subject: [PATCH 5/6] Fix workflows to checkout pipelines-credentials and use local action - Added checkout step for pipelines-credentials repository using PIPELINES_CREDENTIALS_REF - Changed action references from gruntwork-io/pipelines-credentials@v1 to ./pipelines-credentials - This allows testing with specific branches/versions of the credentials action - Applied to all workflows: pipelines.yml, pipelines-drift-detection.yml, pipelines-root.yml, pipelines-unlock.yml --- .../workflows/pipelines-drift-detection.yml | 10 ++++- .github/workflows/pipelines-root.yml | 10 ++++- .github/workflows/pipelines-unlock.yml | 37 +++++++++++++++++-- .github/workflows/pipelines.yml | 20 +++++++++- 4 files changed, 70 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index acf37bd2..5e36049b 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -73,9 +73,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index 3767775d..d2c4ad47 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml 
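Review bot: The new `Checkout Pipelines Credentials` step leaves `actions/checkout`'s default `persist-credentials: true` in place, so the token used for the clone (`PIPELINES_READ_TOKEN` here, and the caller's `GITHUB_TOKEN` once the following patch drops the explicit `token:`) is written into `pipelines-credentials/.git/config` and remains on the runner for the rest of the job, although the checkout exists only so an action can be run from that directory. Add `persist-credentials: false` under `with:` in this stanza; the identical stanza appears in the root, unlock and pipelines hunks of this patch and in every checkout added by the next one. Separately, the action code now executes from whatever `PIPELINES_CREDENTIALS_REF` resolves to at run time; if that is a branch name for internal testing, as the message suggests, a comment on the `ref:` line, `# PIPELINES_CREDENTIALS_REF should resolve to an immutable tag or SHA outside internal testing`, would record the expectation for customer-facing runs.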
@@ -78,9 +78,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 12e0285d..0310331c 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -79,9 +79,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ @@ -94,6 +102,11 @@ jobs: "name": "customer_org_read", "path": "pipelines-read/${{ github.repository_owner }}", "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" } ] api_base_url: ${{ inputs.api_base_url }} 
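Review bot: The unlock workflow's `Fetch Pipelines Tokens` step (hunk -94/+102, and again at -236/+257 and -435/+461 in the next hunks) now also requests a `propose-infra-change` token with `secrets.PR_CREATE_TOKEN` as its fallback, but no step in this patch is shown consuming `.pr_create` in the unlock jobs, and the workflow's `workflow_call` secrets block is not shown declaring `PR_CREATE_TOKEN`. In a reusable workflow an undeclared secret expands to an empty string, so the fallback would be silently empty while the API-side token is still fetched. If unlock does not need a PR-creating token, drop the third entry to keep the fetched token set minimal; if it does, declare the secret and add a comment naming the consuming step, `# pr_create: consumed by <step name>`.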
@@ -221,9 +234,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ @@ -236,6 +257,11 @@ jobs: "name": "customer_org_read", "path": "pipelines-read/${{ github.repository_owner }}", "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" } ] api_base_url: ${{ inputs.api_base_url }} @@ -422,7 +448,7 @@ jobs: steps: - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ @@ -435,6 +461,11 @@ jobs: "name": "customer_org_read", "path": "pipelines-read/${{ github.repository_owner }}", "fallback_secret": "${{ secrets.PIPELINES_READ_TOKEN }}" + }, + { + "name": "pr_create", + "path": "propose-infra-change/${{ github.repository_owner }}", + "fallback_secret": "${{ secrets.PR_CREATE_TOKEN }}" } ] api_base_url: ${{ inputs.api_base_url }} diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 7f1a5abe..87a1d524 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml 
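Review bot: The job whose hunk begins `@@ -422,7 +448,7 @@` switches to `uses: ./pipelines-credentials`, but its `steps:` list opens directly with `Fetch Pipelines Tokens` — no `Checkout Pipelines Credentials` step precedes it, unlike the jobs at +79 and +234 in this same file. A local action path only resolves when the directory already exists in the job's workspace, so this job will fail on its first step with a missing-action error. The final patch in this series touches pipelines-unlock.yml only to delete `token:` lines, so the gap appears to survive unless a change outside this series adds it. Insert the same checkout stanza used at +234 (`actions/checkout@v4` with `path: pipelines-credentials`, `repository: gruntwork-io/pipelines-credentials` and `ref: ${{ env.PIPELINES_CREDENTIALS_REF }}`) as the first step of that job.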
@@ -69,9 +69,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ @@ -165,9 +173,17 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + token: ${{ secrets.PIPELINES_READ_TOKEN }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ From 62e7719a1b45b467e85ec3a3d77ee22528cc0c8d Mon Sep 17 00:00:00 2001 
From: Lewis Christie Date: Tue, 3 Jun 2025 13:48:30 -0600 Subject: [PATCH 6/6] Remove token parameter from pipelines-credentials checkout steps - Removed token parameter from all Checkout Pipelines Credentials steps since pipelines-credentials is a public repository - Added missing checkout steps and fixed action references in pipelines_drift_detection and consolidate_jobs - Added missing checkout steps and fixed action references in pipelines_execute, pipelines_apply_baselines, and pipelines_setup_delegated_repo - All workflows now properly checkout pipelines-credentials and use local action path --- .../workflows/pipelines-drift-detection.yml | 19 +++++++++++-- .github/workflows/pipelines-root.yml | 28 ++++++++++++++++--- .github/workflows/pipelines-unlock.yml | 2 -- .github/workflows/pipelines.yml | 2 -- 4 files changed, 40 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipelines-drift-detection.yml b/.github/workflows/pipelines-drift-detection.yml index 5e36049b..066448d7 100644 --- a/.github/workflows/pipelines-drift-detection.yml +++ b/.github/workflows/pipelines-drift-detection.yml @@ -79,7 +79,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens @@ -139,9 +138,16 @@ jobs: JOB_NAME: Detect Drift in ${{ matrix.unit.path }} name: Detect Drift in ${{ matrix.unit.path }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ 
@@ -194,9 +200,16 @@ jobs: runs-on: ${{ fromJSON(inputs.runner) }} needs: pipelines_drift_detection steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml index d2c4ad47..8de321bc 100644 --- a/.github/workflows/pipelines-root.yml +++ b/.github/workflows/pipelines-root.yml @@ -84,7 +84,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens @@ -189,9 +188,16 @@ jobs: echo "PIPELINES_JOB_START_TIME=$time_now" >> $GITHUB_ENV echo "PIPELINES_BINARY_URL=$PIPELINES_BINARY_URL" >> $GITHUB_ENV + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ @@ -386,9 +392,16 @@ jobs: matrix: jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ 
@@ -514,9 +527,16 @@ jobs: # GHA can't check for length, so we just check if there is an item in the 0 index if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }} steps: + - name: Checkout Pipelines Credentials + uses: actions/checkout@v4 + with: + path: pipelines-credentials + repository: gruntwork-io/pipelines-credentials + ref: ${{ env.PIPELINES_CREDENTIALS_REF }} + - name: Fetch Pipelines Tokens id: pipelines-tokens - uses: gruntwork-io/pipelines-credentials@v1 + uses: ./pipelines-credentials with: PIPELINES_TOKEN_PATHS: | [ diff --git a/.github/workflows/pipelines-unlock.yml b/.github/workflows/pipelines-unlock.yml index 0310331c..5b21aa59 100644 --- a/.github/workflows/pipelines-unlock.yml +++ b/.github/workflows/pipelines-unlock.yml @@ -85,7 +85,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens @@ -240,7 +239,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 87a1d524..2e2533cb 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -75,7 +75,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens 
@@ -179,7 +178,6 @@ jobs: path: pipelines-credentials repository: gruntwork-io/pipelines-credentials ref: ${{ env.PIPELINES_CREDENTIALS_REF }} - token: ${{ secrets.PIPELINES_READ_TOKEN }} - name: Fetch Pipelines Tokens id: pipelines-tokens